Monday, May 22, 2006

Select * from tblVeterans

This might make impersonating an Airborne Ranger easier. Data disks of millions of veterans are stolen -- The Associated Press

MONDAY, MAY 22, 2006 WASHINGTON Personal data, including the Social Security numbers of 26.5 million U.S. veterans, were stolen from an employee of the Department of Veterans Affairs this month after he took computer disks home without authorization, the agency said Monday. The secretary for veterans affairs, Jim Nicholson, said there was no evidence so far that the burglars who robbed the employee's home had used the material - or even knew they had it. The employee, a data analyst whom Nicholson would not identify, has been placed on leave "pending the outcome of an investigation," the agency said on its Web site.

Commentary

Professional database administrators know about things like granting permissions on tables and putting in audit scripts, the kind that send pager messages or emails to warn when, for example, somebody wants 26.5 million keys and their related records. Normally one tries to restrict direct query access to a database to a chosen few; it is better to provide data access to users through an application front end, and you can control the living daylights out of a front end. It is good practice to provide select access through stored procedures or some similar mechanism where execute permissions can be assigned and where, at the very least, one can count the rowset requested before returning it. You want twenty-six thousand records? Maybe, and you'd log it. But somebody asking for twenty-five million records and change -- the whole dataset -- would make you wonder.
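As an added illustration of that scheme (not code from the post), here is a Python gate over an in-memory SQLite copy of a tblVeterans table: callers are granted named, parameterised queries in place of direct SELECT on the table, the rowset is counted before anything is returned, every request is written to an audit list, and a request above the thresholds is flagged or refused. The sample rows, procedure names and the two thresholds are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample rows standing in for the post's tblVeterans (not real data).
SAMPLE_ROWS = [(i, f"Vet{i}", "Smith" if i % 2 else "Jones", f"000-00-{i:04d}")
               for i in range(1, 11)]

# Named, parameterised queries stand in for stored procedures: callers are
# granted these by name and never get a direct SELECT on the table.
# Each value is a fixed FROM/WHERE tail; caller input only ever goes into the '?'.
PROCEDURES = {
    "by_id": "FROM tblVeterans WHERE id = ?",
    "by_last_name": "FROM tblVeterans WHERE last_name = ?",
    "all_records": "FROM tblVeterans",
}


@dataclass
class QueryGate:
    conn: sqlite3.Connection
    alert_rows: int = 3   # assumed threshold: larger rowsets are flagged for the DBA
    max_rows: int = 5     # assumed threshold: larger rowsets are refused outright
    audit: list = field(default_factory=list)   # stands in for the audit table/pager

    def execute(self, requester, proc, *params):
        entry = {"who": requester, "proc": proc, "params": params,
                 "rows": None, "status": "ok"}
        self.audit.append(entry)            # every request is logged, allowed or not
        if proc not in PROCEDURES:
            entry["status"] = "denied"      # no EXECUTE grant for this name
            raise PermissionError(f"{requester}: no such procedure {proc!r}")
        tail = PROCEDURES[proc]
        # Count first so the size of the rowset is known before any data leaves.
        count = self.conn.execute(f"SELECT COUNT(*) {tail}", params).fetchone()[0]
        entry["rows"] = count
        if count > self.max_rows:
            entry["status"] = "refused"     # the "whole dataset" request
            raise PermissionError(
                f"{requester} asked for {count} rows via {proc}; refused and logged")
        if count > self.alert_rows:
            entry["status"] = "flagged"     # returned, but the pager would go off here
        return self.conn.execute(
            f"SELECT id, first_name, last_name, ssn {tail}", params).fetchall()


def build_gate():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblVeterans (id INTEGER PRIMARY KEY, first_name TEXT,"
                 " last_name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO tblVeterans VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return QueryGate(conn)


if __name__ == "__main__":
    gate = build_gate()
    print(gate.execute("analyst", "by_id", 7))                    # one row, logged as ok
    print(len(gate.execute("analyst", "by_last_name", "Smith")))  # 5 rows, flagged
    try:
        gate.execute("analyst", "all_records")                    # 10 rows: refused
    except PermissionError as err:
        print(err)
    for line in gate.audit:
        print(line)
```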

How did this happen? In this case the robbery victim was a data analyst, somebody looking for trends in records. Maybe doing data mining. For a management report. So he had access in principle to the full set. And that's the problem with security schemes of all kinds. Friends often ask me if it is "safe" to transmit sensitive data over the Internet. My usual answer is that while there's some danger of a malicious application sweeping through the network, the greatest danger is usually an employee at the other end who might leave the screen open on his account while going out to lunch. It's the trusted men who are vulnerable to misadventure or who may be seduced to betrayal. If you want the secrets of an organization, rob or suborn the men with access.

57 Comments:

Blogger Doug said...

"Mitnick"

5/22/2006 11:35:00 PM  
Blogger Doug said...

Social Engineering
Although often portrayed as a technical expert, most of Mitnick's attacks were based on social engineering, the practice of obtaining confidential information by manipulation of legitimate users, rather than technical exploits he discovered.

Mitnick discovered a large number of vulnerabilities in the OpenVMS operating system by getting access to the voice mail system of security researchers at DEC.

5/22/2006 11:40:00 PM  
Blogger ledger said...

As they say in the merchandise auditing business: "85 % of all merchandise theft comes from within an organization."

It may not be true in this case - but it sure could be.

I would look at the individual "who got the records stolen from him."

Sure, it's possible it was done by a state sponsor. But, let's just wait and see what turns up.

5/23/2006 02:09:00 AM  
Blogger Starling said...

Started out to leave a comment on this post but it began to run pretty long. So as to not be a comment hog, I posted the remarks to my own blog. Here's the link if anyone's interested.

5/23/2006 04:05:00 AM  
Blogger desert rat said...

Trust the government, the employees really are morally superior human beings, always wanting to "help", others, not themselves.

The new "Church", omnipresent and powerful.
All knowing and "here to help"

Just ask Mike Brown.

5/23/2006 06:34:00 AM  
Blogger desert rat said...

This comment has been removed by a blog administrator.

5/23/2006 06:40:00 AM  
Blogger desert rat said...

j.s.

While the "seal" may not be total, the total flow could be "cut" way back.

From 10,000 attempts to infiltrate the US per night, down to a manageable number, a 1,000 or so.

Detain each infiltrator for six months in a tent city, as is beginning to be done by Sheriff Joe in Maricopa County, before returning the infiltrator to Mexico.

Impose a cost to the migrants and the flow will slow.
Impose a cost to the employers of the undocumented workers, those employers will utilize less illegal labor meanwhile economic demand for a more adequate Immigration system would grow.

If difficulty were reason for inaction, we'd never have gone to Iraq. Discussion of action in Iran would also be verboten.
If difficulty trumps need.

5/23/2006 06:45:00 AM  
Blogger Ash said...

OT-

Wretchard, you posted awhile back how to make a 'google bomb'. It seems one was set off and now if you type 'miserable failure' into google's search engine the top result is a link to Bush's bio.

5/23/2006 07:31:00 AM  
Blogger Charles said...

I'll be interested to see how this story pans out.

I worked in downtown DC as an IT contractor for a number of years and in that capacity spent time in a number of different government agencies including HUD, the VA, & US Customs & Border Patrol.

imho a lot of the msm attitude toward the New Orleans Astrodome projects people was shaped by the threat their bad behavior posed to the job security of HUD employees. What I learned from working at HUD was that HUD is not so much about providing public housing, i.e. "the projects" for the poor, as it is about providing secure employment for the 1000s of black civil servants drawing high paying salaries at HUD. Otherwise why continue a program for which the way out too often is through the criminal justice system.

The VA looks very much like HUD.

I hope my mother doesn't get a letter from the VA.

5/23/2006 07:39:00 AM  
Blogger Boghie said...

Another interesting bit of SQL from Wretchard’s past:

DELETE FROM TBPERPS WHERE ...

Interesting change of naming and syntax conventions. Personally, I still like the CAPS for the language, but have been using the reverse Hungarian conventions for a long time. All this object oriented stuff makes naming conventions very difficult to implement for a team though...

On the topic: The truly scary thing is how the data was acquired and stored. 26 million records on an SQL database requires a huge amount of disk space and a customer with a copy of the same SQL engine. Interesting...

My money is that said 'employee' will probably turn out to be a contractor - paid to do a specific job over a specific period of time.

And, if a contractor - who really knows the chap. Is he good? Is he safe with data? Is he Jack Bauer (sic, I think)? If working in the stifling NMCI environment, he probably had to take the data home to get any work done – yuk, yuk…

Government Reinvented.

As a contractor, nothing of note will happen to him. He will be dumped, but nobody will ever know. Probably end up reviewing Social Security records for potential illegal aliens getting benefits or something.

Enjoy the new world.

5/23/2006 07:40:00 AM  
Blogger Boghie said...

By the way,

As a result of NMCI and force structure changes I seriously doubt that Wretchard will be writing posts like
DELETE FROM TBPERPS WHERE ... anytime soon...

The Marine Corps has lost its ad-hoc data management capability.

But, at least they can't steal personal information!!!

5/23/2006 07:50:00 AM  
Blogger rhhardin said...

Only recently has it been necessary to guard social security numbers. IRS 1040's until pretty recently came with the SS number printed on the address label.

What changed is that the credit industry got lazy about knowing their customer, a competitive advantage that quickly got competed away, not even leaving them anything to show for it.

The agency that returns to knowing its customer will go out of business because of high costs, unless they all do it together.

Which could be achieved by making them responsible for the consequences of mistakes.

5/23/2006 07:55:00 AM  
Blogger Baron Bodissey said...

Wretchard, you are too right. That's what I thought after going through 6 months of Sarbanes-Oxley compliance.

For those who are unfamiliar with internal American politics, the Sarbanes-Oxley Act was Congress' ridiculous response to corporate malfeasance in high places at Enron and other firms.

I had to write a lot of code and design various structures to implement Sarbanes-Oxley (known to IT people as "SOX") at our company. It means that programmers and DBAs now have that much more of a difficult time doing their job.

But it's not the programmers and data entry clerks and low-level accountants who cause Enron-type scandals. It's the people at the top, the CEO, the CFO, the head of auditing, that are the would-be perps.

They still have the permissions and passwords, and when their scheme is ready, they'll pass the word down to flunkies like me, opening up the datastore for us to update.

And we'll have no idea what we're doing. We'll be running huge SQL statements to modify data which has little meaning to us, because data is data -- columns in tables, joined on the primary key, filtered by date, whatever...

Sorry. I just had to rant. I hate Sarbanes-Oxley.

5/23/2006 08:27:00 AM  
Blogger Charles said...

ledger said....

As they say in the merchandise auditing business: "85% of all merchandise theft comes from within an organization."
......................
As that would apply here--it would be appropriate to figure that the illegals coming into the country are going to need some social security numbers.

5/23/2006 08:34:00 AM  
Blogger Charles said...

And of course McCain is right there to legalize identity theft. And who better to steal from the vets.

Likely these will wind up as Rush Limbaugh talking points...followed by a gorebasm.

5/23/2006 08:40:00 AM  
Blogger Red River said...

It sounded like the analyst had flat files. I would be surprised to learn that the VA is still on 1980s technology.

"On the topic: The truly scary thing is how the data was acquired and stored. 26 million records on an SQL database requires a huge amount of space"

Really? 26 million x 250 bytes is just 6.5 gig. That's an hour's worth of Redo in some of my dbs. Trivial.

Check this out for some big dbs. There are a lot of dbs that are not on this list.

http://www.wintercorp.com

The suggestions Wretchard makes for data security, while effective for CSR/Management type interfaces, are two orders of magnitude behind the state of the art and, in any case, are unworkable for effective data analysis and do not scale.

Once you start limiting access, you also decrease the usefulness of the data and the capabilities of the analyst while increasing cycle time and the cost of accessing the data. It also becomes harder to do maintenance and improvements.

5/23/2006 09:33:00 AM  
Blogger Stephen Macdonald said...

Test.

5/23/2006 09:46:00 AM  
Blogger Doug said...

Great Story about a great Old Man, Habu:
Yours.
---
Social Engineering from the Dark Side:
Elderly Darwinian Con Job Darwin Award Winners

Just heard it on KRLA News:

Two elderly women befriended homeless men, took out life insurance policies on them,
men were later killed in hit and run ACCIDENTS!

Moral
Accidents do happen.

(they should have worked for the govt, some NGO's or the world council of churches)

5/23/2006 10:17:00 AM  
Blogger Doug said...

river 9:33 AM,
Yeah, I knew that!

5/23/2006 10:20:00 AM  
Blogger Doug said...

So how do they do it Now?

5/23/2006 10:21:00 AM  
Blogger Doug said...

8:34 AM Charles,
Thanks, now I know mine will be put to a good-hearted COMPASSIONATE use.
McCain '08!
not

5/23/2006 10:25:00 AM  
Blogger Doug said...

nat,
Welcome back! (aboard)
Someone just mentioned you last week!
(but we couldn't remember your name!)

5/23/2006 10:26:00 AM  
Blogger Doug said...

Comments on Hardin's 7:55 AM?
Specifically wrt GOVT ID's, etc.
The Senate would never open up a NEW can of worms with their newfound compassion for illegals would they?

5/23/2006 10:32:00 AM  
Blogger Doug said...

Charles, 7:39 AM
I learned about the HUD scam from the inside way back in 70 in a place called Marin City, which was right near Sausalito, and not too far from San Quentin!
Looked out over Alcatraz!
Maybe Jamie can update us about what's up there now.
(also not far from Courtroom where Jackson Bro blew the Judges head off)

5/23/2006 10:39:00 AM  
Blogger Doug said...

"Impose a cost to the employers of the undocumented workers, those employers will utilize less illegal labor meanwhile economic demand for a more adequate Immigration system would grow."
---
'Rat,
Any ideas on how you might make it where American wages do not continue to be decimated by *high* immigration, legal or illegal?

5/23/2006 10:46:00 AM  
Blogger Doug said...

'Rat,
Samford mentioned the billions in China and India a while back and said we still have plenty of room:
I thought he was joking, as in sarcasm!
Now...
John?

5/23/2006 10:50:00 AM  
Blogger Doug said...

Get out the White Suit.

5/23/2006 10:50:00 AM  
Blogger Doug said...

Might have been 'Rat, something about your line of work, no personal info was disclosed!

5/23/2006 11:04:00 AM  
Blogger Doug said...

Speaking of your line of work:
Helprin was on Hewitt yesterday, he's pissed about shipbuilding being cut below Clinton levels.
I agree.
Check out radioblogger.com they probably have transcript and mp3.

5/23/2006 11:10:00 AM  
Blogger Doug said...

radioblogger does not have, sorry

5/23/2006 11:12:00 AM  
Blogger Doug said...

Wretch,
I was going to comment on that ;-)

5/23/2006 11:15:00 AM  
Blogger Doug said...

Informed, as always, of course.

5/23/2006 11:15:00 AM  
Blogger desert rat said...

You were looking for some ship building info, or empathy, re: the carrier sunk in the Gulf.

The answer to your question, as per wages, would be to limit supply, raising the value of the Citizen over the dumped foreign labor.

If this were plywood or steel, there would not even be a debate, the trade protections would be in place. But protect the US Labor force from illegal foreign competition, even on the Homefront, with Mr Bush, not a chance.
Not part of the New World Order's implementation workorder.

5/23/2006 11:21:00 AM  
Blogger Doug said...

"Disposable Commodity"

5/23/2006 11:25:00 AM  
Blogger Doug said...

That is one of the most nativist, racist, disgusting comments I've ever read, 'Rat.
You should be ashamed!
...but since you aren't...
we'll see what can be done about that!

5/23/2006 11:26:00 AM  
Blogger Doug said...

Nat,
Still confused by 'Rat, but remember conversation, I think:
Buddy mentioned H-Bombing a carrier at Bikini:
I said:
Show me the evidence!

5/23/2006 11:29:00 AM  
Blogger desert rat said...

Those "illegals" you betcha.

Referencing Human Rights Watch, illegal immigration and the exploitation of the immigrants is America's foremost Human Rights abuse.

Ask Kimba Woods.
She and Zoe Baird have had first hand experience as to the true costs of illegally employed migrants.

5/23/2006 11:29:00 AM  
Blogger Doug said...

11:26 AM not that thats a
*bad thing,* of course.
Just needs, ...correcting.

5/23/2006 11:36:00 AM  
Blogger Doug said...

The Business of America is...
COMPASSION.
Trust us.

5/23/2006 11:37:00 AM  
Blogger Doug said...

Don't forget "our" side:
Linda Chavez.

5/23/2006 11:42:00 AM  
Blogger Doug said...

GOTTA do it!
UPSIDE
Horseshoe Bay on Lake LBJ has plenty of domestic help, yardworkers, carpenters and bricklayers, and etc.
Life is just Grand, and you don't even have to pay for the help's kids or medicine!
---
Far Enough in the Heart of Texas to Be Away
Horseshoe Bay has become a haven to do a little bit of everything — or a lot of nothing.
---
Nice that the kids, education, and meds are prepaid on that labor:
Cuts down the *cost of doing business*, which is
Very important, given the recent rise in jet fuel for private aircraft!

5/23/2006 11:50:00 AM  
Blogger Doug said...

Witch soc sec number should I use?
---
"Which,"
Still stuck on that picture of you out at midnight with your witching sticks, prospecting for oil.
(shale)

5/23/2006 12:08:00 PM  
Blogger desert rat said...

This comment has been removed by a blog administrator.

5/23/2006 12:12:00 PM  
Blogger desert rat said...

For anyone who had a doubt or gave a damn

"...“Initial research by the U.S. Army Special Operations Command at Fort Bragg shows no Soldier with the name of Jesse Macbeth having ever been assigned to the Special Forces or the Army Rangers -- which are, in fact, two separate disciplines. This appears to be some sort of hoax. No Soldier by that name at Fort Lewis to our knowledge, in the past, either. Of course, the line about "go into the Army or go to jail" is vintage TV script not heard since the 1960s. There are also numerous wear and appearance issues with the Soldier's uniform -- a mix of foreign uniforms with the sleeves rolled up like a Marine and a badly floppy tan beret worn like a pastry chef. Of course, the allegations of war crimes are vague, as are the awards the Soldier allegedly received.” ..."

Not that there was doubt, it's just another wanna be, to be left behind, in the dust bin of history.

That boy could not find his own way,
let alone lead it.
From Michelle Milken's site.

5/23/2006 12:17:00 PM  
Blogger Doug said...

Please don't bring Kerry up again!

5/23/2006 12:27:00 PM  
Blogger Doug said...

The other two items concerned 'Rat's thing about Hormuz, I think, and the Oceanside or whatever it was made into a reef off Florida.

5/23/2006 12:57:00 PM  
Blogger Doug said...

In recent years, the submerged wreck, the top of which is only 40 ft below the surface, has become a scuba diving destination, one of only two (the other being USS Oriskany) carrier wrecks accessible to recreational divers.

Saratoga in culture
The 1931 movie Hell Divers starred Wallace Beery and a young Clark Gable as a pair of competing pilots on the Saratoga, and includes much footage of operations on board.

5/23/2006 01:13:00 PM  
Blogger Doug said...

Agreed, and Amen!

5/23/2006 01:58:00 PM  
Blogger Doug said...

But, I take it all back for both of us if you are willing to take Chinese wages for yourself, your family, and 3 generations hence.
(Maybe they'll have learned some sense by then.)
...and I'll take it all back if you were joking about "plenty of room" for Billions here and the can't stop funny stuff stuff.

5/23/2006 02:01:00 PM  
Blogger Doug said...

Positively Steynian!

5/23/2006 03:19:00 PM  
Blogger Marcus Aurelius said...

Security's biggest concern is to prevent "Oh $#!+" moments.

SOX adds quite a bit of documentation requirements but I am not certain that is an all bad thing. For years sound project management had similar requirements, that people document what they intend to do, what they are doing and what they have done and those who are being done for confirm each of those steps as well.

I worked in an international manufacturer where their IMS system was wide open to developers, I am not certain how much auditing was done with their FILE-AID setup but I wager a malicious user could have brought the plant to a halt until a restore could have been done.

BTW, the data may have been on flat files because that is the convenient way to dump data. I.e., in SQL*Plus:
spool somefile
select fld1 || ';' || fld2 || ';' || .... from TName;
spool off

Also, for those interested in Google bombs go and google "waffles" it has dropped off but the target is now quite irrelevant.

5/23/2006 03:21:00 PM  
Blogger Doug said...

The Symmetries and Redundancies of Terror: Patterns in the Dark

5/23/2006 03:38:00 PM  
Blogger Red River said...

How about :


spool veterans_data_20060406.txt

select last_name, first_name, leo_flag, leo_comments
from v_veterans_fakes where
upper(last_name) like '%MACBETH%';

LAST_NAME FIRST_NAME LEO_FLAG LEO COMMENT

MACBETH JESSE Y
Wanted in WA STATE - CASE 666666

5/23/2006 03:40:00 PM  
Blogger Marcus Aurelius said...

The same company I refer to (above the one with the wide open IMS db system) used to send men to the bars of Elgin Illinois at shift end times. They would strike up conversations with the workers after a day of work and the workers would yield up quite a bit of business intelligence on their main competitor.

5/24/2006 08:24:00 PM  
Blogger M. Simon said...

wretchard,

In the fight against illegal immigration the Congress has decided to implement a right to work data base.

In tests of the data base idea with 3,600 employers the error rate was 15%. Well Congress knows how to fix that. In the bill as written class action suits against government for job loss will be against the law.

In other words Congress expects a disaster.

Canadian gun registry ring a bell?

This reminds me a lot of the hysteria that got us a Constitutional Amendment against alcohol. It did not work out as planned.

I sure hope none who are clamoring for this lose their job over it.

You must start with the idea that government is incompetent and corrupt. Which used to be the bed rock of conservatism.

5/27/2006 03:58:00 AM  
Blogger M. Simon said...

It is interesting that so many here believe that you can repeal the laws of supply and demand by passing laws.

So tell me how is drug prohibition working?

And that alcohol prohibition thing worked really well didn't it?

And unions are going from strength to strength.

The only way to earn more money is to be worth it. There is a global market out there. Deal with it.

I just love "the government is my union, I shall not want" folks.

The right used to understand economics, well except for the drug war thing.

Gone are the days.

5/27/2006 04:17:00 AM  
Blogger M. Simon said...

Europe has tons of labor protections.

That has worked really well for them hasn't it.

5/27/2006 04:19:00 AM  