How much info did hackers steal on US spies? Try all of it

If the latest reports are true and Chinese hackers have managed to pilfer as much data about US government employees in sensitive positions as is thought, the Obama administration may be headed for a serious intelligence crisis. According to an Associated Press report on Friday, hackers linked to China may have compromised …

  1. silent_count

    If you have nothing to hide, you have nothing to fear.

    1. HildyJ Silver badge
      Thumb Down

      That's not the point

      Feel free to fill one out and post it. For people whose major asset is their Facebook account, it might not matter, but it does to the rest of us.

      I, for one, have something to hide from hackers: my name, address, and SSN, to start. Not to mention those "verify your identity" questions like high school, street I grew up on, mother's maiden name, etc.

      And I'll point out, the forms and other information that was stolen were from people who had passed their security clearance.

      1. Eddy Ito

        Re: That's not the point

        Not to mention those "verify your identity" questions like high school, street I grew up on, mother's maiden name, etc.

        Those questions are worse than useless since most of it is public information. You graduate high school - it's in the paper, your address was recorded by the registrar of deeds, your parents' marriage license is recorded somewhere and their proud parents (your grandparents) undoubtedly had an announcement in the paper. Sure, it's a bit of work but it's all there and when you consider a good number of people still live in the town they grew up in it's quite a bit easier. Kids of career military might be a little harder to pin down if they moved several times but not too much since there are very detailed records of that too.

        1. Doctor Syntax Silver badge

          Re: That's not the point

          "most of it is public information"

          So it is but for any one person it takes time, effort & expense to locate as anyone interested in genealogy will tell you. You may run into multiple people with the same names and have to devote more time to sorting them out. Having it all neatly laid out by the data subject saves an awful lot.

      2. Trevor_Pott Gold badge

        Re: That's not the point

        "For people whose major asset is their Facebook account, it might not matter, but it does to the rest of us."

        It matters to everyone, or it matters to no one. You do not get privacy for the privileged but not for the proles. That's how revolutions start.

        1. Anonymous Coward

          Re: That's not the point

          Throughout the long recorded history of mankind, I've noticed one universal. So long as those who consider themselves one of the "middle-class" are treated well, their lot improving, and their "rights" (social privileges) untrammeled, they go with the program, whatever program has been selected by those (perceived to be) in charge. When that contract is broken, revolution is not far over the horizon.

          You can drape this in philosophical, economic, political science, psychological, or other frameworks, it matters not. History is very unforgiving.

          1. Dan 55 Silver badge

            Re: That's not the point

            The trick is the government distributing enough wealth to the population to keep them happy. Very few countries actually manage it.

            On the subject of wealth, this is the proof that your data is worth something.

            1. Anonymous Coward

              Where's the data-breach posted? is it on pastebin yet??

              there are a few names that I'd like to cross-check

              Bliar

              various Milipedes

              etc

              wealth you say?

        2. Tom 7 Silver badge

          Re: That's not the point

          @ Trevor_Pott That's how revolutions used to start - ooh look topless girl on a mountain!

      3. Graham Marsden

        @HildyJ - Re: That's not the point

        I think your Irony Detector malfunctioned.

        (At least I *hope* the OP was being ironic...)

      4. Anonymous Coward

        @HildyJ "verify your identity" questions

        Only a moron answers truthfully to those security questions that are a plague on websites everywhere, asking what high school you went to, the name of the street you lived on when you were in third grade, etc. No matter how good a password you choose, if you answer these questions truthfully you may as well have used "password1" for your password since it takes almost no effort to find many of these answers for the average person and email the "forgot password" link to reset their password.

        It is sad that those same questions are used to verify your identity when you try to access your credit report since that's probably already been pulled for all the high value targets on the list, but considering the scale of this breach the ability of the Chinese government to access your credit report is like adding a firecracker to a bonfire.

        Guess I'm lucky that even if they got my info the Chinese government wouldn't have any interest in me since my stint as a contractor was nearly a decade ago and I don't have any friends who are Chinese nationals.

        No doubt the US has broken into similar databases for most countries in the world, except for those too backward (or too smart?) to have digitized them.

        1. Dr Gerard Bulger

          Re: @HildyJ "verify your identity" questions

          What annoys me about these security questions is that banks and others, such as SKY TV/Broadband, INSIST that they will only correspond by telephone. I am on an analogue telephone, which can be hacked into by anyone with a pair of crocodile clips. Sky will not give any email address and their web chat then says RING in if you want anything done. Banks respond even to letters, hand written, by a phone call to confirm what I wrote, because reading is beyond them. Oh no, you have to ring and blurt out bits of passwords and those security questions over an open line. Then they transfer you to another department where they make you do the whole thing over again. I think I must have given my details to six different people with SKY once. Telstra in Australia is no better.

          1. x 7

            Re: @HildyJ "verify your identity" questions

            "banks and others, such as SKY TV/Broadband INSIST that they will only correspond by telephone"

            simple reasons for that:

            1) dealing with an enquiry by phone means there is no paper record to scan / read / analyse / action and file. Everything happens and is logged during the call with the operative keying the record there and then

            2) companies invest a lot of capital in setting up call centres and they want to sweat the assets - put as much work through them as possible

            3) every call to a call centre is a potential sales opportunity. You'd be surprised at how many complaint calls can be reversed into a new sale or upgrade

            Sorry this is a diversion from the thread but I felt the point required answering

          2. Tom 13

            Re: they will only correspond by telephone.

            Be thankful they do.

            The "free security" OPM is offering as a result of the breach? Yeah that's right government is distributing the notification in unsigned email asking those who have been affected to go to a website to register. If you have the temerity to call them, they refer you to their website while keeping you on indefinite hold. Absolutely no chance for fraud there sir, none whatsoever.

      5. JeffyPoooh
        Pint

        Re: That's not the point

        "verify your identity"

        Yeah. Questions with 'secret' answers that only you know, but you keep telling the answers to anyone that asks.

        The stupidest security concept in history.

    2. Anonymous Coward

      if you have nothing to hack, you have nothing to fear

      TFTY

    3. Neil Stansbury

      Wrong

      You have everything to fear...

      Because you have no idea how that information will be used today or what inferences will be drawn from it tomorrow, or indeed who your conveniently collated life history will be passed on to - intentionally or unintentionally.

      People who suggest you have nothing to hide live in cloud cuckoo land, whereby talentless, unqualified politicians & civil servants don their super-hero capes and, upon their white steed, come riding out of the sunset to your rescue.

      Dream on.

      The simple reality is this, if you genuinely have nothing to hide, then you have nothing worthwhile sharing, so keep your mouth shut and hide as much as possible.

      1. Mark 85 Silver badge
        Big Brother

        @ Neil S -- Re: Wrong

        It is funny in many ways (funny = scary) how information is passed around. I recently had need to log on to UPS (United Parcel Service) which meant "open an account". Instead of my filling in the blanks as I remembered things or wanted to put in... they were asking questions from 20 years ago AND telling me if I got the answer wrong. Needless to say, I didn't open the account, I called instead and quickly rectified the issue. If they are getting wrong data, let 'em have it. The scary part is, what if they were getting it right? Where did it come from? Who else has access to this?

        Do I have anything to hide? Just my identity as far as financials go. Do I have anything to fear? You bet. There's already too much out there. I realize it's not "am I going to be a victim?" but rather "when am I going to be a victim?".

    4. Anonymous Coward

      Post-snowden, I'd naturally assume these were in some sort of unmaintained and unpatched SharePain server.

      If you have nothing to hide, you use M$ warez. In other words, if you use any of their products, but don't have the time or budget to constantly sit around to patch and reboot every other day, assume your data will be compromised sooner or later.

    5. Anonymous Coward

      You must understand the background.

      If you have nothing to hide, you have nothing to fear.

      That's actually not the point of deeper security vetting. Deep security vetting is not a pass/fail process (although the data contributes to a final decision), it is a risk assessment that is actually in your interest.

      Such an assessment seeks to discover where an adversary might seek to coerce or pressure you into cooperating, and plan accordingly. It means that some work may be a personal risk to you, or that you may be very suited to some work because you do not have a weak spot there.

    6. hymie

      You are a dumbass.

  2. HildyJ Silver badge
    FAIL

    Lots of people have to fill this out

    As a retired fed, I wanted to clarify something. When people hear "security clearance" they think military and intelligence people but the use of security clearances in the US Government is much more widespread. Many people in positions considered "sensitive" for reasons other than military secrets are required to fill out this form. In addition to text/PDF records, the government also collects digitized pictures and fingerprints (although I don't know if OPM gets those).

    1. Charles 9 Silver badge

      Re: Lots of people have to fill this out

      But it's still a veritable one-stop shop for identity theft, which itself has serious security consequences.

      1. Anonymous Coward

        Re: Lots of people have to fill this out

        One stop shop? In a shop you usually have to pay. Here the Feds have given the data away.

        Having said that, I wouldn't put it past the bureaucrats to have allowed this to happen because it can now be used to "justify" a vast increase in offensive operations against China et al, and it gifts them the ultimate budget defence of "if our budget gets cut we won't be able to secure your personal data".

        Never forget that the purpose of a bureaucracy is quite singular, and that is to grow and sustain itself even at the expense of the host organism.

        1. edge_e
          Facepalm

          Re: Lots of people have to fill this out

          It's ok, it doesn't ask for the name of your first pet

          1. Hollerith 1

            Re: Lots of people have to fill this out

            Not name of first pet? Whew! My password is safe.

            1. breakfast
              Coat

              Re: Lots of people have to fill this out

              And so is my Porn Name!

          2. Philip Lewis

            Re: Lots of people have to fill this out

            Actually, first pet is the one I always choose. There are only 5 living people who know the answer to this one.

            1. Anonymous Coward

              Re: Lots of people have to fill this out

              As long as you don't put your first pet's name on the security clearance form, you should be fine.

        2. Ole Juul

          Re: Lots of people have to fill this out

          One stop shop? In a shop you usually have to pay.

          It's a loss leader.

    2. Robert Helpmann??
      Childcatcher

      Re: Lots of people have to fill this out

      Many people in positions considered "sensitive" for reasons other than military secrets are required to fill out this form.

      Exactly. Also, the constant refrain from the press on this is that it is all about government employees, but it affects everyone who has filled out one of these forms, including contractors, retirees and those who merely applied for a position but never were hired.

      1. Anonymous Coward

        Re: Lots of people have to fill this out

        It also covers ex-employees of UK organisations who had even relatively short secondments :-( although it was made up of fewer pages 10 years ago

    3. John Smith 19 Gold badge
      Happy

      Re: Lots of people have to fill this out

      "As a retired fed, I wanted to clarify something. When people hear "security clearance" they think military and intelligence people but the use of security clearances in the US Government is much more widespread. Many people in positions considered "sensitive" for reasons other than military secrets are required to fill out this form. In addition to text/PDF records, the government also collects digitized pictures and fingerprints (although I don't know if OPM gets those)."

      I'd read various memoirs of US Govt types mentioning the Draconian application form.

      So "Spy" really is a documentary?

    4. Anonymous Coward

      Re: Lots of people have to fill this out

      "...digitized pictures..."

      This line of reasoning leads to full burkas for everyone.

  3. Anonymous Coward

    Fail

    I believe el Reg here has to add a special fail icon, double-sized with extra swiss cheese (because holes).

  4. Anonymous Coward

    Perhaps they plan to flog it on Tor in order to recoup some of TREEEEEEEELIONS in "loans"

  5. Mark 85 Silver badge

    This is rapidly becoming a world laughing stock

    And deservedly so... I'm just waiting to hear what else has been lifted like maybe social security information, immigration information, etc. Yes a super massive FAIL to the government for not providing the security the data deserves. Congress is just as much to blame as I'm sure they've slashed IT budgets left and right. They want the data slurps but won't protect the people's information.

    I fear the worst is yet to come.....

    1. Charles 9 Silver badge

      Re: This is rapidly becoming a world laughing stock

      Probably some financial bombshell that instantly kills global trust in the Dollar.

      1. Anonymous Coward

        Re: This is rapidly becoming a world laughing stock

        "...global trust in the Dollar"

        WTF?

        What trust?

        Have you mistaken circumspect pragmatism for trust?

        1. Charles 9 Silver badge

          Re: This is rapidly becoming a world laughing stock

          It's still trust in a sense; otherwise the world would've abandoned the Dollar for something else. The fact they haven't implies some level of trust, even if it's of a paranoid level.

    2. Anonymous Coward

      Re: This is rapidly becoming a world laughing stock

      It was not so long ago that one guy looking for UFO information made headlines because he was able to look through a 'secure' US Mil computer. The US said then that their networks were so secure he had to be the world's master hacker. Now it turns out that almost anyone can walk in and look round any US Gov/Mil computer and take what they want.

      This much vaunted 'security' is indeed becoming truly laughable.

      1. Esme

        Re: This is rapidly becoming a world laughing stock

        Indeed, and it's about time that the US apologised to Mr McKinnon for harassing him over their own failings. It was blindingly obvious at the time that US government security was laughable, yet they still hounded the poor chap simply because they were embarrassed at having their failings exposed and tried to make Mr McKinnon suffer because of their embarrassment. That's simply despicable.

      2. Tom 13

        Re: almost anyone can walk in and look round any US Gov/Mil computer

        No, not the Mil computers, OPM. Trust me on this. My roommate has enough trouble logging into his work computer every day and he's authorized to do so. The secure one? Yeah, that's an even bigger PITA.

        The problem is OPM forgot/ignored the fact that, since those records constitute the underpinnings for the whole security infrastructure, when collected into a single database it requires one grade above Eyes Only clearance.

    3. keithpeter Silver badge
      Windows

      Re: This is rapidly becoming a world laughing stock

      I hope that this discovery will lead to questions being asked about the resources being spent on mass surveillance of home and allied populations - i.e. huge data trawls producing low priority information that is mostly just deleted after some period of time.

      Just possibly someone might begin to think that a little spending on actual secure systems for the basics like this might be a better idea?

      Jaron Lanier writes about 'siren servers' by which he means the way various agencies 'sell' large IT based projects to gullible politicians/corporate managers. Shiny, sound good, but apparently generate little advantage.

      PS: if this happened in the UK we would never hear about it of course. Rest assured.

      1. Primus Secundus Tertius

        Re: This is rapidly becoming a world laughing stock

        @keithpeter

        In the UK they just send CDs of social security data in the post. As you say, they have not admitted that anyone has actually used that information. Also they leave memory sticks in pubs and taxis, but don't admit that.

        The UK Treasury clearly did not believe in spending money to protect data about UK citizens. It looks as though the USA has a similar problem.

      2. Tom 13

        Re: discovery will lead to questions being asked about the resources being spent

        Why? They're two completely independent questions. What you want cut off is about collecting data on potential threats. The OPM breach is about protecting known targets.

  6. Magani
    WTF?

    El Reg illuminates again

    Thank you, El Reg, for showing me another instance in the seemingly never-ending list of words that Merkins use differently to other English speakers:

    "Had your wages garnished?"

    My first thought was of my pay packet lightly sprinkled with pepper and a few parsley flakes. It would seem however, that they were referring to what I'd always known as 'garnishee'.

    Am I alone here, or do fellow Strine speakers (to say nothing of K1W1s or those from the Mother Country) also know it as 'garnisheed wages'?

    1. This post has been deleted by its author

    2. Anonymous Coward

      Re: El Reg illuminates again

      It's AMEЯICAN ЯEVEЯSAL...

      Try to imagine newspeak delivered in some hideous slack-jawed parochial accent.

      Garnishing : Taking something away

      Officer involved homicide: The filth just shot you

      Land of the free: Prison (if you're lucky)

      ...and so on...

      Poor sods have even been made to drive on the wrong side of the road!

      Whoops! Forgot the mask. <sarc>Wouldn't want to end up on any lists!</sarc>

  7. Adam 1

    On an aside, the (allegedly) sentient beings setting fire to the joint here have passed laws to require ISPs to store all metadata for two years. Every website you visit, every email you send.

    But don't worry, I'm sure that data will be perfectly safe from hackers.

    1. Paul Crawford Silver badge
      Facepalm

      If you collect it, it will get leaked eventually.

      1. Destroy All Monsters Silver badge

        this_is_fine_burning_house_dog.jpg

        1. Anonymous Coward

          It does seem to be a very compelling argument to stop people hoovering up all your data.

    2. Magani
      Big Brother

      Whatever you do...

      ...don't tell our political masters about VPNs.

      I foresee a time very soon when my system will be on a non-log-keeping VPN 24/7.

      (And before you ask, while I have nothing to hide, I also have curtains in my house. Bugger off, Big Brother!)

  8. PhilipN Silver badge

    Who - me?

    I automatically started to consider answers to these questions (you all did - go on, admit it) then stopped half way because the next thought was if all that had been set out in black and white : "Who the fuck is this person? Nobody I recognise."

  9. skeptical i
    Paris Hilton

    Just direct employees? Or also contractors' employees?

    If some government contractors require various clearances, would this same form be used as a starting point to determine which contractors (and contractors' employees) get them? If so, would they (or copies of them) also have been stored with the employees' forms that got hacked? Sorry if this was addressed elsewhere (hence Paris). I'm concerned about a former co-worker who had moved on/up to a job for a company that did government work.

    1. HildyJ Silver badge

      Re: Just direct employees? Or also contractors' employees?

      Yes, it's the same form but I don't know if OPM is the repository for them. They are probably in the original agency's database and the FBI's.

      1. Anonymous Coward

        Re: Just direct employees? Or also contractors' employees?

        Yes, I think they're stored in the same database.

        I think I read that on Ars...

    2. Tom 13

      Re: Just direct employees? Or also contractors' employees?

      It's a question OPM is mostly dodging for the moment for the first breach (technically tepid denials), on the second the answer seems to be yes both types of data were compromised. And really, if you're thinking about it from the black hat angle, both databases have value if not necessarily of the same type. If you've got a fed you probably have deep penetration, with a contractor you might get wide penetration.

  10. Tommy Pock

    Spies got spied.

    It couldn't have happened to a nicer country.

  11. Neil Barnes Silver badge

    Dear US of A

    When hole is deep enough, stop digging...

    What imbecile placed this data on an external-facing network?

    1. bri

      Re: Dear US of A

      Who said it was on an external-facing network? They could get there through multiple hops - it's perfectly sufficient for another government body to have connections both to OPM and an external network.

      Having seen some large networks and their defenses I don't believe that such hacks are *that* straightforward. But granted, it would be even more tragic that way.

      1. Neil Barnes Silver badge

        Re: Dear US of A

        @Bri - you're right, it probably wasn't on anything directly visible - but my point is that information like that should have been locked as tightly, and as accessibly, as if it were individual paper copies in a filing cabinet.

        Access should have been restricted to a small set of people able to access *one file at a time* and ideally physically separated - airgapped - from generic access; that is, access permissions are physical, not electronic. This is not the sort of information for which there is *ever* a need for one person to see all of it, and a huge risk - as demonstrated - if they do. But some genius has been sold the idea that it would be much easier to deal with if it were all in one virtual database...

        Which is not to say that it is only the USA government that can commit such idiocies, nor even that a one-file-at-a-time access mechanism would necessarily stop people trying, and perhaps succeeding in, gaining access illicitly - it's such a juicy target. It's not the only one - think of insurance companies, health agencies, tax agencies, benefit systems, banks... they're all in the same boat and if they're not thinking about this now, no matter how good they think their systems are, then they should be.

        1. Anonymous Coward

          Re: a need for one person to see all of it

          Sure there is - otherwise how are you going to go data mining to search for potential spies, communist sympathisers, tourist cells etc?

      2. Koconnor100

        Re: Dear US of A

        Internal facing networks are no safer. The night janitor plops a Raspberry computer with a wireless modem to the outside world into an unused jack and moves along and no one is the wiser. (Raspberries are very small). And with China constantly gathering private information on people, and a long history of blackmailing (usually ex-Chinese patriots ... we have a gun to your grandad's head, you will do as you are told...), yeah, they're going to penetrate everything.

        Even if you lock out the Chinese immigrants, they have home addresses. They can blackmail the immigrants into planting letter bombs (carry them by hand so the post office can't intercept them), and after a few go off start threatening Americans "We know where you live, thank you for giving the names and addresses of your wife and children, you will do as we say OR ELSE !" ....

        And NSA is going to be up there saying "YOU NEED US ! THIS IS OUR TIME !" but really, it's their breaking of everyone's encryption everywhere that caused this. We need more NSA like we need a hole in our heads.

        1. Anonymous Coward

          Re: "a Raspberry computer with a wireless modem"

          "a Raspberry computer with a wireless modem to the outside world into an unused jack "

          Absolutely impossible, at least at my previous employer, where Raspberry Pis were confiscated by the IT Department if discovered onsite.

          Same outfit (a UK List X site) also didn't seem to care that the networked printer/copiers (supplied and maintained by a company whose technicians' identities were generally not checked before entry to the site) were very convenient places to hide the same kind of dodgy game.

          Or alternatively someone could have used a random smartphone with a USB OTG LAN adapter and plugged that in instead. Kind of hard to spot.

          Anyway, in principle, on a properly configured switched network, an ordinary port will only see traffic which is genuinely destined for that port (its own MAC address, or multicast/broadcast). Sadly, the same employer didn't seem to have managed to set this up right; my desktop saw all kinds of traffic it should never have seen.

          In principle then, even without the joys of 802.1X per-port authentication (can you do that on a Pi?), network port snooping shouldn't be all that useful a tactic. If you can get at a managed switch and configure a mirror port, that would be helpful, but if you can do that the organisation probably has bigger problems.

        2. Paul Crawford Silver badge

          Re: Dear US of A

          "the night janitor plops a Raspberry computer with a wireless modem"

          If they are taking security seriously the switch would be configured to only allow specific MAC addresses on specific ports and even then only allowing the DHCP-supplied IP address to be used, so that trick won't work.

          Also if they take security seriously they would put all the crappy never-patched network things like printers, web cameras, etc, on a separate VLAN/IP range (and without external access in the sad case they are not air-gapped) so their behaviour can be seen more clearly by intrusion monitoring systems, etc, and they can be blocked from initiating any connection to the "good range" machines (i.e. they only react to a print command and don't get to broadcast or probe the PCs).

          A more likely physical attack is to plug 'evil USB' devices in to unguarded machines. OK those systems should also be locked down so USB is not on autorun on anything like it, but that may not be enough if they have a zero-day exploit for the lower level USB hardware/stack used. In the nation-state with insider doing dirty work case that is, of course, possible.

          Either way, it is much much harder to exploit a network not on-line, as exfiltrating the data needs some sort of access (USB or similar again) and there is a high risk of the person getting caught if the sysadmins have some regular checking of system logs for device attachment, etc, happening.
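          The switch-side controls described in this comment (MAC-locked access ports, accepting only the DHCP-assigned address, and a quarantined VLAN for printers and similar never-patched devices), together with the per-port 802.1X authentication mentioned in the earlier reply, as an added example that is not part of the original comments or of any product documentation. It is written in Cisco IOS syntax for a Catalyst-style Layer 3 switch; the VLAN numbers, interface names, the 10.10.0.0/24 user range, the 10.20.0.0/24 printer range and the RADIUS server address are all constructed values, and the RADIUS shared secret is a placeholder.

```cisco
! --- DHCP snooping: only the uplink towards the real DHCP server is trusted,
! --- so a rogue box on an access port cannot hand out addresses.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/48
 description UPLINK-TO-CORE-AND-DHCP (constructed)
 ip dhcp snooping trust
!
! --- Ordinary user port: one learned MAC, locked to the port, and IP Source
! --- Guard so only the DHCP-leased IP/MAC pair may send. A second device on
! --- the same jack (or a spoofed address) errdisables the port and is logged.
interface GigabitEthernet1/0/5
 description USER-DESK (constructed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ip verify source port-security
 ip dhcp snooping limit rate 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Port that additionally requires 802.1X before any traffic passes.
! --- Assumed RADIUS server 10.0.0.5 (constructed); secret is a placeholder.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius server LAB-RADIUS
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key <REPLACE-WITH-SHARED-SECRET>
!
interface GigabitEthernet1/0/10
 description USER-DESK-DOT1X (constructed)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! --- Printer/camera port: separate VLAN, never a sticky exception.
interface GigabitEthernet1/0/20
 description PRINTER (constructed)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ip verify source port-security
!
! --- Inbound filter on the printer VLAN: printers may only answer TCP
! --- sessions that a user PC opened; they cannot initiate connections to
! --- the user range, and nothing else (including the outside) is reachable.
ip access-list extended PRINTERS-IN
 remark answer traffic only for sessions opened from the user range
 permit tcp 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 established
 remark everything the printers initiate themselves is dropped and logged
 deny ip 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 log
 deny ip any any log
!
interface Vlan20
 description PRINTER-VLAN-GATEWAY (constructed)
 ip address 10.20.0.1 255.255.255.0
 ip access-group PRINTERS-IN in
!
! --- Make port-security and errdisable events visible to the SIEM.
logging host 10.0.0.9
snmp-server enable traps port-security
errdisable recovery cause psecure-violation
errdisable recovery interval 3600
```

          Two caveats a practitioner would check: the `established` keyword matches only TCP segments carrying ACK or RST, so it is a stateless approximation and does nothing for UDP (a stateful firewall between the VLANs is the stronger version of the same idea), and sticky MAC entries persist across reboots only after the configuration is saved. Port security on its own is also only as good as the monitoring of the violation syslog and trap, which is why the logging lines are part of the example rather than an afterthought.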

          1. Roland6 Silver badge

            Re: Dear US of A @Paul Crawford

            "If they are taking security seriously the switch would be configured to only allow ..."

            You are omitting the fun and games of multiple layers of traffic encryption which are usually done both physically separate to the switch and to each other, so that there is minimal risk of traffic of differing grades being "in the clear" in the same physical box...

            1. Paul Crawford Silver badge

              Re: Dear US of A @Paul Crawford

              You are of course correct.

              I was just thinking aloud about things that can be done for little physical cost on "normal" PCs & networks typically used in below-secret Gov, Business & Universities. OK, air-gapping is not common on those, but all the other features are pretty much standard on Cisco and similar kit, so having red/black networks for internal/external can be done and spare kit used for both.

              Edited to add, worth a read:

              http://www.gocsc.com/UserFiles/File/Ortronics/WhitePaperGovtv5AUG2011FINAL.pdf

          2. Anonymous Coward

            Re: Dear US of A

            "If they are taking security seriously the switch would be configured to only allow specific MAC addresses on specific ports and even then only allowing the DHCP-supplied IP address to be used, so that trick won't work."

            And if the device acts as a transparent sniffer that CLONES the target's MAC? AND is provided information from inside the device to decrypt connections and so on?

            1. Paul Crawford Silver badge

              Re: Dear US of A

              Again, you are looking at a much higher bar than plugging in a device to an unused port at the recreational area, etc.

              Now you are actually tampering with the internal wiring and could easily install a keyboard logger, etc. But on an isolated network you would have to use a radio link out, and that could be monitored as part of a sweep for bugging anyway, if you are sufficiently paranoid or working to regulations that demand that degree of security. That is why the "red" cables in proper high security installations have to be visible along their whole length and subject to regular inspections for tampering (or shielded fibre with some fibres used as tamper-detection, etc).

              1. Charles 9 Silver badge

                Re: Dear US of A

                "But on an isolated network you would have to use a radio link out, and that could be monitored as part of a sweep for bugging anyway."

                Not if it's designed NOT to transmit all the time but instead only on a specially coded signal it receives first, THEN it transmits its stuff in a quick short-range burst that would require an omnipresent super-sensitive (as in prone to drowning out) detector to trace. If you're pro enough to get this far, you probably have an egress plan as well.

      3. Roland6 Silver badge

        Re: Dear US of A

        "Who said it was on external-facing network? They could get there through multiple hops"

        Well that would indicate that the database was incorrectly graded for security purposes. As given the risks associated with disclosure - the full database should have been Secret or higher (so no physical connection to lower grade networks), with only highly selective extracts being made available on networks with lower security ratings.

        So once again it seems the US government is paying in spades for its approach to security which doesn't seem to have changed over the years - namely extradite and put on trial those identified as having made unauthorised access to their "secure" IT systems.

    2. Charles 9 Silver badge

      Re: Dear US of A

      "When hole is deep enough, stop digging..."

      But what happens when you've been digging through sloppy mud all day and all you have is a shovel? Oh, and you hear thunder in the distance...

      1. Destroy All Monsters Silver badge

        Re: Dear US of A

        Well, the surveillance state seems to be shovel-ready.

    3. Tom 13

      Re: Dear US of A

      OPM is the clearing house for every other agency across the country. How else do you manage that other than an external facing network? No, really; how do you do it? Army, Navy, Air Force, Marines, Coast Guard, National Guard, okay maybe them you can put on secure PCs on the mil net. Dept of Energy? Dept of Commerce (NOAA/weather, FAA)? Dept of Treasury? Dept of Homeland Security? NASA? Dept of State? Dept of Veterans Affairs?

      You need immediate access across multiple locations. Maybe you can make the case it shouldn't be on the internet, but even that's problematic. Yes it should have been secured better than it was, but simply not public facing won't meet system requirements.

      1. Paul Crawford Silver badge

        Re: @Tom 13

        Firstly all these remote locations don't need access to a lot of data at any one time, so the database server ought to rate-limit requests and queries to a reasonable amount per authorised machine/user.

        Secondly having something where the leak is so significant really ought to have raised the question about how many sites really need to access it, and for them you could have deployed specific machines with dedicated hardware encryption in the network card (or a dedicated secure router) to tunnel the data to/from the server.

        None of them having any simple path to the outside world so an attacker would need multiple physical access aspects to begin hacking past the user account and rate-limiting aspects. Anyone needing to access the database would find those PC(s) in a reasonably secured room, log on and do their job, then go. Room could be CCTV'd so any attempted tampering would be on record, etc.

        It is all perfectly possible, but it costs money to do (much less than the hack is going to cost, I'll bet) and adds some inconvenience, but still much easier than the old days of paper files. So it's not really *that* inconvenient.

  12. Duncan Macdonald Silver badge
    Mushroom

    Politicians ?

    Would the records include the current crop of politicians (Congressmen, Senators, President and VP) ?

    If so then GOOD - see how they like being exposed.

    1. Tom 13

      Re: Politicians ?

      Nope, they get their security clearances by fact of having been elected. No other paperwork needed. Their staff OTOH ...

  13. Infury8r

    Obama's entry should make interesting reading

    1. Hollerith 1

      Hell, no.

      We know everything we ever want to know, or don't want to know, about Obama, given that every Denier, Birther etc has dug deep. I'd love to see the rap sheets on every State governor, especially the ones running for President. More especially their campaign funding.

    2. KA1AXY

      Finally! We get to see the long form birth certificate...here:

      WWW.heisauscitizen.cn

      :-)

  14. Christoph

    This is absolutely appalling

    If this is correct, it means that China has nearly as much information on NSA staff as the NSA has on every other person on the planet!

    How Terrible!

    They don't like it up 'em!

  15. Mark 85 Silver badge

    There's more to this than identity theft....

    I seriously suspect that people are going to die. If I were in the CIA or other agency, I'd figure that I'm a target. If I had filled out the form and had relatives in certain countries... some of them may die and not by natural causes. That's the freakin' scary part. There's a whole lot more to worry about and our stupid.. #$%^#@ government is responsible.

    If we think the US is alone in this, who broke into the German system? What did they get? Are there other countries that have been broken into and either they aren't telling or they don't know it yet?

    Don't get too smug those of you not in the US, I suspect your government may have already been hacked or is about to be.

    1. Anonymous Coward
      Anonymous Coward

      Re: There's more to this than identity theft....

      "If we think the US is alone in this, who broke into the German system?"

      I think you'll find their "ally" your stupid.. #$%^#@ government is responsible for that one too.

    2. Paul Crawford Silver badge

      Re: There's more to this than identity theft....

      The sad thing is this train wreck was seen to be coming for a long time, as you have:

      1) Gov collecting data on its people like a fetishist

      2) Gov cutting IT budgets and not holding anyone personally responsible, with power, to do anything about it.

      3) Putting stuff on or connected to external networks because it's cheaper/easier/more productive that way.

      4) Software / OS being so complex and hole-ridden with developers all running after "shiny and new" instead of simple and reliable.

      5) Other nations realising 1-4 and the gains to be had from popping said data.

      The USA may not be the first, but it sure as hell won't be the last nation to have its dirty laundry sent to China (or Russia, Israel, etc, etc)

    3. Caoilte

      Re: There's more to this than identity theft....

      This will certainly make it very hard to be ethnically Chinese and work for the US government, but I wonder if that might not have been the case already.

    4. Anonymous Coward
      Anonymous Coward

      Re: There's more to this than identity theft....

      > I seriously suspect that people are going to die

      Suspect? We should have a word about biology sometime.

      1. Mark 85 Silver badge

        Re: There's more to this than identity theft....

        Cute comment. Go back and re-read the first paragraph. It ain't about biology. It's more about one's relatives getting a bullet to the head and family gets a bill for the bullet. And about some employees may "disappear"...

  16. Anonymous Coward
    Anonymous Coward

    we who are about to be ripped off (again)

    point out that this is the best argument against mass surveillance. A one stop honey pot, managed by lowest bidder. The amount of detail that a bunch of clerks have on those of us who have to get clearances to do our tedious jobs has concerned coworkers for years. Our identities could easily be "borrowed". Israelis are good at that as an Ozwegian found out a few years ago. One wonders how many of the TLAs that lurk around Brandis' Attorney General's Department lend identities to our good friends when required.

    1. Anonymous Coward
      Anonymous Coward

      Re: we who are about to be ripped off (again)

      I know it is a silly question, but why wasn't this data encrypted? Any ideas out there?

      In my shop (an NGO, ffs) all externally facing data was encrypted at rest and in transit. All systems using that data needed to use a key and two way handshake before the data was useful. Our local DB copies were frequently sucked out by local yokels within our various branch offices, but this was always a disappointing experience for the suckers.

      Why do stupidity and lowest common denominator thinking always win over common sense and good design?

      1. Anonymous Coward
        Anonymous Coward

        Re: we who are about to be ripped off (again)

        "I know it is a silly question, but why wasn't this data encrypted?"

        Didn't you get the memo?

        If you've done nothing wrong you have nothing to hide. Only terrorists and paedophiles use encryption.

        1. Anonymous Coward
          Anonymous Coward

          Re: we who are about to be ripped off (again)

          Have an upvote on me, it is all much clearer now.

      2. Charles 9 Silver badge

        Re: we who are about to be ripped off (again)

        "In my shop (an NGO, ffs) all externally facing data was encrypted at rest and in transit. All systems using that data needed to use a key and two way handshake before the data was useful."

        Thing was, the stuff has to be useful at SOME point, which is where you attack the database: at the points where they MUST be decrypted to be useful. That's always been the unavoidable flaw with encryption. In order for data to be useful, you have to DEcrypt it SOMEWHERE.

        1. Anonymous Coward
          Anonymous Coward

          Re: you have DEcrypt it SOMEWHERE.

          "In order for data to be useful, you have to DEcrypt it SOMEWHERE."

          That's very true. Even so, does it necessarily lead to the conclusion that encrypting the data is a pointless exercise? I'd have thought that encryption was one layer in a multi-layered approach, but what do I know.

          1. Charles 9 Silver badge

            Re: you have DEcrypt it SOMEWHERE.

            Trouble is the multi-layered approach suffers from a common point of failure: the user interface where EVERYTHING has to be removed in order for the stuff to be of any use. About the only solution to this problem (essentially an exploitable "analog hole") is to go cyberpunk (in the style of William Gibson or Shirow Masamune) and have enc/dec security capabilities built directly into our brains.

            1. Anonymous Coward
              Anonymous Coward

              Re: you have DEcrypt it SOMEWHERE.

              "Trouble is the multi-layered approach suffers from a common point of failure: the user interface"

              Others have already mentioned that the user interface has built in rate limits. Any attempt to extract more decrypted data than plausible rate limits would permit, should immediately be ringing alarm bells.

              1. Charles 9 Silver badge

                Re: you have DEcrypt it SOMEWHERE.

                "Others have already mentioned that the user interface has built in rate limits. "

                That doesn't stop a PATIENT adversary, though. And the GOOD ones are patient. Patient adversaries are how we developed techniques like Smurfing and steganography. They probably started at a position where the stuff is used as part of the job, sniffed out the ones picked up during normal operations, and slowly worked up, finding ways to defeat the detectors as he went.

              2. Tom 13

                Re: plausible rate limits would permit

                Who says they exceeded plausible rate limits? Some of the reports I've read claim they traced the breach as far back as December 2014.

                What if the account compromised was a system admin level account? You know, the ones where you're expected to move the databases around as you reconfigure things.
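                The rate-limit idea raised by Paul Crawford above, and the "patient adversary" and sysadmin-account objections to it in this sub-thread, can be put side by side in code. This is an added example and not anything from the thread or from OPM: a constructed access log is replayed through two rolling windows, a short one that catches bursts and a long cumulative budget (with a tighter budget for admin roles) that is what catches a slow pull that never exceeds the hourly limit. All thresholds, roles, account names and events are invented for illustration.

                ```python
                """Replay a constructed record-access log through a burst check and a
                long-window cumulative budget check. Everything here is illustrative."""
                from collections import defaultdict, deque
                from datetime import datetime, timedelta

                # Assumed policy values, not real ones.
                HOURLY_LIMIT = 50                 # records one account may pull per rolling hour
                HOUR = timedelta(hours=1)
                LONG_WINDOW = timedelta(days=90)  # long enough to catch a slow, patient pull
                LONG_BUDGET = {"analyst": 2000,   # records per rolling 90 days, by role
                               "admin": 200}      # admins move databases, not read records


                class ExtractionMonitor:
                    """Tracks per-account record pulls over a short and a long rolling window."""

                    def __init__(self):
                        self.hour = defaultdict(deque)   # user -> deque of (ts, count) within 1h
                        self.long = defaultdict(deque)   # user -> deque of (ts, count) within 90d
                        self.alerted = defaultdict(set)  # user -> kinds already alerted on
                        self.alerts = []                 # (user, kind, iso timestamp)

                    @staticmethod
                    def _trim(window, now, span):
                        """Drop entries older than `span` relative to `now`."""
                        while window and now - window[0][0] > span:
                            window.popleft()

                    def observe(self, ts, role, user, count):
                        """Record one pull of `count` records; return alert kinds raised now."""
                        raised = []
                        checks = (("burst", self.hour[user], HOUR, HOURLY_LIMIT),
                                  ("cumulative", self.long[user], LONG_WINDOW, LONG_BUDGET[role]))
                        for kind, window, span, limit in checks:
                            window.append((ts, count))
                            self._trim(window, ts, span)
                            total = sum(n for _, n in window)
                            if total > limit and kind not in self.alerted[user]:
                                self.alerted[user].add(kind)   # alert once per account and kind
                                self.alerts.append((user, kind, ts.isoformat()))
                                raised.append(kind)
                        return raised


                def parse_line(line):
                    """Log line format (assumed): '<ISO timestamp> <role> <user> <record count>'."""
                    ts, role, user, count = line.split()
                    return datetime.fromisoformat(ts), role, user, int(count)


                def constructed_log():
                    """Constructed activity, not real data: ~100 days of four accounts."""
                    start = datetime(2014, 12, 1, 9, 0, 0)
                    lines = []
                    for day in range(100):
                        t = (start + timedelta(days=day)).isoformat()
                        lines.append(f"{t} analyst alice 10")   # routine caseworker
                        lines.append(f"{t} analyst carol 30")   # patient: always under the hourly cap
                        if day < 60:
                            lines.append(f"{t} admin dave 5")   # admin quietly reading records
                    burst = start + timedelta(days=3)
                    for i in range(8):                          # bob: 80 records in 40 minutes
                        t = (burst + timedelta(minutes=5 * i)).isoformat()
                        lines.append(f"{t} analyst bob 10")
                    return sorted(lines)  # fixed-width timestamps, so sorting replays in time order


                def run(lines):
                    """Replay log lines and return the alerts in the order they fired."""
                    mon = ExtractionMonitor()
                    for line in lines:
                        mon.observe(*parse_line(line))
                    return mon.alerts


                if __name__ == "__main__":
                    for user, kind, when in run(constructed_log()):
                        print(f"{when} {user}: {kind}")
                ```

                Only alice stays silent: bob trips the hourly check, while carol and dave never do, and are caught only because the 90-day budget adds up what the hourly check lets through.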

      3. Tom 13

        Re: why wasn't this data encrypted

        It's not clear whether the data was encrypted or not. If the data is encrypted on the drive, but uses an access account to decrypt the data and you compromise an access account, the data is still yours for the taking. That's largely the way the industry works these days with everything pushing to single log on authentication.

    2. Tom 13

      Re: we who are about to be ripped off (again)

      No it's not. The compromised data wasn't part of surveillance. It was collected specifically to do security clearances; to prove who you are and that you don't have any obvious weak links. That is, it isn't simply surveillance, it's been narrowed and refined. Indeed the biggest problem NSA and the rest of the mass surveillance people have is that there is too much data to easily produce usable information. Anyone trying to raid your one stop honey pot faces the same problem the surveillance agencies do, except not being state actors they are less likely to have the available resources to process the data.

      Lame arguments like this make the whole "no mass surveillance" crowd look like the tinfoil hat brigade. Use some logic instead of grooving on your latest hate meme.

  17. Anonymous Coward
    Anonymous Coward

    a scoop of a century

    or worse. And when in Chinese hands, the data is also likely to end up, bits of it, sold off to other interested "parties", happy to pay for this information. Russians would be delighted to be allowed to bid for some records, Iranians would be even more keen to "co-operate" with China on a "far-reaching range of issues", above and below water. Short of replacing those millions of affected bods (yeah, put them in storage and churn out new model), there's very little that can be done. I bet there's a race to go through the records, both in the US and in China, to see what information can be used immediately, before the other side applies countermeasures. Somehow, in this instance, I feel nothing but sorry for the US. Well, perhaps, ironically, given the fact they see it fair to spy on the whole world: what goes round...

  18. Ilmarinen
    Big Brother

    WTF?

    Questions, questions,

    and so few reply "None of your business".

    Speaks volumes of why Government can treat people as less than chattels.

    1. HildyJ Silver badge

      Re: WTF?

      No answer, no job. And probably a mark on your permanent record at the FBI.

      1. Ilmarinen
        Black Helicopters

        Re: WTF?

        @ HildyJ

        That is not the problem; the problem is that most people accept this.

        As most do not refuse they continue as willing subjects to unrestrained big government, which is never less obtrusive, but only becomes more so.

  19. Anonymous Coward
    Anonymous Coward

    Clusterf+ck

    What a disaster. Seriously, things couldn't be any worse, IF the leak is of that magnitude.

    How on earth will this be mitigated?

    1. Anonymous Coward
      Mushroom

      Re: Clusterf+ck

      From our side or their side?

      From our side, the only solution is for everyone in that database to turn themselves in to their nearest hospital as a living organ donor.

      For their side, well....we've got B-1's, B-2's, B-52's, and F-117's and I'm sure we could scrape up some F-111's, we could just empty our nuclear arsenal. It would take about 12 hours.

      Either way, the problem would be solved....but neither solution is perfect, since all of the pilots' data was in that database.

  20. Anonymous Coward
    Anonymous Coward

    As China builds pretty much every electronic device now used in the USA does this come as a surprise ?

    US intelligence, now there's an oxymoron if I ever heard one.

    1. Anonymous Coward
      Anonymous Coward

      I'm quite certain you'll find that this is more a case of..

      "As the USA creates pretty much every piece of software now used in the USA does this come as a surprise?"

      Which just makes your conclusion all the more tragic.

  21. Unicornpiss
    Black Helicopters

    That's what they want you to think?

    China actually hacked a database with made up information on hundreds of "people." All part of the plan...

    Seriously though, this breach is utterly appalling and should never have been allowed to happen. Since we can't police China effectively, maybe it's time for some trade sanctions?

    1. Infernoz Bronze badge
      FAIL

      Re: That's what they want you to think?

      Why are you so brain-dead as to suggest sanctions on China when the corpocracy which took over the US government and others shipped most of the goods manufacturing and jobs to China, so that the US is now a parasitic dependent of China!

      So where will all your goods come from then, stupid? Is it sinking in now just how stuffed the US is?

      The US government has been corrupted so badly and been fed so much over-priced shoddy junk (for massive corporate profits, mainly for the 0.1%) that it can't even do effective data security for what is arguably its Achilles' heel, the living people who work for this zombie fiction!

      1. Chris G Silver badge

        Re: That's what they want you to think?

        Having just reacted and downvoted Unicornpiss, on second thoughts he/she may have been being ironic in which case an upvote would be in order. Alternatively it could be a case of 'Don't feed the trolls' so no vote. Decisions , decisions!

        As for the really spooky peeps in the US, would they necessarily have any details on this database still?

        1. laird cummings

          Re: That's what they want you to think?

          "As for the really spooky peeps in the US, would they necessarily have any details on this database still?"

          Oh, yes. Absolutely - those 'really spooky' people didn't spring forth, fully-formed, from the CIA's head. They were once lowly applicants. The SF-86 is the gateway to the very first clearance, which is necessary to gain entrée to the kinds of programs wherein one becomes 'really spooky.'

          The comforting factor is that those 'really spooky' people are buried as needles in an enormous needle-stack, and the SF-86 doesn't link forwards, only backwards. Mister X's *pre-spook* history revealed, but no one knows which of those millions *became* Mister X.

          Government data is forever (until deleted in a mis-timed backup or datacenter fire).

      2. Anonymous Coward
        Anonymous Coward

        Re: That's what they want you to think?

        "Is it sinking in now just how stuffed the US is?"

        Somehow I doubt it. I don't think Fox or its viewers could cope with the news that World War III has finished and the winners were the global corporate kleptocrats in conjunction with "communist" China.

      3. This post has been deleted by its author

    2. Ilmarinen
      FAIL

      Re: That's what they want you to think?

      "can't police China effectively" - who do you think you are ?

      Clue: the Opium wars were a couple of centuries ago and the "China" that we are pretty much in hock to is a sovereign Big Government state with big military and global trade. Sending the traditional gunboat would result in sinking at the least. And what do you think the outcome of "trade sanctions" might be?

      Words do not fail me, but almost.

  22. DryBones
    Holmes

    "I trust Google with my data more than I trust the US government."

    Doesn't sound so silly now, does it?

  23. Andy Tunnah

    Wow

    Anyone else get the urge to fill one of these in just to see how screwed up your life looks from the outside looking in ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Wow

      No, I couldn't remember the answers to the questions that were enumerated in the article... and I'm only 46.

      1. Anonymous Coward
        Anonymous Coward

        Re: Wow

        Maybe it's really a thinly disguised Alzheimer's test!

      2. Tom 13

        Re: I couldn't remember the answers to the questions

        Yeah, if you don't get into one of these jobs pretty much straight out of college, you're screwed on answering the questions. If you do, you just keep a copy of your last form to update them.

        Although I will say that when I had to reconstruct some of those questions for some job interviews, the internet was scary good at digging up the answers for me. I could actually reconstruct my housing record all the way back through college.

  24. WalterAlter
    Pirate

    Duck and Cover Bilderberger Swine

    Would be nice to have critical quantities of data on the intel conduits to and from globalist oligarch elements and their assets in the CIA, NSA, ONI, FBI, FEMA and other potential police state apparats. This will be THE topic of woe at the current Bilderberger meeting. Hopefully our hackers are in touch with their hackers and such outlets as Cryptome and Wikileaks will be in the loop.

    IF China is the invisible hand in all this, they will first use it to ensure and amplify the work of the BRICS economic and credit bloc.

  25. swampdog

    Probably explains why..

    ..I don't often get a lot of that kind of work. Name, Address & signature is all they get out of me.

    Either they're going to check or they're fishing.

    1. laird cummings

      Re: Probably explains why..

      "Either they're going to check or they're fishing."

      They ARE going to check, but without help from you it costs too much. And if you're not going to be cooperative, you've already demonstrated a bad attitude, as far as security goes. Why should they waste extra $$ on an attitude case? Especially as you're no special snowflake, and there are thousands of people without attitude problems who also want jobs.

  26. x 7

    Don't forget the recent breaches of data at nearly all of the USA Health Insurance schemes.

    That data when added to this makes the hole much much worse

  27. Mitoo Bobsworth
    Joke

    "US intelligence..."

    First prize for best use of an oxymoron in an article about US agencies.

  28. Paul Herber Silver badge

    Snowden

    I don't know why they don't just blame that Edward Snowden chap.

    1. Anonymous Coward
      Facepalm

      Re: Snowden

      Yeah, after all, he proved it could be done.

      1. Destroy All Monsters Silver badge

        Re: Snowden

        COUGH

    2. NotMyRealName

      Re: Snowden

      The UK government, via its compliant mouthpiece the Sunday Times, has today done that! The Chinese, so they say, hacked Snowden's files. No mention of US data losses....

      1. Destroy All Monsters Silver badge
        Holmes

        Re: Snowden

        Yeah....

        The probability that the US data slurp is being admitted in the same timeframe as the (frankly bizarre) story that Russian-Chinese Axis of Evil Hacking "cracked Snowden's files" is being put out, with both being true is low indeed.

        1. Anonymous Coward
          Anonymous Coward

          Re: Snowden

          Yes, it's all so simple now.

          Snowden bad, Government data guardians good.

          The data guardians (irony, please) will now need to make encryption illegal and store everyone's communications and private information online. Perhaps they will encrypt it too. Everyone else can f-off. And of course it's all Snowden's fault. His files probably contained the backdoor passwords for all those secure gov't databases. Or the URL of the sharepoint server where all the data was consolidated. Stupid doesn't begin to describe....

          Honestly, isn't it time for Alice to come out of the rabbit hole?

          A secure facility somewhere outside Washington DC, mid-November 2016:

          "Gentlemen, the Queen of Hearts will see you now, please leave your mobile phones, laptops and USB keys with the nice man in uniform."

        2. Anonymous Coward
          Anonymous Coward

          Re: Snowden

          Read this:

          http://www.democraticunderground.com/1016124601

          1. Anonymous Coward
            Anonymous Coward

            Re: Snowden

            Interesting article on how the hack was discovered.

            http://arstechnica.com/security/2015/06/report-hack-of-government-employee-records-discovered-by-product-demo/

            1. Sir Runcible Spoon

              Re: Snowden

              "Interesting article on how the hack was discovered."

              Doesn't sound right. Unless the OPM are running a flat network and the computer running the demo software was just plugged into a meeting room ethernet port to run a scan.

              Deploying this software into complex environments takes time and planning (aka projects) - I just don't see someone plugging their laptop into the network and 'discovering' this malware unless that network is completely open - in which case there are more problems to deal with than I could list!

              1. Anonymous Coward
                Anonymous Coward

                Re: Snowden

                I have looked into the CYTech company, who do defense work and other things. One of their demos is a full network scan. This apparently uncovered some malware and triggered the forensic discovery that it had been present for at least a year. Check out www.cyfir.com for a description of the product(s). An interesting feature is concurrent scans of outgoing connections, which may be how they discovered the malware.

                As for it not sounding right, if someone with sufficient privilege gave the vendors access, they could do whatever they wanted. A flat or flattish network architecture wouldn't surprise me in the least, as wouldn't open ethernet ports, etc. etc

                There are many, many network vulnerability scanning tools out there. Sounds like the OPM had just begun discovering them, a bit too late it seems. Don't forget that this is a government agency and a PHB could have easily handed them the keys to the kingdom.

                Still trying to find out more on this story, but so far no dice. They need to be interviewed by El Reg. For now only the Washington Post seems to be reporting it (paywall).

            2. Anonymous Coward
              Anonymous Coward

              More info on how the breach was uncovered.

              The Cytech services company makes full(ish) disclosure of what went down

              http://globenewswire.com/news-release/2015/06/15/744621/10138466/en/CyTech-Services-Confirms-Assistance-to-OPM-Breach-Response.html

              No such thing as bad publicity

      2. Dr Paul Taylor

        Re: Snowden

        BBC online news is carrying the same story, citing the Sunday Times: www.bbc.co.uk/news/uk-33125068

        1. Anonymous Coward
          Anonymous Coward

          Re: Snowden

          So let me check I've understood this right:

          The US's own OPM gets hacked, over a period of years, and nobody notices till some software outfit does a demo of an intrusion detection package. This despite the fact that the US guvmint has spent a fortune on an in-house anti-intrusion system. The apparently plausible story is that everyone on the Federal payroll is at risk. Maybe more victims will emerge from other databases.

          And then a few days later, in an (ahem) unrelated and as yet uncorroborated story, Snowden is once again accused of putting the lives of a few (in comparison) spies at risk, people who knew they would be at risk even before they accepted the job.

          Look, over there, a lion/tiger/squirrel/honest politician!

          Pardon me if I'm not very sympathetic to the anti-Snowden storyplanters and their puppets on this occasion.

          1. laird cummings

            Re: Snowden

            "The US's own OPM gets hacked, over a period of years, and nobody notices till some software outfit does a demo of an intrusion detection package..."

            Entirely plausible, if you're familiar with the Gordian Knot that is the US Civil Service and Government agency rules - including procurement rules.

      3. Doctor Syntax Silver badge

        Re: Snowden

        "The Chinese, so they say, hacked Snowden's files."

        ... and we know that because ...erm .. how do we know that?

  29. John 98

    What the Chinese did with it?

    One imagines that the Chinese have used all this data to quietly log in to a multitude of systems using the accounts of users with little technical knowledge, or concern for security, with easily guessed passwords. They may well have reams of other background information, plus of course the ability to cause chaos whenever they wish. And an amusing thought, they may have known for quite a while all about what the NSA and CIA have been up to round the world. Maybe more than Snowden? And maybe been allowing some misleading "hacks" into their own systems for good measure?

    1. Anonymous Coward
      Anonymous Coward

      Re: What the Chinese did with it?

      I'm starting to feel that we've got a real "wow" coming.

      Has NSA/CIA realised that Russia and China have unpicked their little AES knot? Maybe Snowden was a test to confirm that?

      http://www.thesundaytimes.co.uk/sto/news/uk_news/National/article1568673.ece

      1. Paul Crawford Silver badge

        Re: What the Chinese did with it?

        Maybe Snowden's documents were the source, or maybe this mega-hack. Who is to say the UK has not been popped (or was sharing with the US which clearly has been)?

        If I were Russia/China it would make sense to say it was Snowden to disguise being in on this hack, for example.

        Similarly if I were the USA/UK it would make sense to use Snowden as a stool pigeon to try and deflect public anger from the piss-poor security in place and/or the lack of appreciation of what such a massive database of all security-checked staff could mean when leaked.

      2. Anonymous Coward
        Anonymous Coward

        Re: What the Chinese did with it?

        That Sunday Times article is paywalled, but the same subject is covered elsewhere:

        "RUSSIA and China have cracked the top-secret cache of files stolen by the fugitive US whistleblower Edward Snowden, forcing MI6 to pull agents out of live operations in hostile countries, according to senior officials in Downing Street, the Home Office and the security services. "

        Technically plausible? Possibly. Actually credible (given the sources): not here it's not. "They would say that, wouldn't they. And they have a long long long record of consistently misleading the public."

    2. Roland6 Silver badge

      Re: What the Chinese did with it?

      Depends who "the Chinese" are. If they are government then I suggest they will do the same as we did in WWII and for many decades afterwards over Bletchley Park, namely keep very quiet and use the information wisely.

      Given what is on Form 86, I suggest it is information with a very long shelf life, which can also be used to cross match data from other 'public' sources. So they know who your children are and where they are...

      1. x 7

        Re: What the Chinese did with it?

        As I said before...when cross matched with the medical insurance data they've already ripped off they have a lot of info on a lot of potential targets that's going to have a very very long shelf life.

        As of now, everyone on that list is a potential target for threat blackmail or extortion. That by implication means no-one on that list can be trusted. Everybody - and I mean everybody - with a security clearance is going to have to be turned over and checked thoroughly. It's going to make the McCarthy era look like playtime.

        1. Charles 9 Silver badge

          Re: What the Chinese did with it?

          "Everybody - and I mean everybody - with a security clearance is going to have to be turned over and checked thoroughly."

          Credits to milos the FIRST people turned are going to be the CHECKERS, putting you square in a "Who Watches the Watchers?" scenario and no way out since you need checkers to hire more checkers.

  30. Afernie

    Isn't there an agency dedicated to preventing this?

    Pretty sure it's the one with the motto that reads "Defending Our Nation. Securing The Future." What's that you say - they couldn't spare any analysts or budget because they were too busy checking up on their girlfriends and sifting through US citizens email for fun and profit as much as any security objective?

    For shame..

    1. JonP

      Re: Isn't there an agency dedicated to preventing this?

      Yeah, it's almost like they need an agency that can deal with security on a national level. I'm sure they'll think of something...

      1. Anonymous Coward
        Anonymous Coward

        Re: Isn't there an agency dedicated to preventing this?

        We could call it "National Job Security Agency" or something a bit shorter.

  31. RegisterYank
    Big Brother

    Forget all that yap, the danger is....

    You just handed at least one foreign intelligence service a concise list of persons to check, which filters out all the non-sensitive government employees and all the general population. Then you give their spy service a list of potentially key people who can be blackmailed or a list of their loved ones that can be threatened or kidnapped.

    And yet, this is not the major story that it should be. The US government is spending trillions of dollars to trample on the privacy of everyone on the planet, yet cannot be trusted to maintain the security of a simple database.

    They'll eventually sacrifice some minor government functionaries and never change their priorities.

    1. ecofeco Silver badge

      Re: Forget all that yap, the danger is....

      Exactly.

    2. Paul Crawford Silver badge
      Unhappy

      Re: Forget all that yap, the danger is....

      Sadly it could get worse, the original hackers could paste it on a torrent or similar to provide plausible deniability for the state about acting on the information in it, and just say they got it from the hackers' public posting. That way other nations and every low-life scammer out there would have the treasure trove as well.

      I feel sad for all of those US citizens now at risk and angry that their government was so stupidly cavalier in having such an important database on a public-connected system (probably?) with such a poorly thought-through security aspect as this.

      They pay billions for the NSA and the least they could have done was got them to give the whole system and its management a once-over. Scrap that, Snowden showed even they had not thoroughly thought-through big system security.

  32. ecofeco Silver badge

    I keep telling ya

    You can't fix the special kind of stupid that is the US.

    1. laird cummings

      Re: I keep telling ya

      "You can't fix the special kind of stupid that is the US" ...Government.

      FTFY

  33. razorfishsl

    The Real WTF here... is that it was stored unencrypted... despite the US supposedly harboring some of the smartest people in IT

    1. laird cummings

      RE: The Real WTF...

      All in the interests of making it 'accessible' and 'searchable.'

      Which appears to have been accomplished in a grand fashion.

  34. Wzrd1

    Let's put it this way

    I have filled out the SF86 four times in my life, first when I worked with nuclear weapons, then with other highly sensitive operations and recently, for a job in the civilian world.

    So, as near as I've been able to ascertain, the PRC knows everything about me - for the past 35 - 40 years.

    Save, for some military duties.

    Federal positions specific duties are outside of OPM's purview.

    1. laird cummings

      Re: Let's put it this way

      Yup. Also, your spouse, your children, your siblings, your parents.

  35. Anonymous Coward
    Anonymous Coward

    Didn't GCHQ just release an unsubstantiated cover story suggesting that this is somehow all Edward Snowden's fault?

  36. Anonymous Coward
    Anonymous Coward

    Don't worry

    This will all blow over in 30 or 40 years and won't be an issue.

  37. RW
    FAIL

    Putting that stuff online was asking for trouble

    Sure, they didn't mean to put it online, but where there's a connection to Ye Olde Internette, there are hackers, and they are smarter than you are.

    Information that should never be leaked should never be digitized. To do so is asking for trouble.

  38. sisk
    Trollface

    Well at least they don't ask if you're gay. Some secrets are safe!

    Wait....they know whether your ex was Bob or Megan? Or both? Well so much for that.

  39. laird cummings

    One-stop shopping for ID thieves; but necessary

    The article makes it sound all so pointless and sinister and intrusive... Well, they're right on intrusive, but then, you don't have to ask for a security-clearance job, either.

    The primary point of the SF-86 is to give the suits doing your background check a leg up, so they don't have to spend so much money checking you out. If they had to do it from scratch, it would take years, and cost millions - per clearance.

    It's not JUST the leg up, either; those references that they could 'just look up' themselves? Who you pick as your references tells something specific about *you* - your judgement, that is. Did you pick morally-upstanding citizens? Or did you cite your drug-smoking trouble-making friends? (I have literally seen just exactly that on an SF-86!) If you lack the judgement to cudgel your brain for a few 'good citizen' references (or don't have any!), then the guys in suits can bin your application for 'demonstrated poor judgement' and save the taxpayers a lot of cash.

    The more complete your SF-86, the less it costs for the government to make an informed decision about your judgement, trustworthiness, and lack of hostile influences - All of which are necessary. It generally works out pretty well - Despite some very public breaches of late, the VAST, overwhelming majority of security-cleared persons go about their jobs in a trustworthy manner, day in, day out, for their entire careers.

    Which of course makes the breach of trust on the part of the government that much worse. I'll guarantee you that my name is in that pile of data. And my wife's. And my father's. My children. My siblings. And pretty much all of my friends. Every last one of us, betrayed by the government to whom I (and my wife, and my father) rendered faithful service.

    1. Charles 9 Silver badge

      Re: One-stop shopping for ID thieves; but necessary

      So what do you do about it? The very NATURE of the form and need to access it readily for security reasons MAKES it a damn juicy target. IOW, easy for you, easy for them, no way around it.

      1. laird cummings

        Re: One-stop shopping for ID thieves; but necessary

        What you *do* is not place it in an internet-accessible archive. Also; you apply solid security standards to the archive. And you segregate the archive into 'current' and 'historical.' There's generally not much call for SF86s from twenty years ago, though some MAY be called forth to corroborate a current case - But every instance where the form isn't being used for current clearances should be pushed right back into the 'History' bin, which should be kept 'near-line' as opposed to 'on-line.'
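The two design points raised in this thread, that the archive was stored unencrypted (comment 33) and that it should be split into a small online working set and a near-line history (the reply above), can be sketched in code. The following is an added example written for this page, not code from The Register, from OPM or from any real clearance system: record contents are constructed, the `TieredRecordStore` class and its method names are assumptions, and the encrypt-then-MAC routine built from `hashlib`/`hmac` is only there so the example runs on the standard library (a real archive would use AES-GCM from a vetted library). The point it demonstrates is that at any moment only the records attached to an open case are in the online tier, everything at rest is ciphertext, and every promotion, read and demotion leaves an audit entry.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Tuple

# --- encryption at rest ---------------------------------------------------
# Illustrative encrypt-then-MAC construction (hash-based keystream + HMAC tag)
# so the example needs no third-party library. Use AES-GCM in production.
NONCE_LEN = 16
TAG_LEN = 32


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive a per-purpose subkey so encryption and MAC never share a key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(master: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified blob is rejected, not decoded."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("archive record failed integrity check")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


# --- tiered archive (hypothetical design, not any agency's real system) ---
class TieredRecordStore:
    """'hot' is the online working set: only records attached to an open case.
    'cold' is the near-line history. Both tiers hold ciphertext only, and a
    record can be read only while it sits in 'hot' under the case that pulled it."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._hot: Dict[str, bytes] = {}
        self._cold: Dict[str, bytes] = {}
        self._open_cases: Dict[str, str] = {}          # record_id -> case_id
        self.audit: List[Tuple[str, str, str]] = []    # (action, record_id, case_id)

    def archive(self, record_id: str, record: dict) -> None:
        self._cold[record_id] = seal(self._master, json.dumps(record, sort_keys=True).encode())
        self.audit.append(("archive", record_id, "-"))

    def open_case(self, record_id: str, case_id: str) -> None:
        """Promote a record from near-line to online for one named case."""
        if record_id not in self._cold:
            raise KeyError(record_id)
        self._hot[record_id] = self._cold.pop(record_id)
        self._open_cases[record_id] = case_id
        self.audit.append(("promote", record_id, case_id))

    def close_case(self, record_id: str) -> None:
        """Push the record straight back to the history tier."""
        case_id = self._open_cases.pop(record_id)
        self._cold[record_id] = self._hot.pop(record_id)
        self.audit.append(("demote", record_id, case_id))

    def read(self, record_id: str, case_id: str) -> dict:
        if self._open_cases.get(record_id) != case_id:
            raise PermissionError(f"{record_id} is not attached to open case {case_id}")
        self.audit.append(("read", record_id, case_id))
        return json.loads(unseal(self._master, self._hot[record_id]))

    def online_exposure(self) -> List[str]:
        """What an attacker on the online system could reach right now."""
        return sorted(self._hot)

    def cold_blob(self, record_id: str) -> bytes:
        return self._cold[record_id]


def demo() -> dict:
    """Walk one record through archive -> case opened -> read -> case closed."""
    store = TieredRecordStore(os.urandom(32))
    # Constructed sample records; names and numbers are invented.
    store.archive("rec-1", {"name": "A. Applicant", "ssn": "000-00-0001", "ref": "B. Friend"})
    store.archive("rec-2", {"name": "C. Applicant", "ssn": "000-00-0002", "ref": "D. Friend"})
    store.open_case("rec-1", "CASE-42")
    during = store.online_exposure()
    rec = store.read("rec-1", "CASE-42")
    store.close_case("rec-1")
    return {"exposed_during_case": during, "exposed_after": store.online_exposure(),
            "name": rec["name"], "audit": store.audit}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is that `read` refuses anything not in the hot tier: a bulk export of the online system yields only the handful of records under active review, and each of those is ciphertext until a key held elsewhere is applied. Moving the rest to near-line storage does not make it unreachable, but it turns "copy one database" into a series of logged promotions.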

  40. Anonymous Coward
    Anonymous Coward

    Spooks play the victim to gain sympathy.

    From another perspective, perhaps the reason they are advertising this and wringing their hands so publicly is because this information is fundamentally useless to anyone.

    If the leak was really so damaging, they would not be making a deal about it. The reason they need to squeal like stuck pigs is to ensure that we understand how vital the "intelligence" services are, and so feed them more money to help beef up their defences. Help them recover from this tiny lapse, the poor dears.

    We've been well primed over the years to sympathise with alcoholics, depressives, kleptomaniacs and homosexuals, so helping the spies get back on their feet should come naturally to us.

    (Along with hating even more the Chinese and Russian evil doers.)

    This is nothing more than the spies' equivalent of a fraudulent "Flood appeal".

    Crafty buggers.

  41. Paul Smith

    "...how the Obama administration responds to the crisis."

    How did this become Obama's fault? Did that fool n* leave his laptop on the bus again? No, he doesn't take the bus any more, and he doesn't have a laptop.
