A longtime reader and good friend of mine sent me a link this week to a CNBC story about the loss of fingerprint records in the Office of Personnel Management hack I have written about before. It’s just one more nail in the coffin of a doltish bureaucracy that — you know I’m speaking the truth here — will probably result in those doltish bureaucrats getting even more power, even more data, and ultimately losing those data, too.
So the story says they lost the fingerprint records of 56 million people! Game over.
Remember how this story unfolded? There had been a hack and some records were compromised. Then there had been a hack and hundreds of thousands of records were compromised. Rinse-repeat almost ad infinitum until now we know that 56 million fingerprint records were lost.
I think it is safe to assume at this point that all records held by the Office of Personnel Management have been accessed and copied by the bad guys. It went undetected for months, they had high-bandwidth access, so whatever secrets there were in those records, background checks, security clearances, etc., are now probably for sale.
Or are they? It turns out there are far worse things that could be done with the records — all the records, not just fingerprints — than simply selling or even ransoming them. So I sat around with my buddies and we wondered aloud what this could all mean. We’re folks who have been in technology forever and we’re not stupid, but we aren’t running the NSA, either, so take what I am about to write here as pure speculation.
“The only way I can imagine it hurting someone is if false criminal records were created using them,” said one friend.
Shit, I hadn’t thought of that! We get so caught up in the ideas of stealing/revealing, stealing/selling, and stealing/ransoming that I, for one, hadn’t considered the more insidious idea that records could be tampered with or new ones created. Turn a few thousand good guys into bad guys in the records, create a few thousand more people who don’t actually exist, and that system will become useless.
“It’s pretty grim,” said another friend. “Worst case it takes fingerprints out of the security toolbox. If you had 50+ million fingerprints on file how could that help you be a bad guy? Or what if the bad guys have ALREADY COMPROMISED THE FINGERPRINT DATABASE? What if they replaced all 50 million fingerprints with one? That was certainly within their capability to do and you know the Feds wouldn’t tell us if they had. If I was a bad guy I would steal the database, corrupt what was left behind, then hold the real fingerprint records for ransom. $100 each? In Bitcoins? That’s $5 billion.”
That guy has real criminal potential, I’d say, but he’s right that we’ll never really know.
“It was my impression the way computers read and store fingerprint signatures is different than the way they’re optically used and searched,” explained another friend. “In theory you couldn’t reproduce a fingerprint from its electronic signature. But the bad guys may have optical copies of people’s fingerprints, and one could probably do more with them. At least with the pay services they could control and secure in software where they read a fingerprint. I think there will be ways like this to keep the theft from messing up the electronic payment systems. I hope.”
And all this was prelude to Thursday’s arrival of Chinese President Xi Jinping specifically for cyber security talks. Beltway pundits say we need to pressure China to stop the cyber attacks. We need to put more leverage and more pressure on China. Yeah, right. That will never work. Even if China went 100 percent clean there are probably 20 other countries doing the same thing.
My guess, with the Chinese President here and cybersecurity talks on the table, is that we’ve co-created a new, entirely Big Data edition of the old Cold War Mutually Assured Destruction (MAD). They have all of our data but we have all of theirs, too. Either everything is now useless on both sides or we find a way to live with it and the spies all get to keep their jobs, after all. This job-keeping aspect is key — cops need criminals.
If we find a way to live with records loss in this manner it also means both China and the USA are now madly stealing the records of every other country. It’s a data arms race.
Now here’s the scary part, at least for me. Who are the runners in this data arms race? Certainly the G8 powers can all compete if they choose to, but then so can impoverished North Korea (remember the SONY hack?). Since this comes down to a combination of brain power and computing power, it doesn’t really require being a state to play in the game. A big tech company could do it. Heck, a really clever individual with a high credit limit on his AWS account could do it, right?
They probably have already.
So what does this mean, readers, for the future of our society? Is it good news or bad? I simply don’t know.
Without criminals with which to deal, cops can still deal with stuff like crowd control, car crashes, natural disasters, directing traffic if the power goes out at major intersections, and all that sort of thing.
FINALLY I understand why Cringely’s writing is so bereft of common sense. He sits around with a bunch of burned out cubicle rats, and takes drunk notes on their dementia-soaked ramblings. An international conspiracy to mess with a fingerprint database. Wow. How skeery. I won’t be able to sleep EVER AGAIN.
This blog ceases to even be entertaining. I once — decades ago — thought I might glean some understanding of the tech world. But this is just embarrassing… AGAIN. Just stop writing. It’s over.
The point of the column is to get us talking among ourselves. Theft of all kinds of databases has been in the news lately. This article provides a forum where those in the know can contribute to everyone’s knowledge of what a fingerprint database is, and what can or cannot be done with it if it falls into the wrong hands. (I remember an unusually short Cringely article, that ended with “Now talk among yourselves”.) https://www.cringely.com/2010/12/19/its-all-downhill-from-here/
See this New Yorker cartoon
https://www.newyorker.com/cartoons/daily-cartoon/daily-cartoon-thursday-september-24th-fortune-cookie
If you have a society with no criminals, it more likely means that you *do* have a lot of cops, and that a large part of their job is in keeping people from *becoming* criminals in the first place.
Example: The best way to keep people from speeding on any particular stretch of freeway is to have a cop in a police car driving down it. The mere presence of that cop creates a bubble of very well-behaved motorists around him/her. Similarly, no one would run a red light at an intersection if they can see there’s a cop right there.
Unfortunately, we’ve been conditioned into having an attitude that cops “should be out catching criminals,” and that if they’re not doing that then they’re not doing their jobs. So we incentivize punishment, rather than prevention. If there’s little crime in a city then its police department’s budget is more likely to get cut, so it becomes harder for them to keep doing what they were doing that’s been keeping crime low, and the funds sent to other departments where they actually have problems with crime. (“And now you’ve got two problems.”)
It’s hard to prove that the absence of something (e.g. crime) is the result of any particular factor, like an effective and visible police force, though. Instead it’s statistics that are more easily directly-linked that get focused on, like number of arrests/convictions/citations.
Another way punishment is incentivized is many cop cars now are ‘hidden’ in plain sight. In Hawaii, now they’ve got lots of regular civilian looking cars, but with a small blue bar of lights on the top of the roof. So what’s the point of that? The cynic in me says it’s to purposely punish drivers and catch them speeding or doing any ticket-able infraction. Deterring law breaking isn’t enough, else they would keep the old fashioned black and white cop cars. Raising revenue is more important than a compliant society.
I used to work in a company that created fingerprint identity software. Generally speaking actual fingerprint images are not stored or used (though the Feds might be different.) So it depends on what they mean by “stole fingerprints.”
Images are reduced to feature sets that are characteristics of the image and, in properly standardized templates, are then cryptographically signed. Most fingerprint systems are extremely suspicious of feature sets that are identical (since every fingerprint image captured is a little different due to skin elasticity) and so to defeat them you need to manipulate the feature set a little, which is tough to do with a signed template.
And generally speaking it is pretty hard to recreate a fingerprint image from the feature set (though there is some published research that has done so.) Even with the image many modern fingerprint scanners are not easily defeated by prosthetic. This was a problem in the past but years of hard work by scanner technologists have rendered that problem rather moot.
It is possible that the actual original fingerprint cards were captured. Again though to match them would require encoding the feature set and signing them which is hard, unless they also compromised the signing certificate.
Anyway obviously a terrible deal, but “stealing fingerprints” is very different than stealing passwords or social security numbers. They are considerably harder to leverage.
If you have write access to the database, you don’t need to modify any fingerprint sigs to cause havoc. Just swap them around a bit. Sit back, wait for your changes to get into the backups (assuming there are backups), and then watch and giggle as the OPM tries to undo your changes.
… or swap in anybody’s prints you like as “safe” folks. American-born oriental-extraction security guys, check. records managers. scientific associates. senior researcher in advanced X-ray lithography, whose job is to maintain the archives of all semiconductor masks.
hey, the prints check out. the record checks out. mustn’t discriminate that Stanley P. Anderson III looks like a Chinese factory worker. he is the duly elected Congressman from North Dakota, and that’s his election certificate.
Who, exactly, is signing these fingerprint sets and why does anyone think the signing server hasn’t been compromised at least to the extent that forged sets can be signed? Delete the original and insert the signed forgery/Trojan (or replacement if you will). Then, how long will someone be jailed, or exist as a mole, before anyone will believe in the possibility that the Trojan set is a fake? Have you ever tried to convince a Federal bureaucrat that the data on their monitor is incorrect– hey, the fingerprint computer search matches the crime scene case closed! Good luck Mr. Phelps, hope you never had a security clearance.
As an outsider to the security and database business, I find it interesting that so many people think the fingerprint databases can be messed with, but no one is concerned about bank records that state what we’re worth. No one is converting their assets into gold buried in the back yard, or bitcoin, for that matter.
5.6 million, not 56 million.
One worry that I’ve had, that everyone seems to be studiously avoiding talking about is: Did the Bad Guys have write access to the records, or just read access? Because if they had write access they could create fully vetted identities with top secret clearances.
Re: “5.6 million, not 56 million”. Actually the article said 5.6 million [people] were affected. If each person has 10 fingers, that’s 56 million individual prints. 🙂
So we can treat 56 million as an upper limit.
Is it known whether prints for all fingers of a particular user have been harvested? I use fingerprint access on my PC but I’ve only registered a single finger. If it were compromised, presumably, I could revoke it and register another finger. If only the print for a single finger has been stored, they could all be revoked and forced to register a different digit this time.
Do they have another 9 lives for this one?
Technological fact: the cost of digitisation, copying, transmission, storage of information tends toward zero.
This fact will eventually become like gravity, inescapable. We can’t legislate around it so we must face the consequences even if they run against our wishes, habits and expectations. We should not confuse transient trends of actors that make humongous bucketloads of money in monetizing information digital transmission with the long term fact that it will not be monetizable.
Our current society is organized around the production and selling of physical artifacts so we tend to think we can control and monetize the transmission of information, whatever it is. We fail to acknowledge that the original author/creator/gatherer of that information is poorly remunerated. This remuneration is the small percentage of the cost of the information whole ecosystem (marketing, lawyers, bureaucrats of all kinds). We have hoped that the dematerialisation of information would change that. The opposite is true, new sharks enter a poorly regulated arena and the authors are worse off.
We must accept that the authors must make money in the physical world.
We must accept that one can decouple information from advertising so that advertising will dwindle (a good thing)
We must accept that every information will eventually be public so we must make it so in a non-tamperable way. That will involve block chains.
But these changes will not happen in a day because no one wants it. Expectation of privacy, of monetization…
Also, changes do not happen in isolation.
Eventually one will realize that the tertiary explosion mostly is a bureaucratic cancer with a big impact on environment, that production will eventually be done by robots so not everyone will have a job (at least as we know it).
Also in some area, the big industrial infrastructures will be replaced by neobiological ones.
We have no clue of what tomorrow will be. But we know some of the forces that will shape it.
I think that everyone is missing the point here – the real issue is our apparent trust in imaginary things, in a way we are reverting to the middle ages and a belief in Basilisks and Hippogriffs. We reduce a physical thing – fingerprints, iris maps, facial features to numbers and then treat the numbers as if they are real things – they are not. We talk about “Identity theft” as if someone’s identity can actually be stolen in the same way that you steal a car.
You can’t steal my identity, all that can be done is to fool someone into trusting a falsehood – what they do with that is their problem, not mine – fool on them. This latest breach, and the ones that will be revealed later this year, undermine all “trust” in a digital identity just as if it’s Mr. Basilisk applying for a mortgage or buying a car.
I think that our inability to “protect” this sort of information ought to push all societies back to dealing with and verifying the real identities of people – we should simply hit “delete” on all these records and go back to pencil and paper – less convenient certainly, but it does enforce a real restriction on the abilities of all organizations to simply stockpile more and more information simply because it “might” be useful, and then make it available to any Tom, Dick, or Harry who can fake an SSL certificate and login with “Password123”
As I hear repeated coverage of President Obama’s demands that President Xi stop his country’s cyberattacks against America, a thought keeps occurring to me: How can anyone in the American government even consider such a demand while the NSA is still in operation? Does anyone honestly believe China’s espionage efforts amount to even a tiny fraction of what the NSA does every single day?
Pot, meet kettle. If I were President Xi listening to President Obama whine about cyberattacks, I’d just point to Fort Meade and say “you first”.
I don’t understand people’s obsession with hacking. It’s by far one of the hardest ways to get information. As an admittedly amateur security person, I’ve explored this topic for many years and discovered that, the easiest way to get the information you want is…
Ask for it.
Social engineering is by far the most effective way to get information and usually very easy. It was Kevin Mitnick’s primary way.
The other way is to build a service that asks you for the information and that owns it. Companies like Facebook have people willingly give them private information by the bucketload. Imagine if Apple (fingerprint ID, credit card info, buying habits, web usage, etc.) wanted to secretly look at your data…how would you even know? Samsung is a Korean company, bound by laws of a different company…imagine if China released the next “must have” product…
Do you use a credit card? Loyalty card? Google? Any website? Do you use the same password on multiple sites? All you need is one of them to be a false front.
As a consultant, I regularly go into “secure” companies…all with security policies. If they have a problem though, they usually give me their passwords so I can get on the system and fix it for them. This is especially true of the older, heads of the company who really don’t understand technology at all but, due to their position, have access to everything, even if they don’t know how to get to it.
Hacking makes great headlines and movies but, in reality, it’s one of the more labour intensive ways to get information…most smart people look for the easy way because they are lazy.
Humans in general fall into just one of two categories:
1. Faithful
2. Faithless.
It isn’t religion, it is genetic programming.
Faithful are the flock. (99.999%)
Faithless are the black sheep. They reason. (.00001%)
The faithless are our leaders – AND – mainly criminal psychopaths. (Same thing).
Most decisions of importance in our lives are made by people stamping our documents, one way or another.
For years I diligently filled out the bureaucratic SF-86 form while working in the defense industry. This very long form contains enormous amounts of personal information; pretty much your whole life history and much of your relatives, including their dates-of-birth and their places-of-birth. It was unpleasant to call the in-laws and get all that information from them, but my fellow engineers and I all did it. To show the depths of how cold and mechanized the system is, the year after my Mom died, my SF-86 form was denied because “Deceased persons cannot have an address.” I had to go back in, remove her address, and resubmit the form because marking somebody as deceased did not automatically remove their address.
It is tragically ironic that the agency given responsibility to vet the very people who would handle our nation’s most sensitive data did not, themselves, keep that data on safe and sequestered networks.
Bob recently wrote about an attempt to collect data that used a combination of probing a firm’s phone system, social engineering, and faking caller-id’s. The perpetrators were able to get their malware installed on a few users’ PCs. Fortunately the firm’s security protection detected it and stopped it before any harm was done. This is happening almost every day against almost every firm. The problem is real, it is serious, it is everywhere.
“So the story says they lost the fingerprint records of 56 million people! ”
Actually, the story says 5.6 million people – so you’re off by an order of magnitude (factor of 10)!
“The Office of Personnel Management announced Wednesday that 5.6 million people are now estimated to have had their fingerprint information stolen.”
If you are talking security, we should probably bring in a government security expert… Col. Flagg, CIA. you might remember him from the M*A*S*H program…
“Does your President look a little like Wie Kahn Doo, former head of the Chinese Red Army, who disappeared last week? I have checked him out. The real guy. Fingerprints are Barack Obama. DNA is Barack Obama. Voiceprint. Don’t trust those pictures. who took them? what’s their background? This guy, he’s Swiss intelligence. that guy, he’s got 12 morals charges, 3 stints in the clink. that guy? drug runner. I say that’s the President, and if he wants to form a military alliance with China, that’s our Commander in Chief. I follow orders.”
thank you, Col Flagg. obviously we have overcome any potential threats from the database ripoff.
Eh?
>> ALREADY COMPROMISED THE FINGERPRINT DATABASE
Backups. Yes, they could have a broken backup procedure, but backup policy is not that hard. Recover the backup to create a duplicate database, then do a lot of comparisons to determine if the exposed DB is hacked. All it costs is a little money for hardware. There’s a window of loss due to the age of the newest safe backup, but that’s relatively narrow.
I think this puts the conversation back onto more familiar territory. It’s the use of the ancillary data that’s the risk. They’re not likely to create bogus credit card accounts – so what are they going to use this for?
I agree. Backups could show if corruption or extra records were inserted. Hopefully the backup was made with off-line media. This article appears a bit sensational.
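The comparison against a restored backup that the comments above describe, sketched as an added example (it is not from the article or from any commenter). The record layout, field names, person IDs and sample data are constructed assumptions; it also flags the swapped-record and one-template-for-everyone cases raised earlier in the thread.

```python
import hashlib
from collections import defaultdict

def digest(template: bytes) -> str:
    # Stored templates are fixed byte strings, so an exact hash comparison
    # is valid here even though two live scans of a finger never match.
    return hashlib.sha256(template).hexdigest()

def compare_snapshots(backup, live, backup_time):
    """Diff a trusted restored backup against the exposed live database.

    backup, live: dict person_id -> {"template": bytes, "created": int}
    backup_time:  timestamp of the newest backup known to be safe.
    """
    report = {"deleted": [], "inserted": [], "unverifiable_new": [],
              "modified": [], "moved": [], "shared_template": []}

    # Which person owned each template at backup time.
    backup_owner = {digest(r["template"]): pid for pid, r in backup.items()}

    # Records that existed in the backup but are gone from the live DB.
    report["deleted"] = sorted(backup.keys() - live.keys())

    live_by_digest = defaultdict(list)
    for pid in sorted(live):
        rec = live[pid]
        d = digest(rec["template"])
        live_by_digest[d].append(pid)

        if pid not in backup:
            # Created after the backup: falls in the window the backup
            # cannot vouch for. Dated before it but absent from it:
            # the record was planted and backdated.
            key = "unverifiable_new" if rec["created"] > backup_time else "inserted"
            report[key].append(pid)
            continue

        if d == digest(backup[pid]["template"]):
            continue  # unchanged since the backup

        original_owner = backup_owner.get(d)
        if original_owner is not None:
            # Template is genuine but now sits under a different identity.
            report["moved"].append((pid, original_owner))
        else:
            report["modified"].append(pid)

    # One template attached to several identities (mass overwrite, or a
    # planted identity reusing an existing person's prints).
    report["shared_template"] = [p for p in live_by_digest.values() if len(p) > 1]
    return report

# Constructed sample data: byte strings stand in for stored templates.
BACKUP_TIME = 1000
BACKUP = {
    "P001": {"template": b"tpl-A", "created": 100},
    "P002": {"template": b"tpl-B", "created": 110},
    "P003": {"template": b"tpl-C", "created": 120},
    "P004": {"template": b"tpl-D", "created": 130},
    "P005": {"template": b"tpl-E", "created": 140},
}
LIVE = {
    "P001": {"template": b"tpl-B", "created": 100},   # swapped with P002
    "P002": {"template": b"tpl-A", "created": 110},   # swapped with P001
    "P003": {"template": b"tpl-C", "created": 120},   # untouched
    "P004": {"template": b"tpl-X", "created": 130},   # overwritten
    "P006": {"template": b"tpl-F", "created": 900},   # backdated insert
    "P007": {"template": b"tpl-G", "created": 1200},  # enrolled after backup
    "P008": {"template": b"tpl-C", "created": 1300},  # reuses P003's prints
}

if __name__ == "__main__":
    for kind, items in compare_snapshots(BACKUP, LIVE, BACKUP_TIME).items():
        print(f"{kind}: {items}")
```

Records in `unverifiable_new` are the "window of loss" from the comment: the backup cannot confirm or refute them, so they need checking against enrollment paperwork or another independent source.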
Time to reread “Neuromancer”, dated and 80s as it might be, just to revisit a world in a continuous state of under-the-covers war, and most ordinary people were utterly oblivious to it.
“So what does this mean, readers, for the future of our society?”
It means that in the future, all information will become available to any and all who want it. In the past century, we have seen how all technology begins as expensive and available to a privileged few people or institutions. As its cost goes down, it becomes available to the masses. The same is true of information (think instantaneous delivery of news, credit scores, baseball statistics, etc.). Look toward a society where it is impossible to tell a lie or keep a secret, because out there somewhere is readily accessible data that will expose you. In a society with no secrets and no lies, there will either be universal trust or universal distrust.
I can’t resist, but at what point does the information cease to be information? At what point does information itself start to deliquesce?
Quote from Edmund: “You can’t steal my identity, all that can be done is to fool someone into trusting a falsehood – what they do with that is their problem, not mine”
Actually, this “falsehood” can make an honest person’s life hell. This happens when a criminal impersonates an honest person, and the criminal racks up huge credit card debt (for example). There are numerous examples where the honest person loses their credit rating, and spends months or years proving that they were not responsible for the criminal behaviour…..and while this process is going on they can’t use credit cards or get a mortgage.
……and that ACTUALLY IS THEIR PROBLEM. Please don’t use false logic to minimise a real issue.
It’s their own fault for letting a machine tell them what to do, isn’t it?
As someone whose records were taken, I may consider a life of crime. I can leave my prints and simply state they were stolen if I were ever caught.
This country has so much important infrastructure and sensitive data, on networks accessible to the Internet for convenience sake only. Seems real easy to me, put it on a separate network. I know that is not the solve all, because those have been defeated as well, but at least it’s harder.
Various data security/integrity laws at the federal and state levels require companies to properly secure their personally identifiable customer as well as employee information. One example is the company Avmed who ended up settling with the government for $3.5 million for possible exposure of customers’ personal information after two laptops were lost.
All personally identifiable information should be encrypted at rest, and in transit if it is kept in a network connected system. If the data is to be used for reasons other than its primary function (identifying people and their related key information / accounts etc) – then it should be anonymized (systematically removing all traces of real identification from the data). Anonymous data – while useful in a statistical context, is completely useless in terms of targeting anyone specifically.
So – if this data was so important/dangerous – why didn’t the OPM use proper procedures for handling it electronically – given the necessity of laws and regulations governing this for corporations?
Finally, if this data is so risky to hold on to, why are we holding on to it? Safer alternatives would be to erase the data from our databases, move the data to an isolated (secure – e.g. non-internet connected) network – which has its own logistical nightmares, or (the horror) make paper copies of the relevant data – for even more logistical fear and loathing.
What makes the OPM break even more troubling is that it includes disclosures and background research that were made for those getting various security clearances. If there’s “meat” in there to blackmail individuals in sensitive positions, it shouldn’t come as a surprise when someone does so.
Well, if I were a nation state doing this then I would have a “long con” in mind. With the information I downloaded I would work at creating external references to specially identified staff which the nation state decides to target. I would, for example, create arrest records, child porn convictions, etc., etc. Remember, I’m doing this (hacking or by using previously infiltrated moles) into reference databases that have not been highlighted.
As these specially identified staff attempt to get renewed clearances, these discrepancies will cause suspicion to fall, first, on employees. Eventually, I fully expect these employees will be able to demonstrate that the information is inaccurate or false and, eventually, certain previously trusted reference resources will be considered unreliable.
Now, when I want to infiltrate a mole into a position of trust, any discrepancies found in references that are no longer considered reliable will be discarded making it much easier to advance a mole or hold back a potential adversary.
Personnel security theater is like airport security theater, except instead of getting groped you don’t get the job.
Anything that has the potential to get the federal government out of its 1950s-morality security-theater paradigm, and into a trust-based personnel security model, is a Good Thing.
Re: “So I sat around with my buddies”. I think a far more interesting story would be about those buddies. Who are they?
Re: “Is it good news or bad?” Like the Snowden revelations, or the disclosure of security vulnerabilities, this type of breach is necessary to motivate people into thought and action. Awareness of a problem is the first step to solving it.
Re: “I think there will be ways like this to keep the theft from messing up the electronic payment systems. I hope.” I doubt if it will mess things up since most of us have been, and still do, use payment systems that don’t rely on fingerprints. Sure, I’m looking forward to the day when fingerprints will make it unnecessary to carry a wallet or purse, but that doesn’t mean I want to be a beta tester.
I wonder if President Obama is smart enough to know about guilds?
They really perturb distributions. They self-govern and are a very efficient means of top down control. You can’t get China to stop criminality, but you can get a US-China criminal guild system established.
“Criminal guild”. Isn’t that what most wealth-redistribution tax systems amount to? Sounds like another phrase for communism. I fail to see the benefit to forming one as it would just legitimize whatever is considered illegitimate.
That is silly. More likely use of the information would be to let China detect spies among business visitors.
>North Korea hacked Sony
>China is the one attacking US
Jesus, Cringely, and you say you are all chummy with tech people.
I wonder what Bob said that can be proven untrue. A web link supporting a contrary view would be helpful.
Y’Know About 2 years ago I started a Government contract for a ‘Quality’ prime contractor. I Live Near DC so I generally hold a clearance, anyway one day in between contracts / during on boarding and it is from the FBI and they had been concerned, that, based on my fingerprints – to get re badged for work I had did 15 years in San Quentin – For Murder – – Nevermind the reality of more than a few cleared contracts during that period. My references clearly vouched for me but it was troubling.
Just come across this, I think Cringely should devote a whole section on companies letting China Gov view their source code.
https://www.wsj.com/articles/ibm-allows-chinese-government-to-review-source-code-1444989039
https://www.reuters.com/article/2015/10/17/us-ibm-china-wsj-idUSKCN0SA1BZ20151017
Chinese intelligence is building private ‘Facebook’ of US government employees’ hacked data, claims cyber-security expert
https://www.dailymail.co.uk/news/article-3237496/Chinese-intelligence-building-private-Facebook-government-employees-hacked-data-claims-cyber-security-expert.html
Timely writing! I learned a lot from the information. Does anyone know where my assistant would be able to find a blank 2010 OPM SF 86 example to fill out?
https://www.opm.gov/forms/standard-forms/