Cybersecurity

And the Winner of Lawfare's "Most Interesting Database to Hack" Contest Is ...

By Paul Rosenzweig, Benjamin Wittes
Tuesday, August 11, 2015, 4:20 PM

When we announced our contest to pick the best US database for the Chinese PLA to hack, little did we know that we would get so many interesting, and indeed scary, entries. The possibilities were so many and so varied that we decided to seek our readers' input on whom we should choose as the winner. And you were interested! We got more than 75 votes registered in the reader poll from 40 unique respondents (you were able to vote for more than one entry). Before announcing a winner, we wanted to say a special word of thanks to everyone who participated—both to those who submitted entries and to those who voted on them. As we said earlier, the contest was designed both to be amusing and to alert concerned database managers and counter-intelligence officials to take note of the specific databases mentioned and, more broadly, of the possibility that unclassified databases may, notwithstanding the lack of classification, be intelligence targets.

With that introduction, on to the judging: We can't say what your criteria for choice were, but we can tell you what our (admittedly subjective) criteria were. We were looking for a database that was a high-value target; unclassified; somewhat unexpected in nature; and with a bit of a "wow" factor to it.

The good news is that our criteria matched the crowd source pretty well. We each named our top choices, and two of them were on both Ben's and Paul's lists. Remarkably (or maybe not), one of those two was also the top choice of our readers—and by an overwhelming margin. One database was named on 40 percent of the ballots and was also on both of our lists. So the first prize (dinner with us at a mutually convenient time) goes to the military national security lawyer (not named, but you know who you are) who suggested:

  • Defense Enrollment Eligibility Reporting System (DEERS) - A worldwide, computerized database of uniformed service members, their family members, and others (including retirees) who are eligible for military benefits. This one is the key to the military kingdom. It is the one database that any Special Operator or military person working under cover, whether for DoD or another agency, is absolutely listed under true name and details because otherwise their family will not receive healthcare, ID card, commissary/exchange privileges, etc.

After some cogitation, we have also decided to offer a second prize (drinks with us—we buy the first couple of rounds) to an honorable mention that got a significant vote total and also, frankly, tickled our fancy. We offer drinks to the unnamed submitter who offered:

  • The Defense Department - Outlook Global Address Book – This database contains the email address of anyone with a CAC and a military email address. That includes even short-term workers in non-sensitive positions/organizations. Talk about a "phishers" delight.

Both winners are invited to get in touch with Paul at psrosenzweig@lawfareblog.com.