Union: Hackers have personnel data on every federal employee



Winehole23
06-12-2015, 12:40 AM
Hackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, asserting that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged.

http://bigstory.ap.org/article/af77f567a4b74f128a4869031dc9add9/union-hackers-have-personnel-data-every-federal-employee

Winehole23
06-12-2015, 12:47 AM
for better and for worse, Citizens United allows unions to spend unlimitedly on issue ads, just like Super PACs. unions have protected political speech rights just like corporations now.

boutons_deux
06-12-2015, 05:24 AM
for better and for worse, Citizens United allows unions to spend unlimitedly on issue ads, just like Super PACs. unions have protected political speech rights just like corporations now.

VRWC has busted the unions, who can't "speak" nearly as loudly as BigCorp and billionaires can "speak", just as the decades-long VRWC strategy has planned.

boutons_deux
06-23-2015, 07:27 PM
Why the Federal Government Sucks at Cyber Security

Veracode, based in Burlington, Mass., runs a cloud-based service that audits the source code (http://recode.net/2014/03/17/seven-questions-on-software-security-for-veracodes-chris-wysopal/) of software applications for security vulnerabilities. The report documents the results of these scans carried out over the course of 18 months, ending in March, of 208,670 applications for its customers in both the private and government sectors. And it doesn’t make government IT managers look good.

The firm examined how often software used by its customers contained security flaws, how often those applications complied with widely accepted security standards, and how often vulnerabilities were fixed.

The company found that Web applications in use by federal agencies failed to comply with security standards 76 percent of the time. The standards, created by the nonprofit Open Web Application Security Project (https://www.owasp.org/index.php/Main_Page), are widely used across the Web. By comparison it found that the financial services industry complies with OWASP 42 percent of the time.

It gets worse: Veracode also measured how often and how quickly software security flaws are fixed after they’re found. During the 18 months covered by the report, Veracode discovered a total of 6.9 million security flaws, of which its customers fixed 4.7 million. But when you break down the tendency to fix those flaws by industry, government agencies ranked dead last again. Veracode found the agencies patched the flaws found in their software only 27 percent of the time. By comparison, companies in the manufacturing sector fixed their flaws 81 percent of the time.

Why aren’t government agencies fixing their flaws? Because no one is requiring them to do so, says Veracode CTO Chris Wysopal. “They don’t fix them because there’s no regulation or compliance rules that require it,” he said in an interview with Re/code.

Additionally, government agencies often work with outside contractors to build their software or to deploy commercial software, Wysopal said. Often when security problems are discovered, government contracts don’t specifically require that the contractor fix the problem.

Government agencies tend to follow what IT pros call a policy-based approach to computer security, where agencies check off a list of requirements set by lawmakers and regulators that they have to follow. Private companies typically do the same thing, but they also add to their mix a risk-based approach. “With a risk-based approach, you look at what you have that attackers might want and what’s in place to stop them,” Wysopal said. “Both approaches are valid, but everyone should do both.”

And sadly, none of this is news in government circles. An April report by the Government Accountability Office (http://www.gao.gov/products/GAO-15-573T) found that the number of security incidents at federal agencies grew from 5,500 in 2006 to more than 67,000 last year. And the number of security incidents that involved personal information of either employees or other people rose from about 10,500 to nearly 28,000 in 2014.

http://recode.net/2015/06/23/why-the-federal-government-sucks-at-cybersecurity/