Slashdot Mirror


U.S. Department of Interior Ordered Offline

The whole of the U.S. Department of Interior has been forced off of the internet as a result of a court case, Cobell v. Babbitt. This was the result of compromises with the Microsoft Windows servers. A judge decided to take the whole of the organization down. Should this judge have this much power? Info here on the Indian Trust web site. This includes the BLM, USGS and the Park Service. Staggering, really. CD: Hold off on the blaming of MS, it's still not clear.

34 of 434 comments

  1. Makes sense to me by Skyshadow · · Score: 5, Funny
    It seems to me that the Government wasn't taking proper steps to keep that which was entrusted to them safe.

    This would be like the Government sending my tax return in cash -- it's irresponsible because anyone could easily open my mailbox and find almost $3 of totally spendable money ready and waiting.

    It seems to me that forcing the whole system offline until it's ready for the modern internet was the only responsible course of action here.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Makes sense to me by bourne · · Score: 5, Insightful

      I agree. Think of it like a bank.

      If a bank was FDIC insured, and their physical security was absolutely horrible, then the government would yank the insurance and effectively shut the bank down. Fortunately for the banks, the government isn't competent enough to rate their Internet security as they are the physical and fiscal security.

      If no one ever lays the hammer down on something like this, people will never start to equate online security with the physical security they take for granted. And much better for the government to start policing itself before it makes more noises about policing the rest of us.

  2. I have to agree... by powerlinekid · · Score: 5, Insightful

    Well at least there is one competent judge in the US. Personally this decision makes a lot of sense, as in previously posted... if you can't keep confidential information confidential then you shouldn't have the information. All in all a good decision. I wonder how this affects Microsoft? Maybe now they'll get their collectively large asses moving and fix those damn security issues before each major release so we don't have to go updating to Microsoft Windows Service Pack 143.

    --

    can't sleep slashdot will eat me
  3. of course. by dangermouse · · Score: 5, Insightful

    Of course the judge should have this much power.. it's what we called a "check" in civics class. The executive branch is sucking, and nobody could make it stop sucking if the judicial branch had no power.

    1. Re:of course. by fleener · · Score: 4, Interesting

      Exactly. Anyone who's heard anything about the case knows the government has been screwing the Indians out of billions of dollars (er, actually we don't know how much $$$ because of the ultra super crappy record keeping). The white man is still sticking it to 'em. It is an extreme disgrace.

  4. wow. by shade. · · Score: 5, Interesting

    so a judge cut off a computer network because it housed sensitive data important to particular individuals which was not secure.

    what's the problem here? i wish this would happen more often.

  5. ah by nomadic · · Score: 5, Informative

    I know I ruined my slashdot credibility by actually READING THE ARTICLE, but this applies only to systems that provide access to the Indian Trust data, and it's an emergency order designed to protect the people whose data is stored there. This was a "computer infrastructure so easily penetrable that a court investigator and his team of security experts were able to break in and repeatedly access, modify and even create trust data -- all without raising a response from the government." This involves the finances of over 300,000 people, I don't think the judge was out of bounds in ordering it closed.

  6. Yes, this is justified ... by hobbs · · Score: 5, Insightful
    If you read the article, it states:
    brought on behalf of 300,000 American Indians whose assets are housed on a computer infrastructure so easily penetrable that a court investigator and his team of security experts were able to break in and repeatedly access, modify and even create trust data -- all without raising a response from the government.
    It basically points at gross (security) negligence on the part of some gov't types that are supposed to be responsible for sensitive data. It's not like they aren't allowed to maintain the data - just that they are supposed to secure it appropriately.

    It may seem a bit extreme to make the ruling so pervasive, but then again that may be the only way to get those brain-dead govt managers to create a real system (like perhaps without MS software to start).

  7. Re:Should a judge by Skyshadow · · Score: 4, Interesting
    A judge in New Jersey has sent 100+ teachers to jail because they won't work without a contract (would you?).

    *That's* what I call abuse of power. This strikes me more as steps to help ensure that the carelessness of a dimwitted government agency doesn't end up hurting anyone unnecessarily.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  8. Should this judge have this much power? Yes! by jwales · · Score: 5, Insightful

    Yes, absolutely, a Federal Judge should have this much power. It's one of the best checks against the possibility of tyranny.

    Since the Executive and Legislative branches of government routinely ignore the U.S. Constitution, it is extremely important that we can count on the check of the Judiciary.

    --
    Wikia
  9. Re:Where does it say Windows? by SimJockey · · Score: 5, Informative

    Good point; Quoth Netcraft
    The site www.doi.gov is running Apache/1.3.12 (Unix) on Solaris
    Other sub-domains are Netscape Enterprise on Solaris and Lotus Domino on NT4/98.

    --
    Laugh while you can, monkey boy!
  10. You know, by Patrick+Cable+II · · Score: 5, Funny

    ...on the indian trust web site...

    You'd think they would use apache...

    Patrick Cable II

  11. Microsoft servers? by Camel+Pilot · · Score: 5, Informative

    This was the result of compromises with the Microsoft Windows servers.

    However, I see no mention of the operating/database that was compromised. Following one of the background links there is reference to an IBM mainframe.

    Among the facts omitted was the name of the Denver firm that maintains the IBM computer mainframe for the trust system

    Just thought that should be pointed out.

    Now the webservers may be IIS but the database being hacked was IBM. Most likely just a poor implementation.

  12. Indian Trust: Cobell v. Norton by Josuah · · Score: 5, Interesting

    Lots of information is available at the Indian Trust: Cobell v. Norton web site. Press releases plus official court documents.

    Of particular interest is this document, which more fully explains why the judge ordered all Internet access to the Department of Interior. Apparently, court investigators were able to break in and modify lots of important information without any response from the DoI.

    Seems like this sets a legal precedent for locking down an entire business, organization, or corporation involved in a legal situation. If it can be demonstrated that it would be possible for an outside entity to modify data crucial to the proceeding of the case (such data would be subpoenaed), the judge can order all external access to that data cut off.

    Since simply running some Microsoft software makes it possible for a large number of outside entities to modify such data without difficulty, and to know that doing so is possible without having to figure it out, I could see this becoming a problem for businesses and organizations that run said Microsoft software.

    However, it also means that lax UNIX administrators could have their systems' access cut off if court investigators demonstrate that they are able to get in. Sounds like Mac OS 9 is the best protection against this now.

  13. Re:Should a judge..Did you read the Indian Trust? by darkPHi3er · · Score: 5, Insightful

    "In a sweeping action with far-reaching but unclear ramifications, U.S. District Judge Royce Lamberth granted the emergency request, which was brought on behalf of 300,000 American Indians whose assets are housed on a computer infrastructure so easily penetrable that a court investigator and his team of security experts were able to break in and repeatedly access, modify and even create trust data -- all without raising a response from the government."

    it's actually well past time for the courts to hold organizations whose systems are busted by 12 year old scriddies running "canned scripts" from Toolz sites

    how would you feel if this were your family's or your company's sensitive and/or private information??? Information about your 502 or your daughter's rape, or your son's juvenile arrest for possessing underage TeleTubbie Pr0n?

    "Coupled with the judge's action were criticisms from members of Congress about the security failures. "The GAO told us five years ago that the fund was in shambles," said Rep. Jim Hansen (R-Utah), chairman of the House Resources Committee, which has jurisdiction over Indian affairs. "Now we learn that a computer security system deployed in 1999 is virtually worthless," he said."

    i don't think anyone on /. wants to see liability extended to the same absurd levels of product and contingent liability that have been demonstrated in the McDonalds and other Python-esque liability cases, BUT...

    ...isn't it about time the direct creators, distributors and managers of dangerously insecure computer systems have at least SOME small legal responsibility (and limited accompanying monetary liability)????

    If the facts on the Indian Trust website ARE true, DOI (and Congress) have long been aware of the problems and have been ducking the bullet on fixing it...if this were my money/info, I'd sure be upset...

    --
    Ten quid, she's so easy to blind. And not a word is spoken...
  14. Whoa! by cscx · · Score: 5, Informative
    Before half of ./ creams their jeans, let's get the facts straight:

    Entering via the Internet, the "hackers" found they could break many of the passwords protecting accounts, using a tool called a "cracker." Many of the passwords, according to the report, were easy to guess, particularly one -- "passwd" -- which was frequently used.

    This had nothing to do with the fact that they were running IIS, Apache, Joe's Web Server, etc. The issue was weak database passwords.

  15. netcraft by Karma+50 · · Score: 5, Informative

    netcraft shows lots of different OS and servers are being used. The security breach could have been done through any one of them, or the bad security could've been on the database itself.

    For example :

    The site doi.gov is running Lotus-Domino/5.0.8 on NT4/Windows 98.

    The site www.den.doi.gov is running Netscape-Enterprise/4.0 on Solaris 8.

    The site www.ios.doi.gov is running Apache/1.3.12 (Unix) on unknown.

    The site www.doi.gov is running Apache/1.3.12 (Unix) on Solaris

    I couldn't spot a document on indiantrust.org which went into technical details either ... then again, that's not the sort of information they want to make public if the DOI wasn't addressing the problem.

    --
    http://www.thehungersite.com
  16. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  17. Pulling a Clinton by Dynastar454 · · Score: 5, Troll
    Wow, the judge really got pissed... but then, I guess I would too, if I had to deal with...
    Fader [Govt. Lawyer] responded that he didn't know what was meant by such basic terms as "individual trust data" and "computer," to which Lamberth [judge] shot back: "I don't believe a word you're saying now." "You're just ruining your credibility talking to me that way."
    --


    Laugh at stupidity: mod idiots +1 Funny.
  18. Re:Should a judge by truesaer · · Score: 4, Offtopic
    It's not an abuse of power. The law says that teachers cannot strike, and this has surely been upheld by the courts since lots of states have that law. The teachers are striking, and were ordered by the judge to comply with the law and return to class. Since they refused, they were arrested.


    This is what happens when you disobey a lawful order from a judge. Now, the teachers may still be doing the right thing, but if you want to practice civil disobedience, you might end up in the clink.


    Judges do not have the luxury of ignoring the law, or just saying "oh well" when people fail to follow their lawful orders. Again, this isn't flamebait...teachers may be doing the right thing by standing up for themselves, but the judge is also doing the right thing in enforcing the law.

  19. Re:Are you sure it's a MS server? by Ivan+Raikov · · Score: 4, Informative

    From Netcraft's Survey:

    The site www.doi.gov is running Apache/1.3.12 (Unix) on Solaris.

    Of course, we don't know whether this was the system which the government investigators broke in, or whether it's something in this domain.

  20. I read the penetration portion of the report p 133 by Anonymous Coward · · Score: 5, Informative

    This is bad. There have been many, many reports and firestorms about these computer systems according to the Special Master's Report released as a court document.

    Predictive (the security company) broke in and documented abysmal security -- no firewalls, blank administrator passwords, other stuff that would make any script kiddie drool. The response of the B. of Indian Affairs was "naw, it's not that bad; you cheated".

    So Predictive did it again. Got basically the same results. So after the .gov agency has the report detailing their security holes, they left many of them wide open. So much so that Predictive could add bogus accounts and transfer real monies from real accounts into the bogus accounts, get sensitive documents and lots of other mischief. Really bad.

    In classic Dilbertesque style, the Gov blames the messenger, says it's not really that bad (again) and promises to do a whole lot of nothing -- just like it has been doing for 10 years according to the special master's report you can click on here:

    http://www.indiantrust.org/documents.cfm

    This is bad. Real bad. Sad to say this judicial action was necessary. Sad.

  21. why the link? by zaius · · Score: 4, Funny

    Umm... why is there a link to the DoI website if they've been forced off line...?

    1. Re:why the link? by fobbman · · Score: 5, Funny

      You must have missed it in the article where the judge ruled that there should be a story posted on /. with a link to the DOI website to enforce the downtime via the /. effect.

      This judge is one smart cookie, I tell ya.

  22. Specific info on systems/applications compromised by ninjaz · · Score: 5, Informative
    Here's a snippet from an indianz.com article which specifies what was actually compromised:

    With permission from U.S. District Judge Royce Lamberth, the special master's team logged onto computer servers, accessed databases, broke into Interior and Bureau of Indian Affairs networks, discovered they could modify and erase sensitive data and even created an Individual Indian Money (IIM) trust account in Balaran's name. All of these breaches occurred repeatedly and with ease -- and all without being noticed, or even tracked, by the Interior's own computer officials.

    Here's a rundown of how it happened.

    Predictive originally planned a two-phase test of the Interior's computer infrastructure. First, it would try to access the system from the public Internet; and second, it would test the network from within.

    However, the company soon found it could scrap the second phase because protections were non-existent.

    "Early on in the testing it became apparent that it was possible to access the sensitive internal data from the Internet and that the internal on-site testing phase was not needed due to the lack of overall perimeter security," Predictive wrote in August after a first round of hacking.

    Using widely available, and free, tools employed by hackers all over the world, Predictive tapped into a number of systems the Interior deemed "critical" to bringing its trust duties into the 21st century. These systems included:

    • The Trust Asset and Accounting Management System (TAAMS)

      Predictive was able to break into a TAAMS server because it had "no password." As a result, the firm could perform administrative, high-level functions typically not available to low-level users.

      Also, Predictive could access TAAMS because the BIANET, a BIA network accessible via the Internet, had "blank" passwords. Through this vulnerability, the firm gained administrative powers that allowed it to access data stored in a TAAMS database.

      TAAMS is housed on two AS/400 servers, made by IBM, in Addison, Texas. The servers, the database and all its associated logic (coded in dBase) are fully owned by a third party, Applied Terravision Systems, because the Interior failed to consider long-term ownership and development issues.

    • The Integrated Records Management System (IRMS)

      A so-called "legacy" system in use since 1982, Predictive was able to gain "complete access" to IRMS, which tracks leases and distributes payments to account holders. Weaknesses on the BIANET allowed the firm to see every IRMS account that has ever existed.

      Predictive could modify and delete user accounts, meaning it could prevent authorized Interior users from entering the system and give access to non-authorized outsiders.

      Further, Predictive gained "complete control" to an IRMS server because it had a "blank" password. The firm was able to copy files and create links to sensitive data to outside networks via standard and highly vulnerable Microsoft Windows capabilities.

      IRMS is coded in Cobol 74, an outmoded but pervasive language, and is composed of six databases -- including individual and tribal ownership and leasing data -- that reside on a Unisys Clearpath NX server in Reston, Virginia. Reston is the location of the BIA's Office of Information Resources Management, whose controversial move from Albuquerque, New Mexico, was temporarily halted by Lamberth.

    • Other Unnamed Systems.

      Additionally, Predictive found numerous problems on a number of systems, most of which are not specifically named because information in the report is redacted. The firm was able to access "sensitive" information including "gigabytes" of BIA e-mail, configuration files, log reports, and all usernames and passwords on an unnamed system. Many of these systems had weak password or no password protections.

      Certain Interior computers were also running web servers, file transfer programs, remote access servers and other technologies that could allow anonymous access by outsiders. Other systems were prone to well-known hacking techniques, including denial of service, buffer overflows, "Trojan Horse" programs and Microsoft Windows "scripting" attacks -- all of which are typically preventable by applying readily available "patches" to fix security holes.

    All of this hacking -- which took place between June 24 and July 8 -- led Predictive to conclude in an August report that the BIA lacks "basic security" measures. "Even if every security vulnerability in this report was corrected, BIA's overall lack of a secure network perimeter would still leave BIA exposed to additional risk," the firm wrote.

    Predictive recommended the BIA implement such standard protections as a firewall and intrusion devices. Along with Balaran, the firm informed BIA of the numerous problems at a meeting with Brian Bowker, then-director of OIRM.

    Despite Predictive's damaging report, Bowker indicated the company was successful only because he had "turned over the keys to the store." Balaran said he felt Bowker was trying to "discount" the findings, so he again instructed Predictive to break into the system on August 30.

    It was during this time that Predictive created a trust account for Balaran, whose report is not specific as to which system was accessed to perform this incredible breach. Predictive was able to create its own trust data and modify existing data on an unnamed system, leading the firm yet again to warn BIA of problems and make a number of specific recommendations to correct the deficiencies.

  23. Re:Should a judge [OT] by sigwinch · · Score: 5, Flamebait
    Drifting off topic, but here goes anyway...
    True, but the fundamental feeling behind unions is one of solidarity -- that *everyone* should be taken care of, not just those who are extremely skilled.
    CNN.com says the average salary of the striking teachers is $56k/year + benefits, only a little less than I make as an electrical engineer in the midwest. That isn't solidarity, it's larceny, a natural consequence of communism.
    --
    Kuro5hin.org: where the good times never end. ;-)

  24. curiouser and curiouser said alice... by matth · · Score: 4, Insightful

    You know.. I just thought of something. There is the WayBack Machine which lets you get past copies of ANY website. Do you think one could get a copy of the DOI and get cached copies of the data, or some such stuff?

  25. Re:Should a judge by dmarcov · · Score: 5, Insightful

    One good whore deserves another, I suppose.

    The power of judicial review is not "ignoring the law". Judicial review is the power to say that a given law violated the terms of another, "higher" law -- in the US, that's the Constitution. A judge cannot (or at least should not) choose to ignore a law on the basis of "I just don't like it".

    The power the judge is exercising in this case, is the ability for a judicial or quasi-judicial authority (ie: a congressional committee) to hold someone in contempt. When one violates the order of a judge in a given situation -- that is, a case is brought before him/her, and in the course of that proceeding orders a certain thing to be done, or not be done -- and that order is violated, they can be held until such time as they satisfy the judge that they will comply, or until suitably punished. Yes, the power of holding someone in contempt is broad, with only the barest hint of restraint (many jurisdictions only allow someone to be held on contempt for a year or less).

    This says nothing of the laws themselves -- where one is charged, tried, and formally sentenced to a given term in accordance with the law violated.

  26. Not Soon Enough... by Rothfuss · · Score: 5, Funny


    I managed to get in before it all went down. I am now officially 3/4 Cherokee and the legitimate owner of South Dakota.

    Thank you Microsoft.

    -Rothfuss

  27. Please forgive me.... by jsse · · Score: 5, Funny

    CD: Hold off on the blaming of MS, it's still not clear.

    Can I still bash Microsoft if I really, really want to?

    I just couldn't help blaming Microsoft whenever I see 'Microsoft Windows' in the news roundup. This is something like compulsory-anti-microsoft something, I think I've medical clearance to back my action. People in 'Anti-Microsoft Anonymous' recommend me to post in /., they said it'd help.

  28. Re:McDonald's....Blood Sucking Liability Lawyers by darkPHi3er · · Score: 4, Flamebait

    "Actually, that McDonald's case you're so quick to dismiss is exactly like this."

    since you seem to be defending a legal system that is perceived as rampantly irresponsible by most Americans (in poll after poll*n)...to be precise, i wasn't dismissing the McDonald's lawsuit, I was ridiculing it for illustrative purposes.

    The DOI/Indian Trust case is not a product/contingent liability civil suit, you must think that all /.'rs are stupid. The DOI/Indian Trust case is about the DOI failing to exercise due diligence in the handling of the Indian Trust, to wit, the irresponsible and deleterious handling of both trust fiduciary assets and confidential trust data on its participants and beneficiaries. It's ***NOT*** about Bottom Feeding Contingent Liability Lawyers who are sucking this country dry. I hope the Judge in the DOI case breaks it off at the knee in the DOI.

    People who support extremely irresponsible and irrational jury decisions, such as the McDonald's case, are costing everybody in America both money and opportunity, here's why:

    1."McDonald's profit on coffee sales for two days. That is hardly a burdensome amount - enough to get your attention, but probably something like $20-$50 for us..."

    THE SETTLEMENT DIDN'T COST MCDONALD'S ONE NICKEL, IT WAS PAID FOR BY MCDONALD'S ***CUSTOMERS***, ...the "us" you were talking about. There is NO "McDonald's". The judgement was also paid for by McD's shareholders.

    2. By encouraging people like the person that sued McD, you create a society that values litigation over common sense.

    I don't WANT to be on the road with someone who doesn't grasp that "coffee is hot". Like Stella Liebeck. I hope Stella (and her blood sucking attorney) remain objects of ridicule for every day of the rest of their lives. I also don't want to be on the road with someone who can't identify and manage simple threats to their personal safety.

    "Consumer" Lawyers (contingent liability bottomfeeders specifically -- there are many lawyers who contribute to society and do great work for the poor and the needy) create an environment that discourages innovation and makes every American intelligent enough to grasp the (scalding liquids = personal danger) equation feel like the legal system is a bad joke designed for morons and con-artists.

    Liability insurance adds huge dollars to the cost of ***EVERY PRODUCT WE BUY***, it adds enormous costs to every startup company that wants to produce an item for public consumption/operation. When I bought my first Honda Interceptor I was trolling through the Owner's Manual and there in 20pt "Liability Lawyer Bold" was an instruction NOT TO DRINK THE BATTERY ACID!

    Bob Heinlein used to have some of his literary characters joke that the standard you should have to meet in order to be allowed to reproduce was the ability to grasp and perform rudimentary integral calculus....I wonder what Bob would think about people who had to be instructed that "hot coffee is hot" or "don't drink lethal chemicals"?

    BONUS ROUND: Last year/b4 in Canada, some poor kid, during finals, had been on a classic "study till you drop" push, after a particular exam (Math???), he went on a drinking binge with his friends, got good and tanked (hadn't had much sleep/food for a coupla days)...sometime, early AM, he went to get a Coke from the dorm vending machine, he didn't have any change, so he shook the machine to loosen a Coke...didn't work too well, the machine fell over and crushed him to death (suffocation)....

    his parents are suing (Coke and the College) for big $$$$, claiming that Coca-Cola hadn't met the Canadian labeling laws for "dangerous machinery", by not providing an instructional label....the parents are angry and grief stricken and some a'hole attorney is looking to collect his 40-50% on their grief...Let's see; drunk, stealing a coke, shaking a several hundred pound vending machine with no one in sight, couldn't get out of the way in time...yeah, sure sounds like Coke's fault to me
    .....

    --
    Ten quid, she's so easy to blind. And not a word is spoken...
  29. But not Pulling an Ashcroft by xah · · Score: 4, Informative
    At least this guy didn't pull an Ashcroft. He would have "Pulled an Ashcroft" if he had accused his critics of harming the security of the data by criticizing his security measures. "Pulling an Ashcroft" is a new phrase. It is defined as saying that any criticism of a policy prevents that policy from being effective.

    Today, before the Senate, John Ashcroft, the Attorney General of the United States, stated in plain terms that any criticism of Ashcroft's policies of extrajudicial military tribunals and other suspensions of civil and human rights will help terrorism.

    --
    I am not a lawyer. Do not take my words as legal advice. If you need legal advice, consult an attorney.
  30. Informative? *sigh* by cje · · Score: 5, Informative

    Folks, this is not rocket science. The easiest way to determine if the DOI is on the net or not is to try to connect to the DOI homepage itself. As of this moment (1:00 AM Central time), the entire DOI is off the net. It's not just the BIA or the agencies and sites directly related to it. It's the entire DOI. I am a DOI contractor and I can assure you that our facility (which has nothing to do with the Bureau of Indian Affairs) was most certainly yanked off the net this afternoon, and it remains off the net.

    This is really causing pandemonium at our workplace. We cannot access our electronic timesheets because the server is external to our network, and as a result, I've just finished filling out my timesheet from home (because otherwise, it's not going to get done.) The silly part of it is that the facility that I work at has quite robust security, and yet we were still forced offline. This is not an "intelligent decision." This is a knee-jerk reaction that is going to end up inconveniencing a lot of people that have paid a lot of money for Earth science data. It's going to cost the government (and, as a result, you, the taxpayer) a lot of money.

    By the time you read this comment, the whole issue may have been rendered moot; there was some hope that the court order might be rescinded overnight. If the order was rescinded and you are able to connect to the above links, then I'm glad (because I'll be able to do my job tomorrow.) But rest assured that the entire DOI lost network connectivity this afternoon. This is judicial idiocy, plain and simple; there is no more diplomatic way to put it.

    --
    We're going down, in a spiral to the ground