[Dailydave] The OPM Mess and the Bigger Picture

Dave Aitel dave at immunityinc.com
Tue Jun 30 10:32:37 EDT 2015


So I dunno how many of you remember Tom Cruise before he was a raging
scientologist, but he did this one movie you might have heard of called
"Mission Impossible". And he spent quite a lot of energy trying to steal
the NOC-list <https://www.youtube.com/watch?v=ar0xLps7WSY> full of the
names of non-official cover agents which in theory mapped to their cover
names or something. It was unclear what it was exactly, but it fit on a
magneto-optical disk that was like, all the rage in the 90's but which
has been replaced by literally anything else now.

And that's pretty much exactly what the Chinese stole here, except
without the French guy from "The Professional" and all the outfits. The
problem, as we're going to drill home again and again over the next year
during damage control in congressional meetings each more painful and
less informative than the last, wasn't that OPM didn't protect the
database, but that they HAD THE DATABASE COLLECTED AT ALL.

I think there's a DailyDave Post about this exact problem
<https://lists.immunityinc.com/pipermail/dailydave/2014-July/000701.html> from
a year ago or so. It's the same mistake RSA made, but a few letters
higher in the alphabet, is all. Of course, damage control is going to
come back and say things like "well, CIA was smart enough not to put
their people in the database" except that of course, there's a lot of
people who start in one agency (say, DoD) and then go to the CIA, or
DIA or whatever. I don't know if any of them were in the hacked data,
but you can probably assume they were.

But there's a little silver lining in the OPM hack, and it is this:

1. Covert identities are dead anyways, because databases full of
biometrics are everywhere, and you can read someone's fingerprints off
any beer glass faster than you can say "Your Cover Is Blown, Ethan
Hunt". That's not even counting the DNA revolution of being able to map
the entire human family tree out that nobody is talking about yet.
Regardless, you cannot hide WHO you are in the modern age if for no
other reason than Facebook exists. Deal with it.
<http://media.giphy.com/media/4wAO1N5uusbMQ/giphy.gif>
2. The entire clearance system as a whole has been obliterated by modern
information sciences.

#2 is the most important. *Clearances and classifications in general
don't scale.* We are pretending they do because the idea of ripping them
out is so painful, like so many other technologies we built in the
fifties. But the very idea is broken at a high level and we need to get
over it if we're going to have a hope of properly running Government
operations that require secrets. It's as if we're hosting the entire
US Government on a Unix Users and Groups permissions system on one Linux
kernel and hoping we are getting security because nobody has a local
root. We need something fundamentally BETTER and ideally we come up with
it before the Chinese do. Maybe the OPM hack is our chance?

-dave
