Dossiers on US spies, military snatched in 'SECOND govt data leak'

A second data breach at the US Office of Personnel Management has compromised even more sensitive information about government employees than the first breach that was revealed earlier this week, sources claim. It's possible at least 14 million Americans have chapter and verse on their lives leaked, we're told. The Associated …

  1. Anonymous Coward
    Anonymous Coward

    Great

    Why don't I just get on the internet and post my entire identity myself to save the hackers time?

    It's going to get to the point we can claim identity theft for almost any bad action that occurs, insufficient funds...well someone must have stolen my identity...

    I get like a letter from the military, banks, health insurance, government every few months saying my information may have been compromised....Who else wants it? Send me an email address and I'll send it right over if you haven't gotten it off bit torrent or some tor site yet....FML

    1. Ole Juul

      Re: Great

      "if you haven't gotten it off bit torrent or some tor site yet...."

      BitTorrent is a protocol, you don't get things "off" it. And what's a tor site?

      PS: I didn't give you a downvote, but this is an IT site. :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Great

        "And what's a tor site?"

        WTF?

        An abbreviation of "Tor 'hidden' services site" presumably.

        https://www.torproject.org/docs/hidden-services.html.en

        PS: I didn't give you a downvote, but this is an IT site. :p

    2. Olius

      Re: Great

      "It's going to get to the point we can claim identity theft for almost any bad action that occurs, insufficient funds...well someone must have stolen my identity..."

      A friend of mine used to have a job in a certain bank's fraud dept, tracking down people who were "impersonating themselves" - ie, getting cards, maxing them out and then claiming their identity had been stolen and they hadn't really spent all that money...

  2. Doctor Syntax Silver badge

    "The AP's sources would not disclose the extent of the breach because details are classified."

    No problem, just ask the Chinese.

    You couldn't make it up.

    1. Ole Juul

      . . . details are classified.

      Yes, they're classified as American.

      1. Anonymous Coward
        Anonymous Coward

        I'd classify them as =HILARIOUS= myself

  3. Simon Brady

    Form 86

    The IT questions in Section 27 are interesting:

    Have you illegally or without proper authorization accessed or attempted to access any information technology system?

    Have you illegally or without authorization, modified, destroyed, manipulated, or denied others access to information residing on an information technology system or attempted any of the above?

    Have you introduced, removed, or used hardware, software, or media in connection with any information technology system without authorization, when specifically prohibited by rules, procedures, guidelines, or regulations or attempted any of the above?

    If you're applying for clearance to work at the NSA, the correct answer is presumably "yes".

    1. This post has been deleted by its author

  4. Antonymous Coward
    Big Brother

    Sauce for the goose...

    Dear [sic] US government. If you had nothing to hide, you'd have nothing to fear.

    Not so keen on them apples, are you. Twats.

    They pwn your country anyway, so really it's just their own data they're reviewing. Think of it more as an audit.

    1. Will Godfrey Silver badge
      Happy

      Re: Sauce for the goose...

      Beat me to it!

      1. Sir Runcible Spoon

        Re: Sauce for the goose...

        Except this isn't just 'government' - this is real people's lives we are talking about here.

        What if you had to have this clearance to work on a particular project for a US company and your details ended up in this database? How would you feel then, knowing that your loved ones might be in danger if you know something they want? Or how about the worry of traveling abroad and wondering if you'll get 'snatched'?

        Ok, a bit melodramatic perhaps, but it's a possibility. It's also one very good reason I don't actually put information online about what I do, it's just not worth the risk of painting a target on yourself if someone decides they want that information - whether it is another state or a criminal gang.

        For some reason I am reminded of the railway workers working on the Jubilee line at Canary Wharf jeering at the now unemployed workers leaving Lehman Brothers with their box of possessions in their arms - none of whom you could ever accuse of being a fat-cat or responsible for the crash - they were just office workers. Not nice.

  5. drunk.smile

    At some point...

    the U.S. govt is really going to need to sort out their security.

    Or is it really just too late for them to bother now.

    1. Anonymous Coward
      Anonymous Coward

      Re: At some point...

      We need to create some sort of National Security Agency with lots of cryptography experts to protect our information.

      1. Anonymous Coward
        Anonymous Coward

        Re: At some point...

        That sounds like an excellent idea AC. One question though: If you were to set up such an organisation, how would you ensure it spent its time productively down in the stuffy server room, diligently sweating over firewall rules and meticulously scrutinising all the (imported) hardware and not out whiling away its time on phun & phrivolous diversions like playing with Angela Merkel's mobe, or attempting to hoard the entire world's IP traffic, or whatever?

        1. Anonymous Coward
          Facepalm

          Re: At some point...

          Yes, one wonders where the U.S. Cybersecurity Command (The arm of the NSA that is supposed to defend U.S. networks) was on this one. Maybe their guys had all been borrowed by the rest of the NSA to go through honest citizens' mobile phone metadata.

          After all, who could possibly want to attack a bunch of servers that had the security background check data for just about everyone who works for the U.S. government and is not in the DoD/intelligence agencies?

  6. Gray
    Facepalm

    Where did we put it?

    Now that the horse is gone, it's time to lock the barn door ... except we've mislaid the lock!

    1. Anonymous Coward
      Anonymous Coward

      Re: Where did we put it?

      Mislaid it? We fucked up all the locks thirty years ago - so no-one else could use them.

      OOPS!

      -- tEH nsa

  7. Captain DaFt

    Oh dear

    Looks like they were too busy breaking into others' houses to remember to lock their own back door!

  8. The_Idiot

    Meanwhile...

    ... back at the ranch, they want _less_ powerful encryption, and _more_ back doors into equipment.

    The thing that scares me is, they still manage to think they're making sense. Of course, it must be me. After all, I'm an Idiot...

    1. Anonymous Coward
      Anonymous Coward

      Re: Meanwhile...

      "... back at the ranch, they want _less_ powerful encryption, and _more_ back doors into equipment."

      No they don't. They're just saying that (over and over and over again) in the hope of undermining some of The Snowden "Revelations". Don't take the word of politicians and spooks at phace value. Idiot!*

      *(by your own admission) ;o)

      1. The_Idiot

        Re: Meanwhile...

        And Idiot I am - aye, and a Fool to boot. I have it on expert authority - my wife! :-)))

        1. Anonymous Coward
          Anonymous Coward

          Re: Meanwhile...

          Your wife sounds nice. You should introduce us.

          >:)

  9. Anonymous Coward
    Anonymous Coward

    I wonder if they'll let us know how far back?

    I was never a government employee, but if it includes contractors I filled out that form when I had an active security clearance back in 2007.

    1. Voland's right hand Silver badge

      Re: I wonder if they'll let us know how far back?

      Total information awareness == total information clusterf*ck.

      This is data held in the name of "national security" so I suspect it has no back date cutoff. In fact, I suspect they went ahead and digitized data from the earlier times and added it to the archive.

      1. Anonymous Coward
        Anonymous Coward

        Re: digitized data from the earlier times

        Nope, that costs money so it wasn't done. Also it isn't bright, shiny.

    2. saundby

      Re: I wonder if they'll let us know how far back?

      Yes, you filled out this form as part of your request for a clearance. I've been through it several times as a contractor myself. It gets longer every time, adding new sections for the fear of the day.

  10. Anonymous Coward
    Anonymous Coward

    They might have fared better if they'd had some encryption on some of that.

    It's also a demonstration of why backdoors are never a good idea.

    1. Anonymous Coward
      Anonymous Coward

      Only terrorists and paedophiles use encryption. If you've done nothing wrong you have nothing to hide.

      1. Anonymous Coward
        Anonymous Coward

        Well the US doesn't anymore.

  11. Mark 85
    Facepalm

    I'm still not believing this...

    It's just unbelievable that this sort of information isn't tucked into a properly secured, possibly air-gapped network. I'm also not believing the revered NSA was unaware of it. I recall reading somewhere (and naturally, I can't find the reference now) that they are also tasked with protecting government systems from outside attack.

    I think if I worked for any agency (especially any of the 3-letter ones), I'd be looking for a new job because sooner or later, someone's going to come looking for those employees.

    As a citizen, I'm wondering if it would be just as well to pave over the Fort Meade compound and turn it into a parking lot. It might be just as effective.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm still not believing this...

      Problem being millions and millions of people have security clearances (me included)..the form is over 100 pages...how would you get millions of people into an air gapped network to fill it out...hence it's available on the internet and my guess is it wasn't nearly as hard to get into as even they are acting like it was.

      I would hope it would be very well secured, but since in my experience many of these programs don't take some basic steps and many of the ones they do don't really do that much to protect the system so I am hardly surprised.

      1. Voland's right hand Silver badge

        Re: I'm still not believing this...

        how would you get millions of people into an air gapped network to fill it out

        Err... You are mistaking two things. The process of filling it out and the process of keeping the record.

        While the data is filled out, checked, verified and clearance granted or denied the record cannot be air gapped. However that is at most thousands at any given time.

        Once the clearance is granted the record should go into deep freeze storage and not be accessed unless you need it for investigative purposes. You can at most instigate a one-way incoming data feed strictly in specific format for audit purposes (literally cut off the return wires/fiber). Even if queries are allowed they should be viciously rate limited.

        This was the procedure in the days when this was on paper. You could not just ask "Can I have the whole archive, thank you". This should have been the design today, when it is electronic. However someone fond of big data and total information awareness made the data searchable and accessible in realtime.

        It's the same story as with Snowden and Microsoft Sharepoint. Someone committed a court-martial offence by authorizing the storage of classified data in a form which is not fit for purpose. However instead of having the stupid moron court-martialed, named, shamed, his government pension removed and thrown into chokey we are now blaming the Chinese.

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm still not believing this...

          If you build it they will come

          1. Anonymous Coward
            Anonymous Coward

            Re: I'm still not believing this...

            No. Maybe it's because I'm almost passing out - having read all night (Hunter S. Thompson's Hell's Angels etc) - but it suddenly seemed to me it was more believable that there was no 'hack'. This is just to make the US public (and all the other paranoid Westerners) to lose whatever vague sense of comprehension they might have thought they had re: cyber(sic)urity that coupled with the limited possibility anyway that they'd have seen this as primarily a US fail, they'll now be so utterly lost they'll all but beg the var. Govs to do absolutely anything the Intelligence Agencies say they need to do, just when there is the hint - on both sides of the Atlantic - of the pretence of a smidgeon of accountability turning up and giving us ideas above our station.

            (Nb. Apologies if this is as hard to read as it feels. More than me falling asleep at the [mouse]wheel, here, near the end of the book is some Ginsberg. I saw the best minds of my generation destroyed by trying to parse Ginsberg).

            1. Antonymous Coward
              Holmes

              Re: I'm still not believing this...

              "Apologies if this is as hard to read as it feels."

              It is!

              It's an interesting idea though... if I managed to parse it correctly! A sort of cyber-variant of the "9 11" conspiracy theories, except plausible because:

              1) You're not suggesting that the US TLAs killed thousands of Yanks. Or actually did anything at all.

              2) There's no reason (other than the politicians' words - and we know what they're worth) to believe that anything at all has even happened.

              If you're right, I'm not sure the motives are what you (appeared to) imply. I can't see how you'd spin this entertaining débâcle into a compelling argument to stem the apparent tide against US surveillance... "Er, you remember all that data you were making all that fuss about? Well, you'll never guess what. Some bastard's only gone and nicked it. So we're gonna have to collect it all again. All-right?" (?!)

              Definitely worth keeping an eye peeled for signs of slightly more subtle / less direct motive in a similar vein. An obvious candidate that just popped in: I wonder what odds one can get for a flutter on this incidentoid, in due course of course, being "traced" to Huawei network kit...

              1. Sir Runcible Spoon

                Re: I'm still not believing this...

                "I wonder what odds one can get for a flutter on this incidentoid, in due course of course, being "traced" to Huawei network kit..."

                That would be even more embarrassing than this leak since the spooks just signed off that kit as safe

              2. Anonymous Coward
                Anonymous Coward

                Re: I'm still not believing this...

                I have a more boring TLA explanation: CYA

                So far we have seen the following official explanations in the press:

                "zer0 day vunerablities"

                "Snowden told the Russians and Chinese where all our spies are"

                "Breach uncovered during a security product demo" Wall Street Journal.

                Only number 3 smacks of reality. I suspect the dire state of US Gov't data system security is just beginning to be discovered by the pols.

                If heads don't roll now, they never will. This is because bureaucrats and politicians are all the same, protect thine own ass first, everything else comes second, including your data security and personal privacy.

                The next "mitigation" will be to unplug all the government networks and go back to using typewriters. That'll show 'em.

                Let's see how easily the Chinese can hack into our (unlocked) filing cabinets.

                And don't you worry, there will be free identity theft insurance, all paid for by Joe Q. Public.

                1. Anonymous Coward
                  Anonymous Coward

                  Re:dire state of US Gov't data system security

                  The pols have known about this for decades. But they haven't done anything about it because it's not sexy. It's like their choices when building new roads or repairing the old ones. Since they can put either their or their friend's name on the new road, it gets an earmark every time. Filling the potholes, not so much.

                  Let's see how easily the Chinese can hack into our (unlocked) filing cabinets.

                  Fairly easily via the cleaning crews. In fact that's been a problem for a friend of mine. Seems while he was on leave for several weeks they had six alerts for people who should have known better leaving "For official use only" documents on desks in unlocked rooms. Office is in an uproar as the powers that be issue pointless new edicts to try to eradicate the problem. Solution seems simple to me: fire the person on whose desk the information was found, or the person who had access to the information or both.

          2. Anonymous Coward
            Anonymous Coward

            Re: I'm still not believing this...

            "If you build it they will come"

            Correction - if you connect it they will come.

            How is this hooking everything up to the internet working for everyone? It's great, right? So convenient...

    2. Anonymous Coward
      Anonymous Coward

      Re: I'm still not believing this...(@Mark 85)

      The problem with suggesting Cleared Personnel get a new job, is that with the SF-86 database cracked.. well, we'd have to get a new life. The SF-86 contains everything over the last 7-10 years; and for some details, your entire life. This can put friends/family (all have to be listed) at risk, leave some personnel open to blackmail, and give an intelligence operator myriad openings for more subtle information pumping.

      It also has all the answers to the "are you really you?" verification questions that the credit agencies use: "Where did you live in 2003?" "What is your second child's middle name?" "What was your annual salary in 2011?" ..All in one handy book.

    3. Tom 13

      Re: I'm still not believing this...

      How do you air gap it and still leave it instantaneously available to nearly every other federal department at all of their locations? The two are mutually exclusive. Given our current environment the immediate access concern won out over the air gap concern.

  12. Destroy All Monsters Silver badge
    Big Brother

    After Snowden's Summer of Surveillance..

    ...the Feds' Summer of Exfiltrage.

    Everyone is contributing to this show!

    1. Anonymous Coward
      Anonymous Coward

      Re: After Snowden's Summer of Surveillance..

      Attempting to paper over the cracks with a "look! look! everyone's doing it" routine?

  13. iLuddite

    a problem I would not want

    Presumably, people in data security will lose jobs. What will they put on their resumes?

  14. Jim 43

    Meh

    Whoever it is has mine. I wish them well.

    I do, however, expect them to do a better job of keeping it secure.

  15. cantankerous swineherd

    oops. can't they just press Ctrl z or something?

  16. De Facto
    FAIL

    Back to typewriters following Putin's footsteps?

    It was recently reported, that after Russians snatched Snowden, Putin's first response was ordering of 300 legacy typewriters for Kremlin staffers. When none of broadly worldwide used US designed PCs and other digital devices, American built OSes and smartphones were free from NSA introduced backdoors and encryption vulnerabilities, while NSA was fully busy in hiding from public their secretly found zero-day software exploits, perhaps Obama should had to follow the only logically possible sound advice. One can not hack what is not there. It was only a matter of time that foreign governments and criminals beyond NSA controls would understand how Americans shot themselves in the foot and start doing the same in reverse. Sadly, that is how Russia's new führer outsmarted Obama. One can assume that there would not even be a war between Russia and Ukraine, if American spying data, agents, policies would not be exposed now to any government who want to make fun of them now.

  17. WalterAlter
    Devil

    Is this Obama's "Bay of Pigs"

    And will the CIA likewise cut short his sojourn on Planet Earth?

    1. This post has been deleted by its author

  18. x 7

    This leak, put together with the recent leaks of USA medical / health insurance records together create quite a significant ability to blackmail / coerce key security and military staff.

    Interestingly, over the last 12 months there have been multiple attempts both by infected e-mail and phone, of spear-phishing attempts at some (if not all) of the UK providers of health care records. So far there has not been any - known - successful penetration. So far the private UK providers seemed to have resisted penetration - but can the same be said of the NHS Summary Care Records? If that was breached then the potential for damage is quite large.

    1. Stevie

      spear-phishing attempts at some (if not all) of the UK providers of health care records

      These are probably the desperate attempts of British people trying to access their own information, the user API's being the last thing built on any system and the Health Care IT projects never getting past the "aborted trial roll-out and massive lawsuit issuance" stage according to stories on El Reg.

  19. Anonymous Coward
    Anonymous Coward

    If you put all your eggs in one basket, you really gotta keep your eyes at that basket. Stupid Yanks.

  20. Anonymous Coward
    Anonymous Coward

    Smokescreen anyone?

    Interesting how today's news (14th June) is suddenly full of reports of 'sources' saying that 'Russian and Chinese intelligence experts have decrypted Snowden's documents and now we have had to move all our spies', whereas NOT getting much publicity is 'Russia/China whatever has downloaded all that information unencrypted anyhow'.

    I have no idea whether strong encryption was a) used on the stuff Snowden took and b) whether it would be possible to decrypt it if it was. But what a good way of passing on the blame to a scapegoat.

    1. Anonymous Coward
      Anonymous Coward

      Re: Smokescreen anyone?

      And when the 14 million government employees start feeling the pain (when, I wonder?) they can always blame it on Ed.

      Cluebat severely needed. It will be interesting to see what sort of agitprop comes up next week. :)

  21. Stevie

    Bah!

    No problem. All the *really* dangerous secret stuff was on Hillary's e-mail server, which - as of today's intel - hasn't been hacked.
