Slashdot Mirror
US Government Computer Security Evaluated
Logic Bomb writes "Yahoo is carrying a wire story about a report by the House Subcommittee on Government Management, Information and Technology. It gave the US government an overall grade of D- on computer security. That probably isn't a big surprise, but the details of the report are scary -- the Department of Defense got a D+. Isn't that lovely? The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems. My guess is the latter."
...people are wary of Carnivore, and don't believe the FBI's assurances of security and propriety. Any system that can be abused will be abused.
Perfect examples of why inefficiency/inadequacy are a definite risk.
Karma: Excellent, but still won't get you laid.
HOWEVER: The network they have to work on was only recently put beyind a firewall. And before that foreigners like them were especially vulnerable because they would not let them use ssh for Export Control reasons!
So a policy intended to "protect" U.S. interests, actually placed their own networks at risk!
Is this the promised end? Or image of that horror? KING LEAR
At my original college, F is for fun =)
---
-
ping -f 255.255.255.255 # if only
My case...
The leader of my department's HQ info security team once commented to my center's Asst. Director of IT "You have a lot of really good people working here... too bad none of them work for you." It was a stunning statement - and painfully true. IT is largely farmed out to contracts across the center. If you want an IT job at the center, most likely you'll be a contractor.
While this brings up questions of trust and conflicts of interest, it also creates a bigger problem - budget. Contracts are awarded to the lowest bidder; even if that bid is ridiculously low. The contract I worked for was reasonably sane, but still very tight. The fact that the company counted on a thrift bonus each quarter only increased the challenge. This lead to bare minimal staffing; more work for fewer workers. We had to be very careful to ensure that we only spent time on things we were going to be credited for. Do what you are paid to do - nothing more. And we weren't paid to do info security.
I, and a few coworkers, had an interesting exception. We were considered an important part of the info security community at the center and were included by the department. The contract made allowances for this since it brought good visibility. But we still had our "real" jobs to do. More work.
So while the center was becoming very clueful about infosec, it was not funding it. There had been some talks about improving this situation, but last I heard the talks had taken took a bad turn. When it came to budgets, security had a hard time making the cut.
The lure of decent pay, and small perks such as a training budget proved too much for me. I left my gov't job for private enterprise. And so did one of my co-workers (actually, the department has taken huge hits as IT workers have left in droves after dealing with worse contracts than mine - I often wonder how they're keeping things going). In fact, my new corporate team has recently recruited talent from a wide sampling of US Gov't organizations.
That alone is probably pretty telling.
Well, it's easy enough to use a SecurID or similar scheme, where you have a little LCD screen that is constantly cycling passwords according to an algorithm. Or better yet, the challenge/response system where it gives you a string of alphanumerics, you key it into your little calculator like thingy, and it spits out the response. If you're using static passwords, social engineering is the least of your worries.
Vintage computer games and RPG books available. Email me if you're interested.
It says 'system' directories and setting this would would be like users having access to /etc/* (in a unix system) as opposed /home/luser/* This is a problem for two reasons. 1) No you cant trust local users not to break/sabatoge soemthing if they have a chance. 2)When users have incorrect permissions it gives an outside 'crackers' more chances to compromise an account that has right to do real damage in this case 1100 chances.
I do agree that an explanation of the grading system would be useful.
Or in college: D is for Diploma!
Sig it.
I work for a government agency (USPS), and while my experience with them deals only with internet and intranet applications, it's worth noting that the biggest obstacle we face (and likely the other government agencies as well) is the pride of the people that create insecure applications.
If you happen to read something on slashdot, such as the IE cookie exploit, then dare report it to a division using cookies for sensitive information, you just get a heated debate.
It took me no more than thirty minutes to compromise the "secure" cookie of their application, and it contained sensitive information that could compromise the entire application in plain text!
Fortunately, the right people (suits) got wind of my experiment, and this security hole is actually being dealt with. With all the effort it takes to get people to open their eyes, I can understand why nothing gets done about such issues.
It's really like testing someone's program, only to have your feedback ignored.
What's the point?
Source code is a lot like a parachute; it needs to be open in order to function properly.
Ironic... if the government fairs so poorly for its own security, then wouldn't it be logical that their own tech for monitoring/big brothering the Net sucks? Perhaps there are assumptions that carnivore 'works.' Granted, it would help to see the code to determine this, but wouldn't the odds be strong that carnivore does not work as well as the claims? Do we really have anything to fear?
Maybe they talk the talk but don't code the code...
"typical of what you'd find in most Internet-linked systems"??
/.ers out there know that the Internet is very hard to secure. But they also know that it can be done with a good deal of practice and knowhow. So I'd say it's not that. I'd say it's more likely poor government performance that we're seeing there.
Sorry, doesn't wash.
Many
Ideally, the government should have the highest security and technological savvy of any entity in the country, in order to protect its citizens from threats from outside the country.
(Ideally, the government should also be protecting the rights of the citizens too rather than chipping away at them with an espresso spoon whereever any cartel like the MPAA or RIAA tells them to, but that's another rant entirely.)
So what's wrong? Either:
a) they don't have the knowhow to maintain system security, or
b) they have the knowhow, but aren't utilizing it correctly.
I'd like to see a correlation of government salaries in relation to similar positions in private industries. If they're dissimilar, and the government pays its workers less than the private sector, then I think it'll be safe to say where the talent's gone...
You cannot truly appreciate Dilbert until you read it in the original Klingon.
The government might just lose its reputation as one of our finest, most efficient, best run organizations.
I mean yeah, the govenment doesn't have the best web masters. They are not always the best people, maybe they just want to get a page or to up to try and stay current with the technology of the time. It's not like the people needed to properly secure a system are cheap. And the government doesn't work FAST so it's not like they can just go and hire these people whenever they need them.
I guess what I'm really tring to say it that you should take what they are saying with a grain of salt. Some reporters are just tring to make the gov look bad.
So what kind of internet box is safe? A box behind a router that only lets acceptions in on one randomly chosen port to a SSH connection where the password to log in is determined by a predetermined seed to a Secure ID card? Given enough time and pressure, anything is breakable. The only truely secure information doesn't exist. (They are dumb quotes, I made them up)
(sorry for the multiple post, but..)
I suppose, since the US Military made their bed with the creation of TCP/IP, they now must lay in it! Get real, it's an ivory-tower protocol to begin with. Should the average user be able to traceroute machines; the little packets revealing the IP's of every system they swim past along the way?
Aren't "system security" websites creating more problems than they solve? Does a hard-working system administrator have as much time to read "rootshell.org" as a mischievous twenty year old college kid? If said college kid finds an exploit, compiles and uses it while you're out of the office, before you're even aware of it, does it mean you're a bad administrator?
Considering the level of knowledge distribution on the internet, particularly in the areas of networking, OS fuction, and security exploits/patches, can the "good guys" truly *ever* be that much ahead of the "bad guys" ?
To compound the problem, owners of ISP's don't need to demonstrate any level of competancy to purchase IP's; only supply the necessary funds. So basically any idiot with just enough smarts to get online creates a wonderful opportunity for the hacking elite. Spoof an IP here or there, root the Acme ISP, wipe their log files, and hop out from there - Exploit away!
Perhaps if the federal government applied the same type of licencing to the purchasing of IP addresses as they do FM & AM radio frequencies, and held the OWNERS of said IP's responsible for the usage of same, AND required some sort of certification process to even QUALIFY, 75% of the "computer security problem" would go away IMMEDIATELY?
THIS SPACE INTENTIONALLY LEFT BLANK.
I don't know where those people worked, but where I worked doing DoD research we had pretty severe restrictions. For a while all the computers had to be Tempest approved (for low-emissions). If not, they were used inside "the can" which was a large metal room within another room. Both had massive combination locks on them and motion sensors. Once, we were throwing network cables above the drop-ceiling - we didn't know about the motions sensors - and when they went off we all shit a brick.
All machines had removable hard-drives that would be locked in safes. After use, the hard drive was removed and the machines power was cycled. None of these machines were networked. The only network was within "the can" and that didn't go external.
When photocopying classified, you had to run blank sheets through the copier when finished. And you had to have a second person with you to check everything when you were done.
When classified as to be destroyed (and that isn't easy to get approval) we had an incinerator in the building for it. We all wondered if we could use it to cremate deceased pets....
We were apart of a University with many foreign nationals. Part of the CS school had facilities in our building where the students would go. When security found out they kicked all foreign nationals out of the building. We lost a couple good grad students because of it.
Security violations were severe since we could potentially lose all funding if our clearance was revoked. Auditors came around yearly and quizzed randomly on procedures.
All in all, it wasn't a huge hassle to do all this stuff - it was part of the routine. Of course, I avoided classified work as much as possible...
-tim
Hey man, at least they passed :)
I think it's the fear of getting busted by the government is what keeps most attacks at bay for the gov sites. It still doesn't help our national security.
Haven't any of you watched War Games?
Any kid with a C-64 can hack the Pentagon and set off a nuclear war.
Uh, it was a historical recreation, wasn't it?
--------
For an A, the computer must be vaporized by a nuclear blast.
For an A+ the computer must be hurled into a black hole (some information might be gathered from the trajectories of the particles thrown off by the nuclear blast).
--------
you see, the problem with the government is they don't like to fix potential problems. I saw firsthand an example of this. The bandwidth of the new system was going to overpower the network. We knew it, we told them, they said it would be fine. So we switch on, it blows up. So now we've got to rewire this kludged/patched/duct taped network all the while the users are screaming at us for breaking their system. I don't think I can say any more specifics, but this did make the news last fall at the unclassified level.
As for the famous $500 hammer, that was probably still the lowest bid.
-----
Planning to be moderated ± 1: Bad Pun.
Yes certainly trust is a good thing but would you trust 1100 people even if you worked with them with. /etc/shadow
1) sensitive data
2) write permission on system executables/conf files.
3) read or write access to
Even the best hiring practices and background checks are likely to miss maybe %1 of the bad apples. So I would be willing to bet that there are at least 2 or 3 people in the organiztion that would be willing to use the info naughtily or use bad permisions to gain root.
And in related news, Microsoft has announced today that they will be submitting a proposal to the government that will outline a plan to quote "replace all those nasty, old 20th century *nix systems with state of the art 21st century Windows 2000 servers."
The company spokesperson went on to say that "organizations can not take full advantage of all the innovations(TM) in Microsoft software until viruses like Linux are purged from the network."
Linus Torvalds was not available for comment.
--
Scott Brady
The intro movie to the first System Shock game.
I would kill to see some script kiddie wet his pants as his door gets kicked in and laser scopes all situate themselves on his forhead...after using a root kit. Big Brother would have its advantages!
Sig it.
Most system administrators in the government are doing it as an additional duty to their regular job. They have a limited amount of time to spend on system administration, which besides security, includes keeping software updated, doing backups, troubleshooting and fixing network and system problems.
In an ideal world, there would be full-time system administrators and security specialists to keep the systems secure and running smoothly. The reality is that very little money is budgeted for security or anything else that is perceived as not directly contributing to the mission.
Mea navis aericumbens anguillis abundat
This is how I assumed most of the government systems were. That was why Wargames seemed so trite was it was based on the idea of a system linked to the system capable of launching nukes being accessed from an outside telephone. The best digital security is simply allow no outside access. A stand alone comp can't be hacked remotely...of course it tends to be less useful than a networked one.
I would think the DoD would have a clear concept of compartmentalization as a security method.
This is not the way to build a lasting empire.
That pretty much leaves the security in the hands of folks whith little or no experience. Based on that the report isn't surprising at all.
Of course, this is all second hand information. Perhaps some military/gov't (or ex) security folks here on /. (c'mon, we know you're here) could pipe up and correct me if I'm way off base?
--
Behold the Power of Cheese!
Actually, that's a small typo. The Pentagon was trying out their new structured language, D++, and got it confused with the please-rate-your-network-security form they had to send back to the House Subcommittee.
--
Have fun: Join D.N.A. (National Dyslexics Association)
Vintage computer games and RPG books available. Email me if you're interested.
Walkin.
Find a corner with nobody around.
grab a cat-5, split wires off into a wireless transmitter.
hide cable away under a desk.
park a vehicle in parking lot of building with receiver inside, dumping to a laptop.
steal social security #s (most are unencrypted networks), personal info, address info, drivers license info, etc.
Enjoy. Guarenteed to work at your local DMV!
Ever need an online dictionary?
... or, more likely, it's a report done by a Republican Congress to discredit a Democratic administration. They've been doing this all year. For example, when Bill Richardson (a Hispanic and therefore politically valuable) was a front-runner for the Democratic VP slot, Congress brought as much media blame as possible on him for apparent security leaks in the Energy Department.
FYI, Congressional panels and committees are generally controlled by the majority party of that branch of Congress, even when they're called "non-partisan".
I'm not endorsing Democrats or slamming Republicans here, I'm just pointing out politics as I see them. The same thing might happen if the parties' roles were reversed. I am neither Democratic nor Republican.
Of course the government is also in something of a double blind. If they actually institute security sufficient to keep all crackers out (presuming that such a thing is actually possible) they get accused of being paranoid and spending too much on security. If they relax to the point that there are breakins, people will be unhappy because they aren't taking security seriously enough. And, of course, for a lot of levels of security they get hit from both sides because their security still isn't good enough to please the security conscious, but their expense and paranoia are too much to please the other side.
Of course that's not to say that the current situation is a good middle ground. It sounds very much as though they're trying hard to achieve security but still not managing to do so, which is the worst of all possible situations. Still, though, you have to be at least a little bit sympathetic to the fact that the government gets very mixed signals about what people want it to do.
There's no point in questioning authority if you aren't going to listen to the answers.
Tragically, www.fbi.gov has huge security weaknesses. They left port 80 open, allowing us 31337 haxors to connect. Once connected, we can send specailly formed packets known as "|-|77P R3qu3575" to the remote host and retrieve files.
The government should just pack it in.
There's no way to protect a system from the likes of me.
--Shoeboy
"Why doesn't it just check the .launch file?"
Mr. Ska
I worked with a DoD contractor (software development) for a while. The people taking care of the company web site were former NSA and military. And not long out of the DoD, either.
In dealing with these people, I have found that while there are some smart people in the military, there aren't many. For example: I sent an e-mail to a software developer in Russia (he had some GPL'd stuff we were using). Two days later, I was called in to the IT department and threatened with termination for "letting the Russians know we have an IP address!". I wish I were kidding you.
Another example: we needed a new e-mail server for one of the offices-- maybe thirty accounts. I talked with one of the guys, mentioned perhaps using OpenBSD and Sendmail. I asked him about it a few weeks later, and the response was: "No, a lot of our guys attach Microsoft Office documents to their e-mails, we need to make sure the server is compatible." (and this server was NOT supposed to scan documents and attachments for viruses).
Why does the DoD have such shitty security? They have idiots in charge. Idiots that talk a big talk, but have no fucking clue. They sling buzzwords around, they take credit for the other guys' work, and they get promoted with maximum time and grade. The military doesn't know the difference between a competent soldier and an incompetent soldier. God, it's irritating.
When I was in the military we had 3 guys supporting a 400 workstation network with 1100 users. Security! It was hard enough to explain to everyone that pressing the button on the monitor won't turn the computer on. There was no time or resourses for security.
Attributed to David A. Guidry:
network security:
1. Kill all your users.
2. Remove all accounts.
3. Detach network and dialups.
4. Turn off machine.
So rather than encasing the computer in titanium and dumping it in the pacific ocean, we do that to the users. After all, computers don't cause computer insecurity -- people do. So securing the computer is peripheral (not to be confused with peripherals).
Of course, we have to be careful when suggesting things like #1 to the US Government. After all, national security is paramount...
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
on the contrary, most of the non classified networks are on NT domains, which are possibly being converted to 2000 domains later this year. (I'm speaking from experience, but also of only airforce sites). Hence the implimentaion of SMS and the like. (Though I'm still amused that the AF bought L0phtCrack and didn't even spell it right on their lil slide show for me. :P )
Now, on the topic of the more sensitive networks, they are (to the best of my knowledge) typically M$ systems connected onto a *nix server. However these systems are not (supposed to be) connected to any outside network. Higher Sensivite systems (i hope) are using a more secure system, but for the most part, we're, um.....not.
In reference of the sysadmins on .gov and mil sites, well, i have to agree with you there, the ppl who knew what they are/were doing are few and far between and primarily have left for civilian jobs with a real paycheck and maybe even some benifits.
I mean, government pay scales suck!
--Can't argue that one....not at a lil over $1200 a month....
We aren't allowed to turn off exectuable attachments, or even "speed bump" them, because "somebody might need them."
:) Of course, we have Lotus Notes, so executable attachments are already "speed bumped".
Sounds like General Motors...
My journal has hot
Back in the good old days of college years, I served as an intern for NASA. Part of my experience there was monitoring security processes for our group. There really weren't any. We were handling classified information including some military inventions and devices for our project and some of our trusted boxes (there was RSH used with .rhosts) were out of the box redhat 4.2 with no additional security precautions. I changed that as soon as possible, but the night before the last machine was to be worked on it was broken into.. how's that for irony.
However, my experience with commercial networks have been a lot worse. One company had two seperate networks, connected by a machine with two NIC's and it was expected to filter traffic between the two. Rather amusing approach to segregating between a private and public network. Their only problem is the gateway between private and public had an ancient version of sendmail serving mail as well.
Ahh.. I love the smell of poor management in the morning.
nerdfarm.org
Dacels Jewelers can't be trusted.
The report said accounts often remained open even after employees or contractors wound up their employment access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users
Egad! This is horrible...
They really don't have someone working in the US government who enjoys his job as a systems administrator. On more then one occassion I have taken joy in removing the users account before they have recieved notice of termination. We have a very aggressive policy on privledged users...and in fact I have had employees admit to first believing they had been fired when in reality they had encountered authentication problems due to system failure.
It is a twisted world we live in, and I add a few more turns every day.
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
I'll bet you dimes to doughnuts that the NSA, FBI, and CIA all have pretty tight security with nothing that even has a remote chance of being classified coming near the internet. DoD is slightly surprising, but hints at their arrogance - they believe they are superior and no one would be able to crack them.
As originally said though, and especially in light of the Western Union attack, this is probably the general state of all computer security.
This is not the way to build a lasting empire.
All the problems listed are ones I or my fellow geeks have seen multiple times, and in some cases (open accounts, bad access decision) are purely human errors and laziness.
I'm not thrilled to see my government with such shoddy security, but it really isn't unusual when one takes a look at non-governmental computer security.
The problem today is people aren't using the technology available to them AND they aren't following (or being trained in) procedures to maintain security. Anywhere.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
If the Department of Defense only gets a D+, that leaves Western Union somewhere along the lines of 'strongly advised to drop the class on the first day', right?
.sig: Now legally binding!
Yeah, those do, but it's the departments you don't care about that have the most "computers". The NSA and the Weather Service and stuff have a few huge machines, but the IRS and DOEdu and DoEnergy have more employees, each of whom has one or more machines.
But wait, it gets worse: When you study the computers at a location you have two areas: servers and clients. We have like 10 solaris boxes, all of which are counted together as "the server", then we have desktops for 150+ users, each of which is counted as "a computer." For security purposes, that's 151 "computers" that are counted, only one of which (the server stack) is under the direct day-to-day control of the IS group. Hell, our IS people aren't even in the same building as the majority of desktops. Those who were here before I started will tell you, security was much easier when everyone here ran xterms, but the users push for laptops and crap on their desk that couldn't be made secure if we rewrote it line-by-line. It's all we can do to keep them from saving their password in Eudora, or even getting them to use that instead of Outlook in the first place (that filipino iluvyou kid sure did me a big favor).
They have to do it that way because people use their machines in such a varied fashion, so rating security, for us, is really how secure your server is and how effective you are at enforcing network policy, which is much, much harder. Some of us are hoping the switch from 98 to 2k will help, as far as forcing people to save shit where it belongs, but the future doesn't look bright: I told the new accountant he had to cycle a dozen passwords for our grant requests, and he threatened my job!
You know, if we conveniently place sensitive terminals next to "molecular digitizing lasers", maybe we can store intruders on a zip disk and upload them to the Game Grid.... for the dumber crackers, we might be able to fit them onto a floppy.
--
Spindletop Blackbird, the GNU/Linux Cube.
At one unnamed agency, all 1,100 users had been granted access to sensitive system directories and settings, the GAO found.
As far as this is concerned. I'd like to think that organizations can be secure enough in other ways to not have to have co-workers hiding information from co-workers that are possibly right next to them.
-Daniel
Up until recently I was a contractor for the Gov. More annoying than the fact that there securty sucks is the fact that instead of advertising a contract for the OS for the next 5-10 years is the fact that the Gov is allready moving to W2k. My particular office was running on Pentium 200's with 64-100 megs of ram and a 2gig HD. During my time there I was able to make the system extremley reliable for an NT network. Before leaving I asked all the users "What functionality are you missing from your desktop that stops you from being able to complete your work" The answer I got from every user was "NOTHING" So my question becomes WHY IS THE GOV GOING TO SPEND MILLIONS OF TAX DOLLARS ON W2K AND THEN MILLIONS MORE ON UPGRADING THEIR HARDWARE TO SUPPORT THE OS? Needless to say I asked many of my superiors this question and I was basically told to shut-up cause that's the way things work. They even had the nerve to tell me that the GOV has input on the way Microsoft writes it's OS's. I promptly quit after hearing this. Within the next 6 months at my former job the W2k upgrade will begin. Does anyone else see what hipocrits the gov is being supporting this OS? Just my 2 cents. which in the government only goes as far as .002 cents.
Bill - aka taniwha
--
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
The government has never really been too "security-conscious" as far as I'm concerned.. just look at all the breakins that government agency websites have experienced in the past, and still experience - or the breakins that were publicized at least.. who knows how many more systems were just cracked into.
Seems they're thinking with their wallet and not their heads. They don't see a need to hire professionals to secure and monitor their network because they assume it's already secure. Wouldn't also surprise me if they thought the threat of prosecution were enough to keep crackers out. That's just plain stupid.
How much does it cost to install IDS systems on networks that should be secure (or any network, for that matter?). And a few paid professionals? You're trusting these people with your data. Social security numbers, tax records, etc. and they have little security at best.
--
Computer turned off, cast into solid titanium,
dropped somewhere in the Pacific?
Je t'aime Stéphanie
And 0-early-30 Sunday? Hey thats when they are still in the office surfing pr0n sites...
All opinions are my own - until criticized
the report said accounts often remained open even after employees or contractors wound up their employment
access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users
Sounds like it's less that the system isn't secure and more like they really need to give their employees a good lesson in security.
"Freedom of speech has always been the abstract red-headed stepchild of the Constitution"
"Freedom of speech has always been the abstract red-headed stepchild of the Constitution"
-Suck
Spend money on useless crap.
In fact, I think they do that better than anyone else.
Moderators, feel free to mod this down as Redundant and Troll. After all, we all know the government doesn't spend money uselessly;-).
Bite my yammer.
A friend of mine worked on a classified project for a DoD contractor, and I was appalled at his stories. He was set in front of a computer, and his boss called away on business before he could give my buddy a login id. The computer was named "Enterprise". On the bottom of the keyboard was a sticky with the word "Picard" on it. Yes, it was the root password. Similar stickys were to be found on the bottom of nearly every computer in the place.
Worse still, they would download very sensitive data from satellites using rsh to a root account with a .rhosts file! When he pointed out that this was probably the LEAST secure method they could possibly choose, they told him that this scheme was the recommendation of a DoD security consultant.
Their entire idea of security seemed to be putting up a bunch of cold war era posters with eagles playing poker against vodka swilling bears and wolves dressed in arabian garb, warning "Don't tip our hand!"
Admittedly, these weren't machines connected to the outside net, but it would've been trivial for any visitor or janitor to get access to EVERYTHING.
As a term employee with the Forest Circus I was amazed at how little the employees understood about security. Any password that was not username1 or username2 was a pet/spouse/child's name. And root on the servers was just as simple.
When a temp asks you to restart a printer queue for the second time and you give him the server passwords and door combo, security isn't even a bad joke. Forget about DoD web pages getting "owned". The issue is a vast collection of financial, tax, and research data that's available to any techie who helps fix a federal employee's home computer and asks for a password to "test" the VPN. Until user security is adressed systematically, upgrading the firewalls is a waste of time and resources.
Wait... you mean you still haven't joined the ACLU?
The problems with articles like these is that you never know what is being reviewed.
For instance, does this include the many many DoD defense grant and contract holders who have sensitive information? I mean most of those are educational institutions and you know what their security is like. Lord knows anyone could break into my lab with little more than determination and a swift kick.
The other question is, while the system may be wide open, how important is the data that is available on it? The DoE and DoD like to keep all the nasty secrets behind air walls so there is no chance they are going to get out unless someone physically penetrates the building.
BTW I have seen people posting thinks saying that higher government security will produce to a smaller government. These people obviously don't understand how government works. More security means more government to provide this security (additional security personnel) and more government to make up for the inefficiency caused by more stringent security. If you want a drastically smaller government then I suggest you look elsewhere, like privatizing programs for added flexibility.
So far I've gotten all my Karma from telling people they are wrong... :)
Do you really want efficient government?
Only if you believe they are benevolent. If you believe they are self-absorbed [as I do] or malevolent [as some do], then you want to limit their effectiveness.
I believe that govt expands to the limits of it's incompetence. Since I really don't want more govt, I must limit it's effectiveness, and accept the resulting bureaucratic inefficiency.
It makes it so much easier to find out where those black helicopters are headed...
ALL most posts are rejected. That is why I think they hate my posts. ;-)
~~~~~~~~~~~~~~~~~~~~
I don't want a lot, I just want it all
Flame away, I have a hose!
Only 'flamers' flame!
Seriously... instead of handing out life sentences the government should seriously consider handing out paychecks. Face it, they need someone with a clue on their side.
Windows2000: Where do you think you're going today?
What is the purpose of secured networks and hacker-proof software when you can't even keep track of laptops (as in the State Department HQ) or removeable hard drives (as in Los Alamos National Labs).
Lesson: Frequently the most obvious and seemingly straightforward security efforts are the most often overlooked ones.
Certified Microsoft Notworking Specialist
Trade the Lousy Pay, poor working conditions and lousy management of a Government job for good pay, poor working conditions and lousy management in the Private sector.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
And this isn't limited to just governments. Private business, which is supposedly smarter, harder working, etc than the government is FULL of convenience-minded people for whom security means nothing.
"Password restrictions? Filtering? Attachments? Get out! It might add 0.000023 seconds to my workload and as a Very Busy And Very Important Marketing Droid With Expensive Shoes And A Smart Haircut I don't have *time* to cope with that stuff!"
Of course, these are the same people who want you fired when the system is down at 0-early-30 on a Sunday morning for patching.
You're right that its insane, its totally out of control.
The only thing going for us is that Win95, which all the workstations except mine run, is usually so badly mangled by the end users that I don't think it could do much harm prior to blue screening..
The Usenet: The Flaming rules.
Everything in there is pure 100% accurate information. Except this, apparently.
--------
On an off topic note, I submited a stroy that was rejected. Linux kernel 2.2.17 is out. I saw it at ftp.kernel.org. Yet slashdot hates my news stories so I post here so someone else can submit it. ;-)
~~~~~~~~~~~~~~~~~~~~
I don't want a lot, I just want it all
Flame away, I have a hose!
Only 'flamers' flame!
where do you get your information? most of the computers at the unmentioned tlas (CIA, NSA, FBI) run Solaris for the stability, network control and because they've had it for a while. or stuff on custom hardware. (which is really cool, but classified)
-----
Planning to be moderated ± 1: Bad Pun.
You know, there seems to be a trend in the headlines about Alphabet agencies getting hacked. Either they get their WindowsNT server running IIS 4.x hacked, or they have their secrets stolen through insecure employees.
No one solution will fix this, but learning about the problems inherent in the products that they use to keep their "top-secret" information top-secret is a good first step. They seem suprised every time another agency gets hacked, but they are all running the same software. They should get their NSA math guys to look for a pattern.
Also, teaching their employees to use safe computing seems rather important. I'm sure that they teach them, and give them handouts, but I wonder how many agent's PIN number is still their daughet's birthday, and other such sillyness. The rash of laptop theivery is just so mind-blowing that I don't know whether or not stupidity or spying is the case, and really I don't even want to know. I kind of hope for the latter, as I don't want to think that the people that are intrusted with our "most vital information" are incompetent enough to do things like that.
I guess I'm done ranting now...
Check out my sysadmin blog!
What would it cost to have a fingerprint scanner on each goverment computer.
I know when I co-oped for the Feds back in 1987, they took my fingerprints, so it's still probably policy to fingerprint each new employee.
Stick a little fingerprint reader on each workstation, and security gets a heck of a lot better (spare me the arguments about stealing or forging the fingerprint authentication file, I'm talking security against weak assualts).
Of course, when you have fingerprints of every person who worked for the Federal government, every criminal, and every welfare recipient, you have fingerprints on a big hunk of the country. All we need then is to fingerprint student loan borrrowers. Anyone know if the NSA has massive fingerprint recognition computers?
And once something has been proved to work for the Federal government, it's a much easier sell to get it into private industry. Who knows, we all may fingerprinted soon, in the name of better security. Bye bye rights. I think Voltaire said it best, those that would forgo a little freedom for security will soon have neither.
Around here, people continually circumvent routine security restrictions. Everything is run on Windows NT, but patches are not installed regularly. While all the paperwork is done, it often doesn't reflect reality.
Worst of all, everything runs outlook, and the various iloveyou kind of viruses spread through here like crazy. Can you imagine such a virus that didn't do anything *but* email all the documents on your computer to Czechloslavakia? But, guess what? We aren't allowed to turn off exectuable attachments, or even "speed bump" them, because "somebody might need them."
It's insane.