"haven't even bothered to notice your name", or what I've been saying
either, wherein lies the entire absurdity of this thread.

My post meant to convey two things and two things alone:

One, the absurdity of political candidates falling all over themselves
trying to get to a microphone to get on TV.
Two, that this is not a *newsworthy* story.

In the time it took you to type this, dozens more have probably died in
Tibet, dozens have died in Kenya, three militaries are sabre-waving at their
respective borders in South America, no one knows when the Serbia-Kosovo
thing will go south, more unborn children have been butchered for the sake
of convenience, and so forth.  The information in a passport file is really
low on the list of systems that need to be hardened inside the federal
government.  And that doesn't even count how many more significant
intrusions have taken place.

In fact, I'm sure thousands more National ID numbers (or SSNs if you prefer
the euphemism), CC numbers and so on have been stolen of everyday people
who don't have nearly the resources to track down and protect themselves
from the fraud they're likely to see soon enough.

Even a step further, this shit has taken place in every political campaign
for high office since the dawn of elections... why are we getting bent out
of shape now?  Is it because we're disciples of the Church of Obama?  Were
you bent out of shape like this when Michael Steele's credit reports were
stolen because I would think a credit report is far more consequential than
what countries you visited?

The point is, I didn't give a technical response to it, mostly because the
only data we have are token statements from State and press releases from
political campaigns in a hotly contested primary.  And even then, those have
been whitewashed through the press.  We don't know what the hell happened
yet, but what we do know is that the people involved got fired, and even if
they don't get prosecuted, their careers are over.  In the grand scheme of
life, this is not news.

So you misattributed my original post to something I did not intend, made
one character attack about my professionalism and then continue it here but
can't even be honest with yourself by putting in disclaimers like "no
offense", but then make ad hominems anyway.  I'd just rather you left my
flippant remark about **politics** lie.  If you want a technical analysis,
well, I'd like some data first... and money.

So unless you somehow think my GCIH and CISSP certifications require me to
support Barack "Empty Suit" Obama, I'm not sure what's left to discuss here.

It was a comment about politics and the media, nothing more.



On Sat, Mar 22, 2008 at 7:58 AM, Rich Kulawiec <[EMAIL PROTECTED]> wrote:

> [ I elided your remarks 'cause this is rather long as it is.  Hopefully
> I've managed to respond to all of them. ]
>
> I actually toned down my initial response.  No, you may not see it. ;-)
>
> Don't take this personally.  I have no idea who you are.  I don't really
> care.  I'm reacting to what you've said and haven't even bothered to
> notice your name, let alone remember it.  It's irrelevant.  So -- throughout
> this -- read "you" as "generic you".
>
> And my reaction is a mix of astonishment, exasperation, disappointment,
> and outrage.  Were I given this response by a freshman student on a final
> exam, I'd fail them for the course.  I would never expect to hear such
> a thing from a professional working in the field.
>
> (And if the certification processes aren't weeding out people who
> lack even this rudimentary level of understanding, then they're even more
> worthless than I think they are -- and I already think they're pure crap.)
>
>
> So here are some preliminary thoughts (and I do mean "preliminary") that
> outline in part just what the big deal is. I'm sure these only scratch
> the surface and are rife with omissions, and probably even a few errors.
> But even in this incomplete, unpolished state, I think that any one of
> these is more than enough to demonstrate that this is a very serious
> matter.
>
>
> 1. If we presume that one part of what we've been told is true -- that
> accesses of certain passport files result in notifications to supervisors
> -- then we know that the people running the operation are complete
> morons who have failed to demonstrate even a rudimentary grasp of basic
> security principles.  They have implemented one of Marcus Ranum's Six
> Dumbest Ideas in Security, to wit, #1: default permit.  The proper way
> for this to work, of course, is that all such files should be locked and
> all access forbidden without PRIOR supervisory approval.  There should
> also be additional measures in place: for example, offhand I can think of:
>
>        - it should require more than one supervisor.  This closes down
>        some attack vectors and it means that others rely on cooperation
>        between two or more people, which in turn means that in addition
>        to violating the Privacy Act, unauthorized accesses would require
>        a conspiracy.  It also means there are more loose lips to blab
>        about it, increasing both the probability of detection and the
>        probability that someone can be turned if detection occurs.
>
>        - it should generate notification that goes up and across the
>        supervisory chain in a manner which can't be controlled
>        by supervisors.
>
>        - the list of files thus treated should be actively maintained,
>        and should contain people who are likely to be the targets of
>        curiosity, blackmail, threats, etc.  Standing entries should
>        include members of Congress, federal judges, governors, etc.;
>        ad hoc entries should be created based on the front pages of
>        the New York Times, Washington Post, etc.  and should require
>        approval by more than one person, in order to prevent reverse
>        gaming of the system by an individual.
>
>        - access to locked files should never be permitted to contractors,
>        only to permanent employees.  If necessary, workloads should be
>        shifted in order to accomplish this.
>
>        - in the case of especially sensitive files -- and this is one
>        of them -- then access should require approval that comes from
>        the office of the Secretary of State.
>
>        - unless the access relates to an ongoing criminal investigation,
>        any subject on this list should be notified when their data
>        is accessed.  For example, if someone needed to do a routine
>        check on former President Carter's passport prior to a trip
>        to Peru, then he should be informed.  This also increases the
>        probability that spurious accesses will be detected, especially
>        if the notification process is via a channel that workers and
>        supervisors can't access or control.
>
> 2. We don't know who accessed these files, we don't know why, we don't
> know if they made copies, we don't know if they transcribed information,
> we don't know if they passed any of it on, we don't know who they're
> associated with, we don't know who they're working for, we don't know...
> much of anything.  But any student of history (or anyone old enough
> to recall it) should realize that we didn't know the answers to rather
> similar questions when McCord, Barker, Gonzalez, Martinez, and Sturgis
> were caught either.
>
> This incident should be setting off alarms in everyone's heads which
> keep insisting that it's not so simple, not so cut-and-dried, as it's
> being made out to be.  Which is not to rule out the faint possibility
> that in the end it might turn out to be so -- but it would be naive in
> the extreme to presume that today.
>
> And we most *certainly* should not accept any spokesbot's statement that
> they "believe no copies were made" or "believe the information wasn't
> passed on".  That's the same fatuous nonsense that we hear every time
> there's a data leak.  They're announcing the negative hypothesis as fact
> when it's only possible to prove the positive one.
>
> There is no such thing as "belief" in security.
>
>
> 3.  *three times*?  That's not idle curiosity.  Think about it: they'd
> already fired two people for this, yet a third one DID IT AGAIN ANYWAY,
> even though there can be little doubt that they knew about the previous
> firings, knew why they took place, knew about the monitoring mechanism,
> and very likely knew whose file was involved.  (If you were supervising
> this department and just fired two people, wouldn't you make sure that
> all current as well as any incoming new employees were excruciatingly
> aware of this?  Would you not have had an all-hands meeting during which
> you read the riot act to everyone in a loud, clear voice?)
>
> Idle curiosity is insufficient motivation for someone to risk losing
> their job under these circumstances.  People don't take chances like
> this just because they're bored.  (And actually, "chances" isn't the
> right word, because again, if we believe part of what we were told,
> it wasn't probable they'd be caught: it was certain.  And they knew it.)
>
> This strongly suggests to me that (a) it wasn't idle curiosity and
> (b) the job was considered expendable.
>
> Oh, and: don't you think that given how many of these breaches we already
> know about -- by now some *supervisors* should have been fired?
>
>
> 4. Who else's files?  Now we're told that Senators Clinton and McCain's
> files were also accessed.  It's very curious that this did not come
> out during the press conference call.
>
> Think about it: you're the Secretary of State.  You get wind of this.
> What are the first questions that come into your head?  They should be:
>
>        What about Michelle Obama?
> and:
>        What about Senator Clinton?  and Senator McCain?
>
> If these aren't the questions that come to mind instantly then you
> shouldn't be Secretary of State: you clearly lack sufficient mental
> agility.
>
> And when these questions come to mind, in the first ten seconds after you
> find this out, you then spend the next twenty seconds issuing the order
> to have them answered right friggin' now.  And you get those answers in
> a very big hurry, because you want to make sure you have them in-hand
> *before* you set up a media conference call.  If necessary, you have
> staff work all night and you have the conference call the next morning.
>
> You do this because (a) it's completely obvious due diligence and
> (b) you darn well know that you're going to be asked.
>
> In short, you don't make a move until you have this data in hand.
>
> But this isn't what happened.  Why?
>
> Also: consider the contrast in timelines.  This problem, if we're to
> believe part of what we're told, festered for months.  But the elapsed
> time from when the story broke to when the press conference call was
> held was only a couple of hours.   So we see a pathetically slow reaction
> (if any) followed by a lightning-quick one.  That's decidedly odd.
>
>
> 5. Given the disclosures about Senator Clinton and Senator McCain, we
> can now not only repeat all the questions above (and add "have these
> people been fired too?"), we can ask why this wasn't disclosed at the
> same time, and we can also inquire as to who else's file was accessed.
> Huckabee?  Richardson?  Kucinich?  Romney?  How about Wright?  Or Hagee?
>
> Or were these other accesses merely invented so that the problem could
> be spun in a manner consistent with getting it out of the news cycle?
>
> Paranoia?  No.  It's prudent skepticism.  It's a recognition that the
> most believable lies contain a lot of truth, and that this administration
> lies as a matter of institutional policy.
>
>
> 6. Who leaked this to the Washington Times?  Why did they leak it?
> Why the wingnut Washington Times and not the Washington Post or New York
> Times or some other actual real live newspaper read by grown-ups?  Was it
> someone in the administration -- which would hardly raise an eyebrow
> given that this administration has a well-known history of using leaks of
> confidential/private/secret information when it suits its purposes -- or
> was it someone frustrated by inability to draw administration attention
> to the problem?
>
>
> 7. The Secretary of State claims she only found out about this
> yesterday.  So either:
>
>        a. She is telling the truth
> or
>        b. She is lying
>
> If (a) then something is severely wrong at State, because there is simply
> no possible way that the passport file of a presidential candidate gets
> accessed twice and supervisors are notified and people are fired and
> the Secretary of State doesn't know a darn thing about it.
>
> If (b) then I trust it's obvious why this is a major problem.
>
>
> 8. Something else that's severely wrong: put yourself in the position of
> a supervisor who gets a message from the database system that the file of
> a presidential candidate has been accessed.  After you call security and
> have the relevant person detained, do you quiz them extensively about what
> they were doing, get them to admit they were indulging their curiosity,
> fire them, and have them escorted off the premises?
>
> No, you do not.  You do that if it was Britney Spears' file.  But it's
> not -- it's a PRESIDENTIAL CANDIDATE.  So you call the Secret Service.
> You call the FBI.  You go find your supervisor, and then two of you go
> find his/her supervisor, and you repeat this process until everyone in
> that chain is sitting in the Secretary's office waiting for the Secret
> Service and the FBI to get there, and when they show up, you all
> collectively go crawl up that person's ass with a microscope.
> Meanwhile, someone finds a lawyer, and they go get the appropriate
> warrant(s) to set up surveillance on that person.  When you finally
> let that person go, you keep track of everyone they come in contact with,
> every phone call, every email (which should be easy since the telcos
> are already illegally doing it anyway).  And so on.
>
> This is presuming you let them go.  If you have grounds, you charge
> them with violating the Privacy Act and you arrest them.
>
> You do all this because there is the distinct possibility that this person
> means to harm the candidate -- or their family.  And because you can't
> rule that out except by process of elimination (and maybe not even then),
> you deploy massive resources to do that very thing.
>
> And then you inform the candidate so that *their* people know what the
> hell is going on.  And as soon as humanly possible, you bundle everything
> you found out into a dossier and put it in the hands of the Secret Service
> detail associated with that candidate.  And then you do this for the
> other candidates and their assigned details because you know that there
> will be occasions when they're all in the same place at the same time,
> so it would be prudent to have as many clued-in eyeballs as possible
> present when that happens.
>
> This is an extremely obvious course of action even to the casual observer.
> But it didn't happen.  Why?
>
>
> 9. You get an independent investigator for several reasons.
>
> First, internal investigators can't be trusted.
>
> Second, State has already proved to my satisfaction that it's either
> incompetent or lying or both.  No point letting it prove it again by
> investigating itself.
>
> Third, you need someone who's a careerist, not a political appointee.
>
> Fourth, an inevitable part of this will be the blame game.  An independent
> investigator doesn't care who gets blamed and won't bias the investigation
> in order to spare anyone humiliation.  We hope.
>
> And finally, you do this because you're aware that 16 years ago, during a
> previous Bush administration, Elizabeth Tamposi -- an assistant Secretary
> of State -- dispatched people to ransack then-candidate Bill Clinton's
> passport file in search of material that could be used against him in
> the campaign.  Coincidence?  Yeah, riiiiiight.
>
>
> 10. Who else's passport file has been accessed to indulge someone's
> curiosity, to acquire data for resale, to dig up dirt for political
> reasons, to leak to the press, to [fill in with a myriad of other
> purposes]?  It should be abundantly obvious that if this level of
> abuse and malfeasance can take place with known-critical data, that
> there is every reason to think that less critical data which is not
> tripwired for alarm-on-access has been essentially undefended.
>
> That's a huge problem.
>
>
> ---Rsk
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
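The access model sketched in point 1 of the quoted message (default deny, prior approval from more than one supervisor, an audit channel the approvers cannot control, no contractor access, and notice to the subject unless an investigation is under way) as an added example in Python. This is not code from the thread, from funsec, or from any State Department system; the class and field names, the two-approval threshold, the 24-hour approval validity window, and the employee, supervisor and record identifiers are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REQUIRED_APPROVALS = 2              # assumed threshold: two distinct supervisors
APPROVAL_TTL = timedelta(hours=24)  # assumed: an approval goes stale after a day

@dataclass(frozen=True)
class Approval:
    supervisor: str
    requester: str
    record_id: str
    issued_at: datetime

@dataclass
class AuditLog:
    """Append-only sink standing in for a notification channel that neither
    requesters nor supervisors can edit or suppress: no delete method exists."""
    entries: list = field(default_factory=list)

    def append(self, **event):
        self.entries.append(dict(event))

class LockedRecordPolicy:
    """Default deny for every record on the locked list."""

    def __init__(self, locked_records, contractors, audit):
        self.locked = set(locked_records)
        self.contractors = set(contractors)   # never eligible for locked files
        self.audit = audit
        self.approvals = []
        self.subject_notices = []             # notices owed to record subjects

    def approve(self, supervisor, requester, record_id, now):
        """Record a supervisor's prior approval; self-approval is refused."""
        if supervisor == requester:
            raise ValueError("self-approval is not allowed")
        self.approvals.append(Approval(supervisor, requester, record_id, now))
        self.audit.append(event="approval", supervisor=supervisor,
                          requester=requester, record_id=record_id, at=now)

    def _decide(self, requester, record_id, now):
        if requester in self.contractors:
            return False, "contractors may not open locked records"
        if record_id not in self.locked:
            return True, "record not on locked list"
        # Distinct supervisors whose approval names this requester AND this
        # record and is still inside its validity window.
        fresh = {a.supervisor for a in self.approvals
                 if a.requester == requester and a.record_id == record_id
                 and a.issued_at <= now <= a.issued_at + APPROVAL_TTL}
        if len(fresh) >= REQUIRED_APPROVALS:
            return True, f"{len(fresh)} distinct supervisor approvals"
        return False, f"{len(fresh)} of {REQUIRED_APPROVALS} approvals present"

    def check_access(self, requester, record_id, now, investigation_case=None):
        """Every attempt, allowed or denied, is written to the audit channel
        before the decision is returned; allowed access to a locked record
        also queues a notice to the subject unless tied to an investigation."""
        allowed, reason = self._decide(requester, record_id, now)
        self.audit.append(event="access", requester=requester, record_id=record_id,
                          allowed=allowed, reason=reason, at=now)
        if allowed and record_id in self.locked and investigation_case is None:
            self.subject_notices.append(
                {"record_id": record_id, "accessed_by": requester, "at": now})
        return allowed

T0 = datetime(2008, 3, 22, 12, 0, tzinfo=timezone.utc)  # constructed timestamp

def demo_scenario():
    """Walk a constructed scenario; returns each decision keyed by case."""
    audit = AuditLog()
    policy = LockedRecordPolicy(locked_records={"REC-0001"},
                                contractors={"ctr-1"}, audit=audit)
    r = {}
    r["no_approval"] = policy.check_access("emp-1", "REC-0001", T0)
    policy.approve("sup-a", "emp-1", "REC-0001", T0)
    policy.approve("sup-a", "emp-1", "REC-0001", T0)   # same person twice
    r["one_supervisor_twice"] = policy.check_access("emp-1", "REC-0001", T0)
    policy.approve("sup-b", "emp-1", "REC-0001", T0)
    r["two_supervisors"] = policy.check_access(
        "emp-1", "REC-0001", T0 + timedelta(hours=1))
    r["investigation"] = policy.check_access(
        "emp-1", "REC-0001", T0 + timedelta(hours=2), investigation_case="CASE-1")
    r["stale"] = policy.check_access("emp-1", "REC-0001", T0 + timedelta(hours=25))
    policy.approve("sup-a", "ctr-1", "REC-0001", T0)
    policy.approve("sup-b", "ctr-1", "REC-0001", T0)
    r["contractor"] = policy.check_access("ctr-1", "REC-0001", T0)
    r["unlocked"] = policy.check_access("emp-2", "REC-9999", T0)
    r["subject_notices"] = len(policy.subject_notices)
    r["audit_events"] = len(audit.entries)
    return r

if __name__ == "__main__":
    print(demo_scenario())
```

Two design choices carry the message's point. Approvals are counted by distinct supervisor, so one person re-approving cannot satisfy the threshold, and each approval is bound to a single requester and record with an expiry, so a standing approval cannot be reused later or for a different file. The audit entry is appended before the decision is handed back, and `AuditLog` exposes nothing that could remove it, which is the code-level counterpart of a notification path that the people being monitored do not control.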