Domain: fcw.com
Stories and comments across the archive that link to fcw.com.
Comments · 124
-
Re:We need FBI back on clearance duty
That's old information. The National Background Investigations Bureau has done most of the background investigations for a while, but NBIB is now moving that entire function to be part of the DoD.
-
No API, no verification, no auth, no lost rights
If you want to use your credit card to verify you know a name that matches a number and maybe two other numbers and a checksum, good for you. Any credit card processor will verify it for you *AND* if you're not a customer of one you can just go try and buy ANYTHING online and if the credit card checks out you can go and use it.
Government IDs are different and the systems that can verify them run everything from C# to Ada to Cobol. https://fcw.com/articles/2013/...
There are -no- APIs to allow anyone to verify them, but moreover there won't be any APIs because OUR government doesn't want FOREIGN governments to be able to verify passports, SSNs, IDs, etc. That same "concern" is shared by most every other country in the world. So right there you can kiss API verification goodbye.
Where does that leave us? Public-key? No... because that's not either
a) Government provided (read "verified and if they don't like you you can't have one")
b) Government authenticated (read "if you piss them off it won't verify" think Assange, Snowden, Aaron Swartz, or ANYONE accused of a crime)
So given that governments won't provide an API, and we the free people don't want our ability to interact on the Internet taken away by
a) conscious act of government not wanting to auth you ... or
b) government can't run a server well and it's not able to auth you ... or
c) the contractor doing upgrades takes it down 6 hours each Sunday morning like some F** database servers...
this is a nonstarter.
-
Great topic. Poor execution.
Government and the technical augmentation or automation thereof is a fascinating source of ideas and issues, philosophical and economic. But the OP's choice of a term like "Big Government" seeks to attract only lightweight libertarians and nattering neocons who are blissfully transfixed by antiseptic fantasies like meritocracy and Big Bad Bureaucracy.
Why discuss flamebait? Let's ask a better question.
Can AI/tech improve or replace government? Can it help us to focus better on issues rather than politics? Might tech help us to make concrete measurable progress toward achieving specific goals, improve administrative efficiency, and minimize the role of gov't in our lives? Yes, I'm convinced that it can, and I'd love to discuss it. But the OP's simplistic article won't inspire that level of discourse here and now.
For a better start on this topic, I recommend:
"Automating Easy Government Solutions with Machine Learning"
https://18f.gsa.gov/2015/11/18...
"Why Government Managers Need to Know About Machine Learning"
http://datasmart.ash.harvard.e...
"How can government make the most of machine learning systems and avoid the pitfalls?"
http://www.nesta.org.uk/blog/h...
"White House to probe role of AI in government"
https://fcw.com/articles/2016/...
-
Re:As if SMTP were ever secure...
Maybe they just want to receive their emails and know that in the past, DNC servers and systems have been hacked. It's ingenious to say that their private system is automatically less secure than the government servers unless someone is an email security specialist and has knowledge of the two systems -- I'm sure someone on Slashdot will weigh in on this.
;-)
Perhaps with the record of Karl Rove and his operatives' activities on Democratic servers -- I can definitely understand the Clintons' reticence to be on these same servers they've plagued. Doing the business of the state presupposes that all your communications are looked at by friendlies; not that everything you do is looked at in terms to set you up.
I can imagine a scenario where someone from the political opposition can read that you have a meeting with so and so, and can use that against you in some manner. As benign as changing the time of a meeting to making a fraudulent email and leaking it to the press.
Anything can happen if someone else with ill will controls the mail server.
Better to weather the small storm of criticism later, than be naive and pretend that political operatives won't do again what they've done to you in the past.
http://www.dispatch.com/conten...
Anyone remember Mike Connell? http://www.democracynow.org/20...
Former hackers were hired to create the original Diebold voting machines; http://www.dailykos.com/story/...
>> and Anonymous claimed they stopped the voting machines from being manipulated in the last election -- sounds like a quiet political cyber war is going on.
I'm sure to people not involved in politics, they think these are paranoid ramblings like Ross Perot claiming that the Bush crowd was pulling dirty tricks, tapping his conversations, and altering photos of his daughter; http://www.nytimes.com/1992/10...
Ross Perot is a man who used his own money and put his own neck on the line to retrieve kidnapped employees. Like him or not, he seems a bastion of integrity compared to the average politician.
Oh, and let's not forget that the RNC emails went missing;
http://freepress.org/article/a...
Rove's went missing;
http://www.nytimes.com/2007/04...
And Iron Mountain lost emails -- and since their whole business model is storing sensitive data, it's probably one of the few things they've EVER lost;
http://fcw.com/articles/2014/0...
I'm not saying this to excuse a politician from not being transparent -- but I'd think we need to address the fact that dirty tricks are going on, and we need to make sure there are no man-in-the-middle attacks and manipulations of data.
-
Re:Cue Hypocrisy
The Patent Office, in an effort to modernize and attract more talent (you know, accept less salary for your engineering/science degree by working for the government instead of the private sector) implemented a plan to permit people to work from home, and from there to work remotely from the city the Office itself is located at, any city you want (within the 48 contiguous states). This was a natural outgrowth of an earlier (and successful) effort to eliminate paper at the office and work entirely electronically.
The actual source material for the Post article appears to show growing pains that one can reasonably expect from permitting thousands of employees to do their work from home, hundreds or even thousands of miles from the Office (if they qualify). Whereas the Post article seems written intentionally to inflame the reader (for what... maybe to sell more advertising? build cred for the writer?), the source material shows no wide-spread fraud, just your typical employees finding that, with the freedom to work at home, it's real easy to put your work off until deadline and then cram, or not put in the hours you would if you had a supervisor looking into your cubicle each morning. Same shit the private sector has been dealing with for years.
From what I can tell from the source, the management of the PTO is on it, and has been on it at least since the report came out in 2012. The only difference is that, because this is government, it's public and everyone can arm-chair quarterback their asses (probably as they themselves goof off at their terminals at work or from inside their momma's basement), whereas if a private company were going through this, it would be an internal matter and none of your damned business.
The Patent Office performs a function that is crucial; not even the Koch brothers would deny that. Shitting on the whole lot of them because a couple of employees can't handle the freedom of telework is unfair and dishonest, particularly coming from people taking suspiciously long lunch hours to write comments on slashdot
:-| -
Well, it's Bush's fault
The Federal Records Act requires retention of records. That email is a "record" for statutory purposes is a long settled matter. Conducting government business on a system with a retention period of 14 days and no archive is a crime.
It's your banana republic government either deliberately neglecting their obligation to preserve or destroying evidence or both. There aren't any plausible alternatives.
Enjoy.
"Prior to 2011" corresponds to when the Bush administration switched email systems without including an automated archiver.
http://fcw.com/articles/2010/01/19/web-white-house-email-system-details.aspx?m=2
On the other hand, I've worked in NARA and I've worked with Records Officers in cabinet-level agencies and you're smoking some medical grade stuff if you think any but a handful of emails that aren't sent to or from the White House are required by the FRA to be archived.
-
Re:Makes perfect sense
Yes, the article is primarily focused on the lack of electronic data and only briefly mentions the business rules complexity. I was responding to the comment that the business rules were impossible to implement.
The business rules for federal pensions are incredibly complex. Each new wrinkle/law that was passed exponentially increases the number of permutations of rules that need to be handled. There are exceptions on top of exceptions--within exceptions. The inability to implement these business rules was a large factor in the failure of the most recent modernization effort (see link).
-
Oh great. Blame the VA/DOD project on Open Source
I've heard about that awful EHR (Electronic Health Record) integration effort between the Veterans Administration (VA) and the Department of Defense (DoD) for years. It's a failure of a lot of things, but if open source is even on the list of those things, it's low on the list. At the top of the list is dotted lines and bureaucracy, of course. Heck, IT projects often go off the rails, particularly big expensive ones. Let alone one done for the Department of Defense (DoD). And of course, it's not just the DoD, it's also an inter-department collaboration. Doomed for failure, unless it's managed excellently.
It appears that one big reason that this integration project is so hard is because the VA can't compete when it comes to process and bureaucracy. They don't have nearly as large a budget. This quote is telling:
"The iEHR demise was expected by all, accordingly," one VA source said. DOD officials "outspend, outtalk and outlast us at every engagement. We try to emulate much of their process-based decision-making as if we could afford to. We can't. The overhead is crippling, and we are not funded equivalently."
Source: http://fcw.com/articles/2013/05/01/veterans-affairs-trouble.aspx
It pains me to see any IT project that gets out of control and ultimately fails. I hate it even worse when it's the government. As a veteran, I especially hate to see this one. And as an open source user, contributor and advocate, Oracle blaming that massive failure on open source adds insult to injury.
-
Re:Microsoft's approach
If you really need security you wouldn't be using any public cloud service. You'd do it yourself or you'd do it the way the CIA are planning to do: hire others (Amazon or IBM) to build a "private cloud" for them: http://fcw.com/articles/2013/03/18/amazon-cia-cloud.aspx
http://seattletimes.com/html/businesstechnology/2021649799_amazonciaxml.html
So why didn't Microsoft bid for the CIA project and win it?
Whatever it is, public cloud stuff isn't secure enough for a significant amount of the CIA's needs. At least USD600 million worth.
-
Re:They saw this coming for ages...
because of Republican intransigence
NOAA is run by celebrity bureaucrats that gift huge satellite deals to influential contractors that then run up costs. It's gotten so bad inside NOAA that they've banned OIG staff (Office of the Inspector General, the people responsible for oversight of NOAA) from attending Program Management meetings because the IG has recently acquired the nasty habit of investigating NOAA's indifference to cost overruns.
There have been no large budget cuts. Here is the history of NOAA's annual budgets for the past 20 years, transcribed from a series of NOAA budget "blue books", which provide the actual NOAA budget authority enacted by Congress.
(billions)
1993 1.70
1994 1.99
1995 1.96
1996 1.93
1997 1.97
1998 2.05
1999 2.27
2000 2.34
2001 3.09
2002 3.36
2003 3.34
2004 3.74
2005 3.92
2006 3.91
2007 3.90
2008 3.90
2009 4.40
2010 4.70
2011 4.60
2012 4.90
2013 4.93
2014 5.55 (requested)
NOAA has enjoyed generous budgets over a long period of time. They can't afford to launch satellites not because of dah evib repubwikins but because they are failing to govern themselves responsibly.
The NOAA swamp needs to be drained and dupes like you need to check yourselves; you don't know what you're talking about.
-
Re:Same old same old
Whenever a government department is threatened with cuts, they announce that they'll cut front-line staff and not overpaid managers or worthless paper-pushers. That's why government spending expands forever until the economy collapses.
That's not how it works at all. First almost everyone is furloughed, that is, gets unpaid holidays. DoD will furlough their 800,000 civilian employees one day a week starting April 1. So 800,000 will lose 20% of their pay! Other Departments/Agencies may furlough more or less days per week or delay until after April 1. Of course employees don't spend what they don't get and the deductions for health plans and retirement stay the same. AFAIK the furloughs can last only 22 workdays or 30 calendar days and then a RIF (reduction in force) starts automatically. When furloughs will start depends on the financial state of the Federal agency. Some, such as DoD, will start at the earliest time, April 1. The Forest Service (US Dept. of Agriculture) will be able to hold off until 1 May or later, for instance.
The reduction in force list is developed mostly by formula and depends on skills, seniority, military service, etc. I think that most of the lists have been (or are being) compiled but not released. An employee on the RIF list can 'bump' an employee not on the list if the employee is qualified for the position (some other conditions, too) and then that employee can bump someone else and so on. RIFs are expensive in the present but will result in savings in the future.
It should be noted: “relative to the private sector, the federal workforce is less than half the size it was back in the 1950s and 1960s”
http://fcw.com/Articles/2012/09/13/Size-federal-workforce.aspx?Page=2 -
Scare tactics.
Okay, can't watch the youtube video(blocked due to limited bandwidth here), but it let me onto the infowars site.
750M rounds is 2.5 rounds per person in the USA, yes. However: Scare tactics are being used.
First, it's for training ammunition - my training/qualification for the year is at well over 500 rounds between pistol and rifle(~half each). I'm not DHS, but it should be a clue as to how many rounds it takes to train&qualify somebody. It's often an annual requirement.
Second - it's a 'purchase UP TO' order, up to 70M rounds/year, between all winning parties, for a 5 year contract. NOT 'planning to buy 750M rounds of ammo'. Going by the contract, that's a MAX of 350M. The minimum order in a year is 1 lot of 1k rounds. In these sorts of contracts they list the maximum possible they expect for each item - for example, a big purchase of .40S&W handguns, a shift to .357 Sig, whatever. .223 is well represented, though I wonder that they aren't shooting NATO 5.56 spec rifles (the difference is about a human hair; doesn't matter much in training I guess). Going by my figure, a max order of 70M rounds would let you dual-qualify ~140k people. Office types trained 'just in case' would use a bit less ammo, SWAT types far more. A quick search shows 160k employees in DHS. Or maybe it's 188k employees AND 200k contractors. Whatever. I doubt they're going to be qualifying EVERYONE anytime soon, and probably don't plan to short of some crazy doomsday scenarios.
Third - "including 357 mag rounds that are able to penetrate walls." - just about ANY handgun self defense caliber is fully capable of penetrating a wall while remaining potentially lethal. It's a simple fact that a human body, which self defense rounds generally have to be able to completely penetrate to be considered effective, is more difficult to penetrate than 2 sheets of drywall. You want to go back to ye olde days - when the .357 was developed, the standard was actually penetrating a car windscreen with a maximum deflection such that you'd still hit the driver. 9mm, btw, is 'normally' powerful enough for this, though you might need 2 shots (not as big of a deal for a semi), but this was back when we were still issuing revolvers to police. While we're at it, the contract also lists rifle calibers - .223, .30-06, and .308; all far more powerful than .357.
In other words, it's a big hoopla over just about nothing.
-
Cloud First
This is probably related to the "Cloud First" strategy adopted by the outgoing CIO Vivek Kundra. http://fcw.com/articles/2011/02/28/buzz-cloud-computing-and-budget.aspx
-
This is why DoD needs to put a bullet in M$
In 2008 any standard issue Army computer would've...
But were they able to track down and deal with the individual(s) that deployed Microsoft products?
The military procurement procedures produce a solid paper trail even if on some occasions they produce nothing else. Had they deployed properly engineered products rather than brands infamous for bad design the problem would not have arisen. The US Navy will focus on open systems only, if it can stay clear of the old M$ contractors and M$ resellers.
-
US Navy already ditching M$
The U.S. Navy's and Marine Corps' NMCI computing infrastructure is all Windows XP. Let's see whether or not Microsoft withholds a patch from them.
Since 2008, the US Navy will acquire only systems based on open technologies and standards. That excludes M$ products explicitly in every way but name. The TCP/IP being just one example of failure on M$ part to implement standards. US Navy is ditching M$.
They'll probably go with an American company like Red Hat or roll their own spin of Red Hat.
The question remaining is will Bill's father's political connections keep lil Bill out of Camp X-Ray or not? If you've got Windows on your network, then you have a personnel problem, not just a network security problem.
-
this is another us-visit exit pilot
The entry side of this program has been running for years. The exit side was piloted and canceled once before already. This applies only to non US citizens. The purpose of the exit system is to confirm a visa holder adhered to the period the visa was issued for; and that the person who leaves is the same one who entered. The usefulness of this is another issue entirely.
http://en.wikipedia.org/wiki/US_Visit
http://fcw.com/articles/2007/10/18/dhs-to-issue-plan-for-usvisit-exit-program-by-january.aspx -
Does NOT apply to US Citizens
TFA seems to be wrong about this including US citizens. While I think fingerprinting anyone, citizen or not, coming into the country isn't something we should be doing, and certainly not when exiting, the bit about fingerprinting exiting US citizens is found nowhere other than in the article from IT News Australia. The actual DHS press release is very specific that this is a planned extension to US-VISIT and, as such, only applies to non-US-citizens:
Several additional articles all clearly indicating that this applies only to non-citizens:
http://www.fcw.com/Articles/2009/05/27/Web-US-VISIT-pilots.aspx
http://www.nextgov.com/nextgov/ng_20090528_7835.php?oref=rss -
If the DoD Says It's Secure...
Who are you going to believe? The monopolist who sells the most insecure operating system on the planet, or the US Department of Defense, which has some of the highest security requirements anywhere?
DOD launches site to develop open-source software
By Doug Beizer, Jan 30, 2009
link
Defense Department officials have launched a new Web site where developers can work on open-source software projects specifically for DOD, David Mihelcic, the chief technology officer for the Defense Information Systems Agency (DISA), said today.
The new site, named Forge.mil, is based on the public site SourceForge.net which hosts thousands of open-source projects, Mihelcic said at an AFCEA Washington chapter lunch in Arlington, Va.
“It really is SourceForge.net upgraded to meet DOD security requirements,” Mihelcic said.
-
Re:Extremely unprofitable
The population distribution in most of the US is simply not geared toward passenger rail except possibly at the local level
That's not really true. It rarely makes sense to extend light-rail systems beyond the densely packed urban centers, but you're ignoring the old heavy traffic. The layout of our towns, highways, etc are all heavily determined by the paths that the railroads took 150-75 years ago. This hasn't changed, as many of our Interstates were built along similar pathways.
Now, Amtrak may suck, but it's not like there's good competition available. Driving takes every bit as long and already costs far more, and our piss-poor airlines with worse food than a Flying J: Don't even get me started on the Fly America Act and even greater sins our government commits in their favor.
If we had new rail-systems and new stations (with ZipCar and other car rental companies etc. colocated thereupon), they might very well be able to perform profitably. Let foreigners run 'em, too, so that the food doesn't taste worse than the truck stop food you'd get when driving (which is still better than the nothing-to-ramen spectrum on American air carriers), and this may very well be worthwhile. If speedy rail systems can be built that are fast enough and substantially more environmentally sound, we might even consider taxing competing air routes to subsidize them in an effort to meet soon-to-be-adopted CO2 emissions goals. Of course you may wish to hold off until after opening them up to all comers to knock the price down an equivalent amount.
Regardless, I'd assert that there is a market for a competently run Amtrak with maglevs et al or, better yet, multiple competing private firms. We just don't see it right now because the Amtrak service is (marginally) worse than the (insanely bad) domestic airlines. If we can restore service to all the cities over the million-person mark, I think they'd do just fine.
They just can't compete as long as:
1: They're as slow as a car
2: They serve worse food than truck stops (like the airlines)
3: They fail to advertise and compete aggressively due to lack of real market pressure
4: They fail to service many large cities
Still, that's half the point of the above. Look beyond light rail - The car manufacturers can make a lot of money regearing to deal with the above issues. If they're going to be bailed out with taxpayer money anyway, perhaps we should lead them in this cheaper and more fuel-efficient direction.
-
Re:.gov?
Obama, like every president elect, now has offices in the General Services Administration.
So, yeah, that's a part of the government.
-
Re:USAF Cyber-Command Demoted Relation
Also: http://www.fcw.com/online/news/154063-1.html The government officially has begun to formulate a national research and development agenda for “game-changing ideas” as part of the multiyear, multibillion-dollar, governmentwide effort to secure cyberspace through the Comprehensive National Cybersecurity Initiative (CNCI).
-
It's not Japan?
I always thought that Japan has been the leader in IPv6 deployment for quite a while now considering that the Japanese government is backing IPv6.
-
Is CyberCommand pointless????
Well, it's nice to see the US military answering questions every kid wants answers to. Slashdot users, however, prefer a little more substance.
Firstly, the idea of a CyberCommand, that is, one or two locations that will control the response to a cyber attack, appears to be a little weak. The Internet was designed to be de-centralised for a reason, so that it would be resilient against any form of attack. All it takes is for these buildings to have their comms links destroyed and instantly they become completely useless. Failing back to some form of mobile wireless can be ruled out if the attackers leave devices that use those networks as triggers. Mobile sat units would leave people very exposed and the operators would have limited capabilities.
What exists to prevent this?
Security through obscurity is a questionable practice. Any sufficiently large organisation would know the locations of CyberCommand centers and fallback plans. So, there is not much point in hiding it from public view.
As CyberCommand would be a priority target, what are the fallback options?
What happens to critical networks once CyberCommand is gone?
I suppose the big question is, is there a point to a CyberCommand?
Would it not be better to have numerous state level command centers, totalling somewhere in the region of 500-1000 separate offices, each with the same capability? This would provide greater regional focus and redundancy options when dealing with real-time threats. In addition, long-term security planning for critical infrastructure and security planning/DR for regional government would be better served with such a de-centralised approach.
In terms of what has been advertised about CyberCommand, I have read the following:
"The director of the Air Force's Cyber Task Force said the United States can work to defeat terrorists by disrupting their radio-controlled improvised explosive devices, the satellite communications they use for planning attacks and the Web sites they create for training and recruiting."
http://www.fcw.com/print/12_41/news/96791-1.html
The radio jamming is already done on a daily basis, bombers just switch to different trigger mechanisms and as for satellite comms, well, it's easier to make a phone call, send an email or make a comment on a specific website. These examples don't require a CyberCommand, they also fall under the domain of other groups such as SigInt, etc.
So, really, what we're left with in terms of a CyberCommand is a bunch of script kiddies hacking websites to shut them down, some Cisco guys to block off net ranges, patching routers/firewalls, etc., some telco guys routing traffic and some coders to examine captured spyware/trojans/viruses. To enable this CyberCommand to function, the US would need to build the equivalent of the Great Firewall of China at either the telco level, or route all International links through a centralised command center and perform the filtering there. This would introduce a single point of failure, even if it was spread across numerous locations.
Beyond PR, I don't see how a CyberCommand could function in any manner that would strengthen US security, other than a completely decentralised model. Since it will have around 25,000 people operating out of 8th Air Force at Barksdale Air Force Base, it sounds like this idea has not been fully thought through.
-
The trouble started when they migrated from Notes
" Mr. ISSA. Okay. So here we have a situation where the Clinton Administration is on a platform that has to be phased out. Simply, they lost the war of who is going to supply emails. A period of time goes on in which Yes, we are dealing, to Dr. Weinstein's concern, with getting good archives, but we are also dealing with the fact that I can't play my Betamax tapes any more, either, and I can't seem to find anybody who has a Betamax player any more."
Maybe Mr Issa should look here. And Republicans are the ones who lose wars these days.
Meanwhile, the General Services Administration just saved a million bucks of taxpayers money with Notes. -
Gubmint
Actually, the U.S. Government is beginning to roll out IPv6 now, internally.
They have even cloned a bunch of IPv6 evangelists to convince PHB types. -
Re:China ?
Dunno what the word on the street in the EU is, but around these parts, it's pretty well known that China is doing their best to use the web to exploit anything and everything they can. There are also numerous examples of attacks widely suspected to be sponsored by the Chinese gov on US agencies, including the military. On top of that, it was only a couple of months ago that the UK's MI5 issued a warning that China was actively targeting European financial and oil firms for web-based espionage! Maybe you should stop watching Fox News and start paying attention to your IDS logs . . .
-
Re:UKUSA Community
The US government makes quite extensive use of open source software. In the Intelligence Community alone, some of the examples of open source software in use on Intelink, the IC's three networks that run at UNCLASSIFIED, SECRET, and TOP SECRET/SCI levels:
- LAMP (Linux, apache, PHP, MySQL) stacks to support a wide variety of applications, such as some below
- MediaWiki powers Intellipedia, the highly successful wikis that run on the three iterations of Intelink
- phpBB powers Intelink Forums
- WordPress MU enables the current generation of Intelink Blogs
- Jabber provides the IC-wide Intelink Instant Messaging
- tag|Connect is a social bookmarking tool based on del.icio.us
- Zimbra powers the uGov Collaboration Suite
- RSS, XML, and other open standards are used extensively
- ...and much more
These services are run in robust, highly available environments, and have gotten great support within various IC components. In fact, much of the social software movement within the IC is reliant on open source software and open standards, and they have been embraced. For a great overview of what the IC is doing with social software, see:
- 'The Intellipedians' The social software movement within the U.S. Intelligence Community, Federal Computer Week, 16 August 2007
And if you don't want to sit through the presentation (it is a bit long, though quite good), see:
- Open-Source Spying, New York Times Magazine, 3 December 2006
- A Wikipedia of Secrets, Washington Post, 5 November 2006
And on the newest initiative, A-Space:
- Logged In and Sharing Gossip, er, Intelligence, New York Times, 2 September 2007
- Classified social-networking system promises to help U.S. spies talk, collaborate, Associated Press, 5 September 2007
Some of the articles are a little over-simplified, but the reality is that social software running on open source platforms and environments is taking off in the Intelligence Community. -
Re:government helping FOSS
In the 21st century, you do have to worry about cyberattacks. The DHS uses some of these tools, and it is a Good Thing (tm) they are making them more secure. They help proprietary software vendors too, the difference is that with OSS everyone benefits.
-
Link to original document
The original DoD document, "ANNUAL REPORT TO CONGRESS: Military Power of the People's Republic of China 2007", does not contain much on this topic. Searching the document for "cyber" finds only one hit:
China's continued pursuit of area denial and anti-access strategies is expanding from the traditional land, air, and sea dimensions of the modern battlefield to include space and cyber-space.
Searching for "virus" yields one hit, included below.
Information Warfare. There has been much writing on information warfare among China's military thinkers, who indicate a strong conceptual understanding of its methods and uses. For example, a November 2006 Liberation Army Daily commentator argued:
[The] mechanism to get the upper hand of the enemy in a war under conditions of informatization finds prominent expression in whether or not we are capable of using various means to obtain information and of ensuring the effective circulation of information; whether or not we are capable of making full use of the permeability, sharable property, and connection of information to realize the organic merging of materials, energy, and information to form a combined fighting strength; [and,] whether or not we are capable of applying effective means to weaken the enemy side's information superiority and lower the operational efficiency of enemy information equipment.
The PLA is investing in electronic countermeasures, defenses against electronic attack (e.g., electronic and infrared decoys, angle reflectors, and false target generators), and computer network operations (CNO). China's CNO concepts include computer network attack, computer network defense, and computer network exploitation. The PLA sees CNO as critical to achieving "electromagnetic dominance" early in a conflict. Although there is no evidence of a formal Chinese CNO doctrine, PLA theorists have coined the term "Integrated Network Electronic Warfare" to prescribe the use of electronic warfare, CNO, and kinetic strikes to disrupt battlefield network information systems.
The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. In 2005, the PLA began to incorporate offensive CNO into its exercises, primarily in first strikes against enemy networks.
Almost exactly the same article appeared on May 25, 2006 in FCW: "DOD: China fielding cyberattack units."
-
Re:Government Software
I hope you don't expect miracles from 2.1 billion software budget. http://www.fcw.com/article81246
I agree, though replacing hardware and software that's over 30 years old sounds like a good idea. So, I hope it's not wasted money. -
Re:Government Software
I hope you don't expect miracles from 2.1 billion software budget.
http://www.fcw.com/article81246
Senators triple FAA software program's funds
BY Randall Edwards
Oct. 24, 2003
Senators recently approved a 215 percent budget increase for a major software acquisition program of the Federal Aviation Administration even though an inspector general described the project as a high-risk investment.
The Senate's version of the fiscal 2004 Transportation, Treasury and General Government Appropriations bill includes $223.5 million for the FAA's En Route Automation Program (ERAM). That's more than triple the $71 million spent on the project in fiscal 2003.
ERAM is designed to replace hardware and software systems that have monitored high-altitude aircraft through the National Airspace System for more than 30 years. Scheduled for deployment in 27 facilities by 2010, ERAM has an estimated total cost of $2.1 billion.
The Transportation Department's inspector general began auditing ERAM in mid-September and had already issued a Sept. 10 report that criticized the FAA's major modernization programs, including ERAM, for high costs and developmental delays.
Senators approved the ERAM increase despite the Appropriations Committee's disappointment that the FAA's budget request "provides insufficient details for a program of this importance and magnitude."
As a condition of funding, the committee requested that the agency include a detailed explanation of specific ERAM tasks and the associated costs for each within the fiscal 2005 budget.
In its report, the committee pointed out "the potential for dramatic cost escalation if the program is not managed effectively" and cited the FAA's "traditional difficulty with complex, software-related acquisition programs."
ERAM is one of several high-cost FAA projects intended to modernize the air traffic control system. They include the Wide Area Augmentation System, the Standard Terminal Automation Replacement System and the Next-Generation Air/Ground Communication program.
-
How Air Services Australia killed public DAFIF
DAFIF was a free listing of every aviation facility on the planet: runways, airports, navaids, beacons. One day the US NGIA who compiles it pulled the plug on public access. They said some 'foreign content providers' had claimed copyright on their portion of the data. Instead of distributing a partial worldwide database (which would be kind of useless), they thought "screw it" and dropped public access. Not just US citizens lost out on this, but the whole world did.
Who did this affect? Everyone in Aviation.
So who was behind it? They wouldn't say at the time.
Turns out it was these little greasers: Air Services Australia. They did it because they wanted to rip off Australian Aviators, and they couldn't do that while the US made available an aviation database for free. This is one of these government organizations which pretends to 'privatize'. You get these pompous, stuffed-shirt public servants who think they built an organization from the ground up, when they were really handed something built from public money and said 'charge everyone'. So, Air Services Australia: Thanks a lot.
http://www.fcw.com/article91698-12-12-05-Prin
http://en.wikipedia.org/wiki/DAFIF
http://www.airservicesaustralia.com/
Under the USC, the government doesn't copyright its products: citizens already paid to produce them with their taxes. In Australia and Britain, there is a long tradition of fleecing the public. -
How good is IT at the IRS?
I'd imagine that the monitoring around those systems is massive, and the security/setup is top-notch
You'd think so, but what evidence we have doesn't confirm your optimism:
http://www.treas.gov/tigta/auditreports/2007reports/200720048fr.html
http://www.fcw.com/article98135-04-03-07-Web&printLayout
The first article covers unsecured taxpayer information on IRS laptops, a problem the audit agency raised in 2003 which has yet to be addressed fully by the IRS. The second discusses more general security issues and reports that, "The tax agency experiences gaps in access controls related to user identification and authentication, authorization, encryption, monitoring, and physical security. Data is at risk from weaknesses in configuration management, segregation of duties, media destruction and disposal, and personnel security controls." For instance, the IRS backup tapes were unencrypted and stored at facilities where they were physically available to non-IRS personnel.
I recently had a first-hand experience with the quality of IT procedures at the IRS. One of my clients is a well-known consumer law organization whose inbound mail I scan for viruses and spam. One of their attorneys contacted me the other day saying that she was unable to receive email from attorneys at the IRS. Now some of you may have encountered the various forms of viruses and phishing scams that use forged @irs.gov addresses. In an effort to combat such stuff, I added a rule to my inbound mail server requiring that messages claiming to be from someone@irs.gov actually be sent from a server in *.gov. Notice I didn't limit these messages just to servers in irs.gov; to cut down on the potential for false positives the rule allowed any such messages that originated on any server in the Federal government. Most of the illegitimate "irs.gov" messages I've seen come from spambots on residential and office networks and would be blocked by this otherwise quite permissive rule.
Well, these legitimate IRS messages were blocked because they originated on a server that had no reverse-DNS resolution configured. Without reverse-DNS my server couldn't determine the sending server's domain and thus blocked these legitimate irs.gov messages. Even if I hadn't had this rule in place, these messages might well have been tagged as spam. I give hosts with no reverse-DNS entries a pretty high SpamAssassin score, though not one that alone would result in the message being tagged as spam.
We later confirmed that this server was, in fact, an official outbound mail server for the IRS's attorneys, and perhaps for many of its other bureaucrats as well. Having reverse resolution configured for an SMTP server is pretty much de rigueur these days if you want to ensure your messages get delivered. Apparently this knowledge did not extend to the IT staff at the Internal Revenue Service. -
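The rule the comment above describes, as an added example (not the poster's own mail-server configuration): a sender claiming an @irs.gov address must connect from a host whose reverse DNS name ends in .gov, and a host with no reverse DNS only earns a SpamAssassin-style score otherwise. The IP addresses, host names and lookup tables are constructed so it runs offline; a real gateway would query the resolver. The forward-confirmation step (the PTR name must resolve back to the connecting IP) is an addition on top of what the comment describes, since anyone who controls a reverse zone can put any name in a PTR record.

```python
# Added example (not from the original comment): a model of the inbound-mail
# rule described above. All IPs, host names and lookup tables are constructed
# so it runs offline; a real gateway would query the resolver.
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for reverse DNS (PTR) lookups.
PTR_TABLE = {
    "192.0.2.10": "mail1.irs.gov",                               # IRS relay, PTR set
    "192.0.2.11": "smtp.example-agency.gov",                     # another .gov relay
    "192.0.2.12": "bogus.irs.gov",                               # PTR that does not resolve back
    "198.51.100.7": "cpe-198-51-100-7.residential.example.net",  # typical spambot host
    # "203.0.113.5" deliberately absent: no reverse DNS configured, the IRS case
}

# Constructed forward (A record) table used for forward-confirmed reverse DNS.
A_TABLE = {
    "mail1.irs.gov": "192.0.2.10",
    "smtp.example-agency.gov": "192.0.2.11",
    "cpe-198-51-100-7.residential.example.net": "198.51.100.7",
}


@dataclass
class Verdict:
    action: str   # "accept" or "reject"
    score: float  # SpamAssassin-style score contribution for a missing/unconfirmed PTR
    reason: str


def confirmed_reverse_name(ip: str):
    """Forward-confirmed reverse DNS: return the PTR name only if it resolves
    back to the same IP. An unconfirmed name is treated like no PTR at all."""
    name = PTR_TABLE.get(ip)
    if name is None or A_TABLE.get(name) != ip:
        return None
    return name.lower().rstrip(".")


def sender_domain(addr: str) -> str:
    """Domain part of an address such as the MAIL FROM or From: header."""
    return addr.rsplit("@", 1)[-1].lower().strip()


def check_sender(from_addr: str, client_ip: str,
                 protected=("irs.gov",), no_ptr_score: float = 2.5) -> Verdict:
    """A sender claiming a protected domain must connect from a host whose
    confirmed reverse name ends in .gov (any federal server, not only irs.gov).
    Other senders without reverse DNS are only scored, never rejected here."""
    ipaddress.ip_address(client_ip)  # raises ValueError on malformed input
    domain = sender_domain(from_addr)
    host = confirmed_reverse_name(client_ip)
    claims_protected = any(domain == p or domain.endswith("." + p) for p in protected)

    if host is None:
        if claims_protected:
            return Verdict("reject", no_ptr_score,
                           f"{domain} sender but no usable PTR for {client_ip}")
        return Verdict("accept", no_ptr_score, f"no usable PTR for {client_ip}")
    if claims_protected and not host.endswith(".gov"):
        return Verdict("reject", 0.0, f"{domain} sender from non-.gov host {host}")
    return Verdict("accept", 0.0, f"client resolves to {host}")


if __name__ == "__main__":
    # Constructed connection attempts; the last one reproduces the IRS outage.
    for addr, ip in [("counsel@irs.gov", "192.0.2.10"),
                     ("counsel@irs.gov", "198.51.100.7"),
                     ("someone@example.org", "203.0.113.5"),
                     ("counsel@irs.gov", "203.0.113.5")]:
        v = check_sender(addr, ip)
        print(f"{addr:22} {ip:14} {v.action:7} +{v.score:.1f}  {v.reason}")
```

The last sample connection is the outage the comment describes: a legitimate relay with no PTR record looks identical to a spambot from the receiving side, so the rule cannot tell them apart and rejects it.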
Re:The actual OMB memo
Here are links to a couple of more recent articles about this and, following that, the text from an email that went out earlier in the week.
OMB to require standard Windows desktop configuration
http://www.fcw.com/article97974-03-19-07
OMB sets security standards for Windows computers
http://www.govexec.com/story_page.cfm?articleid=36410
----
March 20, 2007
MEMORANDUM FOR CHIEF INFORMATION OFFICERS
FROM: Karen Evans
Administrator, Office of E-Government and Information Technology
SUBJECT: Managing Security Risk By Using Common Security Configurations
Common security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources. This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of government information. This memorandum requires your agency to develop plans for using the Microsoft Windows XP and Vista security configurations with an implementation date of no later than February 1, 2008. [1]
As you know, section 3544(b)(2)(D)(iii) of the Federal Information Security Management Act (FISMA) requires agencies to develop minimally acceptable system configuration requirements and ensure compliance with them. Your agency is already required to:
* document in your annual FISMA report the frequency by which you implement system configuration requirements; [2] and
* use published configurations or be prepared to justify why you are not doing so.
As a model for this effort, the Air Force uses common security configurations for Microsoft Windows XP. These configurations were developed in collaboration with the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and Microsoft. These same organizations recently established common security configurations for Microsoft Vista. With these common security configurations now in place, we have a unique opportunity when using Microsoft Windows XP and acquiring Vista.
Requirements of Agency Plans
Agency plans for Microsoft Windows XP and Vista should be submitted to OMB by May 1, 2007 to fisma@omb.eop.gov and should describe the following items:
* Testing configurations in a non-production environment to identify adverse effects on system functionality;
* Implementing and automating enforcement for using these configurations;
* Restricting administration of these configurations to only authorized professionals;
* Ensuring new acquisitions by June 30, 2007, to include these configurations and require information technology providers to certify their products operate effectively using these configurations;
* Applying Microsoft patches available from DHS when addressing new Windows XP or Vista vulnerabilities;
* Providing NIST documentation of any deviations from these configurations and rationale for doing so; and [3]
* Ensuring these configurations are incorporated into agency capital planning and investment control processes.
Additional Resources Available to Agencies
By April 20, 2007, OMB in conjunction with DHS and other appropriate agencies will establish a means for information technology providers to obtain software images based on these configurations for test and development purposes. Additionally, the Chief Information Officer's Council will assist and facilitate sharing the common security configurations across the Federal government.
NIST has established a program to develop and maintain common security configurations for many operating systems and applications, and -
Re:Installing Vista
"Hmm, that's more than Universities spend on tuition waivers and scholarships."
That's right, ERP solutions will cost that much. They're expensive. One of the Michigan state schools had an ERP financials (don't remember which vendor) implementation that ran over $50M. Which is why there is a backlash in the community and projects like Sakai and Kuali have sprung up.
http://sakaiproject.org/
http://kuali.org/
But to be honest, I probably shouldn't have brought ERP stuff up, as it is slightly off topic from the discussion. But there's no question that proprietary ERP solutions cost big money. Mind you, the bulk of the cost is not vendor licenses, but in the consulting and customization for the implementation.
"And as for the purchase of CALs, does that include MSSQL, or Exchange?"
Depends on whether you need them or not. Most schools won't need global CAL coverage for MSSQL, and if they do, they can do per-processor licensing. But many schools use Exchange globally, as it's a nice product for email, calendaring and PIM. From a strict CAL perspective, let's say a school has 20,000 employees that need Exchange accounts. CALs cost ~$2.50 per user at the academic pricing (for staff), so that's $50,000 that'll come up about every 3 years. That's really not that much.
Granted, most schools won't do it that way; they'll do a Campus Agreement, pay a smaller amount every year, get global coverage for staff and students, and not have to manage licenses at all. They just 're-up' every year, with updated counts of staff and student FTE.
"How about 700 non-academic licenses for Office?"
Why would you buy non-academic licenses for Office at a higher-ed institution?
"Or 700 "upgrades" to Vista? How many Vista installations do you manage? Will you have to buy new computers to run it on? "
You wouldnt do it that way. You'd keep buying machines as normal, but buy them with Vista licenses, and image XP Pro onto them. Then when you're ready, you make the move. Or not, and keep using XP for years. Up to you.
"If not, what can you do with the XP licenses you've already paid for?"
Umm, use them for XP? Or am I misunderstanding your question? You seem to think that there's some pressing need to move your entire organization to Vista as soon as it comes out. But that's not how sane organizations work. You do it when it's right for your organization, and that's usually when the value of the improvements or new features outweighs the cost. Each group has to decide that for themselves.
From a consumer perspective, the Vista upgrade is interesting but not compelling. But some things are nearly compelling from a corporate IT shop advantage, particularly the imaging scenarios.
"You're approaching a MILLION DOLLARS and haven't even broken a sweat. You think that's good business?"
Explain to me how you've come up with anything even close to $1M. I don't see it. And is that supposed $1M each year, or over 2 years, or 10, or what?
"Oh, and that bit of horseshit that spyware and malware is "not really an issue on well managed machines." --is that why the Department of Defense has banned the use of Outlook? I guess that is the definition of a well managed microsoft application -- don't use it at all."
They didn't ban the use of Outlook. You should have read the news articles more closely.
http://www.fcw.com/article97178-12-22-06-Web
They banned HTML email in all forms, and banned OWA (Outlook Web Access), which is the webmail front end for Exchange server. This means that they're still using Outlook against Exchange (I presume, as they have OWA in the first place), they're just either:
1. Having their mail gateways strip HTML sections of emails coming in, or
2. Using group policy to force Outlook to operate in Text-Only mode, or
3. Both of the above.
And that wa -
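Option 1 from the list above (the gateway strips HTML sections of inbound mail), as an added example that is neither the DoD's nor the commenter's code: a small Python filter built on the standard `email` package. For a multipart message it drops every text/html part and keeps the text/plain alternative; for a message whose whole body is HTML it rewrites the body as text/plain from the visible text, so tags, remote image URLs and script/style content never reach the client. Both sample messages are constructed for the example.

```python
# Added example, not the DoD's or the original poster's code: option 1 above,
# a mail gateway that strips text/html parts on the way in. The sample
# messages are constructed; real traffic would arrive over SMTP.
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text so an HTML-only body can be downgraded to text/plain.
    Script and style contents are dropped; tags and attributes (including any
    remote image or tracking URLs) never reach the recipient."""
    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def html_to_text(html: str) -> str:
    p = _TextExtractor()
    p.feed(html)
    p.close()
    return "".join(p.chunks).strip()


def strip_html_parts(raw: str):
    """Return (message, number_of_html_parts_removed).
    Multipart messages lose every text/html part; a message whose whole
    body is text/html is rewritten as text/plain from its visible text."""
    msg: EmailMessage = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() == "text/html":
        msg.set_content(html_to_text(msg.get_content()))  # now text/plain
        return msg, 1
    removed = 0
    for part in msg.walk():  # walk() re-reads a container's payload after we replace it
        if part.is_multipart():
            kept = []
            for sub in part.get_payload():
                if sub.get_content_type() == "text/html":
                    removed += 1
                else:
                    kept.append(sub)
            part.set_payload(kept)
    return msg, removed


def content_types(msg) -> list:
    """Content types of every part, in walk order (handy for checking results)."""
    return [p.get_content_type() for p in msg.walk()]


# Constructed sample: the usual multipart/alternative pair with a tracking pixel.
SAMPLE_MULTIPART = """\
From: counsel@example.gov
To: user@example.org
Subject: meeting
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Meeting moved to 3pm.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Meeting moved to <b>3pm</b>.</p>
<img src="http://tracker.example.net/pixel.gif"></body></html>
--b1--
"""

# Constructed sample: an HTML-only message with no plain-text alternative.
SAMPLE_HTML_ONLY = """\
From: counsel@example.gov
To: user@example.org
Subject: reminder
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><style>p{color:red}</style><p>Bring the <i>signed</i> forms.</p></body></html>
"""

if __name__ == "__main__":
    for raw in (SAMPLE_MULTIPART, SAMPLE_HTML_ONLY):
        m, n = strip_html_parts(raw)
        print(n, "html part(s) removed ->", content_types(m))
        print(m.get_body(preferencelist=("plain",)).get_content())
```

A gateway that does this gets the same effect as the group-policy route (option 2) without depending on every client honouring the policy, at the cost of losing formatting in messages that carry no plain-text alternative.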
FDE Requires Gov't ID Card
How this will probably work is the end solution uses a smart card to do some authentication and key storage.
All gov't employees will at some point get an ID card similar to the Common Access Card. This will have a number of public keys on it. One of which probably decrypts their workstation.
The U.S. gov't is building the capacity to issue millions of smart cards on their own. See this: http://www.fcw.com/article94813-06-07-06-Web There was a proper publicly available contract up for bid for this project but it wouldn't surprise me if it has been pulled in favor of a no-bid award.
Before anyone says, "Well it should be a secret! What if the terrists get a badge?!" There are two things to remember.
1. Lots of bad people have proper ID in their country of choice. Identification has little if any relationship to their activities. The failure points remain the usual human factors out in the field.
2. There's no need for secrecy in the production environment. Every half-decent perso system/PKI properly manages such an obvious point of failure. If a Visa-certified card plant can manage to keep track of 10's of millions of cards anyone can. It's not rocket science.
I for one welcome our fully encrypted overlords. -
Re:Installed patched OS, same as old OS
One of the best "In Soviet..." jokes I've ever seen. For those not in the know, it refers to some US-made technology, most famously pipeline control software, that the Soviets stole in the early 1980s and which was carefully designed to pass QA tests, then go haywire. Suffice to say, the plan worked, and in fact produced the largest non-nuclear explosion seen from space when it took out a large natural gas pipeline in Siberia. A version of the story here.
-
Re:How is Apple an important vendor to CIOs?
I can count the apples without using all of my fingers on one hand
July 5, 2004 "With the announcement that it is providing 1,566 servers to an Army supercomputer project, Apple Computer Inc. is making a move..." -
Far far bigger - IT sourcing bug killed a country.
The biggest one was deliberate - and took down an entire country.
The biggest IT disaster ever was due to choosing the wrong vendor for sourcing software, in which deliberate bugs were planted:
"Why not help the Soviets with their shopping? Now that we know what they want, we can help them get it." There would be just one catch: The CIA would add "extra ingredients" to the software and hardware on the KGB's shopping list.
...
computer chips were designed to pass quality-acceptance tests before entry into Soviet service. Only later would they sporadically fail, frazzling the nerves of harried users. Pseudosoftware disrupted factory output.
Resulting in major collapses of Soviet infrastructure.
Some may argue it's not an IT disaster -- but the root of the problem was that people sourced buggy software from closed source vendors and couldn't get their bugs fixed. -- The same thing happens all the time on a smaller scale when people buy Windows. -
Re: Census Bureau Loses Hundreds of Laptops
According to FCW, security features included "Requiring a password" and "Storing census survey data in a complex format requiring specialized software to view".
So unless those hackers have access to obscure hacking devices like Knoppix disks and hex editors, the data is totally secure.
I feel safer already. -
The ban has already been lifted.
Although the article probably still has some merit, the actual ban on laptops has now been lifted in the UK.
http://www.fcw.com/article95659-08-14-06-Web
]{ -
Re:Oh no
-
Re:well (Wrong)
Outsourced the shuttle to a private company
NASA is looking to outsource even more!
The article title made me laugh in light of your comment.
Like almost every other branch of the government, NASA does outsource. They contract out the building of almost any sort of vehicle to private companies who are all competing for it.
Now if you think I'm just picking apart your statement for fun, you're only half right, look at this:
In light of this article, scary. -
I guess it could be warrantless surveillance
This story sounds a little overreacted.
From the article:
The NSA initiative, code-named ``Pioneer Groundbreaker,'' asked AT&T unit AT&T Solutions to build exclusively for NSA use a network operations center which duplicated AT&T's Bedminster, New Jersey facility, the court papers claimed.
That plan was abandoned in favor of the NSA acquiring the monitoring technology itself, plaintiffs' lawyers Bruce Afran said.
The NSA says on its Web site that in June 2000, the agency was seeking bids for a project to ``modernize and improve its information technology infrastructure.'' The plan, which included the privatization of its ``non-mission related'' systems support, was said to be part of Project Groundbreaker.
Mayer said the Pioneer project is ``a different component'' of that initiative.
The groundbreaker program is well known; in fact it's infamous... in being a really really expensive network upgrade. The kind of thing with rewiring offices and buying lots of bandwidth from the likes of AT&T.
And I mean a lot of bandwidth. A lot of the DoD bandwidth contracts currently up for grabs are of course available online for anyone to see. (But shame on the nytimes, shame shame shame!) How did you think intercepted traffic came from all over the world back (But especially big telco sites) to Maryland? Still wonder why companies like AT&T want to do everything to help the NSA?
And of course groundbreaker is over budget and insecure.
So what is this secret new thing that is being claimed? The hints are:
- It's mentioned on the NSA website
- It's "non mission related"
- It's a component of a network upgrade
- And it's called a "network operation center"
It makes sense that the NSA would want a new but ordinary "network operation center" with its new network. You really really need one of those to show politicians around (scroll to "nsa loads nmap" for a good laugh). Especially the ones who know nothing about intelligence except what they have seen on 24. (It would be funny if there weren't so many schools, planes, trains and subways blown up around the world after 9/11.)
Guiding them past the movie theater and showing the huge list of languages in which movies are shown isn't glamorous, though it should get the point across of sigint being of no use without humans to read and hear it... It might also show why having computers that can display bidirectional text isn't some fancy feature nobody uses. (It's useful for such obscure languages as, say, Arabic, just to name something random off the top of my head.) I guess the lack of lighting the 24 set designers came up with for dramatic effect makes these NOC places a little cheaper to run than hiring qualified analysts though.
Sure it could also be a top secret surveillance program advanced beyond anything ever seen before, possibly including extra terrestrial technology and tinfoil hat countermeasures... I mean in theory you could call that a NOC I guess.
This possible hype reminds me of the echelon story. After unspecific press accounts surrounding a big and sloppy EU investigation about "echelon" people assumed the worst and the hype started to build and build.
Now that some time has passed, historians have been able to figure out exactly what component is codenamed echelon, and it looks a little like this. (That's a '70s VAX 11/780, for those who couldn't tell, shame on you.) -
Terror strike team...
The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies. So I wonder... How long will it be before someone actually utilizes some of the information that's being stolen. We already know the military was hit for 26.5 million records, and supposedly the Chinese are ramping up their cyberoffense and defense. I'm wondering how long will it be before the ultimate "so that's what they wanted that information for" scenario comes about. It's sickening to see a country that can supposedly defend itself and the world, can't even secure their own networks. Last thing that needs to happen is this new NSA snooping database to get owned as well.
So here would be the nightmare scenario in my eyes... Hackers get DoD information from those 26.5 million VA database and slowly poison them... While the US is straddled in Iraq militarily, some country starts kidnapping those on the NNSA's list and either killing them or torturing them for information (schematics to facilities, etc.) while all this is going on, someone strikes inside the US on such a big scale, Hiroshima looks like a mild 4th of July show.... Scary isn't it? ... Luckily for us Americans, the NSA is snooping the planet so never fear they will find the culprits... Unless of course they get pwned too. -
A threat to our national security
I was going to say this is a threat to our national security, considering the combined impact of
- Skilled jobs leaving the country, dumbing down our workforce,
- Technology going to China
- Significant funds going to a communist dictatorship
-
references
-
Intel CPUs wide open to microcode attack
http://www.fcw.com/article94010-04-10-06-Print
The built-in procedure that Intel Pentium-powered computers use to blow off their digital steam could put users in hot water by making the machines vulnerable to cyberattacks... -
Re:Sensational headline about a poor article.
By this point you may be asking yourself, "WTF is FCW.com anyway?" Their about page explains:
Established in 1987, FCW Media Group uniquely integrates government, business and technology news and information to produce resources that help government IT decision-makers achieve results and meet agency missions. Our market-leading print, online, event and custom media products form an integrated information system that serves the information needs of all members of the government IT buying team-agency executives, program managers, IT managers and systems integrators-across all segments of federal, state and local government.
FCW stands for Federal Computer Week, a trade rag that US gov't stooges use to figure out how to best waste our tax dollars on shiny boxes with blinky lights. Their topic headings include the buzzwords:
- Defense
- Enterprise Architecture
- Executive
- Integrators
- Intelligent Infrastructure
- Product Solutions
- Program Management
- Security/Homeland Security
- Wireless
The anonymous submitter might do well to remain so. Scuttlemonkey, OTOH, may have to enter the witness protection program. He's getting as bad as Zonk. -
Re:As one of the two people invited to this shindi
Quoting:
"I don't know what the right response is for you people, but clearly the state officials are being "handled" by Diebold here. You have to find some way expose or work against or break this down."
Well we've "handled" it back so far by proposing a much more reasonable test protocol. No response yet from them.
The thing about us doing the hack is, yes it'll be great if it's fair, but...OK, let's say the SecState's office does it, and it turns out later that what they tested was a classic "lab queen" Diebold Frankensteined up nice and special. Can you say "egg on face"? "Who does the hack" is connected to "who takes the political risk if it's done wrong"...noteworthy especially since state law (EC19202) says it's THEM that does the testing...
At the same moment we replied in EMail to the SecState's office, we put out a press release on this subject...we've had a fair number of responses so far and a few hits in Google News just today:
http://www.govtech.net/magazine/channel_story.php/ 97374
(and the same story above in another "government news site"...)
http://www.fcw.com/article91533-11-23-05-Web
It's not a lot...but it's had one comical effect: the various reporters we've talked to have all tried to call the guy at the SecState's office engineering this thing (Bruce McDannold, whose phone number we included in our press release) and they all say he hasn't answered phone calls. He also hasn't gotten back to us, which is odd because he's usually very good about returning EMails.
I refuse to speculate on what he's up to and I'll forego the snideness I'm thinking.
To answer your original question: we WILL do this thing even with at least some of their restrictions in place...but we want a basically fair shot here, and what was proposed...well y'all can decide for yourselves what sort of offer they made us.
---
Full disclosure: I helped Bev Harris decipher the massive pile of files she downloaded from a Diebold FTP site in January '03 starting around July '03 on my part. She founded Black Box Voting Inc. as a non-political non-profit (501(c)(3) tax status) in mid-2004, at which time I became a volunteer member of the BBV board of directors. In July I lost my day job and three weeks ago I joined the full-time staff at BBV, resigning from the board of directors and moving up to the Seattle area. BBV has a full-time staff of three, I make $2k a month. Bev and I were the two co-plaintiffs in a consumer protection lawsuit in California that netted the state of California a $2.6mil refund; Bev and I each collected a "bounty" of $76,000. That suit started prior to BBV's formation as a non-profit and was run without any of the non-profit's resources.