Slashdot Mirror
Information Security On An Olympic Scale
jeffy124 writes: "Wired is running a story about the man in charge of securing the computer systems at the Salt Lake City Olympic Games next February. Matt McClung discusses how he's withstanding an 'overhype' in the media on the possibility getting his systems cracked and what he's doing to prevent it in the first place. With 4500 PCs and 550 servers, that shall be a daunting task, especially given the reliability problems at the '96 Atlanta games."
Seems rather high. Is this Microsoft at work?
just don't hook one single system up to the Internet. Establish a private network (not VPN - actually private) for the entire thing.
:)
Use dedicated hosting boxes, with ALL DYNAMIC FUNCTIONS OFF, that run NOTHING but the http server on the public interface. The secure FTP server runs on a dialup connection that only connects to the private network, with hardware authentication of the modems to each other.
Choose a bare-bones http server, with no bells and whistles. Both IIS and Apache are out. Maybe thttpd? Not familiar enough with it, to be honest.
Yes, you're going to have to work around not having dynamic portions or ubiquitous connectivity, but you're having to choose, flexibility or security.
Would this make for an enjoyable online olympics? Probably not, but that wasn't really what the story addressed.
I never really understood the need for hundreds of servers for a task like this, especially for the public website. There is no need for true dynamic content when they can come 99.9% as close with static content on a small farm of servers that's continually updated (say, on a 5 minute interval) by one or two dynamic "feeder" servers. Granted, they'll want one or two backup machines for every production machine, but that's far from a server farm warehouse. Sounds to me like a large scale "because we can" project moreso than a conservative project.
... because they wanted to control it all, including everything on the Olympics.com Web site.
http://www.forbes.com/2000/08/23/feat.html
Stupid job ads, weird spam, occasional insight at
Secure the equipment!!!!
If the guy from Atlanta was right, it does absolutely no good to put up firewalls, anti-virus, or intrusion detection. If any volunteer can take his limited badge and walk anywhere in the complex, then someone could volunteer, camp out around the IT room(s) and do their work from the inside.
And then there is the ever present wireless links. Walk into the games with a laptop loaded with packet sniffers and a wireless NIC and wallah!!...you have all the info you need, even if you don't hack from inside the games, you have still obtained the needed info to go sit at home and go to work.
I cannot believe that security was that bad at the '96 games, but I am not really all that surprised.
No, it isn't legal to have more than one wife in Utah, and hasn't been since before the territory of Utah achieved statehood in 1896 (which was one of the conditions of statehood).
Also, although scandalous, bribing IOC officials was found to be the standard fare for most host-site hopefuls. Utah wasn't the first to do so. Utah was just the first to be prosecuted. IOC officials from previous years admitted to such.
Check your facts before you troll.
__
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup...
Do not meddle in the affairs of dragons, for you are crunchy, and taste good with ketchup.
... and what is more spectacular than the Olympics?
The Utah-based company where my day-job is has had a hand in the ticket sales side of the Winter Olies and I've noticed that whenever something this big comes around, people come out of the woodwork to make it go wrong or atleast cause general mayhem.
A lot of people don't like the olympics, and a lot downright hate it to the point where they'll do anything they can to sabatage it including -- you guessed it -- hitting my company so that tickets cannot be sold online for the events.
Now that they're imminently upon us things have calmed down a bit, but a while ago not a day would go by that we didn't get DOS'ed, Skript Kiddie'd and even had a near hit/miss with a domain hijacking, and a lot of the action carried nice little messages saying things like "death to those who promote globalization" and soforth. I can feel for Matt in this, especially since in a little over 2 months it's going to be his systems on centre stage along with the atheletes. The Olympics are too high-profile of a target for anyone lacking in self-esteem to pass up becuase it'll so "so 31337" to say "I changed the name of a frech competitor to 'Le Shithead' on the statz page! W00h00!"
Maybe in 2004 Firewall configuration should be made an Olympic sport?
Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
Meanwhile, the Olympics are going to be held in the US in two months and as far as I can tell, no one besides me cares. I've seen a handful of commercials but there's absolutely no buzz. And judging from the tickets the organizers keep pleading for me to buy (men's hockey medal round games, women's skating long program, other really high-profile events) they're having a lot of trouble moving tickets.There was the bribery scandal a few years back (as if that wasn't how every previous Olympics was offered) and now the fuss about terrorism, but are people really bothered by that? I suppose the WTC attack, and the subsequent war and anthrax have driven everything else out of peoples' minds.
Come on, like terrorists are really coming to Utah to blow up a bobsled run? I've eaten plenty of meals in the McDonalds you see in the pictures of the Jerusalem bombing last Saturday -- I can't bring myself to get too worried about going to Snowbird.
What I'm listening to now on Pandora...
5000+, not 2000. But 50 is an interesting number. It's approaching the limit of systems that one guy can set up and physically keep track of.
Once you're over that number, you're delegating and trusting your minions and (heh heh) your users not to screw it up. The best initial setup in the world won't help if Vinny Volunteer decides to start screwing with it. If I was setting this up (god forbid), I'd be looking to install absolutely minimal systems with no floppy (or locked floppy), no CD-ROM and perhaps even (gasp) diskless workstations that boot from the network.
If I was really freaked about security, I might even take a leaf out of Microsoft's book and ponder security through obscurity. Windows - no thanks. Every Joe Backoffice thinks he knows how to fiddle with that. Linux would be better, but Linux users tend to be tinkerers, and they might have a stab at BSD as well. MacOS - god knows if you can lock that down. Strange thought, but how about OS/2? Or even something wierder like VMS? Runs on a toaster, solid as a rock, you'd need nuts the size of Nebraska to try fiddling with it.
If you were blocking sigs, you wouldn't have to read this.