Showing posts with label security. Show all posts

Thursday, April 13, 2023

On Distribution Lists

 Kevin Drum and many others don't understand how a National Guard member could have access to the sort of information which was leaked.

I think part of it is the pathology of distribution lists.  One of my early jobs in ASCS was reviewing and updating the distribution lists we maintained for various types of directives. These were paper or telegraph messages, but similar logic would apply in the world of data.

I think there are several aspects of what I'm calling pathology:

  • no one pays any attention to distribution lists.  Once they're set up they can go on forever, automatically.
  • distribution lists can be based on an office, a position, or an individual. If you specify x number of paper copies for an office, it's then up to the office manager to see they get distributed.  In today's world, the email is sent to the office URL. If it's a position, then whoever occupies the position or acts for the occupant would have access.  If it's an individual, then an individual address. Each of these is vulnerable.
  • The vulnerability is in part the fact that things change, but as I said, the distribution list is automatic.  Bureaucracies may have procedures for "out-processing" people, but that's not a priority (I remember my out-processing from Nam).
  • The other vulnerability is the gap in comprehension between the originator of the classified info and the actual recipient in the bureaucracy. 
I'll be interested to see how close my guesses come to the reality in the current case.

Thursday, December 07, 2017

How Times Have Changed: Test Data

The Times had an article on the theft by three Homeland Security employees of a set of personal data of DHS employees.

What were they going to do with the data?

Well, they were going to write software, or rather copy and modify the IG's software for managing IG cases and sell it to other IGs.  And the stolen data was going to be used to test the software as they developed it.

What a change in 30 years.  Back in the 1980's and early 90's I very casually moved around sets of live data saved from county office systems to serve as the basis for testing new software.  While we had the Privacy Act requirements, we weren't really conscious of privacy restrictions and security.  Consequently I, and others, could do then what would be firing offenses today.

Friday, January 27, 2017

Records and Security Orientation for Trump Staff?

On Sunday the White House staff appointed by Trump had their orientation on ethics. Please tell me that the staff, and all department heads, are also going to receive an orientation from National Archives and Records Administration  and IT on records management, email management, and cybersecurity?

Tuesday, July 05, 2016

Clinton and Emails

I may have written this before, but Clinton's behavior at State, at least as described in a recent summary of the aide's deposition, makes sense to me.  Bottom line: bigshots don't give a damn about systems and legalities.  It's the job of the bureaucracy around the bigshots to adjust the systems and legalities to what the bigshot wants.  Clinton wasn't going to devote any brain cells to worrying about the security status of what she writes or reads; she was focused on the content.  The exception to this is the initial discussion of the private server and Blackberry.  Then you're expecting a civil service bureaucrat to tell the big boss the rules and how to get around them.  Won't happen with many bureaucrats.

The big mistakes Clinton made were insisting on a lot of close personal aides (Obama let her have more control over State personnel than is usual), so there was no one to say nay, and insisting on total control of the release of emails.

The big mistake we the public make is expecting that laws are self-enforcing; they require bureaucrats to say nay.

Thursday, April 28, 2016

Cyber security for Farmers?

FBI says farmers vulnerable to hacking of digitized data. 

I'm not sure what the motivation would be.  The piece discusses the possible theft of bulk data for use in market manipulation and such.  That's possible I suppose, perhaps particularly at the state and corporation level, but I'd think it unlikely.  What other motivation: ransom, as has happened with hospitals.  I don't think farm-level data is that crucial or time sensitive. 

I know the ag lobby has put in legal provisions requiring FSA to keep secret some data, but that's more anti-EWG measures than anything else.

Call me cynical, but the cyber-security/industrial complex has an interest in alarming everyone they can, so they can sell their services. 

Thursday, March 24, 2016

The Half-Life of Information

In the dispute between the FBI and Apple over obtaining access to the terrorist's cellphone data I thought of the concept in my title.  Radioactive elements have a half-life, the amount of time it takes any mass of the element to emit radiation and convert to half the mass.  (Not a good definition, but look up Wikipedia if you want better.)  The point being each element decays at a set rate, fixed by nuclear physics.

Apply the same concept to the information of interest to law enforcement. Some types of information, say the DNA on a rape kit, would lose interest very gradually, perhaps losing interest entirely when the rapist is almost certainly dead of old age.  Other types, perhaps the appointment calendar, would lose interest much quicker. Assuming law enforcement knew who the person was likely to see, the calendar might be of no interest once the day of the appointment is past.

It's now been more than 3 months since the San Bernardino shootings, so my guess is that much of the information has decayed into relative meaninglessness.  We don't know the information, so we can't tell for certain, but I think it likely.  The longer it takes the FBI to access the data, the greater the chance it won't be helpful.

My point: fast access to the data is worth a lot, which should be a consideration in determining whether and under what rules law enforcement gets access.

Friday, January 30, 2015

Gloom and Doom

"Gloom and doom" was a popular term in the '50s--if I remember Republicans accused the Dems of embracing gloom and doom when Dems pointed with alarm at all the shortcomings of Ike's administration and the general state of the world.

On a day when spring seems far away, I thought I'd highlight a contemporary gloom and doomster, Leslie Gelb, writing as part of a Politico survey of learned people forecasting 15 years ahead:

The world of 2030 will be an ugly place, littered with rebellion and repression. Societies will be deeply fragmented and overwhelmed by irreconcilable religious and political groups, by disparities in wealth, by ignorant citizenry and by states’ impotence to fix problems. This world will resemble today’s, only almost everything will be more difficult to manage and solve.
Advances in technology and science won’t save us. Technology will both decentralize power and increase the power of central authorities. Social media will be able to prompt mass demonstrations in public squares, even occasionally overturning governments as in Hosni Mubarak’s Egypt, but oligarchs and dictators will have the force and power to prevail as they did in Cairo. Almost certainly, science and politics won’t be up to checking global warming, which will soon overwhelm us.
Muslims will be the principal disruptive factor, whether in the Islamic world, where repression, bad governance and economic underperformance have sparked revolt, or abroad, where they are increasingly unhappy and disdained by rulers and peoples. In America, blacks will become less tolerant of their marginalization, as will other persecuted minorities around the world. These groups will challenge authority, and authority will slam back with enough force to deeply wound, but not destroy, these rebellions.
A long period of worldwide economic stagnation and even decline will reinforce these trends. There will be sustained economic gulfs between rich and poor. And the rich will be increasingly willing to use government power to maintain their advantages.
Unfortunately, the next years will see a reversal of the hopes for better government and for effective democracies that loomed so large at the end of the Cold War.
(I think he's by far the most pessimistic seer.)

Enjoy the weekend.

Tuesday, June 11, 2013

Security Clearances and Math

Somehow the math doesn't add up.  There was an article in the Post this morning, then I found this blog post.
 "The number of persons who held security clearances for access to classified information last year exceeded 4.2 million — far more than previously estimated — according to a new intelligence community report to Congress (pdf)."
OPM says there are 2.756 million federal employees, and a total of 4.403 million legislative, executive and military branch employees.  I never had a security clearance, either in the Army or in USDA, but the figures imply that the average person in government does.  Why, for goodness sake?  I can see the law enforcement branches, but not much else.

I hope the figures are wrong.  I hope what's going on is that the databases of security clearances aren't being purged very well when people leave the government.  Or is it the case that once cleared, always cleared, and leaving government doesn't cancel the clearance?

Saturday, February 02, 2013

Security Software

NY Times reported that hackers based in China had been attacking their computer system and the identities and passwords of their staff.  Buried in the article was a factoid: their security software provider was Symantec, and its software failed to identify all but one intrusion.

Thursday, April 12, 2012

Hacked: Apology and Information

This is the text of an email message I'm sending out which I thought I'd also post here:

Yesterday morning you may have received an email from “bharshaw at hotmail.com” with no subject which contained a url, probably ending in “176.xxx” where the “xxx” is a file type, usually an image one but not always. There was also a post on my facelessbureaucrat blog. I’m still not sure what happened but it appears my hotmail and possibly google passwords were hacked and someone used my email account to spam you. As far as I know now the url did not contain a virus (my wife got one, which she opened, but full scans of my PC using McAfee didn’t reveal any virus). But since I’m no expert:
  1. if you did click on the url and open it, please be sure your security software is running and up-to-date. Let me know if you have any problems.
  2. if you didn’t click on it, delete the message and congratulate yourself on following the prime rule for email safety: never open an unexpected url or attachment. Check first.
I’m now changing my passwords, following the experience of James Fallows after his wife’s account was hacked (see his http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/ –but don’t click on that—go to the Atlantic website and search for “Fallows password” to see the sequence of posts he put up. Long story short, he went to Lastpass, which is a  free password manager and permits you to have strong passwords for individual accounts.
My apologies for endangering your security.