The entire US Social Security database was uploaded on a random cloud server, Whistle-Blower Says
Technology
97
Beiträge
56
Kommentatoren
67
Aufrufe
-
Could you please explain like I'm 10?
The SSA stores a lot of sensitive data. Normally with sensitive data you want to be very careful with who can access it and how.
What is potentially worrisome in this situation is it seems like the SSA is taking on the "move fast and break things" attitude of Silicon Valley.
More technically, most government agencies use AWS and Azure (cloud providers) to host data. So spinning up a new server isn't inherently bad. However, creating a new server that is secure and has the correct access controls (user permissions regarding who can see/change content) can be challenging. The whistle blower believes they are not doing this right, and it sounds like the head of the SSA isn't disagreeing, just saying he thinks the risk is worth it.
-
Given it's the government it's most likely AWS or Azure. That really isn't inherently bad, it's more the attitude of "move fast and break things" doesn't necessarily work for secure systems with sensitive data.
So again, it’s all just bullshit hopes and dreams by the anti-doge people. No data has been exposed or hacked, no evidence of it actually being on anything insecure.
-
This post did not contain any content.
It's times like this I wonder about the like/dislike paradigm I.E. "I like/dislike knowing this and/or appreciate the perceived reputability of the source" vs. "This is good news/I fucking hate this."
This one just got a "I fucking hate this" from me.
-
At this point I think you can legally opt out of any type of data collection by the government like the Census. You're required by law to participate but they are also required by law to keep your information safe, that's no longer possible in this administration and there's plenty of relevant data to back it up.
I think we should be able to have a national class action against DOGE. 100% serious, all US citizens for sure, and anyone else with data in the Social Security database, should sue the individuals responsible for this.
Then we take the money and start a company that contracts out to the government to create a national digital ID system that is the most secure in the world, and allows for amazing anonymity.
-
So again, it’s all just bullshit hopes and dreams by the anti-doge people. No data has been exposed or hacked, no evidence of it actually being on anything insecure.
In cyber security you may never know if a bad actor got access to your systems/data. The issue with not following good security practices is that you increase the risk of this happening.
Its like saying we should stop mandating vaccines cause the diseases aren't around anymore. When you let down your defenses you end up with outbreaks that shouldn't have happened and are harder to control.
-
The SSA stores a lot of sensitive data. Normally with sensitive data you want to be very careful with who can access it and how.
What is potentially worrisome in this situation is it seems like the SSA is taking on the "move fast and break things" attitude of Silicon Valley.
More technically, most government agencies use AWS and Azure (cloud providers) to host data. So spinning up a new server isn't inherently bad. However, creating a new server that is secure and has the correct access controls (user permissions regarding who can see/change content) can be challenging. The whistle blower believes they are not doing this right, and it sounds like the head of the SSA isn't disagreeing, just saying he thinks the risk is worth it.
That makes sense, thanks for the explanation
-
We‘re getting closer to a cyberpunk world every day
Once a nuke goes off in a major city, we are pretty much guaranteed it from what I understand about multiple cyberpunk-style worlds
-
I don't love the idea of the Trump administration being in charge of creating a national ID system, but this maybe the best time to make one.
If Democrats proposed a national ID database the crazy 'FEMA is coming to round us up' republicans would freak out about it. As proven with Trump sending the national guard into D.C., as long as Trump does it they don't care.
I hate this is a good point
-
It's times like this I wonder about the like/dislike paradigm I.E. "I like/dislike knowing this and/or appreciate the perceived reputability of the source" vs. "This is good news/I fucking hate this."
This one just got a "I fucking hate this" from me.
The votes on the posting itself should reflect if the content is worth your time. I'm not even American and I have a really bad feeling after reading the article, but it's better to know than being in the dark, and the article itself is full of details which make it pretty reasonable to believe it's the truth.
Mr Borges really brought the receipts on this one, and he is one of the heros of the american people that will probably pay dearly for his courage, and he still did what's right.
-
OP, please revise your title to match the article, it is currently misinformation.
The complaint is about where the oversight comes from. This is not some random cloud server.
“S.S.A. stores all personal data in secure environments that have robust safeguards in place to protect vital information,” he said. “The data referenced in the complaint is stored in a longstanding environment used by S.S.A. and walled off from the internet. High-level career S.S.A. officials have administrative access to this system with oversight by S.S.A.’s information security team.”
Don't you think after 5 months without oversight who exactly has access to that server that the difference between this and a random s3 bucket is nearly nil? But you are right, in the light of integrity the title should reflect the facts as they present themselves currently.
-
I dont have a problem with that, but what I will object to is the current regime making the replament ID system. 1) there is no way they would design it well or securely, smart people capable of building such a system are usually the first to bounce to another country as they will have the means to do so. 2) it would be too easy for them to lord the new ID over peoples heads (like they are with immigration status now) and impliment a social credit score like China does.
Your correct that SSNs should not be used as IDs, but getting the government to build a modern system for that opens too many avanues for abuse (especially with darth cheeto in charge).
this is a whole can of worms that you can look into but the entire western conception of the Chinese social credit system is essentially a myth propagated by western media outlets.
don’t get me wrong, the chinese government legislated local governors implement something vaguely similar to the financial credit system in the west but, as the law works in china, they all interpreted the order differently and it seems only the “good” parts get rolled out nationally.
situations similar to the western “social credit” myth existed for a brief time in a very small number of local pockets (think smaller divisions such as cities and towns), but they were quickly absconded and the architects of those systems punished, for essentially wasting government time and money.
note i’m definitely not a tankie fuck tankies but i also think if we’re gonna talk about china we don’t need to make shit up bc just like the US there is plenty of real shit to criticize. the “social credit” thing is a joke that westerners get made fun of internationally for believing, pretty much. it’s not remotely real, at least how you probably think of it.
realistically at this point you don’t have more or less rights or freedoms as a citizen of china or the united states. you’re pretty equally fucked either way now.
-
Don't you think after 5 months without oversight who exactly has access to that server that the difference between this and a random s3 bucket is nearly nil? But you are right, in the light of integrity the title should reflect the facts as they present themselves currently.
I do, yes, it's blazingly stupid and others have been jailed for less.
But I've noticed a number of misleading post titles recently, like the just today there was obe about a cyclist getting hit by a car when it was actually the cyclist turning into traffic. Tragic, but the title misleads. So I've started pointing them out.
Maybe I just long for the days when titles aren't rewritten to drive opinion and engagement (regardless of if I agree or disagree).
-
In cyber security you may never know if a bad actor got access to your systems/data. The issue with not following good security practices is that you increase the risk of this happening.
Its like saying we should stop mandating vaccines cause the diseases aren't around anymore. When you let down your defenses you end up with outbreaks that shouldn't have happened and are harder to control.
In cyber security you may never know if a bad actor got access to your systems/data. The issue with not following good security practices is that you increase the risk of this happening.
If they're using Azure or AWS then they have a level of built in good security practices. These people aren't morons, they know what they're doing. In fact, using AWS or Azure you have to fuck things up to make it insecure, because by default they're all pretty locked down.
Its like saying we should stop mandating vaccines cause the diseases aren’t around anymore.
I'm 100% a pro-vaccine person, but vaccines should not be mandatory. "My body, my choice" - isn't that the saying? Or is that only for women wanting an abortion? If someone doesn't want to get a vaccine then they can suffer the potential consequences while those who are vaccinated don't (but they have to deal with the potential side effects of the vaccine).
-
In cyber security you may never know if a bad actor got access to your systems/data. The issue with not following good security practices is that you increase the risk of this happening.
If they're using Azure or AWS then they have a level of built in good security practices. These people aren't morons, they know what they're doing. In fact, using AWS or Azure you have to fuck things up to make it insecure, because by default they're all pretty locked down.
Its like saying we should stop mandating vaccines cause the diseases aren’t around anymore.
I'm 100% a pro-vaccine person, but vaccines should not be mandatory. "My body, my choice" - isn't that the saying? Or is that only for women wanting an abortion? If someone doesn't want to get a vaccine then they can suffer the potential consequences while those who are vaccinated don't (but they have to deal with the potential side effects of the vaccine).
While AWS/Azure do make the initial configs rather fool proof, that falls apart the moment you start configuring them for actual use. It's also especially easy to mess things up when handling PII, at the SSA level it's probably something that DOGE staff don't have experience with.
As for vaccines. Largely through that out there cause it seemed like obvious bait for you, but I don't think a single slogan "my choice my body" really encapsulates the arguments around abortion
-
While AWS/Azure do make the initial configs rather fool proof, that falls apart the moment you start configuring them for actual use. It's also especially easy to mess things up when handling PII, at the SSA level it's probably something that DOGE staff don't have experience with.
As for vaccines. Largely through that out there cause it seemed like obvious bait for you, but I don't think a single slogan "my choice my body" really encapsulates the arguments around abortion
The people working at doge are mostly what people would consider geniuses in their field. Configuring azure databases to be secure is a piece of cake. Like I said, it’s harder to make them insecure than it is to make them secure. I know, I work with them every day. How does handling PII make it easier to mess things up exactly?
Good to know you were just trying to bait and “troll”, not really good faith arguing is it? You wouldn’t have been trying to find something to disagree with just because you can’t argue against my actual point I made, were you?
“My body my choice” perfectly encapsulates the argument for abortion because it literally is pro-abortion people’s main argument - and yes, I am 100% pro-abortion.
-
The people working at doge are mostly what people would consider geniuses in their field. Configuring azure databases to be secure is a piece of cake. Like I said, it’s harder to make them insecure than it is to make them secure. I know, I work with them every day. How does handling PII make it easier to mess things up exactly?
Good to know you were just trying to bait and “troll”, not really good faith arguing is it? You wouldn’t have been trying to find something to disagree with just because you can’t argue against my actual point I made, were you?
“My body my choice” perfectly encapsulates the argument for abortion because it literally is pro-abortion people’s main argument - and yes, I am 100% pro-abortion.
I think the line "how does handling PII make it easier to mess things up" just about sums things up for me.
-
I think the line "how does handling PII make it easier to mess things up" just about sums things up for me.
If the servers are secure and the PII is properly encrypted in the original db then how does it make it any easier to mess up? Would love to hear your expert opinion on this.
-
This post did not contain any content.
the government may be responsible for reissuing every American a new Social Security number at great cost
Has this department made our government efficient yet?
-
If the servers are secure and the PII is properly encrypted in the original db then how does it make it any easier to mess up? Would love to hear your expert opinion on this.
There are laws about how to handle PII and potential criminal charges based on things like the Privacy Act. Meaning there are additional requirements above and beyond how people normally store data on a system.
More requirements = More chances to mess up
-
There are laws about how to handle PII and potential criminal charges based on things like the Privacy Act. Meaning there are additional requirements above and beyond how people normally store data on a system.
More requirements = More chances to mess up
And you’ve got evidence those laws aren’t being followed? No? There’s nothing that hosting it on a secure cloud server that makes that any easier to “mess up”.
