U.S. Gov't Sponsors InfoSec Defense Training
Anomolous Cow Herd writes: "CNN is reporting that the U.S. government is awarding scholarships to a select few computer science students to study information security, with the caveat that they must agree to work for a government agency for at least two years afterwards. This is in response to the general state of paranoia that has ensued since 9/11, with 'cybersecurity' as a high priority. Considering that a vast majority of government agencies run on Windows NT and derivatives, it's no wonder that they consider the eventual graduating class of 180 'doesn't have a chance.'"
Granted, the US government runs mainly under Windows systems, but if these students are getting good educations in computer security and are supposedly going to be an influential voice in what the government buys as far as new equipment and such, do you think this will help Linux to be used more in government? I think if this were to happen, it would, consequently, generate great PR among other companies that are concerned with keeping their information secure.
Old news.
http://www.wired.com/news/politics/0,1283,46567,00.html
Yeah, because if they were running some UNIX flavor, their systems would be more secure ah? Just subscribe to some security mailing lists and try to filter out Windows*/UNIX vulnerabilities/exploits.
Quite amazingly you will realise that most of them are UNIX (vast majority Linux, then some HPUX/Solaris/IRIX).
Not a flamebait, but all these creeps that try to bash Microsoft at the first chance really disgust me.
Kisses.
While the VERY FIRST PARAGRAPH of the article reads:
Ya know what? Other than putting some additional paranoia in the public (and management) mind, infosec has little to do with terrorism. Sure, the politicians like to run around screaming "digital pearl harbor". But the general state of most organizations' infosec stance has been in shambles well before 9/11. And those vulnerabilities mean that these organizations are much more likely to be attacked by a random attack-of-opportunity than a coordinated terrorist activity.
And that includes the US Government. It might go especially for the US Government where "security" is usually dealt with a Cold War mentality. One that has little to do with the current state of information security. Instead, government agencies tend to rely heavily on prosecution (which kicks in well after the damage has been done). Change to this mindset is hampered by limited budgets which make hiring experts (or retaining anyone with the appropriate skillset) difficult. A couple years ago, the FBI even complained to Congress that they could not attract experts in the field due to their uncompetitive pay.
So to wrap it all up. Government computer systems tend to make surprisingly easy targets. This program is part of the awakening and catch-up the government is undergoing on this issue. It has very little to do with terrorism and 9/11. And even the very article referred to states that.
I work for the government, and in these times when the economy is still on shaky ground, the job security alone was enough to get me to take the position.
The fact is that IT positions in the government actually pay quite well. Considering the area I live in, my starting salary was quite competitive with what the private sector was willing to pay. Not to mention the famous government benefits packages.
The U.S. government does indeed have a lot of NT servers. The Powers That Be (TM) understand the vulnerability, and apparently are willing to pay handsomely to fix it. In a time of a job market that's uncertain at best, I can think of worse situations than a free education and a 2-yr. job guarantee.
"Ask not what your country can do for you." --John F. Kennedy
When I was in college, I found that the overall grade for a course was usually about 50% exams and 50% coursework. The coursework usually involved applying some basic elements of the class that were usually identifiable from the syllabus or the first day's class outline lecture.
The exams were usually well over 80% based on the course lectures, which tended to be an overview of the reading. The better professors threw in some easy nuggets that were never discussed in class, only in the readings. The weaker ones lectured basically the books plus some fill-in material, but the fill in was just glue to give the course some coherency.
I found that I could ace most classes if I wrote an A paper and scored an A on the exam. The work it took to do this involved light reading of research material and great class notes. The actual assigned reading I generally just skimmed to make sure there was no great deviation from the lectures. I seldom if ever actually "read" it, except for literature assignments. Just going to class, writing notes and doing the paper was all it took.
I discussed this with a friend who is a history professor and he said that in undergrad land it's pretty difficult to have significant test material on assigned readings without 2/3s of the class getting Ds or Fs -- even if he announces on day 1 that 50% of the exams will be taken exclusively from readings not lectured in class. He thinks it's legit to do this, but he's gotten flak from department people who say it's beyond the scope of the average undergrad to assimilate meaning from academic readings.
I would assume that serious classes at high-end academic places like Harvard would have lectures that didn't cover the readings AND readings not included in the lectures, making it impossible (without notes from somebody who WAS there) to get more than a C if you skipped lectures.
At other schools (mine was a Big 10 university), skipping lectures was suicide but skipping the reading was not.
Considering the fact that the DOD is a monster bureaucracy with more security holes than Swiss cheese, the task of pinning down info sec is monumental. The manpower required to really get the job done would be 10 fold the proposed graduating class. As a former member of an Air Force communications squadron, I cringe when thinking about the lack of sophistication involved in managing their networks. NT is embraced as the desktop OS of choice but so is it amongst a majority of large corporations. The difference is the backend, also NT based coupled with Novell, or so it was 5 years ago. Network outages were commonplace, I remember one time email and internet access being down the entire day! I wasn't behind the scenes to give actual specifics, but I was close enough to say it was a two bit operation. Take into account that this sort of operation is found in every squadron (20 or so) on each base and we at the communication squadron were supposed to be the experts. Now take this scenario and apply it to the rest of the bases throughout the world and don't forget to factor in the Army, Navy, Marines, and you end up with a nightmare of a situation.
We had the security emphasis full paid scholarship last spring BEFORE 9/11 happened. It's been available for about a year now, however after 9/11 happened the emphasis to get people interested in it increased. It's a brand new program nationwide and at Mississippi State, so I know that it's not entirely the 9/11 'experience' that started the program, since we began school in August and they announced the program in the spring... However 9/11 has definitely fueled the program, funneled more money into it, and increased interest. They give you a ton of money to be in the program, thousands of dollars, however you are required to do so much internship time with the gov't and then you have to go into a gov't security position WHEREVER THEY WANT TO PUT YOU when you graduate. I considered it at first, but I'm not sure it would have been the best route for me personally to take.
At least the gov't is trying to get some better sysadmins into their workforce. Not to insult any gov't sysadmins out there, but it's obvious that they want more people checking each other's work so that there are fewer holes, hopefully/theoretically.
[Something witty and intelligent should have appeared here.]
{Traicovn}