<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
So I dunno how many of you remember Tom Cruise before he was a
raging scientologist, but he did this one movie you might have heard
of called "Mission Impossible". And he spent quite a lot of energy
trying to steal the <a
href="https://www.youtube.com/watch?v=ar0xLps7WSY">NOC-list</a>
full of the names of non-official cover agents which in theory
mapped to their cover names or something. It was unclear what it was
exactly, but it fit on a magneto-optical disk that was like, all the
range in the 90's but which has been replaced by literally anything
else now.<br>
<br>
And that's pretty much exactly what the Chinese stole here, except
without the French guy from "The Professional" and all the outfits.
The problem, as we're going to drill home again and again over the
next year during damage control in congressional meetings each more
painful and less informative than the last, wasn't that OPM didn't
protect the database, but that they HAD THE DATABASE COLLECTED AT
ALL.<br>
<br>
I think there's a DailyDave Post about <a
href="https://lists.immunityinc.com/pipermail/dailydave/2014-July/000701.html">this
exact problem</a> from a year ago or so. It's the same mistake RSA
made, but a few letters higher in the alphabet, is all. Of course,
damage control is going to come back and say things like "well, CIA
was smart enough not to put their people in the database" except
that of course, there's a lot of people who start in one agency
(say, DoD) and then go the the CIA, or DIA or whatever. I don't know
if any of them were in the hacked data, but you can probably assume
they were.<br>
<br>
But there's a little silver lining in the OPM hack, and it is this:<br>
<br>
1. Covert identities are dead anyways, because databases full of
biometrics are everywhere, and you can read someone's fingerprints
off any beer glass faster than you can say "Your Cover Is Blown,
Ethan Hunt". That's not even counting the DNA revolution of being
able to map the entire human family tree out that nobody is talking
about yet. Regardless, you cannot hide WHO you are in the modern age
if for no other reason than Facebook exists. <a
href="http://media.giphy.com/media/4wAO1N5uusbMQ/giphy.gif">Deal
with it.<br>
</a><br>
2. The entire clearance system as a whole has been obliterated by
modern information sciences.<br>
<br>
#2 is the most important. <b>Clearances and classifications in
general don't scale.</b> We are pretending they do because the
idea of ripping them out is so painful, like so many other
technologies we built in the fifties. But the very idea is broken at
a high level and we need to get over it if we're going to have a
hope of properly running Government operations that requiring
secrets. It's as if we're hosting the entire US Government on a Unix
Users and Groups permissions system on one Linux kernel and hoping
we are getting security because nobody has a local root. We need
something fundamentally BETTER and ideally we come up with it before
the Chinese do. Maybe the OPM hack is our chance?<br>
<br>
-dave<br>
<br>
</body>
</html>