The Dim-Post

April 8, 2016

The password is password

Filed under: Uncategorized — danylmc @ 8:11 am

Via Fish:

Our spies have been rapped for loose controls around the largest collection of sensitive information held by any government department which includes details of people’s alcohol and drug use — and their sexual behaviour.

The systems were so loose the Inspector General of Intelligence and Security said there was a risk foreign spies would try and access the information and use it to compromise Kiwis with high-level security clearances.

Urgent changes are underway to the system after an inquiry found a large number of people in the Security Intelligence Service had access to its collection of highly personal information on thousands of people.

The information is collected by the SIS as part of its inquiries into people needing security clearances for government work, including in the intelligence community.

To make the judgment around someone’s security clearance — up to “top secret special” — it results in a collection of details about people’s sex lives, drug use and possible alcohol abuse, along with information about their mental health or personal finances.

It’s been conventional wisdom in Wellington for as long as I can remember that people being vetted by the SIS should never actually disclose anything because the information was completely insecure. Good to hear that this has filtered up to their watchdog. Also, we should definitely trust them with sweeping new powers because they’re so trustworthy and professional and competent.

23 Comments »

  1. It’s been conventional wisdom in Wellington for as long as I can remember that people being vetted by the SIS should never actually disclose anything because the information was completely insecure.

    Sort of.
    The whole point is that it’s a behavioural control anyway. It’s a test of candour, rather than a maintained list of potentially perfidious activities.
    Otherwise none of those happily married, alcoholic, closet queens in MFAT could ever hold down a job.

    Comment by Gregor W — April 8, 2016 @ 8:45 am

  2. Back in the 2000s they were apparently still worried about communist infiltration. ‘When you were living in London, why did you go to Prague for a weekend with a group of your best friends just before your wedding? Did anyone make contact with you there to try and recruit you?’

    Comment by danylmc — April 8, 2016 @ 9:01 am

  3. I very much doubt you’d find anyone in a senior ICT position in Govt who would be willing to say they were confident that their network wasn’t already compromised by the Chinese. It’s not a government problem, it’s an industry problem, and it’s going to get worse. Once upon a time, we had people with solid technical skills; a surprising number trained by the Post Office. Today learning a mark up language makes you a coder.

    Excuse me while I go and shout at the kids on my lawn.

    Comment by Robert Singers — April 8, 2016 @ 9:31 am

  4. The only wrong answer to most of the security vetting questions is “something different to what your referees said or the SIS already found out”.

    Comment by Trouble Man — April 8, 2016 @ 9:55 am

  5. I very much doubt you’d find anyone in a senior ICT position in Govt who would be willing to say they were confident that their network wasn’t already compromised by the Chinese.

    That’s because it would be a stupid question and empirically unprovable. Compromise takes many forms.
    Information Security/egress controls are mostly a human/procedural problem rather than a technology one, though there are some great tools that assist with preventing inadvertent exposure and forensic examination.

    Comment by Gregor W — April 8, 2016 @ 10:15 am

  6. When I worked with such things, the rule generally was that secret information shouldn’t be on a computer, if it was on a computer it should be in a Faraday cage with the disks taken out and locked in a safe after use, and if anyone was so reckless as to have a network, that should be entirely in a Faraday cage with a datalock (two copperclad doors) for access.

    In an open society, what can the Chinese really learn from spying that they couldn’t get by asking, googling, or putting in an OIA request?

    Comment by richdrich — April 8, 2016 @ 10:15 am

  7. “In an open society, what can the Chinese really learn from spying that they couldn’t get by asking, googling, or putting in an OIA request?”

    I am sure that many in their diplomatic corps and intelligence services just see the open society as cunning camouflage for the secret state within that actually controls the world.

    Two of my referees for vetting for a job with a National government were a member of Nga Tomatoa and a left wing Professor associated with Labour. I got the job.

    Comment by Tinakori — April 8, 2016 @ 11:19 am

  8. @richdrich – most of that still holds true, but there are always the usual challenges between data secrecy and data usability that need to be navigated.

    Technology changes have also reduced the effectiveness of old school techniques like Faraday cages to a certain extent, though they are definitely still in use as part of a suite of physical defenses.

    A while back, I worked in a place that degaussed everyone who left the site (which was Faradayed, hardened optical connections, private network etc.) as part of a physical inspection process.
    The controller was particularly proud of this perimeter strategy until it was pointed out that USB ports weren’t always secured, and that it would be pretty easy to hide a memory stick up your bunghole.

    Comment by Gregor W — April 8, 2016 @ 12:06 pm

  9. @ tinakori

    Nga Tomatoa? Is that an Italian iwi?

    The story I was told is they only ask about things they already know about.

    Comment by insider — April 8, 2016 @ 12:48 pm

  10. @richdrich it’s not about what you find out, it’s about when you find it out.

    Comment by Robert Singers — April 8, 2016 @ 1:47 pm

  11. “Nga Tomatoa? Is that an Italian iwi?”

    The predictive spelling kept trying for tomato and I added the “a” without doing my own checking! Tamatoa, of course.

    Comment by Tinakori — April 8, 2016 @ 5:29 pm

  12. I say “tomato”, you say “tomatoa”.

    Comment by Mark — April 8, 2016 @ 5:35 pm

  13. “Two of my referees for vetting for a job with a National government … I got the job.” I’m sure after talking to you for half an hour, Tinakori, your ‘beliefs’ got you the job.
    I was thinking that -maybe in the beltway, crazy ideas about infrastructure, must have a day job working for someone in national. I dread the thought that it could be something like the crazy creature Cera

    Comment by ghostwhowalksnz — April 8, 2016 @ 7:11 pm

  14. Mark are you one of those ‘green on the outside, red on the inside’ types I keep reading about. I only ask because of your pic. I would be crushed to find out Kermit was an undercover green operative.

    Comment by leeharmanclark — April 8, 2016 @ 7:44 pm

  15. @richdrich: “In an open society, what can the Chinese really learn from spying that they couldn’t get by asking, googling, or putting in an OIA request?”

    Fortunately our law includes an important clause to counter the creeping and concerning global espionage attempts via invocation of the OIA. Agencies needn’t respond to any requestor unless they’re a NZ Citizen or Resident, or happen to be within NZ at the time of requesting, or happen to be requesting on behalf of a body corporate that has a place of business in New Zealand.

    Also, the Ombudsman is not very effective at processing complaints whenever agencies don’t bother to do what they’re required to do.

    Problem solved.

    Comment by izogi — April 8, 2016 @ 11:54 pm

  16. “I was thinking that -maybe in the beltway, crazy ideas about infrastructure, must have a day job working for someone in national”

    It was just over 20 years ago, Ghost. And no loyalty test – ideological or otherwise – was required. That seemed to be the case with most of the people hired by that government. For Labour it’s the other way round, with the non-ideological very much in the minority. Why the difference? I suspect it’s because left wingers tend to be more insecure about their ideas and, in the search for certainty, they slap a rather crude template over almost everything and say this is right and that is left… when really the world ain’t that simple. That’s one of the reasons why they oscillate between calling the Key government hard right or Labour lite. Rob Salmond’s latest effort at Public Address is an example of the latter, a weak attempt at consolation and self flattery at the same time.

    Comment by Tinakori — April 9, 2016 @ 3:49 pm

  17. How much of PA’s content is Rob Salmond now? A third? A half? He’s destroyed the place. It’s just one “have I mentioned how awesome Andrew Little is?” post after another.

    Comment by @simongarlick — April 10, 2016 @ 2:18 am

  18. Who the heck is Rob Salmond?

    Comment by leeharmanclark — April 10, 2016 @ 7:28 am

  19. How much of PA’s content is Rob Salmond now? A third? A half? He’s destroyed the place.

    A simple visit to the site tells us the answer: No it isn’t, and he hasn’t.

    http://publicaddress.net/system/

    Comment by sammy 3.0 — April 10, 2016 @ 8:15 am

  20. I’d still be lying if I said my view of PA hadn’t changed since Rob started blogging there frequently.

    It’s always been clear that Russell and the site have a political slant across many issues, but the posts have normally at least been well reasoned and independent. Rob’s blogging directly on behalf of the Labour Party (or it may as well be), reacting to everything negative stated about the Labour Party, goes a step beyond that, IMHO.

    At least it’s now categorised into its own corner, I guess.

    Comment by izogi — April 10, 2016 @ 4:10 pm

  21. “…this is the ordinary class of spies, properly so called, forming a regular part of the army. Tu Mu says: “Your surviving spy must be a man of keen intellect, though in outward appearance a fool; of shabby exterior, but with a will of iron. He must be active, robust, endowed with physical strength and courage; thoroughly accustomed to all sorts of dirty work, able to endure hunger and cold, and to put up with shame and ignominy.”

    – Sun Tzu, The Art of War XIII, 167:2

    In outward appearance, needed greater oversight, which necessitates greater powers? While in actual fact, of keen intellect, knowing all – and profiting by it in the war they have been tasked with? A largely economic war, with little to do with “security”.

    Comment by Malcontent — April 10, 2016 @ 7:42 pm

  22. sammy 3.0:

    How much of PA’s content is Rob Salmond now? A third? A half? He’s destroyed the place.

    A simple visit to the site tells us the answer: No it isn’t, and he hasn’t.

    Five of last week’s twelve posts on PA were by Rob “Asians are stealing our land” Salmond.

    Comment by @simongarlick — April 11, 2016 @ 11:15 am

  23. @Izogi:
    Fortunately our law includes an important clause to counter the creeping and concerning global espionage attempts via invocation of the OIA. Agencies needn’t respond to any requestor unless they’re a NZ Citizen or Resident, or happen to be within NZ at the time of requesting, or happen to be requesting on behalf of a body corporate that has a place of business in New Zealand.

    The Law Commission has recommended that that clause be removed, as it’s inconsistent with both LGOIMA and the Privacy Act, and also current best practice. Also, the Ombudsman has said that non-citizen requests must still be handled reasonably, which in most cases means treating them like a valid OIA request.

    Comment by idiotsavant23 — April 11, 2016 @ 8:09 pm
