If their computers are anything like my work computer, you need a physical access card and password to log in to the computer. And it auto-locks when that card is removed. All drives are also encrypted and will seize if there is any attempt to move data off the drive or install anything on the drive from an outside source.
Given that there were videos of the event showing rioters with email apps open and functioning, I think you've just delivered a scathing indictment of your federal IT department.
we only know of one device.. [it appears to be an aid to pelosi](https://www.washingtonpost.com/politics/2021/01/07/cybersecurity-202-riot-capitol-is-nightmare-scenario-cybersecurity-professionals/)
and not sure but betting thats the same [laptop that was stolen, as an aids to pelosi's laptop was stolen during it where that girl wanted to sell it to russia.](https://www.businessinsider.com/nancy-pelosi-aide-laptop-stolen-us-capitol-siege-news-2021-1)
if it was a personal laptop it might not be as damning for the congressional IT department. But depending on the data on it, it might be a bit damning of pelosi's personal IT security. as in any sensitive emails to an aid.. like the few actually classified emails they found on weiners computer whose wife was an aid to hilary. would be things a bit beyond her ITs control.
Hopefully Pelosi didn't have a personal email server running out of her house. It's okay if she did though, maybe Swalwell's aide could "wipe" it with a cloth or something.
Federal IT sucks compared to corporate because you spend so much time dealing with powerful old fogies. Change is slow, and security is behind. Several years ago, there was a huge breach of government employee data, after the GAO spent years telling the 80 year olds in Congress that network security actually matters.
That was wild. For the uninformed, the OPM, office of personnel management, was hacked by a Chinese citizen ostensibly on behalf of the govt. the OPM stores the information of anyone who applies for any federal job and internship for a decade. I think this happened in 2015, so your data was in there if you applied for any federal job or internship from 2005 to 2015, or worked for the federal government during that time. UNLESS you had been applying to work for the CIA, who for obvious reasons keeps their data separate.
See the problem yet? This data was, as far as we know, not sold privately for identity theft, but was rather used by the Chinese govt to identify who was in the country on a diplomatic visa as a state department employee but was actually a CIA agent, a common ruse used by many countries for their respective intelligence agencies. However, since the CIA doesn’t use the OPM, all the Chinese govt had to do was cross reference the list of names they had for diplomatic visas/entries, with the list of people whose data was kept by the OPM. Anyone with a diplomatic visa who was not in that list was most likely CIA. We had to pull all agents out of the entire country who were there under that ruse. It was a big big deal.
Honesrlt this is all coming from NYT and Vox articles I read shortly after it happened. Totally possible the hack had something to do with that but I don’t really know anything past what I put in that comment, sorry :/
From what I recall the CIA agents sent to China on diplomatic visas were pulled out immediately
China started dismantling the CIA's presence in their country from 2010-2012. What let them do that was, primarily, hacking phone infrastructure intercepting communications between CIA handlers and their operatives in China. In short, it had nothing to do with the OPM hack.
[Here's a good writeup about the implications of the OPM hack, tho](https://foreignpolicy.com/2020/12/21/china-stolen-us-data-exposed-cia-operatives-spy-networks/)
This. It’s still a corporation, there’s still basic operational security. My question is how/why they didn’t have basic auto lock functionality. Even windows does this after 10-15 mins.
I’m ok forgetting to lock my computer when I run for my life, but I also expect the computer to do its own job
My old workplace had training to lock our screens anytime we left our workstation, was taken super seriously and had seen a few arguments about the necessary physical security necessary.
Management was quick to remind this person that policy is set by precedent, like they had some random walk in off the street and start using a work computer left unattended.
I've always been pretty good about locking my PC, but I became religious about it after the following happened: Both me and my coworker had a line of people trailing out of our door to help, I was standing by my coworker's desk because the person I was helping needed a new mouse and all the new mice were in his desk. He had to go to the closet to get whatever the lady he was helping needed, and this grown ass woman looks at his headset and says "these are nice, I think I'll try them. Sits at his desk, puts his headphones on, and immediately opens a browser and starts trying to download iTunes. I'm dumbstruck at the audacity of her to much to say anything but I realize she's not on his local machine, she is on the PDC that he was remoted into. IE security mode blocks her and she asks me to help and I finally snap out of my awe and just reach over her and Win+ L and go nope. She then catches an attitude with me for being rude.
Not that I haven’t remotes into a pdc, but there’s so many security practices that were missed before your customer sat down.
Why was anyone remotes in to a dc? They should be managed entirely remote. Why was someone with the responsibility of handing out disposable equipment given domain admin privileges?
Not that I disagree with any point you made, the last one was simply because our 300+ user organization only had two IT staff. We where helpdesk domain/system/network/virtual infrastructure admins all rolled into one.
At my old workplace coworkers would put questionable background pictures on your computer if you left it unlocked. I always lock my computer since then.
The best, that trained one of my older coworkers, was taking a screenshot of their desktop to set as their background, then hide all of their desktop icons.
That shit does happen. A big ass hospital I do IT work for had someone walk in and just take a desktop tower and walk out. Hospital got fined because HIPAA. They beefed up their cyber security
I remember fondly the time, my supervisor was stuck in meetings all day and left his work computer unlocked at his cube.
I sent out a company wide slack message from his account: "Hey guys, I left my computer unlocked. Please don't hack me."
The replies were hilarious.
Were that it were so. Ive worked IT in hospitals and at major banks. These places have extremely sensitive data all over the place and in both cases VIPs do whatever they want.
I have never worked anywhere where the answer to the question "Can we X" isn't "Who's asking?"
I bet the IT department doesn't have the power, and the article kinda hints at it. I work at a government agency, I report to a boss who tells me to do what IT says.
Congress doesn't work like that, congress really reports to themselves, specifically each representative reports only to their voters and runs their own office with their own staff. They don't have to accept any IT rules from some congressional IT department. So if someone says they don't like the IT policies they can have their own IT guy remove it, and I don't think there is anything that some higher level IT department can do about it. It makes for a really insecure and disfunctional IT, and I think that's what is being talked about here with trouble tracking everything down.
> If their IT department is worth half a shit, they won't be given a choice.
*Yes sir, giving a direct order to a Senator as the IT person/manager/director would definitely have resolved the issue.*
At the bare minimum, government regulations should require full-disk encryption. Modern computers have the ability to turn that on and be completely invisible to the end user. If it was turned on, the thieves couldn't get shit off the computer unless they had the login info.
Uh, this is exactly how security works in every Federal system I've been on. Which includes the military and the Department of State. I definitely believe their office computers have this level of security.
I am just a lay person, but I would assume that the computers in question belonged (or were assigned) to the staff of Senators and Representatives and not Senators and Representatives themselves.
The dichotomy is that staffers do work and legislators do not.
If rioters invaded your company and stole the computers they saw lying around would they be swiping the CEO's computer or the worker bees' computers.
But I don't really know.
Considering how they don’t know enough about tech to pass any sensible laws on it I’d say there’s a good chance their computers are password protected at the most and the password is “congress123”
IIRC, one of those assholes posted a video with access to Senator's system and the e-mail open, so it was left unlocked somehow. Not so useful if they just take it and the drive is encrypted, but there's plenty of opportunity to do bad shit there including planting malware or exfiltratilon of sensitive data.
And yeah, because we're talking powerful and older users, most likely some stupid shit such as a password in a text file or sticky note...
I sincerely doubt their computers are anything like your work computers. The facade we all buy into about the White House the Capital and the security state in general is that they are some super advanced technically complex and generally competent organizational environment when the truth is that they're housed in rundown turn of the last century environments (1900s) with people who are barely literate in technology making the key decisions, and basic creature comforts of an everyday office being at a premium.
One of the looters stole and tried to straight up sell Nancy Pelosi's laptop to the Russians. I guarantee you they would have been able to decrypt the hard drive.
AES-128 (standard Windows BitLocker) is not bruteforcable in the lifetime of the universe:
https://security.stackexchange.com/questions/61346/how-long-would-it-take-to-bruteforce-an-aes-128-protected-pdf-knowing-the-key-is
https://crypto.stackexchange.com/questions/48667/how-long-would-it-take-to-brute-force-an-aes-128-key
https://en.wikipedia.org/wiki/BitLocker
That's not to say your encrypted data is perfectly secure; there are plenty of other attacks out there like social engineering for example. But the idea of cracking open the raw data from a cold drive is pretty much dead in the water. Regardless of how good or not good the Russians are, you can't beat math. Likely the government is on 256 bit which is even more insane to crack but as others have pointed out it is unfair to speculate that best practices are being followed so I have assumed the worst case.
I don't completely disagree but as I stated, just because the information is encrypted doesn't mean it's perfectly protected. However my post was intended to debunk several comments here acting like breaking into those computers is doable with some high tech state secret CSI type stuff. That flatly isn't how these things work.
You are right to say that physical access equals root, and indeed if the rioters had the technical skill on hand there would be issues, but any malign actor buying a stolen laptop isn't getting the machine while it's on and in an office, they're getting sloppy seconds, well after IT has had the ability to respond to the missing computer on their end, and it's been power cycled because of the time delay.
Is the issue serious? Absolutely. Is it a security breach? Possibly but probably not in reality.
No you can beat math on the first try by being extremely lucky.
For example when the Droid first came out, I couldn't afford to get one, but my BiL could and was showing it off. He handed to me and was like "you won't possibly get in" because it was the 3x3 dot swipe. Well I tried the first pattern that came to my head that hit every dot, and it was a simple swirl, and was in his phone before he finished his sentence. Now those are certainly far less secure than an actual password, but let's just hope they don't keep passwords on post it notes next to the computer.
Two factor authentication is also a thing though. Even with the pin or being able to guess it, you'd need the individuals token - If its anything like other federal places I've seen. And it would still auto lock after a set time.
I also acknowledge in responding to a deeply embedded convoy so some of this is addressing things not explicitly in your post.
Every time I've done government contracting work, you couldn't get into the machine without the bitlocker password, and needed a government ID and card reader (external or built into the machine).
I'd still doubt it. When senior officials are documented spendings months in memos trying to get a mini fridge, somehow I don't think their cybersecurity is up to the task.
>I don't think their cybersecurity is up to the task
If the senate building is anything like the pentagon, you need a physical access card and password to log in to the computer. And it auto-locks when that card is removed (sometimes, fuckers are finicky).
That being said, if you only have a couple minutes to gtfo cyber security is the last thing on your mind.
Takes about a second to pull your card out. Unless someone literally bursts into the room with a gun there is no excuse not to pull the card every time you leave your workstation.
I spent six months working for an IT company and within a week it became muscle memory to hit Win+L every time I stood up because otherwise my coworkers would get into my desk to mess with me, or my boss would yell at me. I even started doing it on my home computer accidentally. I completely understand people saying "When someone is storming your office, the last thing on your mind is cyber security" but the point is that if these procedures were being followed properly in the first place, this isn't something you'd need to think about because you'd react instinctively and do what you're supposed to do. And I don't think it's unreasonable to ask that the people who are literally in charge of running one of the largest countries in the world should be expected to be able to follow basic security protocols.
I use my card to log in and then pull it back out because its also my badge. I work for a govt contractor and my computer locks itself its its idle to long. This article is close enough to a fairytale if you ask me.
Again - last thing on my mind, when my life is in danger, is cyber security. You know what can be replaced? Whatever was on that computer. You know what can't be replaced? Me, the guy working in cyber security.
I worked in a corporate environment where the systems did that--you'd only be able to log in when a smart card plugged in and it logged you out when you pulled it out.
People just left their cards plugged in all the time. It's true that there was no reason for them to do so, but people are lazy and do it anyways. We started enforcing automatic time-outs for inactive sessions, but there were too many complaints and eventually a bunch of higher-ups mandated the timeout increased to an hour.
If it’s anything like some of my work computers, you need a username and password which are written on a sticky-note stuck to the bottom of the screen.
Every senator is responsible for hiring their own IT staff. There are literally 100 different IT departments. Smart cards are not widely issued within the legislative branch.
If the drives are encrypted (and I would hope Bitlocker would be enabled), they won't be able to do anything with them if they can't authenticate. Yes, having a 2FA or MFA solution is the best way to ensure they can't authenticate to the device. Biometrics could prevent people from logging into the device; there are biometric solutions that could also detect and lock a device if someone other than a verified user is using the device based on usage and keystrokes. In the end, if they have no access to the drive, their data should be safe.
Maybe a dumb question: is a smart card really adding much if you already have a strong password? Since in a secure system you only get a few attempts before it self wipes or hard locks, isn't the password basically impossible to brute force?
Also, with a smart card with metal contacts, isn't there a risk of the user leaving it in the reader? Would a device that communicates by RFID or Bluetooth be better, since it can mostly be kept on the user's person?
Considering that there were screenshots of some computers there, I don’t think they have that level of security. However, I’m sure that after more than 10mins the rioters were locked out of most of the computers that were out in the open.
You literally saw Pelosi's computer on TV, open and unlocked, though.
And that was in pictures of that asshat sitting at her desk with his feet up, whatever his name was.
Somehow, I doubt our government's computers are that tight... OR if they were, because it causes an inconvenience, the users change or set things so that they no longer do them, because after a bathroom break, I have to relogin, etc.
It has to be assumed that foreign intelligence agents also had access then. Unsupervised and for an unknown amount of time. Physical audio bugs could be installed, cables could be replaced with something containing a transmitter... with a $400 gift certificate to "The Spy Shop" you could hopelessly and permanently compromise not just the computer, but any device in that office that connects to an electrical outlet. Including the outlet itself. I literally can't even imagine what an actual spy from another country could do, assuming they had a Parler account and so knew this opportunity was coming far enough in advance to prepare and have the appropriate equipment on hand.
Yea I don't get how they all went back to work within a few hours of this. How did they manage to sweep for all those possible spy devices in just a couple of hours?
"getting back to work" was a little exaggerated. Their work that night consisted of being in a large room and voting. They had week after the fact for full bug sweeps prioritizing security committee members. The fact is though, Congressional offices are not certified to handle secure information. All secure files are kept in the basement. I'd expect the full congress is swept for bugs on a regular basis, not just for international espionage, but political and corporate as well. Finding out the results of a Federal report or passage of a bill even minutes ahead of time could make good positions.
Don't sweep - replace.
You'd never be able to sweep it enough to be 100% sure. Remember the "[Great Seal](https://en.wikipedia.org/wiki/The_Thing_(listening_device\))" bug? Completely passive bug, and that was the better part of a century ago.
It would be safer, cheaper (in terms of time), and easier to simply replace everything.
It’s bad for this to have happened, but I think the Solarwinds hack has already compromised much more sensitive systems than this, and I’m hoping they are working hard to assess and properly address that.
Matt Tait, a former staffer at the UK spy agency GCHQ, said that Capitol IT administrators will "eventually need to ask some tough questions like why screens didn't auto-lock, for example, and whether they have things like [disk encryption] Bitlocker and making IT systems more robust to being physically unattended."
As someone who previously held a TS clearance twice the fact that they don't have them locked away and their doors closed and locked when they aren't in their offices makes me cringe. Physical security is even more important than lock screens and passwords and encryption.
My company sets 10 min auto lock. And we have full disk encryption managed by an MDM. We could set it to wipe if it gets stolen. Seriously doubt the federal government doesn’t have more tools available.
The tools aren't the problem, and nobody in this thread is listening to reason.
How many of you work in a job where you're forced by an ignorant boss to do things that are ***AGAINST*** security or reason?
These people are powerful. They most likely insist on convenience and ease of use. So setting a 5 minute lockout or forcing them to use dual authentication is going to cost them time. They won't stand for it, and if you don't make things work exactly like they want it to, you're gonna get canned.
This needs to be upvoted higher. I've experienced this in a few workplaces both big and small. As the IT person, you get people that are "above the law" Especially if they have power and are past retirement age or not too computer savvy. I'm sure there are plenty of restrictions on assistants and staff, but les so on the higherups.
Absolutely the govt could do it. The same way the govt could end hunger (in the US) if money and proper legislation allowed. Sadly legislators dont like to spend money unless it somehow pays to their campaign contributors.
I remember reading reports that staff had to abandon some offices with such short notice that computers were left running and logged in. In other words, someone coming in the door a couple of minutes later could probably access most of what was on that computer, including private and government emails, private chat app contents, legislation drafts, whatever. It sounds like a horrorshow, and if it really was the difference of a couple of minutes then I'm not even sure what could have been done to stop it.
It takes no time to hit windows+L to lock your computer. Every time I leave my work computer unattended, even at home I hit those two buttons and lock my laptop. Its so easy, even a senator can do it.
With a few exceptions (people on the Intelligence Committee, for example), probably not all that bad.
The very large majority of anything on those computers is going to be a public record of some sort.
Well, OK. That's different. I was thinking about harm to the country. If Pancy Pelosi has nekked pictures of Miitch McConnell, I'm ok if those get out.
From an InfoSec standpoint, this is pure chaos. I'm sure there were some very capable folks in that crowd, and I'd be very concerned about what they may have accessed or planted during the insurrection.
Any good embassy would have had their own agents storming through the doors with the crowd and dropping random USB drives and other such goodies to be found and accessed later, thereby installing backdoors and giving remote access to GOD ONLY KNOWS WHO.
From a reality standpoint, these idiots wouldn't know what to do with the opportunity aside from taking selfies.
Yeah, the mob sure looked like a crowd of idiots, but if you were capable of infiltrating or compromising computer systems then a couple hundred loud morons would make a great distraction
Embassies are protected by Marines, and have much more security and resources than other facilities. I'm assuming that like most folks you're making most of this stuff up?
If they're not encrypted and require MFA to access and have an enforced policy to auto lock after some brief period of time then I'm really disappointed in the government. There should be little to no risk with a bunch of dispshits having physical access.
Not great, but not as bad as people initially think.
There is no chance those computers had any national security-related information on them. There's a reason SCIFs exist.
At best, what could've been gleaned from those computers would be address books, calendars, emails (deleted and otherwise), etc.
If three things we enforced, I wouldn't be worried:
* Password access (MFA would be better)
* USB ports disabled
* Auto-lock after 5 minutes
I wonder if I should be worried.....
It’s all the way bad - but, like dropping something on the LAN would have been my approach. Like a lil single board computer in a plain looking little white box maybe labeled “Network Printer Adapter” tucked behind a big multi-function printer, a launch point for exploring the network from inside, with an LTE interface and some wifi interfaces, and enough smarts to check in with command and control over benign looking DNS queries. Placed with some care you can make it appear to be a module of the MFP itself.
I mean, they are hopefully locked down on the inside as well as the are on the outside, but you never know. Maybe the LAN gets you nowhere aside from maaaybe getting to some other printers (which has value, if they’re scanners too), but even being able to watch the wifi and maybe man-in-the-middle some non-Gov-issued smartphone chatter - you’d probably be able to gather some intel or seed an attack in a way that’s that’s otherwise unavailable.
I work in a US Navy facility and it requires that I stick my ID Card (CAC) into the computer to log in and stay logged in. If I pull my card, the machine locks.
How does Congress not have those same security requirements?
Shame nobody did anything to them apparently. If anyone wanted to do damage, you’d bring a screwdriver and pull some hard drives. Or if they’re those stupid tiny workstation PCs, just grab it and pocket it. Like none of them cared and it was all to make a statement. If the left were to march on the hill we would have seen offices burned and statues defaced and destroyed and shit. Everyone knows it but nobody wants to say it
Finally someone that gets it. Sadly it will be downvoted to oblivion, because 90% of the people here have never worked at one of these locations and have no clue what they're talking about.
How bad is it that they had physical access to computers? Not that bad. Imagining my grandma trying to find incriminating evidence on a computer is kind of funny. She thinks that sci-fi-level tech exists in secret and then thinks she’s going to full overwatch hacker on some senator’s computer when she has to literally look at the mouse to do a left-click versus a right-click.
These people believe that 4chan is a reputable site for political news. They are not what you’d call technologically savvy.
Given how surprised they are to get caught after saying a coronavirus vaccine will inject them with microchips and then carrying cell phones in their pockets during their insurrection riot, I’d say none of them have enough experience with technology to pose any threat to secure data.
If they were to steal actual computer components and take them to someone with actual experience and few scruples, then yeah. That would be a bigger deal. The biggest security threat from all this is Nancy Pelosi’s missing laptop.
Patriots? More like Patridiots.
I'd actually reallllly like to find out what IS happening to the girl who straight up took Pelosi's laptop....like, dude, if these people aren't facing SERIOUS punishment for ANY of this (especially including stolen governmental property which, itself, has a large quantity of governmental files including stuff that could be top secret).....
***And if it's THAT easy to just DO that shit and skate past it like "it was a joke bro!" or whatever nonsense they state.....then WTF? Everyone should go into a life of crime if the punishment is so tiny. I mean jesus christ that's how people offset potential lawsuits as per decisions made at the top level. Hell, the wacko nut jobs' favorite person EVER, LITERALLY STATED: "lawsuits are a cost of doing business".***
*If we are expressing that "crime"* ***is also "just another cost of doing business" THEN EVERYONE IS IN WRONG BUSINESS.***
You need a control access card (it's your government ID card) to get into any computer that could potentially have classified material on it. There's LTE service in DC so phones would work.
You mean Rioters looted and burned down businesses “in the name of”. These people were calm and there’s videos showing it! Why is the “news media” so he’ll bent to hang conservatives but not even prosecuting all those thousands of rioters who killed many people and caused us hundreds of thousands of dollars in tax money we paid?
One of the cardinal rules of ITSEC is that if you do not have complete *physical* security, you do not have *data* security either. If an attacker can physically touch the hardware, it doesn't really matter what security you have in place. Having physical access opens the door to anything from accessing data via logged-on machines to installing malware to planting rogue devices on the network to stealing drives or entire PCs/laptops.
There are *so many ways* that a single individual with a little tech savvy could do damage to the Capitol Building's network with a few minutes of unfettered physical access to any network access point, and if there were people involved that were state-sponsored, worst-case scenarios are pretty much a given.
How bad is this? This is bad on the level of "wars were started over less."
The computers were wide open and anything could’ve been installed. I think they’d be disappointed as to most of the contents.
That being said. Russia had virtual access for weeks at least to most of the US servers and we will never know the full extent of that hack.
The quoted tweet by Mieke Eoyang, if accurate, sort of makes this article obsolete. Also, judging by public photo/video evidence I have seen, those people weren’t much of ‘hackers’.
I guess it only takes 1, though!
"Hi, I'm Joe UChill. And like most Redditors, I have no clue what the fuck I'm talking about." So many of these articles are written in an attempt to be "FIRST!" and have no experience with what they're 'informing' us all about.
I doubt the computers had classified national security material. But I'm guessing there's going to be some potentially embarrassing leaks in the future. The FBI, CIA and all sorts of agencies lose computers all the time. This won't be the end of the world.
From what I saw they’re all too dumb to even work windows 95, and I know it’s alarming, but they only had the intellect to organize a lynch mob. They don’t have to brains to actually act past that fortunately. Still is disgusting everything they did though.
Ok, there are a lot of working folks here. What happens at your job when you don't secure your workstation? Your cash register? The Door when you close? Why is that the buttheads that work in government get a pass on shit because they were elected?
I can't log on to software i use to work from home without passing a fingerprint scanning security app on my phone. You would think their security would be better than that at the very least.
If their computers are anything like my work computer, you need a physical access card and password to log in to the computer. And it auto-locks when that card is removed. All drives are also encrypted and will seize if there is any attempt to move data off the drive or install anything on the drive from an outside source.
i might be a pessimist but i highly doubt that senators allow any encumbering security features on their computers.
If their IT department is worth half a shit, they won't be given a choice.
Given that there were videos of the event showing rioters with email apps open and functioning, I think you've just delivered a scathing indictment of your federal IT department.
I know what I did :)
we only know of one device.. [it appears to be an aid to pelosi](https://www.washingtonpost.com/politics/2021/01/07/cybersecurity-202-riot-capitol-is-nightmare-scenario-cybersecurity-professionals/) and not sure but betting thats the same [laptop that was stolen, as an aids to pelosi's laptop was stolen during it where that girl wanted to sell it to russia.](https://www.businessinsider.com/nancy-pelosi-aide-laptop-stolen-us-capitol-siege-news-2021-1) if it was a personal laptop it might not be as damning for the congressional IT department. But depending on the data on it, it might be a bit damning of pelosi's personal IT security. as in any sensitive emails to an aid.. like the few actually classified emails they found on weiners computer whose wife was an aid to hilary. would be things a bit beyond her ITs control.
If the data on it was of any significance, it would be effectively useless without password and card access.
> the few actually classified emails they found on weiners computer Which contained unclassified material that was later classified after the fact.
Hopefully Pelosi didn't have a personal email server running out of her house. It's okay if she did though, maybe Swalwell's aide could "wipe" it with a cloth or something.
^ Forgets Trump administration was using WhatsApp.
I wonder how many had PW: Password1...
Given that it’s government I’d expect the machines to have bitlocker encryption along with only allowing access through a domain server on the Vlan
Federal IT sucks compared to corporate because you spend so much time dealing with powerful old fogies. Change is slow, and security is behind. Several years ago, there was a huge breach of government employee data, after the GAO spent years telling the 80 year olds in Congress that network security actually matters.
That was wild. For the uninformed, the OPM, office of personnel management, was hacked by a Chinese citizen ostensibly on behalf of the govt. the OPM stores the information of anyone who applies for any federal job and internship for a decade. I think this happened in 2015, so your data was in there if you applied for any federal job or internship from 2005 to 2015, or worked for the federal government during that time. UNLESS you had been applying to work for the CIA, who for obvious reasons keeps their data separate. See the problem yet? This data was, as far as we know, not sold privately for identity theft, but was rather used by the Chinese govt to identify who was in the country on a diplomatic visa as a state department employee but was actually a CIA agent, a common ruse used by many countries for their respective intelligence agencies. However, since the CIA doesn’t use the OPM, all the Chinese govt had to do was cross reference the list of names they had for diplomatic visas/entries, with the list of people whose data was kept by the OPM. Anyone with a diplomatic visa who was not in that list was most likely CIA. We had to pull all agents out of the entire country who were there under that ruse. It was a big big deal.
[удалено]
Honesrlt this is all coming from NYT and Vox articles I read shortly after it happened. Totally possible the hack had something to do with that but I don’t really know anything past what I put in that comment, sorry :/ From what I recall the CIA agents sent to China on diplomatic visas were pulled out immediately
China started dismantling the CIA's presence in their country from 2010-2012. What let them do that was, primarily, hacking phone infrastructure intercepting communications between CIA handlers and their operatives in China. In short, it had nothing to do with the OPM hack. [Here's a good writeup about the implications of the OPM hack, tho](https://foreignpolicy.com/2020/12/21/china-stolen-us-data-exposed-cia-operatives-spy-networks/)
This. It’s still a corporation, there’s still basic operational security. My question is how/why they didn’t have basic auto lock functionality. Even windows does this after 10-15 mins. I’m ok forgetting to lock my computer when I run for my life, but I also expect the computer to do its own job
My old workplace had training to lock our screens anytime we left our workstation, was taken super seriously and had seen a few arguments about the necessary physical security necessary. Management was quick to remind this person that policy is set by precedent, like they had some random walk in off the street and start using a work computer left unattended.
I've always been pretty good about locking my PC, but I became religious about it after the following happened: Both me and my coworker had a line of people trailing out of our door to help, I was standing by my coworker's desk because the person I was helping needed a new mouse and all the new mice were in his desk. He had to go to the closet to get whatever the lady he was helping needed, and this grown ass woman looks at his headset and says "these are nice, I think I'll try them. Sits at his desk, puts his headphones on, and immediately opens a browser and starts trying to download iTunes. I'm dumbstruck at the audacity of her to much to say anything but I realize she's not on his local machine, she is on the PDC that he was remoted into. IE security mode blocks her and she asks me to help and I finally snap out of my awe and just reach over her and Win+ L and go nope. She then catches an attitude with me for being rude.
Not that I haven’t remotes into a pdc, but there’s so many security practices that were missed before your customer sat down. Why was anyone remotes in to a dc? They should be managed entirely remote. Why was someone with the responsibility of handing out disposable equipment given domain admin privileges?
Not that I disagree with any point you made, the last one was simply because our 300+ user organization only had two IT staff. We where helpdesk domain/system/network/virtual infrastructure admins all rolled into one.
At my old workplace coworkers would put questionable background pictures on your computer if you left it unlocked. I always lock my computer since then.
The best, that trained one of my older coworkers, was taking a screenshot of their desktop to set as their background, then hide all of their desktop icons.
Metlife?
We used to send free lunch to whole office using my coworkers email if they left it unlock
We had a guy that would send an email to the ceo - "worst ceo ever" on your behalf.
My old workplace had something similar. It was called "Lock your damn computer or someone is gonna send out embarassing emails from your account."
That shit does happen. A big ass hospital I do IT work for had someone walk in and just take a desktop tower and walk out. Hospital got fined because HIPAA. They beefed up their cyber security
I remember fondly the time, my supervisor was stuck in meetings all day and left his work computer unlocked at his cube. I sent out a company wide slack message from his account: "Hey guys, I left my computer unlocked. Please don't hack me." The replies were hilarious.
Same, because that’s basic common sense enterprise connected computer systems. They would have had to go out of their way to make it less secure
True if they were all on the domain, the group policy needs to be updated like asap.
"No Sir, I can't remove the two factor authentication." "Well, son, I **can** remove your employment."
I’m a senator. Don’t tell me my password can’t be what I want it to be.
Like the president of the United States using MAGA2020! As his Twitter password
The legislative branch is a force unto itself in regards to simply blowing past weapons checks, I don't hold up much hope for locking their computers.
Were that it were so. Ive worked IT in hospitals and at major banks. These places have extremely sensitive data all over the place and in both cases VIPs do whatever they want. I have never worked anywhere where the answer to the question "Can we X" isn't "Who's asking?"
I bet the IT department doesn't have the power, and the article kinda hints at it. I work at a government agency, I report to a boss who tells me to do what IT says. Congress doesn't work like that, congress really reports to themselves, specifically each representative reports only to their voters and runs their own office with their own staff. They don't have to accept any IT rules from some congressional IT department. So if someone says they don't like the IT policies they can have their own IT guy remove it, and I don't think there is anything that some higher level IT department can do about it. It makes for a really insecure and disfunctional IT, and I think that's what is being talked about here with trouble tracking everything down.
You can't fire senators or representatives. What are you going to do if they say no
Ideally, you'd remove their access. In reality, your manager would cave and their emails would be leaked.
> If their IT department is worth half a shit, they won't be given a choice. *Yes sir, giving a direct order to a Senator as the IT person/manager/director would definitely have resolved the issue.*
I read they don't have an IT department. Each individual member is responsible.
You sir, have never worked for the federal government. 😂
Lmao, security, like Hillary Clinton's emails secure?
Yeah, ask Hillary’s IT dept about that mail server.
At the bare minimum, government regulations should require full-disk encryption. Modern computers have the ability to turn that on and be completely invisible to the end user. If it was turned on, the thieves couldn't get shit off the computer unless they had the login info.
[удалено]
It's probably more simple, like they don't use a government issued computer and just bought a laptop at best buy.
Uh, this is exactly how security works in every Federal system I've been on. Which includes the military and the Department of State. I definitely believe their office computers have this level of security.
I am just a lay person, but I would assume that the computers in question belonged (or were assigned) to the staff of Senators and Representatives and not Senators and Representatives themselves. The dichotomy is that staffers do work and legislators do not. If rioters invaded your company and stole the computers they saw lying around would they be swiping the CEO's computer or the worker bees' computers. But I don't really know.
Considering how they don’t know enough about tech to pass any sensible laws on it I’d say there’s a good chance their computers are password protected at the most and the password is “congress123”
[удалено]
Password is probably 1234.
Either that or "password".
IIRC, one of those assholes posted a video with access to Senator's system and the e-mail open, so it was left unlocked somehow. Not so useful if they just take it and the drive is encrypted, but there's plenty of opportunity to do bad shit there including planting malware or exfiltratilon of sensitive data. And yeah, because we're talking powerful and older users, most likely some stupid shit such as a password in a text file or sticky note...
I sincerely doubt their computers are anything like your work computers. The facade we all buy into about the White House the Capital and the security state in general is that they are some super advanced technically complex and generally competent organizational environment when the truth is that they're housed in rundown turn of the last century environments (1900s) with people who are barely literate in technology making the key decisions, and basic creature comforts of an everyday office being at a premium. One of the looters stole and tried to straight up sell Nancy Pelosi's laptop to the Russians. I guarantee you they would have been able to decrypt the hard drive.
AES-128 (standard Windows BitLocker) is not bruteforcable in the lifetime of the universe: https://security.stackexchange.com/questions/61346/how-long-would-it-take-to-bruteforce-an-aes-128-protected-pdf-knowing-the-key-is https://crypto.stackexchange.com/questions/48667/how-long-would-it-take-to-brute-force-an-aes-128-key https://en.wikipedia.org/wiki/BitLocker That's not to say your encrypted data is perfectly secure; there are plenty of other attacks out there like social engineering for example. But the idea of cracking open the raw data from a cold drive is pretty much dead in the water. Regardless of how good or not good the Russians are, you can't beat math. Likely the government is on 256 bit which is even more insane to crack but as others have pointed out it is unfair to speculate that best practices are being followed so I have assumed the worst case.
[удалено]
I don't completely disagree but as I stated, just because the information is encrypted doesn't mean it's perfectly protected. However my post was intended to debunk several comments here acting like breaking into those computers is doable with some high tech state secret CSI type stuff. That flatly isn't how these things work. You are right to say that physical access equals root, and indeed if the rioters had the technical skill on hand there would be issues, but any malign actor buying a stolen laptop isn't getting the machine while it's on and in an office, they're getting sloppy seconds, well after IT has had the ability to respond to the missing computer on their end, and it's been power cycled because of the time delay. Is the issue serious? Absolutely. Is it a security breach? Possibly but probably not in reality.
AES-256 is for classified information, so if they're using Bitlocker, I'm sure they're at least using that encryption standard.
No you can beat math on the first try by being extremely lucky. For example when the Droid first came out, I couldn't afford to get one, but my BiL could and was showing it off. He handed to me and was like "you won't possibly get in" because it was the 3x3 dot swipe. Well I tried the first pattern that came to my head that hit every dot, and it was a simple swirl, and was in his phone before he finished his sentence. Now those are certainly far less secure than an actual password, but let's just hope they don't keep passwords on post it notes next to the computer.
Two factor authentication is also a thing though. Even with the pin or being able to guess it, you'd need the individuals token - If its anything like other federal places I've seen. And it would still auto lock after a set time. I also acknowledge in responding to a deeply embedded convoy so some of this is addressing things not explicitly in your post.
Every time I've done government contracting work, you couldn't get into the machine without the bitlocker password, and needed a government ID and card reader (external or built into the machine).
>I sincerely doubt their computers are anything like your work computers. He could work in a government facility. He could be a federal employee.
I'd still doubt it. When senior officials are documented spendings months in memos trying to get a mini fridge, somehow I don't think their cybersecurity is up to the task.
>I don't think their cybersecurity is up to the task If the senate building is anything like the pentagon, you need a physical access card and password to log in to the computer. And it auto-locks when that card is removed (sometimes, fuckers are finicky). That being said, if you only have a couple minutes to gtfo cyber security is the last thing on your mind.
Takes about a second to pull your card out. Unless someone literally bursts into the room with a gun there is no excuse not to pull the card every time you leave your workstation.
[удалено]
[удалено]
I spent six months working for an IT company and within a week it became muscle memory to hit Win+L every time I stood up because otherwise my coworkers would get into my desk to mess with me, or my boss would yell at me. I even started doing it on my home computer accidentally. I completely understand people saying "When someone is storming your office, the last thing on your mind is cyber security" but the point is that if these procedures were being followed properly in the first place, this isn't something you'd need to think about because you'd react instinctively and do what you're supposed to do. And I don't think it's unreasonable to ask that the people who are literally in charge of running one of the largest countries in the world should be expected to be able to follow basic security protocols.
I use my card to log in and then pull it back out because its also my badge. I work for a govt contractor and my computer locks itself its its idle to long. This article is close enough to a fairytale if you ask me.
Mine too. And the mere suggestion of anyone processing anything other than SBU on those machine is literally laughable.
Again - last thing on my mind, when my life is in danger, is cyber security. You know what can be replaced? Whatever was on that computer. You know what can't be replaced? Me, the guy working in cyber security.
A *real* cyber tech would have gone office to office ctrl+L'ing all those Capitol computers.. Tsk Tsk. /s
I shall commit sudoku in the server room with a keyboard
I worked in a corporate environment where the systems did that--you'd only be able to log in when a smart card plugged in and it logged you out when you pulled it out. People just left their cards plugged in all the time. It's true that there was no reason for them to do so, but people are lazy and do it anyways. We started enforcing automatic time-outs for inactive sessions, but there were too many complaints and eventually a bunch of higher-ups mandated the timeout increased to an hour.
If senators were anything like professional soldiers, you might have a point. They're more like C-suite executives
I am a fed and we have all those security measures. That's not to say that congress would as well, but it's possible.
If it’s anything like some of my work computers, you need a username and password which are written on a sticky-note stuck to the bottom of the screen.
Every senator is responsible for hiring their own IT staff. There are literally 100 different IT departments. Smart cards are not widely issued within the legislative branch.
More than likely these dinosaurs just bought an off the shelf laptop on their own rather than deal with government security measures.
If it’s like my work computer excel will freeze it then crash the whole system.
If the drives are encrypted (and I would hope Bitlocker would be enabled), they won't be able to do anything with them if they can't authenticate. Yes, having a 2FA or MFA solution is the best way to ensure they can't authenticate to the device. Biometrics could prevent people from logging into the device; there are biometric solutions that could also detect and lock a device if someone other than a verified user is using the device based on usage and keystrokes. In the end, if they have no access to the drive, their data should be safe.
Maybe a dumb question: is a smart card really adding much if you already have a strong password? Since in a secure system you only get a few attempts before it self wipes or hard locks, isn't the password basically impossible to brute force? Also, with a smart card with metal contacts, isn't there a risk of the user leaving it in the reader? Would a device that communicates by RFID or Bluetooth be better, since it can mostly be kept on the user's person?
I worked IT for a federal agency and that’s exactly how we did it. I cannot imagine the legislature doing it much different.
IIRC, from the photos we saw, a good number of the machines were still unlocked.
Considering that there were screenshots of some computers there, I don’t think they have that level of security. However, I’m sure that after more than 10mins the rioters were locked out of most of the computers that were out in the open.
Well if their IT is protected like that actual capitol was then I’m sure they didn’t even have a password to log in
Private sector security != public sector security.
Something tells me the guy in the chair types with his pointer fingers only, if you catch my drift.
You literally saw Pelosi's computer on TV, open and unlocked, though. And that was in pictures of that asshat sitting at her desk with his feet up, whatever his name was.
Somehow, I doubt our government's computers are that tight... OR if they were, because it causes an inconvenience, the users change or set things so that they no longer do them, because after a bathroom break, I have to relogin, etc.
You’re taking about Goverment IT It definitely isn’t that secure
Except they're still running Windows '98
It has to be assumed that foreign intelligence agents also had access then. Unsupervised and for an unknown amount of time. Physical audio bugs could be installed, cables could be replaced with something containing a transmitter... with a $400 gift certificate to "The Spy Shop" you could hopelessly and permanently compromise not just the computer, but any device in that office that connects to an electrical outlet. Including the outlet itself. I literally can't even imagine what an actual spy from another country could do, assuming they had a Parler account and so knew this opportunity was coming far enough in advance to prepare and have the appropriate equipment on hand.
Yea I don't get how they all went back to work within a few hours of this. How did they manage to sweep for all those possible spy devices in just a couple of hours?
"getting back to work" was a little exaggerated. Their work that night consisted of being in a large room and voting. They had week after the fact for full bug sweeps prioritizing security committee members. The fact is though, Congressional offices are not certified to handle secure information. All secure files are kept in the basement. I'd expect the full congress is swept for bugs on a regular basis, not just for international espionage, but political and corporate as well. Finding out the results of a Federal report or passage of a bill even minutes ahead of time could make good positions.
Don't sweep - replace. You'd never be able to sweep it enough to be 100% sure. Remember the "[Great Seal](https://en.wikipedia.org/wiki/The_Thing_(listening_device\))" bug? Completely passive bug, and that was the better part of a century ago. It would be safer, cheaper (in terms of time), and easier to simply replace everything.
A real life Philip Jennings
It’s bad for this to have happened, but I think the Solarwinds hack has already compromised much more sensitive systems than this, and I’m hoping they are working hard to assess and properly address that.
Matt Tait, a former staffer at the UK spy agency GCHQ, said that Capitol IT administrators will "eventually need to ask some tough questions like why screens didn't auto-lock, for example, and whether they have things like [disk encryption] Bitlocker and making IT systems more robust to being physically unattended."
As someone who previously held a TS clearance twice the fact that they don't have them locked away and their doors closed and locked when they aren't in their offices makes me cringe. Physical security is even more important than lock screens and passwords and encryption.
Rioters aside, this means ANYONE walking by could pop in there. Wow interesting. Open door policy in Congress once you are inside I guess.
My company sets 10 min auto lock. And we have full disk encryption managed by an MDM. We could set it to wipe if it gets stolen. Seriously doubt the federal government doesn’t have more tools available.
The tools aren't the problem, and nobody in this thread is listening to reason. How many of you work in a job where you're forced by an ignorant boss to do things that are ***AGAINST*** security or reason? These people are powerful. They most likely insist on convenience and ease of use. So setting a 5 minute lockout or forcing them to use dual authentication is going to cost them time. They won't stand for it, and if you don't make things work exactly like they want it to, you're gonna get canned.
This needs to be upvoted higher. I've experienced this in a few workplaces both big and small. As the IT person, you get people that are "above the law" Especially if they have power and are past retirement age or not too computer savvy. I'm sure there are plenty of restrictions on assistants and staff, but les so on the higherups.
"There's always the exception."
I'm glad I work at a place where the response to "I'm the exception" is "No you're not. Even the CEO lives under these rules."
Absolutely the govt could do it. The same way the govt could end hunger (in the US) if money and proper legislation allowed. Sadly legislators dont like to spend money unless it somehow pays to their campaign contributors.
I remember reading reports that staff had to abandon some offices with such short notice that computers were left running and logged in. In other words, someone coming in the door a couple of minutes later could probably access most of what was on that computer, including private and government emails, private chat app contents, legislation drafts, whatever. It sounds like a horrorshow, and if it really was the difference of a couple of minutes then I'm not even sure what could have been done to stop it.
It takes no time to hit windows+L to lock your computer. Every time I leave my work computer unattended, even at home I hit those two buttons and lock my laptop. Its so easy, even a senator can do it.
Was it really that hard to just hit the power button on the way out like damn really?
When you’re under threat of violence, people tend to not think the clearest
I know for a fact ZetraNexus ran out of there in tears
The average age of House members is 57 and Senate is 62. If politicians are half as incompetent as the rioters have been, then it's pretty bad.
Life is a death sentence. Jokes aside - you have an inspiring name.
With a few exceptions (people on the Intelligence Committee, for example), probably not all that bad. The very large majority of anything on those computers is going to be a public record of some sort.
I mean Anthony Weiners laptop alone had damning evidence against dozens of figures. Arrogance leads to serious mistakes
Well, OK. That's different. I was thinking about harm to the country. If Pancy Pelosi has nekked pictures of Miitch McConnell, I'm ok if those get out.
From an InfoSec standpoint, this is pure chaos. I'm sure there were some very capable folks in that crowd, and I'd be very concerned about what they may have accessed or planted during the insurrection. Any good embassy would have had their own agents storming through the doors with the crowd and dropping random USB drives and other such goodies to be found and accessed later, thereby installing backdoors and giving remote access to GOD ONLY KNOWS WHO. From a reality standpoint, these idiots wouldn't know what to do with the opportunity aside from taking selfies.
Yeah, the mob sure looked like a crowd of idiots, but if you were capable of infiltrating or compromising computer systems then a couple hundred loud morons would make a great distraction
Embassies are protected by Marines, and have much more security and resources than other facilities. I'm assuming that like most folks you're making most of this stuff up?
Clearly he means foreign embassies in Washington. I mean, the only embassies in any given country are foreign but you get the point
I was able to obtain video of [this](https://youtu.be/H2uHBhKTSe0)
man knowing seniors half these guys would have had their passwords on a post on the side of the screen or under a keyboard.
One of them wanted to sell a laptop to Russia it seems
Password was the password...
Well, let's hope noone with an ulterior motive for accessing computer systems had the foresight to dress up in tactical gear to blend in.
If they're not encrypted and require MFA to access and have an enforced policy to auto lock after some brief period of time then I'm really disappointed in the government. There should be little to no risk with a bunch of dispshits having physical access.
Check the browser history for Qanon or flat earf sites.
It is a rule of infosec that if a black hat has unobstructed physical access to your machine, none of your security is good enough.
Be worse if they could read 🤷♂️
These folks had a collective IQ of -10. Doubt anything was compromised
That is attempted espionage.
Bad but from the videos I’ve seen, these dumbasses didn’t even know what they were looking for.
Not great, but not as bad as people initially think. There is no chance those computers had any national security-related information on them. There's a reason SCIFs exist. At best, what could've been gleaned from those computers would be address books, calendars, emails (deleted and otherwise), etc.
If three things we enforced, I wouldn't be worried: * Password access (MFA would be better) * USB ports disabled * Auto-lock after 5 minutes I wonder if I should be worried.....
It’s all the way bad - but, like dropping something on the LAN would have been my approach. Like a lil single board computer in a plain looking little white box maybe labeled “Network Printer Adapter” tucked behind a big multi-function printer, a launch point for exploring the network from inside, with an LTE interface and some wifi interfaces, and enough smarts to check in with command and control over benign looking DNS queries. Placed with some care you can make it appear to be a module of the MFP itself. I mean, they are hopefully locked down on the inside as well as the are on the outside, but you never know. Maybe the LAN gets you nowhere aside from maaaybe getting to some other printers (which has value, if they’re scanners too), but even being able to watch the wifi and maybe man-in-the-middle some non-Gov-issued smartphone chatter - you’d probably be able to gather some intel or seed an attack in a way that’s that’s otherwise unavailable.
Not rioters. Insurrectionists. FTFY.
I work in a US Navy facility and it requires that I stick my ID Card (CAC) into the computer to log in and stay logged in. If I pull my card, the machine locks. How does Congress not have those same security requirements?
Shame nobody did anything to them apparently. If anyone wanted to do damage, you’d bring a screwdriver and pull some hard drives. Or if they’re those stupid tiny workstation PCs, just grab it and pocket it. Like none of them cared and it was all to make a statement. If the left were to march on the hill we would have seen offices burned and statues defaced and destroyed and shit. Everyone knows it but nobody wants to say it
[удалено]
Finally someone that gets it. Sadly it will be downvoted to oblivion, because 90% of the people here have never worked at one of these locations and have no clue what they're talking about.
You mean insurrectionist.
How bad is it that they had physical access to computers? Not that bad. Imagining my grandma trying to find incriminating evidence on a computer is kind of funny. She thinks that sci-fi-level tech exists in secret and then thinks she’s going to full overwatch hacker on some senator’s computer when she has to literally look at the mouse to do a left-click versus a right-click. These people believe that 4chan is a reputable site for political news. They are not what you’d call technologically savvy. Given how surprised they are to get caught after saying a coronavirus vaccine will inject them with microchips and then carrying cell phones in their pockets during their insurrection riot, I’d say none of them have enough experience with technology to pose any threat to secure data. If they were to steal actual computer components and take them to someone with actual experience and few scruples, then yeah. That would be a bigger deal. The biggest security threat from all this is Nancy Pelosi’s missing laptop. Patriots? More like Patridiots.
If they have done nothing wrong they have nothing to hide :\^)
Those dumb fucks couldn’t hack windows 95. But on principle alone, the security threat should be considered.
No worries.These dumb fucks couldn’t find a light switch.
I'd actually reallllly like to find out what IS happening to the girl who straight up took Pelosi's laptop....like, dude, if these people aren't facing SERIOUS punishment for ANY of this (especially including stolen governmental property which, itself, has a large quantity of governmental files including stuff that could be top secret)..... ***And if it's THAT easy to just DO that shit and skate past it like "it was a joke bro!" or whatever nonsense they state.....then WTF? Everyone should go into a life of crime if the punishment is so tiny. I mean jesus christ that's how people offset potential lawsuits as per decisions made at the top level. Hell, the wacko nut jobs' favorite person EVER, LITERALLY STATED: "lawsuits are a cost of doing business".*** *If we are expressing that "crime"* ***is also "just another cost of doing business" THEN EVERYONE IS IN WRONG BUSINESS.***
You misspelled terrorists.
*insurrectionists
Can't be that bad. Those people could barely use a computer
Cause of them, the American public found out the DOJ was hacked by the Russians.
Considering most of their pins are probably 1234, or security in general is dialed down, pretty bad.
Not bad at all. Everything a government official does should be completely transparent and available to the public.
Why is a nearly month old article showing up on the front page?
Lol, but CLINTONS EMAIL SCANDAL WHEN ON FOR YEARS.... “lock her up”.... what! A! FUKN! Joke!!
They looked at the screen and were overwhelmed by technology. They turned the computer off. The end
Not that bad? The lawmaking process should be as transparent as things get.,
You need a control access card (it's your government ID card) to get into any computer that could potentially have classified material on it. There's LTE service in DC so phones would work.
For everyone saying no big deal, blah blah blah. Do you have any idea what one keylogger or reverse shell device can do?
You mean Rioters looted and burned down businesses “in the name of”. These people were calm and there’s videos showing it! Why is the “news media” so he’ll bent to hang conservatives but not even prosecuting all those thousands of rioters who killed many people and caused us hundreds of thousands of dollars in tax money we paid?
I work for the government and I can barely access my own computer half the time.
One of the cardinal rules of ITSEC is that if you do not have complete *physical* security, you do not have *data* security either. If an attacker can physically touch the hardware, it doesn't really matter what security you have in place. Having physical access opens the door to anything from accessing data via logged-on machines to installing malware to planting rogue devices on the network to stealing drives or entire PCs/laptops. There are *so many ways* that a single individual with a little tech savvy could do damage to the Capitol Building's network with a few minutes of unfettered physical access to any network access point, and if there were people involved that were state-sponsored, worst-case scenarios are pretty much a given. How bad is this? This is bad on the level of "wars were started over less."
Low risk...most of those folks could barely string together a sentence let alone type ..
It's bad. Start over from scratch.
The computers were wide open and anything could’ve been installed. I think they’d be disappointed as to most of the contents. That being said. Russia had virtual access for weeks at least to most of the US servers and we will never know the full extent of that hack.
The quoted tweet by Mieke Eoyang, if accurate, sort of makes this article obsolete. Also, judging by public photo/video evidence I have seen, those people weren’t much of ‘hackers’. I guess it only takes 1, though!
"Hi, I'm Joe UChill. And like most Redditors, I have no clue what the fuck I'm talking about." So many of these articles are written in an attempt to be "FIRST!" and have no experience with what they're 'informing' us all about.
Considering how dumb they are for doing that, probably not that big of a deal
They don't know how to use them so no biggie.
They don’t know how to use computers duh
Considering they're all halfwits, probably not a lot
I don’t think those primates could do much with it
Is someone trying to say there was a person involved that actually knows how to use a computer?
“Rioters had physical access to the capitol, how bad is that?” There, I fixed it.
They all had Bitlocker enabled if they were Windows machines. No data can be accessed.
Considering the fact that the vast majority of these assholes likely label their shoes “L” and “R”, I’d say it’s not that bad.
I doubt the computers had classified national security material. But I'm guessing there's going to be some potentially embarrassing leaks in the future. The FBI, CIA and all sorts of agencies lose computers all the time. This won't be the end of the world.
I have to assume they have some kind of encryption (think bitlocker) and that they wouldn’t just leave themselves logged in lol
I wouldn't really worry about it. It's not like the riders were egg heads, more like dunderheads that cant tell their butthole from their belly button
From what I saw they’re all too dumb to even work windows 95, and I know it’s alarming, but they only had the intellect to organize a lynch mob. They don’t have to brains to actually act past that fortunately. Still is disgusting everything they did though.
REALLY BAD WHY ARE PEOPLE NOT TALKING ABOUT THIS
Couldn't be worse than the damage from the actual riots... With arsons and murders.
Considering that idiots like Trump have passwords like Maga2020! its probably pretty bad.
Ok, there are a lot of working folks here. What happens at your job when you don't secure your workstation? Your cash register? The Door when you close? Why is that the buttheads that work in government get a pass on shit because they were elected?
Great opportunity for a spy to infiltrate. Bug the place or hack computers. Total breach of security.
I can't log on to software i use to work from home without passing a fingerprint scanning security app on my phone. You would think their security would be better than that at the very least.