Hacking Team Changes Its Tune In Desperate Attempt To Remain Relevant

Last week Hacking Team made a big deal about terrorists having access to its advanced technology. This week everything is different. Hacking Team wants the world to know that the technology that was obtained from its internal network is old and crappy and no big deal:

On Monday, Hacking Team released a statement saying that while some of its surveillance-related source code was released to the public, the firm still retains an edge. “Important elements of our source code were not compromised in this attack and remain undisclosed and protected,” the release said. “We have already isolated our internal systems so that additional data cannot be exfiltrated outside Hacking Team. A totally new internal infrastructure is being build [sic] at this moment to keep our data safe.”

Hacking Team must work very fast if it was able to discover, between last week and today, all the new exploits that allow it to regain its edge as a top purveyor of surveillance software to countries that regularly commit atrocities. At best the company is literally making up bullshit, which wouldn’t be the first time considering how often it denied doing business with many of the countries it was doing business with, or at worst it has been able to buy a slew of new zero-day exploits. Either way I doubt the damage to Hacking Team’s brand can be undone. Being a malware seller that was breached is one thing, but being a malware seller that has demonstrably shitty internal security practices isn’t likely to put its customers’ minds at ease.

My highest hope is that Hacking Team goes bankrupt and its top brass are raked over the coals.

Hennepin County Offers To Make Peaceful Transactions More Risky

Every day people are performing voluntary transactions, many of which are set up over trade websites like Craigslist. There have been a few horror stories arising from these arranged transactions, mostly because one party didn’t demand the transaction occur in a public place, but the vast majority occur without incident. Thanks to the media and police the handful of bad incidents have been trumped up enough to make a lot of people unnecessarily afraid of such transactions. Now that it has helped create the problem, Hennepin County is claiming to have the solution:

MINNEAPOLIS (KMSP) – Ever purchased or sold an item on Craigslist and wondered if the person on the other end could kill you? To combat online purchasing crime, Hennepin County unveiled “Swap Spots,” public safe havens where members of the community can go to make a variety of transactions.

[…]

Swap Spots are only available during normal hours of operation and designated by a blue and red logo. A deputy is not required to monitor each exchange, will not facilitate the transaction, and won’t keep a log of transactions, but if you would like a deputy present, the sheriff’s office said they’ll try to accommodate you.

What could make an otherwise peaceful transaction risky? Adding armed men with liability shields and an extensive history of violence into the mix! That’s what Hennepin County is offering with these “Swap Spots.” Instead of meeting in a public place, say a busy park or a restaurant, to perform a transaction, people now have the option of performing the transaction under the gaze of police officers who are likely chomping at the bit to arrest somebody for violating some esoteric law, failing to pay a tax, or any number of other possible justifications they can fabricate on the spot.

If I were going through with an online transaction the last place I would do it is one of these “Swap Spots.” Adding government in any capacity to the free market is always dangerous. I’d far prefer performing a transaction at a restaurant where you’re not only safe but also have access to food and drink (which is always nice when doing business).

Hacking Team Demonstrates It Doesn’t Know What Words Mean

Hacking Team has finally released a response to the attack it incurred. Much like the company’s internal network security, the response it posted should have people concerned. In addition to not following basic security practices, such as not storing login credentials in plaintext files, the company also doesn’t have a strong grasp of the English language:

Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies.

If Hacking Team could control who had access to the technology before the attack, the attack wouldn’t have been successful. The fact that the attack was successful proves that Hacking Team didn’t have control over its technology. Apparently whoever is doing public relations for the company doesn’t know what the word control means.

The next two sentences, especially combined with the above sentence, are especially laughable to me:

Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so.

Instead of governments and government agencies having exclusive use of Hacking Team’s technology, now terrorists, extortionists, and others have access to it? What exactly is the difference between a government and an extortionist? None. Governments by their very nature are extortionists. They do tend to use nice sounding euphemisms like taxes, license fees, and citations, but in reality governments are in the business of forcefully taking wealth from the populace.

Looking a bit deeper, we must ask how some of the governments and agencies Hacking Team sold to, such as Sudan, Ethiopia, and the Drug Enforcement Agency, differ in any notable way from other terrorist organizations. With the exception that Hacking Team has accepted money from them, there is no notable difference. Simply calling something by a different name doesn’t change what it is. Admittedly this is a problem many people have with the English language.

Outside of its failure to utilize the English language, the Hacking Team response contains this gem:

HackingTeam is evaluating if it is possibile to mitigate the danger.

How could a company that discovers previously unknown vulnerabilities help mitigate danger to people? For actual security companies the answer is to work with developers to fix the vulnerabilities before they can be actively exploited. Hacking Team, on the other hand, sat on those vulnerabilities so it could sell tools for the sole purpose of exploiting them. Its entire business model relied on people being in danger. Had it actually cared about helping mitigate danger it wouldn’t have sold the tools it did, especially to the customers it did.

This Hacking Team breach just gets better by the day. Between the company’s scummy practices, source code getting open sourced, and complete failure at handling public relations this breach is the gift that keeps on giving.

If A Law Is Passed And Nobody Can Enforce It Is It Still A Law

Online harassment, often called cyber-bullying by legal marketing teams, has become a very hot topic in the last couple of years. More people are seeing firsthand how ruthless denizens of the Internet can be and are demanding something be done. Governments around the world are acknowledging this issue and addressing it in the only way they know how: issuing decrees. New Zealand has led the charge by passing a law making online harassment illegal:

The Harmful Digital Communications Bill passed its third and final reading last night.

[…]

The bill’s key elements:

Harmful Digital Communications Bill: key provisions

  • A fine of up to $50,000 for an individual or up to $200,000 for a body corporate, or up to two years’ jail for posting or sending a “harmful digital communication” – aka cyber-bullying with a post likely to cause distress. The bill covers racist, sexist and religiously intolerant comments, plus those about disabilities or sexual orientation;
  • Up to three years’ jail for the new crime of incitement to suicide;
  • An “approved agency” will advocate on behalf of complainants. The aim is that the agency will be able to make direct contact with web publishers and social media sites like Facebook and Twitter, where a member of the public often has trouble getting heard (the Law Commission has recommended NetSafe be the approved agency; the non-profit NetSafe’s backers include InternetNZ, the NZPolice, the Ministry of Education and private companies);
  • If the approved agency makes no headway, a complaint is escalated to a District Court judge; and
  • Web publishers can opt in to a safe-harbour provision, protecting them from liability (and arguably also crimping free speech) if they agree to take down allegedly offending material on demand or at least within a grace period of 48 hours.

When used outside of legal circles the word law implies something that, as far as we know, cannot be violated. The laws of physics, for example, state that the speed of light cannot be exceeded. That leads me to ask an important question: if nobody can enforce a law, is it still a law?

If you read through this bill you’ll quickly realize that it puts the legal burden on the content host. In order to avoid being held liable for user content, the host must agree to remove reported content within 48 hours of notifying the author if the author doesn’t submit a counter-notice within the same span of time. Anybody who has worked in a sizable company knows that the default position of the legal department is always on the safe side. That being the case, this bill will likely convince companies to pull down any reported content with little or no investigation. So this bill, on the surface, appears to solve the problem by ensuring companies are motivated to remove harassing content (and, as a more concerning aside, could end up being a useful tool for general censorship as well if companies remove content without actually investigating it).

But deleting content doesn’t actually solve the problem of online harassment. Content is easy to create and post. If something harassing is deleted it can simply be posted again. Even if the account of the person posting offending content is shut down, it’s a simple matter on most sites to create a new account. And if there’s a specific person being targeted by numerous individuals, such as the people targeted by GamerGate, it quickly becomes infeasible to shut down accounts faster than they’re created. A handful of administrators charged with reviewing complaints and closing offending accounts is no match for hundreds or thousands of individuals dedicated to posting harassing content. Therefore I would argue this bill isn’t a law because it can be easily bypassed by online harassers.

I’m not a fan of complaining about a proposed solution without offering one of my own. To that end I want to diverge from the topic of whether or not this is a law and focus on what is actually needed to counter online harassers. Dealing with the issue of online harassment means focusing on the harassers, not the content hosts. But siccing law enforcers on individuals who have effective tools to anonymize themselves (as with any technology, tools that anonymize people can be used for good and bad) is also infeasible. How, for example, can law enforcement agents pursue an Internet protocol (IP) address, which is the only identifying information content hosts may have access to, when it belongs to a Tor exit relay or a virtual private network (VPN) provider in a foreign country? Even if the IP address can be traced back to an entity law enforcers can go after, how can they verify the owner even knew their network was being used for online harassment? A depressingly large number of people have no idea how to secure their wireless access points, and many businesses that offer wireless access to customers do so with open networks because the logistics involved in doing the same with a secured network are too complex for them.

So the question becomes, what can be done to counter online harassment? Back when malicious hackers acquired login credentials for several celebrities’ iCloud accounts I said a counter-hacker initiative was needed and I believe such a tactic could be applicable here as well. Groups dedicated to countering online harassers could raise the costs of harassing people online, which is nearly zero at the moment. The key, in my opinion, is having people dedicated to the task (in other words, like any private security group, paid for their services so they can focus on providing them) that aren’t restricted by state decrees and have the motivation law enforcers lack.

Is this the only solution? Hardly. It’s just one that I can think of. Would this solution work? I believe so but I can’t say for certain. What I do know is finding a solution to online harassment, as with finding a solution to any problem, requires markets. The creativity of the world has to be tapped to find a way to effectively address this problem because the creativity of the world is currently being tapped to create this problem. Relying on a handful of individuals to write unenforceable words on pieces of paper isn’t going to accomplish anything.

Open Carry is Different than Threatening People With a Gun

It’s time once again for some open carry drama. This time it’s being brought to us by the police of Gulfport, Mississippi. An individual of that town went into the local Wal-Mart with a shotgun and was racking shells into the chamber to intimidate shoppers. The local Special Weapons and Tactics (SWAT) team arrived on the scene but opted not to arrest the individual. Their reason? Open carry laws:

The police chief of Gulfport, Mississippi, expressed his frustration with his state’s open carry laws after a man strolling through a Walmart Sunday night menaced shoppers by loading and racking shells into his shotgun, causing police to dispatch a SWAT team and evacuate the store.

According to Police Chief Leonard Papania, he would have arrested the unidentified man and his companion if he could for stretching the city’s police forces thin while panicked Walmart employees huddled in a safe room, WMC reported.

[…]

Using surveillance video police were able to track the men down and speak with them, but due to Mississippi’s open carry laws, the chief said his hands were tied after conferring with city attorneys.

“In our nation there continues to be violent events. Many of these tragic events start to unfold with very similar circumstances where individuals exhibit peculiar actions with firearms around large crowds,” he explained. “The actions of these two men could have inadvertently led to a very violent misunderstanding.”

Bullshit. His hands were not tied. There are numerous laws on the books that would have allowed him to arrest the individual; terroristic threats and brandishing are two that come to mind immediately. Walking around a store racking shells into the chamber of a shotgun qualifies as threatening behavior, and threatening behavior is illegal under many statutes.

A very obvious line exists between openly carrying a firearm and threatening people with it. Walking around with a holstered handgun or a slung long arm is nothing more than openly carrying a firearm and isn’t threatening in any way. Unholstering a handgun or unslinging a long arm and manipulating the controls in public without a present threat is an act reasonable people can assume to be threatening. I certainly would. And that’s what brandishing is: waving a weapon around in a threatening manner.

What this looks like to me is the police or city attorneys (or both) purposely making a bad situation because they are unhappy that open carry is legal. It wouldn’t be the first time law enforcement or government attorneys purposely made a bad situation by refusing to do their supposed jobs just to create public support for passing a new restriction.

The Hardships Involved with Supporting Both Gun Rights and Gay Rights

Readers of my blog and people who know me in meatspace are aware of my absolutist positions on both gun and gay rights. I’m one of those people who believes you should be allowed to marry whoever you want and defend yourself against those who would attack you for living a life they find unacceptable. Unfortunately gun and gay rights activists often clash. Many people on the gun rights side, being devout Christians and social conservatives, strongly oppose legalizing same-sex marriage. Meanwhile many gay rights activists, being devout neoliberals, strongly oppose repealing gun restrictions. Both sides believe their respective gods, those being the Christian God and the state, have handed them a divine mission to force the world into submitting to their central plan. Being stuck in the middle, I often find myself unwelcome in both groups. And it seems I’m not alone:

The right to marry clashed with the right to carry over the weekend in Olympia, Washington, when members of the state’s Libertarian Party were barred from a gay pride event because of their support for the Second Amendment.

Last weekend marked the 25th anniversary of the Capital City Pride festival in the Evergreen State, and the Libertarian Party of Washington planned to attend the festival and man a booth — just like in the years past. However, when an attendee called the event’s organizers to ask if open carry would be allowed throughout the festival, the libertarians suddenly found themselves barred from the festivities.

[…]

Other than the voicemail Holcomb received the day before the festival, allegedly no other members of the LPWA — including those who registered for the booth — were informed that the entire party was no longer welcome at the inclusive event. It wasn’t until an LPWA booth organizer, Edwin Pole, showed up at 8 a.m. on Saturday that he was told he could no longer attend.

“She was absolutely, really overacting,” Pole told TheBlaze in an interview. “We were complying.”

Pole told TheBlaze that both he and Holcomb showed up to the event unarmed, and that while the LPWA had discussed whether or not they wanted to promote gun rights in the booth this year, they ultimately decided against it long before the confrontation with Schlecht. Pole said LPWA members had been asked to show up to the festival unarmed.

This is the kind of inconsistent advocacy that really pisses me off. I make no apologies for being an absolutist when it comes to things I consider to be rights. Voluntary association, which is what I consider any form of voluntary marriage to be, and self-defense, which is what laws removing restrictions on carrying firearms enable, are two of those things. In fact I cannot take seriously anybody who calls themselves an advocate of rights and doesn’t entirely oppose any restriction against voluntary association or self-defense. That’s not to say I believe you are required to carry a gun or have to personally endorse same-sex marriages, but if you support any state restriction against either I don’t believe you have any grounds to call yourself an advocate of rights.

So I get a little pissy when I see gun rights activists opposing legalizing same-sex marriages and gay rights activists opposing people’s ability to defend themselves. And I get especially pissy when I see either side justifying their opposition by tying the thing they hate to a horrible event or organization:

Pole said he personally paid the $100 for the booth himself and did not take a check Schlecht allegedly attempted to shove into his notebook Saturday morning. He said that while the check was to reimburse for the cost of the booth, it was “not sufficient” as it did not compensate LPWA for the additional money, time and resources the organization had used in an attempt to get ready for the festival.

Aside from the check, Schlecht provided the LPWA members with a handwritten note that explained Capital City Pride’s decision to take away their booth.

“You and your associates are completely free to exercise your 1st Amendment rights to free speech in & around our fair grounds,” the note signed by Schlecht said. “You and your associates are free to exercise your 2nd Amendment rights. And be advised that your supreme insensitivity to the recent church shooting in Charleston will be duly noted by festival participants.”

Self-defense and the shooting in Charleston are in no way related. Not one damn way. The comparable action from the other side would be a gun rights activist telling a gay person that they couldn’t attend a gun rights rally on account of a mentally deranged gay man killing several straight people in an entirely different city. By trying to demonize gun rights supporters by insinuating they are somehow related to the shooting in Charleston, Schlecht is being so blatantly dishonest that she should be embarrassed to the point of resigning her position. In fact if I were in charge of the event I would fire her immediately for such dishonest behavior. She doesn’t give a shit about rights so I see no reason she should be involved with an event advocating rights.

Speaking of the event itself, I’ve always been of the opinion that gay pride festivals should have as many firearms present as rainbow flags. Members of the lesbian, gay, bisexual, and transgender (LGBT) community are frequent targets of violent attacks. The Stonewall riots, for example, were the result of one such attack by police officers. So if anybody should understand the need for having access to an immediate, effective means of self-defense it should be members of the LGBT community. It’s actually depressing to see so many gay rights activists also supporting the oppression of the LGBT community by opposing attempts to repeal restrictions on gun ownership and carrying.

Before I end this post I’d like to take a semi-related aside. Anybody who knows their history of esoteric politics may see a lot of similarities between this event and the idea behind the Guns and Dope Party. Back in the day a wise man realized that if you had all of the cannabis users and gun owners in the country united you’d have a majority of the voter base. The only problem was that the cannabis users and gun owners tended, and still tend, not to like one another. So he conceived of the Guns and Dope Party to unite the two factions and bring liberty to the land. Since you live in this tyrannical shit hole with me you know that the two groups’ hatred for one another won out. Sadly history appears to be repeating itself, which just further shows that divide and conquer is an effective strategy when you’re the ruler and want to prevent your power from being toppled.

This Flag Shit is Out of Hand

I’ve tried to ignore the recent Internet controversy surrounding the Confederate flag. It’s the exact same argument as last time and my opinion on the matter hasn’t changed. Flying the Confederate flag is stupid for the exact same reasons flying the United States flag is. But this time the controversy has reached some stupendously stupid levels.

Remember the Dukes of Hazzard? Not the shitty remake but the original show. It starred the General Lee and some humans nobody cared about. The General Lee was an orange Dodge Charger that had a Confederate flag painted on the roof (because the show took place in the rural South, which is otherwise indistinguishable from the rural North). There was nothing racist about the show. But the powers that be at Warner Brothers have decided to cease production of all toy General Lees. I can’t wait for the next Dukes of Hazzard remake where the General Lee is replaced with the General Sherman, a car with a United States flag painted on the roof.

Toys aren’t the only thing getting pulled. Do you like historical strategy games that strive for accuracy? Too bad! Apple has pulled Civil War strategy games on account of Confederate sides displaying, get this, Confederate flags. I bet people are really going to flip their shit when they find out that there are World War II strategy games that let you play as Germany.

Of course no controversy would be complete without somebody at Slate writing an absolutely idiotic piece. It’s titled The Confederate Flag Doesn’t Belong in a Museum, and it’s stupid because the Confederate flag does belong in a museum; that’s exactly what museums exist for. The title is clickbait, though, because the author feels that the Confederate flag could be put in a museum, but only if a mountain of conditions are met:

What might such an exhibit look like? It would need to tell the history behind the flag. It is a symbol of white supremacy, and museums should acknowledge it as such. The designer for the second national flag of the Confederacy described it as a representation of the fight to “maintain the Heaven-ordained supremacy of the white man over the inferior or colored race.” The exhibit should also acknowledge the role the flag played in South Carolina’s past. The flag that’s captured national attention this week came to Columbia in 1962, as a reaction to black people fighting for and winning rights during the civil rights era.

Effective museum interpretation would not stop there. It would address the reoccurring questions surrounding this symbol. Why do people find the flag offensive? Why are other people so attached to the flag? Why do some people who embrace the fullness of Southern pride, including the Confederate flag, not see themselves as racists?

Furthermore, a complete interpretation of the Confederate flag would need to make clear that black people have always resisted white supremacy and fought for the demise of institutional racism.

Why the hell isn’t the United States flag subjected to these same conditions? That flag not only represents slavery, racism, and war, but it also represents the almost complete extermination of this country’s indigenous people, dropping nuclear weapons on civilian populations, placing people in concentration camps because of their race, and a whole lot of other really shitty things.

It’s one thing to say the Confederate flag shouldn’t be flown in front of government buildings (but hypocritical if the advocate doesn’t believe the United States flag should also be taken down) but it’s an entirely different thing to attempt to erase it from history. To quote George Santayana, “Those who cannot remember the past are condemned to repeat it.”

Uber Wants Defenseless Drivers and Passengers

I’ve watched ride sharing companies Uber and Lyft with a great deal of interest. The idea of having a system where vehicle owners can connect with people wanting a ride, to the benefit of both, appeals to me. But I’ve always been put off by both services’ centralized nature. Centralized systems are too easy for the state to regulate or shut down and lend themselves too well to the central authority placing ever stricter rules on the users. Uber has decided to flex its centralized power by banning both drivers and passengers from carrying firearms while using its service:

Uber Technologies says it is banning firearms of any kind during rides arranged through the Uber platform, and drivers or riders who violate the rule may lose access to the platform. The rules also apply to Uber’s affiliates.

The company said Friday it changed its firearms policy on June 10 to make sure riders and drivers feel comfortable. In a statement, Uber said it made the change after reviewing feedback from both passengers and Uber drivers. Previously it had deferred to local law on the issue.

I could point out that concealed means concealed and that Uber doesn’t have any legal authority, so carrying while using its service isn’t criminal. But I firmly believe that if a company doesn’t want to do business with me then I don’t want to do business with it. I’m also of the opinion that it should be up to the driver, the person who owns the vehicle after all, to decide what they do and do not want to allow in their vehicle. A decentralized ride sharing service would allow drivers to make such decisions.

This announcement is rather ironic though. Whereas most companies that announce gun prohibitions don’t have a history involving firearms, Uber does. One of its drivers actually prevented a mass shooting:

A group of people had been walking in front of the driver around 11:50 p.m. Friday in the 2900 block of North Milwaukee Avenue when Everardo Custodio, 22, began firing into the crowd, Quinn said.

The driver pulled out a handgun and fired six shots at Custodio, hitting him several times, according to court records. Responding officers found Custodio lying on the ground, bleeding, Quinn said. No other injuries were reported.

With this new policy Uber is effectively saying it would have preferred if more people had died in that incident. I don’t want to do business with a company that doesn’t want to do business with me and I certainly don’t want to do business with a company that would rather people die than its drivers and passengers be armed.

Darwin in Action

How do you check to see if one of your firearms is loaded? If you answered, “Put it against my head and pull the trigger,” you may want to reconsider your life:

MIMS, Fla. — Police say a man who was checking to see if a bullet was still in the chamber of a pistol has died after he put the gun to his head and pulled the trigger, accidentally shooting himself.

Authorities say 49-year-old Charles Cooper shot himself at 1:50 a.m. Sunday during a weekend fishing trip and a cookout in Mims.

I have a hard time considering that accidental. Accidents usually imply the actor wasn’t purposely taking action to cause the result. Our brilliant specimen here pretty deliberately put the gun to his head. It probably won’t surprise anybody to hear that alcohol was likely involved. Once again it’s worth noting that alcohol and firearms, or any other weapon for that matter, don’t mix well.

With that said, I believe he should be awarded an achievement in excellence for saving future generations from his progeny.

Government Networks Are too Old to Secure

The quest for answers regarding the recent breach that put every federal employee’s personal information at risk has begun. As with most government investigations into government screw-ups, this one is taking the form of public questionings of mid-level federal employees. Buried within the extensive waste of time that was the most recent public hearing were a few nuggets of pure gold. For starters, the Office of Personnel Management (OPM) Director, Katherine Archuleta, let slip some information that should be very concerning to everybody:

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

Apparently government networks are too old to secure. The only conclusion one can draw from this is that the government networks involved are running on unsupported software. Perhaps most of the computers in its networks are still running Windows XP or something older. Perhaps the hardware they’re using is so ancient that it cannot actually encrypt and decrypt data without a noticeable performance hit. What is clear is that somebody really screwed up. Whether it was network administrators failing to update software and hardware or bean counters failing to set aside funding for modernization, the network that holds the personal information for every federal employee was not properly maintained. And this is the same organization that has a great deal of personal information about every American citizen. The federal government has your name, address, phone number, Social Security Number, date of birth, and more sitting in its janky-ass network. Think about that for a moment while you contemplate the importance of privacy from the government.

But old networks aren’t the only problem with the government’s networks:

But even if the systems had been encrypted, it would have likely not mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

Gaining valid user credentials shouldn’t allow one to obtain personal information on every government employee. This admission indicates that either every user on the network has administrative rights or the data isn’t protected in any way against unauthorized access by internal users. Any network administrator worth a damn knows that you only give users the privileges they require. Developers of systems that handle sensitive personal information should know that any access to said information should require approval from one or more higher-ups. If I’m a user and want to access somebody’s Social Security Number, there should be some kind of overseer who must approve the request.
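What that looks like in practice, as an added example that is not OPM's system or anyone's production code: a small record store where each role can only read the fields it needs, a Social Security Number can be read only by an authorised role holding a single-use approval issued by a different person, and every attempt, allowed or denied, is written to an audit log. The roles, field names, records and approval flow are all constructed for the illustration.

```python
"""Least-privilege access to a personnel record store (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample records; the people and numbers are fictitious.
RECORDS: Dict[str, Dict[str, str]] = {
    "emp-1001": {"name": "A. Example", "phone": "555-0100", "ssn": "000-00-0001"},
    "emp-1002": {"name": "B. Example", "phone": "555-0101", "ssn": "000-00-0002"},
}

# Fields each role may read on its own. Host administrators get none:
# running the servers is not a reason to read the data they hold.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "helpdesk": {"name", "phone"},
    "hr_officer": {"name", "phone"},
    "supervisor": {"name"},
    "sysadmin": set(),
}

# Fields that additionally need a per-request approval, and which role may ask.
APPROVAL_REQUIRED: Dict[str, str] = {"ssn": "hr_officer"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str


@dataclass(frozen=True)
class Approval:
    requester: str
    record_id: str
    field: str
    approver: str


class RecordStore:
    def __init__(self) -> None:
        self.audit: List[str] = []
        self._approvals: List[Approval] = []

    def grant_approval(self, approver: Session, requester: str,
                       record_id: str, field: str) -> None:
        """A supervisor approves one read of one field on one record."""
        if approver.role != "supervisor":
            self._log(approver, record_id, field, "approval denied: not a supervisor")
            raise PermissionError("only supervisors may approve")
        if approver.user == requester:
            self._log(approver, record_id, field, "approval denied: self-approval")
            raise PermissionError("cannot approve your own request")
        self._approvals.append(Approval(requester, record_id, field, approver.user))
        self._log(approver, record_id, field, f"approved for {requester}")

    def read(self, session: Session, record_id: str, field: str) -> str:
        """Return a field only if the role allows it and any required approval exists."""
        if field in ROLE_FIELDS.get(session.role, set()):
            self._log(session, record_id, field, "read")
            return RECORDS[record_id][field]
        if APPROVAL_REQUIRED.get(field) == session.role:
            ticket = self._take_approval(session.user, record_id, field)
            if ticket is not None:
                self._log(session, record_id, field, f"read (approved by {ticket.approver})")
                return RECORDS[record_id][field]
            self._log(session, record_id, field, "denied: no approval")
            raise PermissionError("approval required")
        self._log(session, record_id, field, "denied: role not permitted")
        raise PermissionError("role not permitted")

    def _take_approval(self, requester: str, record_id: str, field: str) -> Optional[Approval]:
        """Consume a matching approval so it cannot be reused for a second read."""
        for ticket in self._approvals:
            if (ticket.requester, ticket.record_id, ticket.field) == (requester, record_id, field):
                self._approvals.remove(ticket)
                return ticket
        return None

    def _log(self, session: Session, record_id: str, field: str, outcome: str) -> None:
        self.audit.append(f"{session.user}({session.role}) {record_id}.{field}: {outcome}")
```

The point of the design is that a stolen helpdesk or sysadmin login yields phone numbers at most, and even a stolen HR login yields one SSN per approval, each of which leaves a second person's name in the audit trail.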

Many network administrators haven’t implemented multifactor authentication, but this omission is inexcusable for a network that contained so much personal information. Relying on user names and passwords to protect massive databases of personal information is gross negligence. With options such as YubiKey, RSA SecurID, and Google Authenticator there is no excuse for not implementing multifactor authentication on networks with so much sensitive information.
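To show why a second factor changes the outcome of a credential theft, here is an added example (not code from the government, from Google, or from any vendor named above) of the time-based one-time password scheme that Google Authenticator implements, RFC 6238 TOTP on top of RFC 4226 HOTP, wired into a login check. The shared secret is the RFC test-vector key so the expected codes are known; the user table, password, and `authenticate` function are constructed for the illustration, and a real deployment would hold a random per-user secret.

```python
"""Password plus time-based one-time password (RFC 6238) as a second factor."""
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Set

STEP = 30        # seconds per time step
DIGITS = 6       # code length shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Accepts the current step and one step either side for clock drift, and
    never accepts the same step twice, so a code phished from the user cannot
    be replayed once it has been used."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self._used: Set[int] = set()

    def verify(self, code: str, at_time: Optional[int] = None) -> bool:
        if not (code.isascii() and code.isdigit()):
            return False
        now = int(time.time()) if at_time is None else int(at_time)
        base = now // STEP
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter in self._used:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self._used.add(counter)
                return True
        return False


# Constructed user table: PBKDF2 password hash plus a per-user TOTP secret.
RFC_SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector key (constructed choice)
_SALT = os.urandom(16)
USERS: Dict[str, dict] = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 200_000),
        "otp": TotpVerifier(RFC_SECRET),
    }
}


def authenticate(username: str, password: str, code: str,
                 at_time: Optional[int] = None) -> str:
    """Return 'ok' or a reason for the audit log. The one-time code is only
    consumed after the password matches, so a wrong-password guess cannot
    burn the user's current code. The message shown to the user should be
    identical in every failure case."""
    user = USERS.get(username)
    if user is None:
        return "unknown-user"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return "bad-password"
    if not user["otp"].verify(code, at_time):
        return "bad-otp"
    return "ok"
```

With this in place a socially engineered password alone returns `bad-otp`, and a code obtained alongside it is good for one login within about a minute; the replay check in `TotpVerifier` is what turns "the attacker has the credentials" into a single, time-boxed event rather than standing access.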

We all know governments love oversight, and this is no exception. The systems in question were inspected by a government overseer, were deemed not to be properly secured, and nothing was done about it:

He referred to OPM’s own inspector general reports and hammered Seymour in particular for the eleven major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”

Here we see one of the biggest failures of government oversight: the lack of enforcement. When an inspector deems systems to be unfit, those systems should be made fit. If they’re not made fit, the people charged with maintaining them should be replaced. There is no point in oversight without follow-through.

When people claim they have nothing to hide from the government they seldom stop to consider who can gain access to its data. It’s not just the law enforcers. Due to general incompetence when it comes to security, it’s potentially anybody with valid user credentials. And valid user credentials are obtainable by exploiting the weakest link in any computer network: the user. According to Dr. Andy Ozment the credentials were likely obtained through social engineering, which is something most people can fall prey to. Because of the lack of multifactor authentication, that means anybody who can social engineer user credentials from a government employee potentially has access to all of the data the government has collected about you. Is that something you’re honestly OK with? Do you really want a government this incompetent at protecting the personal data of its own employees holding a lot of personal data about you?