OPM data breach
Yonatan Zunger at G+ has some good comments, including on the apparent inclusion of SF-86 (Questionnaire for National Security Positions) data in what is thought to have leaked.
From that last Wired piece:
> the breach was actually discovered during a sales demonstration by a security company named CyTech Services (paywall), showing the OPM its forensic product.
Go ahead and smoke that....
> There’s another concern even beyond that blackmail risk. SF-86 forms can include a list of foreign contacts with whom a worker has come in contact. Diplomats and other workers with access to classified information are required—depending on their job—to provide a list of these contacts....
Data Is Liability
I've been saying for a while (and Google and Yonatan have occasionally wandered into my field of fire) that data is liability. Or as Cory Doctorow puts it, personal electronic data is the nuclear waste of the information age.
I've also been increasingly coming to the opinion that, while oppression of the unprivileged and of the general population is my principal concern, it's actually the establishment (governments, businesses, banks, etc.) who are more vulnerable, if only because they have greater secrets, have historically had greater control over them, and, once security is breached, are more exposed to either attack or manipulation.
An exceptionally peculiar aspect of digital data is that, while it may remain in the boxes and cages provided for it, it's got a notable tendency to find itself liberated. Often without warning, and not detected for days, weeks, months, or longer, afterward (as in this case). In the real world we've got friction, especially associated with data processing and transfer. In digital form, far less so. Sometimes friction is good.
Dan Kaminsky, "Not Safe For Not Working On"
I'm still backlogged wanting to write about last year's Nude Celebrity Phone hacking. Dan Kaminsky, fortunately, has written virtually everything I could say on the topic and then some:
"Not Safe For Not Working On"
Victim shaming is par for the course in Infosec. Though more so for the celeb scandal than for this one.
You Don’t Necessarily Know When You’ve Been Hit, Let Alone What’s Gone. A hugely underappreciated aspect. Paul Vixie's had some similar comments along these lines.
It’s time we start outright blocking passwords common enough that they can be online brute forced, and it’s time we admit we know what they are. A fight I've attempted (and lost) at far too many organizations.
> There’s an old Soviet saying:
> If you think it, don’t say it
> If you say it, don’t write it.
> If you write it, don’t be surprised.
(I discussed Kaminsky's piece earlier at G+)
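Kaminsky's point about blocking passwords that are common enough to be guessed online is one an organization can actually implement, and the lockout policy tells you how deep the blocklist has to go: an attacker who gets N attempts per account per window, spraying across many accounts for W windows, effectively gets N×W distinct guesses per account, so at least the N×W most common passwords must be refused. The following is an added example, not code from the original post or from Kaminsky's piece. The frequency list and the lockout numbers are constructed for illustration, and the normalization choices (NFKC plus case folding, minimum length of 8) are assumptions in the spirit of NIST SP 800-63B rather than anything the post specifies.

```python
"""Refuse passwords an online attacker could plausibly guess.

Added example; not from the original post or Kaminsky's article.
The frequency list and lockout policy below are constructed.
"""
import unicodedata

# Constructed sample of a breach-derived frequency list: (password, count).
# A real deployment would load a large published list (hundreds of thousands
# of entries) instead of this toy, which is deliberately not pre-sorted.
COMMON_PASSWORDS = [
    ("123456", 23_000_000),
    ("password", 3_600_000),
    ("123456789", 7_700_000),
    ("qwerty", 3_800_000),
    ("12345678", 2_900_000),
    ("111111", 3_100_000),
    ("iloveyou", 1_600_000),
    ("abc123", 1_500_000),
    ("dragon", 1_000_000),
    ("letmein", 800_000),
    ("monkey", 1_100_000),
    ("football", 900_000),
]


def guess_budget(attempts_per_window: int, windows: int) -> int:
    """Distinct guesses an attacker gets per account under the lockout policy.

    E.g. 10 attempts per account per day, sprayed across the user base for
    90 days, is 900 guesses per account. Everything in the top 900 is dead.
    """
    return attempts_per_window * windows


def normalize(password: str) -> str:
    """Canonical form matching how the list is stored (assumed lowercase).

    NFKC folds fullwidth and compatibility characters; casefold handles case.
    Trailing digits are *not* stripped: 'password1' appears in real lists as
    its own entry, so stripping would over-block and hide the real ranking.
    """
    return unicodedata.normalize("NFKC", password).casefold()


def build_blocklist(freq, budget: int) -> frozenset:
    """Block the `budget` most common passwords: exactly the set an online
    attacker with that many guesses per account would work through."""
    ranked = sorted(freq, key=lambda entry: entry[1], reverse=True)
    return frozenset(normalize(pw) for pw, _ in ranked[:budget])


def check_password(candidate: str, blocklist: frozenset, min_length: int = 8):
    """Return (accepted, reason). Length floor is an assumed policy value."""
    if len(candidate) < min_length:
        return False, "too short"
    if normalize(candidate) in blocklist:
        return False, "too common to survive online guessing"
    return True, "ok"


if __name__ == "__main__":
    # Toy policy so the toy list shows a boundary: 3 attempts, 2 windows.
    blocklist = build_blocklist(COMMON_PASSWORDS, guess_budget(3, 2))
    for pw in ("Password", "iloveyou", "monkey", "Ｐassword"):
        print(repr(pw), check_password(pw, blocklist))
```

With the toy budget of 6 the seventh-ranked "iloveyou" is still accepted, which is the point of deriving the blocklist depth from the lockout policy rather than picking a round number: loosen the lockout and the blocklist must grow to match.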
Data Regulation Must Change
Until attitudes change, and the question "what is the risk if this leaks?" is asked of every piece of data collected, we'll continue to see more of these stories. The irony in this case is that it's the SF-86 background checks, the basic questionnaire for national security positions, that are thought to have leaked. Or as I observed yesterday on Hacker News: ultimately, countermeasures risk becoming attack surfaces. Indira Gandhi, prime minister of India, was assassinated by two of her own bodyguards.[2,3]
That means, though:
Data provenance. Transmission and sharing only with authentication.
Strict data retention policies. Destruction of data past a specific age.
Massive penalties for both disclosure and acting on fraudulent identification credentials. The latter won't do much for the OPM breach, but if personal data simply aren't financially useful, interest in them will dry up markedly.
There's also my burning suspicion that the data aren't actually all that valuable. Google's own Roberto Bayardo (@bayardo):
> People (journalists in particular) vastly overestimate the value of personal data for marketing & advertising purposes.
What's useful? Search term + location. The rest of it, not so much.
You can see the form for yourself (PDF).
How Many More Times?
We've already seen numerous staggering attacks, from without and within:
The US against the Soviet Union, in the reported 1982 CIA sabotage of the Urengoy-Surgut-Chelyabinsk natural gas pipeline.
Stuxnet, likely US and/or Israeli attack against Iran's nuclear program and possibly North Korea.
Numerous data breaches. There are several online lists; among the largest entries in one are Heartland Payment Systems (2009), TJX (2007), TRW (1984), Sony Corporation (2011), CardSystems (2005), and RockYou (2009).[6,7,8,9]
Wikileaks have published extensive extracts from U.S. diplomatic cables, largely provided by US soldier Chelsea (then Bradley) Manning.
The ne plus ultra of security, the US National Security Agency, was outed by one of its own contractors, Edward Snowden. As with Manning, an act of conscience.
The Director of the Central Intelligence Agency, General David Petraeus, was both 1) involved in sharing classified data and 2) brought down by his use of online media (including a shared Gmail account in which messages were composed but not sent).
Largest data breaches of all time http://flowingdata.com/2011/06/13/largest-data-breaches-of-all-time/
World's Biggest Data Breaches Selected losses greater than 30,000 records (updated 6th June 2015) http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
The 5 biggest data breaches of 2014 (so far) http://www.pcworld.com/article/2453400/the-biggest-data-breaches-of-2014-so-far.html
10 Worst Data Breaches of All Time http://www.tomsguide.com/us/biggest-data-breaches,news-19083.html