Why Political Fights Never Cease

If you are involved in a political issue or even pay attention to one you know that the battle never ends. Take self-defense, for example. Recently the right of self-defense has been making gains in legislatures of the federal and many state governments. But the fight isn’t even close to ending because opponents to self-defense are finding new political tools to make people defenseless. Seattle is looking to restrict the right to self-defense not by passing a prohibition but by creating a new tax:

City Council President Tim Burgess has proposed a tax on every firearm and round of ammo sold in the city, which would be used to fund gun violence prevention programs.

The tax, which would amount to $25 on each modern firearm and 5 cents on each round of ammunition, is expected to skim as much as a $500,000 per year from the wallets of gun owners, the Seattle Times reports. This figure would be in addition to the various state and local retail taxes that approach 9.6 percent in the city already.

If prohibitions aren’t working, just raise the costs until they’re prohibitively expensive for all but the wealthiest! Herein lies the issue with political issues of all sorts. No matter what gains are made your opponents will find a new avenue to attack you. Now that legislation isn’t working in the anti-self-defense crowd’s favor they’re looking at adding taxes to ensure poor people are unable to defend themselves. They are also looking at regulations that require jumping through hoops to discourage people from obtaining a means to defend themselves.

Politics is a disgusting business because governments wield monopoly power and can therefore do whatever they want. With that being the case there is an infinite number of ways to use the government to screw people over. If one arm of the government isn’t beating your opponents for you, you just need to pay off another arm. That’s why no fight over a political issue will be done until the state has been abolished in its entirety.

If A Law Is Passed And Nobody Can Enforce It Is It Still A Law

Online harassment, often called cyber-bullying by legal marketing teams, has become a very hot topic in the last couple of years. More people are seeing first hand how ruthless denizens of the Internet can be and are demanding something be done. Governments around the world are acknowledging this issue and addressing it in the only way they know how: issuing decrees. New Zealand has led the charge by passing a law making online harassment illegal:

The Harmful Digital Communications Bill passed its third and final reading last night.

[…]

The bill’s key elements:

Harmful Digital Communications Bill: key provisions

  • A fine of up to $50,000 for an individual or up to $200,000 for a body corporate, or up to two years’ jail for posting or sending a “harmful digital communication” – aka cyber-bullying with a post likely to cause distress. The bill covers racist, sexist and religiously intolerant comments, plus those about disabilities or sexual orientation;
  • Up to three years’ jail for the new crime of incitement to suicide;
  • An “approved agency” will advocate on behalf of complainants. The aim is that the agency will be able to make direct contact with web publishers and social media sites like Facebook and Twitter, where a member of the public often has trouble getting heard (the Law Commission has recommended NetSafe be the approved agency; the non-profit NetSafe’s backers include InternetNZ, the NZPolice, the Ministry of Education and private companies);
  • If the approved agency makes no headway, a complaint is escalated to a District Court judge; and
  • Web publishers can opt in to a safe-harbour provision, protecting them from liability (and arguably also crimping free speech) if they agree to take down allegedly offending material on demand or at least within a grace period of 48 hours.

When used outside of legal circles the word law implies something that, as far as we know, cannot be violated. The laws of physics, for example, state that the speed of light cannot be exceeded. That leads me to ask an important question: if nobody can enforce a law, is it still a law?

If you read through this bill you’ll quickly realize that it puts the legal burden on the content host. In order to avoid being held liable for user content the host must agree to remove reported content within 48 hours of notifying the author if the author doesn’t submit a counter-notice within the same span of time. Anybody who has worked in a sizable company knows that the default position of the legal department is always on the safe side. That being the case this bill will likely convince companies to pull down any reported content with little or no investigation. So this bill, on the surface, appears to solve the problem by ensuring companies are motivated to remove harassing content (and, as a more concerning aside, could end up being a tool useful for general censorship as well if companies remove content without actually investigating it).

But deleting content doesn’t actually solve the problem of online harassment. Content is easy to create and post. If something harassing is deleted it can simply be posted again. Even if the account of the person posting offending content is shut down it’s a simple matter on most sites to create a new account. And if there’s a specific person being targeted by numerous individuals, such as the people targeted by GamerGate, it quickly becomes infeasible to shut down accounts faster than they’re created. A handful of administrators charged with reviewing complaints and closing offending accounts is no match for hundreds or thousands of individuals dedicated to posting harassing content. Therefore I would argue this bill isn’t a law because it can be easily bypassed by online harassers.

I’m not a fan of complaining about a proposed solution without offering one of my own. To that end I want to diverge from the topic of whether or not this is a law and focus on what is actually needed to counter online harassers. Dealing with the issue of online harassment means focusing on the harassers, not the content hosts. But siccing law enforcers on individuals who have effective tools to anonymize themselves (as with any technology, tools that anonymize people can be used for good and bad) is also infeasible. How, for example, can law enforcement agents pursue an Internet Protocol (IP) address, which is the only identifying information content hosts may have access to, when that address belongs to a Tor exit relay or a virtual private network (VPN) provider in a foreign country? Even if the IP address can be traced back to an entity law enforcers can go after, how can they verify the owner even knew their network was being used for online harassment? A depressingly large number of people have no idea how to secure their wireless access points, and many businesses that offer wireless access to customers do so with open networks because the logistics involved in doing the same with a secured network are too complex for them.

So the question becomes, what can be done to counter online harassment? Back when malicious hackers acquired login credentials for several celebrities’ iCloud accounts I said a counter-hacker initiative was needed and I believe such a tactic could be applicable here as well. Groups dedicated to countering online harassers could raise the costs of harassing people online, which are nearly zero at the moment. The key, in my opinion, is having people dedicated to the task (in other words, like any private security group, paid for their services so they can focus on providing them) who aren’t restricted by state decrees and have the motivation law enforcers lack.

Is this the only solution? Hardly. It’s just one that I can think of. Would this solution work? I believe so but I can’t say for certain. What I do know is finding a solution to online harassment, as with finding a solution to any problem, requires markets. The creativity of the world has to be tapped to find a way to effectively address this problem because the creativity of the world is currently being tapped to create this problem. Relying on a handful of individuals to write unenforceable words on pieces of paper isn’t going to accomplish anything.

You Have To Pay To Play

Every year people from around the world gather in the Nevada desert to show off art, demonstrate their self-sufficiency, and just generally have a good time. This event is called Burning Man and it has been going on since 1986. Because all property is owned by the federal government the organizers of Burning Man have to beg for permission from the Bureau of Land Management (BLM) in order to host the event in the middle of nowhere. Anytime you have to beg the government for permission there’s a payoff involved. Usually this payoff is wrapped in bureaucratic paperwork and terminology such as permit and license. Seldom is the government blatant about what it wants and why it wants it. But this year the BLM decided to toss off the thin veil of officialdom and just demand a luxury air-conditioned trailer and unlimited ice cream for some of its agents:

Lavish requests by federal authorities for flush toilets and 24-hour access to soft-serve ice cream at Burning Man are putting Sen. Harry Reid (D-NV) and Nevada Republicans on the same side as hippies.

The Bureau of Land Management is denying a permit to hold the music and cultural festival on public land unless organizers pay more than $1 million to house “VIP” agents in an air-conditioned compound with couches and hot water, reported the Reno Gazette-Journal.

Why do federal agents need 24-hour access to soft-serve ice cream, flush toilets, and air-conditioned trailers to keep an eye on a bunch of hippies who have managed to host a yearly event since 1986 without nuking a portion of the Nevada desert? Because it’s not about ensuring safety, enforcing environmental protections, or preventing the violation of federal decrees. The BLM’s involvement, like all government involvement, is about transferring wealth from the people to the state and stroking the egos of state agents. State agents often receive inferior pay to people who hold similar jobs in the private sector. In exchange for lesser pay they demand certain benefits such as pensions and obedience from serfs. All of these demands by the BLM are about forcing serfs to kowtow to the king and his knights. But it does give us a rare glimpse of the state outright demonstrating its true intentions instead of trying to make them more palatable by wrapping them in bureaucratic nonsense.

Unaffordable Health Insurance Soon To Be More Unaffordable

I assume any bill passed by Congress will do the opposite of what its title says and I’m usually correct. The Affordable Care Act (ACA) may be the best example of this. Going by the title you would assume the bill is meant to lower the cost of healthcare in this country. What it actually does is put a gun to everybody’s head (which really is the only thing the government knows how to do) to force them to buy health insurance. What happens when a business knows you must do business with them? This:

WASHINGTON — Health insurance companies around the country are seeking rate increases of 20 percent to 40 percent or more, saying their new customers under the Affordable Care Act turned out to be sicker than expected. Federal officials say they are determined to see that the requests are scaled back.

Blue Cross and Blue Shield plans — market leaders in many states — are seeking rate increases that average 23 percent in Illinois, 25 percent in North Carolina, 31 percent in Oklahoma, 36 percent in Tennessee and 54 percent in Minnesota, according to documents posted online by the federal government and state insurance commissioners and interviews with insurance executives.

And there’s not a damn thing we can do about it. Of course government officials are going to ensure the requests are scaled back, because the health insurance companies paid them a great deal to pass the ACA so they could jack up rates. If government officials actually cared about the costs fronted by the people they would have made it illegal to raise insurance rates (or not have passed the ACA in the first place).

If you live in the Twin Cities you know what game is being played here. It’s the same game Xcel Energy plays every few years. Xcel will request to raise its rates by a large amount knowing government officials who oversee its granted power provision monopoly will scale back the request. So long as Xcel demands double of what it really wants it gets what it wants in the end.

Now that we’re all forced to buy health insurance the insurance providers are going to request to jack up their rates every several years. Government officials, claiming to be magnanimous, will bitch that the rate hike is outrageous and demand the rate be raised by less. Eventually a number the insurance providers and government officials are happy with will be agreed upon and we’ll all be forced to pay more.

Shit like this is why I thought everybody who advocated for the ACA was a bloody idiot. It’s also why I think anybody who wants to “repeal and replace” or “modify” the ACA instead of completely abolishing it is a bloody idiot.

David Cameron Is On A Holy Crusade To End Encryption

When Edward Snowden showed the world that the United States and British governments were spying on the entire world, including their own citizens, a lot of people were pissed. Citizens of those countries were pissed because their governments had promised them for decades that they weren’t going to spy on them. Other countries, especially those who were allied with the United States and Britain, were pissed for the same reason. Both the United States and British governments were pissed because lots of people suddenly started encrypting the lines of communication that were being spied upon.

In addition to becoming pissed off, the people being spied on decided to start making more thorough use of encryption. Seeing this, and noting how it could hurt their spying efforts, the two governments responsible for this entire mess have been working diligently on making criminals of those who have begun using strong encryption. David Cameron, a British politician, has been beating the criminalize-encryption drum especially hard:

David Cameron has signalled that he intends to ban strong encryption — putting the British government on a collision course with some of the biggest tech companies in the world.

As reported by Politics.co.uk, the British Prime Minister reaffirmed his commitment to tackling strong encryption products in Parliament on Monday in response to a question.

Crypto Wars II is moving into full swing. What I really enjoy about Mr. Cameron’s crusade is how blatantly it demonstrates the true goals of the British state. Like all states the British state claims to protect the person, property, and rights of the people within its borders. However, banning strong encryption would violate every British citizen’s person, property, and rights.

By not having access to strong encryption users of the Internet are directly at risk of many threats. The first threat is that their personal information is up for grabs by anybody who has the knowledge to bypass weak crypto systems. That means, for example, abused spouses could have their efforts to contact help discovered and thwarted.

Property is also at great risk if strong crypto isn’t available. If you think the leaking of credit card data is bad now just imagine what it would be like if anybody snooping communications between a client and server could break the crypto and nab the card data. Business deals would also be at risk because anybody snooping communications between two businesses could see what deals were being worked on and maneuver to hamper those deals.

Weak crypto systems also put people’s rights at risk. Due process could go entirely out the window if law enforcement officers are able to extend their “anything you say can and will be used against you” to snooping on every citizen at all hours of the day. On a personal level you also put the right of privacy at risk. Embarrassing communications, such as those between a doctor and their patient, could suddenly find themselves posted on public forums.

There is an upside to all of this. What Mr. Cameron proposes is a pipe dream. Prohibiting strong crypto is impossible because it is nothing more than math and math, being in the realm of ideas, cannot be stopped from spreading. With the widespread use of the Internet we’ve seen how impossible censorship has become and that isn’t going to change.

NSA Officially Allowed to Continue Spying Operation

Many people were too euphoric about the expiration of Section 215 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (the whole name of the act doesn’t get printed out enough, which is a shame because somebody spent a tremendous amount of time trying to think of a backronym for USA PATRIOT) Act to take a moment to consider what it really meant. I noted that the expiration didn’t actually change anything but governments love their redundancy so the Foreign Intelligence Surveillance Court ruled that the National Security Agency (NSA) could resume (implying it didn’t simply continue its surveillance program after the expiration) wholesale spying on American citizens:

WASHINGTON — The Foreign Intelligence Surveillance Court ruled late Monday that the National Security Agency may temporarily resume its once-secret program that systematically collects records of Americans’ domestic phone calls in bulk.

[…]

In a 26-page opinion made public on Tuesday, Judge Michael W. Mosman of the surveillance court rejected the challenge by FreedomWorks, which was represented by a former Virginia attorney general, Ken Cuccinelli, a Republican. And Judge Mosman said the Second Circuit was wrong, too.

“Second Circuit rulings are not binding” on the surveillance court, he wrote, “and this court respectfully disagrees with that court’s analysis, especially in view of the intervening enactment of the USA Freedom Act.”

When the Second Circuit issued its ruling that the program was illegal, it did not issue any injunction ordering the program halted, saying it would be prudent to see what Congress did as Section 215 neared its June 1 expiration. Jameel Jaffer, an A.C.L.U. lawyer, said on Tuesday that the group would now ask for one.

Once again I find it necessary to reiterate that politics isn’t going to solve this problem. The government enjoys the ability to spy on the populace too much to give it up. No amount of begging, voting, or completely pointless filibustering by presidential hopefuls who don’t have a chance in Hell of winning the nomination is going to make the NSA’s surveillance apparatus go away.

If you actually oppose this kind of spying then it is up to you to do something about it. Standing by and hoping you can vote somebody into office to deal with the problem for you isn’t going to cut it. You need to learn, encrypt, and decentralize.

The NSA’s program relies on the pervasive use of plaintext communications and centralization. Collecting plaintext, which is a term for any unencrypted data including e-mails and phone calls, costs very little outside of the taps on the lines and storage. Encrypted text is an entirely different beast. When the NSA scoops up encrypted communications it doesn’t know what it has obtained unless it is able to break the encryption. The documents leaked by Snowden showed us that the NSA had problems with numerous encryption tools including Pretty Good Privacy (PGP) and Off-the-Record (OTR) messaging. Even when the NSA is able to break the encryption it’s not a costless endeavor when compared to plaintext.

Another key thing the NSA relies on is centralization. It’s much easier to surveil people when they’re all using a handful of services. With the popularity of Gmail, the fact that there are only four major cell phone carriers in the country, and how many people use Facebook, a lot of data is being stored in a handful of locations, which means the NSA only needs to focus its efforts on a few key spots to spy on the vast majority of Americans. If more people ran their own e-mail, XMPP, etc. servers it would increase the NSA’s costs as it would have to spread out its efforts. Utilizing decentralized networks, such as Wi-Fi mesh networks, instead of centralized Internet Service Providers (ISPs) would further complicate the NSA’s efforts.

Fighting the NSA’s surveillance apparatus requires increasing the agency’s costs. That can only be done by the ubiquitous use of encryption and decentralizing infrastructure. Don’t be a lazy libertarian, start learning how to utilize cryptographic tools today. As always I’m here to help.

Why Everybody Should Use Encryption

Using encryption requires individuals to put forth the effort to learn. Because people tend to be lazy they usually spend more time coming up with excuses for not learning encryption than they do learning how to use it. Ultimately the excuse they end up settling on is that they have nothing to hide. This is bullshit, of course. If they truly didn’t have anything to hide they would put Internet accessible cameras and microphones in every room of their house and allow anybody to check in on what they’re doing at any time. But they don’t.

Besides the fact that we all have something to hide there is another reason why the “nothing to hide” excuse doesn’t work. To quote Bruce Schneier:

Encryption should be enabled for everything by default, not a feature you turn on only if you’re doing something you consider worth protecting.

This is important. If we only use encryption when we’re working with important data, then encryption signals that data’s importance. If only dissidents use encryption in a country, that country’s authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can’t tell the dissidents from the rest of the population. Every time you use encryption, you’re protecting someone who needs to use it to stay alive.

By not using encryption you are putting lives in danger. Specifically the lives of people who need encryption to stay alive. So long as a majority of people utilize unencrypted forms of communication the presence of encryption becomes a signal that indicates to a snoop that the captured data is important. If all data, from e-mails wishing grandma a happy birthday to plans for protesting the latest act of police brutality, is encrypted then the spies can’t use it to indicate what is and isn’t important. At that point their costs skyrocket because the only way for them to learn what is and isn’t important is to decrypt everything, which isn’t feasible for any organization.

So stop making excuses and learn how to encrypt your data. There are plenty of people out there, including myself, willing to help you. If you don’t then you’re contributing to a problem that puts real lives in danger.

History of Crypto War I

In its zeal to preserve the power to spy on its citizens members of the United States government have begun pushing to prohibit civilians from using strong cryptography. While proponents of this prohibition try to scare you with words such as terrorists, drug cartels, and pedophiles let’s take a moment to remember the last time this war was waged:

Encryption is a method by which two parties can communicate securely. Although it has been used for centuries by the military and intelligence communities to send sensitive messages, the debate over the public’s right to use encryption began after the discovery of “public key cryptography” in 1976. In a seminal paper on the subject, two researchers named Whitfield Diffie and Martin Hellman demonstrated how ordinary individuals and businesses could securely communicate data over modern communications networks, challenging the government’s longstanding domestic monopoly on the use of electronic ciphers and its ability to prevent encryption from spreading around the world. By the late 1970s, individuals within the U.S. government were already discussing how to solve the “problem” of the growing individual and commercial use of strong encryption. War was coming.

The act that truly launched the Crypto Wars was the White House’s introduction of the “Clipper Chip” in 1993. The Clipper Chip was a state-of-the-art microchip developed by government engineers which could be inserted into consumer hardware telephones, providing the public with strong cryptographic tools without sacrificing the ability of law enforcement and intelligence agencies to access unencrypted versions of those communications. The technology relied on a system of “key escrow,” in which a copy of each chip’s unique encryption key would be stored by the government. Although White House officials mobilized both political and technical allies in support of the proposal, it faced immediate backlash from technical experts, privacy advocates, and industry leaders, who were concerned about the security and economic impact of the technology in addition to obvious civil liberties concerns. As the battle wore on throughout 1993 and into 1994, leaders from across the political spectrum joined the fray, supported by a broad coalition that opposed the Clipper Chip. When computer scientist Matt Blaze discovered a flaw in the system in May 1994, it proved to be the final death blow: the Clipper Chip was dead.

The battlefield today reflects the battlefield of Crypto War I. Members of the government are again arguing that all civilian cryptography should be weakened by mandating the use of key escrow that allows the government to gain access to any device at any time. As with the last war, where the government’s proposed Clipper Chip was proven to be completely insecure, this war must be looked at through the lens of government security practices or, more specifically, the lack of security practices. It was only last week that we learned some of the government’s networks are not secure, which led to the leaking of every federal employee’s personal information. How long do you think it would take before a hack of a government network led to the leaking of every escrow key? I’d imagine it would take less than a week. After that happened every device would be rendered entirely insecure against anybody who downloaded the leaked escrow keys.

What everybody should take away from this is that the government is willing to put each and every one of us at risk just so it can maintain the power to spy on us with impunity. But its failure to win Crypto War I proved that the world wouldn’t come to an end if the government couldn’t spy on us with impunity. Since Crypto War I the power of law enforcement agents to acquire evidence of wrongdoing (according to the state) didn’t suddenly stop, terrorist attacks didn’t suddenly become a nightly occurrence, and children being abducted by pedophiles didn’t suddenly become a fact of everyday life.

Crypto War II is likely inevitable but it can be won just as the last one was. The first step to victory is not allowing yourself to be suckered by government lies.

Like Vultures to a Corpse

One of the hardest things to stomach after a shooting, besides the event itself, is the way politicians swoop in to exploit the situation for political gain. Before anybody has even had a chance to breathe we are subjected to politicians getting on screen and blaming the event on whatever hot button issue they’ve been pushing. Obama, for example, decided to take a moment to remind the country that he’s been pushing for stronger gun restrictions:

President Barack Obama on Thursday expressed profound “sadness and anger” at the Charleston church shooting as well as deeply personal frustration that America’s political climate makes it virtually impossible for now to tighten restrictions on who can buy firearms.

“We don’t have all the facts, but we do know that once again, innocent people were killed in part because someone who wanted to inflict harm had no trouble getting their hands on a gun,” Obama said in the White House briefing room, Vice President Joe Biden standing at his side.

Thanks a lot, jackass.

But Obama wasn’t the only politician exploiting this tragedy. Everybody’s favorite religious zealot, Rick Santorum, was compelled, probably by the voice of “Jesus” that he constantly hears in his head, to talk about religious liberty:

Presidential candidate and former Sen. Rick Santorum (R-PA) on Thursday called the attack by a white gunman on a historic black church in Charleston, S.C. part of a broader assault on “religious liberty” in America.

“It’s obviously a crime of hate. Again, we don’t know the rationale, but what other rationale could there be?” Santorum said on the New York radio station AM 970.

This is why nobody likes you, Rick.

I swear America has found a way to politicize every goddamn topic and event in existence. If a skyscraper full of people collapsed tomorrow every politician would be on camera within the hour arguing why it was caused by their pet political issue. They’re all a bunch of vultures. Actually, scratch that. Vultures serve a valuable role in the environment. Politicians don’t even do that.

Government Networks Are Too Old to Secure

The quest for answers regarding the recent breach that put every federal employee’s personal information at risk has begun. As with most government investigations into government screw ups this one is taking the form of public questionings of mid-level federal employees. Buried within the extensive waste of time that was the most recent public hearing were a few nuggets of pure gold. For starters the Office of Personnel Management (OPM) Director, Katherine Archuleta, let some information slip that should be very concerning to everybody:

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

Apparently government networks are too old to secure. The only conclusion one could draw from this is that the government networks involved are running on unsupported software. Perhaps most of the computers in its networks are still running Windows XP or something older. Perhaps the hardware they’re using is so ancient that it cannot actually encrypt and decrypt data without a noticeable performance hit. What is clear is that somebody really screwed up. Whether it was network administrators failing to update software and hardware or bean counters failing to set aside funding for modernization, the network that holds the personal information for every federal employee was not properly maintained. And this is the same organization that has a great deal of personal information about every American citizen. The federal government has your name, address, phone number, Social Security Number, date of birth, and more sitting in its janky-ass network. Think about that for a moment while you contemplate the importance of privacy from the government.

But old networks aren’t the only problem with the government’s networks:

But even if the systems had been encrypted, it would have likely not mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

Gaining valid user credentials shouldn’t allow one to obtain personal information on every government employee. This admission indicates that every user on the network must either have administrative rights or the data isn’t protected in any way against unauthorized access from internal users. Any network administrator worth a damn knows that you only give users the privileges they require. Developers of systems that handle sensitive personal information should know that any access to said information would require approval from one or more higher ups. If I’m a user and want to access somebody’s Social Security Number there should be some kind of overseer that must approve the request.

Many network administrators haven’t implemented multifactor authentication, but this omission is inexcusable for a network that contained so much personal information. Relying on user names and passwords to protect massive databases of personal information is gross negligence. With options such as YubiKey, RSA SecurID, and Google Authenticator there is no excuse for not implementing multifactor authentication on networks with so much sensitive information.
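To make the two points above concrete, here is an added Python example that is not from the original post and not the code of any product named above. It implements the one-time-password scheme that Google Authenticator uses (HOTP from RFC 4226 and TOTP from RFC 6238, checked against the RFC’s published test key) so that a stolen password alone yields no session, and it gates reads of a sensitive field behind approval from a second person with an approver role, which is the “overseer” the paragraph before asks for. Every user, password, record, secret and the fixed salt are constructed placeholders for the demonstration.

```python
import hashlib
import hmac
import struct

# --- One-time passwords (RFC 4226 HOTP / RFC 6238 TOTP) ----------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP is HOTP with the counter set to the number of `step`-second periods."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current step or +/- `window` steps to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))

# --- Password storage --------------------------------------------------------

_SALT = b"constructed-static-salt"  # real systems use a random salt per user

def hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample directory; the people and secrets below are made up.
USERS = {
    "analyst": {"pw": hash_password("correct horse"),
                "totp_secret": b"12345678901234567890",  # RFC 6238 test key
                "roles": {"hr_reader"}},
    "manager": {"pw": hash_password("battery staple"),
                "totp_secret": b"constructed-secret-2",
                "roles": {"hr_reader", "approver"}},
}

def authenticate(user: str, password: str, code: str, now: int):
    """Return a session only when BOTH factors check out: a phished password
    without the second factor gets nothing."""
    rec = USERS.get(user)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["pw"], hash_password(password)):
        return None
    if not verify_totp(rec["totp_secret"], code, now):
        return None
    return {"user": user, "roles": rec["roles"]}

# --- Least privilege for sensitive fields ------------------------------------

RECORDS = {"emp-001": {"name": "Pat Example", "ssn": "000-00-0000"}}  # constructed
SENSITIVE = {"ssn"}

def read_field(session, record_id: str, field: str, approvals: dict, audit: list):
    """`approvals` maps (requester, record_id, field) -> approving user.
    Sensitive fields require a different person holding the approver role;
    every decision, allowed or denied, is appended to `audit`."""
    who = session["user"] if session else None
    if session is None or "hr_reader" not in session["roles"]:
        audit.append(("deny", who, record_id, field))
        return None
    if field in SENSITIVE:
        approver = approvals.get((who, record_id, field))
        approver_roles = USERS.get(approver, {}).get("roles", set())
        if approver is None or approver == who or "approver" not in approver_roles:
            audit.append(("deny-no-approval", who, record_id, field))
            return None
    audit.append(("read", who, record_id, field))
    return RECORDS[record_id][field]
```

The window of one step on either side is what most authenticator deployments use; widening it trades a little brute-force margin for tolerance of drifting clocks, and the audit list is where a detection pipeline would watch for repeated `deny-no-approval` entries from one account.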

We all know governments love oversight and this is no exception. The systems in question were inspected by a government overseer, were deemed not to be properly secured, and nothing was done about it:

He referred to OPM’s own inspector general reports and hammered Seymour in particular for the eleven major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”

Here we see one of the biggest failures with government oversight, the lack of enforcement. When an inspector deems systems to be unfit those systems should be made fit. If they’re not made fit people charged with maintaining them should be replaced. There is no point in oversight without follow through.

When people claim they have nothing to hide from the government they seldom stop to consider who can gain access to its data. It’s not just the law enforcers. Due to general incompetence when it comes to security it’s potentially anybody with valid user credentials. And valid user credentials are obtainable by exploiting the weakest link in any computer network: the user. According to Dr. Andy Ozment the credentials were likely obtained through social engineering, which is something most people can fall prey to. Because of the lack of multifactor authentication, anybody who can social engineer user credentials from a government employee potentially has access to all of the data the government has collected on you. Is that something you’re honestly OK with? Do you really want a government this incompetent at protecting the personal data of its own employees holding a lot of personal data about you?