Free Republic

The US agency plundered by Chinese hackers made one of the dumbest security moves possible
Business Insider | 6/18/15 | Natasha Bertrand

Posted on 07/12/2015 12:37:06 AM PDT by Libloather

Contractors in Argentina and China were given "direct access to every row of data in every database" when they were hired by the Office of Personnel Management (OPM) to manage the personnel records of more than 14 million federal employees, a federal consultant told ArsTechnica.

The massive breach of OPM's database — made public by the Obama administration this month — prompted speculation over why the agency hadn't encrypted its systems, which contain the sensitive security clearance and background information for intelligence and military personnel.

Encryption, however, according to Ars, would not have helped in this case because administrators responsible for managing these records had root access to the system, Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified yesterday at a two-hour hearing before the House Oversight and Government Reform Committee.

(Excerpt) Read more at businessinsider.com ...


TOPICS: Crime/Corruption; Editorial; Government; News/Current Events
KEYWORDS: chinese; hackers; internet; security
To: Libloather

“...Contractors in Argentina and China were given “direct access to every ...”

You don’t think China has everything secret the US government has?? Obviously we are essentially handing it to them - a la Billy Clinton. After all, they own us with all the money they have given us in exchange for worthless bonds.

How many contracts has the Pentecost, now filled with Obama people, awarded to China?? And for doing what??


21 posted on 07/12/2015 5:02:09 AM PDT by elpadre (AfganistaMr Obama said the goal was to "disrupt, dismantle and defeat al-hereQaeda" and its allies.)

To: pepsionice

what damages have you personally been subject to that would justify a law suit?


22 posted on 07/12/2015 5:04:31 AM PDT by bert ((K.E.; N.P.; GOPc.;+12, 73, ..... No peace? then no peace!)

To: bert
"what damages have you personally been subject to that would justify a law suit?"

If someone borrows your valuable car and then the car is stolen from the friend do you not believe you have a cause of action? A car is one thing, all your most private personal information is priceless. It is valuable property that you have entrusted in the hands of a trustee and the trustee has lost your valuable property. There is a fiduciary duty that applies. Moreover, privacy laws come into play and just the breach is actionable.
23 posted on 07/12/2015 5:15:53 AM PDT by iontheball

To: iontheball

I think your analogy is false

absent damages, real damages, I see no merit for a law suit

the fact some unknown now has the data does not mean that you personally were damaged. If they make a mortgage application or file an amended tax return, there might be damages


24 posted on 07/12/2015 5:22:28 AM PDT by bert ((K.E.; N.P.; GOPc.;+12, 73, ..... No peace? then no peace!)

To: Libloather

Bush’s fault. Republican sequester’s fault. Not enough spending’s fault. Global warming’s fault.

Obama’s awesome awesomeness will protect us.


25 posted on 07/12/2015 5:34:31 AM PDT by Organic Panic

To: dfwgator

They probably required something more secure:

Pa$$w0rd

Capital and lower case, numbers and special characters. Looks like a strong password to me.


26 posted on 07/12/2015 5:48:20 AM PDT by PAR35

To: pepsionice

The way a class action settlement would work would be the attorney gets most of the money, the named plaintiffs get a little bit, and the class members get something essentially worthless.


27 posted on 07/12/2015 5:50:26 AM PDT by PAR35

To: PAR35

Has anyone been fired for this?


28 posted on 07/12/2015 5:54:27 AM PDT by hal ogen (First Amendment or Reeducation Camp?)

To: Rummyfan; dfwgator

“The password was “12345”

At least they changed it from password.”

Don’t worry. This time they got smart and changed it to “qwerty”


29 posted on 07/12/2015 5:59:57 AM PDT by lowbridge

To: Libloather


30 posted on 07/12/2015 6:01:20 AM PDT by JoeProBono (SOME IMAGES MAY BE DISTURBING VIEWER DISCRETION IS ADVISED;-{)

To: Gaffer

Don’t need keys, password or a badge when the door is left wide open.


31 posted on 07/12/2015 6:01:38 AM PDT by Delta 21 (Patiently waiting for the jack booted kick at my door.)

To: Libloather
I suspect that Edward Snowden's massive theft of NSA data is linked to this. He may have been recruited by the Chinese. At the very least, the Chinese would have known of his importance during his stay in Hong Kong, and would have thoroughly exploited it before allowing him to leave for Russia. Even if Snowden wanted to keep the Chinese from accessing his stolen files, he would have had no means to do so. The TrueCrypt encryption program he used would have only temporarily impeded Chinese (and then Russian) intelligence.

I think it is very likely that China and Russia have copies of the crown jewels of our intelligence databases. I think it is likely they have multiple active backdoors into key government databases to keep their database snapshots current. The backdoors are almost certainly augmented by redundant tiers of human agents.

The level of stupidity, incompetence, and danger in this matter is so great that one can only deal with it by ignoring it. That seems to be working for now as very few citizens know anything about this, much less care. Americans have been well conditioned to have a broad contempt for their country, after all.

Unfortunately, these are the sort of failures that result in lost wars. Every week we seem to be moving closer to war with one or both of our major adversaries.

32 posted on 07/12/2015 6:05:45 AM PDT by Jeff F

To: dfwgator

Hey - That’s the combination on my LUGGAGE!


33 posted on 07/12/2015 6:11:53 AM PDT by MortMan (All those in favor of gun control raise both hands!)

To: Libloather
The OPM IT team frequently outsources its work to foreign contractors working in their home country.

Idiots. Bribes were paid. I remember a defense company CIO who helped pimp incompetent US based outsourcing so he could attend conferences and get a few rounds of golf for free. Imagine what foreigners offered.

34 posted on 07/12/2015 6:13:43 AM PDT by King Moonracer (Bad lighting and cheap fabric, that's how you sell clothing.....)

To: pepsionice

What’s stopping you from starting a class-action lawsuit?


35 posted on 07/12/2015 6:23:17 AM PDT by null and void (She who uses rope to contain reporters during her candidacy will use rope to hang them when in power)

To: Libloather
You can read the comments at the site and see the organized campaign to try to excuse this by talking about all the private sector companies that got hacked too. They're so consistent it's pretty obvious they're all reading from the same "talking points" memo.

They don't even realize that bringing that up is actually making it worse. Every one of those breaches that was discovered exposed one or more security weaknesses in those systems. Any competent security administrator should have been examining his own systems for those same vulnerabilities and getting them corrected once they were exposed and shown that they were actively being exploited.

36 posted on 07/12/2015 6:27:37 AM PDT by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)

To: pepsionice

How can we learn if our information was compromised?


37 posted on 07/12/2015 6:28:16 AM PDT by Caipirabob (Communists... Socialists... Democrats...Traitors... Who can tell the difference?)

To: Libloather

Outsourcing government work to contractors in Argentina and China? Words fail.


38 posted on 07/12/2015 6:42:18 AM PDT by Will88

To: Libloather

It could have helped if the database tables were encrypted themselves.

Root access wouldn’t have helped them.


39 posted on 07/12/2015 8:15:22 AM PDT by dila813

To: gleeaikin

Not to be a smart-mouth, but they’ll be most interested for the time being in 20- and 30-somethings, and file those, uh, older for later use (after they’re no longer with us) to build false IDs; in Asians; skills with non-English languages; overseas assignments; some other criteria.


40 posted on 07/12/2015 8:18:48 AM PDT by SunkenCiv (What do we want? REGIME CHANGE! When do we want it? NOW)

