Slashdot Mirror


Federal Computers Fail Hacker Test

Nintendork writes: "An article by the Associated Press, published on CNN, tells of the latest network security report cards earned by Federal agencies. The Department of Defense along with several others failed. I hope terrorists that pose physical threats don't have any script kiddies in their arsenal."

125 comments

  1. I don't buy it... by Mustang+Matt · · Score: 3, Insightful

    I wish they would have gone into more detail about what tests were run and how they were failed. It's easy to criticize the government but where are the facts?

    I can't believe that they could have scored an F on any security test. Am I naive?

    Is it physical security or through the internet or what?

    Does anyone have any links that show what tests were done and how they scored on each one?

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
    1. Re:I don't buy it... by Anonymous Coward · · Score: 0

      Well, they won't broadcast the vulnerabilities now, will they? That would be darn stupid.
      Just like telling kiddos you want to break in?

      Come on.

    2. Re:I don't buy it... by Nick+Number · · Score: 5, Interesting

      I can't believe that they could have scored at F on any security test. Am I naive?

      Well the following paragraph of the article gives some blatant examples of poor practices that were found:

      The GAO routinely hacks into federal computers to test security and rarely fails. At the Commerce Department, for example, the GAO in August found some computers didn't require any passwords; some used "password" as the password; and entire lists of passwords were stored in plain view on the computers themselves. When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

      This isn't all that hard to believe. These networks are huge, and there will always be some people who value convenience over security. The question is whether the admins are understaffed, inexperienced, or simply lax in enforcing policies.

      --
      Promote proofreading. Don't mod up sloppy posts.
    3. Re:I don't buy it... by Col.+Panic · · Score: 2

      One way to score an immediate 'F' is *not* to secure the default configurations for many systems. If that is not done, default passwords can be used by any schmo with a manual. I am guessing that too many administrators just install devices and leave them alone when they have ensured that they work. That is not going to cut it in any environment that requires secure configurations.

    4. Re:I don't buy it... by Proteus+Child · · Score: 1
      I don't have any info on that, but I think I know why they haven't said:

      If the tiger teams got in so easily, would-be net.terrorists could get in just as easily. This is just buying them time until their security cluefulness loan clears the bank. It's also possible that this report is a few weeks to a few months old, which would buy them further time. Whether or not this extra time was actually used productively is anyone's guess.

      Proteus' Child

      --

      Proteus' Child

      Doko ni datte; hito wa, tsunagette iru.

    5. Re:I don't buy it... by BlueboyX · · Score: 2, Insightful

      At the school I volunteer at I talked to a woman who will be setting up a new LAN. She was discussing how complicated setting up secure networks is with the librarian. She seemed pretty happy with herself that she knew how to prevent people from getting onto the computers by just clicking the 'X' button on the login menu. Her face looked pretty impressive when I told her that another trick lets people get in a system by logging in as 'Default'.

      Heh, I used that trick once to get in a hospital computer system where my father worked (he forgot his new password). The X trick didn't work, but Default sure did.

      Let's just face it, we are dealing with normal people here. Not nerds. Most of us here could set up a more secure network than you will find on average. And I include a lot of us who have never actually set up a network in that statement. A lot of things that are common sense to us are magical or totally unknown to normal people.

      The only way the gov and various businesses are going to get more secure is if they train their people in computers (unlikely) or hire more nerds (also unlikely, for the gov at least. They can't/don't compete with businesses very well).

      In other words, a lot of basic things in the bureaucratic and commercial worlds are going to have to change if they are going to seriously make their systems secure.

      --
      "Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
    6. Re:I don't buy it... by amunet · · Score: 1

      You must be naive. Why would you think that the government, or more specifically all government, would pass a security test?

      Someone like the CIA or FBI, I might find a little hard to believe. However, I worked for the government for a few years and they are seriously lax in security. Especially net security. They think they are safe behind their little firewalls, but they are penetrable.

    7. Re:I don't buy it... by seann · · Score: 0

      Do they not have countermeasures to protect against weak passwords?
      Mind you, typing in PASSWORD works fine, so does password.

      Apparently not even my box protects against crappy passwords; maybe I should beef up the alphanumeric occurrences (and they should too).

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
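      Two of the comments above point at the same control: Col. Panic's point that unsecured default configurations hand out factory passwords, and seann's wish that his box rejected "PASSWORD" and "password". The following is an added example, not code from any poster or agency, of the check an authentication system or account audit would run before accepting a password. The banned-default list beyond "" and "password", the 12-character minimum and the leetspeak substitution table are assumptions; the account list is constructed.

```python
import re

# Values that must never be accepted as a password. "" and "password"
# come straight from the GAO findings quoted in the thread; the rest are
# generic factory-default strings assumed for this example.
BANNED = {"", "password", "admin", "default", "changeme", "letmein"}
MIN_LENGTH = 12  # assumed policy minimum, not from the article
# Common substitutions, so that a value like P@ssW0rd normalises back to
# "password" and is caught by the banned-value rule as well.
_DELEET = str.maketrans("@$013!", "asolei")
_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_issues(candidate: str) -> list:
    """Return the policy violations for one password (empty list = OK).

    Matching is case-insensitive, so PASSWORD, Password and password
    all fail the banned-value rule, which is the gap seann describes.
    """
    issues = []
    lowered = candidate.lower()
    if lowered in BANNED or lowered.translate(_DELEET) in BANNED:
        issues.append("banned")
    if len(candidate) < MIN_LENGTH:
        issues.append("too short")
    # Count how many of the four character classes appear at least once.
    classes = sum(1 for pattern in _CLASSES if re.search(pattern, candidate))
    if classes < 3:
        issues.append("low variety")
    return issues


# Constructed account list for the demonstration (not real credentials).
SAMPLE_ACCOUNTS = {
    "svc_print": "",                 # no password at all
    "jdoe": "PASSWORD",              # the literal word, upper-cased
    "helpdesk_reset": "P@ssW0rd",    # leetspeak variant of a banned word
    "router01": "admin",             # untouched factory default
    "asmith": "Tr0ub4dor&3-Horse!",  # passes every rule
}


def audit(accounts: dict) -> dict:
    """Map each failing account name to its list of violations."""
    report = {}
    for user, password in accounts.items():
        issues = password_issues(password)
        if issues:
            report[user] = issues
    return report


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(issues)}")
```

      Running the audit over the constructed list flags four of the five accounts; the leetspeak variant fails only on the banned-word and length rules, which is why the normalisation step matters: a complexity rule alone would have let it through.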
    8. Re:I don't buy it... by thefogger · · Score: 1

      Erm... I'd like to know how you prevent people from using the "X"-Trick, do you mind telling me? It's not about security for me but about my parents. They're always confused when they accidentally hit Cancel and find a completely different desktop.

      --
      Um... I didn't do it!
    9. Re:I don't buy it... by Col.+Panic · · Score: 1
      I am only guessing, but it sounds like the "X" trick is hitting cancel on a win9x login screen? Win9x includes *no* security - does not require login, does not restrict filesystem access, etc.

      To secure such a system, you should, well - upgrade to NT or better still, some brand of *nix. To secure a win9x system you need to use a third party utility. Symantec used to have a product called "Your Eyes Only" which included a bootlock, passworded screensaver, multiuser password administration and encryption. It was pretty good, but was discontinued. If you have win9x and need security the only solution I know of is NAI's Corporate PGP desktop, but I would still upgrade.

  2. nArf?! by jgrumbles · · Score: 1

    DoD still runs Windows?

    1. Re:nArf?! by Evro · · Score: 2, Informative
      --
      rooooar
  3. Homemade Unix by Ashcrow · · Score: 3, Interesting

    A boss of mine a few years back was an ex-administrator on a private mil network. I picked his brain about some of the stuff and he explained that they use NT on the public networks (i.e. for email to friends and family and other trivial things) and a homemade UNIX version for their private/secure networks. Of course this was just for his area of the military.

    As for the DOJ, I met a guy who was arrested for cracking into it when he was 19. He explained that it is a lot easier than people think and he cracked it about 11 times before he was caught. He now works for a large security consulting group.

    1. Re:Homemade Unix by mischief · · Score: 1

      Isn't the Internet great? Even script kiddies can get jobs!

      --
      Everything I know in life I learnt from .sigs
  4. Typical useless gov't reports by baptiste · · Score: 5, Interesting
    Note this from the article:
    The grades are based on information the departments gave to the Office of Management and Budget (OMB). Under a new federal law, agencies must report regularly to OMB on their efforts to keep computers safe.
    Please - this was just an audit of what agencies SAID they did. Can you imagine the grade they'd get if they actually scanned the systems and networks for vulnerabilities? A monumental task no doubt, but still scary to contemplate.

    Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have speced out for them.

    1. Re:Typical useless gov't reports by DahGhostfacedFiddlah · · Score: 2, Insightful

      Yep - no "glory" cracking into a D- system.

    2. Re:Typical useless gov't reports by vanguard · · Score: 3, Redundant

      Please - this was just an audit of what agencies SAID they did. Can you imagine the grade they'd get if they actually scanned the systems and networks for vulnerabilities?

      Actually, I think you need to read the article more closely.

      The GAO routinely hacks into federal computers to test security and rarely fails. At the Commerce Department, for example, the GAO in August found some computers didn't require any passwords; some used "password" as the password; and entire lists of passwords were stored in plain view on the computers themselves. When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

      I'm pretty sure they didn't gather the "we keep passwords taped to our monitors" information through a form that the DOD filled out.

      --
      That which does not kill me only makes me whinier
    3. Re:Typical useless gov't reports by kir · · Score: 3, Interesting

      Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have speced out for them.

      I've worked for or with the DoD for the past 10 years (both as active duty AF and now as a government contractor) - the last 5 working in security. Unfortunately, it has been my experience that your statement is exactly what you said - imagined. (I can really only speak on DoD - The AF and some nameless joint commands in particular.)

      So many security problems exist at so many different levels, it's amazing no major infiltration has occurred (that we know about anyway). Sure, IIS web servers all over the DoD are being defaced, but this is small potatoes (and on par with the civilian sector). So many "mission critical" systems exist on the NIPRNET (Non-secure Internet Protocol Router NETwork - the DoD's chunk of the internet) with very very few competent administrators... it actually scares me. Patient tracking, Command and Control, Supply, Personnel, and etc. systems ride the NIPRNET. Glean enough information from these systems and you have the equivalent of classified information.

      I said so many problems at so many different levels - What am I talking about? Example: The basics are not being followed. User education is horrendous. I know I could walk into most any secretary's office and find his/her password in minutes. How? Look under the keyboard, inside the monitor's control panel door, under the coffee cup on the desk, inside the top drawer, etc. etc. "Who cares? It's just a secretary. She/He couldn't possibly have access to important information." Well, they don't give secretaries to just any grunt. She's probably the secretary to at least a Colonel (O-6) and she probably has access to his email. What's more littered with sensitive information than a Colonel's or General's email.

      Grab a phone book from any military facility (just look in the trash), get some names, call up the help desk. "This is Sgt Such-and-such... I've just locked myself out. I guess I've forgotten my password. Could you please reset it." "SURE. Your password is now P@ssW0rd. You'll be forced to change it when you next login." (YES, it really is this easy! - I know, I've done it during exercises.) Etc. etc. etc. Pick a basic security best practice and I can guarantee it is not being followed at most DoD installations.

      I've said this in many previous posts on /. and I'll say it again - MOST DOD ADMINISTRATORS ARE INCOMPETENT! The DoD isn't exactly paying top dollar for their personnel (that's why I'm a government CONTRACTOR not an EMPLOYEE); Training for the grunts is next to SHITE; and a complete misunderstanding of information security bleeds throughout the top brass in the DoD.

      It's pretty sad, but I keep banging away to make my little chunk of the DoD network(s) more secure. Wish me luck. I think I'll need it!

      --
      3cx.org - A truly bad website.
    4. Re:Typical useless gov't reports by Anonymous Coward · · Score: 0

      I work at a .gov site.

      Believe me, security is taken quite seriously where I work (where we have something worth keeping secret).

      A careful distinction is made between machines that belong to different classes of security.

      Believe me, anyone running nmap inside the firewall is guaranteed a visit from the computer security folks.

      Also, any dolts running IIS outside the firewall can pretty much be assured a visit by computer security, particularly if they've been hacked. (Even though what they have is not critical, the PR is always bad and bureaucrats hate to tell their political bosses something that looks like bad PR.)
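      The "anyone running nmap inside the firewall is guaranteed a visit" practice above only works if somebody has built the detection behind it. The following is an added example, not code from the poster or any agency, of the minimal logic such a detector needs: it parses connection-log lines and flags a source that reaches an unusual number of distinct host:port targets inside a short window. The log format, the addresses, the 6-target/10-second threshold and the log lines themselves are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed connection log in a simplified syslog-like format (assumed,
# not the format of any real firewall). The first source walks eight
# ports on one host in three seconds; the second is ordinary mail/web
# traffic; the last line is deliberately malformed.
SAMPLE_LOG = """\
2001-11-09T10:00:00 CONNECT src=10.20.5.17 dst=10.20.9.4 dport=21
2001-11-09T10:00:00 CONNECT src=10.20.5.17 dst=10.20.9.4 dport=22
2001-11-09T10:00:01 CONNECT src=10.20.5.17 dst=10.20.9.4 dport=23
2001-11-09T10:00:01 CONNECT src=10.20.5.17 dst=10.20.9.4 dport=25
2001-11-09T10:00:02 CONNECT src=10.20.5.17 dst=10.20.9.4 dport=80
2001-11-09T10:00:02 CONNECT src=10.20.5.17 dst=10.20.9.4 dport=110
2001-11-09T10:00:03 CONNECT src=10.20.5.17 dst=10.20.9.4 dport=139
2001-11-09T10:00:03 CONNECT src=10.20.5.17 dst=10.20.9.4 dport=443
2001-11-09T10:00:05 CONNECT src=10.20.5.30 dst=10.20.9.10 dport=443
2001-11-09T10:00:20 CONNECT src=10.20.5.30 dst=10.20.9.10 dport=443
2001-11-09T10:00:35 CONNECT src=10.20.5.30 dst=10.20.9.11 dport=25
2001-11-09T10:00:50 CONNECT src=10.20.5.30 dst=10.20.9.10 dport=443
this line is not a connection record and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) CONNECT src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(log_text: str) -> list:
    """Turn log text into (timestamp, src, dst, dport) tuples, skipping junk."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # a malformed line must not crash the detector
        ts, src, dst, dport = match.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def detect_scans(events: list, threshold: int = 6,
                 window: timedelta = timedelta(seconds=10)) -> dict:
    """Return {src: alert} for sources that hit >= threshold distinct
    (dst, dport) targets within any sliding window of the given length."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event[1]].append(event)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()  # oldest first, so the window can slide forward
        recent = deque()  # (timestamp, dst, dport) inside the window
        for ts, _, dst, dport in evs:
            recent.append((ts, dst, dport))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            targets = {(d, p) for _, d, p in recent}
            if len(targets) >= threshold and src not in alerts:
                alerts[src] = {
                    "first_seen": recent[0][0],
                    "triggered_at": ts,
                    "distinct_targets": len(targets),
                }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_scans(parse(SAMPLE_LOG)).items():
        print(f"possible scan from {src}: {alert['distinct_targets']} "
              f"targets between {alert['first_seen']} and {alert['triggered_at']}")
```

      The sliding window is what keeps the benign source quiet: it talks to two targets over a minute, so at no point does it have more than one distinct target inside any ten-second span, while the scanner crosses the threshold on its sixth connection. A very slow scan would need a longer window or a per-day distinct-target count on top of this rule.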

    5. Re:Typical useless gov't reports by dpplgngr · · Score: 1

      I'm developing an organization wide crypto management system for the NSA/USAF/DOD for my employer as part of a private contract. The security is piled on via air gap and the standard DOD secure communications networks. The software inside the airgap is not failsafe, and runs on top of Winders. Although clearance was needed to work on the project, the details of the project are not actually classified. Certainly there are less secure, less reliable applications used by DOD. The application handles critical data such as air unit comsec encryption keys and launch codes. It should be running on top of the most reliable kernel available.

      The evidence that some part of this system shows signs of complacence/ignorance frightens me.

      --
      --
    6. Re:Typical useless gov't reports by Syberghost · · Score: 2

      And furthermore, when their people come in and audit these practices, and report them as "unacceptable", there's often tremendous pressure (up to and including "change that to passing and sign it, or you're fired") to simply ignore it, report it cryptically or just plain lie, and go on with your business. Especially in the military, but even in the "civilian" agencies that should know better, such as NSA.

  5. Whoa. I almost fell over. by hool5400 · · Score: 0, Insightful

    Federal computers fail security tests? That IS news. This IS sarcasm.

    Is there still a person alive that doesn't realise that government computers are generally less secure than the mean? Complicated systems fused with apathy, ignorance and stupidity. It will nail you every time.

    --

    Remember, it takes 42 muscles to frown and only 4 to pull the trigger of a sniper rifle.
  6. This is pointless by haruharaharu · · Score: 4, Funny

    I hope terrorists that pose physical threats don't have any script kiddies in their arsenal

    So, Al Qaeda is going to deface the DOD's webpage? Who cares? The article mentioned the ever present password list taped to a computer, which would imply physical access. I doubt the average script kiddie has the social skills to get that.

    --
    Reboot macht Frei.
    1. Re:This is pointless by kraig · · Score: 1

      And what's to stop an Al Qaeda member, say, from getting a job with the DOD? I doubt they're going to check the box on their job application that says "Are you a terrorist, either in fact or potentially?"

  7. Are international hackers the greatest threat? by Tim_F · · Score: 3, Insightful

    I'm not sure I agree that international hackers are the greatest threat here. If I were the US government, I'd be more concerned about the American script kiddies (for example when the CIA site was defaced).

    1. Re:Are international hackers the greatest threat? by Broccolist · · Score: 1
      Although there are more script kiddies, I still think international hackers are the biggest threat to the government. All script kiddies can do is deface a few websites and cause some wanton destruction.

      However, spies could hack into the government to gain access to classified information, which is far worse. For example, imagine the Taliban finding out the next place to be bombed and evacuating in advance, rendering the bombings ineffective. That is much worse than a little data loss. Script kiddies wouldn't know what to do with classified information.

    2. Re:Are international hackers the greatest threat? by seann · · Score: 0

      yes, damn.

      Anti loss of life would be a terrible thing, aplath forbid.

      --
      I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
  8. It also doesn't tell WHICH computers. by Ieshan · · Score: 3, Insightful

    Personally, I don't buy the article because it doesn't tell which computers failed the tests. Somehow, I doubt there's any sensitive, highly classified information stored on 95% of government computers - most government workers simply don't have access to that type of data or knowledge.

    I'm scared at the fact that someone could report on this with so little attention to detail. It's an article simply designed to scare people into thinking that the US government isn't more prepared than they are.

    1. Re:It also doesn't tell WHICH computers. by Anonymous Coward · · Score: 0

      This is an ignorant statement. Being able to access a government machine connected to a gov net means that you now have access to the network; you can listen to conversations, you can remotely control the machine, etc. This is SOP for blackhats.

    2. Re:It also doesn't tell WHICH computers. by Col.+Panic · · Score: 2, Informative
      I doubt there's any sensitive, highly classified information stored on 95% of government computers

      Maybe not, but if there is a trust relationship among computers on the network and one is compromised, you have access to all of them. That changes your odds a bit.

    3. Re:It also doesn't tell WHICH computers. by GoatPigSheep · · Score: 1

      If they told us WHICH computers, how much you want to bet a bunch of kids and terrorists would try breaking into them?

      --
      GoatPigSheep, the 3 most important food groups
    4. Re:It also doesn't tell WHICH computers. by Anonymous Coward · · Score: 0

      That'd be pretty dumb, even for the feds.

      Inside Cheyenne Mountain the tech weenies there have two different computers. An NT machine hooked up to the public internet where they get their mail and d/l pr0n (j/k). Anything secret goes on a separate machine, which is attached to a separate network. There's no removable media drives on the "secret" machine, and when they go home at night they pop the hard drives out and put them in a safe. Until Al Qaeda comes up with an airborne computer virus, I'm not worried about secret data integrity.

  9. What do the grades mean? by recursiv · · Score: 2, Insightful
    Without a specification of what these letter grades mean, this is all fairly meaningless and subjective. A 'C' could mean anything.
    An 'F' is the worst possible grade, so does this mean that there is no possible way for those agencies to have done worse?

    I found the results from last year here. It's interesting that it was released on September 11 2000.

    --
    I used to bulls-eye womp-rats in my pants
    1. Re:What do the grades mean? by mrzaph0d · · Score: 1

      Yeah, I've heard of some letter grade systems (used by companies, not schools or anything) that use more than just A-F, I think they go up (or down) to H or so, in which case the gov't systems getting an F wouldn't be as bad (still bad, just not as bad) as we think.

      --
      this is just a placeholder till i send back my real sig from the future.
    2. Re:What do the grades mean? by GospelHead821 · · Score: 1

      I don't think that a grade of "F" means that the security risk couldn't get greater. I think it means that at that point, the risk is deemed unacceptable and it doesn't matter how unacceptable it is, it needs to be fixed. I'm sure that specific reports are freely available to the departments themselves, but that to the public, only the letter grades are released.

      --
      Virtue finds and chooses the mean.
      Aristotle, Ethica Nichomachea
    3. Re:What do the grades mean? by Anonymous Coward · · Score: 0

      The results from last year make a lot of sense.
      Consider the military: there are millions of soldiers that only know where they're stationed who probably have access to a LAN to access e-mail and other trivialities. Especially those living on base, they probably buy a computer then get high speed internet access at low cost, but just like any average person those systems are probably sorely lacking in any security.
      Now the Social Security Administration: those workers have access to social security numbers and other personal information about millions of Americans, because they pretty much have to, and since social security records can be so dangerous it's pretty clear that their computer systems have to be a lot more secure, and since the workers don't live on site they get their internet access like anyone else would, and don't compromise the 'security' of the network the way on-base soldiers would. Of course, like I previously stated, an average soldier doesn't know jack in the way of government secrets. If they do know any secrets they would have a higher rank, and would probably have more security based on how important the information they were trusted with was.

      Keep in mind how bad the military has been at keeping strategic plans from being published by the press, which the 'enemy' could easily find by tuning in on the satellites broadcasting the TV signals globally, too. All things considered that is a much bigger risk than 'hacking' because if the enemy knows what we're doing in detail they have more time to strategize against it.

  10. Not really by recursiv · · Score: 1

    There is potentially more at stake here than their website. For all we know, sensitive data could be vulnerable.

    --
    I used to bulls-eye womp-rats in my pants
    1. Re:Not really by haruharaharu · · Score: 2

      Let's hope they don't run IIS on computers with classified data, or at least don't connect it to the public net.

      --
      Reboot macht Frei.
  11. Vulnerabilities by Rebulator · · Score: 4, Informative

    It's been known for quite some time that government agencies are quite an easy target. The fact is, most agencies are not centrally controlled as to what software they need to run, much less what service packs/security patches that need to be installed.

    I was on an independent team to go over several different agencies' policies and security models concerning the Internet, and this is what we found.

    1) Most of the time we could find a vulnerable host on a network to exploit from the Internet with an off the shelf exploit.

    2) The hosts and their networks usually tend to not have much information worth a terrorist's time. I'm not saying that this is an excuse, merely pointing out the fact that if they're running a default install of IIS4, most of the time there isn't much on the network worth the time invested.

    3) Most networks with something worth looking for, have some levels of security in place.

    All of that said, I can assure you that most skript kiddies (the ones that posted to attrition.net, etc) don't have the knowledge to gain access to anything more than a default install on a jpl or nasa.gov host.

    Reb

  12. scoring system? by BigBir3d · · Score: 2, Interesting

    Does 'F' imply no password protection?
    Does 'D' imply posted password?
    Does 'C' imply password?
    Does 'B' imply encryption?
    Does 'A' imply near perfection?

    I presume an 'A+' is un-obtainable. If it has a way in, then, can't it be cracked?

    1. Re:scoring system? by Proteus+Child · · Score: 1
      I presume an 'A+' is un-obtainable. If it has a way in, then, can't it be cracked?

      If it's airwalled. *grin*

      --

      Proteus' Child

      Doko ni datte; hito wa, tsunagette iru.

    2. Re:scoring system? by Zalgon+26+McGee · · Score: 1

      Even that is inadequate. Airwall plus TEMPEST, perhaps.

      --

      ---

      Book(n): Utensil used to pass time while waiting for the TV repairman

    3. Re:scoring system? by Proteus+Child · · Score: 1
      Even that is inadequate. Airwall plus TEMPEST, perhaps.

      I think that would depend on exactly where the systems were located.. doesn't TEMPEST work only under a certain distance? Beyond that, the signal strength would degrade, I thought.

      --

      Proteus' Child

      Doko ni datte; hito wa, tsunagette iru.

  13. Lets just hope it doesn't go down like this by redhotchil · · Score: 5, Funny

    ::strong arabian accent::

    Hello, sir, um, secretary, sir, um, could you, um, read the words taped onto your screen?

    "k5jd930d03DfA"

    Praise Allah!

    *click*

    1. Re:Lets just hope it doesn't go down like this by Trollificus · · Score: 1, Funny

      Or better yet, imagine the secretary getting an E-mail saying that AOL is running scans of its IM network and needs every user to send their nuclear database passwords to x E-mail address.
      Hey, it's been done before!

      --

      "People should be allowed to keep midgets as pets."
      - Gov. Jesse Ventura

    2. Re:Lets just hope it doesn't go down like this by Anonymous Coward · · Score: 0

      Troll or not, he's still right.

    3. Re:Lets just hope it doesn't go down like this by srvivn21 · · Score: 4, Funny
      From reading the article, it looks like this might be more accurate:

      ::strong arabian accent::

      Hello, sir, um, secretary, sir, um, could you, um, read the words taped onto your screen?

      "P-A-S-S-W-O-R-D"

      Praise Allah!

      *click*
  14. Think about it. by Anonymous Coward · · Score: 0

    Of course they don't want to publish the details of the tests they ran. Don't be daft. Talk about a recipe for hackers that want to exploit the holes. Get Smart.

  15. It must be a mess by Quizme2000 · · Score: 3, Interesting

    When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

    This makes it apparent that the IT department is extremely mismanaged. Standards and procedures for dealing with hacker attacks, critical loss, and computer abuse are the core requirements of any IT support. I'm guessing that a lot of gov't computers have access to the internet that do not require access for their job function. Every terminal that's connected is a security risk that must be addressed. Probably set up by a very underpaid gov't worker that was "trained" in a day.

    --
    "Get them before they get....
    1. Re:It must be a mess by Anonymous Coward · · Score: 0

      Probably a bored admin not caring who he flood pinged in return for an unprovoked scan. Or maybe he just blackholed the bastards and they cried foul: he gets an F.

  16. I work at a school by BlueboyX · · Score: 2, Insightful

    I do volunteer work at a local elementary school. I have been helping them repair computers that got damaged due to renovations during the summer and weird things the teachers do.

    Now, teachers are somewhat educated people. You can't just instantly become a teacher (as you could get some other bureaucratic positions) yet they are technophobic or just plain computer illiterate. Heck, I have to help them set up their VCRs! The extent of computer security that they can handle is putting a password on the Accelerated Reader program so that kids don't change their grades.

    These people are not stupid or ignorant in general. They just know jack about computers. If these teachers, being more educated than your standard bureaucrat might be, can't deal with computer security then how could a standard bureaucrat be expected to?

    Government systems administrators? School networks don't have system admins. They have librarians that know a little bit about computers. That is who will be maintaining the network at the school I volunteer at when I eventually leave. As far as I can tell, they never have had a dedicated computer person in the entire school district who maintains these systems. I know there is a woman in the district who is going to be working on installing more computer equipment, but fixing things doesn't seem to be a normal part of her job.

    Just putting things in perspective.

    --
    "Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
    1. Re:I work at a school by Heem · · Score: 2

      I do volunteer work at a local elementary school. I have been helping them repair computers that got damaged due to
      renovations during the summer and weird things the teachers do.

      Now, teachers are somewhat educated people.

      I work for a large bio-tech company. Most of the company has at least one PhD. But yet I still have to make sure that their computer is plugged in. Some even send their passwords in plain text email to me if they have a problem. That doesn't mean that they are not smart. They are each VERY smart in their own field, the nation's leaders. I can't expect them to be even the slightest bit knowledgeable in MY field, or else, let's face it, there would be no need for an IT department at all, they could do it themselves, and we'd all be out of a job.

      If a security audit came through on the day that Person A sent me their password in an email, and person B managed to run and install a program that offers up a backdoor, no matter how good OUR security and policies are, we would just have failed.

      --
      Don't Tread on Me
  17. But the important stuff is well protected... by imrdkl · · Score: 2
    Kept in deep caves, as I understand.

    Once in awhile we have to upgrade the older versions, in which case the older stuff is simply destroyed and replaced with newer operating systems, and operators.

    Microsoft should be so pragmatic.

    1. Re:But the important stuff is well protected... by Anonymous Coward · · Score: 0

      The important stuff is on secure networks, separate from the web

  18. Still looking for the.. by GISboy · · Score: 1

    "any" key, which knowing the government, probably is listed under the 500 dollar hammer.

    I hate to rag on government employees (in some respect I "R" one) but we are not talking about the best and the brightest in the business.

    Most are administration, working joes/janes who just want to do their job...not unix/window/computer security professionals.

    Does the "F" surprise me? Nope. Can this be improved...oh yes it can. Of course the optimist in me (and the cynic, too) thinks everything above an "F" is an improvement, and I'd be right.

    Let's just hope they don't discover the wonders of Passport because knowing how secure Passport is and the grade they made it would probably be best not to see "if it can get any worse".

    My Humble Opinion.

    --
    If it is not on fire, it is a software problem.
    1. Re:Still looking for the.. by kawaichan · · Score: 1

      Hey, probably not that hard to go back up when you hit rock bottom

      --

      kawai
  19. What kind of counterattack? by kindbud · · Score: 4, Insightful

    When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

    I wish they had defined "illegal, electronic counterattack." What exactly did he do? I bet he did just what any one of you would have done: he performed a portscan to see if there were any open ports suggesting a compromised system.

    --
    Edith Keeler Must Die
    1. Re:What kind of counterattack? by rockwood · · Score: 2, Insightful

      I would assume 'illegal' to mean "...against agency policy..." The employee most likely took personal responsibility for counter-attacking a supposed hacker instead of reporting to the proper departmental channels. In which case (if it were a real hacker and not an internal test hack) the employee could have compromised more of the system or tipped off the hacker that they were noticed, causing them to leave and the security department having to deal with the remains of a hack rather than monitoring and tracing a live/current hack. Or causing the hacker to freak and cover his found tracks radically by taking down entire systems.

      I too would have been interested in knowing the guidelines for these grades. Prior to 9/11/01 it is possible that the systems were looked at in a much less crucial manner, whereas after 9/11/01 those reviewing the systems may have been much more critical. This would cause the grades to drop when the systems actually remained at the same level of security. - Henry Smith

      --
      Never try to beat a professional at his own game!
  20. Be careful by Kiro · · Score: 3, Insightful

    The FBI and CIA have been known to do turnabouts on hackers. Just ask Max Vision. The gov't fought long and hard to demonize and criminalize even the whitest hats of hacking, and Ashcroft's pushing to get them labeled as terrorist acts on top of that.
    The DoD's had its fair share of smudged histories. Be Alert. Keep your pistol handy.
    Yes, you can be useful in combating terrorism. Just make sure you know where the line is getting drawn and be on the correct side of it.
    And realize that some of combating terrorism may go against projects you've been supporting, like anonymous remailers, strong crypto for everyone, anti-censorship protections, and the elusive set of projects working to enable dissidents in countries such as China to safely communicate with the outside world. These and other tools can also be used by the bad guys, and will no doubt become targets.

    1. Re:Be careful by BrookHarty · · Score: 3, Insightful

      Good example: the CIA armed and gave billions to Afghanistan to fight Russia. Now some of those Afghanistan rebels/terrorists are armed and well funded by the USA.

      Good intentions can turn around and bite you on the ass.

    2. Re:Be careful by Anonymous Coward · · Score: 0

      "strong crypto for everyone" - damn right! Freedom of information and privacy should be without limitation. Trying to restrict others' freedoms based on your own beliefs only creates more problems.

      Any project, object or idea can be used by a terrorist, dissident or your own government for less than ideal results, so getting upset over not being able to read other people's email misses the point.

      Just make sure you know who the "bad guys" are, eh? Who knows, you might be one of them and not even know it.

  21. Management style... by GISboy · · Score: 2, Interesting

    Anyone old enough to remember various management styles would probably refer to this as the "Open Door Policy".

    In my brief stint at a Panasonic refurbishing depot, the management there also had the same policy.

    "My door is always open, as long as you never walk in, it will remain so."

    "First rule of management: EVERYTHING is your fault" --Hopper, A Bug's Life.

    (note: misfiring neurons due to my son startling me awake at 5am. sigh.)

    --
    If it is not on fire, it is a software problem.
  22. Shouldn't there be a filter against this? by Amiasian · · Score: 1, Interesting

    OK, you know .. if there was some sort of grammar-recognizing Perl or CGI script that could link to a dictionary. Something that gives the basic structure of an English sentence, and if something violates that structure it doesn't get posted. *shrugs* But I'm not sure if that would work.

  23. An observation by Chardish · · Score: 1

    Does anyone find it odd that Microsoft has more security measures on their internal processes than the Department of Defense?

    Seems to be indicative of Microsoft's sense of self-importance and the DOD's sense of self-security...

    -Chardish

  24. Self-Reporting Poor Grades by winterstorm · · Score: 1

    If indeed these grades are based on self-evaluation reporting then it is possible that the agencies in question reported terrible problems in an effort to gain additional financial resources. I believe the fact that they reported poor performance to the Office of Management and BUDGET is in line with such a theory.

    Perhaps in effect they said, "We dunno nothin' 'bout dem puters securin matters. Duh. Maybe you give us money to get dat der schoolin? Or maybe we could hire someone whats smarter 'en us?"

  25. Doesn't surprise me but... by Mashiki · · Score: 2, Interesting

    A few things come to mind. They need to be more worried about dumb ass script kiddies; even an idiot can run a program and do something. Crackers would be their next likely problem. If they want some help, I'm sure there are many hackers that would jump at the chance to work for them. It is a tough time in the technology field, right? Besides, who is more likely to know about all the exploits? Crackers for sure, but a very good chance that it is the hackers who were the people that originally found the exploit.

    We don't have our noses buried in books and reading the "latest and greatest" security information for no reason.

    --
    Om, nomnomnom...
  26. Iraqi Geekettes by Baldrson · · Score: 2
    After operation desert storm, where Iraq basically just took a big chunk of their young male population out for incineration, there are probably a number of Iraqi women looking for husbands. This means many of them will end up being geekettes.

    Now, we all know that geeks don't like girls except for the electronic kind so there is no danger of Iraqi geekettes showing their favors to Western geeks thereby offering them a better deal than they have gotten in the West -- particularly not when the likes of Jon Katz are granting the Western geeks the favor of writing stuff about the wonders of globalization of the West at which geeks are allowed to gawk for simulated exhilaration.

    1. Re:Iraqi Geekettes by Anonymous Coward · · Score: 0

      After operation desert storm, where Iraq basically just took a big chunk of their young male population out for incineration, there are probably a number of Iraqi women looking for husbands. This means many of them will end up being geekettes.

      Wrong. They would have to teach women how to read, let alone teach them computing.

      Chao

    2. Re:Iraqi Geekettes by Baldrson · · Score: 2
      I said: After operation desert storm, where Iraq basically just took a big chunk of their young male population out for incineration, there are probably a number of Iraqi women looking for husbands. This means many of them will end up being geekettes.

      Something replied: Wrong. They would have to teach women how to read, let alone teach them computing.

      Oh, but of course -- how could I have overlooked the fact that the Iraqis have no biological weapons programs... and even if they did, Western geeks are, as we all know, so demanding in the standards they apply to females they would deign to touch that they would insist not only on literate girls fawning over them as they program Perl or play Quake III -- but on girls who look like Lara Croft and can whip out a buffer-overflow exploit after hot sex and show it to him for his approval before the geek falls asleep.

  27. yeah by BlueboyX · · Score: 1

    At a school I volunteer at, they are still running Win95 and Win3.1. Nobody has talked about how they are going to maintain the new LAN; nobody on site knows a whole lot about computers (myself excluded, but I am not an employee). Security patches are a non-issue; they aren't even being considered. There simply isn't anyone there to do it.

    This area is powered by old hydroelectric generators; we get significant spikes daily. This school was barely able to scrape together the money for surge protectors. They plugged their computers straight into the wall before they got some. They will be lucky to get security patches every few years.

    If they could barely handle the one-time expense of getting surge protectors, they certainly aren't getting any tech people any time soon.

    On the other hand, there isn't much people would want. Other than elementary level skript kidz trying to mess up the school's computer for fun, they don't really have a lot of security concerns. Terrorists aren't likely to attack these machines, and if someone does get in the worst they can do is make the network unusable for a while.

    At least, that is what everyone hopes.

    --
    "Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
  28. F is for Federal by Alien54 · · Score: 2
    I can't believe that they could have scored at F on any security test. Am I naive?

    F is for Federal

    It is also for fixed ideas, fubar, etc. Very simply, if you think you have the answers, you will not look in the right places.

    Which is why you get situations like that.

    Fortunately, or maybe not so fortunately, a lot of terrorists are not so interested in computer stuff as tools for their actions. They are more into things that go boom.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  29. mmmm....pizza... by allism · · Score: 1

    Actually, if you carry a clipboard and act like you know what you're doing, or carry a pizza delivery bag, you can get in just about anywhere. There was an article a few weeks ago here talking about just that.

  30. big deal by Anonymous Coward · · Score: 1, Insightful

    I contracted for an audit department for the DoD and they had nothing but accounting on their computers (Novell and Windows). Big deal, are people going to hack in and see what they are paying their various contractors? I'm sure that the stuff that should be really secure IS really secure.

    1. Re:big deal by Anonymous Coward · · Score: 0

      it is

  31. The SSA by RageMachine · · Score: 5, Insightful

    I did a small job working for Compaq installing NT4 boxen for the local SSAs (Social Security Agency)(s). They used a Centralized NT 4 server with SP3 (Yes, service pack 3) and the administrator password was... get this... "password1". The client machines logged in to the PDC on a TokenRing network which took minutes just to download a 50k profile. The man who was in charge of all of this was being overpaid, since I could tell that some of these older machines still had virii on them. :\ and the server crashed twice because of a tokenring bug in service pack 3, and they didn't know what it was, nor did they know that SP6a was available. The assistant didn't even know what Windows2000 was, much less BSD/Linux.

    Yes, the government does have very terrible security. I thought our tax dollars were paying for more than this? I'm not bashing, or trying to be a troll, but wouldn't some form of UNIX like BSD, or Linux reduce our tax rates, providing the admins know how to use it? I know they are paying thousands just for that ONE NT4 server running on a Pentium Pro 200, with 128MB RAM.

    --

    --------------------------
    Is this a sig?
    --------------------------
    1. Re:The SSA by Anonymous Coward · · Score: 0

      It wouldn't matter because the salary for a "well trained" admin would be more than the cost of the software.

  32. Systemic Problems by Marcus+Erroneous · · Score: 5, Insightful

    Having worked for the government for awhile, both in and out of the military, there are several insights for that part of the network. For awhile, the official architecture was Windows NT. Regardless of its strengths or weaknesses. We were using Novell at the time and under constant pressure from on high to get with the official architecture. Fortunately, my boss was more concerned with costs and effectiveness than official position. However, security wasn't an issue. Even in '98 we didn't have a firewall and the director didn't see the need for one. And since he didn't see the need for one, there wasn't going to be one. Only secure networks were using firewalls, and they weren't using NT for that. You might say, "I thought you just said the official architecture was to use NT?" and you would be correct. But even MS couldn't overcome the obligation for classified networks to look at security and stability first and evangelism second. The firewalls were manned by *nix boxen or other platforms and people that knew how to configure them.
    Another problem is the civil service. You can have someone rise from a computer background to head a major department responsible for all IT and Telecomm issues that can barely use an e-mail client and can't explain one difference between ISDN and POTS. Then, they hire based on longevity. If you show up with the qualifications for a GS-9/10/11 position but haven't been in civil service, don't even think about it. Come in as a 4 or 5 and work your way up. Those inside the system feel that the higher position should be theirs by virtue of having "put in their time". Promotions should be based on how long you've been in the system, not whether or not you can do it. My wife, who was in the civil service, was once warned not to even think about applying for a specific position. Despite having a degree in the field and current certifications (medical field where those things frequently mean something) she hadn't been there long enough to deserve to apply for it. The woman who warned her used to have current qualifications, but had stopped bothering to stay current over 10 years ago. Nor attend any sort of training or classes to at least stay up on developing techniques. Not smart in any field. This sort of personnel system doesn't encourage people to stay or even to try to hire on. At this particular installation, those of us that could move on, did. Oh, did I mention that the pay isn't one of the more enticing features? I started at a large corporation making more than the director of that organization. Not that I make that much, they make that little.
    Let's see, forced system architectures from the top down. A system that rewards longevity at the expense of competence. No central policies to control and/or coordinate at the command level, let alone service level, let alone within the civilian side of the house. And an incredibly low pay scale. I can't imagine why there would be any deficiencies. The good news is that there still exist some competent, dedicated people within this structure. Which is why any of the networks and/or machines passed at all.

    --
    You must be the change you wish to see in the world - Gandhi
  33. Waddaya mean password is a bad password? by raumdass · · Score: 4, Insightful

    Anyone who has put in a few years doing IT or security at a big organization (University, large corporation, whatever) can attest to the fact that the people who are ultimately in charge of the Big Security Decisions (i.e. the ones that can write the checks or sign-off on policy) are often the ones that have the least clue about it. They don't see the "Bad Guys" parked outside with their tools and getaway cars, waiting to break in while you're not looking, so they think worrying about security and user education is either a waste of time and that you're too paranoid for always talking about "security", or they've bought whatever line they were sold by whomever sold them the promise of "security" and delivers instead a world of Macro Viruses and Code Red worms.

    While I have to believe the "really important super-secret stuff" is kept safely locked away by geeks wiser and smarter than us, it cannot come as a surprise that the state of government computer security is about the same as security on the internet at large... it mostly sucks. Why? We can blame the software companies that release easily exploited code, and maybe we should start making them more accountable, but as long as people keep picking dumb passwords, administrators keep letting them, and they in turn keep following poor practices (fricken clear-text password lists!?!), then this is what happens.

    1. Re:Waddaya mean password is a bad password? by jallen02 · · Score: 1

      There is a duty for the people who can decide on security policy and pay checks to realize a few facts about IT security. While the best security may not always be affordable, just understanding that each node on the Internet is a possible "bad guy" with tools and a getaway vehicle. The bad guys are everywhere and anywhere and you just can't ever know.

      Jeremy

  34. What if... by ZaneMcAuley · · Score: 1

    What would you do if some group offered you to perform some hacking job for a silly amount of money and you needed that money for survival (food, etc). Would you choose morals over survival if the hacking job didn't harm lives and was just some sort of DoS?

    If it involved lives I'm sure morals would win in the majority of cases.

    But what if...

    --
    ----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
    1. Re:What if... by BlueboyX · · Score: 1

      "If it involved lives I'm sure morals would win in the majority of cases."

      Let's continue that scenario a little.

      If it involved terrorists trying to get in DoJ computers, the choice is probably 'do it or die.' All they have to do is find one nerd who feels his own life is more important than the DoJ computer system and they are in. Doesn't sound too hard...

      --
      "Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
  35. The reality check by Anonymous Coward · · Score: 2, Interesting

    I am currently a sysad for a small military unit that has 3 WinNT servers (one PDC and 2 BDCs) using MS Exchange 5.5. I have done all I can to lock/patch these monsters down, but it seems like every damn day I am patching this, reinstalling SP-whatever on that. As long as they rely on MS software, it is always going to fail. I have been screaming about getting a firewall for months and months now, but they just look at me and tell me "We don't have the money yet." DON'T HAVE THE MONEY YET!?!?!?! THIS IS THE FRICKIN' DoD WE ARE TALKING ABOUT! I have seen them waste more money on building electro-conference rooms and overhead projectors for useless cheese slides! My nets get scanned by outsiders at least 3 or 4 times a day, and that is only because I HAVEN'T had them registered in the .mil DNS system. If I did, the number would go up.
    The Emperor has no clothes, gentlemen, and I have no sympathy for ANY Government network that gets hacked, when it could have been prevented.

  36. That's bad news... by agdv · · Score: 1
    Federal Computers Fail Hacker Test

    Damn. I knew computer AI was not advanced enough to simulate real intelligence, but I thought by now computers would be smart enough to pass a hacking test, since the pseudo-intelligence required to perform as well as script-kiddies is so low. But some Israeli firm even claimed to have a computer which was as smart as a 2 year old. I guess give that child/computer 10 years and we'll be there.

  37. The report itself by jamie · · Score: 3, Informative
    Here's the presentation by Robert Dacey (Director of IS Issues at the GAO), which the AP story references. Always more enlightening to go to the source:

    http://www.gao.gov/new.items/d02231t.pdf

  38. Man, by Anonymous Coward · · Score: 0

    those are worse than even my mid-term grades!

  39. Skript kiddie weapons? by 7608 · · Score: 1

    Yeah, I'd probably stick them into the firing chamber and lob them at the enemy too... that's about all they're good for.

    --
    Trapped in Time... Surrounded by Evil... Low on Gas.
  40. other, uh, more important agencies ... by Anonymous Coward · · Score: 0

    were the NSA and DISA included? what were their scores?

    n/m ... that's probably classified

  41. Federal courts by dillon_rinker · · Score: 2

    This doesn't surprise me a bit. I work for a law firm that does a fair bit of work dealing with Federal courts who REQUIRE electronic filings. You can't submit a brief or pleading on paper; you have to submit a .PDF file of the document to the court through their web site.

    Guess what systems have been widely infected by Code Red. And Code Red II. And NIMDA. These are organizations who are expected to serve a public trust, and who are DEPENDENT on their web servers to stay up. Not only do they fail to keep up with security patches (Code Red), they fail to apply patches when it becomes obvious they've failed to do so (Code Red II). They don't even apply patches or take servers offline when they've been rooted (NIMDA).

    I couldn't figure out where all the Code Red etc. worms were still coming from until I discovered this while working with an attorney to file a brief with an infected court system. Your tax dollars at work.

    1. Re:Federal courts by blur00 · · Score: 1

      I would just like to add some insight to this.. I work for the Federal Courts in Systems, and while I know that all of the districts are not like this, ours is very secure compared to what I've heard described. Our users run 98 through Novell, but everything is behind a firewall. For our servers we run a combination of Novell and Unix/Linux. We are very security conscious about anything that happens, and our main sysadmins don't let anything even potentially compromising through.. as I'm just near the low end of the totem pole, I don't know the specifics of all the setup, but everyone has current certifications on everything they do, and for the most part knows what they're doing. So not *ALL* government systems are bad.... maybe just most of them. :)

  42. Real Terrorists by Dave_bsr · · Score: 1

    I don't know for sure, but I would guess most terrorists are more interested in blowing people up than hacking. Kiddies and pranksters hack. Terrorists kill people. This isn't a tough one.
    Now, if you are Education or Social or etc, that's fine. But what about Defense...that could hurt when someone finds a backdoor into weapons orders. Or Transportation...or just general integrity of systems. A good hacker that took out major Fed networks could cause major chaos, and open the door for terrorists. But Al Qaeda is never gonna post to a newsgroup that they hacked the DoE's computers. Or anything like that. They don't care. They want death. So I'm not too worried about terrorists...just idiots.

    --
    Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
  43. And then to the masses! by rockwood · · Score: 1

    An even more possible threat of this would be the after marketing.

    If a hacker were to access the Gov systems, extract the information they wanted and then, with the increasingly more intelligent virii/worms being developed, attach the information to a worm and set it loose in the wild. The virii/worm wouldn't even need to be malicious. Imagine the ramifications of someone obtaining 'real' governmental Area 51 information or President Kennedy assassination cover-up documentation and distributing it.

    The information alone could cause a government break down from within the US and distrust in our leaders.

    The potential problems of anything less than an A+ could be severe! - Henry Smith

    --
    Never try to beat a professional at his own game!
  44. comp.risks, FAA asleep at the control column by Anonymous Coward · · Score: 0

    Found some interesting SPAM coming from FAA.GOV. The machine was running MS software of course, and was in an RBL list, so had probably been active for awhile. I noted that the FAA is running IIS for their webserver as well. While warning one of their representatives of the problem by phone, they mentioned that they didn't believe Linux had proven itself enough...

    I've also seen SPAM from .MIL domains. One wonders how weak the security is on those email relays...

    http://catless.ncl.ac.uk/Risks/21.73.html#subj1

  45. F is for ... by blang · · Score: 2, Interesting

    Freedom of Information. For once, the feds have chosen the most efficient way to implement something.

    --
    -- Another senseless waste of fine bytes.
  46. I can't say I'm suprised... by SupaYoda · · Score: 1

    It's a well known fact that the Department of Defense is pretty high on hackers' hit lists. I think it's up there right under AOL and Microsoft.

  47. Really!? by AMuse · · Score: 2

    Holy crap, man! How insecure federal government computers, along with AOL and other huge companies, have shown to be! It almost makes me think that it's *difficult* to completely secure an entire /8 subnet when you have tens of thousands of employees responsible for different pieces of it.

    My guess is, they may have hacked into a few desktops running winders, but getting into shell.int.us.mil is still relatively difficult.

  48. This is surprising why? by phillymjs · · Score: 2

    Likely the most sensitive sites are built on some custom UNIX stuff, but isn't a good portion of the U.S. government simply standardized on Microsoft products?

    Well, when you're tapdancing through a minefield, you shouldn't be surprised when you wind up legless.

    ~Philly

    1. Re:This is surprising why? by wadetemp · · Score: 1

      I don't think so. In the area I worked (USDA) there was computing WAY before MS. And since most people don't like change, it stayed that way even into the early 90s. Only during the past few years have they pushed for "desktop" machines... even when I worked there (97) a lot of work was still done through remote X to a set of AIX servers... even with all the difficulty they had keeping them up, people continued to insist on using them. That's another story. :)

  49. Take it from someone who is in a GAO audit. by as0k · · Score: 1

    I'm currently a Network/Security Engineer for one of the larger DOD networks (approx 10th largest Class B network in the world). Since I've started working here, I've realized a lot of things that are slightly disturbing about the way security is managed. I have had my boss tell me that he didn't care if a new business process would completely undermine our security infrastructure as long as the users don't have to log in a second time. The point I'm trying to make is that there are a lot of very intelligent and hard working people in the federal networks. The problem is a management system that promotes 'appearance' over 'reality'. If we had our way and had the authority to enforce our security model on all of our sites our network would be tight as a drum. One thing to note though. When the GAO did audit our security, they weren't able to get far enough into our network to even perform basic mapping. On top of it, they whined when we blocked them after detecting the attacks on our IDS consoles. I guess the moral is, you can bring your manager a cup of water, but you can't make him drink it.

    1. Re:Take it from someone who is in a GAO audit. by Anonymous Coward · · Score: 0

      Good for you.
      The GAO sound like they want to crack you to continue to crack you and not fix a da** thing.

  50. Minor Nitpick by Anonymous Coward · · Score: 0

    10th largest Class B network in the world

    Umm, last time I checked, all Class B networks were exactly the same size.

    Or did you mean "class B network with the 10th largest number of active hosts?"

  51. Typical! by peanutmunkie · · Score: 1

    Yeah.. but then again.... It's always been a fact that the Yanks can't keep a server secure to save themselves. How many times have you seen a server attached to the UK government being hacked? Answer = twice. How many times have you seen a server attached to the US government being hacked? Answer = EEEEK!!!

    1. Re:Typical! by Anonymous Coward · · Score: 0

      A quick search on alldas for defacements of sites ending in .gov.uk turns up 43 hits, 38 of which were logged in 2001. Now go and take your medication.

    2. Re:Typical! by Anonymous Coward · · Score: 0

      305 for .gov

      what's that? about 700% more?

    3. Re:Typical! by halivar · · Score: 1

      Well, maybe that's 'cuz our government websites are 700% more interesting than yours... Mmmm... government websites... mmmmm.... (drools)

  52. Demonizing Government IT? by Storm · · Score: 1

    You know, as a security engineer laid off from a telecom recently, I think there is an interesting perspective here. I don't know when the report was written, but if you remember, the government spent the past three or four years prior to this preparing for Y2K. These same folks gave most of the government F grades on their Y2K preparedness, but come 1 January, 2000, the government computers didn't shut down, nuclear reactors didn't melt down, aircraft didn't fall out of the sky and the air traffic control system didn't go off the air.

    Now, in the post-September 11 landscape, this report hits the streets. Do you think the GAO had time to go and do a complete survey in the last two months? No. The legwork for most of this report was probably done this year, but I think the government's views have changed, at least on the higher levels, since 9/11.

    Are there still sites which put their password list within view of the computer? Yes. Are there lazy or slothful admins in government service? Yes. Are there good and secure networks within the government? Absolutely. Are there similar problems in the civilian market? You betcha.

    As I said, I was laid off from a telecom. I have seen, since 9/11 that the government is hungry for security folks. The civilian market seems to be taking the approach that if they don't change the status quo, they are safe. There has not been much change in the requirements for security folks, where the government has seen the light.

    The other thing I have seen is that your biggest problem is with upper management when it comes to security. Even if they do sign the checks, they are also the ones who feel that the rules don't apply to them. They think that it's the rank-and-file's problem, and that they are above the law. User education is hardest in dealing with upper management.

    All in all, I think the government is moving in the right direction. I wonder about industry...

    --
    --Storm
  53. Password plainly visible, yet fairly secure by Anonymous Coward · · Score: 0
    This one occurred to me recently. I carry a difficult-to-remember password on a little card in my wallet, BUT I remember a scheme for entering the characters written down in different sequence from simple left-to-right. For instance, using "brightly", you could enter "ytlhgrib". Add unknown duplicates, and you're slightly more secure. Even if a kibitzer is watching, you might still be somewhat secure. (Of course, in that case, change it asap.)

    The USA seems to be characterized by a fanatical stubbornness about avoiding placing effective security in place.

    Enby in Waltham

  54. timothy, timothy by SecretAsianMan · · Score: 2
    I quote the article's title:

    "Federal Computers Fail Hacker Test"

    Don't you mean 'cracker test'?

    (Woot, now my /. purity value will go down even more, since I've now explained the difference between 'hacker' and 'cracker' to a member of the press!)
    --
    Washington, DC: It's like Hollywood for ugly people.

    1. Re:timothy, timothy by Antibozo · · Score: 1

      There is no difference between hacker and cracker, although if you use cracker, most non-geeks will think you're talking about a saltine.

      The language changes, ESR notwithstanding. Get over it. There's nothing sillier than geeks trying to be pedantic about usage. (Oh, and let's not forget what a geek is.)

  55. Idiots, funding, NASA, and tiger teams by Anonymous Coward · · Score: 0

    1. Would the idiots who keep saying things like "there's nothing but accounting data on these systems and the important stuff is safe" please make an emergency appointment to see the clue fairy? The kiddies don't know what's on the system till they break in, and they don't want your lame secrets, anyway. What they're looking for is lots of bandwidth so they can blow some other idiot off of his IRC server. A few of them also want to smear some unsuspecting web site with an ill-conceived political message or a pathetic declaration of unrequited love. The point is that the vast majority of compromises are frivolous pursuits, and it doesn't matter whether the victimized system is serving some sensitive function. These kids are scanning whole class Bs -- do you think they have any idea what they're hitting?

    2. Congress refused to approve computer security funding requested by some government agencies (notably Commerce) last year. The GAO is a branch of Congress, not of the executive. You connect the dots.

    3. What ever happened to the $2 billion proposed by Clinton in January 2000 for combating cyberterrorism?

    4. Isn't it ironic, Alanis, that NASA got relatively high marks and has suffered two web defacements in the last two days?

    5. The GAO, like any government organization, must be extremely cautious in assessing security on government computer systems. It'd be pretty embarrassing if, for example, they took down a weather-predicting computer with an nmap scan and a severe storm subsequently killed a few people because forecasters couldn't issue a warning. This is why a lot of security assessment is done by self-reporting and not by tiger teams.

  56. Solution by SaXisT4LiF · · Score: 1

    Fact: People are stupid.
    This implies that people don't think when they choose their password.

    Fact: People are lazy.
    Fact: "1234" is a helluva lot easier to remember than "jE9kNq^"
    Thus stupid people choose stupid passwords.

    Quick Fix:
    Access Card, Fingerprint ID, Retinal Scan, Voiceprint ID, Facial ID, or combination thereof.
    If you're working for the Department of Defense and have information worth protecting, the least you could do is swipe a card and say "Hello, my name is ______ ____, my voice is my passport, verify me" before using your computer. Then only people as smooth as the guys in Sneakers could crack it.

    --
    Fight or flight, it's all the same
    Live to die another day

    --Ryan
  57. Working in the DoD by dkblade · · Score: 1

    I can attest first hand why the DoD has failed security tests. I am an electronics technician in the Navy, and as one of my collateral duties I play network administrator; the actual administrator is not too knowledgeable, to be kind. The reason that I say 'play' is that my main job is to make sure that all of my HF/UHF/SHF radios are maintained and all working; this takes priority over everything else, and I have to fit administration in on the side. The rating in the Navy that would actually be responsible for the computers would be the information technicians. The problem is that most of them don't know how to operate a computer, let alone administer one. The school that they send the network administrators to is a 3 month crash course in basic computers and very basic administration; then they come straight to their network admin job and become in charge of the whole network. The organization of the military, unfortunately, allows for people to be in charge of something that they know nothing at all about. When I came to my current command, the person running the network had used his first computer 6 months prior; needless to say, the network was administered horribly. None of the computers had virus scanners (or had one, but it was disabled and never updated). Most of the passwords used were something that could be guessed using a very basic dictionary. Luckily we were behind a pretty good firewall, managed somewhere else by someone who knew what they were doing. This network that I am speaking of is for unclassified information. The network that is for classifications above that is set up pretty well, and uses some pretty advanced technology to guarantee that nobody can snoop in. Although, like any computer, if you have access to the local machine, you can get anything you want off it.

  58. Thank you by Anonymous Coward · · Score: 0

    Thank you for that. Excuse me while I wipe a tear from my face.

  59. What OSes are the government sites using? by Blowit · · Score: 1

    I am curious as to what operating systems and daemons the government sites are currently using. I would like to see a list of this to see as to:
    1: How much is spent on computer security.
    2: Salary of these so called admins for these networks.
    3: What OSes the government has standardized on.
    4: To determine if one OS is better than the other.

    Since each different division uses different software, which OSes are the least vulnerable and start converting to those OSes.

    Another thing that should be pointed out is that the departments that got "F" marks should suspend/fire the admin without pay or at least get a new admin and send the current admin to a 1-2 year course on the specific platforms.

    Another thing I have noticed is that there really are NO security schools to help admins get a better knowledge of securing OSes. Maybe this idea can be a new niche market for anyone out there interested in teaching computer security.

    --
    *Headline News* censorship shuts down the Internet! More at 6PM!
    1. Re:What OSes are the government sites using? by halivar · · Score: 1

      About four years ago I visited my dear-ol' dad's office on a DoD base, and half the comps there were running Windows 1.0 on MS-DOS 3.0. Do we still consider that vulnerable even though it doesn't natively support networking? Perhaps regression is the best method of protection.

  60. DoD network personnel structure by Anonymous Coward · · Score: 0

    Okay, over here in Europe the network personnel structure looks like this:
    The main entity for all Army networks in Europe is the mighty 5th Signal Command, which is comprised of many smaller sub-commands (like 2nd Signal Brigade), which are then, in turn, divided into smaller signal battalions (102nd Signal Battalion, etc). Each battalion is given a geographical area in which to run all computer networks AND telephones for the Army. Now, as far as networks go, they have what are called NSCs, or Network Service Centers, for each smaller area, usually a grouping of installations. The problem is that you usually have 3 (maybe 4 if they are lucky) people to run everything on a network with 8000+ users. When I ask about when they are getting more people, they just tell me the money isn't there. It is being spent on "other" projects. Also, where I am at least, there is an Army job called 74B or 74C that is a network technician/server admin; the problem is that those jobs are not authorized below the Division/Corps level, and the majority of the servers are actually at the BRIGADE level. At those levels, interviews are scheduled for aspiring SYSADs and the one with the most knowledge wins. The brigades don't care what the soldier's normal job is, as long as they can keep the networks and servers running as part of an "additional" duty. But I DO know they are looking at hiring out to civilians to run them, so at least they KNOW it is broken and are trying to fix them.

  61. My 2000 bytes.... by Anonymous Coward · · Score: 0

    ...I don't work for the government, I work for a commercial multinational. As far as I know, we have an excellent security team, with great policies. But my co-workers on my team just reek out loud. While they are not as stupid as the jerks who use "password" as a password, we do have superuser accounts that anyone can easily guess, and it violates the standing rules. Now, I have ranted and raved and engaged management about this issue until I have been labeled a troublemaker and "not a team player". It is unreal what passes for professional; it is unreal how lazy these so-called sysadmins are. With admins like this, is there any hope that the users will be educated? I grow tired of my constant rearguard action and I am really about to relocate so that I can work with grown-ups. The moral is, it does not matter what operating system or software you are using. It does not matter how good your policies are if they are not followed. And if you hire system admins who are out of diapers but have not grown much since then, there is no hope at all.

  62. Diceware! by karlm · · Score: 1
    Does NT4.0/2K/XP allow arbitrary length passwords? (Sorry, been Win-free for a few years now.)

    I don't see why computers don't all come with a diceware program or a pronounceable password generator. Random, secure passwords are pretty easy to come by, assuming /dev/urandom or equivalent is sufficiently random.

    I could come up with a good 2,048 word list off the top of my head, which would mean 11 bits of entropy per word. Random capitalization of the first and last letters means 13 bits per word. That's five words for about the strength of 64-bit encryption. Anyone should be able to remember 5 words. Assuming account lockouts for 15 minutes or so after 3 failed logins, this should be sufficient. Of course, Windows networking sends salted hashed passwords in the clear, right? That would mean you probably want at least about 80-bit strong passwords.

    I really need to just sit down and write that password generator I've been meaning to get around to. The hardest part is the 2,048 word list.

    See Diceware for a simple way to generate secure passwords.

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
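Carrying the arithmetic from the post above through in code, as an added example that is neither karlm's planned generator nor the Diceware tool itself: the word list is a small constructed stand-in (a real list has 2,048 or 7,776 words), and `words_for_strength` generalizes the post's 64-bit and 80-bit targets to any list size.

```python
import math
import secrets

# Constructed stand-in for a word list. The post assumes 2,048 words (2^11);
# a standard Diceware list has 7,776 (6^5). Entropy depends only on the size.
SAMPLE_WORDS = ["able", "brisk", "cedar", "drift", "ember", "flint", "gale",
                "harbor", "inlet", "juniper", "kettle", "lumen", "marsh",
                "nickel", "orbit", "pivot"]


def bits_per_word(list_size: int, random_case: bool = False) -> float:
    """log2(list size), plus 2 bits if first/last letter case is a coin flip."""
    return math.log2(list_size) + (2 if random_case else 0)


def entropy_bits(list_size: int, n_words: int, random_case: bool = False) -> float:
    """Total entropy of n_words drawn uniformly (with replacement) from the list."""
    return n_words * bits_per_word(list_size, random_case)


def words_for_strength(list_size: int, target_bits: float,
                       random_case: bool = False) -> int:
    """Fewest words needed to reach target_bits (e.g. 64 or 80 as in the post)."""
    return math.ceil(target_bits / bits_per_word(list_size, random_case))


def randomize_case(word: str, rng) -> str:
    """Independently upper- or lower-case the first and last letter (2 bits).

    The 2-bit credit only holds for words of at least two letters; a
    one-letter word has a single flip and is left at 1 bit here.
    """
    first = word[0].upper() if rng.getrandbits(1) else word[0]
    if len(word) == 1:
        return first
    last = word[-1].upper() if rng.getrandbits(1) else word[-1]
    return first + word[1:-1] + last


def generate_passphrase(wordlist, n_words: int, random_case: bool = False,
                        rng=None) -> str:
    """Pick n_words uniformly with a CSPRNG (os.urandom-backed, as the post assumes)."""
    rng = rng or secrets.SystemRandom()
    chosen = [rng.choice(wordlist) for _ in range(n_words)]
    if random_case:
        chosen = [randomize_case(w, rng) for w in chosen]
    return " ".join(chosen)
```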
  63. NT Policy == Fraud, Waste and Abuse by SgtChaireBourne · · Score: 1
    Years ago, there used to be a hotline to report fraud, waste or abuse within the U.S. government. It shouldn't be too hard to put together a case regarding Microsoft products in one or more of those categories and then report it. There may even be a financial reward.

    The decision to use NT over viable alternatives such as UNIX or Novell could certainly be questioned.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  64. Atypical! by Antibozo · · Score: 1

    First, 43 times is a lot more than the absurd "twice" claimed by the original poster. Your retort is anemic at best.

    Second, 305 is about 600% more than 43. You can say it's 7 times as many, if you're trying to be honest.

    Third, the U.S. government maintains far more hosts on the 'Net than the U.K. government does. Netcraft records only 1073 web sites in gov.uk, and 6290 -- that's nearly 5.86 times as many -- hosts in .gov. And that's just web servers.

    I don't claim the U.S. is a whole lot better at securing their hosts than the U.K., but the converse is certainly unsupported by the evidence.