Information Security On An Olympic Scale
jeffy124 writes: "Wired is running a story about the man in charge of securing the computer systems at the Salt Lake City Olympic Games next February. Matt McClung discusses how he's withstanding an 'overhype' in the media on the possibility of getting his systems cracked and what he's doing to prevent it in the first place. With 4500 PCs and 550 servers, that shall be a daunting task, especially given the reliability problems at the '96 Atlanta games."
Seems rather high. Is this Microsoft at work?
Urmmm... I work in a small company (50 employees) so I've never seen really big networks. But somehow, 2000 computers doesn't seem like that compares in any way to various military and Fortune 500 networks. By an order or two of magnitude.
So, is somebody who has never seen (let alone worked with) this many machines the right guy for the job? Sounds like he is in over his head a bit.
(Now, if this IS an incredibly huge/large network, please bitchslap me)
Jesus was all right but his disciples were thick and ordinary. -John Lennon
just don't hook one single system up to the Internet. Establish a private network (not VPN - actually private) for the entire thing.
:)
Use dedicated hosting boxes, with ALL DYNAMIC FUNCTIONS OFF, that run NOTHING but the http server on the public interface. The secure FTP server runs on a dialup connection that only connects to the private network, with hardware authentication of the modems to each other.
Choose a bare-bones http server, with no bells and whistles. Both IIS and Apache are out. Maybe thttpd? Not familiar enough with it, to be honest.
Yes, you're going to have to work around not having dynamic portions or ubiquitous connectivity, but you're having to choose, flexibility or security.
Would this make for an enjoyable online olympics? Probably not, but that wasn't really what the story addressed.
This can't be right...
1337 h4x0r5 5cH001 r0x0r5
(Must be an Eastern Europe immigrant...)
I was a relatively low level volunteer, assigned to a specific area at a single venue. My badge said as much in codes that every security person was supposed to know.
I was able to access behind the scenes areas, chat with athletes and celebrities, watch events at other venues, all without a single question from a security person. (Most of them were volunteers too). Even when I was out of my uniform, all I had to do was flash my badge and I was never denied access to even the most sensitive areas. Part of it has to do with attitude of course. If you act like you belong, they assume you do, and I consider myself a Master of Social Engineering, but even then, I should have at least been questioned when I walked into the athletes change area. (There were none there).
I'm pretty sure that Salt Lake City will be more secure, if only because of all the money being poured into it now. But what they need to realize is no matter how many $B you spend on security, you still need people with the balls to say "I'm sorry sir, your badge doesn't allow you in this area" and to stick to it.
Reality has a liberal bias
The man in charge of the security? Is it just me or does this seem like they are setting up a fall guy for the inevitable failure of their network security... Give the guy's name out well in advance so we have someone to blame when everything gets hacked...
Pretty smart...
---
Programming is like sex... Make one mistake and support it the rest of your life.
...Don't use Winblows, use OpenBSD. All your security worries will just vanish into the night. :D
Pain(n): when you're telnetting into a box doing somethin cool, and some luser calls for help with a 'critical error' ad
Sounds like they have a good site set-up for the Cracker Olympics. If they don't secure those well, they might have the Cracker Olympics held there as well. :)
No replies made to AC posts. Please log in.
I never really understood the need for hundreds of servers for a task like this, especially for the public website. There is no need for true dynamic content when they can come 99.9% as close with static content on a small farm of servers that's continually updated (say, on a 5 minute interval) by one or two dynamic "feeder" servers. Granted, they'll want one or two backup machines for every production machine, but that's far from a server farm warehouse. Sounds to me like a large scale "because we can" project moreso than a conservative project.
IT security is all fine and dandy for scoring and such, but what about real-world things? I can recall that in Atlanta, the very few busses actually ran at the end of the games (the rest broke down from overuse). Also, things like logistics, feeding people, etc, that were poorly organized and often failed. Imagine all the problems they'll be having with things other than IT!
-Michael Roy Some people are like Slinkies. Not really useful, but you can't help smiling when you see one tumble down
... because they wanted to control it all, including everything on the Olympics.com Web site.
http://www.forbes.com/2000/08/23/feat.html
Stupid job ads, weird spam, occasional insight at
Hmm... with a little hacking, and I could be the first person in my family to win a gold medal for figure skating.
Swannie
:q!
Come on man, these sound like entertaining hacks:
Olympic "insiders" were said to be worried that hackers would disrupt the Games by placing false press releases on the official website, change scores by accessing the computerized scoreboard system and disrupt the Games by tinkering with the system that handled the transport and traffic systems.
Tiny network, maybe, but the world's eyes will be upon it. If anything, this story makes the Olympics more of a point of interest for those that would ordinarily ignore it.
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
and what the hell do you do with 60 kids, anyway?
With enough pelts, you can make a stunning fur coat.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Atlanta has issues all over the place due to the city government. Anything they touch is just f*cked up all over the place! Well, they touched the olympics and the olympic computer systems back in '96, and well you saw the results. Just be glad you don't have to live with said government. :-)
Derek Greene
...only that it was the most complex network he'd ever seen.
Personally, I can think of some rather complex topologies for even a twelve-computer network, even ignoring multi-homing possibilities. Depending on how the network structure is designed, as well as how many other networkable devices are involved and how they are connected (I'd assume a rather large contingent of wireless devices as well), this network might well be more complex than anything you or I have seen or even visualized.
The reason I bring this up is that the article mentions the "great hack of 2000" where it was thought that the Sydney Olympics network would be compromised.
Given the current state of affairs, current legislation, and this soon to be widely publicised network, are we going to be seeing any "Terrorist Attacks" against these games? Seems that it would be a very convenient situation for the US gov to prove the necessity of the U.S.A. legislation just recently passed.
Secure the equipment!!!!
If the guy from Atlanta was right, it does absolutely no good to put up firewalls, anti-virus, or intrusion detection. If any volunteer can take his limited badge and walk anywhere in the complex, then someone could volunteer, camp out around the IT room(s) and do their work from the inside.
And then there are the ever-present wireless links. Walk into the games with a laptop loaded with packet sniffers and a wireless NIC and voilà!!...you have all the info you need, even if you don't hack from inside the games, you have still obtained the needed info to go sit at home and go to work.
I cannot believe that security was that bad at the '96 games, but I am not really all that surprised.
testify. the olympic games is a joke. the performance enhancing drugs that don't even have a name yet, the bribes, the dictatorship control of the board. the olympic games is the perfect example of everything that is wrong with the world. it hasn't been about national pride in years. it's about packing advertisements everywhere, bending rules, etc.
No, it isn't legal to have more than one wife in Utah, and hasn't been since before the territory of Utah achieved statehood in 1896 (which was one of the conditions of statehood).
Also, although scandalous, bribing IOC officials was found to be the standard fare for most host-site hopefuls. Utah wasn't the first to do so. Utah was just the first to be prosecuted. IOC officials from previous years admitted to such.
Check your facts before you troll.
__
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup...
Do not meddle in the affairs of dragons, for you are crunchy, and taste good with ketchup.
We might already be too late to help them. :-/
The Ultimate Test
Fill the servers up with pr0n and serve it to the public, for free! If it withstands that, the Olympics will be a piece of cake. Hey, I'm serious ...
Did you know you can fertilize your lawn with used motor oil?
We, the taxpayers, have had to fund more shit -- all in the name of the Olympics and World Peace -- only to get little in return. Yeah, we have wider highways, but they're already as congested as they were before I-15 construction began. We have a light rail in town, but they had to up sales tax for that (and I'm sure it won't go back down when it's done). The U. just lost a few thousand parking lots to accommodate the games -- and I'm sure all of you University admins know how parking on a large campus already sucks.
I'm so sick of these fucking Olympic organizations. The IOC and the SLOC (with phony Mr Romney at the helm), are a bunch of corporate whores who rape the local communities for getting a few bucks in return.
This whole thing really pisses me off, if you haven't figured that out by now. If the network is hacked, I'll be laughing my ass off. I'm gonna fly my Corporate Flag on my car when I crawl through downtown traffic when I'm on my way to/from work during the "games". Not that it'll change anything, but at least I'll feel better.
Method of processing duck feet
these are the Olympic websites, which implies that there will be many live video feeds and even more saved clips. your "proposed solution" is very simplistic, failing to take into account the enormous bandwidth requirements (the condition which separates this network from any other generic Big Net).
for something like this, you need to think about multihoming (Akamai-style), server location, special hosting... sorry, can't just set up a few Linux servers in the phone room and call it quits.
However, I will not tolerate the State supporting the children via welfare with my taxes.
Method of processing duck feet
And now for our ceremony:
Gold medal - France - l'intrus d'élite vous possède
Silver medal - Spain - el hacker de la élite le posee
Bronze medal - USA - 133t h4x0r 0wnz joo!!!!
From the article:
McClung declined to give specifics about the system, but said the network is protected by standard security methods such as firewalls and a virus detection application.
See? Security thru obscurity!! It's working already!
Whadda ya mean we "have to wait until after the Olympics are over?"
Aw, man!
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
I apologize in advance for my trolling, but anytime we have a server farm article, you can pretty much sum up all the posts as:
... just like this post :-)
40% M$ sucks. Use Linux,BSD for all the servers.
30% Matt McClung [insert name here] is not me and, as such, a moron.
15% First post, Stephen King is dead, grammer cop, and goatsex.
10% Trolls
5% Informative posts.
... and what is more spectacular than the Olympics?
The Utah-based company where my day-job is has had a hand in the ticket sales side of the Winter Olies and I've noticed that whenever something this big comes around, people come out of the woodwork to make it go wrong or at least cause general mayhem.
A lot of people don't like the olympics, and a lot downright hate it to the point where they'll do anything they can to sabotage it including -- you guessed it -- hitting my company so that tickets cannot be sold online for the events.
Now that they're imminently upon us things have calmed down a bit, but a while ago not a day would go by that we didn't get DOS'ed, Skript Kiddie'd and even had a near hit/miss with a domain hijacking, and a lot of the action carried nice little messages saying things like "death to those who promote globalization" and so forth. I can feel for Matt in this, especially since in a little over 2 months it's going to be his systems on centre stage along with the athletes. The Olympics are too high-profile of a target for anyone lacking in self-esteem to pass up because it'll be "so 31337" to say "I changed the name of a frech competitor to 'Le Shithead' on the statz page! W00h00!"
Maybe in 2004 Firewall configuration should be made an Olympic sport?
Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
Meanwhile, the Olympics are going to be held in the US in two months and as far as I can tell, no one besides me cares. I've seen a handful of commercials but there's absolutely no buzz. And judging from the tickets the organizers keep pleading for me to buy (men's hockey medal round games, women's skating long program, other really high-profile events) they're having a lot of trouble moving tickets. There was the bribery scandal a few years back (as if that wasn't how every previous Olympics was offered) and now the fuss about terrorism, but are people really bothered by that? I suppose the WTC attack, and the subsequent war and anthrax have driven everything else out of people's minds.
Come on, like terrorists are really coming to Utah to blow up a bobsled run? I've eaten plenty of meals in the McDonalds you see in the pictures of the Jerusalem bombing last Saturday -- I can't bring myself to get too worried about going to Snowbird.
What I'm listening to now on Pandora...
4500 pcs, 550 serverS?
how many computers were used in the 70's and 80's, why is it just getting more complex?
in 2020 they will need, 50,000 computers despite the fact that computer of those areas will be 100x faster and with more storage device.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
http://uptime.netcraft.com/up/graph?&site=www.saltlake2002.com
Bronze == Solaris with 144.81 days of up time
Silver == Linux with 130.78 days of uptime
and the winner and still champion of the world in the Network Server Crash
Gold == Win2k with an astounding 28.8 days of uptime!
Way to go Microsoft you've proven again that innovation and crashes go hand in hand.
This
I live near Baltimore/Washington, and say a prayer of thanks every time we don't get the Olympics. I mean, we just built about $1billion in stadiums (two in Baltimore, one near DC) and, uhh... We haven't gotten quite that much benefit out of them. I can only imagine the insanity of the Olympic games.
My cousin lived near Atlanta. Had a bunch of leave saved up (gov't job). Took it all during the games. She wasn't alone.
(BTW, nice flag)
Jesus was all right but his disciples were thick and ordinary. -John Lennon
All the reporters, thousands of them, will be filing hourly reports from the games back to their editors. I'm not sure how they plan to do it, but I suspect they'll use the provided "public" terminals so they can fire off results and other tidbits to those waiting at home. I don't suppose they'd let reporters jack in with their own laptops, too much security risk there.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
ahem
since the 96 games (in america), and the upcoming games, in America there have been two other olympiads that may have gone unnoticed (perhaps due to not being held in America?).
And while I'm sure they had their hairy moments in the back-room the tech side seemed to run OK...
America is not the ENTIRE world you know.
'There is a Light that never goes out.'
I'm sorry but this is only a sporting event. It's not as though the security of it is that important. And besides, why would crackers want to attack such an event - what information would there be to steal/alter?
In addition to what has been said about size of the network vs. complexity here;
Would the fact that English may not be the only language used by the users add to the complexity?
forma3
I don't get it.
What has javascripts to do with anything?
What has not using https on a *public* site to do with security on the network that is being set up?
And I don't even see the point with pointing out the asp pages. Granted, that is a poor choice for security *if* the admins aren't very thorough and alert, but that has still nothing to do with what will come, has it?
Put the p0rn and stuff up for half a day, then turn on the security measures... now *that* will be the real test.
My bet is that a regular stopwatch at a few bucks will be well enough to measure the time it will stand. Hehe.
... and what is more spectacular than the Olympics?
Erm, the World Cup? The European Championships? The FA Cup final? Face it, the Olympics is shit. People only watch it because of the hype. Who wants to sit there for hours on end watching countless rounds of long jump and 400m? Why does the Olympics revolve round such dull sports?
No-one ever rushes out to buy a paper, and flicks to the back page to find out who won the latest game of javelin or 100m hurdles. How can people get so excited about something they'd rank lower than paint drying the rest of the year?
It's completely absurd.
We'll take 'em! The last time we had them here in L.A., the traffic got BETTER, not worse!!!!!
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Dude, perhaps you have heard of the website that generally runs during the Olympics? You know, the one that gives (semi-)realtime results, so you don't have to wait five days for NBC to get its act together?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Yeah, feel better as you're one of the people clogging traffic instead of using the new light rail line going from downtown to the university. The university contributed a large chunk of money to that project. Try using it in eleven days when it goes into service.
I think that most people reading this thread have a common misunderstanding about what all of those systems will be used for. None of the 500 servers that were mentioned are used for serving web pages. All of them, however, are used for accreditation, information diffusion, Xerox printing, commentator information systems, and other necessary mission-critical servers.
MSNBC (read NBC) is an official sponsor of the Games, and as such are maintaining the Olympic website as part of their sponsorship agreement, hence the use of W2K and IIS/5.0.
I can assure you that there are many different types of technologies doing the REAL work behind the scenes.
---- nohup: appending output to `/nev/dull'