I tell this story a lot. But I think in the time of smartphones and such it also represents the only real secure site I thought was truly secure from what I knew of it. This was before smartphones were common, but I think it was ahead of its time in that way.
I worked for a company that occasionally would service some of our hardware onsite. One customer was a company that did a lot of work for the military and they had "that site" that a few folks visited. Here was how that worked:
Nothing except your body and your clothes left the site, anything you brought stayed onsite (laptops that we brought onsite were left behind / effectively disposable, later you couldn't even bring those, they provided one). All that stuff belonged to the military / whomever you interacted with at the site.
No electronics, cameras, etc. that were not previously approved were allowed, and you were told you would not be leaving anytime soon if you had something "unexpected or unauthorized".
It was highly suggested that nothing was in your rental car other than your keys and the equipment you needed, as they searched the car and the folks would take what they wished.
If you realized you had something you didn't want in the car, it was highly suggested you do not turn around if you are at all close to the location, and that you drive up and immediately tell them you dorked up and brought something. This was a fairly remote location, so they probably knew you were coming before you saw the gate, and the guards didn't like surprises.
Upon arrival you parked, were blindfolded and driven from the gate to the site, you never actually saw the outside of the site until you were in the building. You were never alone at anytime. Trips to the bathroom while at the site were monitored... in person by a guard with a rifle.
Now all that sounds ominous but everyone reported that the folks there were very professional (not friendly but professional).
The point of that whole story was that even a while ago someone said "any electronics" were a threat and decided that they had to go to extremes to limit their access. Still today I think that was the closest to a "sure" policy.
I'm hoping they've implemented some form of localized EMP that you have to pass through now to leave, because large storage is so incredibly small now that it would be impossible to discern it from articles of clothing.
The "hard" part is really just getting the data off the computer in the first place, which is probably why they don't allow bringing in technology anymore.
I wonder how much of a micro computer could be smuggled in one or two parts at a time, stored in articles of clothing, with the intent of simply saving data to a micro SD card which would be the only thing you need to smuggle back out. You would need to be able to assemble the device without soldering.
I guess the easiest would be to build a digital camera to record the screen or photos instead of trying to plug into the computers themselves, which probably have robust host intrusion detection and prevention. Or perhaps if you could just record the digital output of the computer before it reaches the monitor. That could be prevented with some form of HDCP though, I think.
This all sounds kind of like a science fiction movie (or In the Line of Fire or that Snowden movie) but it's an interesting thought exercise in any case.
The "localised EMP" you mention could simply be a low power microwave oven of the same type we have in our kitchens that you have to walk through. Waves of that frequency would not harm a person if they were fairly low power, but it would mess up every bit of non-metal-shielded electronics.
If you want to destroy a piece of electronics quickly put it in a microwave oven and hit start (also don't expect to eat from that oven later - plastic residue etc if it heats up that much is probably not safe to eat). This will destroy usb keys and storage on them, SSDs, laptops, smartphones and data on them. The only kind of data safe is magnetic type hard drives, but they become less and less common these days.
You could even make a kind of "wand" similar to what guys at the airport have for pinpointing metal items on people. Wave it around someone suspected of having a listening or recording device - job done.
So a bad actor would shield them? The primary countermeasure to incredibly small storage is minimizing the availability of devices that could write them on site. That microSD hidden in a nostril won't be of much use if the attacker does not find anything to plug it into.
(regarding OP's story: I was kind of expecting it to end with the spaceballs password in heavy use behind all that physical security, still kind of disappointed/relieved)
The intention wasn't to "make it weird"; he simply serves as a prominent example of a) someone with an implanted medical device and b) someone who probably spent a lot of time in SCIFs.
Why, I always wipe like that! Yup, all the way to the elbow as if I were looking for a flash drive that somehow managed to get up that far! Yessiree, and it's completely normal that I keep a small memento in a wrap of TP in my pocket after a good visit to the bathroom!
A friend of mine had an amusing story about a visit to a secure facility. He was an engineer in the late '80s or early '90s at a company that made some kind of custom text search hardware. He was sent to a customer site to do some service on one of the machines.
The customer was some government intelligence agency (he didn't tell me which one). The machine was in a small room, which also had a printer. To get to that room, you had to walk through a big room full of workers at desks.
Before entering that big room, his escort would press a button beside the door that apparently signaled to those in the room that an outsider was going to come through. That would make some audible signal in the room, and start some red lights flashing on the ceiling. Everyone in the room then had to clear their desks, putting all their papers in their drawers and locking them, and returning the most secret document to their safes.
When all that was done, everyone returned to their desks and then someone would open the door, my friend's escort would tell him to not look around, and would escort him through to the room with the machine. The door would be closed and locked, with my friend and the escort in the machine room, and my friend could work on the machine. Out in the big room, the workers would take their work back out and go back to work.
Occasionally, someone in the big room wanted to use the printer in the machine room. Before they could do that, my friend had to be escorted out of the machine room, back through the big room, and out to the corridor...going through that whole "secure the room so an outsider can pass through" procedure to get back out, and then to get back in after the printout had been retrieved.
Unfortunately, my friend had a lunch that day which disagreed with him somewhat, so that afternoon there were also a few times he needed to get to the bathroom, which of course required going through the big room each time.
I'm not the original commenter but I'm familiar with policies like this. I grew up in Lynchburg, VA, where the Naval Nuclear Fuel facility is, operated by what was B&W. It had identical policies: everything that goes in, stays in, no one allowed in without clearance, no paper or electronics leave, air gapped computer network, etc. Not the monitored bathroom breaks, though....
A blindfold allows someone to be in close proximity to the person while also retaining visibility and communication with that person and other people (e.g. the driver).
If you lock out a special cabin area for a vehicle, either you are leaving them to their own devices in that area, or limiting the senses of your own staff you put in to watch them.
Finally, it's just a lot more expensive and cumbersome to have a large piece of machinery like that, and more likely to fail. What happens if the engine fails? Do you need a spare now? Using a blindfold as backup means that a blindfold is sufficient, so just use it and any vehicle now works.
I did a poor / vague job of describing that the blindfold was used inside buildings too. Folks walked with their hand on the shoulder of a guard in front of them from time to time.
Makes sense. That presumably means people don't have to turn their monitors off and shuffle everything off their desks every time an uncleared person has to move through.
The location of the site is pretty pointless and impossible to obscure (everyone can find it in satellite imagery). However they can certainly obscure more specific details about the site: what building houses what, where access points are, physical security measures around those points, components used in entries, etc.
Everyone knows roughly where Area 51 is, but that doesn't necessarily mean they'll let a contractor know where all the external security cameras are sited.
Why would you be willing to work in such conditions? If my employer demanded to send me to such a facility I would happily tell them to shove it and look for another job.
I always thought that Android's 3x3 dot pattern draw password thing was superior against this type of over-the-shoulder attack, as long as you turn off the tracing effect. Without tracing, and if you do it quickly, it just looks like you're dragging your thumb randomly all over the phone.
Well, if you had a FLIR camera looking over your shoulder, the tracing effect (caused by localised heating of the screen) would still be there. I actually heard it is a legit method to defeat PIN entry systems. If you can get to the terminal soon enough after it was used, the relevant keys will be a little hotter than the others. This will be visible with FLIR. Then all you have to do is figure out the order of digits.
This, 1000x this! The whole "draw your code" is equal to 111111 codes, because both operations are easily possible to hack if you leave your phone to your peer or random freak. Isn't it the same issue as in many house alarm systems that you just need some UV light to note the most used keys to guess the code?
I can't imagine a more annoying feature. My bank already does this where I cannot use the keyboard to type in digits, I have to use their own on-screen keyboard that's scrambled between every digit(!!!) and I can't imagine anything like that anywhere near my phone. Either pin-based protection is good enough for you, or if you need more security then switch to full a-Z password.
Bank's security relies on reports of the past decade/century, and also, that kind of setup can't be okay for blind users... how the hell are they supposed to interact with this monstrosity?...
It protects against several forms of banking malware trying to steal your money.
Of course, I know this because this is old stuff, at least around here. Both protections and banking malware advanced significantly since... oh, say 2010.
But since banking malware is typically focused on countries, it might be different (less obsolete) if you're not in NW Europe.
It's an absolute pain in the ass for the user, especially something you're going to be asked to enter multiple times an hour potentially. I play a game that has a 'bank pin' and they scramble the location of the digits and it slows you down a lot and makes you look and think about it every time you enter it. It's a pain and I only have to enter it after 10 minutes of inactivity.
That would screw me over. My passphrases tend to be based on a physical pattern of the keys. I can't actually tell you what my phone code is. I just know the order I push the buttons. Similarly, if I have to type my computer passphrase on a non-QWERTY keyboard, I couldn't do it. I don't actually know the letters, I just know the pattern on the keyboard.
If the numbers were scrambled, I'd have to pick a new system to select a password.
More importantly, Android's pattern draw allows the user to pass on an already traced line. That way you can't guess the pattern just by looking at the screen smudges.
A valid pattern on Android is to swipe the middle 3 dots backwards and forwards 3 times like left-middle-right-middle-left-middle-right. The smudge on the screen just shows it uses the middle three dots some number of times.
Not on Android 9 (tested on my Nokia 7 Plus). Once you pass on a dot, you can't get back to it. You also can't "jump over" dots (top left - top right is actually top left - top - top right).
They changed that at some point. Back in the KitKat days, I once pranked a friend by changing their pattern to the same pattern as before, but by skipping the middle dot (top left -> bottom right). If you did it fast enough, the gesture looked identical to the old pattern.
I liked BlackBerry10 picture passwords [0][1]. Unlocking was a bit slower than drawing a few lines but good enough to unlock the device fast. I'd say even if you were weakened by some disease/illness/exhausting workout, slowly moving a number to a target is easier than drawing a few crossed lines.
I once got a friend's iPhone passcode correct first try by looking at finger smudges. If you're entering a passcode frequently it's definitely a risk to be aware of.
> it's the most obvious pattern you would think of.
First initial probably.
> honestly I set it to the same
Hmm. If it's the same, last name then? Maybe a diamond or something. I heard (Mitnick's book about best practices called The Art of Invisibility, chapter 1) many people don't use the corner dots very often, or they use an initial of their name.
I unintentionally can see people's phone patterns when they do it in view. At least with a passcode you can usually try to ignore it, or you have to try to pay attention. Those pattern ones show it visually in a way that's hard to ignore.
If I were giving a security recommendation to famous people and congresspeople I would recommend using a password like this. You might think it’s incredibly insecure, but imagine this GIF contained that 6 digit number that the congressman uses for all of his accounts. Suddenly, a ton of other services and passwords are vulnerable to an attacker.
In reality a lot of iPhones now require authentication at the app level for apps that have sensitive data.
To each his own, but knowing how public you are and how many people would want your passcode, I think the best practice is to use something dumb like 6 of the same keys.
This is itself bad advice. The proper solution is a truly random password, committed to memory, and all others being stored in a password manager, which is itself secured by a separate strong password
The problem isn't the password or the camera that captured it.
The problem is that the phone required a password in that scenario: same user, phone never left his vicinity, probably not a long interval between uses. Being more selective about when to require a master password is a better protection model IMHO.
Or fingerprint readers, which most phones have had for years. It's possible that the DoD standards for the phone he has requires that biometrics be disabled.
I wonder what AI tech is being developed around detecting pin code entry on phones using passive CCTV networks.
If you process the feeds for public transit security cameras, I wouldn't be surprised if you can read the pin codes for a huge swath of the population. It would also reduce the need for law enforcement to try to get a suspect to tell them their passcode. Just look up that time they rode the subway 3 weeks ago and watch them enter it.
I often notice this at gas pumps. There are always cameras at gas pumps. If you pay at the pump, then you enter your pin. I shield mine very carefully, but I watch other people and they just punch in their pin without shielding. It's weird because people often shield their pin at a checkout counter because the clerk is right there (sort of) watching. Maybe these people feel at gas pumps, no one is watching... but the CCTV definitely is watching.
But it's not enough to know someone's code. So what if you do? Unless you can get the physical card without the owner knowing, what good would it do you?
Even being caught once entering your passcode on camera is enough to compromise it, regardless of how complex it is. A passphrase would possibly buy you more time (less discernible finger movement on a phone screen), but I would still consider it compromised.
I'd be curious if Apple had anonymous telemetry that showed what people were picking for their phone unlock PINs. Everyone I've ever seen set one does this same type of thing, either all one number, or they draw a line through the middle. The more advanced maybe use a date like their birthday that they can actually remember.
"What this process appears to show is that Apple never sees, handles, or stores your device passcode or password in unencrypted form, and it never passes the passcode or password over anything but secure transport. It requires only your Apple ID account name and password, sent over HTTPS, as the first stage of logging into iCloud, but not for the later stages."
This. I just went through every picture in the latest available Congressional Pictorial Directory, and I wasn't able to make a 100% sure identification, but my best guess was Rep. Andy Barr (Kentucky).
I don't lock my phone at all. Never have. However, with the new iPhones that don't have a home button, I believe that Apple is forcing you to either use face unlock or a passcode. There is no choice to just leave it unlocked.
So, as soon as my iPhone 6s stops working, I will have to choose to: 1) Give in and use my face to unlock. 2) Use a dumb passcode like 000000. 3) Upgrade to the newest iPhone that still has a home button (I think iPhone 8) or 4) Become an Android user.
I think your point may be that he doesn't have anything private on the phone to worry about or anything that needs to be kept secure?
I think the argument hidden in the headline here is that since this is a device owned by a congressman, and allowed inside this particular meeting, it has information on it that may be confidential, and therefore needs a much stronger password.
My phone has access to my email, phone number, texting.
With these 3 things you can get into my bank account, access to my domains, and into any online account I hold.
Then, personally and professionally, I manage other peoples' accounts, so, with my phone, you can probably social-engineer your way into those as well.
My point is, if you are married, have a job, email, or have other people in your life that you don't want to go through an identity theft crisis, or get hacked, stalked, etc, you should lock your phone.
Maybe you aren't the target, but you are the wide-open back door into their life.
Nobody in my contacts has given me non-public contact info such as secret phone numbers, email addresses or other such info.
I don't manage other peoples accounts from my phone.
My passwords are stored in an encrypted file, accessible only by entering my pin.
My email app has a pin lock.
I don't use the browser to login to any important sites like banking sites.
If you get my phone, the most you can do is order something for me on Amazon (it will be shipped to me, else you have to enter your own credit card) or you can mess with my GitHub content.
Looking at email or passwords is rare. Reading some quick news, opening maps, listening to music and so forth - I don't want to use a pin to access all of those things.
Someone installing an app to catch pins that I typed in and then giving me back my phone...then waiting until I typed a pin and stealing my phone again seems like a bit of a hassle. Out of curiosity though - what app in the app store allows you to do this? Or, do they have to jail break my phone to do it?
I'm not really trying to argue that my way is better. I'm just giving my personal point of view. It works for me. I just don't worry about things and shit seems to work out. I leave my house unlocked all the time. Same with my car. I leave the keys in the car when I go into stores.
It's just stuff. Perhaps if someone stole everything from me, I'd be even more free than I am now.
> ...then waiting until I typed a pin and stealing my phone again seems like a bit of a hassle.
Why would you have to steal it again?
> Or, do they have to jail break my phone to do it?
They will most likely have to jailbreak it.
> I just don't worry about things and shit seems to work out.
Yeah, sure, nobody ever said it happens often; it's for the time it happens that it saves you so much trouble.
A friend got his credit card stolen recently, no big deal, I'm in Canada and the bank takes all the blame in these cases. It still was way too much trouble to get a new card because the guy changed his card information and the bank couldn't validate his identity.
It's not always about what you may lose, it's about what may happen to get back from it.
> It's just stuff. Perhaps if someone stole everything from me, I'd be even more free than I am now.
I don't believe you, but good for you if you believe it yourself.
On the flip side, one could also argue that as a public employee, everything that congressman does should be on the public record out in the light for everyone to see, and that the best security would actually be zero security.
This would also have the positive side effect of making it really hard for public employees to engage in corrupt and illicit behavior (which, as we all know, is so rampant that it's practically industry standard at this point).
I think it would be helpful to understand your use case and how you balance your personal tolerance for risk and consequences so we can better consider users like yourself.
Comments like the parent comment never fail to fascinate me - far and away, I have never seen more uncommon/unusual use cases for pretty much anything than I do on Hacker News. I don't mean that in a negative way at all, I mean it's just amazing how diverse a crowd we have on here and I love how many perspectives we end up seeing in the comments.
I primarily use it as a camera and tape recorder. And mobile wifi web browser with retina resolution in rare cases, all in which I specifically avoid using it to use any sites that require logging in.
I have a fake name on it. There are no contacts or email accounts set up on it.
It's not ever been activated as a cell phone.
Basically, I see no reason to have a password on it, and a password slows things down slightly and has the risk of forgetting (since I never reuse passwords), so why bother.
My Android phone that I do use as a cell phone though I have a password on it. It has similarly few personal details, but the call logs would make it easy to identify me.
Granted the iPhone's location logging though disabled might be storing info anyway, and probably the photos are GPS tagged, so those things would identify me.
My phone never leaves my sight. I don't do mobile banking of any kind. I can sign out/remotely wipe the device via the web. It would be nice to remotely turn ON the GPS to find my phone but Android has since removed the remote GPS ON feature.
If only I could find a smartphone for talk/text/web/GPS, I'd switch in a heartbeat. I'm seriously getting sick of all the security features that tend to bloat the device and slow it to a crawl.
That being said, if my phone was vulnerable to theft or I wasn't so careful, I would lock my screen.
> I don't lock my phone at all. Never have. However, with the new iPhones that don't have a home button, I believe that Apple is forcing you to either use face unlock or a passcode. There is no choice to just leave it unlocked.
And I'm saying that you can use it without those features enabled; even on iPhones without a home button.
How do all the people you communicate with via email, text, etc., feel about their contact information and messages with you being so easily accessible? Securing your devices isn't just about you...
Also, while it might not be too difficult for someone to figure out my phone number and/or email address from my name, it's not like there's a public directory of either. "Not secret" does not and should not equal "public".
When I was a kid my house was "broken into" but because the door was unlocked the police couldn't qualify it as breaking and entering. It was merely trespassing and my neighbor who did it got off. I was 12, these details may be a bit fuzzy. I chased the guy off so nothing was taken, he just walked in, saw me running to the door and ran back out. Supposedly he was just drunk and wandered into the wrong house anyway.
I'm curious what effect not locking your phone might have on police reports if your identity/etc. is ever stolen and you need to provide police reports. Possibly nothing, but I can imagine some credit card's legal team working hard on that aspect of things in the event you're trying to convince AMEX to return $40k of transactions you supposedly didn't make yourself and need reversed because your phone was swiped while logged into some CC app and they copied your card number.
> Supposedly he was just drunk and wandered into the wrong house anyway.
That's what made him fine, not the fact that you didn't lock.
That's a thing that is quite misunderstood, but for a crime to be committed, you need criminal intent. If you just made a mistake and weren't aware it wasn't your house, it's not a crime to enter it.
Not all crimes require intent. Crimes where intent is not required are called "Strict liability" crimes, for those crimes it is sufficient to prove that the accused did the thing which is forbidden, and it's entirely irrelevant (to guilt, though not necessarily to sentencing) why they did it.
Also for some crimes the intent needn't match the outcome. For example in the UK _Attempted Murder_ requires (as well as facts of an attempt) you had an intent to kill, but _Murder_ only requires that you had an intent to at least cause grave harm, the fact of death makes it murder, even if a jury believes you intended only, say, to hospitalize the victim.
You're likely right and it was just my parents and police scaring me into keeping the doors locked. He wasn't arrested until the next day (had no idea he was a neighbor, he lived a few blocks away) when the police realized who he was.
But that's also the thing: we had no idea what his intent was. I do recall the police that night seeming less concerned because the door was unlocked, and I was chided quite a bit. I do recall them telling me what I said in my initial post, but I also understand criminal intent. Personally I'm glad the guy wasn't wrung up with a felony if he was just on some Ambien sleepwalk bender or whatever he was on.
Why do you not want to use your face? And I don't think the lack of a home button changes whether or not you have to use a passcode. I haven't seen anything to indicate that the new iPhones can't be passcodeless (though I don't want to clear my FaceID data to test this). Just swipe up to unlock.
You can still choose not to have a passcode on newer iPhones.
That said, I have a really good friend that chooses not to use a passcode for their phone.
Somewhat irritating because, being a really close friend, we sometimes have very personal conversations via text, and the fact that they don't lock their phone means I have to be conscious of that. These aren't deep-dark secrets, but still personal things I wouldn't share publicly.
I worked for a company that is well known today, many years ago when it was smaller. When the IT team created new accounts for employees, it was the standard Pa$$word password for everyone. It was up to the user to change their password. They had no password rotating rules or requirements.
Anyway, many years later after I started, IT hires a person who wants to do good while in IT. This person discovers the CEO is still using the day one password he was given. The IT person decides to email the CTO, the director of IT, and the head of HR warning them the CEO is still using his default password.
I’m not clear what exactly the wording was, but the IT person skipping over the chain of command was bad enough it got them fired.
> IT person skipping over the chain of command was bad enough it got them fired.
Isn't this roughly the opposite of what you want in an org? Otherwise there can be the failure mode of only good news getting reported up, so the folks running the company base their decisions on finely cultivated bullshit and are completely isolated from reality.
Management in IT was big on chain of command at that time. The director of IT was insecure and wanted to filter bad news through him before it went further up. Because this person went to the director's boss, it angered the director.
There are lots of orgs with dumb MDM policies, but I doubt Congress is enforcing that one. MDMs usually prevent simple passwords like that (though not equally simple ones like 989898...).
No, it is not. These sorts of "I'm annoyed that I'm being forced to put in a password so I'll put the easiest one to type" passwords are in even the most basic password dictionaries, and are therefore susceptible to dictionary attack.
Sure, but if your angle of attack is "someone swiped my phone off my desk and wants to unlock it within the next 30 minutes before I wipe it remotely" then 111111 is as good as literally any other 6-digit pin code, unless the attacker just tries 111111. In which case 999999 is probably a better choice.
> Sure, but if your angle of attack is "someone swiped my phone off my desk and wants to unlock it within the next 30 minutes before I wipe it remotely" then 111111 is as good as literally any other 6-digit pin code, unless the attacker just tries 111111. In which case 999999 is probably a better choice.
Asking "How secure is this?" is essentially the same as "What angles of attack would this prevent?" So if your phone is susceptible to a very basic dictionary attack (which is just a codified way of saying "susceptible to educated guesses") then it is not "just as secure as any other code" because there are other passwords which aren't susceptible to this attack.
Note that my post was responding to the claim that it's "just as secure as any other code". It is not.
If you myopically only look at the most basic of attacks, then you can use crap security and it will work for those attacks. But a US Congressman could obviously be a target of sophisticated attackers. And you're literally proposing an attack which would break your proposed password, yet still defending the claim that it's just as secure.
I was just reading someone's comment saying they come to HN because the comments are so good, and I can't say I know what they're talking about. So much uneducated speculation about comments taken out of context is being presented as fact in these comments.
I was talking about odds of the iphone combination in general.
If you really want to delve into the specific scenario of a US Congressman then there are many more factors, like how are you going to get access to the phone at all? How are you going to avoid the lost mode activating? iPhones have limited tries before permanently disabling, so how many are you going to risk with a dictionary attempt? Would you really put 111111 as the first try, considering most people wouldn't use that?
The problem is that 111111 and 999999 as well as 123456 etc are probably at the top of the list of codes to try before you start iterating brute force.
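As an added example (not from any commenter, and not the policy of any real MDM product), here is the kind of passcode check a device-management profile could apply to catch the easy-to-type codes this thread argues about, including the 989898-style repeats mentioned earlier that a plain "all the same digit" rule misses. The blocklist is constructed from the codes named in the thread; a real deployment would load a much larger list.

```python
"""Numeric passcode policy check (added example, constructed for illustration).

Flags the codes discussed in the thread: a single repeated digit (111111),
a short repeating block (989898, 123123), a keypad sequence (123456, 654321)
and membership in a small blocklist. Returns the list of violations so the
caller can show the user *why* a code was refused.
"""
from typing import List

# Constructed blocklist: the codes named in the thread plus obvious neighbours.
BLOCKLIST = {"000000", "111111", "123456", "654321", "999999", "112233"}


def _is_sequence(pin: str) -> bool:
    """True if every digit is exactly the previous digit +1, or every digit -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def _shortest_period(pin: str) -> int:
    """Length of the smallest block which, repeated, reproduces the whole PIN.

    "989898" -> 2, "123123" -> 3, "111111" -> 1, "847291" -> 6 (no repetition).
    """
    for p in range(1, len(pin) // 2 + 1):
        if len(pin) % p == 0 and pin[:p] * (len(pin) // p) == pin:
            return p
    return len(pin)


def check_pin(pin: str, min_len: int = 6) -> List[str]:
    """Return policy violations for a numeric passcode; an empty list means it passes.

    min_len defaults to 6, the current iPhone passcode length discussed above.
    """
    problems: List[str] = []
    if not pin.isdigit():
        return ["not all digits"]
    if len(pin) < min_len:
        problems.append(f"shorter than {min_len} digits")
    if pin in BLOCKLIST:
        problems.append("in blocklist")
    period = _shortest_period(pin)
    if period == 1:
        problems.append("single repeated digit")
    elif period < len(pin):
        problems.append(f"block of {period} digits repeated")
    if _is_sequence(pin):
        problems.append("keypad sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("111111", "989898", "123456", "123123", "847291", "1234"):
        verdict = check_pin(candidate) or ["ok"]
        print(f"{candidate}: {', '.join(verdict)}")
```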
Bringing the phones into the "secure" SCIF was just the icing on the cake of a straightforward attempt to disrupt the inquiry. It's a bit of direct action, almost like a sit-in. Presumably it's a crime, but not the sort that anyone is likely to be charged with if they have power.
I'm not an iPhone user but I thought that Apple warned you about this kind of password. It was covered quite a bit when Kanye was caught with a 000000 password when meeting with Trump.
And yesterday over a dozen members of Congress barged into one of the Congressional versions of this site without authorization and while recording video, audio, and taking photos on their personal smartphones.
Here is a Twitter thread about why that is such a problem:
Just trying to be a better HN citizen, so is there something specific I did wrong here that crossed a line or is it just a "know it when I see it" situation? I didn't reference anything partisan and was simply relating a recent political event to both the general topic of poor congressional cybersecurity and the specific topic that duxup was talking about regarding securing a site from electronic devices. It was the response to my comment that was sparking a partisan flamewar.
I hear you and appreciate your wish to be a good community member!
The value of an HN comment is the expected value of its future subthread—i.e. itself, plus the sum of the probability distribution of the responses it may receive.
In this case the EV of your post was negative: first because it brought in a partisan stunt that was still hot from the news of the moment; second by framing it one-sidedly ("barged into...without authorization...such a problem"); third by linking to a political source that one side is overwhelmingly likely to agree with and the other side to be unimpressed or offended by.
You're right that the flamewar was more in the responses to your comment than in your comment itself, but that's true of most flamewars. Flames get hotter as they spread. From a fire prevention point of view, the issue isn't where the fire burned hottest but where it started.
By the way, there are some deeper, interesting issues with this 'expected value' model of comments. It implies that commenters are in some sense responsible for the behavior of others and not just what they themselves post. That's weird. And it implies that one needs to consider not just one's own post, but future replies—also weird. Yet it is the model that works the best in practice.
Thanks, I appreciate the thorough explanation. I agree that the "expected value" idea is an interesting one and I see how when viewed through that prism that the language I used and that linked source used can be seen as biased and more likely to incite a more partisan response.
Although I am still not sure I agree with the general guideline of not bringing up something like that incident as I believe it was on topic to both the post and the comment I replied to. My comment might have been the one to inspire a flamewar type response, but it wasn't the only comment that mentioned that incident in general. That said, I will try to be more mindful of that in the future.
Truly awful take. Enough with the "both sides" nonsense. One side is objectively bad. Even accidentally taking electronics into a SCIF can be grounds for losing one's security clearance and getting in major trouble. These people planned it, and executed that plan, for a publicity stunt. Enough has been said about why it wasn't necessary in any way for them to act like this, so I won't go into it, see other responses to your comment.
Please don't take HN threads further into partisan flamewar. Nothing good can come of this here, if you define 'good' as what's expressed by the site guidelines.
It's appropriate to blame Republicans if it's actually their fault and they are actually trying to disrupt the impeachment process. Or do we suddenly not care about the security rules now it's not "her emails"?
Sure, maybe sometimes they're necessary, but this isn't one of them. Leaving your phone behind isn't difficult. They may have a legitimate gripe, and this was a theatrical way of shining light on it, but there was nothing inherent to their stunt that prevented its execution while keeping a secure site secure.
The U.S. Code of Federal Regulations defines terrorism as "the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives" (28 C.F.R. Section 0.85).
By your logic, saying the thread is a thinly veiled attempt at blaming republicans would make the GOP lawmaker actions a thinly veiled attempt at terrorism, wouldn't it?
See where this is going?
There is some good Jon Stewart-era Daily Show material about GOP terrorism for the sake of politics.
> In other words, 1 out of every 4 Republicans in the House can participate in the inquiry hearings anyway. That doesn’t include Minority Leader Kevin McCarthy (R-Calif.), who is also allowed to participate. It does include Rep. Greg Pence (R-Ind.), the brother of the vice president. He sits on the Foreign Affairs committee.
> According to a news release sent from Gaetz’s office that was spotted by journalist Marcy Wheeler, 41 Republicans joined Gaetz’s sit-in protest Wednesday. Of that group, more than a quarter — 13 — were members of the three relevant committees and, therefore, allowed to attend the hearings!
111111 is perfectly acceptable for a phone password. His password was just broadcast to the entire world; at least using 111111 means that he doesn't have any illusions about how secure it is.
Phone passwords are for protecting things from your family.
Well I can extend that to friends as well if you like. Who do you think your password is protecting you from? Are you frequently at odds with law enforcement?
Most people aren't; it isn't a feature to protect people from governments (I wish we had more features that did). Encryption is a good thing in a general sense but for most users they are more likely to lock themselves out of their own data than protect themselves from anything outside their close friends and family.
>Phone passwords are for protecting things from your family.
I think what you actually mean is anyone who has physical access to your phone. If you lose your phone or it is taken by authorities, then you are at risk of having strangers access your data.
Strangers already have access to all my data; I use Gmail [0] for most of my important personal emailing, metadata like website browsing habits is already snoop-able. iMessages might be secure, but there isn't anything substantial there that can't be dug up elsewhere.
If this guy was relying on any password to protect his phone from physical access then he is in for a nasty shock - whatever his password was, his adversaries would know it after this video. The fact that it was 111111 doesn't actually change anything.
He's in the US government. If he is up to something and he has enemies, it will get leaked. If he doesn't have enemies the lack of security isn't so terrible. His work is supposed to all be in the public eye anyway.
I have worked with a few alpha types who considered themselves too important to waste time memorizing a password. I'm not sure if it's the case here, but I'd guess that brand of entitlement has a higher incidence rate within the halls of congress.
Nothing to do with intelligence either. Most people don't grasp the consequences of bad OPSEC, though they can fairly well understand why they should lock their door when away from home.
It was a funny conversation with a senior developer when I noticed he had his business card and his key card to work on the same extensible thingy that you clip on to your pants.
I remarked there's a reason why the key cards are unmarked, right?
It isn't just individuals who can't into OPSEC though. Soon after this conversation, the company created a policy saying you have to pay $10 to get a new key card if you lose your key card.
I thought that was stupid. Now, suddenly you have incentivized people to NOT report they don't have possession of their key card any more. We want people to report the instant they lose access to their key card, not three days later when they have exhausted all options. My understanding is that you can easily reactivate a key card if it is found again and the risk of unreported lost cards outweighs the cost of a new key card.
At a previous place, we had one single card for everything: enterprise restaurant, parking entrance, building entrance, Windows session, S/MIME signature & decryption... You were more or less unable to work without that card, so it was immediately obvious if a card was missing.
I also agree with the conclusion (the risk of unreported lost cards outweighs the cost of a new key card).