Dailydave mailing list archives
The OPM Mess and the Bigger Picture
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 30 Jun 2015 10:32:37 -0400
So I dunno how many of you remember Tom Cruise before he was a raging Scientologist, but he did this one movie you might have heard of called "Mission Impossible". And he spent quite a lot of energy trying to steal the NOC-list <https://www.youtube.com/watch?v=ar0xLps7WSY> full of the names of non-official cover agents which in theory mapped to their cover names or something. It was unclear what it was exactly, but it fit on a magneto-optical disk that was like, all the rage in the 90's but which has been replaced by literally anything else now. And that's pretty much exactly what the Chinese stole here, except without the French guy from "The Professional" and all the outfits.

The problem, as we're going to drill home again and again over the next year during damage control in congressional meetings each more painful and less informative than the last, wasn't that OPM didn't protect the database, but that they HAD THE DATABASE COLLECTED AT ALL. I think there's a DailyDave Post about this exact problem <https://lists.immunityinc.com/pipermail/dailydave/2014-July/000701.html> from a year ago or so. It's the same mistake RSA made, but a few letters higher in the alphabet, is all.

Of course, damage control is going to come back and say things like "well, CIA was smart enough not to put their people in the database" except that of course, there's a lot of people who start in one agency (say, DoD) and then go to the CIA, or DIA or whatever. I don't know if any of them were in the hacked data, but you can probably assume they were.

But there's a little silver lining in the OPM hack, and it is this:

1. Covert identities are dead anyways, because databases full of biometrics are everywhere, and you can read someone's fingerprints off any beer glass faster than you can say "Your Cover Is Blown, Ethan Hunt". That's not even counting the DNA revolution of being able to map the entire human family tree out that nobody is talking about yet. Regardless, you cannot hide WHO you are in the modern age if for no other reason than Facebook exists. Deal with it. <http://media.giphy.com/media/4wAO1N5uusbMQ/giphy.gif>

2. The entire clearance system as a whole has been obliterated by modern information sciences.

#2 is the most important. *Clearances and classifications in general don't scale.* We are pretending they do because the idea of ripping them out is so painful, like so many other technologies we built in the fifties. But the very idea is broken at a high level and we need to get over it if we're going to have a hope of properly running Government operations that require secrets.

It's as if we're hosting the entire US Government on a Unix Users and Groups permissions system on one Linux kernel and hoping we are getting security because nobody has a local root. We need something fundamentally BETTER and ideally we come up with it before the Chinese do. Maybe the OPM hack is our chance?

-dave