Why The Government Can’t Be Trusted With Your Data
… Because they don’t know how to protect it.
Warren P. Strobel, McClatchy Newspapers reports on the latest atrocity, Passport record system open to abuse, IG finds
WASHINGTON — A State Department passport record system that holds personal data on more than 120 million Americans is wide open to abuse and unable to prevent or detect unauthorized access, investigators said Thursday.
The review by the department’s inspector general was ordered after revelations in March that State Department employees and contractors had accessed the files of presidential candidates Hillary Clinton, John McCain and Barack Obama.
The IG report found a much broader problem.
…
“The system is unable to protect itself,” said one State Department official, who requested anonymity to speak more freely. “Anybody can go in.”
Anything they collect you have to assume is available to a hacker, because the Feds don’t know how to secure data. Your passport file is more than enough information to clean out your bank accounts and destroy your credit.
They demand that you buy a new superduper passport to provide greater security, and then they leave their files open to the whole bloody world.
Speaking of privacy, don’t miss Joe Galloway’s piece at McClatchy – Commentary: How dare they rip the Fourth Amendment?
13 comments
Oh, great. I just renewed my passport a few weeks ago. Oh well. Why am I not surprised that the system is vulnerable.
A mere few years ago, the things Galloway wrote would have been unremarkable, simply a statement of basic principles. Now…
This is unbelievable to me given the protections I’m providing for a program that will be used on an intranet at a single location.
A big part of the problem is overuse of outside contractors.
…I have given up on the whole idea of ID security provided by my FedBorg employer. There have been two different episodes of ID theft that may well have involved my personal information over the last couple of years, so I just shrug when I have to acknowledge the usual federal “Privacy Act” pronouncements that I have to sign…
I’m on a credit watch because of the VA laptop theft. This is truly pathetic when they keep bleating about securing everything and they can’t protect their own files.
If I were still flying around and lost my passport, I’d just order another one from Hong Kong. It would probably have higher quality materials, and they would already have the data needed.
There is really no good reason for the government to have any of this data in the first place.
Well, maybe some kind of case can be made that the fed gov should have some relatively small number of employees to keep track of but beyond that, nope.
Not only can they not secure the data the opportunity for misuse is exceedingly large.
We only know about it because of the political people who had their data accessed. Now, we discover that it is widespread and affects all kinds of people.
They require a passport for more and more places and don’t have the people available to process the claims. They hire Joe’s Septic Tank Service and Passport Processing Company to fill in the gap, and they don’t do background checks on anyone. They still don’t have the final design for the ID cards for ports, much left have a system in place.
They are just totally incompetent, and so are the contractors they hire.
zzzzzz-zap!
[although i understand it’s illegal]
Jeezus fuckin’ keee-ryst. Now, back when I was doing school administration systems (working for a contractor), our software wasn’t the most secure on the planet. But at least we *tried*. And sometimes we even succeeded, like when the principal went into the computer and changed a grade for the daughter of a prominent politician to be a better grade on the transcript because said daughter needed it to win out over another student for a scholarship. That was a no-no under state law — only the teacher could assign a grade and the grade in the computer had to match the “official” grade, the one in the last column of her (or his) physical grade book, which was the one and only “definitive” grade and if the one in the computer didn’t match, it was the one in the computer that was wrong. Any correction had to be made to the “official” grade book and signed off by the teacher, under state law the principal did not have that power. The principal denied doing it, but our audit trail clearly showed that the edit came from his terminal from his user ID at a time that he was in his office. Pretty damned conclusive. The principal ended up getting fired for lying to the school board. (And for other things — he was a pretty lousy principal, actually — but that was the one that finally got the school board peeved enough to send him on his way).
Anywho… our customers were adamant about privacy issues. We assigned our own student ID’s rather than using social security numbers as student ID’s, for example. We had to have social security numbers in the system in order to match up with the federal free lunch database so we could report the proper number of free lunch students to get the Title 1 funding for those students, but those social security numbers lived in an obscured field that you needed a special access code to change or view, and were not used on any reports produced by the system. And so on and so forth. We weren’t perfect, but mostly because the computer hardware and database software of the day just didn’t support the kinds of things like encryption that we take for granted today, I mean we were running an entire school district off of a 66mhz machine with 4MB of RAM and an 80GB hard drive for cryin’ out loud! The upside is that the data was decidedly less portable then, the actual computer lived in a secured area and all that you could do to access it was come in through a dumb terminal over a serial line. If you managed to escape from our menu system and found a Unix shell, there was no way to ship the data out en masse — there was no development environment, no network, no modem software to dial out on the modem, etc. The modem would answer calls but only allow the central office ID to come in to retrieve data via UUCP protocol (the nightly updates of the central office computer from the individual school computers). You couldn’t just grab a laptop and head out the door. The closest you could do to that would be to grab a QIC-80 tape and head out the door… not much to be done about that other than exhort the school secretaries to secure those when they did the weekly tape rotation, and folks able to read QIC-format tapes probably numbered in the low thousands.
Ah yes, the good old days. Hard to believe that was only 15 years ago! Now look at where we are. Everything’s on the Internet. Everything’s hacked and trojan’ed and root-kitted to a fare-thee-well. Nothing’s secure. And nobody seems to have a clue as to how to secure it. Ah yes, “progress”.
– Badtux the “If that’s progress…” Penguin
Hipparchia, you can shield it with a small piece of aluminum duct tape. Not the cloth type, but the actual aluminum strips with adhesive on the back. They also sell a copper tape version at craft stores for stained glass work.
Badtux, there are so many products and devices available these days that will protect a system, that not protecting one is simply stupid.
This is the same set of problems that arises with electronic voting software – there is no serious attempt at securing the system. It’s not like they don’t have an entire group at NSA who do nothing but harden government systems, but apparently no one knows they exist, although it is one of the stated purposes of the Agency on its non-classified mission statement, and has been for decades.
These people don’t really care or understand about security. They don’t seem to care or understand that the information they are making available is quite valuable to “terrorists”. What could better than having a faked passport that has all of the real information of another person on it.
there are any number of creative suggestions being put forth in various places around the web, but i’m in favor of acts of civil disobedience here, not safer ways of complying with a surveillance state.
Oh, you think no one will notice the tape? Put a peace symbol outside and a flower sticker on the inside, that will almost guarantee an arrest.
If they ask about it, tell if you don’t do it the scientologists will be able to control your mind.
I wasn’t going to comment (laughing too hard!) But…
no comment! LOL :p
I’ve always preferred uncivil disobedience.