Slashdot Mirror

← Back to Stories (view on slashdot.org)

Judge Disconnects Interior Dept., Again

Posted by timothy on from the just-like-texas-justice dept.

jeremycec writes "Evidently, nothing's been resolved since 2001, when this happened the first time. In these Memorandum Opinion and Preliminary Injunction documents from Judge Royce C. Lamberth of the U.S. District Court for Washington, D.C., we see how the court stepped in to pull the plug on a system, which, through its abject lack of due care, left someone's important financial information wide open to attackers. According to the former CIO of the Bureau of Indian Affairs: 'For all practical purposes, we have no security, we have no infrastructure, ... Our entire network has no firewalls on it. I don't like running a network that can be breached by a high school kid.' So, when the BIA could get no relief through Interior's IT Dept., it went to the courts. Source: Government Computer News "

11 of 246 comments (clear)

  1. BIA IT DEPT DOA by theblackdeer · · Score: 4, Informative

    it's true .... my mother in-law works at the BIA, and hasn't had email for years. i've offered to do real cheap contracting to help them set up a small, secure network in their regional office, to no avail. they were still waiting for the gov IT dept to work it out.

  2. It's politics, nothing more. by RatBastard · · Score: 4, Informative

    The simple fact is that the Department of The Interior hates the BIA. They resent them like hell and are doing nothing to help them at all. Standards, routers, etc... have nothing to do with this.

    It's high time that the BIA be moved from Interior to the Department of State anyway. The American-Indiands issue isn't a land issue, it's a deplomacy issue. But that's just more politics and not relevant to the story at hand.

    --
    Boobies never hurt anyone. - Sherry Glaser.
    1. Re:It's politics, nothing more. by bwcbwc · · Score: 2, Informative

      Another factor: Most Republicans hate the DOI. Remember James Watt? So DOI is just about last in the queue when it comes to fighting for budget dollars. Can you name one division of the DOI that has enough money to do its job? Certainly not the National Park Service or the BoIA. It wouldn't surprise me if their procurement processes result in $40 routers costing $4,000, so the budget crunch is even worse.

      --
      We are the 198 proof..
  3. Re:Are there standards? by Xzzy · · Score: 2, Informative

    > are all different federal entities left to simply
    > come up (or not come up) with their own standards?

    I can only speak for the one I work for, but from what I can tell, the answer is yes. The branch I'm involved in seems to revolve mostly around scanning any net-connected machine for known vulnerabilities and generating scary warnings if a problem is found.

    Most of our security is dictated by the site-local security team which is thankfully pretty darn good, because the probe and hope model is fearfully insufficient. Every machine online uses kerberos, they actively sniff the network for cleartext passwords (and warn you strongly when they catch you doing it), and they monitor for traffic spikes to track down compromised machines. Services like httpd or smtp require being up to date on patches, or the machine's port on the switch is shut off. Any offsite accessible website has to have a hole punched in the border router.. the list goes on.

    None of this matches any security model I've learned about in other government branches (which seem to prefer the 'firewall it all' philosophy), leading support to the idea that each branch manages itsef it's own way.

  4. understatement of the year by Anonymous Coward · · Score: 1, Informative

    I've been fighting with them for about two years now over land issues. Corrupt and lazy don't even begin to describe them.

  5. You should know better than to believe the writeup by Anonymous Coward · · Score: 5, Informative

    This is slashdot, after all.

    The BIA isn't suing anyone. They're *being* sued.

    The case is Cobell v. Norton -- the plaintiffs are Native Americans and Norton being the Interior department, of which BIA is a part. (Side note: Gail Norton has been held in contempt of court at least twice that I know of as part of this case.)

    So, what we have here, is a suit by individuals (more or less) against the Interior department.

    Yes, WE get to pay for the government's defense, and, when the government loses, the full judgement to the (fully deserving, IMHO) plaintiffs.

    Go pursue your anti-governemnt, anti-PC campaign elsewhere: it isn't relevant here.

    Lawsuits aren't worthless here, they're pretty much the only lever the endlessly screwed-over Native Americans have against the interior depatment. I'm happy to see them succeeding at it.

  6. Actually it's not BIA by Anonymous Coward · · Score: 1, Informative

    It's a lawsuit over the Indian Trust Funds that's been going on for 7 years now. The plaintiffs are a couple of Indians from various tribes. Cobell vs. Dept. of Interior. http://www.indiantrust.com has a summary of what's been going on.

  7. Re:No wonder by deanj · · Score: 4, Informative

    The other flaw with this is the following:

    "The preliminary injunction followed a hearing this morning in which the plaintiffs in the Cobell v. Norton litigation, who represent American Indian trust beneficiaries, sought the injunction. The goal of the injunction is to protect American Indian trust accounts from intrusion via the Internet. "

    The American Indians requested that the injunction be put into place, and it was granted.

    This has nothing to do with what administration is in power.

  8. This is actually a dick swinging contest by MemRaven · · Score: 5, Informative
    Rather than everybody babbling about crap based on the original case, I read the memorandum document. Basically, the status here is:
    • The government agreed to secure machines that had certain types of sensitive information, and to allow someone to verify that those machines were secure.
    • One machine was discovered to be insecure because apparently it WAS in the DMZ for a legitimate use and thus could be portscanned (it was just insecure)
    • The people scanning it told the gov't that they were going to do a full penetration scan (so that they didn't get prosecuted), which everybody had agreed to and agreed would be private (i.e. nobody would try to secure the box in advance of the penetration)
    • The machine magically vanished off the network right before the penetration scan with a bit of a bogus explaination
    • The government and the guy responsible for doing the scans got into a big pissing contest that they refused to settle peacefully.
    In other words, it seems like some parts of the government was attempting to do the right thing here, but some other parts got seriously upset when they discovered that the Special Master (the guy responsible for verifying compliance that the machines were actually secure) was actually doing his job and not just taking their word that they hadn't leaked information about the machine that was going to be penetrated, fearing the consequences.

    Quite frankly, I'm a little confused as to why the government had to allow a full exploit to take place rather than accepting the warning of "this machine is insecure, secure it now," except that maybe it's with an eye towards preparing for the day when the courts aren't constantly portscanning them.

  9. Re:Mod Parent up! by Wyatt+Earp · · Score: 2, Informative

    Since we have a link to Free Peltier, here is a link to the No Parole Peltier Association.

    http://www.noparolepeltier.com/
    http://www.nopa rolepeltier.com/shootout.html

    Two FBI agents went down to Pine Ridge to arrest someone. The agents end up in a cross-fire between two houses. Two FBI agents end up dead, thier cars were hit 125 times with .223 rounds from an AR. 114 .223 shell casings were found, 39 of which matched Peltier's AR-15.

    The agents were wounded initially, then executed with point-blank shots fired at thier heads from rifles.

    Agent Coler may have fired from his service revolver, but his bullet pouch was still full, one shot from a 12-gauge shotgun and one shot from a .308 rifle. He received an initial wound nearly severing his right arm, a wound to the top of his head, and a second to his jaw, both delivered at contact range with a high-powered rifle.

    Agent Williams while calling for help on his radio, may have fired briefly from his service revolver and was wounded initially in his left arm, left side, and foot. A fatal shot fired at contact range went through his right hand and into his face.

    Their vehicles received a total of 125 bullet holes, not counting those that either missed or went through the shattered windows and were not recovered.

  10. The real story behind this by Shoten · · Score: 3, Informative

    In a nutshell, the Special Master for the court has brought in an outside consultant to do pen-testing of DOI systems. The problem is that this guy is just hacking away willy-nilly, and there are no rules of engagement or lines of communication. In short, there's no way for DOI to know this guy's attacks apart from those of any black-hat, and there's no way to prevent him from doing more harm than good (or notifying DOI should he screw something up, as is prone to happen in pen-testing). SAIC, the company working to improve DOI security, has asked for some changes to this, and was turned down. As a result, the DoJ has intervened, pointing out that what the consultant has been doing is not legal and is actually hacking in the very illegal sense of the word. This is the backlash from the Special Master in return for that.

    --

    For your security, this post has been encrypted with ROT-13, twice.