funsec mailing list archives

Re: Clinton's Office Says Her Passport Files Also Breached


From: Rich Kulawiec <rsk () gsp org>
Date: Sat, 22 Mar 2008 08:58:55 -0400

[ I elided your remarks 'cause this is rather long as it is.  Hopefully
I've managed to respond to all of them. ]

I actually toned down my initial response.  No, you may not see it. ;-)

Don't take this personally.  I have no idea who you are.  I don't really
care.  I'm reacting to what you've said and haven't even bothered to
notice your name, let alone remember it.  It's irrelevant.  So -- throughout
this -- read "you" as "generic you".

And my reaction is a mix of astonishment, exasperation, disappointment,
and outrage.  Were I given this response by a freshman student on a final
exam, I'd fail them for the course.  I would never expect to hear such
a thing from a professional working in the field.

(And if the certification processes aren't weeding out people who
lack even this rudimentary level of understanding, then they're even more
worthless than I think they are -- and I already think they're pure crap.)


So here are some preliminary thoughts (and I do mean "preliminary") that
outline in part just what the big deal is. I'm sure these only scratch
the surface and are rife with omissions, and probably even a few errors.
But even in this incomplete, unpolished state, I think that any one of
these is more than enough to demonstrate that this is a very serious matter.


1. If we presume that one part of what we've been told is true -- that
accesses of certain passport files result in notifications to supervisors
-- then we know that the people running the operation are complete
morons who have failed to demonstrate even a rudimentary grasp of basic
security principles.  They have implemented one of Marcus Ranum's Six
Dumbest Ideas in Security, to wit, #1: default permit.  The proper way
for this to work, of course, is that all such files should be locked and
all access forbidden without PRIOR supervisory approval.  There should
also be additional measures in place: for example, offhand I can think of:

        - it should require more than one supervisor.  This closes down
        some attack vectors and it means that others rely on cooperation
        between two or more people, which in turn means that in addition
        to violating the Privacy Act, unauthorized accesses would require
        a conspiracy.  It also means there are more loose lips to blab
        about it, increasing both the probability of detection and the
        probability that someone can be turned if detection occurs.

        - it should generate notification that goes up and across the
        supervisory chain in a manner which can't be controlled
        by supervisors.

        - the list of files thus treated should be actively maintained,
        and should contain people who are likely to be the targets of
        curiosity, blackmail, threats, etc.  Standing entries should
        include members of Congress, federal judges, governors, etc.;
        ad hoc entries should be created based on the front pages of
        the New York Times, Washington Post, etc.  and should require
        approval by more than one person, in order to prevent reverse
        gaming of the system by an individual.

        - access to locked files should never be permitted to contractors,
        only to permanent employees.  If necessary, workloads should be
        shifted in order to accomplish this.

        - in the case of especially sensitive files -- and this is one
        of them -- then access should require approval that comes from
        the office of the Secretary of State.

        - unless the access relates to an ongoing criminal investigation,
        any subject on this list should be notified when their data
        is accessed.  For example, if someone needed to do a routine
        check on former President Carter's passport prior to a trip
        to Peru, then he should be informed.  This also increases the
        probability that spurious accesses will be detected, especially
        if the notification process is via a channel that workers and
        supervisors can't access or control.

2. We don't know who accessed these files, we don't know why, we don't
know if they made copies, we don't know if they transcribed information,
we don't know if they passed any of it on, we don't know who they're
associated with, we don't know who they're working for, we don't know...
much of anything.  But any student of history (or anyone old enough
to recall it) should realize that we didn't know the answers to rather
similar questions when McCord, Barker, Gonzalez, Martinez, and Sturgis
were caught either.

This incident should be setting off alarms in everyone's heads which
keep insisting that it's not so simple, not so cut-and-dried, as it's
being made out to be.  Which is not to rule out the faint possibility
that in the end it might turn out to be so -- but it would be naive in
the extreme to presume that today.

And we most *certainly* should not accept any spokesbot's statement that
they "believe no copies were made" or "believe the information wasn't
passed on".  That's the same fatuous nonsense that we hear every time
there's a data leak.  They're announcing the negative hypothesis as fact
when it's only possible to prove the positive one.

There is no such thing as "belief" in security.


3.  *three times*?  That's not idle curiosity.  Think about it: they'd
already fired two people for this, yet a third one DID IT AGAIN ANYWAY,
even though there can be little doubt that they knew about the previous
firings, knew why they took place, knew about the monitoring mechanism,
and very likely knew whose file was involved.  (If you were supervising
this department and just fired two people, wouldn't you make sure that
all current as well as any incoming new employees were excruciatingly
aware of this?  Would you not have had an all-hands meeting during which
you read the riot act to everyone in a loud, clear voice?)

Idle curiosity is insufficient motivation for someone to risk losing
their job under these circumstances.  People don't take chances like
this just because they're bored.  (And actually, "chances" isn't the
right word, because again, if we believe part of what we were told,
it wasn't probable they'd be caught: it was certain.  And they knew it.)

This strongly suggests to me that (a) it wasn't idle curiosity and
(b) the job was considered expendable.

Oh, and: don't you think that given how many of these breaches we already
know about -- by now some *supervisors* should have been fired?


4. Who else's files?  Now we're told that Senators Clinton and McCain's
files were also accessed.  It's very curious that this did not come
out during the press conference call.

Think about it: you're the Secretary of State.  You get wind of this.
What are the first questions that come into your head?  They should be:

        What about Michelle Obama?
and:
        What about Senator Clinton?  and Senator McCain?

If these aren't the questions that come to mind instantly then you
shouldn't be Secretary of State: you clearly lack sufficient mental agility.

And when these questions come to mind, in the first ten seconds after you
find this out, you then spend the next twenty seconds issuing the order
to have them answered right friggin' now.  And you get those answers in
a very big hurry, because you want to make sure you have them in-hand
*before* you set up a media conference call.  If necessary, you have
staff work all night and you have the conference call the next morning.

You do this because (a) it's completely obvious due diligence and
(b) you darn well know that you're going to be asked.

In short, you don't make a move until you have this data in hand.

But this isn't what happened.  Why?

Also: consider the contrast in timelines.  This problem, if we're to
believe part of what we're told, festered for months.  But the elapsed
time from when the story broke to when the press conference call was
held was only a couple of hours.   So we see a pathetically slow reaction
(if any) followed by a lightning-quick one.  That's decidedly odd.


5. Given the disclosures about Senator Clinton and Senator McCain, we
can now not only repeat all the questions above (and add "have these
people been fired too?"), we can ask why this wasn't disclosed at the
same time, and we can also inquire as to who else's file was accessed.
Huckabee?  Richardson?  Kucinich?  Romney?  How about Wright?  Or Hagee?

Or were these other accesses merely invented so that the problem could
be spun in a manner consistent with getting it out of the news cycle?

Paranoia?  No.  It's prudent skepticism.  It's a recognition that the
most believable lies contain a lot of truth, and that this administration
lies as a matter of institutional policy.


6. Who leaked this to the Washington Times?  Why did they leak it?
Why the wingnut Washington Times and not the Washington Post or New York
Times or some other actual real live newspaper read by grown-ups?  Was it
someone in the administration -- which would hardly raise an eyebrow
given that this administration has a well-known history of using leaks of
confidential/private/secret information when it suits its purposes -- or
was it someone frustrated by inability to draw administration attention
to the problem?


7. The Secretary of State claims she only found out about this
yesterday.  So either:

        a. She is telling the truth
or
        b. She is lying

If (a) then something is severely wrong at State, because there is simply
no possible way that the passport file of a presidential candidate gets
accessed twice and supervisors are notified and people are fired and
the Secretary of State doesn't know a darn thing about it.

If (b) then I trust it's obvious why this is a major problem.


8. Something else that's severely wrong: put yourself in the position of
a supervisor who gets a message from the database system that the file of
a presidential candidate has been accessed.  After you call security and
have the relevant person detained, do you quiz them extensively about what
they were doing, get them to admit they were indulging their curiosity,
fire them, and have them escorted off the premises?

No, you do not.  You do that if it was Britney Spears' file.  But it's
not -- it's a PRESIDENTIAL CANDIDATE.  So you call the Secret Service.
You call the FBI.  You go find your supervisor, and then two of you go
find his/her supervisor, and you repeat this process until everyone in
that chain is sitting in the Secretary's office waiting for the Secret
Service and the FBI to get there, and when they show up, you all
collectively go crawl up that person's ass with a microscope.
Meanwhile, someone finds a lawyer, and they go get the appropriate
warrant(s) to set up surveillance on that person.  When you finally
let that person go, you keep track of everyone they come in contact with,
every phone call, every email (which should be easy since the telcos
are already illegally doing it anyway).  And so on.

This is presuming you let them go.  If you have grounds, you charge
them with violating the Privacy Act and you arrest them.

You do all this because there is the distinct possibility that this person
means to harm the candidate -- or their family.  And because you can't
rule that out except by process of elimination (and maybe not even then),
you deploy massive resources to do that very thing.

And then you inform the candidate so that *their* people know what the
hell is going on.  And as soon as humanly possible, you bundle everything
you found out into a dossier and put it in the hands of the Secret Service
detail associated with that candidate.  And then you do this for the
other candidates and their assigned details because you know that there
will be occasions when they're all in the same place at the same time,
so it would be prudent to have as many clued-in eyeballs as possible
present when that happens.

This is an extremely obvious course of action even to the casual observer.
But it didn't happen.  Why?


9. You get an independent investigator for several reasons.

First, internal investigators can't be trusted.

Second, State has already proved to my satisfaction that it's either
incompetent or lying or both.  No point letting it prove it again by
investigating itself.

Third, you need someone who's a careerist, not a political appointee.

Fourth, an inevitable part of this will be the blame game.  An independent
investigator doesn't care who gets blamed and won't bias the investigation
in order to spare anyone humiliation.  We hope.

And finally, you do this because you're aware that 16 years ago, during a
previous Bush administration, Elizabeth Tamposi -- an assistant Secretary
of State -- dispatched people to ransack then-candidate Bill Clinton's
passport file in search of material that could be used against him in
the campaign.  Coincidence?  Yeah, riiiiiight.


10. Who else's passport file has been accessed to indulge someone's
curiosity, to acquire data for resale, to dig up dirt for political
reasons, to leak to the press, to [fill in with a myriad of other
purposes]?  It should be abundantly obvious that if this level of
abuse and malfeasance can take place with known-critical data, that
there is every reason to think that less critical data which is not
tripwired for alarm-on-access has been essentially undefended.

That's a huge problem.


---Rsk
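As an added illustration that is not part of the post above (all names, roles and watch-list entries are constructed), here is the default-deny policy point 1 describes, written out in Python: prior approval from two distinct supervisors, contractor exclusion, Secretary's-office sign-off for especially sensitive entries, and notifications that go out whether or not the access is allowed.

```python
"""Default-deny access policy for flagged passport records, modelled on the
controls listed in point 1 of the post. Everything here is constructed for
illustration; it is not any real department's system."""
from dataclasses import dataclass, field

# Constructed watch list: subject -> number of prior supervisory approvals
# required and whether the Secretary's office must also sign off.
WATCH_LIST = {
    "candidate-A": {"approvers": 2, "secretary_office": True},
    "judge-B": {"approvers": 2, "secretary_office": False},
}

@dataclass
class Request:
    requester: str
    employment: str                          # "permanent" or "contractor"
    subject: str
    approvals: set = field(default_factory=set)  # ids of approving supervisors
    secretary_office_ok: bool = False        # sign-off from the Secretary's office
    investigation: bool = False              # access tied to a criminal investigation

@dataclass
class Decision:
    allowed: bool
    reason: str
    notify: list    # channels that receive a notice regardless of the outcome

def evaluate(req: Request) -> Decision:
    """Flagged records are locked by default and opened only when every
    condition holds; every attempt is reported up and across the supervisory
    chain on a channel the requester does not control, and to the subject
    unless an investigation is open."""
    entry = WATCH_LIST.get(req.subject)
    if entry is None:
        # Unflagged record: ordinary access, still written to the audit channel.
        return Decision(True, "unflagged record", ["audit-channel"])
    notify = ["audit-channel", "supervisor-chain"]
    if not req.investigation:
        notify.append(f"subject:{req.subject}")
    if req.employment != "permanent":
        return Decision(False, "contractors may not open flagged records", notify)
    if req.requester in req.approvals:
        return Decision(False, "requester cannot approve their own access", notify)
    if len(req.approvals) < entry["approvers"]:
        return Decision(False, f"needs {entry['approvers']} prior approvals", notify)
    if entry["secretary_office"] and not req.secretary_office_ok:
        return Decision(False, "needs Secretary's-office approval", notify)
    return Decision(True, "approved in advance", notify)
```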
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.