US Government Computer Security Evaluated
Logic Bomb writes "Yahoo is carrying a wire story about a report by the House Subcommittee on Government Management, Information and Technology. It gave the US government an overall grade of D- on computer security. That probably isn't a big surprise, but the details of the report are scary -- the Department of Defense got a D+. Isn't that lovely? The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems. My guess is the latter."
as long as no one screws up the curve, they're good.
-----
Planning to be moderated ± 1: Bad Pun.
...people are wary of Carnivore, and don't believe the FBI's assurances of security and propriety. Any system that can be abused will be abused.
Perfect examples of why inefficiency/inadequacy are a definite risk.
Karma: Excellent, but still won't get you laid.
In spelling class D stands for "You Suck"
----
ADVENTURERS! - ANTIHERO FOR HIRE - CARDMASTER CONFLICT
I doubt if you would even need the stickies to get root on the other systems:
telnet voyager
login: root
password: *******
telnet ds9
login: root
password: *****
---------
Computer security at the Central Intelligence Agency was not rated "because of the nature of its work" but the spy agency gave a classified briefing to panel members, subcommittee spokeswoman Bonnie Heald said.
Well of course... what else would you expect? They would have to report all the hacks/cracks they have had. I'm certain the other departments would have gotten away without public disclosure if they could. What about the FBI, NSA etc.?
Dirty Pirate Hooker
Here at the USPS, that is *exactly* the case. Other than myself, there are about five other people in this entire facility (approximately 500 people) with a clue.
The reason being that once people get a clue, they usually decide they want to get paid for having one and go elsewhere, thus this place turns into a training camp.
Government policies have an extremely hard time keeping up with the 21st century in a lot of ways. To pay people more money takes more political BS than I think most people realize. There are set positions with set salaries, and computer programmers are no exception, even though these salaries are about half of what you can find elsewhere.
Additionally, you must go through far too much red tape in order to get anything accomplished, even when you know what you're doing.
Now, the one big benefit of working for the government is the bottomless pit of money. My team (5 people) has our own development environment of a Sun Enterprise 6500 and five 4500s. You don't get that in many other places.
Aside from that, the quality people that are still here enjoy what they do, and that's about all that's keeping them here.
Source code is a lot like a parachute; it needs to be open in order to function properly.
HOWEVER: The network they have to work on was only recently put behind a firewall. And before that foreigners like them were especially vulnerable because they would not let them use ssh for Export Control reasons!
So a policy intended to "protect" U.S. interests, actually placed their own networks at risk!
Is this the promised end? Or image of that horror? KING LEAR
Can you say "Election Year Politics"?
Actually, the advantage to pressurized pipes is because if somebody cuts in to the pipe to get at the cable, you know just by glancing at a pressure meter. Filling them with nerve gas would be crazy; it would be damn near impossible to service them in a timely manner. And some idiot with a backhoe could wipe out the entire campus.
Vintage computer games and RPG books available. Email me if you're interested.
This "grading", as far as I can tell from the article, was done by, in all likelihood, a bunch of 75 year old bastards who couldn't f***in' turn on their computer without help from their 18 year old sex to.... I mean assistants. So they are operating on second hand knowledge from people who aren't even listed. And what about this "gained access almost every time"? How many times did they try and did they friggin have a printout of every employee's password... There are some things missing here from the article that I would like to see before I pass judgement... That's just my two cents though.... -Craka
"Madness and Genius are separated solely by Degrees of Success." -Unknown
At my original college, F is for fun =)
---
-
ping -f 255.255.255.255 # if only
My case...
The leader of my department's HQ info security team once commented to my center's Asst. Director of IT "You have a lot of really good people working here... too bad none of them work for you." It was a stunning statement - and painfully true. IT is largely farmed out to contracts across the center. If you want an IT job at the center, most likely you'll be a contractor.
While this brings up questions of trust and conflicts of interest, it also creates a bigger problem - budget. Contracts are awarded to the lowest bidder; even if that bid is ridiculously low. The contract I worked for was reasonably sane, but still very tight. The fact that the company counted on a thrift bonus each quarter only increased the challenge. This led to bare minimal staffing; more work for fewer workers. We had to be very careful to ensure that we only spent time on things we were going to be credited for. Do what you are paid to do - nothing more. And we weren't paid to do info security.
I, and a few coworkers, had an interesting exception. We were considered an important part of the info security community at the center and were included by the department. The contract made allowances for this since it brought good visibility. But we still had our "real" jobs to do. More work.
So while the center was becoming very clueful about infosec, it was not funding it. There had been some talks about improving this situation, but last I heard the talks had taken a bad turn. When it came to budgets, security had a hard time making the cut.
The lure of decent pay, and small perks such as a training budget proved too much for me. I left my gov't job for private enterprise. And so did one of my co-workers (actually, the department has taken huge hits as IT workers have left in droves after dealing with worse contracts than mine - I often wonder how they're keeping things going). In fact, my new corporate team has recently recruited talent from a wide sampling of US Gov't organizations.
That alone is probably pretty telling.
Well, it's easy enough to use a SecurID or similar scheme, where you have a little LCD screen that is constantly cycling passwords according to an algorithm. Or better yet, the challenge/response system where it gives you a string of alphanumerics, you key it into your little calculator like thingy, and it spits out the response. If you're using static passwords, social engineering is the least of your worries.
Vintage computer games and RPG books available. Email me if you're interested.
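The two token schemes the post above describes, modelled in code. This is an added example, not code from the original thread or from any token vendor: a time-stepping one-time code (the "LCD screen constantly cycling passwords", here following RFC 4226/6238, which is the algorithm tokens of this kind use) and a challenge/response calculator, next to a server that refuses replays. The shared secret, the 30-second step and the scenario in demo() are assumptions made for the example.

```python
"""Added example, not code from the original thread: a model of a
time-stepping one-time-password token and a challenge/response token,
with the server-side checks that make a captured code worthless.
The secret, the step size and the demo timeline are assumptions."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """What the token's LCD shows at time `now`: HOTP over the time step."""
    return hotp(secret, now // step)


def token_response(secret: bytes, challenge: str, digits: int = 8) -> str:
    """What the 'calculator' prints when the user keys in the challenge.
    The construction (HMAC-SHA256 of the challenge) is this example's own."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class TokenServer:
    """Server side: shares one secret with one token and remembers what it
    has already accepted, so a code seen over someone's shoulder is useless."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.used_counters = set()     # time steps already redeemed
        self.open_challenges = set()   # nonces issued but not yet answered

    def verify_totp(self, code: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter in self.used_counters:
                continue               # replay of an already-accepted step
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)   # fresh and unpredictable each time
        self.open_challenges.add(nonce)
        return nonce

    def verify_response(self, challenge: str, response: str) -> bool:
        if challenge not in self.open_challenges:
            return False               # unknown, expired or already consumed
        self.open_challenges.discard(challenge)   # strictly single use
        expected = token_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed scenario: one legitimate login, then an attacker who
    captured that login's code tries to reuse it."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector key (assumption)
    srv = TokenServer(secret)
    t = 1_000_000                      # some moment, in seconds
    code = totp(secret, t)
    first = srv.verify_totp(code, t)          # real user: accepted
    replay = srv.verify_totp(code, t + 5)     # same code again: rejected
    stale = srv.verify_totp(code, t + 300)    # ten steps later: rejected
    nonce = srv.challenge()
    answer = token_response(secret, nonce)
    cr_ok = srv.verify_response(nonce, answer)          # accepted once
    cr_replay = srv.verify_response(nonce, answer)      # nonce consumed
    return {"first": first, "replay": replay, "stale": stale,
            "cr_ok": cr_ok, "cr_replay": cr_replay}
```

The point the post makes shows up in demo(): a static password survives being seen once, whereas the captured one-time code fails on replay and after the step expires, and a challenge/response answer is bound to a nonce the server only honours once.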
Damn,.. only got a TRS80...... shit.
Dirty Pirate Hooker
It created the Internet.
Jeez people, get with the program... You're forgetting your priorities!
The REAL jabber has the /. user id: 13196
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
To be honest, I don't personally care if it is election year politics or not. I don't want sensitive information regarding things like SSN, tax information, or any other material to be able to be seen, malarkeyed with, or erased. If congress is trying to discredit the current administration for problems, well, Al Gore did claim to be the father of the Internet, maybe he deserves a little heat for stupid claims not thoroughly thought out.
IBM had PL/1, with syntax worse than JOSS,
And everywhere the language went, it was a total loss...
It says 'system' directories and setting this would be like users having access to /etc/* (in a unix system) as opposed to /home/luser/*. This is a problem for two reasons. 1) No, you can't trust local users not to break/sabotage something if they have a chance. 2) When users have incorrect permissions it gives outside 'crackers' more chances to compromise an account that has rights to do real damage, in this case 1100 chances.
I do agree that an explanation of the grading system would be useful.
Or in college: D is for Diploma!
Sig it.
I work for a government agency (USPS), and while my experience with them deals only with internet and intranet applications, it's worth noting that the biggest obstacle we face (and likely the other government agencies as well) is the pride of the people that create insecure applications.
If you happen to read something on slashdot, such as the IE cookie exploit, then dare report it to a division using cookies for sensitive information, you just get a heated debate.
It took me no more than thirty minutes to compromise the "secure" cookie of their application, and it contained sensitive information that could compromise the entire application in plain text!
Fortunately, the right people (suits) got wind of my experiment, and this security hole is actually being dealt with. With all the effort it takes to get people to open their eyes, I can understand why nothing gets done about such issues.
It's really like testing someone's program, only to have your feedback ignored.
What's the point?
Source code is a lot like a parachute; it needs to be open in order to function properly.
Name one thing the government does well. Grand prize is a cookie.
Bowie J. Poag
Ironic... if the government fares so poorly for its own security, then wouldn't it be logical that their own tech for monitoring/big brothering the Net sucks? Perhaps there are assumptions that carnivore 'works.' Granted, it would help to see the code to determine this, but wouldn't the odds be strong that carnivore does not work as well as the claims? Do we really have anything to fear?
Maybe they talk the talk but don't code the code...
"typical of what you'd find in most Internet-linked systems"??
/.ers out there know that the Internet is very hard to secure. But they also know that it can be done with a good deal of practice and knowhow. So I'd say it's not that. I'd say it's more likely poor government performance that we're seeing there.
Sorry, doesn't wash.
Many
Ideally, the government should have the highest security and technological savvy of any entity in the country, in order to protect its citizens from threats from outside the country.
(Ideally, the government should also be protecting the rights of the citizens too rather than chipping away at them with an espresso spoon wherever any cartel like the MPAA or RIAA tells them to, but that's another rant entirely.)
So what's wrong? Either:
a) they don't have the knowhow to maintain system security, or
b) they have the knowhow, but aren't utilizing it correctly.
I'd like to see a correlation of government salaries in relation to similar positions in private industries. If they're dissimilar, and the government pays its workers less than the private sector, then I think it'll be safe to say where the talent's gone...
You cannot truly appreciate Dilbert until you read it in the original Klingon.
LOL, I posted in the wrong thread.
-TimmyC, Tech Guru
The government might just lose its reputation as one of our finest, most efficient, best run organizations.
I mean yeah, the government doesn't have the best web masters. They are not always the best people, maybe they just want to get a page or two up to try and stay current with the technology of the time. It's not like the people needed to properly secure a system are cheap. And the government doesn't work FAST so it's not like they can just go and hire these people whenever they need them.
I guess what I'm really trying to say is that you should take what they are saying with a grain of salt. Some reporters are just trying to make the gov look bad.
So what kind of internet box is safe? A box behind a router that only lets connections in on one randomly chosen port to a SSH connection where the password to log in is determined by a predetermined seed to a SecurID card? Given enough time and pressure, anything is breakable. The only truly secure information doesn't exist. (They are dumb quotes, I made them up)
"The Norm" is that guy who drank lots of beer on "Cheers"!
(sorry for the multiple post, but..)
I suppose, since the US Military made their bed with the creation of TCP/IP, they now must lie in it! Get real, it's an ivory-tower protocol to begin with. Should the average user be able to traceroute machines; the little packets revealing the IP's of every system they swim past along the way?
Aren't "system security" websites creating more problems than they solve? Does a hard-working system administrator have as much time to read "rootshell.org" as a mischievous twenty year old college kid? If said college kid finds an exploit, compiles and uses it while you're out of the office, before you're even aware of it, does it mean you're a bad administrator?
Considering the level of knowledge distribution on the internet, particularly in the areas of networking, OS function, and security exploits/patches, can the "good guys" truly *ever* be that much ahead of the "bad guys"?
To compound the problem, owners of ISP's don't need to demonstrate any level of competency to purchase IP's; only supply the necessary funds. So basically any idiot with just enough smarts to get online creates a wonderful opportunity for the hacking elite. Spoof an IP here or there, root the Acme ISP, wipe their log files, and hop out from there - Exploit away!
Perhaps if the federal government applied the same type of licensing to the purchasing of IP addresses as they do FM & AM radio frequencies, and held the OWNERS of said IP's responsible for the usage of same, AND required some sort of certification process to even QUALIFY, 75% of the "computer security problem" would go away IMMEDIATELY?
THIS SPACE INTENTIONALLY LEFT BLANK.
I wonder who this bunch was. I work for a defense contractor, and none of the machines in the building which are on our internal classified network are connected in any way to the outside world. I'm posting this from my unclass PC. :)
Hide your harddrives behind the Xerox machine!
"..don't you eat that yellow snow."
This is all good (or not good) and whatnot, but what systems did they test? Did they try to hack the NSA computer security systems? Or did they simply peer at thomas.loc.gov?
I have a little more faith in the DoD protecting information. Hopefully they don't even place top secret data on machines connected.
hobbz
I don't know where those people worked, but where I worked doing DoD research we had pretty severe restrictions. For a while all the computers had to be Tempest approved (for low-emissions). If not, they were used inside "the can" which was a large metal room within another room. Both had massive combination locks on them and motion sensors. Once, we were throwing network cables above the drop-ceiling - we didn't know about the motion sensors - and when they went off we all shit a brick.
All machines had removable hard-drives that would be locked in safes. After use, the hard drive was removed and the machines power was cycled. None of these machines were networked. The only network was within "the can" and that didn't go external.
When photocopying classified, you had to run blank sheets through the copier when finished. And you had to have a second person with you to check everything when you were done.
When classified was to be destroyed (and that isn't easy to get approval for) we had an incinerator in the building for it. We all wondered if we could use it to cremate deceased pets....
We were a part of a University with many foreign nationals. Part of the CS school had facilities in our building where the students would go. When security found out they kicked all foreign nationals out of the building. We lost a couple good grad students because of it.
Security violations were severe since we could potentially lose all funding if our clearance was revoked. Auditors came around yearly and quizzed randomly on procedures.
All in all, it wasn't a huge hassle to do all this stuff - it was part of the routine. Of course, I avoided classified work as much as possible...
-tim
For a group that relies on Microsoft products primarily, this does not surprise me.
Seth
$5 / month hosted VPS on linux = awesome!
That's the Department of D+efence now.
Well, it's easy enough to use a SecurID or similar scheme
That's the problem. It's not easy enough to do anything. The hoops you have to jump through to acquire software or hardware on a large scale (ie. agency wide) basis must be impressive. Otherwise the 18 month unsuccessful trial of Bogus Notes 5.0 would have convinced them not to implement it nationally.
You might be able to pull something together locally by jumping through a different set of contracts and regulations, but you're still screwed. "Oh, our servers are ever so much more secure than the regional office."
That said, I agree with you that a SecurID type solution would be a positive step. Hopefully someone still in the agency is reading this too.
Wait... you mean you still haven't joined the ACLU?
Pretty scary when "Wargames" moves from the entertainment category to documentary
I will do security work for the .gov for tax breaks.
Contact your manager and tell him that they can secure the entire fscking government by hiring people like me to do the work and give me a year or two without having to pay tax as my only payment.
If they did this - they would have all the best security professionals REALLY securing that sh*t down.
Also the most disturbing thing about this whole situation is that when we go to war - the informational warfare is going to be insane. Think about it this way - in a third world country that is not even nearly as dependent on computers as the US it will not matter if their systems get whacked - but what they will gain from cracking the security within the US military or even public government systems...
> No, I'm sorry. The only way to get an A+ is to do everything without records in a haphazard fashion, without even knowing why you're doing it yourself.
So why do government departments score D-? Most government departments don't know why they do what they do..
Courtesy of the Regulation of Investigatory Powers bill (otherwise known as RIP), many government departments in the UK don't know why they have to intercept communications by people they don't know on subjects they don't care about, using technology they don't understand. This scores A+ by government standards. Why?
Hey man, at least they passed :)
Hey - I ran CP/M on my C=64... didn't have the cool speech synth, but I did have an acoustic modem (till I moved up to the 1200 baud model - yowsa!). Even now, most screens are still made of glass... 6510, Z-80 - bah!
--
"It's tough to be bilingual when you get hit in the head."
So...they may know things about you, but you'll know what they know! Or you might be able to change what they know about you.
This Carnivore thing might be kind of cool...
Blar.
I think it's the fear of getting busted by the government that keeps most attacks at bay for the gov sites. It still doesn't help our national security.
Haven't any of you watched War Games?
Any kid with a C-64 can hack the Pentagon and set off a nuclear war.
Uh, it was a historical recreation, wasn't it?
--------
For an A, the computer must be vaporized by a nuclear blast.
For an A+ the computer must be hurled into a black hole (some information might be gathered from the trajectories of the particles thrown off by the nuclear blast).
--------
You can't expect them to devote all that energy to what everyone is doing and get their stuff together at the same time. Besides, if they manage to neuter everyone else, what do they need security for?
I read articles similar to this every year. They make it sound like they are going to start getting on top of it, but nothing ever happens. It's pure window dressing.
--
Hey, that's no problem, most of these cut 'n' paste 1337 5cr1p+ k1dd13s have only ever scraped a D- or E anyway.
- Derwen
http://fsfeurope.org/
you see, the problem with the government is they don't like to fix potential problems. I saw firsthand an example of this. The bandwidth of the new system was going to overpower the network. We knew it, we told them, they said it would be fine. So we switch on, it blows up. So now we've got to rewire this kludged/patched/duct taped network all the while the users are screaming at us for breaking their system. I don't think I can say any more specifics, but this did make the news last fall at the unclassified level.
As for the famous $500 hammer, that was probably still the lowest bid.
-----
Planning to be moderated ± 1: Bad Pun.
Yes, certainly trust is a good thing, but would you trust 1100 people, even if you worked with them, with:
1) sensitive data
2) write permission on system executables/conf files
3) read or write access to /etc/shadow
Even the best hiring practices and background checks are likely to miss maybe 1% of the bad apples. So I would be willing to bet that there are at least 2 or 3 people in the organization that would be willing to use the info naughtily or use bad permissions to gain root.
Most systems don't have a root account, or any other type of user-limiting functions for that matter (windows/mac).
--
Soma: because a gramme is better than a damn.
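The two posts above (the one comparing user access to /etc/* with /home/luser/*, and the one listing write permission on system files and access to /etc/shadow) describe a permission problem rather than show how to find it. This is an added example, not code from the thread: a small audit that walks a directory tree and flags files ordinary users can write, world-writable directories without the sticky bit, and writable setuid/setgid binaries. It builds a constructed fake /etc in a temporary directory so it runs offline; pointing audit_tree() at a real /etc or /usr/bin is the intended use and is an assumption of the example.

```python
"""Added example, not code from the original thread: audit a directory
tree for the permission mistakes the posts describe. The demo tree is
constructed; real targets such as /etc are an assumption."""
import os
import stat
import tempfile


def classify(mode: int, gid: int) -> list:
    """Findings for one inode, from its st_mode and st_gid alone.
    Group-writable files in the root group are tolerated here as a
    heuristic; anything group-writable elsewhere is reported."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP and gid != 0:
        findings.append("group-writable (non-root group)")
    if (stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID)
            and mode & (stat.S_IWGRP | stat.S_IWOTH)):
        findings.append("writable setuid/setgid binary")
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable dir without sticky bit")
    return findings


def audit_tree(root: str) -> dict:
    """Walk root without following symlinks; map relative path -> findings.
    A symlink's own mode bits mean nothing, so links are skipped."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            found = classify(st.st_mode, st.st_gid)
            if found:
                report[os.path.relpath(full, root)] = found
    return report


def build_demo_tree() -> str:
    """Constructed sample: a fake /etc with one sane entry and three bad ones."""
    root = tempfile.mkdtemp(prefix="fake-etc-")

    def put(rel, mode, is_dir=False):
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("x\n")
        os.chmod(path, mode)

    put("passwd", 0o644)                 # fine: readable, root-writable
    put("shadow", 0o666)                 # bad: anyone can edit hashes
    put("cron.d", 0o777, is_dir=True)    # bad: anyone can plant a root job
    put("rc.local", 0o777)               # bad: world-writable boot script
    return root


def run_demo() -> dict:
    """Build the fake /etc and audit it; returns the findings by path."""
    return audit_tree(build_demo_tree())


if __name__ == "__main__":
    for path, problems in sorted(run_demo().items()):
        print(f"{path}: {', '.join(problems)}")
```

On a real box the interesting output is usually short, which is the point: the few entries it prints are exactly the "1100 chances" the post is worried about, and each one is a concrete ticket rather than an argument about trust.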
And in related news, Microsoft has announced today that they will be submitting a proposal to the government that will outline a plan to quote "replace all those nasty, old 20th century *nix systems with state of the art 21st century Windows 2000 servers."
The company spokesperson went on to say that "organizations can not take full advantage of all the innovations(TM) in Microsoft software until viruses like Linux are purged from the network."
Linus Torvalds was not available for comment.
--
Scott Brady
Hey, what's so bad with D+?--it's passing, right? At least my parents thought so.
--
Have fun: Join D.N.A. (National Dyslexics Association)
The intro movie to the first System Shock game.
I would kill to see some script kiddie wet his pants as his door gets kicked in and laser scopes all situate themselves on his forhead...after using a root kit. Big Brother would have its advantages!
Sig it.
Sadly enough, this is amazingly true. Just before I opened up slashdot, this article caught my eye. This guy hacked a nuclear lab and yet they aren't charging him until almost a year later. They don't say if it was anything big, but the media eats these things up.
If corporations operated as insecurely over the internet as our government has, they would be hacked out of business. Why not employ those screwball G-men into companies like Sony, Compaq and Microsoft? We'd have a field day with the source code leaked!
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
I work with a horde of ex security people from .gov. While most of them are competent, they tend to be very focused on their area of expertise.
Which is all fine and dandy.. except when they decide to migrate their expertise into something they know relatively nothing about... i.e. programming. Disaster!
All in all, I think that (if the people I work with are any indication) the US gov is pretty well off. They offer good training (some very good UNIX people came from US gov, IIRC). They just have problems that ANY extremely large org will have.
Pan
I said no... but I missed and it came out yes.
Spend money that doesn't belong to them!
Only the State obtains its revenue by coercion. - Murray Rothbard
Having just got out of the Army recently, I have some first hand info. The non-classified systems run on Win NT 4 and mostly MS Exchange. Some places have good admins, others don't. The non-classified stuff is day to day email and MS Office files that if they were to get out to the public no damage would be done. The classified is a different animal. First, to even process classified on a computer you have to accredit it. You have to write up a system profile of the hardware, software and which info you'll be accessing. This has to be signed by a Colonel, which is a very senior officer with about 23 years in the Army. Next you have to ask for permission to access a specific classified network which isn't connected to the Internet. You have to specify how you will be accessing and then you will receive a username and password. If you dial in to a classified network then you'll need a secure modem with a separate encryption key that has to be rekeyed at certain intervals. The dial in server won't even ask for your username if the encryption isn't synchronized. A network connection requires an encryption device at the computer and right before the Cat 5 cable enters the hub or switch. Since cables emanate energy the signal has to be encrypted. Then it is encrypted at the router and sent by fiber optic to its next location. Security is strong in organizations that practice it. It's usually better on the military side of the gov't.
My dad used to work with agencies that worked with the NSA. As of 15 years ago, the NSA had all their network cables in pressurized pipes.
What's the advantage of a pressurized pipe? It was pressurized with nerve gas!
Try tapping that, mister 133t h4x0r...
to accept the praise of personal wisdom is an affront to the very ideal i hold dear.
ah yes, the tart cart.
--
"It's tough to be bilingual when you get hit in the head."
Most system administrators in the government are doing it as an additional duty to their regular job. They have a limited amount of time to spend on system administration, which besides security, includes keeping software updated, doing backups, troubleshooting and fixing network and system problems.
In an ideal world, there would be full-time system administrators and security specialists to keep the systems secure and running smoothly. The reality is that very little money is budgeted for security or anything else that is perceived as not directly contributing to the mission.
Mea navis aericumbens anguillis abundat
This is how I assumed most of the government systems were. That was why Wargames seemed so trite: it was based on the idea of a system linked to the system capable of launching nukes being accessed from an outside telephone. The best digital security is simply to allow no outside access. A stand alone comp can't be hacked remotely... of course it tends to be less useful than a networked one.
I would think the DoD would have a clear concept of compartmentalization as a security method.
This is not the way to build a lasting empire.
I used to be a contractor that sysadminned a handful of classified *nix boxes. The civil servant who was in charge of security auditing my systems had absolutely no knowledge of unix or networking, and could just barely log into a Windoze box themselves. All this person had was a checklist that they filled out by asking me questions. A lot of it was multiple choice, and it was so out-of-date technologically that there was often no means to provide a correct response. Anyway, this techno-illiterate career clerk would check off what they personally perceived was the closest answer, so the result was horribly inaccurate. I tried a few times to get them to change something because I knew it was incorrect and they wouldn't. The whole thing was a complete joke, and a ridiculous waste of my time and taxpayer money.
The situation is probably worse than the study reported.
Of course you're right. Based on my experience, I would say that that situation exists in most of the private companies as well...
You are in a maze of twisty little passages, all alike.
That pretty much leaves the security in the hands of folks with little or no experience. Based on that the report isn't surprising at all.
Of course, this is all second hand information. Perhaps some military/gov't (or ex) security folks here on /. (c'mon, we know you're here) could pipe up and correct me if I'm way off base?
--
Behold the Power of Cheese!
If you want it secure, don't connect it to the friggin' net! Hide it underground, under reinforced concrete, inside a faraday cage and behind a series of two foot blast doors. Place uzi toting guards with instructions to shoot anyone in sight outside the doors.
But whatever you do, do not connect anything to the net!
How the hell is this a troll?
This article goes to show the attitude of most system (LAN/NT/UNIX) administrators (or at least the old geezers that the US Gov't hires) - latest patches aren't applied, security news isn't read (at least rootshell.com or bugtraq or security focus or CERT), job function is minimized to only adding or deleting user accounts, and if it doesn't install "out of the box", unless you have a $5000/year service contract w/the vendor, you're scr00d. Admins are virtually the only culprits here. Can't even blame clueless users so much. A good admin would shield against dumb users on his/her intranet....
'A lie if repeated often enough, becomes the truth.' - Goebbels
Actually, that's a small typo. The Pentagon was trying out their new structured language, D++, and got it confused with the please-rate-your-network-security form they had to send back to the House Subcommittee.
--
Have fun: Join D.N.A. (National Dyslexics Association)
I'll bet a device of mass destruction that they're going to use the poor report as an excuse to get
"top people" budgeted to overhaul their computer security.
And where will that budgeted money actually go? A device of mass destruction, probably.
massive decoy effort? Seriously. One of the best ways to secure pretty much anything is to provide a very tempting decoy. So the U.S government sets-up a few boxes which are intentionally open enough to allow the script kiddies in and have a bit of fun, while protecting the actual machines from a full frontal assault.
It could happen. Remember you're dealing with a government that said they weren't planning to invade cuba, and then did. That said that the entire Iran-contra thing was pure fantasy---and then we found out that they weren't exactly truthful.
Possible, yes. Plausible? Perhaps.
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
Hey, moron! {knock, knock}
.gov and .mil joints are VASTLY unqualified or VASTLY corrupt.
Most government rigs do NOT run Windows. They are rated C2, the absolute LOWEST grade of 'secure', only when off a network!
Why d'ya think the Army.mil server is an APPLE?
The long and short of it is that the folks workin' as sysadmins on
Or both.
I mean, government pay scales suck!
I used to be someone else. Now I'm someone better.
Real life is underrated.
What is the bet that a few of the auditors for the report by the House Subcommittee on Government Management, walked into the agency to be audited, with clipboard in hand, and was shown the server room by a lanky and told that someone would be there from IT shortly.
I have tried this in a building with various companies, walked into a bank office armed with smart clothes, clipboard and a URL. I walked about the office practically unnoticed, sat at an open terminal and gained root to the NT network via a few scripts sitting at a trusted site.
Not quite as stylish as an online crack but when you are in, you are in.
I had a SIG once... it was years ago.
Or perhaps:
> echo "#pragma launch" > boom.c
> gcc boom.c
#pragmas give me the heebie jeebies.
but I'd like to see what constitutes the scale. I think some examples of A B C D and F in organizations (possibly outside government if need be) would be helpful too.
/. should change Anonymous Coward to Anonymous Moron.
Good point. Also knowing how they screwed up would be nice, but they aren't going to share specifics because of all the script kiddies out there.
Makes me wonder, though... Are they going to start stickering government agencies the same way restaurants are?
D+
Comments:
Data entry personnel did not wash hands upon returning to work.
Overclocked processor left in uncooled area.
Dumped bits not swept up at end of day.
Nah, that would be a bit too much, wouldn't it?
NecroPuppy
--
It closer represents what they are.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
Walk in.
Find a corner with nobody around.
grab a cat-5, split wires off into a wireless transmitter.
hide cable away under a desk.
park a vehicle in parking lot of building with receiver inside, dumping to a laptop.
steal social security #s (most are unencrypted networks), personal info, address info, drivers license info, etc.
Enjoy. Guaranteed to work at your local DMV!
Ever need an online dictionary?
What with Al Gore having invented the internet and everything, you would have expected that the gubmint could have at least mustered a "B" ...
Sigh.
Curb CO2 emissions: Kill yourself today!
No one cared.
I'll see if I can dig that up again...
... or, more likely, it's a report done by a Republican Congress to discredit a Democratic administration. They've been doing this all year. For example, when Bill Richardson (a Hispanic and therefore politically valuable) was a front-runner for the Democratic VP slot, Congress brought as much media blame as possible on him for apparent security leaks in the Energy Department.
FYI, Congressional panels and committees are generally controlled by the majority party of that branch of Congress, even when they're called "non-partisan".
I'm not endorsing Democrats or slamming Republicans here, I'm just pointing out politics as I see them. The same thing might happen if the parties' roles were reversed. I am neither Democratic nor Republican.
$$
-- CompTechNews Message Board: http://comptechnews.com/ --
Remember, 90% of DOD (Department of Defense) machines have not-so-vital information like housing billets and sock prices. Only a slim percentage of the DOD machines have sensitive info on them, and those machines are, as a rule, on stand-alone systems. That and most of the machines happen to be run by military wives or other non-specialised personnel who do not have the training to be aware of basic IT security.
Of course the government is also in something of a double bind. If they actually institute security sufficient to keep all crackers out (presuming that such a thing is actually possible) they get accused of being paranoid and spending too much on security. If they relax to the point that there are breakins, people will be unhappy because they aren't taking security seriously enough. And, of course, for a lot of levels of security they get hit from both sides because their security still isn't good enough to please the security conscious, but their expense and paranoia are too much to please the other side.
Of course that's not to say that the current situation is a good middle ground. It sounds very much as though they're trying hard to achieve security but still not managing to do so, which is the worst of all possible situations. Still, though, you have to be at least a little bit sympathetic to the fact that the government gets very mixed signals about what people want it to do.
There's no point in questioning authority if you aren't going to listen to the answers.
Tragically, www.fbi.gov has huge security weaknesses. They left port 80 open, allowing us 31337 haxors to connect. Once connected, we can send specially formed packets known as "|-|77P R3qu3575" to the remote host and retrieve files.
The government should just pack it in.
There's no way to protect a system from the likes of me.
--Shoeboy
Of course the systems they see are insecure. What kind of fools do they think the security agencies are?
--------
"Why doesn't it just check the .launch file?"
Mr. Ska
I worked with a DoD contractor (software development) for a while. The people taking care of the company web site were former NSA and military. And not long out of the DoD, either.
In dealing with these people, I have found that while there are some smart people in the military, there aren't many. For example: I sent an e-mail to a software developer in Russia (he had some GPL'd stuff we were using). Two days later, I was called in to the IT department and threatened with termination for "letting the Russians know we have an IP address!". I wish I were kidding you.
Another example: we needed a new e-mail server for one of the offices -- maybe thirty accounts. I talked with one of the guys, mentioned perhaps using OpenBSD and Sendmail. I asked him about it a few weeks later, and the response was: "No, a lot of our guys attach Microsoft Office documents to their e-mails, we need to make sure the server is compatible." (and this server was NOT supposed to scan documents and attachments for viruses).
Why does the DoD have such shitty security? They have idiots in charge. Idiots that talk a big talk, but have no fucking clue. They sling buzzwords around, they take credit for the other guys' work, and they get promoted with maximum time and grade. The military doesn't know the difference between a competent soldier and an incompetent soldier. God, it's irritating.
When I was in the military we had 3 guys supporting a 400 workstation network with 1100 users. Security! It was hard enough to explain to everyone that pressing the button on the monitor won't turn the computer on. There was no time or resources for security.
Fsck you socialist pig, you have to work hard and pay for your MUMIA just like everyone else.
Attributed to David A. Guidry:
network security:
1. Kill all your users.
2. Remove all accounts.
3. Detach network and dialups.
4. Turn off machine.
So rather than encasing the computer in titanium and dumping it in the pacific ocean, we do that to the users. After all, computers don't cause computer insecurity -- people do. So securing the computer is peripheral (not to be confused with peripherals).
Of course, we have to be careful when suggesting things like #1 to the US Government. After all, national security is paramount...
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
Actually.. there's a very high order of probability that a BSD variant is used.
BSDi has popularity due to the strong encryption and the fact that it's from Canada.
FrontPostage? Oh please please.
No. These systems are NOT decoys, they are active systems connected to the Internet in some form or another. Many of them can be quite critical to security.
I have followed different "hackers" (to me, hackers also means hella good coders, not just security experts) through Air traffic control systems and DoD weapons inventory systems. Believe it or not, many are vulnerable. And they are LIVE systems.
Oh well, I guess when you assume, you make an ass out of you and me...
Friends don't let friends use multiple inheritance.
On the contrary, most of the non-classified networks are on NT domains, which are possibly being converted to 2000 domains later this year. (I'm speaking from experience, but also of only Air Force sites.) Hence the implementation of SMS and the like. (Though I'm still amused that the AF bought L0phtCrack and didn't even spell it right on their lil slide show for me. :P )
Now, on the topic of the more sensitive networks, they are (to the best of my knowledge) typically M$ systems connected onto a *nix server. However these systems are not (supposed to be) connected to any outside network. Higher-sensitivity systems (I hope) are using a more secure system, but for the most part, we're, um..... not.
In reference to the sysadmins on .gov and .mil sites, well, I have to agree with you there, the ppl who knew what they are/were doing are few and far between and primarily have left for civilian jobs with a real paycheck and maybe even some benefits.
I mean, government pay scales suck!
--Can't argue that one....not at a lil over $1200 a month....
Before you try to poke a hole in the knight's armor look where his sword arm is.
:).
Almost every bit of the information which received a D- was available to civilian employees, even though it is confidential. The NSA considers most of that information already compromised to a certain degree. Dig a little deeper at the stuff they kind of want to keep secret, and you'll find some hefty encryption if you can access it at all from a public network. I personally know of non-public channels used to access secure networks which are using heavy encryption through closed protocols.
Last, but not least, all secret (and I assume top-secret, although I have never seen these) systems employ a government program which runs as an NT service and places a second encryption layer on top of application encryption for both internal and wide-area networks. This small program is packed with 1024 bit RSA and timed key pair switching. It even comes with an option to include port duplexing on random ports.
Just a little FYI
well it's your tax dollars that are used to pay for it
---
Bunghole. You put them together!
I think it's safe to figure that the "important" stuff doesn't sit on a network...
Or wait. What am I thinking.
-Erik-
Just the Russkies' deep-diving ones (the Alpha is the only one I can remember, but I'm sure there's more. The Mike class maybe?) are made of titanium. All U.S., and I think most Russkie, are made of steel.
mas cerveza, por favor politically incorrect stu
We aren't allowed to turn off executable attachments, or even "speed bump" them, because "somebody might need them."
:) Of course, we have Lotus Notes, so executable attachments are already "speed bumped".
Sounds like General Motors...
My journal has hot
I work for a military intelligence battalion. Security is not an issue period. At all. It's rather interesting though. I would like to offer my services but don't know how really. There are no systems set up for such jobs; I would first have to switch my MOS but there really isn't an MOS in the army for such a position. The best thing that they could possibly do is add a new MOS (Military Occupational Skill, btw) and get some educated civilians to train. I dunno. Oh well.. I plan to finish college and go to work in the civilian world as I'd learn more there than where I am now. I have 1 more year left and can't wait!
Back in the good old days of college years, I served as an intern for NASA. Part of my experience there was monitoring security processes for our group. There really weren't any. We were handling classified information including some military inventions and devices for our project and some of our trusted boxes (there was RSH used with .rhosts) were out-of-the-box Red Hat 4.2 with no additional security precautions. I changed that as soon as possible, but the night before the last machine was to be worked on it was broken into.. How's that for irony?
However, my experience with commercial networks has been a lot worse. One company had two separate networks, connected by a machine with two NICs, and it was expected to filter traffic between the two. Rather amusing approach to segregating between a private and public network. Their only problem is the gateway between private and public had an ancient version of sendmail serving mail as well.
Ahh.. I love the smell of poor management in the morning.
nerdfarm.org
Dacels Jewelers can't be trusted.
The report said accounts often remained open even after employees or contractors wound up their employment. Access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users''
Egad! This is horrible...
They really don't have someone working in the US government who enjoys his job as a systems administrator. On more than one occasion I have taken joy in removing the user's account before they have received notice of termination. We have a very aggressive policy on privileged users... and in fact I have had employees admit to first believing they had been fired when in reality they had encountered authentication problems due to system failure.
It is a twisted world we live in, and I add a few more turns every day.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
I'll bet you dimes to doughnuts that the NSA, FBI, and CIA all have pretty tight security with nothing that even has a remote chance of being classified coming near the internet. DoD is slightly surprising, but hints at their arrogance - they believe they are superior and no one would be able to crack them.
As originally said though, and especially in light of the Western Union attack, this is probably the general state of all computer security.
This is not the way to build a lasting empire.
and studied like I told them to do, instead of sitting around the dorm smoking pot, they might have gotten some decent grades.
Damn kids today...
std::disclaimer<std::legalese> sig=new std::disclaimer; sig->dump(); delete sig;
All the problems listed are ones I or my fellow geeks have seen multiple times, and in some cases (open accounts, bad access decision) are purely human errors and laziness.
I'm not thrilled to see my government with such shoddy security, but it really isn't unusual when one takes a look at non-governmental computer security.
The problem today is people aren't using the technology available to them AND they aren't following (or being trained in) procedures to maintain security. Anywhere.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
So how long would it take some clever fellow to write a virus for outlook which emails copies of all the users mail to, say Iran or Russia or China, then deletes them off their computer?
That might get their attention.
-----------------------------
1,2,3,4 Moderation has to Go!
That depends upon what you mean by "most of the computers." Actually, most of the computers are typical office-type machines used for typical office-type tasks such as word processing, databases, email, web access, etc. Most departments have a LAN for this type stuff running an NT server. If you restrict yourself to special purpose and/or classified systems, you might be correct. I know there are a few flavors of *NIX in use. Solaris might very well be the most common.
I'm a well known activist on the topic of gov't abuse. This is a classic case of the most extreme hypocrisy. By both limiting these technologies in the corporate/consumer world on one hand, and failing to competently utilize the technology they've reserved for themselves on the other hand, the U.S. government is acting out the symptoms of the most aggressively bureaucratic tyranny imaginable. Think Kafka's 'The Trial' and you are getting close! I don't know much about the tech-head end of this, but I do know when my government has stepped over the line. Who's with me? Let's start a 'young persons' lobby and light a match under those chubby bums in the Senate!
K.
I agree with you that biometrics are probably a good idea, working towards a good goal, but I think a lot of the absurdity is that once you get access to the local computer, you open up Network Neighborhood, and you can browse through all 1100 computers that are listed there.
The security needs a good auditing, then a good dose of common sense.
Evil Overlord Rule #12:
One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.
Perhaps this is the solution to many of their problems?
Check out my sysadmin blog!
If the Department of Defense only gets a D+, that leaves Western Union somewhere along the lines of 'strongly advised to drop the class on the first day', right?
.sig: Now legally binding!
Yeah, those do, but it's the departments you don't care about that have the most "computers". The NSA and the Weather Service and stuff have a few huge machines, but the IRS and DOEdu and DoEnergy have more employees, each of whom has one or more machines.
But wait, it gets worse: When you study the computers at a location you have two areas: servers and clients. We have like 10 Solaris boxes, all of which are counted together as "the server", then we have desktops for 150+ users, each of which is counted as "a computer." For security purposes, that's 151 "computers" that are counted, only one of which (the server stack) is under the direct day-to-day control of the IS group. Hell, our IS people aren't even in the same building as the majority of desktops. Those who were here before I started will tell you, security was much easier when everyone here ran xterms, but the users push for laptops and crap on their desk that couldn't be made secure if we rewrote it line-by-line. It's all we can do to keep them from saving their password in Eudora, or even getting them to use that instead of Outlook in the first place (that Filipino ILOVEYOU kid sure did me a big favor).
They have to do it that way because people use their machines in such a varied fashion, so rating security, for us, is really how secure your server is and how effective you are at enforcing network policy, which is much, much harder. Some of us are hoping the switch from 98 to 2k will help, as far as forcing people to save shit where it belongs, but the future doesn't look bright: I told the new accountant he had to cycle a dozen passwords for our grant requests, and he threatened my job!
You know, if we conveniently place sensitive terminals next to "molecular digitizing lasers", maybe we can store intruders on a zip disk and upload them to the Game Grid.... for the dumber crackers, we might be able to fit them onto a floppy.
--
Spindletop Blackbird, the GNU/Linux Cube.
then they lost it. Working for the Census has shown me the obscene waste of taxpayer cash, hiring the least competent, and total disorganization of the US Govt. Thanks Bill.
I want to delete my account but Slashdot doesn't allow it.
If this was such a big deal, wouldn't the government have already covered it up? :) Hopefully somewhere out there someone got access to the docs that will let the world know who really shot JFK!
If the Barents Sea at a depth of 400 ft will do, the Russians have one they'll sell you cheap.
Johan
Will of course give at best a D+ unless you're really going out of your way and you get a C#
At one unnamed agency, all 1,100 users had been granted access to sensitive system directories and settings, the GAO found.
As far as this is concerned. I'd like to think that organizations can be secure enough in other ways to not have to have co-workers hiding information from co-workers that are possibly right next to them.
-Daniel
But as US Government, inc. has had more time than just about anyone else to deal with the Internet, one would hope they'd do better.
Unfortunately, like any gigantic corporation I've heard much about, US Government, Inc., seems to be run by PHBs who are more influenced by marketing and PR than useful facts.
I guess they figure they'll just sue anybody who gets into the system (a la the MPAA) rather than take proper precautions.
Not that I'm cynical about the US Government or anything...
Joe Sixpack is dead!
Hacker Public Radio is our Friend
Up until recently I was a contractor for the Gov. More annoying than the fact that their security sucks is the fact that instead of advertising a contract for the OS for the next 5-10 years, the Gov is already moving to W2k. My particular office was running on Pentium 200's with 64-100 megs of RAM and a 2 gig HD. During my time there I was able to make the system extremely reliable for an NT network. Before leaving I asked all the users, "What functionality are you missing from your desktop that stops you from being able to complete your work?" The answer I got from every user was "NOTHING." So my question becomes: WHY IS THE GOV GOING TO SPEND MILLIONS OF TAX DOLLARS ON W2K AND THEN MILLIONS MORE ON UPGRADING THEIR HARDWARE TO SUPPORT THE OS? Needless to say I asked many of my superiors this question and I was basically told to shut up 'cause that's the way things work. They even had the nerve to tell me that the GOV has input on the way Microsoft writes its OSes. I promptly quit after hearing this. Within the next 6 months at my former job the W2k upgrade will begin. Does anyone else see what hypocrites the Gov is being, supporting this OS? Just my 2 cents, which in the government only goes as far as .002 cents.
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
It was rejected because it was already posted last week.
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
The government has never really been too "security-conscious" as far as I'm concerned.. just look at all the breakins that government agency websites have experienced in the past, and still experience - or the breakins that were publicized at least.. who knows how many more systems were just cracked into.
Seems they're thinking with their wallet and not their heads. They don't see a need to hire professionals to secure and monitor their network because they assume it's already secure. It also wouldn't surprise me if they thought the threat of prosecution were enough to keep crackers out. That's just plain stupid.
How much does it cost to install IDS systems on networks that should be secure (or any network, for that matter)? And a few paid professionals? You're trusting these people with your data. Social security numbers, tax records, etc., and they have little security at best.
--
Computer turned off, cast into solid titanium,
dropped somewhere in the Pacific?
Je t'aime Stéphanie
And 0-early-30 Sunday? Hey thats when they are still in the office surfing pr0n sites...
All opinions are my own - until criticized
It seems like crackers are focusing more on low-level hacks like web site defacement. That said, most of the major hacks (breaking into a classified server not immediately on the web and stealing its contents) seem to be at a low minimum.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Governments are simply higher profile, and that is what Crackers are interested in.
What Kudos does a Cracker get for hacking in to the local KMart's Inventory list, compared to the one that defaces the CIA home page.
The government fails more often because more ppl try to crack it.
Simple Law of averages!
-- "To ask a question is to show ignorance; Not to ask a question means you'll remain ignorant."
I would agree with it being the latter. Most companies, agencies, and even a good portion of home users don't secure anything at all. Most systems have a common root password to eliminate several users who have to have superuser access on several machines from having to get an admin to login to it, or having to remember several passwords. There's not much in the way of security in most large companies in my experience, so why would the government?
:)
I think it's just plain average. Now, anyone know the IP addresses for DOD gateways or border routers?
"It's here, but no one wants it." - The Sugar Speaker
the report said accounts often remained open even after employees or contractors wound up their employment.
Access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users''
Sounds like it's less that the system isn't secure and more like they really need to give their employees a good lesson in security.
"Freedom of speech has always been the abstract red-headed stepchild of the Constitution"
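The two report findings quoted in this thread (accounts left open after an employee or contractor leaves, access not curtailed after a change of responsibilities, and broad privileges granted to very large groups) are exactly the kind of thing a periodic reconciliation of the directory against the HR roster catches. The block below is an added example, not code from the original story or any agency; every roster, directory record, group size and ACL in it is constructed, and the role-to-group entitlement table is an assumption standing in for whatever an agency's own access policy says.

```python
"""Reconcile a directory export against the HR roster: flag accounts still
enabled after the owner's termination date, access not curtailed after a role
change, orphan accounts, and privilege grants to very large groups.
Every record below is constructed for this example."""
from datetime import date

AS_OF = date(2000, 9, 10)          # constructed audit date

# Constructed HR roster: username -> (status, termination date or None, current role)
HR = {
    "alice": ("active", None, "analyst"),
    "bob":   ("terminated", date(2000, 6, 30), "contractor"),
    "carol": ("terminated", date(2000, 8, 15), "sysadmin"),
    "dave":  ("active", None, "clerk"),     # moved from sysadmin to clerk
}

# Constructed directory export: username -> (enabled, groups, last login)
DIRECTORY = {
    "alice": (True,  {"staff"}, date(2000, 9, 1)),
    "bob":   (True,  {"staff", "contractors"}, date(2000, 7, 20)),    # never disabled
    "carol": (False, {"staff", "domain-admins"}, date(2000, 8, 14)),  # disabled, still admin
    "dave":  (True,  {"staff", "domain-admins"}, date(2000, 9, 2)),   # kept admin rights
    "eve":   (True,  {"staff"}, date(2000, 1, 5)),                    # unknown to HR
}

# Assumed entitlements: which groups each role is supposed to hold
ENTITLEMENTS = {
    "analyst": {"staff"}, "contractor": {"staff", "contractors"},
    "sysadmin": {"staff", "domain-admins"}, "clerk": {"staff"},
}
PRIVILEGED = {"domain-admins"}

def audit_accounts(hr, directory, entitlements, as_of, dormant_days=90):
    """Return sorted (username, finding) pairs for every account that breaks policy."""
    findings = []
    for user, (enabled, groups, last_login) in directory.items():
        record = hr.get(user)
        if record is None:
            findings.append((user, "no HR record (orphan account)"))
            continue
        status, term_date, role = record
        if status == "terminated":
            if enabled:
                findings.append((user, f"enabled {(as_of - term_date).days} days after termination"))
            if last_login > term_date:
                findings.append((user, "login recorded after termination date"))
            leftover = groups & PRIVILEGED
            if leftover:   # a disabled account that is re-enabled gets admin back
                findings.append((user, f"still in privileged groups {sorted(leftover)}"))
        else:
            excess = groups - entitlements.get(role, set())
            if excess:     # access not curtailed to reflect the new responsibilities
                findings.append((user, f"groups beyond role '{role}': {sorted(excess)}"))
            if enabled and (as_of - last_login).days > dormant_days:
                findings.append((user, "dormant account still enabled"))
    return sorted(findings)

# Constructed ACL export: resource -> principals granted write access,
# and the membership size of each principal group.
ACLS = {
    r"\\fs1\payroll": {"domain-admins", "finance"},
    r"\\fs1\sysvol\policies": {"everyone"},
    r"C:\Windows\System32\config": {"authenticated-users"},
}
GROUP_SIZES = {"everyone": 1100, "authenticated-users": 1100, "finance": 12, "domain-admins": 4}

def broad_grants(acls, group_sizes, max_size=50):
    """Flag resources where a group larger than max_size has been granted access."""
    out = []
    for resource, principals in acls.items():
        for p in principals:
            if group_sizes.get(p, 0) > max_size:
                out.append((resource, p, group_sizes[p]))
    return sorted(out)

if __name__ == "__main__":
    for user, finding in audit_accounts(HR, DIRECTORY, ENTITLEMENTS, AS_OF):
        print(f"{user}: {finding}")
    for resource, group, size in broad_grants(ACLS, GROUP_SIZES):
        print(f"{resource}: granted to {group} ({size} members)")
```

The HR roster is the source of truth here, so an account the roster does not know about is itself a finding rather than being skipped; and a terminated account that was disabled but left in an admin group is flagged because the next helpdesk "re-enable" ticket would hand the privilege straight back.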
-Suck
Er... Czechoslovakia doesn't exist anymore.
It is now two countries: Czech Republic and Slovakia.
Quite so. But it is complaining that limits taxes, and if there were more efficient govt [as there is in a number of places IMHO], there would be less complaining, hence more taxes.
The beauty of this piece of election year politics is that a Congressional mandate will undoubtedly surface requiring the offending agencies to clean up their acts, but with no resources provided for them to do so. Unfunded mandates make for great sound bites and the Congressmen who make them can posture and feign outrage when security inevitably breaks down. If they genuinely cared about security, however, they would allocate the resources for it rather than slather the pork thicker in their home districts.
Really, is this surprising to anyone? In any organization that is both a) that large and b) almost impossible to get fired from, not seeing massive lapses in security would be more of a surprise. I'm utterly amazed the government got an overall passing grade, especially massive, technologically outdated behemoths like the DOE. Add to this the fact that for a while there the federal government was passing out security clearances like Halloween candy, and it's amazing that something weird like the Chinese ending up with American missile te... oh, wait.
"This is your world. These are your people. You can live for yourself today, or help build tomorrow for everyone."
A friend of mine worked on a classified project for a DoD contractor, and I was appalled at his stories. He was set in front of a computer, and his boss was called away on business before he could give my buddy a login id. The computer was named "Enterprise". On the bottom of the keyboard was a sticky with the word "Picard" on it. Yes, it was the root password. Similar stickies were to be found on the bottom of nearly every computer in the place.
Worse still, they would download very sensitive data from satellites using rsh to a root account with a .rhosts file! When he pointed out that this was probably the LEAST secure method they could possibly choose, they told him that this scheme was the recommendation of a DoD security consultant.
Their entire idea of security seemed to be putting up a bunch of cold war era posters with eagles playing poker against vodka swilling bears and wolves dressed in Arabian garb, warning "Don't tip our hand!"
Admittedly, these weren't machines connected to the outside net, but it would've been trivial for any visitor or janitor to get access to EVERYTHING.
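The rsh-to-root-with-.rhosts setup in this post (and the .rhosts on out-of-the-box Red Hat boxes mentioned earlier in the thread) is something an auditor can find mechanically: a `+` in the host field trusts every machine, a `+` in the user field trusts every remote user, and any entry at all in root's own .rhosts means remote root without a password. The block below is an added example of such a check and is not the contractor's, NASA's or anyone else's code; the file contents, owners, modes and the allowlist of internal hosts are all constructed.

```python
"""Audit rsh trust files (.rhosts and hosts.equiv) for the settings that hand
out password-less remote logins, including the root .rhosts case the post
describes. File contents, owners and modes are constructed for the example."""
import stat

# Constructed sample of what /root/.rhosts might have looked like on that box
ROOT_RHOSTS = """\
# constructed sample: trust entries for the satellite downlink
+ +
voyager root
ds9
"""

# Constructed sample of an ordinary user's ~/.rhosts
USER_RHOSTS = """\
voyager
external.example.net alice
"""

TRUSTED_HOSTS = {"voyager", "ds9"}     # constructed allowlist of internal hosts

def parse_rhosts(text):
    """Return (host, user) pairs; a missing user field means 'same username'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries

def audit_rhosts(text, owner, mode, trusted_hosts, label=".rhosts"):
    """Return human-readable findings for one trust file."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{label} is group- or world-writable (mode {mode:04o})")
    for host, user in parse_rhosts(text):
        entry = host if user is None else f"{host} {user}"
        if host.startswith("-"):
            continue                      # explicit deny entry, nothing to flag
        if host == "+":
            findings.append(f"'{entry}': any host is trusted")
        elif host.startswith("+@"):
            findings.append(f"'{entry}': trusts a whole netgroup; review its membership")
        elif host not in trusted_hosts:
            findings.append(f"'{entry}': host outside the allowlist")
        if user == "+":
            findings.append(f"'{entry}': any remote user is trusted")
        if owner == "root":               # same-username entry in root's file means root
            findings.append(f"'{entry}': grants remote root login without a password")
    return findings

if __name__ == "__main__":
    for line in audit_rhosts(ROOT_RHOSTS, "root", 0o644, TRUSTED_HOSTS, "/root/.rhosts"):
        print(line)
    for line in audit_rhosts(USER_RHOSTS, "alice", 0o666, TRUSTED_HOSTS, "~alice/.rhosts"):
        print(line)
```

On a live system the text, owner and mode come from `open()`, `os.stat()` and the `pw_name` of the owning uid. The modern mitigation is to retire rsh entirely and keep sshd at its defaults of `IgnoreRhosts yes` and `HostbasedAuthentication no`, so a leftover .rhosts file grants nothing even if nobody ever finds it.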
They don't need them. The FBI developed a system way the hell back when called AFIS: Automated Fingerprint Identification System. Every fingerprint card ever taken and submitted to any LE agency in the US is entered. Any time a latent print is lifted at a crime scene for examination, it gets entered into AFIS and automagically compared to the database.
As a term employee with the Forest Circus I was amazed at how little the employees understood about security. Any password that was not username1 or username2 was a pet/spouse/child's name. And root on the servers was just as simple.
When a temp asks you to restart a printer queue for the second time and you give him the server passwords and door combo, security isn't even a bad joke. Forget about DoD web pages getting "owned". The issue is a vast collection of financial, tax, and research data that's available to any techie who helps fix a federal employee's home computer and asks for a password to "test" the VPN. Until user security is addressed systematically, upgrading the firewalls is a waste of time and resources.
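The password habits described in this post (username with a digit appended, pet/spouse/child names) are the ones a password-acceptance check at account creation or change time is there to refuse. The block below is an added example of such a check, not code from the Forest Service or from the page; the usernames, candidate passwords and "personal terms" list are constructed, and in a real deployment the personal terms would come from the user's own HR fields and a breached-password list rather than a hard-coded tuple.

```python
"""Reject passwords that follow the patterns the post describes: the username
with digits appended, and names of pets, spouses or children. All sample
usernames, passwords and personal terms are constructed for the example."""
import re

def _normalize(s):
    """Lowercase and strip trailing digits/punctuation so 'Rover2!' matches 'rover'."""
    return re.sub(r"[\d\W_]+$", "", s.lower())

def weak_password_reasons(username, password, personal_terms=(), min_len=12):
    """Return the list of policy violations; an empty list means the password passes."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = _normalize(password)
    uname = username.lower()
    if core == uname:
        reasons.append("username with digits or punctuation appended")
    elif uname and uname in password.lower():
        reasons.append("contains the username")
    # personal_terms: constructed stand-in for HR fields (spouse, children, pets)
    for term in personal_terms:
        t = term.lower()
        if t and (core == t or t in password.lower()):
            reasons.append(f"derived from personal term '{term}'")
            break
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons

if __name__ == "__main__":
    # Constructed samples: the two patterns from the post, then a passing one
    for candidate in ("jsmith1", "Rover2000!", "correct-Horse7battery"):
        print(candidate, "->", weak_password_reasons("jsmith", candidate, ["Rover"]) or "ok")
```

The check normalizes by stripping only the trailing digits and punctuation, which is what catches `username1`, `username2` and `Rover2000!` without also penalizing a long passphrase that happens to contain a digit in the middle.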
Wait... you mean you still haven't joined the ACLU?
This brings us right back to the question of - what is the scale? What standards are they auditing to? What can we compare this information to? Okay, the security probably pretty much sucks. With D-'s it obviously sucks to their standards. But, maybe their standards are higher than yours.
Do I think you shouldn't worry? Nope, not saying that. It's enough that it's bad by their standards. But, I don't think the article is incredibly informative either.
My Nokia phone is digital. Yet with a home wired plug I can put it into "test mode". Then I can input any channel number and listen in.
Digital cell phones are about as secure as digital DVDs.
The problem with articles like these is that you never know what is being reviewed.
For instance, does this include the many many DoD defense grant and contract holders who have sensitive information? I mean most of those are educational institutions and you know what their security is like. Lord knows anyone could break into my lab with little more than determination and a swift kick.
The other question is, while the system may be wide open, how important is the data that is available on it? The DoE and DoD like to keep all the nasty secrets behind air walls so there is no chance they are going to get out unless someone physically penetrates the building.
BTW I have seen people posting things saying that higher government security will produce a smaller government. These people obviously don't understand how government works. More security means more government to provide this security (additional security personnel) and more government to make up for the inefficiency caused by more stringent security. If you want a drastically smaller government then I suggest you look elsewhere, like privatizing programs for added flexibility.
So far I've gotten all my Karma from telling people they are wrong... :)
Well, linuXgod.net has an A+ on security. I ask people to try at it when I'm not using the connection. It's fun to watch them. Like little lemmings going for telnet first. It's fun to sit back and laugh. The M$ users are the funniest of them all to watch.
When you consider that the government is the focus of most hackers, this rating is really scary. A D- is completely unacceptable in the security world, and the fact that our government is so insecure... well, the thought is very frightening to me.
=================
Unix is very user friendly, it's just picky about who its friends are.
Do you really want efficient government?
Only if you believe they are benevolent. If you believe they are self-absorbed [as I do] or malevolent [as some do], then you want to limit their effectiveness.
I believe that govt expands to the limits of its incompetence. Since I really don't want more govt, I must limit its effectiveness, and accept the resulting bureaucratic inefficiency.
What would it cost to have a fingerprint scanner on each government computer?
About a billion dollars, or 1000 times the budget for the National Endowment for the Arts. Exactly what information does the Department of Health have that they need to keep secret? What are these sensitive files? How about the Department of Education? Library of Congress? Disease control? Though the DOD definitely needs to be protected against espionage, many of the other gov. agencies do not, and should not. Greater security means lower efficiency, which means greater costs. As to DOS attacks, these are IT, software and hardware issues, not user access issues, and should be addressed, but the report appears to be a knee-jerk reaction to the recent DOS attacks and the Los Alamos leaks, and misaddresses the problems.
Of course C-128 != C-64. I was pretty sure that the C-128 had a Z-80 and could do CP/M. (But not 100% certain, as I'm not Jim Brain, maintainer of the comp.sys.cbm FAQ after all.) The C-64, with just its 6510, can't run CP/M without a CPU addon such as the one you mention here.
Thanks for the info! Always love tech info for old machines.
--Joe--
Program Intellivision!
It makes it so much easier to find out where those black helicopters are headed...
Almost all posts are rejected. That is why I think they hate my posts. ;-)
~~~~~~~~~~~~~~~~~~~~
I don't want a lot, I just want it all
Flame away, I have a hose!
Only 'flamers' flame!
Seriously... instead of handing out life sentences the government should seriously consider handing out paychecks. Face it, they need someone with a clue on their side.
Windows2000: Where do you think you're going today?
What is the purpose of secured networks and hacker-proof software when you can't even keep track of laptops (as in the State Department HQ) or removable hard drives (as in Los Alamos National Labs)?
Lesson: Frequently the most obvious and seemingly straightforward security efforts are the most often overlooked ones.
Certified Microsoft Notworking Specialist
You also need to give fingerprints to get a driver's license in some states (incl. California).. HUGE chunks..
Trade the Lousy Pay, poor working conditions and lousy management of a Government job for good pay, poor working conditions and lousy management in the Private sector.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
And this isn't limited to just governments. Private business, which is supposedly smarter, harder working, etc than the government is FULL of convenience-minded people for whom security means nothing.
"Password restrictions? Filtering? Attachments? Get out! It might add 0.000023 seconds to my workload and as a Very Busy And Very Important Marketing Droid With Expensive Shoes And A Smart Haircut I don't have *time* to cope with that stuff!"
Of course, these are the same people who want you fired when the system is down at 0-early-30 on a Sunday morning for patching.
You're right that it's insane, it's totally out of control.
The only thing going for us is that Win95, which all the workstations except mine run, is usually so badly mangled by the end users that I don't think it could do much harm prior to blue screening..
There are so many things wrong with the last sysadmin where I work that I can't go into it without giving myself away. Suffice it to say that she gave me more gray hairs in the past few months as I went through her accounts, than my entire career in computers (20 years).
The main problem: because of the job market, people are becoming sysadmins because of the great pay. But these guys and gals can't troubleshoot their way out of paper sacks.
They are unable to figure out what's wrong because they don't see the entire picture. How the computer works, how software works, where things are.
They are not, in the truest terms, hackers!
And of course, if you don't know how to figure it out, how can you secure it? When I set up my firewall (here at home), I grabbed several copies of Linux and *BSD and installed until I found something that worked. I locked it down and then broke out the firewall book, the RFC, and figured it out. Now my system is fairly secure. But I still scan the logs and find out who's doing what.
They don't want to figure out how something works so they can understand it, they want to "fire and forget" and if it doesn't work, Reboot! If it still doesn't work, Reinstall! If it still doesn't work, Install Windows NT!
So they see this cool ad for CLC *spit* or AmeriTrain or any of several dozen others, stating that they just need to get certified to get the great-paying jobs, and then the PHBs foist them off on us to round out the "training".
"But hey, she's certified! She *must* be right!"
Hell, that was one reason I got my certification. Not for the pay but to have PHB credibility.
Ahhh, rant rant rant.
AC
The Usenet: The Flaming rules.
Everything in there is pure 100% accurate information. Except this, apparently.
--------
Now, if they didn't have an internet connection, how would they download the good pr0n?
---
---
Gort! Klatu Barata Nikto!
Note: the government apparently does as poor a job using PowerPoint as they do securing their networks.
For the detail-minded, here's the report:
Computer Security Report Card
I just wish it was a little easier to read some of the details.
-Sharv
You forgot to add, "dumbass".
I thought that according to the DOD security grading system a D was pretty good, at least for a computer that's connected to other machines. It's baseline. After all, Windows NT gets a C under "certain conditions." Trusted IRIX gets what, a B or something?
:)
-Chris
On an off-topic note, I submitted a story that was rejected. Linux kernel 2.2.17 is out. I saw it at ftp.kernel.org. Yet Slashdot hates my news stories, so I post here so someone else can submit it. ;-)
~~~~~~~~~~~~~~~~~~~~
I don't want a lot, I just want it all
Flame away, I have a hose!
Only 'flamers' flame!
Where do you get your information? Most of the computers at the unmentioned TLAs (CIA, NSA, FBI) run Solaris for the stability, network control and because they've had it for a while. Or stuff on custom hardware. (Which is really cool, but classified.)
-----
Planning to be moderated ± 1: Bad Pun.
You know, there seems to be a trend in the headlines about alphabet agencies getting hacked. Either they get their Windows NT server running IIS 4.x hacked, or they have their secrets stolen through insecure employees.
No one solution will fix this, but learning about the problems inherent in the products that they use to keep their "top-secret" information top-secret is a good first step. They seem surprised every time another agency gets hacked, but they are all running the same software. They should get their NSA math guys to look for a pattern.
Also, teaching their employees to use safe computing seems rather important. I'm sure that they teach them, and give them handouts, but I wonder how many agents' PIN number is still their daughter's birthday, and other such silliness. The rash of laptop thievery is just so mind-blowing that I don't know whether stupidity or spying is the case, and really I don't even want to know. I kind of hope for the latter, as I don't want to think that the people that are entrusted with our "most vital information" are incompetent enough to do things like that.
I guess I'm done ranting now...
Check out my sysadmin blog!
What would it cost to have a fingerprint scanner on each government computer?
I know when I co-oped for the Feds back in 1987, they took my fingerprints, so it's still probably policy to fingerprint each new employee.
Stick a little fingerprint reader on each workstation, and security gets a heck of a lot better (spare me the arguments about stealing or forging the fingerprint authentication file, I'm talking security against weak assaults).
Of course, when you have fingerprints of every person who worked for the Federal government, every criminal, and every welfare recipient, you have fingerprints on a big hunk of the country. All we need then is to fingerprint student loan borrowers. Anyone know if the NSA has massive fingerprint recognition computers?
And once something has been proved to work for the Federal government, it's a much easier sell to get it into private industry. Who knows, we all may be fingerprinted soon, in the name of better security. Bye bye rights. I think Voltaire said it best: those that would forgo a little freedom for security will soon have neither.
Around here, people continually circumvent routine security restrictions. Everything is run on Windows NT, but patches are not installed regularly. While all the paperwork is done, it often doesn't reflect reality.
Worst of all, everything runs Outlook, and the various ILOVEYOU kind of viruses spread through here like crazy. Can you imagine such a virus that didn't do anything *but* email all the documents on your computer to Czechoslovakia? But, guess what? We aren't allowed to turn off executable attachments, or even "speed bump" them, because "somebody might need them."
It's insane.
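The two controls that post says it is not allowed to deploy, blocking executable attachments outright and "speed bumping" the rest, are easy to express as a gateway rule. The following Python is an added example written for this page, not code from the thread or from any product it mentions. It classifies each attachment of a MIME message by its final extension (the one Windows actually executes, so the ILOVEYOU-style double extension `.TXT.vbs` is still caught) and by declared content type, and it returns a verdict of `block`, `speed_bump` or `allow`. The extension lists, the verdict names, the `application/x-msdownload` and `application/hta` content types treated as executable, and the sample message it builds are all assumptions of this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed policy lists for this example. Extensions Windows will run directly
# or via the script host: block them at the gateway.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk", ".reg",
}
# Macro-capable Office documents: not blocked, but held for an explicit
# "yes, I really want this" step (the "speed bump" the post refers to).
MACRO_EXTS = {".doc", ".dot", ".xls", ".xlt"}
# Content types that mean "Windows executable" regardless of the filename.
EXECUTABLE_CTYPES = {"application/x-msdownload", "application/hta"}


def classify_filename(name):
    """Return 'block', 'speed_bump' or 'allow' for an attachment filename.

    Only the last extension matters: 'LOVE-LETTER-FOR-YOU.TXT.vbs' is a
    VBScript file to Windows, whatever the middle part says. Trailing
    spaces and dots are stripped first so 'setup.exe .' is not misread.
    """
    lowered = name.lower().rstrip(" .")
    _base, ext = os.path.splitext(lowered)
    if ext in EXECUTABLE_EXTS:
        return "block"
    if ext in MACRO_EXTS:
        return "speed_bump"
    return "allow"


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and classify each attachment.

    Returns a list of (filename, content_type, verdict) tuples in
    attachment order, so a gateway can strip, quarantine or pass each part.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        verdict = classify_filename(name)
        # A benign-looking name with an executable MIME type is still executable.
        if verdict == "allow" and ctype in EXECUTABLE_CTYPES:
            verdict = "block"
        findings.append((name, ctype, verdict))
    return findings


def build_sample_message():
    """Constructed sample: one worm-style script, one macro document, one text file.

    The script body is placeholder bytes, not a real script.
    """
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "you@example.org"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached file.")
    msg.add_attachment(b"PLACEHOLDER-NOT-A-SCRIPT",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"PLACEHOLDER-DOCUMENT-BYTES",
                       maintype="application", subtype="msword",
                       filename="budget.doc")
    msg.add_attachment("meeting notes\n", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, verdict in scan_message(build_sample_message()):
        print(f"{verdict:10s} {ctype:28s} {name}")
```

Run stand-alone, the script prints one line per attachment with its verdict; the `.vbs` is blocked, the `.doc` is speed-bumped and the `.txt` passes. The classifier is deliberately based on the final extension and the MIME type rather than on the middle of the filename, because a filename is the one thing the sender fully controls.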