> A spokesperson for the DOJ told Motherboard on Monday that the department “is looking into the unauthorized access of a system operated by one of its components...
Please don't give us the "we weren't hacked. It was a company we used that was!" nonsense. I'm tired of hearing this. It's the same thing Blue Shield said when its/my/your data was pilfered. YOU are responsible for it! If you pass it off to some incompetent third party, then that reflects even more poorly on you!
In this context, "component" means an agency that's part of the DOJ. The FBI, for example, is a component of the DOJ. They're simply stating that Main Justice wasn't hacked.
Oh, you mean like all the personal information I had to submit to the Defense Investigative Service when they did my background check for a security clearance?
Why, it's funny you should ask! I just got a letter from the Office of Personnel Management about three months ago, proudly informing me that all that data is now in the hands of some foreign intelligence service.
Of course, they claimed it was the result of a "sophisticated" attack, which is government fail-speak for "We left your data on a bus, and a hobo took it".
>> Of course, they claimed it was the result of a "sophisticated" attack, which is government fail-speak for "We left your data on a bus, and a hobo took it".
No it isn't. The hack of OPM was very well publicized. It was a long-time project of the Chinese government to break into OPM's computers. I don't believe everything I read, but in this case I know this is exactly what happened.
My wife got the same letter from her time working at the VA. Fingerprints, social security number and all the other personal details that they required.
I don't wonder. It'll get hacked and stolen, repeatedly. Government isn't technically competent by itself, and doesn't know how to select those who are.
> Government isn't technically competent by itself, and doesn't know how to select those who are.
This is just dead wrong. I think you're conflating "Government" and "Politicians". The government pays tech very well and hires intelligent people. I once did a consulting gig and went in with your exact mindset. It was the only time I've ever been fully confident that I was the dumbest person in the room.
The reason they'll always lose is the sheer quantity of attacks. Every day we have front page posts critical of the US government. That sentiment (clearly) extends far beyond the front page of Hacker News. I'd wager you wouldn't have to put much effort into finding anti-governmental rhetoric in the comments section of a cooking website.
Beyond that, the weak link is rarely the technical side, e.g. Snowden. I think we all can be confident they will lose the information, but I really don't believe it's because they are technically incompetent.
As someone who's done DoD contracting for many years working for different agencies... I have to agree with parent. The amount of competent people I ran into, on the government and contractor side, could be counted on a single hand. I've reported and seen so many security holes that were never fixed it's ridiculous. I'd like to imagine the work done by our group was top notch but even if it objectively is it's rare to work on any DoD project without 10+ contractors all with varying levels of competence.
Very true. I did DoD/IC contracting for 16 years before finally getting fed up and going into the "real" world last year. There are some very talented and intelligent people working as govies and as contractors, but for every very good person there are at least 4 turds.
The OPM breach exposing personal data of all cleared individuals (and their friends & families) for the past ~25 years points to management as being grossly incompetent.
>The government pays tech very well and hires intelligent people.
No they don't. Or at least, not the parts I worked in. Maybe the really secure stuff gets paid well, but from what I've seen government jobs are one of the worst paying jobs for an IT individual.
Why? What's the metric? All governments have the same kinds of data and potential for embarrassment. And in terms of GDP, the U.S., E.U. and China are in the same ballpark.
Ca. 1996, the DOJ web server was hacked by somebody. At this point, I don't remember the details--Adolf Hitler as AG, a naughty picture or two. It shouldn't be hard to find.
That makes for nice headlines, but anyone who actually understands this stuff knows that hacking the public-facing web server is not a big deal and not really related to obtaining private info like this.
Edit: I just remembered, there is (of course) a relevant xkcd for this: https://xkcd.com/932/
If, like me, you don't know the term OSINT, it stands for "open source intelligence." What it means is publicly available information: phone books, mailing lists, published documents and other things people can find just by snooping a little and not breaching a security system. (Note: According to Wikipedia, this is a US-centric view of the term and may be different where you live.)
Due to the amount of turnover and lack of upper management effort you can "hack" almost any recruiting company. Most new recruiters have access to all internal records and are using a basic password (12345678 or password123).
It's not uncommon for recruiters to access other companies' databases to find numbers and email addresses.
Honestly, if you have ever sent your resume to a recruiting agency, your information is fairly accessible to anyone who cares to look for it. I can find cell phone numbers of most managers in the city because they applied for some recruiting agencies' entry-level positions 10+ years ago.
Yep. Even the spooky Stratfor[1] would have more information than this. This is nothing like what Snowden or literally hundreds of thousands of people who hold TS/SCI have access to (identities of NCOs or other espionage operatives, access to recruiting databases for foreign nationals who went abroad to the US for graduate studies and are being assessed as potential intelligence assets by their professors, etc). A pissed off 4channer with good Google-fu could get more information than this.
[1] Which I'm sure intelligence agencies are thankful for, because all the tin-foil hatters are misplacing their resources in designing conspiracy theories about an incompetent "private intelligence organization" which amounts to a bunch of people who could easily be outsmarted by a 4chan-er with good Google-fu. You know all those stories you heard about the KGB being incompetent, or now hear about how the Party is in modern China w/r/t information control? Yeah.. the FIVEEYES are about on par when it comes to incompetence.
> recruiting databases for foreign nationals who went abroad to the US for graduate studies and are being assessed as potential intelligence assets by their professors
When I was a research assistant in college in the US, we had an Iranian student apply to work with us several times, even after we told him no the first time. We were researching the properties of yellow cake uranium for the Department of Energy! Obviously there are strict rules on that kind of work, hiring him would have been VERY illegal, but he still kept bugging us even after telling him that.
Here's a sign: there are the names and numbers of members of a secretive FBI counter-terrorism unit in the list. Stuff that, if not actually classified, is held close.
They aren't responsible, the subcontractor is. As I posted some time ago:
"The very first thing University of Washington Center for Information Assurance and Cybersecurity (accredited by U.S. Department of Homeland Security, whatever that means) teaches you about becoming a CIO is precisely delegating responsibility :)"
So they're teaching idiots to hand off responsibility to other idiots and only cover their asses legally. What sort of irresponsible education do you have in the US?
I fail to see how this brings ANY value to ANYONE, other than those who explicitly wish to engage in abuse of authority. I also fail to see how teaching this as a skill in university is any better than teaching advanced pocket picking skills to school children as part of the standard curriculum.
So, you'll excuse my potty mouth, but I have to repeat myself - EVERYONE engaged on either side of this practice is a certifiable idiot.