Information Security On An Olympic Scale
jeffy124 writes: "Wired is running a story about the man in charge of securing the computer systems at the Salt Lake City Olympic Games next February. Matt McClung discusses how he's withstanding an 'overhype' in the media on the possibility of getting his systems cracked and what he's doing to prevent it in the first place. With 4500 PCs and 550 servers, that shall be a daunting task, especially given the reliability problems at the '96 Atlanta games."
Urmmm... I work in a small company (50 employees) so I've never seen really big networks. But somehow, 2000 computers doesn't seem like that compares in any way to various military and Fortune 500 networks. By an order or two of magnitude.
So, is somebody who has never seen (let alone worked with) this many machines the right guy for the job? Sounds like he is in over his head a bit.
(Now, if this IS an incredibly huge/large network, please bitchslap me)
Jesus was all right but his disciples were thick and ordinary. -John Lennon
just don't hook one single system up to the Internet. Establish a private network (not VPN - actually private) for the entire thing.
:)
Use dedicated hosting boxes, with ALL DYNAMIC FUNCTIONS OFF, that run NOTHING but the http server on the public interface. The secure FTP server runs on a dialup connection that only connects to the private network, with hardware authentication of the modems to each other.
Choose a bare-bones http server, with no bells and whistles. Both IIS and Apache are out. Maybe thttpd? Not familiar enough with it, to be honest.
Yes, you're going to have to work around not having dynamic portions or ubiquitous connectivity, but you're having to choose, flexibility or security.
Would this make for an enjoyable online olympics? Probably not, but that wasn't really what the story addressed.
I was a relatively low level volunteer, assigned to a specific area at a single venue. My badge said as much in codes that every security person was supposed to know.
I was able to access behind the scenes areas, chat with athletes and celebrities, watch events at other venues, all without a single question from a security person. (Most of them were volunteers too). Even when I was out of my uniform, all I had to do was flash my badge and I was never denied access to even the most sensitive areas. Part of it has to do with attitude of course. If you act like you belong, they assume you do, and I consider myself a Master of Social Engineering, but even then, I should have at least been questioned when I walked into the athletes change area. (There were none there).
I'm pretty sure that Salt Lake City will be more secure, if only because of all the money being poured into it now. But what they need to realize is no matter how many $B you spend on security, you still need people with the balls to say "I'm sorry sir, your badge doesn't allow you in this area" and to stick to it.
Reality has a liberal bias
I never really understood the need for hundreds of servers for a task like this, especially for the public website. There is no need for true dynamic content when they can come 99.9% as close with static content on a small farm of servers that's continually updated (say, on a 5 minute interval) by one or two dynamic "feeder" servers. Granted, they'll want one or two backup machines for every production machine, but that's far from a server farm warehouse. Sounds to me like a large scale "because we can" project more so than a conservative project.
... because they wanted to control it all, including everything on the Olympics.com Web site.
http://www.forbes.com/2000/08/23/feat.html
Stupid job ads, weird spam, occasional insight at
Hmm... with a little hacking, and I could be the first person in my family to win a gold medal for figure skating.
Swannie
:q!
...only that it was the most complex network he'd ever seen.
Personally, I can think of some rather complex topologies for even a twelve-computer network, even ignoring multi-homing possibilities. Depending on how the network structure is designed, as well as how many other networkable devices are involved and how they are connected (I'd assume a rather large contingent of wireless devices as well), this network might well be more complex than anything you or I have seen or even visualized.
Secure the equipment!!!!
If the guy from Atlanta was right, it does absolutely no good to put up firewalls, anti-virus, or intrusion detection. If any volunteer can take his limited badge and walk anywhere in the complex, then someone could volunteer, camp out around the IT room(s) and do their work from the inside.
And then there are the ever-present wireless links. Walk into the games with a laptop loaded with packet sniffers and a wireless NIC and wallah!!...you have all the info you need, even if you don't hack from inside the games, you have still obtained the needed info to go sit at home and go to work.
I cannot believe that security was that bad at the '96 games, but I am not really all that surprised.
No, it isn't legal to have more than one wife in Utah, and hasn't been since before the territory of Utah achieved statehood in 1896 (which was one of the conditions of statehood).
Also, although scandalous, bribing IOC officials was found to be the standard fare for most host-site hopefuls. Utah wasn't the first to do so. Utah was just the first to be prosecuted. IOC officials from previous years admitted to such.
Check your facts before you troll.
__
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup...
Do not meddle in the affairs of dragons, for you are crunchy, and taste good with ketchup.
We might already be too late to help them. :-/
The Ultimate Test
Fill the servers up with pr0n and serve it to the public, for free! If it withstands that, the Olympics will be a piece of cake. Hey, I'm serious ...
Did you know you can fertilize your lawn with used motor oil?
... and what is more spectacular than the Olympics?
The Utah-based company where my day-job is has had a hand in the ticket sales side of the Winter Olies and I've noticed that whenever something this big comes around, people come out of the woodwork to make it go wrong or at least cause general mayhem.
A lot of people don't like the olympics, and a lot downright hate it to the point where they'll do anything they can to sabotage it including -- you guessed it -- hitting my company so that tickets cannot be sold online for the events.
Now that they're imminently upon us things have calmed down a bit, but a while ago not a day would go by that we didn't get DOS'ed, Skript Kiddie'd and even had a near hit/miss with a domain hijacking, and a lot of the action carried nice little messages saying things like "death to those who promote globalization" and so forth. I can feel for Matt in this, especially since in a little over 2 months it's going to be his systems on centre stage along with the athletes. The Olympics are too high-profile of a target for anyone lacking in self-esteem to pass up because it'll be "so 31337" to say "I changed the name of a French competitor to 'Le Shithead' on the statz page! W00h00!"
Maybe in 2004 Firewall configuration should be made an Olympic sport?
Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
Meanwhile, the Olympics are going to be held in the US in two months and as far as I can tell, no one besides me cares. I've seen a handful of commercials but there's absolutely no buzz. And judging from the tickets the organizers keep pleading for me to buy (men's hockey medal round games, women's skating long program, other really high-profile events) they're having a lot of trouble moving tickets. There was the bribery scandal a few years back (as if that wasn't how every previous Olympics was offered) and now the fuss about terrorism, but are people really bothered by that? I suppose the WTC attack, and the subsequent war and anthrax have driven everything else out of people's minds.
Come on, like terrorists are really coming to Utah to blow up a bobsled run? I've eaten plenty of meals in the McDonalds you see in the pictures of the Jerusalem bombing last Saturday -- I can't bring myself to get too worried about going to Snowbird.
What I'm listening to now on Pandora...