Federal Computers Fail Hacker Test

Nintendork writes: "An article by the Associated Press, published on CNN tells of the latest network security report cards earned by Federal agencies. The Department of Defense along with several others failed. I hope terrorists that pose physical threats don't have any script kiddies in their arsenal."

Typical useless gov't reports

[baptiste]

Note this from teh article:

The grades are based on information the departments gave to the Office of Management and Budget (OMB). Under a new federal law, agencies must report regularly to OMB on their efforts to keep computers safe.

Please - this was just an audit of what agencies SAID they did. Can you imagine the grade they'd get if they actually scanned the systems and networks for vulnerabilities? A monumental task no doubtm but still scary to contemplate.

Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have speced out for them.

Re:I don't buy it...

[Nick+Number]

I can't believe that they could have scored at F on any security test. Am I naive?

Well the following paragraph of the article gives some blatant examples of poor practices that were found:

The GAO routinely hacks into federal computers to test security and rarely fails. At the Commerce Department, for example, the GAO in August found some computers didn't require any passwords; some used "password" as the password; and entire lists of passwords were stored in plain view on the computers themselves. When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.

This isn't all that hard to believe. These networks are huge, and there will always be some people who value convenience over security. The question is whether the admins are understaffed, inexperienced, or simply lax in enforcing policies.