Information Security On An Olympic Scale
jeffy124 writes: "Wired is running a story about the man in charge of securing the computer systems at the Salt Lake City Olympic Games next February. Matt McClung discusses how he's withstanding an 'overhype' in the media on the possibility of getting his systems cracked and what he's doing to prevent it in the first place. With 4500 PCs and 550 servers, that shall be a daunting task, especially given the reliability problems at the '96 Atlanta games."
Seems rather high. Is this Microsoft at work?
Urmmm... I work in a small company (50 employees) so I've never seen really big networks. But somehow, 2000 computers doesn't seem like it compares in any way to various military and Fortune 500 networks. By an order or two of magnitude.
So, is somebody who has never seen (let alone worked with) this many machines the right guy for the job? Sounds like he is in over his head a bit.
(Now, if this IS an incredibly huge/large network, please bitchslap me)
Jesus was all right but his disciples were thick and ordinary. -John Lennon
just don't hook one single system up to the Internet. Establish a private network (not VPN - actually private) for the entire thing.
:)
Use dedicated hosting boxes, with ALL DYNAMIC FUNCTIONS OFF, that run NOTHING but the http server on the public interface. The secure FTP server runs on a dialup connection that only connects to the private network, with hardware authentication of the modems to each other.
Choose a bare-bones http server, with no bells and whistles. Both IIS and Apache are out. Maybe thttpd? Not familiar enough with it, to be honest.
Yes, you're going to have to work around not having dynamic portions or ubiquitous connectivity, but you're having to choose, flexibility or security.
Would this make for an enjoyable online olympics? Probably not, but that wasn't really what the story addressed.
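The "nothing but a bare-bones http server on the public interface" idea above, as an added example that is not code from the original post or from the Olympic systems: a Python handler that answers only GET and HEAD, serves from one fixed document root, has no CGI hooks and no directory listings, and refuses path traversal, dot-files and any file type outside an allowlist. The document root and file names are constructed for the demo.

```python
"""Minimal static-only HTTP server: GET/HEAD, fixed document root, no CGI, no listings."""
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Allowlist of file types the server will hand out; anything else is a 404.
CONTENT_TYPES = {
    ".html": "text/html; charset=utf-8",
    ".css": "text/css",
    ".js": "application/javascript",
    ".txt": "text/plain; charset=utf-8",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".gif": "image/gif",
}


def resolve_static_path(root, url_path):
    """Map a request path onto a file under root, or return None to 404.

    Rejects anything that escapes root (checked after percent-decoding and
    symlink resolution), any dot-prefixed component, and any extension not
    in CONTENT_TYPES. A directory resolves to its index.html or to nothing:
    there is no listing code path at all.
    """
    root = Path(root).resolve()
    decoded = unquote(urlsplit(url_path).path)      # drop ?query and #fragment first
    if "\x00" in decoded or "\\" in decoded:
        return None
    parts = [p for p in decoded.split("/") if p]    # collapse empty segments
    if any(p == ".." or p.startswith(".") for p in parts):
        return None
    candidate = root.joinpath(*parts)
    if candidate.is_dir():
        candidate = candidate / "index.html"
    try:
        resolved = candidate.resolve(strict=True)   # follows symlinks; must exist
    except (OSError, RuntimeError):
        return None
    if root not in resolved.parents:                # must be strictly inside root
        return None
    if not resolved.is_file() or resolved.suffix.lower() not in CONTENT_TYPES:
        return None
    return resolved


class StaticOnlyHandler(BaseHTTPRequestHandler):
    document_root = Path(".")
    server_version = "static/0"   # don't advertise the stdlib server version
    sys_version = ""

    def _serve(self, send_body):
        target = resolve_static_path(self.document_root, self.path)
        if target is None:
            self.send_error(404)
            return
        data = target.read_bytes()
        self.send_response(200)
        self.send_header("Content-Type", CONTENT_TYPES[target.suffix.lower()])
        self.send_header("Content-Length", str(len(data)))
        self.send_header("X-Content-Type-Options", "nosniff")
        self.end_headers()
        if send_body:
            self.wfile.write(data)

    def do_GET(self):
        self._serve(send_body=True)

    def do_HEAD(self):
        self._serve(send_body=False)
    # No do_POST / do_PUT defined: BaseHTTPRequestHandler answers 501 for them.


def make_demo_root():
    """Build a constructed document root in a temp dir (sample files, not real site content)."""
    root = Path(tempfile.mkdtemp(prefix="static-demo-"))
    (root / "index.html").write_text("<h1>Results</h1>")
    (root / "results").mkdir()
    (root / "results" / "downhill.html").write_text("<p>constructed placeholder</p>")
    (root / ".htpasswd").write_text("not-served")        # dot-file: never served
    (root / "notes.cgi").write_text("#!/bin/sh\necho no")  # not in allowlist: never served
    return root


if __name__ == "__main__":
    StaticOnlyHandler.document_root = make_demo_root()
    print("serving on http://127.0.0.1:8080/ (Ctrl-C to stop)")
    HTTPServer(("127.0.0.1", 8080), StaticOnlyHandler).serve_forever()
```

The point of the allowlist plus the "strictly inside root" check is that the server has no way to run anything: a `.cgi` or `.php` file dropped into the tree is just an unserved file, and a symlink that points outside the root is refused after resolution rather than trusted on its name.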
This can't be right...
1337 h4x0r5 5cH001 r0x0r5
(Must be an Eastern Europe immigrant...)
Mainly a fluff piece. Pretty skimpy on the details.
I was a relatively low level volunteer, assigned to a specific area at a single venue. My badge said as much in codes that every security person was supposed to know.
I was able to access behind the scenes areas, chat with athletes and celebrities, watch events at other venues, all without a single question from a security person. (Most of them were volunteers too). Even when I was out of my uniform, all I had to do was flash my badge and I was never denied access to even the most sensitive areas. Part of it has to do with attitude of course. If you act like you belong, they assume you do, and I consider myself a Master of Social Engineering, but even then, I should have at least been questioned when I walked into the athletes change area. (There were none there).
I'm pretty sure that Salt Lake City will be more secure, if only because of all the money being poured into it now. But what they need to realize is no matter how many $B you spend on security, you still need people with the balls to say "I'm sorry sir, your badge doesn't allow you in this area" and to stick to it.
Reality has a liberal bias
The man in charge of the security? Is it just me or does this seem like they are setting up a fall guy for the inevitable failure of their network security... Give the guys name out well in advance so we have someone to blame when everything gets hacked...
Pretty smart...
---
Programming is like sex... Make one mistake and support it the rest of your life.
...Don't use Winblows, use OpenBSD. All your security worries will just vanish into the night. :D
Pain(n): when you're telnetting into a box doing somethin cool, and some luser calls for help with a 'critical error' ad
Sounds like they have a good site set-up for the Cracker Olympics. If they don't secure those well, they might have the Cracker Olympics held there as well. :)
Are you aware that it is impossible to hold a plosive?
Actually, it's NOT technically okay to have a dozen wives (I won't go into the details), but you'd never know the difference from some of the loonies I hear live out in the boonies.
-lee...and what the hell do you do with 60 kids, anyway?
They post this drivel with no content, but not my post from the *same* website about selling the Moon.
Anywho, who really cares about this? It will go away when the winter games are over. It'll be amusing if it gets hacked. Probably, an anthrax scare or two (or 463) will get much more news attention.
Nerds do not care about the olympics. The olympics test how much Weight Gain 4000 a single person can consume and not have their liver fail (at least before the games.)
I still can't see why this was posted. This is a tiny network. Is it even critical? The games will still be playable if every single machine decides to melt.
Let's go back to our normal posts, mainly, 23 ways to bitch about MS.
I never really understood the need for hundreds of servers for a task like this, especially for the public website. There is no need for true dynamic content when they can come 99.9% as close with static content on a small farm of servers that's continually updated (say, on a 5 minute interval) by one or two dynamic "feeder" servers. Granted, they'll want one or two backup machines for every production machine, but that's far from a server farm warehouse. Sounds to me like a large scale "because we can" project more so than a conservative project.
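The feeder side of the static-farm design described above, as an added example that is not code from the original post or from any Olympic system: the feeder renders results into static HTML, writes each page with a temp-file-and-rename so a mirror pull never copies a half-written page, escapes every feed value so a crafted athlete name cannot inject markup into the static site, and publishes a SHA-256 manifest last so each edge box can verify what it mirrored. The feed data and file names are constructed for the demo.

```python
"""Feeder for a static publishing farm: render, write atomically, emit a verifiable manifest."""
import hashlib
import html
import json
import os
import tempfile
from pathlib import Path

# Constructed sample feed (not real results): event -> ranked (name, time_seconds)
SAMPLE_FEED = {
    "downhill": [("A. Skier", 105.42), ("B. Skier", 105.77)],
    "luge": [("C. Slider", 47.91)],
}


def render_page(event, rows):
    """Return the HTML for one event page. Every feed value is escaped, because the
    feeder is the only dynamic component and therefore the only injection point."""
    body = "".join(
        f"<tr><td>{rank}</td><td>{html.escape(name)}</td><td>{time:.2f}</td></tr>\n"
        for rank, (name, time) in enumerate(rows, start=1)
    )
    return (f"<!doctype html><title>{html.escape(event)}</title>"
            f"<table>\n{body}</table>\n")


def write_atomic(path, data):
    """Write bytes via temp file + fsync + rename, so readers and the rsync/pull
    that mirrors this directory see either the old page or the new one, never a torso."""
    path = Path(path)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)   # atomic on POSIX within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise


def publish(feed, outdir):
    """Render every event page, then write manifest.json last: a consumer that sees
    the new manifest is guaranteed the pages it lists are already in place."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for event, rows in sorted(feed.items()):
        name = f"{event}.html"
        data = render_page(event, rows).encode()
        write_atomic(outdir / name, data)
        manifest[name] = hashlib.sha256(data).hexdigest()
    write_atomic(outdir / "manifest.json", json.dumps(manifest, indent=1).encode())
    return manifest


def verify(outdir):
    """Recompute hashes against manifest.json; return the names whose content is
    missing or differs. Run this on each mirror after every pull."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [name for name, digest in manifest.items()
            if not (outdir / name).is_file()
            or hashlib.sha256((outdir / name).read_bytes()).hexdigest() != digest]


def new_outdir():
    """Fresh temp output directory for a demo run."""
    return Path(tempfile.mkdtemp(prefix="results-"))


if __name__ == "__main__":
    out = new_outdir()
    print(publish(SAMPLE_FEED, out))
    print("mismatches:", verify(out))
```

A 5-minute cron on the feeder calling `publish`, and a pull plus `verify` on each front-end box, is the whole dynamic surface; the public machines themselves run nothing that takes user input.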
Actually, legally it's not okay, it's just kind of...overlooked. Also, what kind of nut would want a dozen wives? One, as I can see it, is a little difficult to handle, much less 12! Also, what business is it of the government's how many wives a person has?!?! If they have no sanity, and want 12 that should be their...warped but legal right. Also, instead of worrying about who is bribing the IOC officials, maybe one should worry about the fact that they are taking the bribes. Aside from that, Salt Lake City seems like a fairly nice venue, so no need to complain too much! :-)
Derek Greene
IT security is all fine and dandy for scoring and such, but what about real-world things? I can recall that in Atlanta, very few buses actually ran at the end of the games (the rest broke down from overuse). Also, things like logistics, feeding people, etc, that were poorly organized and often failed. Imagine all the problems they'll be having with things other than IT!
-Michael Roy Some people are like Slinkies. Not really useful, but you can't help smiling when you see one tumble down
... because they wanted to control it all, including everything on the Olympics.com Web site.
http://www.forbes.com/2000/08/23/feat.html
Stupid job ads, weird spam, occasional insight at
Hmm... with a little hacking, and I could be the first person in my family to win a gold medal for figure skating.
Swannie
:q!
and what the hell do you do with 60 kids, anyway?
With enough pelts, you can make a stunning fur coat.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Atlanta has issues all over the place due to the city government. Anything they touch is just f*cked up all over the place! Well, they touched the Olympics and the Olympic computer systems back in '96, and well, you saw the results. Just be glad you don't have to live with said government. :-)
Derek Greene
That always has been common practice for the Olympics (not saying it's okay), so it's not just a Salt Lake City problem. Also, what is the problem with having a dozen wives? In the moral sense it may be wrong (I personally don't care if someone else does it), but why is it legally wrong? Where does it supposedly harm society etc? Stop pushing your personal morals onto others that don't want them.
...only that it was the most complex network he'd ever seen.
Personally, I can think of some rather complex topologies for even a twelve-computer network, even ignoring multi-homing possibilities. Depending on how the network structure is designed, as well as how many other networkable devices are involved and how they are connected (I'd assume a rather large contingent of wireless devices as well), this network might well be more complex than anything you or I have seen or even visualized.
The reason I bring this up is that the article mentions the "great hack of 2000" where it was thought that the Sydney Olympics network would be compromised.
Given the current state of affairs, current legislation, and this soon to be widely publicised network, are we going to be seeing any "Terrorist Attacks" against these games? Seems that it would be a very convenient situation for the US gov to prove the necessity of the U.S.A. legislation just recently passed.
Hey, polygamy is a just another lifestyle choice! Those guys were probably born with a gene that led them to choose multiple wives! So lay off, ya polygamyphobe!
Secure the equipment!!!!
If the guy from Atlanta was right, it does absolutely no good to put up firewalls, anti-virus, or intrusion detection. If any volunteer can take his limited badge and walk anywhere in the complex, then someone could volunteer, camp out around the IT room(s) and do their work from the inside.
And then there is the ever present wireless links. Walk into the games with a laptop loaded with packet sniffers and a wireless NIC and voilà!!... you have all the info you need. Even if you don't hack from inside the games, you have still obtained the needed info to go sit at home and go to work.
I cannot believe that security was that bad at the '96 games, but I am not really all that surprised.
No, it isn't legal to have more than one wife in Utah, and hasn't been since before the territory of Utah achieved statehood in 1896 (which was one of the conditions of statehood).
Also, although scandalous, bribing IOC officials was found to be the standard fare for most host-site hopefuls. Utah wasn't the first to do so. Utah was just the first to be prosecuted. IOC officials from previous years admitted to such.
Check your facts before you troll.
__
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup...
We might already be too late to help them. :-/
The Ultimate Test
Fill the servers up with pr0n and serve it to the public, for free! If it withstands that, the Olympics will be a piece of cake. Hey, I'm serious ...
Did you know you can fertilize your lawn with used motor oil?
Brent Lundberg: Oddly enough, Jim, the Chinese seem to have dealt a crushing blow to the U.S. and Swiss top downhill contenders with times up to 45 seconds lower.
Jim: But the Chinese can't ski!
meanwhile in Beijing:
Xing Zhang: Muhahahahahahahaha
We, the taxpayers, have had to fund more shit -- all in the name of the Olympics and World Peace -- only to get little in return. Yeah, we have wider highways, but they're already as congested as they were before I-15 construction began. We have a light rail in town, but they had to up sales tax for that (and I'm sure it won't go back down when it's done). The U. just lost a few thousand parking spots to accommodate the games -- and I'm sure all of you University admins know how parking on a large campus already sucks.
I'm so sick of these fucking Olympic organizations. The IOC and the SLOC (with phony Mr Romney at the helm) are a bunch of corporate whores who rape the local communities for getting a few bucks in return.
This whole thing really pisses me off, if you haven't figured that out by now. If the network is hacked, I'll be laughing my ass off. I'm gonna fly my Corporate Flag on my car when I crawl through downtown traffic when I'm on my way to/from work during the "games". Not that it'll change anything, but at least I'll feel better.
Method of processing duck feet
These are the Olympic websites, which implies that there will be many live video feeds and even more saved clips. Your "proposed solution" is very simplistic, failing to take into account the enormous bandwidth requirements (the condition which separates this network from any other generic Big Net).
for something like this, you need to think about multihoming (Akamai-style), server location, special hosting... sorry, can't just set up a few Linux servers in the phone room and call it quits.
However, I will not tolerate the State supporting the children via welfare with my taxes.
Method of processing duck feet
And now for our ceremony:
Gold medal - France - l'intrus d'élite vous possède
Silver medal - Spain - el hacker de la élite le posee
Bronze medal - USA - 133t h4x0r 0wnz joo!!!!
From the article:
McClung declined to give specifics about the system, but said the network is protected by standard security methods such as firewalls and a virus detection application.
See? Security thru obscurity!! It's working already!
Whadda ya mean we "have to wait until after the Olympics are over?"
Aw, man!
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Why do they need computers connected to the internet at the Olympic games?
They need of course some data storage facilities for the information about the sportsmen, events, scores etc. But I don't see why these computers must be connected to the internet. The 100 meter runners will be very unlikely to surf on the net while setting up the newest world record.
And personally I doubt that people who do so much sport can use computers without being helped.
We all know that strong physical action reduces the amount of oxygen in the brain, killing thousands of nerve cells like alcohol.
They claim that they want to present the scores on the net, but this is just the useless usual internet hype. Which person who uses the internet is interested in sports? Nobody, really. You might now say that there is AOL these days but you can't access the whole internet with AOL so this is no point.
This is a very good example of how the government's money is wasted all over. I think next they'll raise our taxes and make us pay. These sports dudes don't need an expensive internet access and I wouldn't be surprised if these admin guys are the brothers-in-law of some sports bureaucrats in Washington, Alabama.
BTW: I weigh 200 lbs, does anyone know how to lose some weight?
Owner of a Mensa membership card.
CrossCountryJava will be an event in next Olympic - much better than PerlBobsled.
I apologize in advance for my trolling, but anytime we have a server farm article, you can pretty much sum up all the posts as:
... just like this post :-)
40% M$ sucks. Use Linux, BSD for all the servers.
30% Matt McClung [insert name here] is not me and, as such, a moron.
15% First post, Stephen King is dead, grammer cop, and goatsex.
10% Trolls
5% Informative posts.
I have to agree with you. My sister is a student at the University of Utah. She got kicked out of her room so some fucking athlete can stay there. Landlords are raising the fucking rent/kicking out tenants in hopes that the families will rent their apartments. And on top of that the construction in downtown SLC is horrible.
I hope the fucking Olympics fall flat on their asses.
.::[sianide]::.
... and what is more spectacular than the Olympics?
The Utah-based company where my day-job is has had a hand in the ticket sales side of the Winter Olies and I've noticed that whenever something this big comes around, people come out of the woodwork to make it go wrong or at least cause general mayhem.
A lot of people don't like the Olympics, and a lot downright hate it to the point where they'll do anything they can to sabotage it including -- you guessed it -- hitting my company so that tickets cannot be sold online for the events.
Now that they're imminently upon us things have calmed down a bit, but a while ago not a day would go by that we didn't get DoS'ed, Skript Kiddie'd and even had a near hit/miss with a domain hijacking, and a lot of the action carried nice little messages saying things like "death to those who promote globalization" and so forth. I can feel for Matt in this, especially since in a little over 2 months it's going to be his systems on centre stage along with the athletes. The Olympics are too high-profile of a target for anyone lacking in self-esteem to pass up because it'll be "so 31337" to say "I changed the name of a French competitor to 'Le Shithead' on the statz page! W00h00!"
Maybe in 2004 Firewall configuration should be made an Olympic sport?
Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
Please note: You just posted Germany's most famous classic citation.
If you want to post this again, please impersonate the original creator of this phrase:
J.W. Goethe
Trolls must have a certain cultural quality.
Meanwhile, the Olympics are going to be held in the US in two months and as far as I can tell, no one besides me cares. I've seen a handful of commercials but there's absolutely no buzz. And judging from the tickets the organizers keep pleading for me to buy (men's hockey medal round games, women's skating long program, other really high-profile events) they're having a lot of trouble moving tickets. There was the bribery scandal a few years back (as if that wasn't how every previous Olympics was offered) and now the fuss about terrorism, but are people really bothered by that? I suppose the WTC attack, and the subsequent war and anthrax have driven everything else out of peoples' minds.
Come on, like terrorists are really coming to Utah to blow up a bobsled run? I've eaten plenty of meals in the McDonalds you see in the pictures of the Jerusalem bombing last Saturday -- I can't bring myself to get too worried about going to Snowbird.
4500 pcs, 550 serverS?
how many computers were used in the 70's and 80's, why is it just getting more complex?
In 2020 they will need 50,000 computers, despite the fact that the computers of that era will be 100x faster and have more storage.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
http://uptime.netcraft.com/up/graph?&site=www.saltlake2002.com
Bronze == Solaris with 144.81 days of up time
Silver == Linux with 130.78 days of uptime
and the winner and still champion of the world in the Network Server Crash
Gold == Win2k with an astounding 28.8 days of uptime!
Way to go Microsoft you've proven again that innovation and crashes go hand in hand.
This
I live near Baltimore/Washington, and say a prayer of thanks every time we don't get the Olympics. I mean, we just built about $1billion in stadiums (two in Baltimore, one near DC) and, uhh... We haven't gotten quite that much benefit out of them. I can only imagine the insanity of the Olympic games.
My cousin lived near Atlanta. Had a bunch of leave saved up (gov't job). Took it all during the games. She wasn't alone.
(BTW, nice flag)
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Yeah, seven is pretty much the max. Any higher and the mathematics involved in determining who's sleeping in what bed beyond next week become too tedious.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
All the reporters, thousands of them, will be filing hourly reports from the games back to their editors. I'm not sure how they plan to do it, but I suspect they'll use the provided "public" terminals so they can fire off results and other tidbits to those waiting at home. I don't suppose they'd let reporters jack in with their own laptops, too much security risk there.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
He should use a mac if he wants real security.
There are hundreds of published exploits on Bug Traq for all OS's except mac.
Thats why the US Army uses WebStar on a Mac for security.
The mac has no command line to exploit from.
The mac is always running at root (the kernel is rarely entered and only done so using Gary Davidian's birthday in a particular register). But because all code is root, mac programmers take time to do things correctly.
The mac (os9 and older) cant execute a file merely because it is named a particular filename extension. It needs a resource fork. No mac web servers normally create these forks, nor do most helper apps that store data files. A mac data file cannot execute, it has one fork.
The mac is usually programmed using Pascal style strings using a length limiting byte, not ANSI C library C strings. In fact the ROMs use these strings nearly exclusively. Pascal strings cannot be used to exploit buffer overruns as in unix or PC code.
The mac stores return addresses differently than the lame way intel compilers set them up. This too helps prevent buffer stack exploits.
The Mac web servers, (such as WebStar), never execute cgis except from areas they should and the files are further limited by their file type. A mac file type is not easily spoofed or hacked from an app, it is determined by what compiled code sends the mac os when a file is created.
There are many more reasons that mac web servers running standard WebStar are never exploitable remotely over the internet.
It has never been done, in any version of these tools and mac OS 9.1 or older.
Admittedly Mac OS X is BSD unix, but no sane mac web admin would ever want to use it. In fact Apple had to release three patches to Mac OS X exploits already!!!!!! Some were hilarious mistakes.
This Olympic admin is a fool for choosing the wrong hardware and OS.
Anyone will be able to break into his servers, if they are up enough weeks. Heck, you only need to read Bug Traq and then pounce once the news is released after the short blackout time period. If the news blackout is too long, then hanging out on IRC will yield some good info regardless.
ahem
since the 96 games (in america), and the upcoming games, in America there have been two other olympiads that may have gone unnoticed (perhaps due to not being held in America?).
And while I'm sure they had their hairy moments in the back-room the tech side seemed to run OK...
America is not the ENTIRE world you know.
'There is a Light that never goes out.'
Anyone who tries to "defend" that hick, backward state of Utah is out of it.
They don't call them Utahrds for nothing.
Yes, just look at the improved uptimes they have got since they switched OS. Maybe I will switch tooo.
I'm sorry but this is only a sporting event. It's not as though the security of it is that important. And besides, why would crackers want to attack such an event - what information would there be to steal/alter?
In addition to what has been said about size of the network vs. complexity here;
Would the fact that English may not be the only language used by the users add to the complexity?
Right-on.
What steps are they taking to stop punks from running around the place clipping network cables? Forget clipping, even just scoring a cable in some discreet location would have a team of security specialists scratching their heads for a while. I bet a biatch with a pair of scissors or an exacto knife could do more long-lasting damage than any kind of DoS attack.
This should be a real concern, given the level of lax security given to volunteers as mentioned in the above posts.
I don't get it.
What has javascripts to do with anything?
What has not using https on a *public* site has to do with security on the network that is being set up?
And I don't even see the point with pointing out the ASP pages. Granted, that is a poor choice for security *if* the admins aren't very thorough and alert, but that has still nothing to do with what will come, has it?
Put the p0rn and stuff up for half a day, then turn on the security measures... now *that* will be the real test.
My bet is that a regular stopwatch at a few bucks will be well enough to measure the time it will stand. Hehe.
... and what is more spectacular than the Olympics?
Erm, the World Cup? The European Championships? The FA Cup final? Face it, the Olympics is shit. People only watch it because of the hype. Who wants to sit there for hours on end watching countless rounds of long jump and 400m? Why does the Olympics revolve round such dull sports?
No-one ever rushes out to buy a paper, and flicks to the back page to find out who won the latest game of javelin or 100m hurdles. How can people get so excited about something they'd rank lower than paint drying the rest of the year?
It's completely absurd.
Ok dude, we have all read it before.. we don't care.. just post something informative. Stop wasting everyone's time with it. You think it's great to be a troll.. ha.. wait a couple years... make the L on your forehead
We'll take 'em! The last time we had them here in L.A., the traffic got BETTER, not worse!!!!!
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
I guess that explains why half of California has moved in....
No need to hack. From my 9th floor apt I can see into the windows of SLOC's offices. Easy to watch them type in their passwords every day. And yes, they do use insecure wireless networks. It interferes regularly with mine. Some say I have a 'snipers view'.
Personally, I'm looking forward to a great party. A couple hundred thousand women I haven't hit on yet coming voluntarily to my town. But these slimy olympics people need to get the fuck out of town the very next day after closing ceremonies.
FBI troll: Mitt Romney's password is ******* and he eats Pringles potato chips like they were Olympic bribes. He regularly entertains, uhhh, 'guests' late at night. What he keeps in his top, right side drawer is also very interesting. I'm not a terrorist, just an American who will make $$$ for what I know from watching through the windows. Is that Larry Flynt calling?
Arbeit Macht Frei
-Birkenau Betty
Posting anonymously since I work there.
There are a lot of comments about the number of servers being used. While I can't comment on how many machines MSNBC will be using to host the web site, there are a large number of systems internal to the games that most people will never see. On-venue results and commentator systems at ten plus venues, games management systems, central systems (Olympic intranet, print distribution, press feed, etc), the servers that allow all of these systems to talk to each other, plus many other systems that I'm forgetting at the moment. With many of these systems having two backup servers, it adds up quickly. True, it may be a lot of hardware to throw at it, but it's a high profile project. And it's not all Microsoft. Many of the central systems are running on Unix.
Yeah, feel better as you're one of the people clogging traffic instead of using the new light rail line going from downtown to the university. The university contributed a large chunk of money to that project. Try using it in eleven days when it goes into service.
I think that most people reading this thread have a common misunderstanding about what all of those systems will be used for. None of the 500 servers that were mentioned are used for serving web pages. All of them, however, are used for accreditation, information diffusion, Xerox printing, commentator information systems, and other necessary mission-critical servers.
MSNBC (read NBC) is an official sponsor of the Games, and as such are maintaining the Olympic website as part of their sponsorship agreement, hence the use of W2K and IIS/5.0.
I can assure you that there are many different types of technologies doing the REAL work behind the scenes.
---- nohup: appending output to `/nev/dull'
Amputate a leg. Legs are quite heavy, so you'll lose a lot of weight all at once.
If you're still too heavy, try another limb.