Photographs taken by Reuters during a congressional hearing on Wednesday showed the US attorney general, Pam Bondi, holding a document titled “Jayapal Pramila Search History”, listing files that the Democratic US representative Pramila Jayapal had accessed during her review of the Epstein materials.
“DoJ has extended Congress the opportunity to review unredacted documents in the Epstein files,” a justice department spokesperson said in a statement. “As part of that review, DoJ logs all searches made on its systems to protect against the release of victim information.”
“There is someone or two people from the [justice department] monitoring you as you sit on those computers,” Mace told NPR. “There is a tech person who logs you into the computer. They log you into the computer because they’re giving you your own identification. They are tracking all of the documents that members of Congress open, and they’re tracking everything that you do in that room.”
I think it would be really big news if they suddenly stopped trying to play dirty.
Looks to me like the ‘confidential peek’ was essentially a honeypot so the DOJ would understand better what the House is interested in.
This is intra-governmental warfare which is typical for an empire that in a ‘collapse-in-progress’ state.
There have to be other governments who have partial datasets of this. Once Five-Eyes collapses entirely, that information might begin to leak.
Tracking all of that is basic information security. I would be surprised if they didn’t have that tracked for every user login at the DoJ. Especially if anyone outside the organization is given access.
Everything our vendors do in the system at work is tracked. The DoJ not doing that would be actual news.
The root issue isn’t that there is tracking, it’s that the DOJ can’t be trusted anymore in any way.
To me this is extreme, especially since the files made available to Congress are still not completely redacted, and even then, according to Nancy Mace, they have someone else type in credentials for the user (absolutely NOT infosec best practice, lol) and then watch over the user’s shoulder visually observing everything they access, in addition to whatever basic auditing (access logging) is already taking place.
From Jamie Raskin’s statement on the matter:
The Department of Justice has required Members of Congress who wish to review the slightly-less-redacted Epstein files to travel to a DOJ annex, sit at one of four DOJ-owned computers, use a clunky and convoluted software system provided by DOJ, and search for and read documents while DOJ staffers look over our shoulders. It is the perfect set up for DOJ to spy on Members’ review, monitoring, recording, and logging every document we choose to pull up.
Again, these are still-redacted, unclassified documents. Basic auditing – what I believe you are referring to – is and remains unquestioned. To me, this tracking goes way beyond basic infosec, and that is proven by its immediate assembly into individual reports on each member for use in the hearing.
To me, this tracking goes way beyond basic infosec, and that is proven by its immediate assembly into individual reports on each member for use in the hearing.
Not really. If their document management system is designed to use individual accounts for everyone, which would be a basic function… Making an account for each lawmaker would be standard practice. And pulling a report of what a user accessed would almost certainly be a basic function as well.
Those are both basic functionality of every document management system robust enough for even medium sized businesses, we don’t even have to get to something as large as the DOJ. They aren’t running something like a paperless-ngx instance.
I think you may be misunderstanding me. There are actual infosec protocols and standards involved, well-defined best practices, not just guesses.
Third party use of user credentials invalidates the entire tracking process, as does allowing/mandating visual observation of the resources accessed.
In both events, the resources are not actually being accessed by the person tracked. So while you talk about creating a user account for each lawmaker (standard) and creating a report of their resource usage (standard), in reality information security has already been breached three times. First, by not giving the credentials to the user and making the user responsible for seeing to their privacy. Secondly, by the third party that typed in the credentials for the user. Thirdly, by the observing party who visually accessed the resources in tandem with the user.
That’s not standard at all, it’s complete shit. And worse still, it killed the legitimacy of any real auditing.
I’ll explain. Let’s say I’m Raskin, and I jumped through these hoops to see these files. Okay, fine, I saw them and went home. But now it’s next week, and suddenly I am being accused of selling information I saw in the files to a media outlet, except I never saw these other files. They weren’t in the set I personally looked at.
Pull your auditing and tell me how far it gets you now. You won’t have any idea who really pulled those extra files, or even if they were pulled at all.
That’s why it’s not even basic information security.
EDITED TO ADD: that’s not even a software generated report. Looking at the actual picture of Pramila Jayapal’s EFTA searches, it is a hand typed list with descriptors and even an EFTA number typo. The fifth item, the list of Epstein’s victims, is EFTA211240, not EFTA211214.