W i k i l e a k s

jpete wrote:How can you say that when fraud is rampant? If there were a system in place to determine who is accessing the system, fraud would be nil.

If you mean they know which employee accesses the system, that's virtually meaningless because the bad guys aren't employees.

And the bad guy in the majority of this WikiLeaks stuff is a Pfc that was fully authorized to access the system so what good did any of the "security" do?

Any computer data system that contains as much information as SSA, or for that matter any government agency is large and complex. You need to have a better understanding on how it's organized before you can make simple generalizations like the bad guys are gaining access. The SSA system records are huge, not only does an individuals record include information about him or her it includes relationship to parents, spouses, etc. This is known as the master file. Access to this record is highly controlled. By law access is off limits to all most all other government agencies. So for example immigration can't access it. It is this master record that I'm speaking of. Even SSA own computer specialists (programmers) have difficulty getting access to it. Instead they use a fake data set when testing there newly developed programs. Any accesses to the master records requires pre-approval and there is strict recording of access logins.

When you apply for SSA benefits at your local field office the clerk can see your records but it can't be altered. The request for benefits must be supported by information that supports who you are. Here's were fraud can and does occur. But that is a much different problem than access to the master data files. Changes to the master files are done in batch processing mode. That's why it takes some time to start your benefits, a waiting period until the next batch processing input.

In the state department data breach it appears the low level intelligence analysis had wide ranging reading rights. Perhaps he couldn't alter the records but it's hard to understand why he would need such wide rights to do his war zone intelligence job. That was the first security breach, giving the broad rights. It's been reported that he recorded the state department data on a CD. A CD that he took in that contained music files. Then erased it and used it to record what he was looking at. Why would you allow a hardware system that has a CD burner in it? It's just a security risk, the second needless risk. If there is a need to record classified data to get it somewhere else, there is always stringent other approvals needed and a logging trail of who had what and when. Clearly there was also a security breach allowing him to bring a recordable data disk into the facility, whatever it was. That's a third security breach. Normally you can't even bring your lunch in to such a facility. Clearly there was a lot at fault. Yes, it was a rogue Pfc that had authorized access. But that's no excuse for not having a computer monitoring system in place that shows what, when and how much data was being looked at. For example our Forum's administrator can see everything we do. He used those tools to ban "Devil44" because he violated his warnings and the rules. There had to be obvious computer use clues the Pfc was up to no good. Either there wasn't a monitoring system in place or someone wasn't looking.

SS#s are either obtained from some old records or just seen by someone maybe in a Dr.s office or someplace that might have them. It wasn`t all that long ago that SS3s were wanted just about everywhere as ID proof. My X wife was denied a student loan because she was already on a loan in the same school. She had to prove who she was rather than the one enrolled being asked for ID. Turned out my X was going to attend in spring but then decided not to go till fall, her ID was sold by a school employee.

Yanche wrote:

jpete wrote:How can you say that when fraud is rampant? If there were a system in place to determine who is accessing the system, fraud would be nil.

If you mean they know which employee accesses the system, that's virtually meaningless because the bad guys aren't employees.

And the bad guy in the majority of this WikiLeaks stuff is a Pfc that was fully authorized to access the system so what good did any of the "security" do?

Any computer data system that contains as much information as SSA, or for that matter any government agency is large and complex. You need to have a better understanding on how it's organized before you can make simple generalizations like the bad guys are gaining access. The SSA system records are huge, not only does an individuals record include information about him or her it includes relationship to parents, spouses, etc. This is known as the master file. Access to this record is highly controlled. By law access is off limits to all most all other government agencies. So for example immigration can't access it. It is this master record that I'm speaking of. Even SSA own computer specialists (programmers) have difficulty getting access to it. Instead they use a fake data set when testing there newly developed programs. Any accesses to the master records requires pre-approval and there is strict recording of access logins.

When you apply for SSA benefits at your local field office the clerk can see your records but it can't be altered. The request for benefits must be supported by information that supports who you are. Here's were fraud can and does occur. But that is a much different problem than access to the master data files. Changes to the master files are done in batch processing mode. That's why it takes some time to start your benefits, a waiting period until the next batch processing input.

In the state department data breach it appears the low level intelligence analysis had wide ranging reading rights. Perhaps he couldn't alter the records but it's hard to understand why he would need such wide rights to do his war zone intelligence job. That was the first security breach, giving the broad rights. It's been reported that he recorded the state department data on a CD. A CD that he took in that contained music files. Then erased it and used it to record what he was looking at. Why would you allow a hardware system that has a CD burner in it? It's just a security risk, the second needless risk. If there is a need to record classified data to get it somewhere else, there is always stringent other approvals needed and a logging trail of who had what and when. Clearly there was also a security breach allowing him to bring a recordable data disk into the facility, whatever it was. That's a third security breach. Normally you can't even bring your lunch in to such a facility. Clearly there was a lot at fault. Yes, it was a rogue Pfc that had authorized access. But that's no excuse for not having a computer monitoring system in place that shows what, when and how much data was being looked at. For example our Forum's administrator can see everything we do. He used those tools to ban "Devil44" because he violated his warnings and the rules. There had to be obvious computer use clues the Pfc was up to no good. Either there wasn't a monitoring system in place or someone wasn't looking.

I everything you say is true, and I have no reason to believe it isn't, then I have two problems. One if the claim in the story I linked that claims 1 in 7 people have two SS#. Either knowingly or unknowingly. If everything is cross referenced as you claim, this shouldn't be possible.

And more on topic, if YOU know what should and shouldn't be done in respect to security measures on a large database like the State Department, why doesn't the State Department?

I still think it goes deeper than a PFC. & there should be no reason for him to have even been able to make one disc, the amt. leaked would be quite a few discs. This wasn`t a one time thing.

samhill wrote:I still think it goes deeper than a PFC. & there should be no reason for him to have even been able to make one disc, the amt. leaked would be quite a few discs. This wasn`t a one time thing.

Text takes up very little space especially when compressed. The entire contents of this forum is just over 600MB uncompressed, that would include all posts, PM's, member information and the search index which is actually quite big itself. The biggest table is the posts table which is nearly 300MB and that has a lot of stuff unrelated to the actual text itself. The compressed file is just over 90MB, keep in mind that also includes a lot of text that are instructions to rebuild it. That doesn't include uploaded files like images, that's many GB's.

I hope they have cleaned up the SSA system a little since my last exposure to it, but I would suspect it may be worse now. Back in the 90's I worked for a company where we setting up the first secure networks between payers and providers in the health care industry for claims processing purposes. One of the challenges was to accurately "identify" a person in our system. During our test phase we quickly eliminated using SS#'s as any part of the identification process because of the number of errors in that system at that time. We were getting more than an 8% error rate trying to use them combined with other information. There was no way to implement our type of system with that error %. We eliminated the SS# and found a combination of other info to verify peoples identity and we were well below a 1% error rate.

One other memorable part of that job was sitting in on the HCFA meetings outside DC trying to get meaningful standards in place for transactions and watching the HCFA "leaders" bend to the will of the payers every time. The payers (insurance industry) would put many roadblocks in place to getting things streamlined because it meant they would be able to hold onto the gov't money for a few extra days increasing their "float" margins.

jpete wrote:And more on topic, if YOU know what should and shouldn't be done in respect to security measures on a large database like the State Department, why doesn't the State Department?

Knowing why the Pfc was able to steal what he did may never be publicly known, especially since he will be tried by the military, where court records are not public.

I'm not a computer data security expert. What I talk about is just my experience in using systems that have been designed by experts. Why the State Department didn't have better controls is a very good question. My guess would come down the to age old problems, human nature and funding. Government agencies tend to do the best at what their mission is. Data protection is not the State Department's core mission, so the funding in dollars and people experts is likely down near the bottom of the list. Sure there are a lot of excellent computer experts in government, but could you see Hillary calling up NSA and saying we have a problem come on over and help us? It's turf battles and the we can do it ourselves, no thank you, attitude of agencies.

That doesn't make me feel good about them "protecting" me from all sorts of things. But by all means, we should continue spending a trillion dollars a year trying!