Analogies are useful but don't get carried away, especially when talking about something as broad as "the government" (as if it were one singular thing). The fact that a BLM federal officer lost his firearm doesn't instantly mean that all of our Tomahawk cruise missiles are next to be stolen.
The closest thing to the proposed encryption backdoor is the clipper chip proposal of the 90s, and that did have severe vulnerabilities that the authors completely overlooked.
And I'd recommend you watch John Oliver's segment about nuclear launch codes to recalibrate your trust in those officials. We've come scarily close to Armageddon multiple times over the last few decades, which was prevented only by sheer dumb luck. Just because it's the scariest thing known to man doesn't mean the people responsible for it aren't incompetent.
The fact that a BLM officer lost his firearm doesn't instantly mean that all the cruise missiles are next, but yes, the fact that the USG is unable to maintain sensitive records of twenty million cleared personnel does say something about their ability to keep secret information safe.
http://gizmodo.com/for-20-years-the-nuclear-launch-code-at-u...
No thanks.
Senator McCain started asking questions about how it was possible to maintain citizens' privacy, but at the same time be able to access private data. Then he made it clear what his feelings were on the subject. Basically, his argument boiled down to "But, ISIS!".
"Is ISIS trying to kill Americans?", he asked the FBI director. The director said "yes". Then he said that b/c of ISIS, the govt has to be able to access keys so they can read encrypted data.
Backdoors make the situation worse, not better. We'll still have ISIS, we'll be even less secure, and we'll have lost whatever is left of our right to privacy.
Pretty much a lose-lose for everyone involved (except maybe ISIS).
The answer to "But, ISIS!" is not backdoors, it's foreign policy.
Sure, you could in theory have a highly distributed system with multiple keys, but then you can't use it day to day for monitoring communications, which is the whole purpose of the backdoor.
The government may be able to keep the nuclear codes safe in such a fashion, but it wouldn't if ten different government agencies wanted to use them on a daily basis.
We should keep saying it to our reprehensatives in Congress.
I get deeply frustrated (though I understand where they are coming from) when governments make the argument that they can't take advantage of this or that cloud service because the service's security isn't vetted. Clearly, the security in the backing systems owned by the government isn't sufficiently vetted either, so they're sacrificing velocity for non-security.
I know, it's a flippant attitude. Blame a lousy day. ;)
This is more an indication of the NSA focusing too strongly on offensive/monitoring operations and not on information security, which is their job as well.
This is precisely how I feel about this kind of thing.
To my mind, the NSA should be working to make the security technologies used by American individuals, American companies, and the American government as strong and as free of vulnerabilities as possible. The necessary degree of transparency would, of course, mean any such improvements would be available to anyone in other countries, but I think that situation is far superior to our current climate where we suspect (and not as wild conspiracy theory) that our vulnerabilities were as likely created by the NSA as not.
Many American individuals—and presumably companies—consider the NSA an adversary simply because these individuals value their privacy and the NSA has shown only hostility toward Americans concerning their privacy. In some alternate universe, my own opinion of the NSA could have been positive had they been an agency focused on decreasing the risk of individuals' privacy being compromised.
At the very least, that they are not (apparently) presently sufficiently charged with assisting other branches of the government maintain security is a misallocation of talent.
Defense against "cyber attack" isn't even NSA's job, and where NSA participates in such endeavors that's on .mil, not .gov.
DHS does have responsibility for cyber security on .gov however. But what is DHS supposed to do if OPM decides to throw open the keys to the kingdom to any random "authenticated" contractor handling background checks?
P.S. NSA might somehow have caught this despite everything I mentioned if they were engaged in better "monitoring operations" on other government networks and international communications relays... is that really what you want?
Is that really their job? It seems there might be a dozen other agencies responsible, ones less interested in foreign computer networks. Is that DISA's bailiwick? Perhaps NIST? Homeland Security? et cetera
For example, your aged grandfather used to run ethernet through pressurized conduit. If that pressure ever dropped some heavily armed men would turn up.
The IP packet header has fields for security classification as well as compartment. If I design warheads and you design rocket engines, our computers are in different compartments so the router between us will drop packets if you and I attempt to discuss our work. However I could invite you to lunch.
What Bradley Manning did was simply not possible. Or rather it would not have been without the Congressional COTS mandate: Common Off-The-Shelf Computers. Rather than design special hardware or write special software for military computing the avionics for the F-35 Joint Strike Fighter were purchased online from Alibaba.
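Added example, not part of the comment above or of any participant's post: a parser for the Security option that RFC 791 defines for the IPv4 header (option type 130, with a 16-bit classification field S and a 16-bit compartment field C), followed by a compartment check of the kind the comment describes. The `forward` policy, the `build` helper, the addresses and the compartment numbers are assumptions constructed for illustration; the header checksum is left unset.

```python
import struct

SEC_OPT = 130  # RFC 791 Security option: copied flag set, class 0, number 2
LEVELS = {0x0000: "Unclassified", 0xF135: "Confidential",
          0xD788: "Secret", 0x6BC5: "Top Secret"}  # S-field values from RFC 791

def security_option(packet: bytes):
    """Return (level, compartment) from the Security option, or None if unlabelled."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        if kind == SEC_OPT:
            if length != 11:
                raise ValueError("Security option must be 11 bytes")
            level, compartment = struct.unpack_from("!HH", opts, i + 2)
            return LEVELS.get(level, "unknown"), compartment
        i += length
    return None

def forward(packet: bytes, link_compartment: int) -> bool:
    """Hypothetical policy: pass only labelled packets in the link's compartment."""
    label = security_option(packet)
    return label is not None and label[1] == link_compartment

def build(level: int, compartment: int) -> bytes:
    """Constructed sample: 32-byte header (IHL=8), option plus one EOL pad byte."""
    fixed = struct.pack("!BBHHHBBH4s4s", 0x48, 0, 32, 0, 0, 64, 6, 0,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    option = struct.pack("!BBHHH3s", SEC_OPT, 11, level, compartment, 0, b"\0" * 3)
    return fixed + option + b"\0"

if __name__ == "__main__":
    pkt = build(0xD788, 0x0001)   # Secret, constructed compartment value 1
    print(security_option(pkt), forward(pkt, 1), forward(pkt, 2))
```

The filter fails closed: a packet with no Security option is dropped rather than treated as belonging to any compartment, and a truncated option raises instead of being skipped.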
edit: Freely provide easy to use tools for doing the signing and verification, and for people who still aren't savvy enough to do it themselves, train notaries to do it.
Why does the government need so much data on its employees; that's what should be asked!
I don't know if you had to get a clearance or not, and if you did, what kind. But assuming that you did get a clearance, they need all of this information because they need to build up a psychological, emotional, familial, and financial profile of you to determine how much of a risk you are. At least, that is what the government will tell you is the reason why they investigate you so much.
You can request a copy of the investigation the US government performs on you (whether you are a government employee or a contractor with a clearance) through a form you can find on the website of the Office of Personnel Management. Although, hilariously, they will censor some of the information about you that they find. That is a window into what their thinking is, because you see who they talk to, what questions they ask, and how people responded.
Clearly, OPM should know, but omg is the state of security poor.
My company didn't compile detailed background information about my "sexual misconduct", or spend money trying to detail the ways in which I might be blackmailed.
So yeah, it's a little different.
What I'd like to know is how this information failed to warrant even the level of protection mandated for medical records - according to at least one major news source, the data wasn't even encrypted. The standard criteria in the US for "top secret" classification is described as material having the potential to cause "exceptionally grave damage" to the national security of the nation. A database of information pertaining to a process designed to collect all information potentially usable for coercion (blackmail, social ties, etc) of all the individuals in the most sensitive positions of the government, should have been classified and protected at the Top Secret level.
Frankly, the outrage I've seen so far is not nearly enough for the scale of the irresponsibility here. I firmly believe the director and CIO of the OPM should not only be removed from office, they should be subject to criminal charges for mishandling information that clearly _should_ have been classified.
Well, most SF/HN startups' data wouldn't get people killed if leaked to the wrong hands, whereas OPM had sensitive information on spies/foreign agents/etc where that is a serious possibility.
The question I'm curious about is what if a Silicon Valley style startup was going to start a company holding ID information for gov workers? Including potentially identities of people whose livelihood depends on secrecy. I'd imagine they would be investing quite heavily in security. But it is plausible even that wouldn't stop nation-state attackers...
The Navy is happy to fire commanding officers for calling out sailors who show up late for physical training because it's embarrassing to the sailor, and yet it seems like we can't get anything close to that kind of accountability elsewhere.
It's not so much that Archuleta 'let this happen' (since I guarantee they would be hacked anyways), but the defensive efforts prior to this happening were even worse than you'd expect for government, and the response efforts since have almost been worse!
https://www.clearancejobs.com/security_clearance_faq.pdf
"What will I be asked during a security clearance interview? During a ESI, the investigator will cover every item on your clearance application and have you confirm the accuracy and completeness of the information. You will be asked about a few matters that are not on your application, such as the handling of protected information, susceptibility to blackmail, and sexual misconduct. You will be asked to provide details regarding any potential security/suitability issues. During a SPIN, the investigator will only cover the security/suitability issue(s) that triggered the SPIN. The purpose of the SPIN is to afford the applicant the opportunity to refute or to confirm and provide details regarding the issue(s)."
More:
http://www.navytimes.com/story/military/2015/06/17/sf-86-sec...
"They got everyone's SF-86," one Pentagon official familiar with the investigation told Military Times.
"The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions."
..
http://news.clearancejobs.com/2015/06/13/sf-86-stolen-opm-ha...
"The entirety of at least some SF-85 and SF-86 background investigations held on OPM servers were breached, meaning sensitive data including relatives, spouses, and sensitive information on everything from mental health counseling to sexual behavior is now in the hands of the Chinese government."
And if you're really bored:
So what if the red bastards get the file of someone who's 22yo and just out of school? Chances are it's 90% OSInt anyway.
The naked babies uploaded by their parents and parents' friends today will be very familiar with the way the world will be, for it will be all they would have known on some personal level beyond the grandparents of that time ranting on how good things used to be and wanting to allocate resources for destruction of others for such banal causes, despite the hypocrisies as their robot aids wipe the slobber from their mouths…