The entire US Social Security database was uploaded on a random cloud server, Whistle-Blower Says

  • Yeah, god forbid we have people who aren't fucking idiots taking care/maintaining our information.

    But again - this has zero information. What cloud storage is it on? How is it not secure?

  • I’ve said for a while that the SSA should do basically this exact thing. In a more controlled manner, but still the same result. Announce something like “in two years, we’ll make our database public. Every single name, DOB, and SSN will be publicly searchable.”

    It sounds radical, but SSNs were never meant to be a secure form of ID. Old cards even said something like “do not use this as ID” on them. But organizations quickly latched onto it because they wanted to have a way to identify individuals with the same name and DOB. And SSNs were convenient because people already had them.

    It would force organizations to develop their own way to ID people. It would be a huge step towards making an actual secure form of ID. And the warning time would give people enough time to design the new system and roll it out, while still giving a hard deadline for when it needs to be done.

    There was a time when bank card number was practically all you needed to get someone's money.

    I think Estonia's electronic IDs are the best, they have the government sign (sometimes provide, but generally just sign) your public key. It's both that the government doesn't have your private key and that it's immediately usable for many things. I don't know if they do, but one can also make ID cards (with a necessary chip inside, of course), where a private key can be written and used for signing operations, but not read back.

    Modern technology allows so much goodness that politicians and corps have just started globally gaslighting us over what can be done and what can't. Stalling on technically easily solvable issues, so that it wouldn't come to real ones.

  • I don't have a problem with that, but what I will object to is the current regime making the replacement ID system. 1) there is no way they would design it well or securely, smart people capable of building such a system are usually the first to bounce to another country as they will have the means to do so. 2) it would be too easy for them to lord the new ID over people's heads (like they are with immigration status now) and implement a social credit score like China does.

    You're correct that SSNs should not be used as IDs, but getting the government to build a modern system for that opens too many avenues for abuse (especially with darth cheeto in charge).

    and implement a social credit score like China does.

    Honestly you don't need such an official system, and such a commercial system, as that network of data brokers and credit rating providers, already exists. So of that in particular I wouldn't be scared because it's not avoidable anyway. What's avoidable is government's ability to discriminate based on data. Think how.

  • I agree that "random server" is a bad choice of words, but do want to add additional information context as the concern isn't necessarily unwarranted. Another quote from the article:

    “I have determined the business need is higher than the security risk associated with this implementation and I accept all risks,” wrote Aram Moghaddassi, who worked at two of Mr. Musk’s companies, X and Neuralink, before becoming Social Security’s chief information officer, in a July 15 memo.

    It also sounds like they did spin up a new database with limited security/oversight to "move" faster. Why that's worrisome is they aren't denying there is a risk or lack of security, they are just saying it's justified.

    Could you please explain like I'm 10?

  • This post did not contain any content.

    At this point I think you can legally opt out of any type of data collection by the government like the Census. You're required by law to participate but they are also required by law to keep your information safe, that's no longer possible in this administration and there's plenty of relevant data to back it up.

  • There was a time when bank card number was practically all you needed to get someone's money.

    I think Estonia's electronic IDs are the best, they have the government sign (sometimes provide, but generally just sign) your public key. It's both that the government doesn't have your private key and that it's immediately usable for many things. I don't know if they do, but one can also make ID cards (with a necessary chip inside, of course), where a private key can be written and used for signing operations, but not read back.

    Modern technology allows so much goodness that politicians and corps have just started globally gaslighting us over what can be done and what can't. Stalling on technically easily solvable issues, so that it wouldn't come to real ones.

    The simple act of comparing signatures meant that it was very difficult to randomly target people. We don't have anything like that today, like a key/token pair.

  • What cloud servers are they using?

    Given it's the government it's most likely AWS or Azure. That really isn't inherently bad, it's more the attitude of "move fast and break things" doesn't necessarily work for secure systems with sensitive data.

  • Could you please explain like I'm 10?

    The SSA stores a lot of sensitive data. Normally with sensitive data you want to be very careful with who can access it and how.

    What is potentially worrisome in this situation is it seems like the SSA is taking on the "move fast and break things" attitude of Silicon Valley.

    More technically, most government agencies use AWS and Azure (cloud providers) to host data. So spinning up a new server isn't inherently bad. However, creating a new server that is secure and has the correct access controls (user permissions regarding who can see/change content) can be challenging. The whistle blower believes they are not doing this right, and it sounds like the head of the SSA isn't disagreeing, just saying he thinks the risk is worth it.

  • Given it's the government it's most likely AWS or Azure. That really isn't inherently bad, it's more the attitude of "move fast and break things" doesn't necessarily work for secure systems with sensitive data.

    So again, it’s all just bullshit hopes and dreams by the anti-doge people. No data has been exposed or hacked, no evidence of it actually being on anything insecure.

  • This post did not contain any content.

    It's times like this I wonder about the like/dislike paradigm I.E. "I like/dislike knowing this and/or appreciate the perceived reputability of the source" vs. "This is good news/I fucking hate this."

    This one just got a "I fucking hate this" from me.

  • At this point I think you can legally opt out of any type of data collection by the government like the Census. You're required by law to participate but they are also required by law to keep your information safe, that's no longer possible in this administration and there's plenty of relevant data to back it up.

    I think we should be able to have a national class action against DOGE. 100% serious, all US citizens for sure, and anyone else with data in the Social Security database, should sue the individuals responsible for this.

    Then we take the money and start a company that contracts out to the government to create a national digital ID system that is the most secure in the world, and allows for amazing anonymity.

  • So again, it’s all just bullshit hopes and dreams by the anti-doge people. No data has been exposed or hacked, no evidence of it actually being on anything insecure.

    In cyber security you may never know if a bad actor got access to your systems/data. The issue with not following good security practices is that you increase the risk of this happening.

    It's like saying we should stop mandating vaccines cause the diseases aren't around anymore. When you let down your defenses you end up with outbreaks that shouldn't have happened and are harder to control.

  • The SSA stores a lot of sensitive data. Normally with sensitive data you want to be very careful with who can access it and how.

    What is potentially worrisome in this situation is it seems like the SSA is taking on the "move fast and break things" attitude of Silicon Valley.

    More technically, most government agencies use AWS and Azure (cloud providers) to host data. So spinning up a new server isn't inherently bad. However, creating a new server that is secure and has the correct access controls (user permissions regarding who can see/change content) can be challenging. The whistle blower believes they are not doing this right, and it sounds like the head of the SSA isn't disagreeing, just saying he thinks the risk is worth it.

    That makes sense, thanks for the explanation

  • We‘re getting closer to a cyberpunk world every day

    Once a nuke goes off in a major city, we are pretty much guaranteed it from what I understand about multiple cyberpunk-style worlds

  • I don't love the idea of the Trump administration being in charge of creating a national ID system, but this may be the best time to make one.

    If Democrats proposed a national ID database the crazy 'FEMA is coming to round us up' republicans would freak out about it. As proven with Trump sending the national guard into D.C., as long as Trump does it they don't care.

    I hate this is a good point

  • It's times like this I wonder about the like/dislike paradigm I.E. "I like/dislike knowing this and/or appreciate the perceived reputability of the source" vs. "This is good news/I fucking hate this."

    This one just got a "I fucking hate this" from me.

    The votes on the posting itself should reflect if the content is worth your time. I'm not even American and I have a really bad feeling after reading the article, but it's better to know than being in the dark, and the article itself is full of details which make it pretty reasonable to believe it's the truth.

    Mr Borges really brought the receipts on this one, and he is one of the heroes of the American people that will probably pay dearly for his courage, and he still did what's right.

  • OP, please revise your title to match the article, it is currently misinformation.

    The complaint is about where the oversight comes from. This is not some random cloud server.

    “S.S.A. stores all personal data in secure environments that have robust safeguards in place to protect vital information,” he said. “The data referenced in the complaint is stored in a longstanding environment used by S.S.A. and walled off from the internet. High-level career S.S.A. officials have administrative access to this system with oversight by S.S.A.’s information security team.”

    Don't you think after 5 months without oversight who exactly has access to that server that the difference between this and a random s3 bucket is nearly nil? But you are right, in the light of integrity the title should reflect the facts as they present themselves currently.

  • I don't have a problem with that, but what I will object to is the current regime making the replacement ID system. 1) there is no way they would design it well or securely, smart people capable of building such a system are usually the first to bounce to another country as they will have the means to do so. 2) it would be too easy for them to lord the new ID over people's heads (like they are with immigration status now) and implement a social credit score like China does.

    You're correct that SSNs should not be used as IDs, but getting the government to build a modern system for that opens too many avenues for abuse (especially with darth cheeto in charge).

    this is a whole can of worms that you can look into but the entire western conception of the Chinese social credit system is essentially a myth propagated by western media outlets.

    don’t get me wrong, the chinese government legislated local governors implement something vaguely similar to the financial credit system in the west but, as the law works in china, they all interpreted the order differently and it seems only the “good” parts get rolled out nationally.

    situations similar to the western “social credit” myth existed for a brief time in a very small number of local pockets (think smaller divisions such as cities and towns), but they were quickly absconded and the architects of those systems punished, for essentially wasting government time and money.

    note i’m definitely not a tankie fuck tankies but i also think if we’re gonna talk about china we don’t need to make shit up bc just like the US there is plenty of real shit to criticize. the “social credit” thing is a joke that westerners get made fun of internationally for believing, pretty much. it’s not remotely real, at least how you probably think of it.

    realistically at this point you don’t have more or less rights or freedoms as a citizen of china or the united states. you’re pretty equally fucked either way now.

  • Don't you think after 5 months without oversight who exactly has access to that server that the difference between this and a random s3 bucket is nearly nil? But you are right, in the light of integrity the title should reflect the facts as they present themselves currently.

    I do, yes, it's blazingly stupid and others have been jailed for less.

    But I've noticed a number of misleading post titles recently, like just today there was one about a cyclist getting hit by a car when it was actually the cyclist turning into traffic. Tragic, but the title misleads. So I've started pointing them out.

    Maybe I just long for the days when titles aren't rewritten to drive opinion and engagement (regardless of if I agree or disagree).

  • In cyber security you may never know if a bad actor got access to your systems/data. The issue with not following good security practices is that you increase the risk of this happening.

    It's like saying we should stop mandating vaccines cause the diseases aren't around anymore. When you let down your defenses you end up with outbreaks that shouldn't have happened and are harder to control.

    In cyber security you may never know if a bad actor got access to your systems/data. The issue with not following good security practices is that you increase the risk of this happening.

    If they're using Azure or AWS then they have a level of built in good security practices. These people aren't morons, they know what they're doing. In fact, using AWS or Azure you have to fuck things up to make it insecure, because by default they're all pretty locked down.

    It’s like saying we should stop mandating vaccines cause the diseases aren’t around anymore.

    I'm 100% a pro-vaccine person, but vaccines should not be mandatory. "My body, my choice" - isn't that the saying? Or is that only for women wanting an abortion? If someone doesn't want to get a vaccine then they can suffer the potential consequences while those who are vaccinated don't (but they have to deal with the potential side effects of the vaccine).
