adamcz

he had to say “yes” to avoid blowing his cover

later, a flying man covered in a trash bag diverted the meteor. the mysterious trash bag man is a hero, while clark kent is known for bringing pajamas to work and pooping his pants

Stephen Holden’s review in The New York Times said “There is no transcendent agent of evil; the enemy is within … the movie remains above the typical splatter ’n’ scream fest. These careless hedonists are convincing, and the ensemble acting feels believable.”^[37] Aintitcool’s Harry Knowles said “Damn I fucking loved it.”^[38] 

Link

There’s a LOT going on here.

@dktattoos "hey, I'm tryna eat lunch here....." ---------------------------------------------- #thesimpsonstattoo #thesimpsons #simpsonstattoo #simpsons #tattoo #moe #inked #tat #tattyslip #simpsonsfan #homer #bart #lisa #maggie #marge #mattgroening #futurama #cartoontattoo #cartoontats #epictattoo #simpsonstat

​clue: what do you call a person that comes out at knight and tries to kill u ?
he has no face .he’s a legend .
answer: slender man

Submitted by @danhasabeard "I like the way snrub thinks....." ---------------------------------------------- #thesimpsonstattoo #thesimpsons #simpsonstattoo #simpsons #tattoo #moe #inked #tat #tattyslip #simpsonsfan #homer #bart #lisa #maggie #marge #mattgroening #futurama #cartoontattoo #cartoontats #epictattoo #simpsonstat

if everyone ignores all the issues and JUST calls the president-elect this funny name, he’ll have no choice but to straighten up and fly right

we did it!!!

A decade ago, if a desktop computer got infected with malware the chief symptom probably was an intrusive browser toolbar of some kind. Five years ago you were more likely to get whacked by a banking trojan that stole all your passwords and credit card numbers. These days if your mobile or desktop computer is infected what gets installed is likely to be “ransomware” — malicious software that locks your most prized documents, songs and pictures with strong encryption and then requires you to pay for a key to unlock the files.

Here’s some basic advice about where to go, what to do — and what not to do — when you or someone you know gets hit with ransomware.

First off — breathe deep and try not to panic. And don’t pay the ransom.

True, this may be easier said than done: In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles. Continue to ignore the demands and your files will be gone, kaput, nil, nyet, zilch, done forever, warns the extortion message.

See, the key objective of ransomware is a psychological one — to instill fear, uncertainty and dread in the victim — and to sow the conclusion in the victim’s mind that any solution for restoring full access to all his files involves paying up. Indeed, paying the ransom is often the easiest, fastest and most complete way of reversing a security mistake, such as failing to patch, opening a random emailed document e.g., or clicking a link that showed up unbidden in instant message. Some of the more advanced and professional ransomware operations have included helpful 24/7 web-based tech support.

Paying up is certainly not the cheapest option. The average ransom demanded is approximately $722, according to an analysis published in September by Trend Micro. Interestingly, Trend found the majority of organizations that get infected by ransomware end up paying the ransom. They also found three-quarters of companies which had not suffered a ransomware infection reported they would not pay up when presented with a data ransom demand. Clearly, people tend to see things differently when they’re the ones in the hot seat.

And for those not yet quite confident in the ways of Bitcoin (i.e. most victims), paying up means a crash course in acquiring the virtual currency known as Bitcoin. Some ransomware attackers are friendlier than others in helping victims wade through the process of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. Others just let you figure it all out. The entire ordeal is a trial by fire for sure, but it can also be a very expensive, humbling and aggravating experience.

In the end the extortionist may bargain with you if they’re in a good mood, or if you have a great sob story. But they still want you to know that your choice is a binary one: Pay up, or kiss your sweet files goodbye forever.

This scenario reminds me of the classic short play/silent movie about the villainous landlord and the poor young lady who can’t pay the rent. I imagine the modern version of this play might go something like…

Villain: You MUST pay the ransom!

Victim: I CAN’T pay the ransom!

Villain: You MUST pay the ransom!

Victim: I CAN’T pay the ransom!

Hero: I’ll pay the ransom!

Victim: Oh! My hero!

Villain: Curses! Foiled again!

Okay, nobody’s going to pay the ransomware demand for you (that’s only in Hollywood!). But just like the hero in the silent movie, there are quite a few people out there who are in fact working hard to help victims avoid paying the ransom (AND get their files back to boot).

Assuming you don’t have a recent backup you can restore, fear not: With at least some strains of ransomware, the good guys have already worked out a way to break or sidestep the encryption, and they’ve posted the keys needed to unlock these malware variants free of charge online.

But is the strain that hit your device one that experts already know how to crack? 

WHERE TO GO?

The first place victims should look to find out is nomoreransom.org, a site backed by security firms and cybersecurity organizations in 22 countries. Since its launch on July 25, 2016, nomoreransom.org estimates that it has been able to save 6,000 victims of ransomware more than $2 million USD to date. Last week the group announced the site is now available in Dutch, French, Italian, Portuguese and Russian.

Visit the Crypto Sheriff page at nomoreransom.org, upload one of the files encrypted by the ransomware, and the site will let you know if there is a solution available to unlock all of your files for free.

Another destination that may be useful for ransomware victims is bleepingcomputer.com, which has an excellent Ransomware Help and Tech Support section that is quite useful and may save you a great deal of time and money. But please don’t just create an account here and cry for help. Your best bet is to read the “pinned” notes at the top of that section and follow the instructions carefully.

Chances are, whoever responds to your request will want you to have run a few tools to help identify which strain of ransomware hit your system before agreeing to help. So please be patient and be kind, and remember that if someone decides to help you here they are likely doing so out of their own time and energy.

HOW NOT TO BE THE NEXT RANSOMWARE VICTIM

Regularly backup your data, and make sure the backups are not connected to the computers and networks they are backing up. Most ransomware variants can encrypt files on any attached drives or network files that are also accessible to the host machine (including cloud hosting and cloud-based backups if those passwords are stored on the machine). Bleepingcomputer’s Lawrence Abrams just published this a nice primer called How to Protect and Harden a Computer Against Ransomware.

Many companies are now selling products that claim to block ransomware attacks. Those claims are beyond the scope of this article, but don’t be lulled into thinking these products will always protect you.

Even products that could somehow block all ransomware attacks can’t prevent the biggest reason that ransomware attacks succeed: They trick victims into taking an action that inadvertently undermines the security of their device — be it a smart phone, tablet or desktop computer.

This usually involves clicking a link or downloading and opening a file that arrives in an email or instant message. In either case, it is an action that opens the door to the attacker to download and install malware.

Remember my Three Rules of Online Security:

1: If you didn’t go looking for it, don’t install it.

2: If you installed it, update it.

3: If you no longer need it (or, if it’s become too big of a security risk) get rid of it.

These rules apply no matter what device you use to get online, but I’ll add a few recommendations here that are more device-specific. For desktop users, some of the biggest risks come from insecure browser plugins, as well as malicious Microsoft Office documents and “macros” sent via email and disguised as invoices or other seemingly important, time-sensitive documents.

Microsoft has macros turned off by default in most modern Office versions because they allow attackers to take advantage of resources on the target’s computer that could result in running code on the system. So understand that responding affirmatively to an “Enable Macros?” prompt in an Office document you received externally and were not expecting is extremely risky behavior.

Enterprises can use a variety of group policy changes to harden their defenses against ransomware attacks, such as this one which blocks macros from opening and automatically running in Office programs on Windows 10. Other ransomware-specific group policy guides are here, here and here (happy to add more “here’s” here if they are worthy, let me know).

Also, get rid of or hobble notoriously insecure, oft-targeted browser plugins that require frequent security updates — like Java and Flash. If you’re not good about updating these programs frequently, you may fall victim to an exploit kit that delivers ransomware. Exploit kits are malicious programs made to be stitched into hacked or malicious Web sites. People who visit these sites or who are redirected to them and who are browsing the Web with an outdated version of Flash or Java can have malware automatically and quietly installed.

Mobile users in general need to spend just a tiny fraction more time discerning the origin and reputation of the applications they wish to install, as mobile ransomware variants tend to mimic or even piggyback on popular games and applications found in app stores and other places. Don’t just download the first app that matches your search. And always download from the original source whenever possible to ensure you’re not getting a copycat, counterfeit or malicious version of the game or application that you’re seeking.

For more tips on how not to become the next ransomware victim, check out the bottom half of the FBI’s most recent advisory on the topic.

ATTN: @screenshotsofdespair

“we’re not gonna armed revolt anymore because our side won. besides, some of your signs are really mean”

@lady_chain "Can I play the piano any more? Of course you can......." ---------------------------------------------- #thesimpsonstattoo #thesimpsons #simpsonstattoo #simpsons #tattoo #moe #inked #tat #tattyslip #simpsonsfan #homer #bart #lisa #maggie #marge #mattgroening #futurama #cartoontattoo #cartoontats #epictattoo #simpsonstat

@truebluetattooaustralia "Yes....." ---------------------------------------------- #thesimpsonstattoo #thesimpsons #simpsonstattoo #simpsons #tattoo #moe #inked #tat #tattyslip #simpsonsfan #homer #bart #lisa #maggie #marge #mattgroening #futurama #cartoontattoo #cartoontats #epictattoo #simpsonstat

I had said at least two times this week that “game changers” rarely happen. Single events or revelations rarely upend presidential elections, which tend to be decided by more structural forces instead, such as political partisanship and the state of the economy. And then, on Friday, the Washington Post’s David Fahrenthold revealed a video recording of Donald Trump making crude and vulgar comments about women — and the way rich men can treat them. The response to the Trump tape suggests that we might be seeing a real change in the political landscape. “Game change” moments are few and far between, and Hillary Clinton was already leading Trump pretty comfortably in national and swing state polls. But what might make the Trump tape have more of an impact than previous Trump controversies?

The content

This is the most obvious possibility. Many commentators have hastened to point out that the remarks were not just “lewd” or suggestive — they advocated sexual assault. The recording shows Trump doing several things presidential candidates aren’t supposed to do: treat fellow humans like they’re objects, talk about doing something illegal, encouraging others to break the law.

Relying on the content as an explanation is challenging in this election, though. Trump’s willingness to insult women was apparent at the first primary debate in August 2015 and has been evident on many occasions since then. What one voter called “volatility” is also part of Trump’s political persona. Writing about what makes political scandals stick in 2008, my colleague Nate Silver pointed out that the most potent scandals reinforce a “core negative perception about the candidate, particularly one that had henceforth been difficult to articulate” — but not a perception that’s already received so much coverage that “little further damage can be done.” The implication is somewhat counterintuitive: “Game change” moments are not surprising; rather, they confirm what we already suspected or even pretty much knew, but in ways that have new implications for the campaign. John McCain’s selection of Sarah Palin as his running mate in 2008 fits this model — there were doubts about McCain’s judgment, and then he selected a running mate who wasn’t well prepared or vetted. Trump’s comments in the video reveal a willingness to violate social norms — and fellow human beings — that goes beyond what the candidate has said before. But given the apparently flimsy role of norms this year, will this be enough to change the trajectory of the election?

Timing and context

Much of the literature on campaign effects in U.S. presidential elections points to two findings. First, the main role of campaigns is what political scientists call “partisan activation.” This means that media coverage, candidate speeches, debates and advertising help voters identify the candidate who matches their preferences on the issues — the campaign doesn’t persuade people to switch political sides so much as make clear which candidate is already on their side. The second contribution is about timing: Partisan activation happens over the course of the campaign, so by October, voters start to make up their minds, with less potential for major shifts in support.

One of the things that’s been most remarkable about this campaign is that despite the unconventional Republican nominee, these familiar dynamics have been evident. Partisan activation has so far worked reasonably well for Trump, with initially reluctant Republican voters, reminded of their disagreements with Clinton, declaring their intent to vote for the party nominee.

Where does Friday’s revelation fit into this? It’s early October, with both conventions down and two debates in the books with two to go. Much of the partisan activation that’s going to happen has already happened. Still, for the campaigns and lower-information voters, who may be just tuning in, this is an intense time. And for high-information voters, political journalists and other people who have been paying attention to the campaign for a long time, we’re at the point where it’s become a bit of a slog. Anything resembling a real campaign development is unexpected and welcome for this second group. This could prove a potent combination. It offers a new and salacious story just as the final stage of the campaign ramps up.

Party factors

The typical “game change” narrative usually describes an interaction among media, candidates and voters. But if the Trump tape proves to change the course of the election, it will probably be a party story. Elected Republicans have largely hopped aboard the Trump bandwagon, but many prominent officials did so reluctantly. House Speaker Paul Ryan and Republican National Committee Chairman Reince Priebus, for example, endorsed Trump only after several meetings. Ryan was supposed to appear with Trump for the first time at a campaign event this weekend in Wisconsin. That’s not happening anymore. Ryan and Priebus have condemned Trump’s comments.

Historically — though we don’t have a lot of instances to draw from — politicians are really in trouble when their parties turn on them. Losing support from his own party was part of what led to President Richard Nixon’s resignation as the Watergate scandal worsened. In contrast, Democrats generally stuck with Bill Clinton during his impeachment hearing in the late 1990s. What was the difference between these two situations? A combination of conscience and political calculation, as usual, shaped politicians’ response. Republican and Democratic legislators alike received constituent mail about Watergate, mostly urging Nixon’s removal. Clinton, in contrast, remained fairly popular with the public through his impeachment proceedings.

Just as Republican members of Congress abandoned Nixon and called for his resignation, a few top Republicans have withdrawn their support for the 2016 ticket, including Utah Rep. Jason Chaffetz. Several of these officials have also called for Trump to leave the race. New Hampshire Sen. Kelly Ayotte has announced her intention to write in Mike Pence when she votes in November. But at the time of this writing, major party leaders had not withdrawn their endorsements.

Of course, this isn’t Watergate, and Trump isn’t a sitting president. If Trump bows out, Gerald Ford won’t become president, Hillary Clinton (most likely) will. That undoubtedly changes the messages Republican leaders will hear from their constituents — and their own sense of the right thing to do. FiveThirtyEight contributor Daniel Nichanian is keeping a list of Republican positions on Trump, and so far the balance is toward denouncing the remarks but not withdrawing support. Whether that remains the course most GOP officials take or whether there’s a more wholesale abandonment of Trump will go a long way toward determining how much of an effect the Trump tape has on the race. After Trump won the nomination, there was some noise about focusing on the down-ballot races and pulling back from the presidential contest, and maybe that’s what will happen now.

Nevertheless, when the game is this partisan, it resists change. Because the election is close and the nominee is already controversial — more than 50 percent of the Republican primary electorate voted for someone else — GOP leaders could make a big difference in Trump’s electoral support. Signals from people like Ryan and other elected Republicans play a role in partisan activation. But for precisely this reason, they may choose not to pull the plug on him entirely.

Bicycle culture

Link

@barrettfiser We love seeing friendship tattoos. This set is on @cory73 and @porteredge Part 2 ---------------------------------------------- #thesimpsonstattoo #thesimpsons #simpsonstattoo #simpsons #tattoo #moe #inked #tat #tattyslip #simpsonsfan #homer #bart #lisa #maggie #marge #mattgroening #futurama #cartoontattoo #cartoontats #epictattoo #simpsonstat

@barrettfiser We love seeing friendship tattoos. This set is on @cory73 and @porteredge Part 1 ---------------------------------------------- #thesimpsonstattoo #thesimpsons #simpsonstattoo #simpsons #tattoo #moe #inked #tat #tattyslip #simpsonsfan #homer #bart #lisa #maggie #marge #mattgroening #futurama #cartoontattoo #cartoontats #epictattoo #simpsonstat

“i need you to train me how to do the job i’m hiring you for so i understand what it is we do here”

have a great weekend

rules are for other people!

what about my need to not observe the behaviors that form a society when they inconvenience me

@missmelissatattooer "Why was I programmed to feel pain...." ---------------------------------------------- #thesimpsonstattoo #thesimpsons #simpsonstattoo #simpsons #tattoo #moe #inked #tat #tattyslip #simpsonsfan #homer #bart #lisa #maggie #marge #mattgroening #futurama #cartoontattoo #cartoontats #epictattoo #simpsonstat

A recent ping from a reader reminded me that I’ve been meaning to blog about the security limitations of using cell phone text messages for two-factor authentication online. The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

Mark Cobb, a computer technician in Reno, Nev., said had his daughter fallen for the ruse, her Gmail account would indeed have been completely compromised, and she really would have been locked out of her account because the crooks would have changed her password straight away.

Cobb’s daughter received the scam text message because she’d enabled 2-factor authentication on her Gmail account, selecting the option to have Google request that she enter a 6-digit code texted to her cell phone each time it detects a login from an unknown computer or location (in practice, the code is to be entered on the Gmail site, not sent in any kind of texted or emailed reply).

In this case, the thieves already had her password — most likely because she re-used it on some other site that got hacked. Cobb says he and his daughter believe her mobile number and password may have been exposed as part of the 2012 breach at LinkedIn.

In any case, the crooks were priming her to expect a code and to repeat it back to them because that code was the only thing standing in the way of their seizing control over her account. And they could control when Google would send the code to her phone because Google would do this as soon as they tried to log in using her username and password. Indeed, the timing aspect of this attack helps make it more believable to the target.

This is a fairly clever — if not novel — attack, and it’s one I’d wager would likely fool a decent percentage of users who have enabled text messages as a form of two-factor authentication. Certainly, text messaging is far from the strongest form of 2-factor authentication, but it is better than allowing a login with nothing more than a username and password, as this scam illustrates.

Nevertheless, text messaging codes to users isn’t the safest way to do two-factor authentication, even if some entities — like the U.S. Social Security Administration and Sony’s Playstation network — are just getting around to offering two-factor via SMS.

But don’t take my word for it. That’s according to the National Institute of Standards and Technology (NIST), which recently issued new proposed digital authentication guidelines urging organizations to favor other forms of two-factor — such as time-base one-time passwords generated by mobile apps — over text messaging. By the way, NIST is seeking feedback on these recommendations.

If anyone’s interested, Sophos’s Naked Security blog has a very readable breakdown of what’s new in the NIST guidelines. Among my favorite highlights is this broad directive: Favor the user.

“To begin with, make your password policies user friendly and put the burden on the verifier when possible,” Sophos’s Chester Wisniewski writes. “In other words, we need to stop asking users to do things that aren’t actually improving security.” Like expiring passwords and making users change them frequently, for example.

Okay, so the geeks-in-chief are saying it’s time to move away from texting as a form of 2-factor authentication. And, of course, they’re right, because text messages are a lot like email, in that it’s difficult to tell who really sent the message, and the message itself is sent in plain text — i.e. is readable by anyone who happens to be lurking in the middle.

But security experts and many technology enthusiasts have a tendency to think that everyone should see the world through the lens of security, whereas most mere mortal users just want to get on with their lives and are perfectly content to use the same password across multiple sites — regardless of how many times they’re told not to do so.

Indeed, while many more companies now offer some form of two-factor authentication than did two or three years ago — consumer adoption of this core security feature remains seriously lacking. For example, the head of security at Dropbox recently told KrebsOnSecurity that less than one percent of its user base of 500 million registered users had chosen to turn on 2-factor authentication for their accounts. And Dropbox isn’t exactly a Johnny-come-lately to the 2-factor party: It has been offering 2-factor logins for a full four years now.

I doubt Dropbox is somehow an aberration in this regard, and it seems likely that other services also suffer from single-digit two-factor adoption rates. But if more consumers haven’t enabled two-factor options, it’s probably because a) it’s still optional and b) it still demands too much caring and understanding from the user about what’s going on and how these security systems can be subverted.

Personally, I favor app-based time-based one-time password (TOTP) systems like Google Authenticator, which continuously auto-generates a unique code via a mobile-based app.

Google recently went a step further along the lines of where I’d like to see two-factor headed across the board, by debuting a new “push” authentication system that generates a prompt on the user’s mobile device that users need to tap to approve login requests. This is very similar to another push-based two-factor system I’ve long used and trusted — from Duo Security [full disclosure: Duo is an advertiser on this site].

For a comprehensive breakdown of which online services offer two-factor authentication and of what type, check out twofactorauth.org. And bear in mind that even if text-based authentication is all that’s offered, that’s still better than nothing. What’s more, it’s still probably more security than the majority of the planet has protecting their accounts.

The massive data breach at the U.S. Office of Personnel Management (OPM) that exposed background investigations and fingerprint data on millions of Americans was the result of a cascading series of cybersecurity blunders from the agency’s senior leadership on down to the outdated technology used to secure the sensitive data, according to a lengthy report released today by a key government oversight panel.

The 241-page analysis, commissioned by the U.S. House Oversight & Government Reform Committee, blames OPM for jeopardizing U.S. national security for more than a generation.

The report offers perhaps the most exhaustive accounting and timeline of the breach since it was first publicly disclosed in mid-2015. According to the document, the lax state of OPM’s information security left the agency’s information systems exposed for any experienced hacker to infiltrate and compromise.

“The agency’s senior leadership failed to fully comprehend the extent of the compromise, allowing the hackers to remove manuals and other sensitive materials that essentially provided a roadmap to the OPM IT environment and key users for potential compromise,” the report charges.

Probably the most incisive portion of the assessment is the timeline of major events in the breach, which details a series of miscalculations on the part of the OPM leadership. The analysis paints the picture of a chronic — almost willful — underestimation by senior leadership at OPM about the seriousness of the threat facing the agency, until it was too late.

According to the report, the OPM first learned something was amiss on March 20, 2014, when the US-CERT notified the agency of data being exfiltrated from its network. In the ensuing weeks, OPM worked with US-CERT to implement a strategy to monitor the attackers’ movements to gather counterintelligence.

The only problem with this plan, according to the panel, was that the agency erroneously believed it had cornered the intruder. However, the hacker that OPM and US-CERT had eyes on wasn’t alone. While OPM monitored the first hacker [referred to in the report only as Hacker X1] on May 7, 2014 another hacker posed as an employee of an OPM contractor (Keypoint) performing background investigations. That intruder, referred to as Hacker X2, used the contractor’s OPM credentials to log into the OPM system, install malware and create a backdoor to the network.

As the agency monitored Hacker X1’s movements through the network, the committee found, it noticed hacker X1 was getting dangerously close to the security clearance background information. OPM, in conjunction with DHS, quickly developed a plan to kick Hacker X1 out of its system. It termed this remediation “the Big Bang.” At the time, the agency was confident the planned remediation effort on May 27, 2014 eliminated Hacker X1’s foothold on their systems.

The decision to execute the Big Bang plan was made after OPM observed the attacker load keystroke logging malware onto the workstations of several database administrators, the panel found.

“But Hacker X2, who had successfully established a foothold on OPM’s systems and had not been detected due to gaps in OPM’s security posture, remained in OPM’s systems post-Big Bang,” the report notes.

On June 5, malware was successfully installed on a KeyPoint Web server. After that, X2 moved around OPM’s system until July 29, 2014, when the intruders registered opmlearning.org — a domain the attackers used as a command-and-control center to manage their malware operations.

Beginning in July through August 2014, the Hacker X2 exfiltrated the security clearance background investigation files. Then in December 2014, 4.2 million personnel records were exfiltrated.

On March 3, 2015, wdc-news-post[dot]com was registered by the attackers, who used it as a command-and-control network. On March 26, 2015, the intruders begin stealing fingerprint data.

The committee found that had the OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft.

For example, “OPM’s adoption of two-factor authentication for remote logons in early 2015, which had long been required of federal agencies, would have precluded continued access by the intruder into the OPM network,” the panel concluded.

Unfortunately, the exact details on how and when the attackers gained entry and established a persistent presence in OPM’s network are not entirely clear, the committee charges.

“This is in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems,” the report notes. “The data breach by Hacker X1 in 2014 should have sounded a high level, multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data. It wasn’t until April 15, 2015 that the OPM identified the first indicator that its systems were compromised by Hacker X2.”

The information stolen in the breach included detailed files and personal background reports on more than 21.5 million individuals, and fingerprint data on 5.6 million of these individuals. Those security clearance background reports often included extremely sensitive information, such as whether applicants had consulted with a health care professional regarding an emotional or mental health condition; illegally used any drugs or controlled substances; experienced financial problems due to gambling.

The intrusion, widely attributed to hackers working with the Chinese government, likely pointed out which federal employees working for the U.S. State Department were actually spies trained by the U.S. Central Intelligence Agency. That’s because — unlike most federal agencies — the CIA conducted its own background checks on potential employees, and did not manage the process through the OPM.

As The Washington Post pointed out in September 2015, the CIA ended up pulling a number of officers from its embassy in Beijing in the wake of the OPM breach, mainly because the data leaked in the intrusion would have let the Chinese government work out which State Department employees stationed there were not listed in the background check data stolen from the OPM.

As bad and as total as the OPM breach has been, it’s remarkable how few security experts I’ve heard raise the issue of what might be at stake if the OPM plunderers had not simply stolen data, but also manipulated it.

Not long after congressional hearings began on the OPM breach, I heard from a source in the U.S. intelligence community who wondered why nobody was asking this question: If the attackers could steal all of this sensitive data and go undetected for so long, could they not also have granted security clearances to people who not only didn’t actually warrant them, but who might have been recruited in advance to work for the attackers? To this date, I’ve not heard a good answer to this question.

A copy of the 110 mb report is available here (PDF).

​when did my parents let me cross the road 

(when i was 20 years old)!!!

Pew, pew…