Slashdot Mirror


Information Security On An Olympic Scale

jeffy124 writes: "Wired is running a story about the man in charge of securing the computer systems at the Salt Lake City Olympic Games next February. Matt McClung discusses how he's withstanding an 'overhype' in the media on the possibility of getting his systems cracked and what he's doing to prevent it in the first place. With 4500 PCs and 550 servers, that shall be a daunting task, especially given the reliability problems at the '96 Atlanta games."

47 of 160 comments

  1. Is this the right man for the job? by gmhowell · · Score: 4, Insightful
    McClung said the Salt Lake City Olympic computer system, comprised of 4,500 PCs and 550 servers, is the most complex network he's ever seen.


    Urmmm... I work in a small company (50 employees) so I've never seen really big networks. But somehow, 2000 computers doesn't seem like that compares in any way to various military and Fortune 500 networks. By an order or two of magnitude.

    So, is somebody who has never seen (let alone worked with) this many machines the right guy for the job? Sounds like he is in over his head a bit.

    (Now, if this IS an incredibly huge/large network, please bitchslap me)
    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
    1. Re:Is this the right man for the job? by Rogerborg · · Score: 3, Interesting
      • I work in a small company (50 employees) so I've never seen really big networks. But somehow, 2000 computers doesn't seem like [that many]

      5000+, not 2000. But 50 is an interesting number. It's approaching the limit of systems that one guy can set up and physically keep track of.

      Once you're over that number, you're delegating and trusting your minions and (heh heh) your users not to screw it up. The best initial setup in the world won't help if Vinny Volunteer decides to start screwing with it. If I was setting this up (god forbid), I'd be looking to install absolutely minimal systems with no floppy (or locked floppy), no CD-ROM and perhaps even (gasp) diskless workstations that boot from the network.

      If I was really freaked about security, I might even take a leaf out of Microsoft's book and ponder security through obscurity. Windows - no thanks. Every Joe Backoffice thinks he knows how to fiddle with that. Linux would be better, but Linux users tend to be tinkerers, and they might have a stab at BSD as well. MacOS - god knows if you can lock that down. Strange thought, but how about OS/2? Or even something weirder like VMS? Runs on a toaster, solid as a rock, you'd need nuts the size of Nebraska to try fiddling with it.

      --
      If you were blocking sigs, you wouldn't have to read this.
    2. Re:Is this the right man for the job? by gmhowell · · Score: 2

      We've actually got two people (myself and another) doing the computer stuff here. Both of us know not to touch stuff we are clueless about. It works fairly well, except that sometimes a user has a problem, and the first person to get the call has to get the other to fix it. But, with only 50, it's not too bad.

      Given that this is a fairly short term thing (the computer setup for the olympics) I must say that adding security through obscurity as another layer is probably a good idea. In no way should anyone count on it, but it can't hurt. What would really help would be to document everything for release later, so that it can be reviewed prior to 2004.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    3. Re:Is this the right man for the job? by uberdood · · Score: 2

      But somehow, 2000 computers doesn't seem like that compares in any way to various military and Fortune 500 networks.

      Or, for the more obvious - the college network. Just the dorms at a big school exceed 2000 computers, let alone labs, offices...

      I have a feeling that quote will haunt McClung forever, sort of like the 640k one for Billy Boy.

      --
      "Population 1,656"
  2. Not that hard... by RollingThunder · · Score: 5, Interesting

    just don't hook one single system up to the Internet. Establish a private network (not VPN - actually private) for the entire thing.

    Use dedicated hosting boxes, with ALL DYNAMIC FUNCTIONS OFF, that run NOTHING but the http server on the public interface. The secure FTP server runs on a dialup connection that only connects to the private network, with hardware authentication of the modems to each other.

    Choose a bare-bones http server, with no bells and whistles. Both IIS and Apache are out. Maybe thttpd? Not familiar enough with it, to be honest.

    Yes, you're going to have to work around not having dynamic portions or ubiquitous connectivity, but you're having to choose, flexibility or security.

    Would this make for an enjoyable online olympics? Probably not, but that wasn't really what the story addressed. :)

    1. Re:Not that hard... by gmhowell · · Score: 3, Insightful

      There is no reason not to serve basic layouts (menubars, graphics, etc.) from thttpd, khttpd, or some of that sort. Let the 'content' be in the form of single stories placed within the framework. Run/served from a different machine.

      I mean, this is hardly rocket science, and it certainly isn't groundbreaking. It's merely applying existing tech and solutions.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    2. Re:Not that hard... by RollingThunder · · Score: 2

      Very good point there, and I feel like a schmuck for forgetting that. :)

      I know that cisco switches can be configured in a very paranoid setup, so that if the mac address changes, it locks the port. That's one method to attack the problem, but ye gods, the manpower that'd take....

  3. Winning the gold for America... by Anonymous Coward · · Score: 2, Funny

    This can't be right...

    1337 h4x0r5 5cH001 r0x0r5

    (Must be an Eastern Europe immigrant...)

  4. Re:Server to Desktop ratio by homer_ca · · Score: 2, Informative

    Those servers aren't just for their internal network. They are hosting the Olympic website too.

  5. Olympic Security in Atlanta was a joke by CokeBear · · Score: 5, Insightful
    Olympic Security in Atlanta was a joke.
    I was a relatively low level volunteer, assigned to a specific area at a single venue. My badge said as much in codes that every security person was supposed to know.

    I was able to access behind the scenes areas, chat with athletes and celebrities, watch events at other venues, all without a single question from a security person. (Most of them were volunteers too). Even when I was out of my uniform, all I had to do was flash my badge and I was never denied access to even the most sensitive areas. Part of it has to do with attitude of course. If you act like you belong, they assume you do, and I consider myself a Master of Social Engineering, but even then, I should have at least been questioned when I walked into the athletes change area. (There were none there).

    I'm pretty sure that Salt Lake City will be more secure, if only because of all the money being poured into it now. But what they need to realize is no matter how many $B you spend on security, you still need people with the balls to say "I'm sorry sir, your badge doesn't allow you in this area" and to stick to it.

    --
    Reality has a liberal bias
    1. Re:Olympic Security in Atlanta was a joke by geekoid · · Score: 2

      more importantly, you need a supervisor who will back you when you make a decision based on policy.
      I worked as a security guard in college, and it sucks to be told that nobody is allowed in without a badge, and then get fired for not letting a VP in who doesn't have a badge.

      In Hollywood, shortly after 9/11, there was a studio security guy who wouldn't let Spielberg on the lot without his badge, even though he knew it was Spielberg. After much digging around, he found his badge, then later sent the guard a 100 bucks for a job well done!
      That's the attitude that creates good security.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Olympic Security in Atlanta was a joke by Syberghost · · Score: 2

      OTOH, a buddy of mine bought a pin from some guy on the street, and ended up face first in the concrete with half a dozen Secret Service agents standing on his extremities. Seems the pin was property of the SS, only to be worn by their agents.

      So that pin was really secure. Probably while the backpack bomb was being planted on the other end of the block...

    3. Re:Olympic Security in Atlanta was a joke by heliocentric · · Score: 2

      Do you have linkage to info about that tale? If I were to reference it in conversation, saying a CNN article told me so sounds way better than a /. poster told me so. However, I think tabloid TV (read: eXtrak, ET, etc...) probably ranks somewhere below /.

      --
      Wheeeee
    4. Re:Olympic Security in Atlanta was a joke by heliocentric · · Score: 2

      Only on slashdot can one call social interaction social engineering :)

      You should read the 2600 magazine a little more often - it's not just a term used on /. - it came from someplace else.

      --
      Wheeeee
    5. Re:Olympic Security in Atlanta was a joke by Foogle · · Score: 2

      Uh, der. He was making fun of the fact that most posters here are total losers, and can barely interact socially, let alone 'engineer'.

    6. Re:Olympic Security in Atlanta was a joke by Amazing+Quantum+Man · · Score: 2

      The Spielberg story may be an urban legend... I seem to recall having heard it too...

      I used to work for a defense contractor, in a classified area. Access list was need-to-know, and visitors were to be escorted at all times. Policy was to challenge all unknown people. Someone once challenged the division president (no, he wasn't on the list ... no need-to-know), and got an attaboy for it.

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
    7. Re:Olympic Security in Atlanta was a joke by geekoid · · Score: 2

      Actually, I know someone in his office and got the story that way. I believe them, but I don't blame you for not believing me! ;)

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  6. hmm by Quasar1999 · · Score: 2

    The man in charge of the security? Is it just me or does this seem like they are setting up a fall guy for the inevitable failure of their network security... Give the guys name out well in advance so we have someone to blame when everything gets hacked...

    Pretty smart...

    --
    Programming is like sex... Make one mistake and support it the rest of your life.
  7. Gobs of servers? by Anonymous Coward · · Score: 3, Interesting

    I never really understood the need for hundreds of servers for a task like this, especially for the public website. There is no need for true dynamic content when they can come 99.9% as close with static content on a small farm of servers that's continually updated (say, on a 5 minute interval) by one or two dynamic "feeder" servers. Granted, they'll want one or two backup machines for every production machine, but that's far from a server farm warehouse. Sounds to me like a large scale "because we can" project moreso than a conservative project.

    1. Re:Gobs of servers? by geekoid · · Score: 2

      this is because almost all 'webmasters' are clueless sots.
      there's nothing like throwing 10 dollars at a 1 dollar solution, sheesh.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
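The setup RollingThunder (comment 2) and the "Gobs of servers?" post above both describe, public boxes that serve nothing but static files and one or two "feeder" machines that regenerate those files every few minutes, written out as an added example. This is not code from the thread, from Wired or from the Salt Lake organisers; the feed format, event names, hostnames and paths are all made up for illustration. The feeder renders result pages from a constructed sample feed, HTML-escapes every field so a hostile scoring record cannot plant script in the static tree, writes the pages into a fresh snapshot directory, fsyncs them, and then flips a single symlink, so a bare-bones httpd (thttpd, khttpd, whatever) never serves a half-written tree and the previous snapshot stays on disk for rollback. The last function is the check the static server itself must enforce: the requested path resolves inside the current snapshot and is a plain, non-executable file.

```python
"""Feeder-to-static-farm publishing (added example; hypothetical code).

The public web servers serve nothing but files; this 'feeder' side renders
result pages from the scoring feed into a new snapshot directory and then
repoints one symlink, so the served tree is always complete and consistent.
"""
import html
import os
import tempfile
from pathlib import Path

# Constructed sample feed; the real scoring format is not known to this example.
# One athlete name deliberately carries markup to show why escaping matters.
SAMPLE_FEED = {
    "generated": "2002-02-12T14:05:00Z",
    "events": [
        {"id": "mens-moguls", "name": "Men's Moguls", "results": [
            {"rank": 1, "athlete": "A. Example", "score": "27.97"},
            {"rank": 2, "athlete": "B. <script>alert(1)</script>", "score": "27.66"},
        ]},
        {"id": "luge-singles", "name": "Luge Singles", "results": [
            {"rank": 1, "athlete": "C. Sample", "score": "2:57.941"},
        ]},
    ],
}


def render_pages(feed):
    """Map relative path -> HTML for every event plus an index.
    Every feed value is escaped: a hostile scoring record cannot put script
    into the static tree."""
    pages, index_items = {}, []
    for ev in feed["events"]:
        rows = "".join(
            "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
                html.escape(str(r["rank"])), html.escape(r["athlete"]),
                html.escape(r["score"]))
            for r in ev["results"])
        path = "events/{}.html".format(ev["id"])
        pages[path] = (
            "<html><body><h1>{}</h1><table>{}</table><p>Generated {}</p>"
            "</body></html>".format(html.escape(ev["name"]), rows,
                                    html.escape(feed["generated"])))
        index_items.append('<li><a href="{}">{}</a></li>'.format(
            html.escape(path), html.escape(ev["name"])))
    pages["index.html"] = "<html><body><ul>{}</ul></body></html>".format(
        "".join(index_items))
    return pages


def publish_snapshot(webroot, pages):
    """Write pages into a fresh snapshot, fsync them, then atomically repoint
    webroot/current.  The previous snapshot is left in place for rollback."""
    webroot = Path(webroot)
    snapshots = webroot / "snapshots"
    snapshots.mkdir(parents=True, exist_ok=True)
    snap = Path(tempfile.mkdtemp(prefix="snap-", dir=snapshots))
    os.chmod(snap, 0o755)  # mkdtemp gives 0700; the httpd user must be able to read it
    for rel, body in pages.items():
        target = snap / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(body)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(target, 0o444)  # static content: readable, never executable
    # Create the new link under a temp name, then rename over 'current'
    # (a single atomic step on POSIX filesystems).
    tmp_link = webroot / ".current.tmp"
    if tmp_link.is_symlink() or tmp_link.exists():
        tmp_link.unlink()
    os.symlink(os.path.relpath(snap, webroot), tmp_link)
    os.replace(tmp_link, webroot / "current")
    return snap


def current_snapshot(webroot):
    """The snapshot directory webroot/current points at right now."""
    return (Path(webroot) / "current").resolve()


def serve_path_is_safe(webroot, rel):
    """What the static httpd must enforce: the request resolves to a regular,
    non-executable file inside the current snapshot (no .. escapes)."""
    base = current_snapshot(webroot)
    target = (base / rel).resolve()
    if base not in target.parents:
        return False
    return target.is_file() and not os.access(target, os.X_OK)


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="webroot-")
    snap = publish_snapshot(root, render_pages(SAMPLE_FEED))
    print("serving", current_snapshot(root), "from", snap)
```

Running the feeder on a timer (the 5-minute interval the post suggests) just means calling publish_snapshot again; old snapshots can be pruned once a newer one has been live for a while, which is also the rollback path if a bad feed gets rendered.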
  8. IBM passed on the job by Lumpish+Scholar · · Score: 5, Interesting

    ... because they wanted to control it all, including everything on the Olympics.com Web site.

    http://www.forbes.com/2000/08/23/feat.html

    --
    Stupid job ads, weird spam, occasional insight at
    1. Re:IBM passed on the job by Kanasta · · Score: 2

      I worked at the 2000 olympics. From what I understand, all the sponsors give their services and all they get in return are signage rights and hopefully enough publicity to generate enough increase in sales to make up the money.

      It's amazing that so many companies compete to give their time and money away for coverage like this.

    2. Re:IBM passed on the job by swb · · Score: 2

      It's not amazing when you figure in all the free, hard-to-get-into event tickets, lodging and other on-site goodies the senior execs that donate stuff get in return, in addition to signage.

      Remember that whenever there's a corporate giveaway there's somebody getting a blowjob for it. It doesn't happen on hopes of increased sales.

  9. A chance to win... by Swannie · · Score: 5, Funny

    Hmm... with a little hacking, I could be the first person in my family to win a gold medal for figure skating.

    Swannie

    --
    :q!
    1. Re:A chance to win... by sharkey · · Score: 2

      Make sure to protect your virtual kneecap! Those texture-mapped crow-bars can really put a stop to your dream.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  10. He didn't say it was the LARGEST... by Tsar · · Score: 3, Insightful

    ...only that it was the most complex network he'd ever seen.

    Personally, I can think of some rather complex topologies for even a twelve-computer network, even ignoring multi-homing possibilities. Depending on how the network structure is designed, as well as how many other networkable devices are involved and how they are connected (I'd assume a rather large contingent of wireless devices as well), this network might well be more complex than anything you or I have seen or even visualized.

  11. Remember Atlanta? by Grelli · · Score: 2, Insightful
    My memory may be fuzzy, but I seem to remember there being a small explosion at the Atlanta games.

    The reason I bring this up is that the article mentions the "great hack of 2000" where it was thought that the Sydney Olympics network would be compromised.

    Given the current state of affairs, current legislation, and this soon to be widely publicised network, are we going to be seeing any "Terrorist Attacks" against these games? Seems that it would be a very convenient situation for the US gov to prove the necessity of the U.S.A. legislation just recently passed.

    1. Re:Remember Atlanta? by Amazing+Quantum+Man · · Score: 2

      That's because the Olympics were religious in nature, and the gods would nail their asses to the wall if they messed with them.

      Today, you've got people who want to kill in the name of G-d, so of course they'll try to mess with the Olympics.

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  12. Rule Number 1 by darrad · · Score: 4, Interesting

    Secure the equipment!!!!

    If the guy from Atlanta was right, it does absolutely no good to put up firewalls, anti-virus, or intrusion detection. If any volunteer can take his limited badge and walk anywhere in the complex, then someone could volunteer, camp out around the IT room(s) and do their work from the inside.

    And then there is the ever present wireless links. Walk into the games with a laptop loaded with packet sniffers and a wireless NIC and voilà!!...you have all the info you need, even if you don't hack from inside the games, you have still obtained the needed info to go sit at home and go to work.

    I cannot believe that security was that bad at the '96 games, but I am not really all that surprised.

  13. Re:ah, yes, salt lake city... by greebly · · Score: 3, Interesting
    In case you have been asleep for the last year, a certain Mr. Green just got busted for that very thing, and was sentenced in June.

    No, it isn't legal to have more than one wife in Utah, and hasn't been since before the territory of Utah achieved statehood in 1896 (which was one of the conditions of statehood).

    Also, although scandalous, bribing IOC officials was found to be the standard fare for most host-site hopefuls. Utah wasn't the first to do so. Utah was just the first to be prosecuted. IOC officials from previous years admitted to such.

    Check your facts before you troll.

    --
    Do not meddle in the affairs of dragons, for you are crunchy, and taste good with ketchup.
  14. Security already not so great by imrdkl · · Score: 4, Informative
    Just looking at the Saltlake official webpage, I see only one link which uses encryption, and that's the signup link so that you can download a screensaver and get some kind of updates. There's a tremendous amount of javascript there, and it's clearly being served already from M$.

    We might already be too late to help them. :-/

  15. The Test by Rolo+Tomasi · · Score: 5, Funny
    OK, after they've got all rigged up and ready to go, they're ready for

    The Ultimate Test

    Fill the servers up with pr0n and serve it to the public, for free! If it withstands that, the Olympics will be a piece of cake.

    Hey, I'm serious ...

    --
    Did you know you can fertilize your lawn with used motor oil?
    1. Re:The Test by jandrese · · Score: 2

      Screw porn. Fill the servers up with DivX movies/anime and MP3 files. Then announce it on Slashdot. That is the ultimate test of bandwidth.

      --
      I read the internet for the articles.
  16. And the winners are... by Spackler · · Score: 2

    And now for our ceremony:

    Gold medal - France - l'intrus d'élite vous possède

    Silver medal - Spain - el hacker de la élite le posee

    Bronze medal - USA - 133t h4x0r 0wnz joo!!!!

  17. Re:Tip for McClung... by ocelotbob · · Score: 2, Informative
    Don't use Winblows, use OpenBSD. All your security worries will just vanish into the night. :D

    Not true. While OpenBSD is infinitely more secure than windows, that's only a small portion of the problem. You've got to train people to use decent passwords, audit the data so that you can tell exactly where the info is coming from, and design a contingency plan so that if someone does get through, the damage done is minimal. OBSD may be a better foundation, but it's far from being a magic bullet. Much of OpenBSD's security comes from the fact that the admins start with a sense of paranoia; it's very possible to have the same security level with other OSes, it's just you've got to know what you're doing.

    --
    Marxism is the opiate of dumbasses

  18. Re:Server to Desktop ratio by Anonymous+DWord · · Score: 2

    Funny how the downward slope just happens to coincide with when they switched from Linux and Solaris to W2K. Well, maybe they're getting the bugs out. Or something.

    --
    "If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
  19. A Spectacle will always bring Spectators by Xunker · · Score: 3, Interesting

    ... and what is more spectacular than the Olympics?

    The Utah-based company where my day-job is has had a hand in the ticket sales side of the Winter Olies and I've noticed that whenever something this big comes around, people come out of the woodwork to make it go wrong or at least cause general mayhem.

    A lot of people don't like the olympics, and a lot downright hate it to the point where they'll do anything they can to sabotage it including -- you guessed it -- hitting my company so that tickets cannot be sold online for the events.

    Now that they're imminently upon us things have calmed down a bit, but a while ago not a day would go by that we didn't get DOS'ed, Skript Kiddie'd and even had a near hit/miss with a domain hijacking, and a lot of the action carried nice little messages saying things like "death to those who promote globalization" and so forth. I can feel for Matt in this, especially since in a little over 2 months it's going to be his systems on centre stage along with the athletes. The Olympics are too high-profile of a target for anyone lacking in self-esteem to pass up because it'll be "so 31337" to say "I changed the name of a French competitor to 'Le Shithead' on the statz page! W00h00!"

    Maybe in 2004 Firewall configuration should be made an Olympic sport?

    --
    Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
  20. Anyone else going? Anyone else care? by Otter · · Score: 3, Interesting
    Since the moment they announced Salt Lake would be getting the Olympics, I've been planning to be at the men's moguls contest. I had bad luck in the lottery but was able to pick up a ticket in the regular sale to go with the ones I'd already gotten for women's downhill (Picabo's back!), women's halfpipe, luge, XC, hockey and pairs skating. I've got a plane ticket, a couch on which to crash and am getting more stoked by the day. The only letdown is that Jonny Moseley seems to have given up his FIS career to devote more time to groupies and big air contests.

    Meanwhile, the Olympics are going to be held in the US in two months and as far as I can tell, no one besides me cares. I've seen a handful of commercials but there's absolutely no buzz. And judging from the tickets the organizers keep pleading for me to buy (men's hockey medal round games, women's skating long program, other really high-profile events) they're having a lot of trouble moving tickets. There was the bribery scandal a few years back (as if that wasn't how every previous Olympics was offered) and now the fuss about terrorism, but are people really bothered by that? I suppose the WTC attack, and the subsequent war and anthrax have driven everything else out of peoples' minds.

    Come on, like terrorists are really coming to Utah to blow up a bobsled run? I've eaten plenty of meals in the McDonalds you see in the pictures of the Jerusalem bombing last Saturday -- I can't bring myself to get too worried about going to Snowbird.

    1. Re:Anyone else going? Anyone else care? by geekoid · · Score: 2

      Maybe they should charge less?
      I would also like to point out that the Olympics are not supposed to be about the money.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Anyone else going? Anyone else care? by ellem · · Score: 2

      they have the Olympics every 40 days or something now. Used to only be on Leap Year, no wonder it isn't special. They have pro athletes competing, no wonder no one cares. The whole thing is like a Visa commercial, it's interesting for 30 seconds and then you forget all about it.

      --
      This .sig is fake but accurate.
  21. Re:This is *not* the place! (rant!) ;-) by gmhowell · · Score: 2

    I live near Baltimore/Washington, and say a prayer of thanks every time we don't get the Olympics. I mean, we just built about $1billion in stadiums (two in Baltimore, one near DC) and, uhh... We haven't gotten quite that much benefit out of them. I can only imagine the insanity of the Olympic games.

    My cousin lived near Atlanta. Had a bunch of leave saved up (gov't job). Took it all during the games. She wasn't alone.

    (BTW, nice flag)

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  22. Re:The Cracker Olympics? by heliocentric · · Score: 2

    Saltine or Ritz?

    What kinds of toppings did you have in mind? The cheese variety or maybe something along the lines of Seafood Salad?

    Oh wait, maybe I need to ask in h4x0r speek:

    541+in3 0r R1+2?

    --
    Wheeeee
  23. amero-centric by child_of_mercy · · Score: 2

    ahem

    between the '96 games (in America) and the upcoming games (in America) there have been two other Olympiads that may have gone unnoticed (perhaps due to not being held in America?).

    And while I'm sure they had their hairy moments in the back-room the tech side seemed to run OK...

    America is not the ENTIRE world you know.

    --
    'There is a Light that never goes out.'
    1. Re:amero-centric by child_of_mercy · · Score: 2

      you'd think in that case that you'd want to be paying more attention to what goes on in it?

      --
      'There is a Light that never goes out.'
  24. Re:Server to Desktop ratio by instinctdesign · · Score: 2, Informative
    Yup, it's at least partially MS. Check out this article about the software from InternetWorld for details. A quote:
    The sites will run on Microsoft's Windows 2000 Datacenter Edition, the company's high availability, highly scalable server OS. The software will run on hundreds of Compaq ProLiant 8500 servers, each with eight 700-MHz Xeon processors and 4 GB of RAM.
    --
    forma3
  25. Re:This is *not* the place! (rant!) ;-) by Amazing+Quantum+Man · · Score: 2

    We'll take 'em! The last time we had them here in L.A., the traffic got BETTER, not worse!!!!!

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  26. Re:This might be all useless. by Amazing+Quantum+Man · · Score: 2

    Dude, perhaps you have heard of the website that generally runs during the Olympics? You know, the one that gives (semi-)realtime results, so you don't have to wait five days for NBC to get its act together?

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.