Slashdot Mirror


U.S. Agencies Earn "D" For Computer Security

Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology." Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld. As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."

302 comments

  1. How did by dan+dan+the+dna+man · · Score: 5, Interesting

    the Department of Homeland Security do?

    --
    I don't read your sig, why do you read mine?
    1. Re:How did by KDan · · Score: 5, Informative

      It got an F.

      Daniel

      --
      Carpe Diem
    2. Re:How did by Kenja · · Score: 5, Funny

      They're not saying, however they've issued a guava alert.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:How did by flamingnight · · Score: 5, Interesting
      According to the ZDNet article,
      The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission.


      Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.
    4. Re:How did by 16K+Ram+Pack · · Score: 4, Funny
      Maybe they should get put in detention?

      There's a centre built for it, somewhere in Cuba.

    5. Re:How did by TedCheshireAcad · · Score: 5, Funny

      Like any organization, they've outlined a strategic plan to assess the situation and assigned a mission-critical task force to consolidate committees and subcommittees on bleeding-edge decision making processes. They've empowered the new paradigm, they're looking down the road, and keeping their feet out of the mud.

      Yeah, they're right on top of it.

    6. Re:How did by Davak · · Score: 4, Informative

      Please mod parent up. They did actually receive an F.

      See quote from article.

      The Department of Homeland Security was one of eight agencies that received a grade of F for its network security efforts.

      Davak

    7. Re:How did by Yarn · · Score: 2, Funny

      A bunch of idiots battling the bureaucracy and losing, I assume.

      --
      -Yarn - Rio Karma: Excellent
    8. Re: How did by Anonymous Coward · · Score: 2, Interesting

      I'm a contractor doing part of the TSA network buildout. I'm kind of curious to know how they evaluated the DHS. DHS is largely a rollup of a lot of pre-existing agencies. I don't think any of those agencies have had their IT functions touched by DHS yet. As far as I know the only IT component of DHS that has really been built by the DHS since its inception is the DHS HQ. DHS inherited TSA from the DOT as a project already in progress. Furthermore, DHS/TSA aren't even doing their own IT; it's all outsourced to a large, Blue Bell, PA based integrator.

    9. Re:How did by kevlar · · Score: 3, Interesting

      I'm sure there is little to no standard on de-classified computer systems in the govt. When it comes to classified systems and networks, the government is pretty damn secure.

      The problem as I see it from the ZDNet article is that secretaries and such have unsecured linux/windows/etc machines sitting under a desk running some support application. Nobody really cares enough to secure it (if they even know it exists).

    10. Re:How did by Walterk · · Score: 2, Funny

      Are you sure it isn't a maroon alert?

    11. Re:How did by Strange+Ranger · · Score: 4, Interesting
      Good!

      If they're so completely ineffective at one of the most fundamental tasks they've been assigned, maybe they'll be ineffective at further eroding our civil rights.

      They got off to a bad start much earlier, when they created the department, named it, and put Ridge in charge. Apparently he is well attuned to the media though...

      Remarks by Secretary Tom Ridge at the National Cyber Security Summit

      For Immediate Release
      Office of the Press Secretary
      December 3, 2003
      ** Remarks as Prepared **
      I was going to pull out some quotes, but the fact that it came out 6 days before their 'F' says quite a bit already.
      --

      Operator, give me the number for 911!
    12. Re:How did by Mullen · · Score: 5, Insightful
      Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.

      I think you nailed it on the head. I work at a large company that is very bureaucratic and it is absolutely soul crushing. No matter what you want to do or what needs to be done, there is always someone who will undermine you, attack you or make you jump through hoops. You can gain ground, but you will never win.

      I completely understand why government agencies never have good computer systems or security. It is just not possible.

      --
      Linux O Muerte!
    13. Re:How did by jgabby · · Score: 2, Informative

      Here says that the DHS scored a 34 ... the lowest of all the agencies surveyed. Way to go, guys!

    14. Re:How did by 56ker · · Score: 2, Informative

      Here's a link to the actual hearings page and the Computer Security Report Card 2003 (pdf file).

    15. Re:How did by cptgrudge · · Score: 2, Interesting
      I work for a mid-size school district. I found many of these problems in front of me when I started, but then I orchestrated the removal of my boss and took his job. Now I am the head of IT and I am somewhat of an ambassador of technology to the administration. Things are going well now.

      It's a political game. You gotta play it to get ahead or get things changed.

      (It really wasn't as bad as it sounds. I'm not a bad person, I don't think.)

      --
      Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
    16. Re:How did by whovian · · Score: 1

      No matter what you want to do or what needs to be done, there is always someone who will undermine you, attack you or make you jump through hoops. You can gain ground, but you will never win.

      Consistent with this idea is the possibility that the top dogs want it to appear that the people in charge of security are largely inept. That could provide the "evidence" for demanding more fundage from the Administration. Just look at the so-called war on drugs....

      Please remember: Just because I might sound paranoid does not necessarily mean I am entirely wrong.

      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
    17. Re:How did by calyphus · · Score: 3, Interesting
      When it comes to classified systems and networks, the government is pretty damn secure.
      That's wishful thinking on your part. The point of the review is to review all systems.
      Chairman Putnam added, "One of the most disturbing findings is that 19 of the 24 agencies reviewed had not completed an inventory of their mission critical systems. Obviously, an agency can't ensure its systems are secure if it can't account for all of its mission critical systems."
      If they can't even identify and inventory 'mission critical systems,' it can't be claimed that those critical systems are secure.
      --


      The potato it is uninformed.
    18. Re:How did by demachina · · Score: 4, Interesting

      I haven't read the details of how this report is generated but the Washington Post said the agencies self report the data. As a result the whole thing should be taken with a grain of salt. Getting an "F" could be a cynical ploy by an agency to make itself look bad and get billions more dollars to spend on new computers. These are bureaucracies and they tend to work this way especially when it comes to maximizing their budgets and the deficit.

      The report would be much more credible if an independent inspector general or analyst audited the agencies and probed their defences. Perhaps someone who knows can describe how the report is produced and how likely it is to be a meaningful assessment of real security.

      --
      @de_machina
    19. Re:How did by mog007 · · Score: 1

      What do you expect? The root password was bushrules...

    20. Re:How did by Anonymous Coward · · Score: 0

      But they failed to think outside the box.

    21. Re:How did by HBI · · Score: 4, Interesting

      I'm sure there is little to no standard on de-classified computer systems in the govt.

      Totally not true. SBU systems (sensitive but unclassified) have very clear standards. Encryption and interconnection standards are very precise. Drives get wiped, etc.

      I know in DoD these are taken seriously. In other departments? I think things are more slack at the Dept of Agriculture, for instance. :-)

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    22. Re:How did by NastyGnat · · Score: 3, Interesting

      I'll vote on the idiots side of it.

      A) Homeland Security E-mail is NOT encrypted and it is regularly sent to hotmail and other "webmail" based accounts. What IDIOT would allow that? (note: They are taking step to get rid of the webmail accounts)

      B) The bunch of folks I've been working with in regards to other homeland security stuff don't know the difference between a passive and active FTP session.

      I'm not saying they are all idiots... but toss a few idiots in with the PHBs and don't expect anything graceful to come out of it.

      --
      -- this space for rent --
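
      Point B above, active versus passive FTP, is exactly the distinction a firewall or FTP proxy has to pull out of the control channel. The following is an added example, not code from this post, from DHS or from anything the thread links to: it parses the two negotiation lines defined in RFC 959, says which side opens the data connection and therefore which firewall needs a hole, and refuses the one pattern that should never be forwarded. All sample lines and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Added example (constructed input, not code from the thread or any agency).
# RFC 959 data-channel negotiation:
#   active : client sends  "PORT h1,h2,h3,h4,p1,p2"  and the SERVER connects back
#            to h1.h2.h3.h4 : p1*256+p2 (from its port 20)
#   passive: server replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the
#            CLIENT connects out to that endpoint
# The difference decides which side's firewall must accept an inbound connection.

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active" or "passive"
    host: str        # endpoint the data connection will be made TO
    port: int
    initiator: str   # who opens the TCP data connection: "server" or "client"


def _decode(groups):
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % (octets,))
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def parse_port_command(line):
    """Client -> server PORT command (active mode)."""
    m = re.fullmatch(r"(?i)PORT\s+" + _SIX, line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    host, port = _decode(m.groups())
    return DataChannel("active", host, port, "server")


def parse_pasv_reply(line):
    """Server -> client 227 reply (passive mode)."""
    m = re.match(r"227\s.*?\(" + _SIX + r"\)", line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    host, port = _decode(m.groups())
    return DataChannel("passive", host, port, "client")


def firewall_requirement(chan, client_ip, server_ip):
    """What the CLIENT side's firewall has to permit, plus a sanity check.

    Active mode needs an inbound hole to the client; passive mode only needs
    outbound.  If the advertised endpoint is not the peer we are talking to,
    or is a privileged port, refuse it: that is the FTP bounce pattern
    (RFC 2577) rather than a legitimate transfer.
    """
    expected = client_ip if chan.mode == "active" else server_ip
    return {
        "direction": "inbound" if chan.mode == "active" else "outbound",
        "endpoint": "%s:%d" % (chan.host, chan.port),
        "suspicious": chan.host != expected or chan.port < 1024,
    }


if __name__ == "__main__":
    client, server = "10.0.0.5", "192.168.1.10"
    for line in ("PORT 10,0,0,5,4,1",
                 "227 Entering Passive Mode (192,168,1,10,195,80)."):
        chan = (parse_port_command(line) if line.upper().startswith("PORT")
                else parse_pasv_reply(line))
        print(chan, firewall_requirement(chan, client, server))
```

      The practical consequence is the one the post is getting at: a client behind a stateful firewall that only allows outbound connections can do passive transfers and nothing else, while a server that only supports active mode forces every client to accept inbound connections on an arbitrary high port. The third-party check is there because a PORT command naming a host other than the client is how an FTP server gets used as a relay to scan or reach something it should not.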
    23. Re:How did by Analogy+Man · · Score: 2, Insightful

      My thoughts exactly! As the executive branch is hell bent on removing the checks and balances our founding fathers intended and pursuing a martial/fascist agenda it is strangely comforting that they may have a soft white underbelly should they go too far.

      --
      When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
    24. Re:How did by hackstraw · · Score: 1

      When it comes to classified systems and networks, the government is pretty damn secure.

      I can't remember specifically who owned the system, but there is a supercomputing facility for the military where all input and output files are hand carried, aka sneakernetted, into and out of the facility. There is 0 networking into or out of the room.

    25. Re:How did by Anonymous Coward · · Score: 0

      Why not.... "\."?

      Because /. is a site for nerds and the majority of nerds like, use, or would like to use *nix and *nix has forward slashes in the paths.

      QED.

    26. Re:How did by ivanmarsh · · Score: 1

      Suggesting that the Dept of Homeland Security got an "F" for its security rating is an act of terrorism under the Patriot act... even though it's true.

    27. Re:How did by msmikkol · · Score: 1

      I know in DoD these are taken seriously. In other departments? I think things are more slack at the Dept of Agriculture, for instance. :-)

      Also Department of Energy takes things seriously, at least the National Nuclear Security Administration part of it. As HBI said, there are clear standards for "unclassified sensitive" systems.

      --
      The aim of science is not to open the door to infinite wisdom, but to set a limit to infinite error.
      -Bertolt Brecht
    28. Re:How did by Anonymous Coward · · Score: 0

      BOFH!

    29. Re: How did by MindNumbingOblivion · · Score: 1

      I understand that DHS is Department of Homeland Security, but what is TSA?
      [/probably moronic question]

      --
      #define CLUE 0
    30. Re:How did by Anonymous Coward · · Score: 0

      Actually, it's not.

      It's to do with the URL, so if you had to pronounce the slashdot URL, it would be:

      "http colon slash slash slashdot dot org"

      Thus the big funny.

    31. Re:How did by Anonymous Coward · · Score: 0

      I, for one, welcome our new K-12 IT overlords!

    32. Re:How did by Anonymous Coward · · Score: 0

      The basic problem so far is not one of actually securing individual computers, but rather getting an accurate count of the total number of computers... This has to do with the lack of adequate categorization of the inventory. So, computers cannot be easily separated out and therefore we cannot gauge overall progress. Like the report states, you have to start somewhere and the first step should be maintaining a proper list of computer systems and their uses. Then you can go around and make sure that everything on the list is accounted for, but until then some unpatched/insecure hardware is probably lurking in someone's closet which could be plugged in at any time.

      Once you have a master list it just becomes a basic computer administration task of maintaining appropriate configurations. But this first step is labor intensive and might involve people going around with clipboards and looking in all the closets. This becomes expensive and time consuming when organizations are tens of thousands of people with tens of thousands of computers. But it needs to be done.

      Likely they will be asking for more money, but given enough time, I'm sure existing personnel could do the job.
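
      The first step this post describes, a master list checked against what is actually out there, is mechanical once the list exists. Below is an added example, not the report's or any agency's tooling: it loads a master inventory, takes the result of a network sweep, and produces the three lists an auditor wants (devices nobody has on a list, listed devices that did not answer, and known devices that changed address), with the mission-critical ones that did not answer called out separately. Both the inventory and the sweep output are constructed; the only assumption is that the sweep yields (ip, mac) pairs, which ARP tables and DHCP lease files both provide.

```python
import csv
import io
import re

# Added example with constructed data; not the report's or any agency's tooling.
# The master list an agency is supposed to maintain (a CSV export, so MAC
# formatting is whatever each team typed in).
MASTER_INVENTORY = """asset_id,hostname,ip,mac,owner,role,mission_critical
A-0001,web01,10.1.0.10,00:11:22:33:44:01,ops,web server,yes
A-0002,db01,10.1.0.20,00:11:22:33:44:02,ops,database,yes
A-0003,hr-desk-07,10.1.5.33,00-11-22-33-44-03,hr,desktop,no
A-0004,print-3f,10.1.5.200,001122334404,facilities,printer,no
A-0005,payroll01,10.1.0.30,00:11:22:33:44:05,finance,application server,yes
"""

# What an ARP/DHCP sweep of the same subnets returned (constructed).
OBSERVED = [
    ("10.1.0.10", "00:11:22:33:44:01"),
    ("10.1.0.20", "00:11:22:33:44:02"),
    ("10.1.5.34", "00:11:22:33:44:03"),   # known desktop, new address
    ("10.1.5.77", "de:ad:be:ef:00:01"),   # nobody has this on a list
]


def normalize_mac(mac):
    """Accept 00:11:..., 00-11-..., 0011..., any case; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text):
    """Master list keyed by normalised MAC (the identifier that survives an IP change)."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        if mac in inventory:
            raise ValueError("duplicate MAC in inventory: %s" % mac)
        inventory[mac] = dict(row, mac=mac)
    return inventory


def reconcile(inventory, observed):
    """Compare the master list with the sweep; every list here is a finding."""
    seen = {normalize_mac(mac): ip for ip, mac in observed}
    unknown = sorted((ip, mac) for mac, ip in seen.items() if mac not in inventory)
    missing = sorted(a["hostname"] for mac, a in inventory.items() if mac not in seen)
    moved = sorted(
        (a["hostname"], a["ip"], seen[mac])
        for mac, a in inventory.items()
        if mac in seen and seen[mac] != a["ip"]
    )
    # Mission-critical systems that did not answer: the "can't account for" finding.
    critical_missing = sorted(
        a["hostname"] for mac, a in inventory.items()
        if mac not in seen and a["mission_critical"] == "yes"
    )
    return {"unknown": unknown, "missing": missing, "moved": moved,
            "critical_missing": critical_missing}


if __name__ == "__main__":
    for key, items in reconcile(load_inventory(MASTER_INVENTORY), OBSERVED).items():
        print(key, items)
```

      Keying on MAC rather than IP is deliberate: addresses move, and an IP-keyed list reports a moved desktop as both a missing asset and an unknown one. The caveat is that a sweep is a lower bound on what exists, not a replacement for the list: a MAC can be forged, and a box that is powered off in a closet, or a VM behind a host's own interface, does not answer ARP at all, which is why the clipboard walk the post describes still has to happen once.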

    33. Re:How did by rifter · · Score: 1

      Actually, it's not.

      It's to do with the URL, so if you had to pronounce the slashdot URL, it would be:

      "http colon slash slash slashdot dot org"

      Thus the big funny.

      But the urls use / as well. What are you talking about?

    34. Re: How did by Atryn · · Score: 1

      TSA = Transportation Security Administration... Remember when they killed off all of the private security companies at airports and then re-hired everyone as gov't employees? :)

      --
      Come play Moral Decay!
    35. Re: How did by MindNumbingOblivion · · Score: 1

      Ah. Thanks.

      --
      #define CLUE 0
    36. Re:How did by edmac3 · · Score: 1

      Alright, 'Dan Dan the Dan..." asks an easy question and then "Kdan" conveniently has the answer. I smell a set up for.... karma

    37. Re:How did by Anonymous Coward · · Score: 0

      But the urls use / as well. What are you talking about?

      You are either trying to make a bad joke, or an idiot. Please note that the URL does not have any '\' in it, hence why saying wwwdotbackslashdotdotorg isn't as funny as saying wwwdotslashdotdotorg.

    38. Re:How did by rifter · · Score: 1

      But the urls use / as well. What are you talking about?

      You are either trying to make a bad joke, or an idiot. Please note that the URL does not have any '\' in it, hence why saying wwwdotbackslashdotdotorg isn't as funny as saying wwwdotslashdotdotorg.

      Erm, I guess you did not know that / is forward slash and \ is backslash. And the url is http://slashdot.org. So there is no reason to say "backslash" because the URL does not have one, it has a slash. Why then are you suggesting it should be a backslash?

  2. Again, not a surprise by cspenn · · Score: 5, Insightful

    As long as the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks, the government will continue to be insecure. Compound that with the fact that the government remains married to Redmond for the majority of its end user systems, and it's no surprise that they received a "D".

    Frankly, I wouldn't be surprised if the USG turns around and tries to pass additional "information security protection" legislation in response to this study, just like software vendors now do for reviewers. You can't say anything about USG systems under the rubric of anti-terrorism.

    Sigh.

    1. Re:Again, not a surprise by GoofyBoy · · Score: 4, Insightful

      >the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks

      What makes you think that its the fault of contractors? Nothing in the articles say this. In fact one of them blames internal, highlevel staff.

      From the ZDNet article;
      "We must get those at the very top, the decision makers, the ones accountable to the shareholders, the customers or the electorate, to recognize that lack of network security in an organization is a material weakness and one that deserves necessary resources and immediate action."

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    2. Re:Again, not a surprise by ubrgeek · · Score: 2, Informative

      That's the biggest load of crap I've ever heard, unless what you mean is contracting "companies" rather than the contractors themselves, and even then I'd have to disagree. A _vast_ majority of the contractors working on cyber security issues have a huge, personal interest in keeping things secure. And, furthermore, the "profit motive" is very clear: Contracts are won and lost on the report card. If a company is hired to protect a gov't network and that network is shown to have been compromised (or vulnerable) then that company will not be selected to continue on the contract when it comes time to renew. Further, the USG has passed "information security protection" legislation, in that the Office of Management and Budget, along with all Inspector General offices, are holding the agencies to task for securing their networks, to the point of withholding funding if they don't. As someone replied to one of my (unrelated) postings, "Get your facts straight."

      --
      Bark less. Wag more.
    3. Re:Again, not a surprise by nemaispuke · · Score: 5, Informative

      Yes there are a lot of contractors and Government employees who don't have a clue. The bigger problem is what guidance is given to people who have to secure those systems (particularly Unix). All Information Assurance personnel want to hear is whether the machines are C2 or not (never mind TCSEC was declared dead March 11, 1999). And this only covers auditing, so they are concerned about trust, not security.

      The last project I worked on we had to use the Defense Information Systems Agency STIG as if it was the bible of Unix security. Here is the mentality of DISA: the Solaris section covered 2.5.1, the AIX section covered 4.3 (but not 5L) and for the most part was only concerned about auditing. Check it out for yourself at:

      http://csrc.nist.gov/pcig/cig.html

      If you have administrators who are limited by inept guidance, what do you expect!

    4. Re:Again, not a surprise by Davak · · Score: 4, Informative

      I am assuming that you are not trolling.

      I have seen the contractor system work very well in the past... however, it took multiple redundant contractors to complete one system.

      For example, we recently set up a system in a clinic that deals with medical records. One contractor brought in the boxes, networked them, and left. Then we brought in our security contractors that locked down the boxes as tight as possible. After that, we had our internal security guru try to pick apart their security... and they came back and corrected the problems they left.

      The security guys are not the general installation guys.

      Save your energy... and get separate contractors.

      Davak

    5. Re:Again, not a surprise by cspenn · · Score: 5, Interesting

      I used to work for a government contractor a couple of years ago. Security - even when we got security guidelines, my fellow coders picked and chose which of them they actually felt like coding.

      Now, should they have been canned? Absolutely. Were they? No. Is that the government's fault? Only partially, in the sense that the government didn't have any way of verifying whether the work we were doing met the standards they specified. Management at the government and at the contractor simply agreed that things looked good, and that was that.

      Hence my comment.

    6. Re:Again, not a surprise by div_2n · · Score: 4, Interesting

      The only thing that WOULD be good in my opinion is setting up liability legislation. If any contractor or software company KNOWINGLY designs and deploys a system whether hardware or software without making security a key design consideration in the interest of making the lowest bid, then they should be liable.

      There comes a point of accountability when contractors should stand up and say, "I won't do this project if you won't fund the proper security design issues."

      You wouldn't knowingly make cuts that would effect whether a system actually operates or not. Security shouldn't be any different.

      I have turned down jobs before when I knew that what they asked was completely at odds with the client's best interest. I told them that and they understood.

      Equally should agencies and companies be held liable if they knowingly deploy a system that is fundamentally insecure in the interest of just "getting it done." A bank would be held liable if they left their front doors wide open and their vault unlocked overnight. Leaving security unconsidered in computer and software systems should be treated equally if not more harshly.

    7. Re:Again, not a surprise by ekephart · · Score: 2, Informative

      Until security is as measurable as the price of a contract, it will always take a back seat.

      Unfortunately measuring security is difficult. One may conduct an extensive (and expensive) study like this report card. Alternatively, most measure security by what *doesn't happen* (viz. successful attacks), which is insufficient.

      --
      sig
    8. Re:Again, not a surprise by Anonymous Coward · · Score: 0

      And now that the study is done, and some guidelines were not met, perhaps the contractors should be sued in these cases for breach of contract?

    9. Re:Again, not a surprise by frodo+from+middle+ea · · Score: 2, Insightful
      Very well put.

      From my observations, I have concluded the following two reasons as being responsible for security breaches in computer systems.

      One: Not knowing your priorities. Even if you hire the best security personnel in the industry, if you don't know what is THE MOST important aspect of your business you want to guard, you are destined to be owned. People talk about security without specifying what exactly they are securing; this leads to lots of holes in your security.

      This leads to common mistakes like putting your database in the same DMZ as your webserver; even if your webserver is running SSL, this is a disaster waiting to happen.

      Second point is the inability to recognize your enemy. Knowing your enemy goes a long way in implementing your security strategies. Contrary to popular belief, the people who attack your network are not some international +3rr0r15+5 but people who are interested in your money (i.e. credit card details, bank statements, financial records) etc., or some prick who just wants to prove a point. Having paranoid delusions about your enemy does not really help.

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    10. Re:Again, not a surprise by Anonymous Coward · · Score: 0

      Contracting out security is nearly impossible. The contractor doesn't have the *authority* to make the social changes necessary to secure a system. They can deploy all the security infrastructure they want, but without authority over the people who will be using the system daily there's little point in trying to secure it.

    11. Re:Again, not a surprise by pointbeing · · Score: 2, Interesting
      I'm a sysadmin for an agency under DoD - those contractors work for me, sort of.

      The government's responsibility in IT is project management - at least in the agency I work for. You wouldn't expect your CIO or any other manager to be 100% up to speed on latest IA trends - that's what we have contractors for. Government IT professionals make decisions based on input from the people who actually do the work.

      I've worked both sides of the fence. I spent four years in this agency as a contractor heading up desktop support - at the time we had 3200 users in >100 locations. I started as a federal employee two years ago and now supervise the same contractors I was working with.

      I'm not bashing you, but if the government doesn't pay you enough, maybe getting another job is an idea? I don't know anyone who was forced to take a job with the feds - it's reasonable to expect IT professionals to do the best job they can and identify where their employer is deviating from best practices.

      That's why they call them professionals.

      --
      we see things not as as they are, but as we are.
      -- anais nin
    12. Re:Again, not a surprise by div_2n · · Score: 1

      You missed the point. If a company comes to me and says, "We want to do credit card transactions for our web site. We only run Windows. Due to our network setup, the server would have to run in our DMZ unprotected by a firewall."

      Not that this scenario is likely, but it _could_ happen. I would honestly laugh and then tell them they needed to find someone else willing to do something that was a monumentally bad idea.

    13. Re:Again, not a surprise by bleh-of-the-huns · · Score: 1

      I happen to be one of those contractors (although the agency I am in is not listed thankfully, but I have not been able to find the full text of who got what report).

      This is not an issue with contractors or subcontractors. This is an issue of money, plain and simple; you try to hire enough personnel and buy the right equipment when there is no money to do so.

      We work with what we have, and do our best, until those people in the position to fund security departments better, security will always be adhoc

      --
      I came, I conquered, I coredumped
    14. Re:Again, not a surprise by pointbeing · · Score: 2, Interesting
      If you have administrators who are limited by inept guidance, what do you expect!

      Being a federal employee and a sysadmin I expect the contractor to inform his government.

      I just used the DoD Wireless STIG to draft an 802.11 policy for the agency I work for. It actually wasn't a bad piece of work :)

      DISA is still trying to make 802.11 impossible in DoD - but we're working out the kinks now.

      --
      we see things not as as they are, but as we are.
      -- anais nin
    15. Re:Again, not a surprise by poot_rootbeer · · Score: 1


      Wait... so you KNEW that coders working on government contracts were failing to provide adequate implementations of required security measures?

      While I'm not one to use the word "treason", if you failed to alert anyone to this behavior, that could certainly be construed as a failure to fulfill your civic duties.

    16. Re:Again, not a surprise by SlamMan · · Score: 1

      However, you've also got to remember that as a contractor, there are certain things you're not allowed to do that a government worker would, including saying something like "this needs to be done". That apparently financially obligates your contracting company to get it done (as screwy as that sounds).

      --
      Mod point free since 2001
    17. Re:Again, not a surprise by cspenn · · Score: 1

      Oh, I made mention of it.

      Guess what?

      I got canned for mentioning it.

    18. Re:Again, not a surprise by calyphus · · Score: 1

      You've never heard the phrase 'close enough for government work," have you?

      --


      The potato it is uninformed.
    19. Re:Again, not a surprise by pointbeing · · Score: 4, Informative
      Every government IT contract includes a "statement of work" that outlines what the government expects the contractor to do and the contractor doesn't have to do anything that's not in that statement of work. Maintaining IT security is part of the day-to-day operation of a government network and generally no modification to the contract is necessary.

      But - when something falls outside the realm of normal IT operations the contractor can ask for more money - as an example we bought about a hundred firewalls to deploy to satellite offices. The contract we have with IT support staff allows X number of billable hours per job description. Installing and maintaining those firewalls was not factored into the contract so the contract was modified and IA staff increased by four people.

      "This needs to be done" doesn't necessarily obligate the contractor. It does if it's part of the normal duties outlined in the contract, but if it exceeds time and materials outlined in the contract the contractor has the right to ask for more money.

      --
      we see things not as as they are, but as we are.
      -- anais nin
    20. Re:Again, not a surprise by k12linux · · Score: 3, Interesting
      I work for one of these contractors. Frankly, we do exactly what they ask us to do.

      If these departments want to be secure, they need to give guidelines up front

      Frankly I'm not surprised. The whole "lowest bidder" framework is crap in most cases. Here is the process for building our last new school (from a tech standpoint anyhow) if anybody is interested:

      1. Meet with contractor and give very detailed instructions about required wiring closets, cabling, cable drops, etc.
      2. Eventually get a copy of the bid specs and floor plans.
      3. Go over very thick specs book with your stuff scattered all over it and look over floorplans.
      4. Meet with contractor again and point out that a) there are NO wiring closets, b) drops are not marked on plans, c) none of the fiber you asked for is included, and d) the cable types are not what you specified.
      5. Receive addendum to specs which appears to fix everything.
      6. Specs go out for bid.
      7. Vendor who you have worked with before realizes things still aren't right and doesn't want to lose out on the bid but doesn't want to get a bad image with you either, so sets up a meeting to point out all of the remaining problems with the specs. (This only happens if you are lucky.)
      8. Send revision request to the contractor/architect again and another addendum to the specs is released.
      9. Finally get everything out to bid.
      10. Choose who gets the bid (again, this was fortunate because often it just goes to the low bidder.)
      11. Sub-contractor contacts you to point out that the architect put some copper runs over 400 feet long despite the fact that a wiring closet was right across the hall. (This often doesn't happen with the low bidder.. they just do the job as the specs/plans say... any mistakes.. too bad, the job is up to spec.)
      12. Eventually building is done and you still find stuff that isn't right.
      12. Eventually building is done and you still find stuff that isn't right.

      With the "lowest bidder" mentality, your specs better be PERFECT and include EVERY little detail on the setup and configuration. You can't assume ANYTHING. You had better include all the details or at least reference standards which do. The vendors who care to do a good job won't get the contract because they'll come in with a higher bid.

      The ones who don't care usually win because they bid exactly what is in the specs... no more, no less. If there is a mistake, they'll build it with the mistake in place. If there is a security hole, guess what.. it goes into the system. And if you aren't writing the specs yourself, watch out. You might get an architect like we had who in one meeting finally admitted, "Well, I really don't know much about this computer cabling stuff."

    21. Re:Again, not a surprise by ghostmagic · · Score: 1

      Exactly. Gov't contracts are performed by the lowest bidders. Just like our nukes.... Makes you feel safe, huh?

    22. Re:Again, not a surprise by 4of12 · · Score: 1

      separate contractors.

      That's more economical, to be sure.

      But it only works if you have that internal security guru that knows the nuts and bolts of what is being installed.

      If you don't have a good expert that's willing to call 'em as he sees 'em, then choosing multiple contractors will provide a blame diffusion mechanism with the contractors pointing fingers at each other.

      Consequently, more than a few government entities scarce on IT knowledge have little choice but pay premium prices for All-in-One services.

      It's a shame, but it happens.

      --
      "Provided by the management for your protection."
    23. Re:Again, not a surprise by pointbeing · · Score: 1
      Consequently, more than a few government entities scarce on IT knowledge have little choice but pay premium prices for All-in-One services.

      I can't argue this at all. The reason I'm a federal employee instead of a contractor now is that I have nine years of military service that counts toward retirement if I work for Uncle Sam instead of the contractor. Took me four years to find a government position in my location commensurate with my salary and experience. I took a $10k salary hit but I'll get to quit working almost ten years earlier than I would as a contractor :)

      IMO if you can't do your job you need to be trained or fired - and that applies to federal employees as well. I have pretty close to 20 years IT experience - 18 of them in the civilian sector, a reasonably long list of certifications and a whole pile of corporate experience. Project managers don't need to be the alpha geek on the team but they do need to be able to speak intelligently to IT contractors - and like I said, if they can't they need to be trained or fired.

      My current rant: Three years ago the DoD agency I work for decided to migrate a terminal-based Unix application to web application from a Major Relational Database Company Who Shall Remain Nameless.

      I said at the time that users at remote sites would see fairly major performance issues because it's the nature of HTML to refresh entire screens instead of single characters like the terminal emulator did. To make a long story short, the government didn't include application performance as a criterion in the statement of work.

      The contractor finished the application - which is currently unusable by 2/3 of our employees who connect to the application across a WAN. Since nobody wrote performance metrics into the contract we ended up paying the contractor $6M for the application and then modifying the contract at pretty significant cost to get the performance issues fixed.

      See? If everybody listened to me the government would run much smoother :)

      --
      we see things not as they are, but as we are.
      -- anais nin
    24. Re:Again, not a surprise by pointbeing · · Score: 1
      And again, I'm not picking on you, honest. I like contractors - I used to be one. My mistake for assuming that when you said the government didn't pay enough for people to put out 110% you were talking about your own compensation. My apologies.

      I don't work with desktops any more - my job is corporate IT architecture these days.

      Your thoughts here are the same as the ones I see in my own organization - contractors spend so much time putting bandaids on things that the real problem doesn't get addressed.

      But you're right - the contractor lowballs the job so they'll get the contract and there often isn't enough money in the contract to do the job right, because if the contractor bid enough to do the job correctly they'd price themselves right out of the competition.

      Best the contractor can do is get in the door and then try to get the contract modified to get the job done right - and then they run right into the federal bean counters and that's about as far as it goes.

      Again, my apologies. I thought you were bitching about your salary and saying you weren't paid enough to do a good job. The bottom line is that in order to win the contract you have to show an attractive bottom line - and the mentality in the government these day is to do it cheap rather than doing it right.

      We do spend more money on stupid stuff than they do in the private sector, though :)

      --
      we see things not as they are, but as we are.
      -- anais nin
    25. Re:Again, not a surprise by GSloop · · Score: 1

      Trying to "guess" your enemy might be slightly productive, but often is taken way too far. In short, I can't think of who my enemies might be - thus I must not have any, and don't have to worry about security.

      Can you figure out when and why you'll be a victim of vandalism? Nope. Security's much the same game. The real focus should be: what's the potential damage and its associated costs? These issues will guide you in knowing how to secure, how much to spend and related issues.

      (I know, I'm preaching to the choir, but anyway...)

      Cheers,
      Greg

  3. news alert: not shocking by jaredmauch · · Score: 5, Insightful

    I think that until there is significant user education on this topic, some of the issues raised (weak passwords, for example) won't ever be fixed. I think that the movement to a smart-card (oh wait, DirecTV will sue you if you try this, but...) based approach to authentication is the best way. You need the card and a PIN or other text-based password in order to authenticate yourself. This is how a lot of people work, with these private tokens (e.g. SecureID). They are a PITA, but help keep unwanted people out.
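    The card-plus-PIN scheme described in the comment above, as an added example that is not from the original thread or any vendor's product: a minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) one-time-code generator of the kind a hardware token computes, beside a server-side check that requires both the PIN (something you know) and the current token code (something you have). The token seed is the RFC 4226 test key, the PIN, salt and time values are constructed for the demo, and the storage and verification functions are my own illustration.

```python
import hashlib
import hmac
import struct

# RFC 4226 test key. In a real deployment this is the per-token seed provisioned into
# the card or fob and stored (encrypted) on the authentication server; never a shared default.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time (30 s steps)."""
    return hotp(secret, unix_time // step, digits)


def derive_pin_hash(pin: str, salt: bytes) -> bytes:
    """Server-side PIN storage: salted, iterated PBKDF2 so a stolen user table does not
    hand the attacker the PINs (the 'something you know' half of the scheme)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def verify_two_factor(secret: bytes, pin_hash: bytes, salt: bytes,
                      pin: str, code: str, unix_time: int,
                      step: int = 30, skew: int = 1) -> bool:
    """Accept only if the PIN matches AND the code matches one of the 2*skew+1 time steps
    around 'now' (tolerates token/server clock drift). Both factors are always evaluated,
    with constant-time comparisons, so a failed attempt does not reveal which one was wrong."""
    pin_ok = hmac.compare_digest(derive_pin_hash(pin, salt), pin_hash)
    code_ok = False
    counter = unix_time // step
    for candidate in range(counter - skew, counter + skew + 1):
        # '|=' rather than 'or' so every candidate is computed regardless of earlier matches
        code_ok |= hmac.compare_digest(hotp(secret, candidate, len(code)), code)
    return pin_ok and code_ok


if __name__ == "__main__":
    # Constructed enrolment record for one user (demo values only).
    salt = b"constructed-demo-salt"
    stored_pin = derive_pin_hash("2468", salt)
    now = 59                                   # RFC 6238 test instant
    print("token shows:", totp(DEMO_SECRET, now))
    print("login ok:", verify_two_factor(DEMO_SECRET, stored_pin, salt, "2468", totp(DEMO_SECRET, now), now))
```

    What this leaves out, and a real deployment adds: rate limiting and lockout on the PIN, rejecting reuse of a code that has already been accepted (replay), and keeping the seed store at least as well protected as the password database it replaces. The point the comment makes survives in the code: a phished or weak PIN alone fails, and a stolen token alone fails.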

  4. Scary by tuxette · · Score: 0, Redundant
    The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission.

    I gladly await their lame excuses. Otherwise, reading this sends a chill up my spine.

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...
  5. Re:Grades by nberardi · · Score: 1

    You really think the Department of Homeland Security uses Windows to protect the outer wall of their network? Come on, stop spreading FUD. I don't know many companies that use Windows to protect their outer network. Even Microsoft uses FreeBSD in a lot of the outer layers of their network for its firewalls.

  6. Re:Naturally by grub · · Score: 1


    Bah humbug, fire the lot of them.

    Firing these people would help security how exactly?

    --
    Trolling is a art,
  7. let me get this straight by perlchild · · Score: 4, Interesting
    As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State.

    so let me get this straight, if all those failed security provisions are hacked, you'd get:
    1) hacked into the place that controls whether or not you go to prison (funny, they're also the ones that investigate election fraud if I recall; I could be wrong, I'm Canadian)
    2) hacked into the place that controls nuclear power plants
    3) hacked into debt(identity theft) through the place that controls employment, etc...
    4) hacked into the place that determines if there is war or not
    (Agriculture, Interior, and Housing and Urban Development weren't good targets)

    *notices how Canada doesn't announce that kind of thing, I think they're embarrassed at how badly they do*
    1. Re:let me get this straight by Anonymous Coward · · Score: 1, Funny

      *notices how Canada doesn't announce that kind of thing, I think they're embarrassed at how badly they do*

      WTF are you talking about. That has to be the sixth least coherent resemblance of a sentence structure which has sullied the pages of Slashdot to date.

      Kudos to you sir! Despite all efforts to the contrary, you managed to avoid any form of education or higher learning.

    2. Re:let me get this straight by Savage-Rabbit · · Score: 3, Funny

      4) hacked into the place that determines if there is war or not

      Phew!!! One shudders to think what would have happened if Saddam Hussein had known this back in March, "Operation Canadian freedom" ????

      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    3. Re:let me get this straight by corbettw · · Score: 4, Informative

      3) hacked into debt(identity theft) through the place that controls employment, etc...

      Actually, DHHS controls Medicare and related programs, not unemployment. Unemployment details are left at the state level down here. Though if the IRS (part of the Treasury Department) were hacked, you would get completely screwed. (DHHS is also the office of the Surgeon General, so maybe tobacco companies could use this to get a ringing endorsement.)

      Also, the State Department controls things like visas, so hacking in there could be a step to getting into the country in the first place.

      Hacking the Interior and Agriculture departments could be useful to get yourself some free money. They both have pretty large budgets for either grants or subsidies. I believe the Indian Bureau is part of the Interior, too, so maybe some random tribe could use it to get more money.

      Housing and Urban Development gives money to poor people in the inner city, so someone could easily use them to embezzle obscene amounts of money.

      The one I'm most scared of is the Department of Energy. They're responsible for keeping nuclear weapons from being smuggled into the country. If someone tried to float a nuke up the Chesapeake, for instance, the boys in the Energy Department have the tools to notice it and alert the Navy and Coast Guard. So getting root there means you can wave your fingers and tell everyone "this is not the tanker you're looking for."

      --
      God invented whiskey so the Irish would not rule the world.
    4. Re:let me get this straight by poot_rootbeer · · Score: 1


      It's unfair to say that any of these agencies "control" anything. They may establish macro-level policies, but it's not as if by hacking the Justice Dept. you can get a friend released from prison, or by hacking the Dept. of Energy you can initiate a core meltdown in one of the nation's (privately-owned) nuclear power plants.

      Our government doesn't make all of our decisions for us. (Yet...?)

    5. Re:let me get this straight by hackstraw · · Score: 1

      Yeah, and even if a Canadian (just kidding) can figure out what can be done after reading a 5-minute blurb on Slashdot, think about what a halfway bright and motivated hacker might do.

      My question, if these systems are so easy to get into, is there any kind of disclosure by the govn't regarding these breaches? It seems to me like it might be important.

      Btw, I'm at a DOE lab right now. I haven't tried breaking into anything, but it appears as though security is pretty tight here and we don't have any really interesting data that people might want to steal. Every machine here is behind a firewall, and I believe that there are only a handful of ports and services that are available to the outside world, and those are watched pretty well.

    6. Re:let me get this straight by Anonymous Coward · · Score: 1, Funny

      It's written in Canadian, that's why you don't understand it. Let me translate it for you to American:

      "Y'all notice that them dumbass Canadian hicks don't announce that ass stuff, huh! That's cause their ass is too embarassed at harboring terrorists, huh! God bless America, and may our children's ass be protected from the evil sight of women's nipples. Yo yo yo!"

  8. Re:Naturally by Gizzmonic · · Score: 0

    Tell me, spirits, are these h4x0rz that must be, or shades of what might be?

    --
    (-1, Raw and Uncut is the only way to read)
  9. High Expectations. by Anonymous Coward · · Score: 4, Insightful

    Let's flip this 180. Is there anything those agencies would get an "A" on? Didn't think so, so why should we be disappointed with this news?

  10. Here's the score and grade breakdown by dat00ket · · Score: 5, Informative

    Agency            Score   Grade
    Agriculture        40     F
    AID                70.5   C-
    Commerce           72.5   C-
    DOD*               65.5   D
    Education          77     C+
    Energy             59.5   F
    EPA                74.5   C
    GSA                65     D
    HHS                54     F
    DHS                34     F
    HUD                40     F
    Interior           43     F
    Justice            55.5   F
    Labor              86.5   B
    NASA               60.5   D-
    NRC                94.5   A
    NSF                90.5   A-
    OPM                61.5   D-
    SBA                71     C-
    SSA                88     B+
    State              39.5   F
    Transportation     69     D+
    Treasury*          64     D
    VA*                76.5   C

    Government-wide average    65     D

    1. Re:Here's the score and grade breakdown by TedCheshireAcad · · Score: 5, Funny

      Well that's before the curve. We're probably looking at a B- if the professor isn't a dick.

    2. Re:Here's the score and grade breakdown by kiwimate · · Score: 2, Funny

      Looks like they need to bring in some university professors as consultants on grade inflation.

    3. Re:Here's the score and grade breakdown by WebMasterJoe · · Score: 5, Funny

      Slight correction on NASA's score - that's in metric, should actually be 92.4.

      --
      I really hate signatures, but go to my website.
    4. Re:Here's the score and grade breakdown by Anonymous Coward · · Score: 0

      So the Department Of Homeland Security actually got the lowest grade of them all? And the State Department following closely.. what a fucking joke. What's the budget of the DHS again? WTF are they doing with that cash??

    5. Re:Here's the score and grade breakdown by Anonymous Coward · · Score: 0

      FBI Late result
      CIA No score draw

    6. Re:Here's the score and grade breakdown by Petronius · · Score: 1

      Exactly. Expect the Bush whitehouse spin machine to kick in anytime soon.

      --
      there's no place like ~
    7. Re:Here's the score and grade breakdown by bourdeau · · Score: 1

      I'm a bit surprised by the D- for NASA. I was a NASA contractor for many years, and about 5 years ago NASA got very serious about implementing the requirements of OMB Circular A-130, Security Management of Federal Automated Information Resources. In particular, NASA developed a set of its own stricter guidelines to respond to Section III of the OMB circular. NASA referred to this as NPG 2810 and instructed all program-related data centers and contractors to implement it post-haste.

      Money was added to our contract to facilitate the implementation; the NASA CIO oversaw the implementation effort and assigned both security contractors and internal security managers to coordinate it. The schedule was fast paced, and within 3 months we had completed 3 detailed plans: Risk Assessment, IT Security, and Contingency. We then had 6 months to implement. After 6 months we were audited by an independent security team. We were audited every 6 months with proactive scanning, plan checks, security background checks, and other auditing methods.

      About 1.5 years after kicking this effort off, we asked to begin penetration testing, and NASA hired an independent contractor to conduct an aggressive penetration test. NASA demanded compliance, we were responsive, and NASA provided the resources (including training). While I don't know how comprehensively NASA applied this same attitude to all of its programs, they were very aggressive with all contractors as well as NASA-run data centers within the same program area. I'm flabbergasted to see a D-grade for them!

    8. Re:Here's the score and grade breakdown by corbettw · · Score: 2, Interesting

      DHS 34 F

      Who's surprised that the department charged with protecting our nation's infrastructure got the lowest score?

      Tell me again that government is the answer to all life's problems.

      --
      God invented whiskey so the Irish would not rule the world.
    9. Re:Here's the score and grade breakdown by MrNybbles · · Score: 3, Funny

      I will sleep much better knowing that I will have power (NRC), people promoting science (NSF), and Social Security which I will pay into all my life and not get my money's worth (SSA).

      Who needs the Department of Agriculture anyway? It's not like crops will stop growing if the computers are hacked, right?

      As for the DOD getting a D, well it already has two D's so how much could a third D hurt?

      The EPA got a C. So what if they are hacked. It's not like all of a sudden I can't see the mountains in California; I can't see them now anyway. What's the worst that could happen? Someone hacks the EPA, screws up the computers and. . ., and what? The EPA loses track of who polluted what, maybe?

      **cough never underestimate the human potential to create chaos cough**

      --
      Losing faith in humanity one person at a time.
    10. Re:Here's the score and grade breakdown by jd · · Score: 5, Insightful
      To put this in a bit of context, the DoE has its own network intrusion detector package, which is encrypted so that only DoE people can use it. (Which is dumb, as it also means nobody can audit it, and it's so much extra work, it's likely little used.)


      NASA passed a directive over 5 years ago that all machines were to be behind a firewall, and that public webservers were to be accessed via proxies. In practice, a lot of servers stayed outside of the firewall and security procedures are often ignored.


      Probably the worst cases are servers that are accessed by rsh (not ssh - just plain rsh) with .rhosts enabled and used. These servers are amazingly vulnerable. Why? For three reasons.

      • First, the servers need to be accessed by archaic scripts on a range of external servers. This would almost be a reasonable excuse, if other authentication systems didn't exist.
      • Second, NASA (and other Govt agencies) are kept rigidly to the FIPS-180 standard. So rigidly, in fact, that many Govt. agencies are extremely wary of using software that is not specifically stated as approved, even if all the internals are approved. For example, let's say you have an approved implementation of DES, and you then have either NIST's or the DoD's version of IPSec use that for the encryption. Sorry, not OK. IPSec is not on the list. It may be 1000% better than rsh with .rhosts, it may eliminate one of the stupidest vulnerabilities, but they aren't authorized to use it.
      • Ancient software. This is a killer for many organizations. We are not talking a few weeks out of date, here. We're talking five to ten YEARS out of date, where there are more advisories on vulnerabilities than there are lines of code. In a few cases, vulnerable code that is decades old is still used. I've seen this in virtually every place I've worked. If you want to be secure, you can't just ignore these things. So why do they? There's no incentive to clean things up. Admins get paid to keep the bosses happy. They are not paid to perform major in-depth security audits, and are certainly not paid to find problems. Those cost money to fix. Finding problems is BAD.


      Why are skript kiddies so successful? Because their code is any good? Don't make me laugh. They're successful because the rules and regulations any organization needs to be successful are wantonly abused, preventing essential maintenance, often because reloading from backup tape is a cost that can be written off, whereas paying for decent security might hurt the balance sheet.


      In the case of Government, cost is usually not the reason. Power politics, computer-illiterate officials and self-preservation are far more common. Hackers can be passed off as inevitable. Finding gross failures in the system, though - that would be embarrassing and potentially fatal to a career.


      It's time to wake up. It's time for Government departments to realize that the rules are intended to promote security, by ensuring that buggy code is prevented from being used. The rules were never intended to impose buggy code! Nor were they intended to encourage faulty practices.


      I do not consider it acceptable that an organization that has taken on the responsibility of running the country cannot be relied upon to even run a server properly. If you cannot be trusted with something minor, how can you be trusted with something major?


      This will never happen, but I believe that any Government agency that scores below a "B" on any task that it performs should be relieved of that task. I would like to see something similar in the private sector, with shareholders actively enforcing high standards (and thereby raising the value of the stock) rather than relying on the price to magically rise of its own accord.


      These are the kinds of standards an employee would be held to, for designated work. Why, then, should implicit work be held to a lesser standard?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
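      The rsh/.rhosts exposure described above, as an added audit example that is not part of the original comment: a Python script that parses hosts.equiv and per-user .rhosts files (one "host [user]" entry per line, "+" meaning "any", a leading "-" meaning deny), flags wildcard trusts as critical and plain host trusts as medium (the r-protocols authenticate on source hostname/IP alone, with no cryptography), and lists which r-services are still switched on in inetd.conf. The sample files are constructed for the demo; the temporary directory layout and the severity labels are my own assumptions, not anything from NASA or DoE.

```python
import os
import tempfile

# Constructed sample files standing in for what an old server might carry.
SAMPLE_HOSTS_EQUIV = """\
# trusted hosts for rlogin/rsh
build1.example.gov
+ +
"""

SAMPLE_RHOSTS = """\
archive.example.gov   batch
+
-badhost.example.gov
"""

SAMPLE_INETD = """\
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
shell  stream tcp nowait root /usr/sbin/tcpd in.rshd
login  stream tcp nowait root /usr/sbin/tcpd in.rlogind
"""


def trust_findings(text, source):
    """Parse hosts.equiv / .rhosts syntax and return (source, line_no, severity, reason)
    for every entry that grants password-less access."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user and user.startswith("-")):
            continue                                 # explicit deny entry, not a grant
        who = "any user" if user == "+" else (f"user {user}" if user else "same username")
        if host == "+" or user == "+":
            what = "any host" if host == "+" else f"host {host}"
            findings.append((source, line_no, "critical",
                             f"{who} from {what} gets a shell without a password"))
        else:
            findings.append((source, line_no, "medium",
                             f"{who} from {host} trusted on hostname/IP alone (spoofable)"))
    return findings


def rsh_services_enabled(inetd_text):
    """Return the r-service entries (shell=rsh, login=rlogin, exec=rexec) still active."""
    active = set()
    for raw in inetd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        service = line.split()[0]
        if service in ("shell", "login", "exec"):
            active.add(service)
    return sorted(active)


def audit_tree(root):
    """Walk a filesystem root for hosts.equiv and every .rhosts and audit each one."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in ("hosts.equiv", ".rhosts"):
                path = os.path.join(dirpath, name)
                with open(path) as fh:
                    findings += trust_findings(fh.read(), os.path.relpath(path, root))
    return findings


def build_demo_tree():
    """Lay the constructed samples out like a real root (etc/, home/<user>/)."""
    root = tempfile.mkdtemp(prefix="rhosts-audit-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "home", "batch"))
    for rel, body in (("etc/hosts.equiv", SAMPLE_HOSTS_EQUIV),
                      ("home/batch/.rhosts", SAMPLE_RHOSTS),
                      ("etc/inetd.conf", SAMPLE_INETD)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


def run_demo():
    root = build_demo_tree()
    findings = audit_tree(root)
    with open(os.path.join(root, "etc", "inetd.conf")) as fh:
        services = rsh_services_enabled(fh.read())
    return findings, services


if __name__ == "__main__":
    findings, services = run_demo()
    for source, line_no, severity, reason in findings:
        print(f"{severity:8} {source}:{line_no}  {reason}")
    print("r-services still enabled in inetd.conf:", services)
```

      The remediation is the one the comment implies: comment out the shell/login/exec lines in inetd.conf, delete hosts.equiv and every .rhosts, and move the "archaic scripts" to ssh with per-host keys, which gives the same non-interactive access without trusting a spoofable hostname. Run with a real root path (`audit_tree("/")`) on a box you administer to see whether the old trust files are still there.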
    11. Re:Here's the score and grade breakdown by GMFTatsujin · · Score: 4, Funny

      In other news: President Bush announced today that as part of his "No Government Agency Left Behind" plan, any agency that could not show marked improvement in performance within 16 weeks would be grounded, have its allowance withheld, and would not be allowed to go to Prom. In related developments, the NRC and NSF would like their lunch money back.

    12. Re:Here's the score and grade breakdown by MindNumbingOblivion · · Score: 1
      I wish your professor were grading my Modern physics test...

      *sigh*

      --
      #define CLUE 0
    13. Re:Here's the score and grade breakdown by Sloppy · · Score: 1
      More insightful than funny. The curve is exactly what will happen. Consider who judges government's performance, and how they do it.

      Ever hear this one: "If you don't like America, name a better place."? Suddenly, despite its problems, America gets an A.

      The professor isn't a dick. In fact, he's very generous and forgiving.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    14. Re:Here's the score and grade breakdown by Anonymous Coward · · Score: 0

      Thanks for pointing out why NASA got a D-.

    15. Re:Here's the score and grade breakdown by adamruck · · Score: 0

      in more related news Bush says all government agencies must be above average

      think about it

      --
      Selling software wont make you money, selling a service will.
    16. Re:Here's the score and grade breakdown by shis-ka-bob · · Score: 1
      I agree with most of this. However, the government didn't take control. The citizens of the US seized control and formed a government. If we allow ourselves to think that 'the government' does things without our consent, we must fight so that the electorate keeps its control. The government must DERIVE its power from us.

      Exercise your power by writing to your representatives. If that is not enough, do more. We dare not expect the government to act unless we do.

      --
      Think global, act loco
    17. Re:Here's the score and grade breakdown by Ray+Radlein · · Score: 1

      I'm amazed that Interior managed to achieve a grade as high as "F" -- frankly, I would have expected them to have to invent entirely new letters to fully encompass the magnitude of insecurity in their computer systems.

      On several occasions, Interior has been forced to take their entire public network offline due to rampant insecurity, especially in the portions of the network which control the billions of dollars in the Bureau of Indian Affairs' American Indian Trust Fund, which is still offline (with good reason, due to the fact that it had, essentially, no security, and that no one actually knows how much money should be in the Trust Fund, which would make detecting any electronic diversion of those funds pretty damned difficult). The Bureau and the Department have spent millions of dollars commissioning security reports which they later admitted to not having read; they have spent tens of millions of dollars to secure their networks, only to have to admit that they are still completely insecure.

      I'm pretty sure that on at least one occasion a twelve year old playing "Super Mario Tetris Cart 2001" accidentally sold the state of Utah to the Seminole indians by pressing Up-Left-Triangle-Right-Circle-Circle-Down on the "High Score" menu.


      The truly scary thing is that State got an even lower grade on security than Interior.

      Actually, now that I think about it, this makes a lot of sense: Many recent foreign policy decisions we have made can best be explained as the work of a bunch of bored teenaged l33t haxors who have gained control of State's network.

    18. Re:Here's the score and grade breakdown by jd · · Score: 1
      I agree with the political theory, and honestly believe that the US Govt would not only have better computer security but would be better all round if it did derive its power from its citizenry.


      This, after all, is the logical way to run a Government and has been seen as the "ideal" since 1250 AD.


      If half of Slashdot's readers put the same kind of pressure on their representatives as they do on poor, innocent webservers every time there is a new article posted, it would be hard to ignore. The potential, even if it's never used for actual change, but just results in more aware questions being asked, is considerable.


      While politicised geeks are unlikely to occur overnight (most people who pursue knowledge for the sake of it are unlikely to pursue power for the sake of it), I do believe it is a concept that is worth investigation. Problems are often allowed to fester and become unmanageable, because knowledge and power so rarely coincide.


      CmdrTaco for President, anyone?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  11. This is no surprise! by Psychron · · Score: 0, Redundant

    But then again, I don't think they're too terribly concerned about it. They're the U.S. Government. If they have a problem with someone breaking into their system, they'll either bomb the heck out of that country, or send a bunch of Feds in to arrest/confiscate/execute said hacker and related equipment.

    So I don't know if it's really that big of a deal when you really think about it. We squash those that choose to meddle in our affairs. :) Gotta love this country!

    1. Re:This is no surprise! by Anonymous Coward · · Score: 0

      Like for the 9/11 attacks?

    2. Re:This is no surprise! by segment · · Score: 1

      However, to redo the systems right now, and have them made secure by professional people would probably cost even more, so...

      Not necessarily so. Trusted Solaris meets gov C2 security specs out of the box. It would cost a slight bit more as opposed to normal Solaris, but the TCO in the long run is better than using normal Solaris.

      Security breaches are pretty rare because physical security people are everywhere in these places, (james bond stuff aside). Unsure of what's been going on nowadays since I stay away from the security scene, but in the mid - late 90's gov servers were getting hit up pretty much everyday.

      Hacking I can't comment on because I don't really know how often that happens, but if it does, i'm sure they wouldn't tell anyone... ;)

      That's not the case either. The gov would do everything to whore a case like that out in order to fetch more money for their departments. "We need X_AMOUNT more to secure our systems against hackers." You would then see an entire slew of arrests for anything and everything under the sun. If you take the time to view the casefiles at Cybercrime.gov, you will see a boom in cases. I heard a 'rumor' a while back that some database system was initiated during the Janet Reno regime, that the feds undertook to map out aliases with names, etc., and whenever they needed some budget funds, they yanked names out of this DB. This is only a rumor however, and even if I could prove it, I wouldn't obviously.

      Do some quick analysis of cases, crimes, and the govs response to situations, something isn't always picture perfect, but at times it is understandable as they aren't clued in to what exactly is happening at times. It's how they make laws sometimes

    3. Re:This is no surprise! by jon3k · · Score: 1

      You're assuming they recognize the attack and identify the perpetrator. These people are so clueless that they're probably being used to relay spam for god's sake.

  12. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  13. Hey.. by 56ksucks · · Score: 1

    ... The US Government has crappy computer security! Let's tell everyone!

    --

    ---- "Excuse me. Where's the children's gun section?"

    1. Re:Hey.. by Anonymous Coward · · Score: 0

      haha

    2. Re:Hey.. by snatcheroo · · Score: 1

      You mean you didn't know already?

  14. NSF got A by KD5YPT · · Score: 5, Insightful

    See what we get when there's an agency run mostly by intellectuals and not bureaucrats?

    --
    In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
    1. Re:NSF got A by Anonymous Coward · · Score: 0

      They are probably run by the same nerds that screwed up the curve in my math class.

      bastards.

    2. Re:NSF got A by jc42 · · Score: 1

      So what deep, dark secrets does the NSF have to protect?

      Aren't they one of the agencies that pretty much publicizes nearly everything they do? Yeah, I suppose some of their funding discussions are kept quiet until they make a decision. But then the results (and much of the reasoning) are put online for anyone to read.

      Now if we could just make the rest of the government open and accountable ...

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  15. Possible reasons by vchoy · · Score: 4, Interesting

    This is MHO:

    Look how much is spent on 'physical' security and you will see why. A Government agency that is physically attacked (eg bomb, chemical, bio) usually results in human casualties/lives...and is very hard to cover up.

    Now look at attacks on computer security (eg cyber attacks, worms, compromised systems). A Government agency that is 'electronically' attacked 'APPEARS' to not result in human casualties/lives.

    Notice I stressed the word 'appears' in my last comment. I say this because it may be the real situation OR it maybe we don't know as previous cases have been covered up...as it is easier for an organisation to cover up these types of attacks.

  16. Time to learn ..... by Archangel+Michael · · Score: 1, Insightful

    from Battlestar Galactica.

    The best security is good old fashioned non-networked computers. Wireless is bad. Know the source (code), and don't buy applications and OSes from shifty amoral uber-geeks, even if they are smarter than you.

    "The war is over, we lost"

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Time to learn ..... by Archangel+Michael · · Score: 1

      and I was going for "Troll" or "Funny" not "Insightful". Oh well.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  17. I'm surprised it wasn't an 'F' Overall by instantkarma1 · · Score: 3, Interesting

    After my experiences dealing with DOD contractors, and their use of firewalls. Specifically, firewalls were used to strip out javascript on the fly; they were not used to block unauthorized access (that, of course, was left up to the administrator of each individual server).

    Needless to say, this does not lend itself to a centralized, comprehensive security plan.

  18. Re:Naturally by Anonymous Coward · · Score: 0

    Well to start with, it would large numbers of incompetent, L.I.F.E.R.S. (Lazy, Inefficient, Fuckoffs, Expecting, Retirement) off of the Public Teat. This would mean that younger, less entrenched lard asses, would take their place. Younger people have grown up with the technology, I did not say understand the technology, and would be more open to ideas on security, than their predecessors. Having seen the former crop of LIFERS being purged, they would be motivated to increase their knowledge of the subject, lest they be part of the next purge. It is all good UNLESS you are one of the presently entrenched lard asses. Ipso Facto. Plain as your outstretched hand, expecting free money from m.

  19. Makes me wonder by Anonymous Coward · · Score: 0

    Well, the Dept of Energy received a failing grade. It's no wonder the power went out on the east coast on 8/14.

  20. Sad.. by hookedup · · Score: 4, Interesting


    Added Chairman Davis, "I'm deeply concerned that too many agencies have not yet responded to FISMA's requirements; for example, the fact that 79 percent of agencies don't even have accurate system inventories casts doubt over the entire reporting process."

    I work in IT for a govt. agency here in Canada, and to not have an accurate inventory of our hardware is absolutely unthinkable. 79% of agencies having no idea where their systems are (and aren't) is a recipe for disaster.
    This whole thing reminds me of a couple of years back, when a CSIS (Canada's spy agency) agent went to an Ottawa Senators hockey game, leaving her laptop in her car, only to have it stolen when the car was broken into.

  21. Gee... by Stingr · · Score: 0

    "agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State.""

    I'm glad no important government agencies failed the test... oh wait.

    --
    Chaos reigns within.
    Reflect, repent, and reboot.
    Order shall return.
  22. Re:Grades by thinkliberty · · Score: 2, Informative

    Actually they were using Linux (from netcraft.com Microsoft-IIS/6.0 25-Nov-2003 63.208.194.46) until they switched to 2003 server on 11/26/2003.

  23. Ugh. by dwaggie · · Score: 3, Interesting

    The main problem with ALL government agencies is that almost all of their actually employed work is 90% opened only to internal candidates. And they try to fill it in that way. Why? Because background checks cost a lot of money, and getting clearance for people up into the higher echelons would cost even more. That's the main part of your problem right there, really. If they hired more people externally, and paid them what they're worth, no problem at all.

    1. Re:Ugh. by mengel · · Score: 1

      I don't think that's the real reason. Even in the non-security-clearance corners of the government, it takes 3 months on average to get approval to actually hire someone. Most folks who are worth hiring have found another job by then, and don't want to wait another 2 months to see if the request to hire them gets approved...

      --
      - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
    2. Re:Ugh. by Anonymous Coward · · Score: 1, Insightful

      An upper level government employee gets 50k a year before taxes. The government contractors may get paid more, but it's usually not that much more. Government operates on a lowest bidder mentality, even for its contractor work, which will equate to low paid employees.

      The highly skilled people in government work are taken full advantage of. Eventually they get tired of low pay and the long hours and they go find a private company who can pay them 80k+ a year to administer their systems/networks/applications or develop software.

      So, unless you get a person who is good at their job, and will accept low pay in trade for the pride of doing your duty as a patriot (which is quickly becoming a mocked trait), the cream almost always gets taken by the private industry.

      Then there's the fat. Because of bureaucracy and unions, it's nigh impossible to fire a waste of space employee. Those are generally the people who get shuffled around a lot. A lot of the rules that the government has put into place to protect the employee from being shafted have allowed useless people to come in and collect a paycheck every week.

      So, now that we know the problem, what's the solution? Do we raise taxes so that its IT can be paid competitive wages? Do we abolish laws that protect the disabled, or the laws that protect employees' rights?

      I know I would love to have a solution. It's embarrassing to be immediately associated with ineptitude because I'm government IT.

    3. Re:Ugh. by dwaggie · · Score: 1

      It still sort of feeds into the 90% of the openings being for internals. I mean, if you're in, it's easy to move you around, etc. . . if you're out, well, then you're screwed ;)

  24. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  25. here's how bad it is... by theMerovingian · · Score: 5, Funny


    This report card was supposed to be classified.

    --
    "If you think you have things under control, you're not going fast enough." --Mario Andretti
  26. True to form, though, you have to say by ianscot · · Score: 2, Insightful
    The "Department of Homeland Security" is easily the most Orwellian Government entity ever, right down to its name, and it's accomplishing exactly what you'd expect -- giving people the soft fuzzies about someone important working on our security while actively undermining the constitutional protections that've kept us secure.

    Welcome to the new America, where the "Forest Service" has finally completed its transformation into a lumber industry-owned and -operated body, the "Immigration and Naturalization Service" uses a voluntary registration program to evict the foreign residents who show up, and the "Environmental Protection Agency" has its rules set by the industries who're meant to be restrained by them. Meanwhile "Family Planning" is about keeping information away from women -- or about pushing false information to do with bogus correlations between abortions and breast cancer. Oh, and did I mention that when terrorists blow our kids' legs off that's a good thing, because it means we're fighting them where they live? (When they don't blow up our kids, naturally, that's also proof we're winning...)

    We've had our moments before -- the idea of Nuclear deterrent never did quite convince anyone that "Peacemaker" was the perfect name for a missile -- but truly, there's never been a more quintessentially Orwellian moment in American history. This is the real goods. Take a look at that name: "Homeland Security."

    --
    "Fundamentalism" isn't about divine morality. It's about human authority.
    1. Re:True to form, though, you have to say by grub · · Score: 1


      Excellent comment, however I suspect there will be a knock at your door in.. three.. two.. one..

      --
      Trolling is a art,
    2. Re:True to form, though, you have to say by dkleinsc · · Score: 1

      I think you have it somewhat wrong on the Homeland Security Dept. Here's my analysis: If the Homeland Security Dept is supposed to be protecting the citizens of the United States from outside attackers, then what is the Defense Dept defending?

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  27. Take it with a grain of salt by ViolentGreen · · Score: 2, Interesting

    Did you actually expect anything different? Most anytime a report comes out about a government agency, it is bad. The whole point of having a report is to show that it is bad. I'm sure the points that are raised are valid but I hardly think that the report was supposed to be balanced.

    --
    Not everything is analogous to cars. Car analogies rarely work.
  28. Physical Access by rf0 · · Score: 3, Informative

    You can have all the cyber security (firewalls, IDS ) etc you want however there is still the risk of someone just stealing a laptop and getting access to a load of secret files.

    Your security is only as strong as your weakest link

    Rus

    1. Re:Physical Access by Anonymous Coward · · Score: 0

      what was the point of such garbage? You are banned from /.

  29. Re:Naturally by Lipongo · · Score: 1

    I agree that firing them would do nothing to improve the situation except create a lot of disgruntled ex-employees. What should be done is training as well as checks to make sure they are secure, not once a year but randomly and often enough to motivate people to increase their role.

    --
    -Certified TechnoWeinie
  30. errata yadda yadda by segment · · Score: 4, Informative

    Compsec... and they had so called mapped out plans for years now too... (NATIONAL PLAN FOR INFORMATION SYSTEMS PROTECTION EXECUTIVE SUMMARY). One quote I will always remember is something to the extent of "the feds are good at carrying guns not locking down machines."

    There are so many variables involved with government, that they are the ones shooting themselves in the foot. Considering if you're using a machine right, and you know it's insecure, if you took it upon yourself to fix it, you could be charged with a crime. Hell slightly off topic but look at what the gov did with the so called chaplain spy (charged with downloading porn).

    I'm sure gov's IT staff throughout the branches are overwhelmed with things, so it's a bit unfair to call them all clueless gimps or similar. However, and I will throw this out as a `story`: someone stated they worked for a gov agency. The person stated the procedures for daily wipes to ensure things are wiped, etc., ... According to the person, he had never seen it done, because they never bothered with it. Now imagine if one of these machines were thrown out and the machine had material on it that was highly sensitive. It happens more often than some think.

  31. Re:Grades by nberardi · · Score: 1

    Oh okay, I knew it was some kind of *nix they were using. I didn't realize that they just recently switched.

  32. How long before a wakeup call? by csnydermvpsoft · · Score: 3, Insightful

    The only reason that government agencies are able to get away with this is because nothing embarrassing has happened yet. Wait until a hacker manages to get a few thousand social security numbers from a government agency computer - then we'll see some real change.

    1. Re:How long before a wakeup call? by Anonymous Coward · · Score: 0

      Already done, a few years back they had a list of all active duty military officers' SSNs on the net. It included name, rank and SSN.
      Emails were going out to all the officers recommending that they do frequent credit reports to see if they had been the victim of identity theft.

    2. Re:How long before a wakeup call? by Anonymous Coward · · Score: 0

      They have.

  33. As an employee by blankmange · · Score: 5, Informative
    of the Fed, I would have to agree. Where I work, we rely (almost 100%) on Microsoft products (OS, applications built with Office, etc), so we are bombarded with updates, patches, and alerts. Also, I am the tech support in the District Office here, so whenever there is a problem with a workstation, it is usually (75% or so) user-related. In other words, they didn't know what the hell they were doing. My agency is one of the few that actually improved since last year, but we have a very long way to go before I would put my trust in them.

    In addition, those of you who sound surprised, try reading The Myth of Homeland Security by Marcus Ranum (here). It is surprisingly accurate, and not just another 'chicken little' diatribe.

    --
    ...we are from the government - we are here to help...
    1. Re:As an employee by Kyoya · · Score: 2, Interesting

      Well that may be true internally but a spot check of that server list listed all 4 that I looked up as running Solaris with Netscape.

      Kyoya

      --
      To strive, to seek, but not to yield
    2. Re:As an employee by blankmange · · Score: 1

      That may be true as well, but all the workstations and servers are running Windows 2000 or XP (believe me, it is true).

      --
      ...we are from the government - we are here to help...
    3. Re:As an employee by Anonymous Coward · · Score: 1, Insightful

      I'm also an employee of a federal agency, and one thing I do have to say is there are two distinct levels of security.

      There are the workstations, which are all Win2k, with tons of security holes, and we still have a horrible blaster/welchia/nachi problem. However, while they are insecure, they primarily deal with administrative stuff. The most you'd be able to get from hacking 90% of these systems is like a calendar or memos about the Christmas party.

      The REAL data is all kept off-site, locked down in unix machines, with real, professional systems administrators and far, far, better security. You're not even allowed to LOOK at secure data unless you've gone through an IT security course.

      We've also got a firewall that's locked down pretty tight, and very tight controls on outside access to the network -- very few people get in through the firewall, and they all have to use secureID and the access is monitored closely.

      So, while there's SOME reason to be concerned, I don't think the problem is NEARLY as bad as this makes it seem. Basically, I think the main worry with regards to security are internal things like disgruntled employees, not external threats like hacking.

      That said, after I read about what happened to Valve with the Half-Life 2 binaries, I think we are probably vulnerable to a determined cracker like that, who knows exactly what he wants and how to get to it. But then you're talking about a serious criminal endeavor and I don't know how many systems could withstand that kind of attack.

  34. Government Secret Agencies.... by digitalchinky · · Score: 1

    rlogin - nfs - solaris. You've got access, even if you don't... really, you do. Internal security does not exist... The theory from anyone with half a brain is that you have a high level security clearance, thus you 'can' be trusted implicitly. Management have no concept of computer security. After all, most of them think this internet thing is brand new anyway...

  35. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  36. Update by tds67 · · Score: 5, Funny
    They're not saying, however they've issued a guava alert.

    The problem has been traced to kindergarten hackers and has been fixed. Please disregard the following terror-alert color codes:

    Brick Red
    Flesh
    Lemon Yellow
    Prussian Blue
    Spring Green

    Sincerely,
    Homeland Security

    1. Re:Update by Safety+Cap · · Score: 2, Funny

      What?! No "Burnt Umber"??

      --
      Yeah, right.
    2. Re:Update by Anonymous Coward · · Score: 0
      Been a while since you played with crayons, hasn't it? "Prussian Blue" hasn't existed since 1958 and the color "flesh" was removed in 1962 'cause not everyone's flesh is that color.

      See also http://www.crayola.com/mediacenter/CrayolaTrivia.doc for more trivia.

    3. Re:Update by allism · · Score: 1

      I seem to remember that Burnt Umber is one of the colors that Crayola is discontinuing, at least from the crayons, but I can't find a link to support it.

    4. Re:Update by Anonymous Coward · · Score: 0

      It's probably a "Bloom County" reference.

    5. Re:Update by Anonymous Coward · · Score: 0

      Only link I could find

      Burnt Umber has apparently been discontinued.

    6. Re:Update by BadCable · · Score: 1

      No...

      That was "Burt Siena" and they're not discontinuing it.

    7. Re:Update by allism · · Score: 1

      Oh, yes, I believe you are right.

      That would explain why I couldn't find verification.

      (slaps self on hand) Bad, bad poster.

    8. Re:Update by operagost · · Score: 1

      They renamed "flesh" to "peach" back in the 1970s - a master stroke for the burgeoning Political Correctness movement.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    9. Re:Update by Anonymous Coward · · Score: 0
      That's it!

      I'm moving to Canada!!

    10. Re:Update by Anonymous Coward · · Score: 0

      You remember wrong. It was Burnt Sienna. In any case, there's no such thing as Burnt Umber, you probably mean Burnt Amber. Amber is kinda dark-yellow/orange/brownish, and is basically solidified tree sap.

    11. Re:Update by Anonymous Coward · · Score: 0
  37. Link to the Actual Report Card by richg74 · · Score: 5, Informative

    Here is the link to the actual page containing the report card.

  38. Bad? Yes. Surprise? No. by Dr.+Nnivel · · Score: 3, Funny

    Yes, this is truly pathetic. But honestly, folks... how many people are surprised by it? The U.S. government has something of a history of neglect when it comes to technology, as several have pointed out. After all, it's a sad day when major government systems can be compromised by worms of any sort. It simply shouldn't happen. Period. And yet it has. And then, there are the constant sad stories coming out of the U.S.P.O., where people are patenting things that are blatantly not their own.

    So, here's what we need: A government office that is responsible for the electronic welfare of the country. Not merely a minor department in some other place, but a significant entity of its own. It would be able to stop all these government technological blunders before they happen, being comprised of tech-savvy individuals. Or at least, it would have some people who specialized in the field. Yes, it may sound Orwellian, but it wouldn't be much more so than what we have now: Now, several government agencies work completely apart from one another to regulate electronics, and each government department is responsible for its own security. This would simply take this task out of the hands of the overworked and unknowledgeable, and might actually boost those grades.

    1. Re:Bad? Yes. Surprise? No. by HiThere · · Score: 2, Insightful

      Ah! The answer to bad government is more government!

      Orwellian isn't the only problem with that answer. I'll grant you, it's one of them.

      If you notice a systemic problem, you should presume that there is a basic design flaw in the system. I'm sure that one could create models that would display similar characteristics, and then compare them to see what characteristics of the system cause the problems. What would fix them. And what the expectable side effects of the fix would be. This should be a project for a Sociology Thesis or so, and should be done at a University. (I.e., outside of the government.) What the government should do is establish an annual prize for the best computer models of government activity. Possibly accompanied by a few SMALL grants to get it started. (Say enough to hire one grad student full time [What's the going rate?] and buy said student a fancy [$5,000] computer.) Start with several small grants, each to a different school. The winning project gets, say, $300,000 to be divided equally between the student, the professor, and the department.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:Bad? Yes. Surprise? No. by leerpm · · Score: 1

      No, I think we should hold those in government personally accountable for security flaws. Just like CEOs and CFOs are now required to sign off on financial statements. Senior government officials should be required to certify their agencies are secure. Then we should have yearly audits of this, and those that report vastly misleading results or fail to do anything about them get canned.

    3. Re:Bad? Yes. Surprise? No. by Anonymous Coward · · Score: 0

      "Say enough to hire one grad student full time [What's the going rate?]"

      Cheap.

  39. Actually it's indifference. by Shivetya · · Score: 1

    Government employees are not truly accountable. A friend of mine will routinely pass me stories of just how out of whack with reality government employment is.

    Hold their jobs on the line, that is if you can get past the miles of red tape and union rules.

    A private organization could have their board taken to the cleaners by their stockholders, let alone various "Government" regulating bodies.

    Remember, rules don't apply to those who enforce them.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.
  40. Is it really the user? by HarveyBirdman · · Score: 1
    it is usually (75% or so) user-related. In other words, they didn't know what the hell they were doing.

    Is that really user related in all cases, though? Or can it be that MS products simply don't lend themselves to a deep level of understanding because of their bloat and sometimes deliberate-seeming obfuscation of even the simplest tasks?

    The PCs around my work regularly do wacky things for no reason anyone can fathom. Just people using them normally and no mucking about with anything sensitive, and sometimes the PCs just start refusing to do simple things. Our MSCE techs come out and scratch their heads for a while before backing up any project data and doing the old reformat/reinstall.

    --
    --- Ban humanity.
    1. Re:Is it really the user? by Dhalka226 · · Score: 1

      Is that really user related in all cases, though?

      I would guess very little can be accurate in "all cases" in situations like this, and I certainly have plenty of blame for Microsoft and other shoddy software developers that are a cause of a lot of completely innocent crashes, lock-ups, lags, etc., from the user's perspective. However, some blame does have to be assigned to the users.

      In my family, both my brother and I are fairly geeky folks (I take the cake of course!). My parents? They're the sort who are afraid to even hook up their own computer hardware--and I'm not talking about internal stuff here. Why? Because they can't match up two pieces of the same color and connect them? Nah, because technology intimidates them for some reason--even the simplest tasks. Now my dad has an excuse: He's a printer, so he doesn't work with computers at all during the day. My mom, however, is a nurse and deals with computers all day, even if it's just software for scheduling/patient records/referrals/etc and of course email.

      In short, they're bothered because they don't think they understand the task and would much rather call me over to do it for them than actually learn to do it themselves. Now imagine them in an environment where they have to plug along on their own because a call to tech support is a waste of everybody's time and money. They'll be clicking all sorts of things which they have no idea how to use! Hell, at home my dad managed to install one of those little porn dancers on his computer. Those things are a bitch to track down! He insists he never clicked on anything to install it. Sure dad!

      Point being, users do do stupid things. Some of it can be blamed on them not knowing things they probably shouldn't know, some of it can be blamed on them for not knowing things they probably should know. But a lot of things could be prevented by better educated users.

      I'm sure I'll have a nice post full of blame for Microsoft later when the next stupid Microsoft issue comes up.

  41. Terrorist threat. by bludstone · · Score: 1

    According to debkafile Al Qaeda's next attack "will consist of a series of surprise attacks that will cut America off from communication with its armies in Muslim countries."

    Then I see this news.

    I don't think people realize how big of a threat poor computer security can truly be. I hope that this is fixed before a "wakeup call."

    Yikes.

    --

    no .sig
    1. Re:Terrorist threat. by Anonymous Coward · · Score: 0


      Nothing ever gets changed before the proverbial "wakeup call" until tragedy occurs. Traffic lights aren't added to an unsafe intersection until a child is run over, bars aren't added to a shop in a bad neighborhood until the storeowner is shot, and the KKK isn't shut up until someone throws bombs into a crowd. Speaking of the KKK, they're the only people whom I've ever seen being protected by "Freedom of Speech". Isn't that sad?

    2. Re:Terrorist threat. by revscat · · Score: 1

      I don't think people realize how big of a threat poor computer security can truly be. I hope that this is fixed before a "wakeup call."

      Me too. I do wonder, though, how effective any kind of "cyber attack" could really be against the USG. The government has millions of computers, hundreds of different networks, and so forth. If al Qaeda did attempt something against the government's computer systems, I would imagine it would have to be a coordinated attack coming from several different sources at once. Otherwise the effects would not be as dramatic as al Qaeda has shown desire for.

      It's always possible that there are a few systems that control communications, but these departments each have their own networks. Time will tell, I suppose. Other than viruses released into the wild, though, I haven't seen evidence of any attack of this nature.

  42. Correlation - unsat supplier -> unsat security by SgtChaireBourne · · Score: 2, Informative
    It [the dept. of homeland security] got an F.
    I suppose there's a correlation there somehow. An unsatisfactory supplier leads to unsatisfactory security. Choose products more carefully next time.

    It's not like there wasn't a warning ... for the last 10 years.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  43. Another computer "security" planted story by base3 · · Score: 2, Interesting
    Notice how computer "security" gets a lot more press these days? Pretty soon, Joe Sixpack will be clamoring for his TCPA/Palladium/NGSCB "protected" PC that he believes will protect his data. Little do Joe and friends know what they'll be buying.

    Sure, non-locked hardware won't be illegal right away, but it'll get a lot more expensive when it isn't mass-produced because it can't run Longhorn.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  44. Re:Why Picard by Anonymous Coward · · Score: 0

    WTF ?

  45. Butting your head against a wall by andih8u · · Score: 4, Insightful

    I did contracting work for the government and most of the blame lies in trying to do anything with a couple of government employees in charge of what actually gets done. The stereotype of them being lazy and generally slow to get anything accomplished is absolutely correct. When you mix a fast paced IT world with an "I can coast until retirement" attitude you get bad things happening. The other half of the problem is the users who put the password for their windows login and dialin on a stickynote on top of the laptop. On the other hand, any of the actual critical servers were well monitored and they would track down any breakin attempts, etc.

    --
    slashdot, news for crazed liberal socialist zealots
  46. Winding Up for the Throw by 4of12 · · Score: 2, Interesting

    All of these security problems at Federal Agencies, with Blaster, Welchia, spam, "piracy" etc. are going into a big hopper, where they will be used as reasons to justify TCPA, aka the Death of My Computer.

    In a nutshell,

    "Since IT security is in a such a poor state right now, the solution is obviously to put greater power in fewer hands."
    Yeah, right.
    --
    "Provided by the management for your protection."
  47. Security is bad all around. by MurrayTodd · · Score: 1

    This comes as no surprise, but it's certainly not restricted to the government. Corporate security people tend to be idiots as well. I've worked for so many managers who really don't want to know how insecure their security is.

    There's this nasty "kill the messenger" syndrome that makes (good) security specialists unpopular in corporations--and probably in the government as well. They are inevitably required to point out things that make other people look bad, and insecure managers are great at getting them fired.

    The result is a bunch of Yes Men who don't point out security problems, but let management feel good about itself.

    --
    Murray Todd Williams
  48. Typical Government by grendel's+mom · · Score: 1

    Anyone familiar with government IT personnel will have the slightest bit of surprise at this report. Most government IT people are poorly trained, lack the required knowledge and would never cut it in the private field.

  49. So here's how it worked for us by Anonymous Coward · · Score: 5, Interesting
    I'm a sysadmin at a non-secret DOE national lab, which is run under contract by a non-profit corporation. I'm posting anonymously 'cause people higher up don't like this sort of thing discussed publicly.

    So several years ago our Lab got handed an ultimatum that we had to come up with a security plan; our computing folks wrote up a proposal, it got sent back with issues needing clarification, there was another round, etc. This went on for about a year. Finally we get one of the drafts back, and we're told, in so many words, "this one's good, you have 6 months to have it in place".

    So now we have 6 months to redo every system on site, with no added budget to do so and no relaxation of other goals. To have any appearance of complying we basically had to set up a system for granting exemptions where each system exempted had to present a timeline for when it would be completed, etc. So at the end of the 6 months we were able to say that everything was either under the security plan, or had an exemption on file saying when it would be under the plan, or how it would be put behind a firewall, etc.

    But the real problem was that the proposal should have been met with discussion of a reasoned, planned schedule, and sufficient resources to implement it, rather than pretending a major security rework could be rolled out for free in 6 months. This goes all the way up to Congress, who passed this law about having agencies report on computer security, but so far as I know didn't designate any funds to pay anyone to do anything about it.

  50. Ha Ha Ha ha heee hee hee hee by Anonymous Coward · · Score: 0

    that was rich, Canadian spy agency... I think I peed my pants..

    thanks for the laugh.

    1. Re:Ha Ha Ha ha heee hee hee hee by Anonymous Coward · · Score: 0

      Peeing your pants, huh? You must be a US spy, then.

  51. it's no big deal by theMerovingian · · Score: 1


    The bad guys have even worse computer security than the US does. Besides, our hackers are better, anyway. (these guys owned an Arab bank to get Osama's account info).

    --
    "If you think you have things under control, you're not going fast enough." --Mario Andretti
  52. I'm a govt network admin... by Anonymous Coward · · Score: 3, Insightful

    Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.

    Not a federal govt IT guy, but I work for a state govt organization. The bureaucracy is a BIG PROBLEM. My fellow IT workers and myself are definitely not complete idiots. If we had our way, we'd ditch all the insecure technology (i.e. MS stuff) in a heartbeat. The problem centers around our upper management *ordering* us to do insecure things, like place an unprotected windows server directly on a routeable internet segment outside of the firewall, because some cheesy piece of software they bought (and again, *ordered* us to install) will work no other way, and they just flat outright don't give a damn about our security concerns. Now when such a box gets hacked, all of a sudden it's our fault. This is much akin to the senior-ranking bigshots ordering the fire marshal to allow them to light up cigarettes at gas stations and/or ordering the police chief to not dare even think of hassling them for driving around while DUI.

  53. Bureaucracy is the reason by Ignorant+Aardvark · · Score: 5, Interesting

    My father is a lawyer for the Department of Justice, and part of the reason for the insecurity is the federal bureaucracy. I'm a Linux advocate and my dad is a pretty techie guy. He was running a webserver on the WAN for his colleagues and wanted me to help him set up Apache. That was shut down directly by his superiors: Microsoft IIS is the only webserver "supported and recognized" by the IT department, and anything else is not allowed. In addition, the only browser you are allowed to use is IE and the only mail reader you are allowed to use is Outlook. I really wanted to help my dad secure his workplace by switching him away from a mailviewer that executes all attachments and a webserver known for its insecurities. But the Microsoft culture is so entrenched there that it wouldn't fly.

    1. Re:Bureaucracy is the reason by Anonymous Coward · · Score: 0

      sooner or later some legal docs will be released into the wild and the govt will get sued or lose a case

    2. Re:Bureaucracy is the reason by leerpm · · Score: 1

      There is a partly valid point though there. Even though Apache may be more secure than IIS, having end-users running around and installing other software can be a problem. Otherwise anybody could install some network application, and the user may not keep it patched and up-to-date. Then when the network gets hit with a worm or something that is particular to the installed software, you have a problem because the IT department may not be trained to patch and administer that type of software.

    3. Re:Bureaucracy is the reason by damiam · · Score: 1

      Outlook does not "execute all attachments". In fact current versions won't even allow the user to choose to execute an attachment without going through a few hoops. I dislike MS as much as anyone else, but please get the facts straight.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
  54. This is an unwinnable war. by karmaflux · · Score: 2, Informative

    The DoD is something I know about -- I can't even get rights to install another network printer. I'm in the Army Reserve, and we're told we have to talk to the "building network administrator," who isn't there on weekends... which is the only time we're there. In a DoD network, all this stuff comes down to one guy per building/unit/whatever. If he's not on the ball, the whole unit can go down in a blaze of MSBLAST.

    --

    REM Old programmers don't die. They just GOSUB without RETURN.

  55. You keep using that word... by neocon · · Score: 5, Insightful

    You keep using that word... I do not think it means what you think it means...

    Whatever you may think about the Department of Homeland Security, it has, in point of fact, the most honestly descriptive of almost any of the department names. That is to say, whether it does a good job or not, it is here to secure the American homeland.

    Now, if you want to talk about `Orwellian' names, meaning names like 1984's Ministry of Truth (which handled propaganda), Ministry of Peace (which handled war), and Ministry of Love (which handled torture and brainwashing), let's look at some of the big social-program departments which you seem more fond of:

    • The Department of Agriculture -- which pays farmers not to grow crops
    • The Department of the Interior -- which mainly handles subsidies for Indian casinos
    • The Department of Labor -- which pays the unemployed not to work
    just to pick a few examples.

    Of course, since the rest of your post is at least as confused as your use of the word ``Orwellian'', right down to your last example (the `Peacemaker', of course, was a famous Colt firearm, as used by the sheriff in just about any old western -- though if you want to wax philosophical, even Gorbachev has admitted that it was the inability to keep up with American defense spending that brought about the Soviet Union's collapse, so the missile made peace in a very literal sense as well), and the general tendentiousness of your claims shows that you're looking for political points more than accuracy anyhow...

    1. Re:You keep using that word... by calyphus · · Score: 1

      You are confusing Orwellian with doublespeak. That's double plus ungood.

      --
      The potato it is uninformed.
    2. Re:You keep using that word... by neocon · · Score: 1, Insightful

      Actually, when one refers to language as ``Orwellian'', it is exactly to doublespeak that he is referring -- one of history's supreme ironies, since Orwell himself, of course, was a constant advocate against such political speech-games, as in his famous essay Politics and the English Language.

      This is the claim which the original poster was attempting to make about the name ``Department of Homeland Security'', and it is a claim which rings false, inasmuch as, competent or not (and that remains to be seen), the department's purpose is, in fact, to secure the American homeland.

    3. Re:You keep using that word... by HiThere · · Score: 1

      You believe that? I've got this nice bridge...

      Actually, under some interpretations that would be true, but they don't have much to do with official US history, and more to do with Germany of around 60 years ago. (I say official because such organizations have appeared at a more local level in the past. They were all ultimately suppressed by the feds, usually without violence [toward them].)

      The organization is clearly unconstitutional in both its authorization and in its favored modes of operations. It is designed more to suppress than to protect the citizens. As such, I feel that Orwellian is a very good description of it.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:You keep using that word... by neocon · · Score: 0, Informative

      Leaving Godwin aside for a moment, do you actually have a point here? Would you care to actually back up any of your claims?

      You assert that the creation of DHS is `unconstitutional', for example, yet you fail to give any argument why combining several federal agencies which had existed for decades could be `unconstitutional' if the prior existence of the agencies themselves was not.

      You suggest that the `favored mode of operation' of DHS is to `suppress' people, but surely you agree that this is mere FUD if you cannot provide any examples.

      And finally, you suggest that DHS is not interested in protecting the homeland (the only claim which might make the original poster's claim that the name `Department of Homeland Security' is `Orwellian'), but you don't back this claim up either, nor explain whether you think the customs service, the coast guard, the office of the postal inspector-general and the other organizations which were merged to form the DHS were ``oppressive'' before they merged, or if cutting through the bureaucratic mess which made these agencies so ineffective before is what makes them ``oppressive'' in your view.

      Well? Or are you just blowing hot air?

    5. Re:You keep using that word... by Anonymous Coward · · Score: 0

      The difference between your post and your parent is that you chose one program within each organization to critique.

      Your parent cited fundamental flaws in who seemingly exerts influence within each organization.

      ...even Gorbachev has admitted that it was the inability to keep up with American defense spending that brought about the Soviet Union's collapse, so the missile made peace in a very literal sense as well

      So maybe we can attribute the massive nuclear arms buildup, and the very real current risk of nuclear proliferation to terrorist states and "rogue nations" to the "peacemaker" and as well??? That's not what I call peace.

    6. Re:You keep using that word... by neocon · · Score: 1

      Your parent cited fundamental flaws in who seemingly exerts influence within each organization.
      No, no the parent post did not. It made vague claims about the `nature' of DHS, without providing any of the specifics which might, if true, make such claims anything more than FUD.

      So maybe we can attribute the massive nuclear arms buildup, and the very real current risk of nuclear proliferation to terrorist states and "rogue nations" to the "peacemaker" and as well??? That's not what I call peace.
      If you could provide us with any reason to believe that the Soviets would not have built nuclear weapons without the Peacemaker, you might be able to make this claim -- you'd still have to explain why you're so eager to blame a weapons program which the Soviets failed to reproduce for the weapons the Soviets had made in earlier decades, however -- as well as why, if building the MX Missile is what leads to proliferation, it is Soviet warheads, and not the MX Missile, which are the weapons actually at risk of being proliferated.

      Well?

    7. Re:You keep using that word... by Anonymous Coward · · Score: 0

      If you could provide us with any reason to believe that the Soviets would not have built nuclear weapons without the Peacemaker, you might be able to make this claim

      you answered all these questions yourself!!! Sure the soviets would still have produced nukes -- but they wouldn't have tried to make SO MANY that it bankrupted their country! (and now we have to go in and try to account for each and every one of those before someone unsavory obtains access to them with cash...

      the US challenged the soviets to make as many nukes as they could, because they knew (I guess?) that the Soviets couldn't keep up. Sure the Soviets collapsed but the end result makes the detonation of a nuclear device inside the US greater, not less.

    8. Re:You keep using that word... by neocon · · Score: 1

      If proliferation were a factor of the number of weapons produced, you could argue that this was the case. However, as I just pointed out, were this the case, the US and the Soviet stockpiles would both be proliferation sources. Since, in actual fact, the US stockpile is not such a source, it's clear that it is the mismanagement of existing stockpiles by both the Soviet Union and post-Soviet Russia which produces a proliferation risk.

      That means that unless you are arguing that the Soviets would not have produced a stockpile of nuclear weapons in any case, you're in no position, try as you might, to blame the US for the handling of Soviet weapons -- and in any case, you can't blame the weapons system which the Soviets failed to produce for proliferation of those they did produce.

      But there's more to the picture even so -- that the threat model we are now worried about is a terrorist group or rogue state with one, or two, or five warheads, rather than a global human-life-on-earth-destroying thermonuclear war shows that the end of the Soviet Union was a huge win even if you find some way to `Blame America First' for Soviet mismanagement of nuclear munitions. And this holds even if you, incorrectly, assume that ``what didn't happen was thus never likely'' and thus hold that nuclear war was not a very real possibility had deterrence failed.

    9. Re:You keep using that word... by Anonymous Coward · · Score: 0

      Exactly how did the U.S. think a bankrupted country could protect all its massive nuclear stockpile after it fell? With its vast cash reserves? Its underpaid and spread too thin army? Maybe just loving trust developed under all those decades of tyrannical rule that former Soviet states would kindly return the nukes to Russia... pretty please with a cherry on top?

      ha. you are too funny.

    10. Re:You keep using that word... by Anonymous Coward · · Score: 0

      are you just blowing hot air?

      You do enough of that for everyone, neocon. We're just here to see you melt down as your stupidity reaches critical mass.

    11. Re:You keep using that word... by neocon · · Score: 1

      All of which misses two big facts here: a.) the former Republics did, in fact, almost universally return not only all nuclear munitions and missiles, but most other weapons systems to Russia when the Soviet Union broke up, and it is from Russia that proliferation is a concern, and b.) far from being `bankrupt', Russia is a large economy, a net oil exporter, and likely soon to be a major world economic player.

      Is it really your position that Russia was `too poor' to keep track of its nuclear weapons, yet somehow not too poor to maintain a large military, and to keep purchasing new conventional weapons systems?

      Do not mistake ``too poor to maintain a vast empire'' with ``too poor to function as an independent country''. North Korea is hardly an economic powerhouse (much of its population is on the verge of starvation), yet it continues to produce nuclear weapons, for instance.

    12. Re:You keep using that word... by neocon · · Score: 1

      I'll take your resort to childish insult as an admission that you don't have any rational position to present, thank you very much.

      I suspect most readers of this thread will do the same. :-)

    13. Re:You keep using that word... by Anonymous Coward · · Score: 0

      I'll take your lame retort as an admission that you are full of hot air, thank you very much.

      I suspect that everyone knows I'm right. :-)

      neocom

    14. Re:You keep using that word... by neocon · · Score: 1

      Then as long as we're both content in our positions, it's time to let the readers decide. :-)

    15. Re:You keep using that word... by Anonymous Coward · · Score: 0

      The readers have decided that you are a troll
      Now go away

    16. Re:You keep using that word... by Anonymous Coward · · Score: 0

      Is it really your position that Russia was `too poor' to keep track of its nuclear weapons, yet somehow not too poor to maintain a large military, and to keep purchasing new conventional weapons systems?

      No. it is my position that Russia has not shown the vigor that the United States does in securing and accounting for its vast nuclear stockpile, only created in a pissing match with the US. That will lead to proliferation- I don't see how the US saw it any other way???

    17. Re:You keep using that word... by neocon · · Score: 1

      And, again, unless your position is that the Soviets would not have built a nuclear stockpile in the absence of a US buildup, the US buildup has nothing to do with proliferation of the Soviet stockpile.

      And if proliferation is entirely at the feet of the Soviet system, we should be happy that that system is no more (this is but one among the many reasons we should be happy for the decline of that system, of course). That that occurred through US maintenance of a credible deterrent (as even Gorbachev now acknowledges) is a strong argument that that deterrent was a good idea.

    18. Re:You keep using that word... by ClioCJS · · Score: 1

      Yea. You wasted my time.

      --
      -Clio
      Karma: Bad (mostly from not giving a fuck)
      Blog: http://clintjcl.wordpress.com
    19. Re:You keep using that word... by Anonymous Coward · · Score: 0

      Ouch... so many people who think you're full of it, eh, neocon? Must make slashdot a barrel of laughs as you make things up to troll people about.

      neocom

  56. Why not see this as an opportunity to do good? by LazloToth · · Score: 2, Interesting
    Okay, I know, I know - - I'm the soft-hearted liberal who still thinks government does some good and stops some evil. Anyway, with such lousy marks coming out, why don't some of the Slashdot geniuses who are not yet employed go into consulting, get some security contracts, and make some dough while improving things for all of western society?

    Just a thought . . . .

    On the other hand, we could just go on talking about how lousy the government is in every aspect and wait for the whole thing to implode like a cow patty.

    --
    It's only funny until someone gets hurt. Then, it's hilarious.
    1. Re:Why not see this as an opportunity to do good? by Peridriga · · Score: 1

      Because I'm a Republican and I don't want a pay cut because you already take too many taxes from me.
      I can't afford any less...

    2. Re:Why not see this as an opportunity to do good? by John+Hasler · · Score: 1

      > ...whole thing to implode like a cow patty.

      We can only hope.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:Why not see this as an opportunity to do good? by starseeker · · Score: 1

      I'm betting any improvements would have to be a matter of policy, not just throwing up a firewall and cleaning up some security problems. I doubt government systems will ever be secure, simply because they aren't allowed to move fast enough.

      --
      "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  57. hah by Anonymous Coward · · Score: 0

    Is there a spaceship leaving soon for your planet?

    Count the number of board-feet harvested from national and state land, it's plunged to about 10% what it was 13 years ago.

    The EPA is hopeless, it was started by Richard Nixon. INS is a joke, its estimate of illegal immigrants is "between 8 and 30 million."

    Planned Parenthood has never liked adoption, and it's never faced up to the fact that abortion does have a morbidity/mortality rate. Especially since most who perform abortions are not even doctors.

    The cancer link is for women who aborted their first pregnancy. Records from 30 states going back 25 years have been sifted, the evidence is overwhelming. If a woman aborts her first pregnancy, she has a 1 in 9 risk of breast cancer, elevated from 1 in 50.

    1. Re:hah by heironymouscoward · · Score: 1, Offtopic

      If a woman aborts her first pregnancy, she has a 1 in 9 risk of breast cancer, elevated from 1 in 50.

      This proves only a relationship, not a cause and effect. Women having children (including full term and lactation) have a lower breast cancer risk. Women aborting their first pregnancy have children later, possibly never.

      A valid study would compare age at first pregnancy/lactation with breast cancer. I suspect there are other factors that appear to link even more strongly with breast cancer than abortion:

      - career (since working women have children later)
      - fertility (since fertile women have children earlier)
      - look&feel (since ugly women have children earlier)
      - education (since women with more education have children later).

      So, you should be against educating women, allowing them to work, allowing them to protect themselves against STDs that can lower their fertility,...

      Come to think of it, you probably are.

      --
      Ceci n'est pas une signature
  58. It's really not that bad by thepuma · · Score: 1
    If I remember from college, it's all graded on a curve, so as long as everyone gets a "D", it's cool!

    That darn smartass NRC is always spoiling the curve for everyone!

    --

    Free your economy and enact the FairTax

  59. Here in Cleveland... by orbit0r · · Score: 1

    First Energy Corp. got a big fat "F".

    Our rivers catch fire and then we cause a massive blackout? I'm moving.
    -orbit0r

    1. Re:Here in Cleveland... by Anonymous Coward · · Score: 0
      Our rivers catch fire and then we cause a massive blackout? I'm moving.

      The Cuyahoga river catching fire happened over 30 years ago when EPA legislation was non-existent. Talk about beating a dead horse. Should I recommend against moving to Atlanta because they support slavery down there? Better avoid Europe too with that whole threat of communist invasion. ;-)

  60. Re:The test is biased!!! by zulux · · Score: 2, Interesting

    We can't have this much failure in the US Government!!!

    These security grades are obviously created by the MAN to keep their security grades up while making everybody else look BAAAAAAD.

    We need a newer test that encompasses more to make it fair. I suggest we measure the following to determine their security grades.

    Are their packet-filters inclusive?
    Do they secure AppleTalk, Token Ring or just Ethernet?
    Do they set aside special days and allow special packets in?
    Do they support 2 letter passwords, and not just the 8 letter ones that advantaged people can type?
    Do their proxy servers filter out gender discriminatory words like 'He' or 'Mister'?
    Do their computers have master/slave IDE systems?

    Just an example of how the current test is biased.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  61. Where's the Money? by Anonymous Coward · · Score: 0

    As someone who worked on government networks for many years, I would blame top-level management. Agencies are good at producing standards documents on software development processes and security practices. The problem is, at least in my experience, that they never allocate the funding needed to implement those standards. It's as if waving the document over the computer is going to make it secure. In many places there are no professional systems administrators. What you have are engineers, programmers and local "experts", who do systems administration as an unacknowledged extra duty, in addition to their primary job.

  62. Too bad... by Anonymous Coward · · Score: 0

    ...They cancelled the funding that was going to the OpenBSD project...

  63. I Work At Agriculture ... by saudadelinux · · Score: 1

    I'm surprised the networks were up long enough to be tested :( In my agency (USDA is comprised of about 20 agencies) we generally have a good 5 - 10 hours a month of network outages. I mean everything: LAN share drives, our Exchange servers, all Internet...it's very frustrating.

    --
    I didn't think the house band in Hell would play this badly.
  64. govt IT by Anonymous Coward · · Score: 5, Insightful

    I work for one of the agencies that failed (and thus am posting AC because I don't think they'd like this).

    I'm in a general research facility (nothing classified, etc.) with about 70 people, most of whom have one or more computers. We have 30% of one person's time as IT staff because our agency will not give us funding to hire anyone else. This person has little or no training in computer security. I worked as a unix sysadmin for a few years, and know more about the nuts & bolts of IT security than our IT person. Given the way the govt determines pay grade, we couldn't hire a competent IT person even if we had the money, because we couldn't offer enough money.

    Anyway, what this boils down to is that everyone is responsible for the security on their own computer. With no training, and no time allocated for doing so, since everyone has a full slate of tasks of their own (yes, despite being federal employees we do work pretty hard). My location doesn't have an enforced security policy, even on things so definitely hazardous as enforcing the use of antivirus, not using un-passworded windows shares, etc.

    Even worse, the agency in question requires admin staff to use custom-written and obsolete administrative programs that won't run on an OS newer than Windows 98. The people dealing with payroll and personnel data have the least securable computers. Nice, no?

    Our regional IT staff don't seem to have much formal security training, and have made some decisions I consider questionable. The agency IT staff have also done some odd things, like recently forcing us all to switch our email to GroupWise.

    From my perspective, yes, we deserved our failing grade. It's primarily due to lack of support for creating and maintaining a coherent security policy. There's no substantive training, and very little awareness among the higher-ups of the needs of facilities like mine, where everyone has different technology requirements to perform their duties. The administrative legacy software issues don't help either.

    just sign me... not admitting to anything. :)

    1. Re:govt IT by Anonymous Coward · · Score: 0

      I work for a government agency where the IT folks go crazy on security and add all sort of unnecessary security barriers to protect science data that should be in the public domain by law. Stupid firewalls that disconnect ssh sessions to machines outside of the firewall for connections longer than an hour, passwords changing all of the time, with password rules so hard that everyone writes down their password on a slip of paper instead of memorizing it.

      I have yet to meet a security expert that doesn't overreact with tons of gloom and doom rhetoric that is really more focused on padding their budget than really protecting security.

      Too much security reduces productivity and squanders budget money.

      Why the @#$@! do I have to run a virus checker on Mac... If I get a windows email virus I can spot it without having to run a virus checker that scans every frickin CD I put in my system... argh!

  65. I Fought the Idiots and the Idiots Won by edward.virtually@pob · · Score: 3, Insightful

    Speaking as someone who spent many years fighting various Good Fights against government idiots, I will say that government agencies will continue to get failing grades on security because they place the whims of incompetent managers above the advice of their technically competent employees. Not all government IT people are idiots, but most of them have no interest in challenging their pointed-haired bosses because those who do suffer pay discrimination and -- if they're really stubborn -- termination. So government sites will remain a monoculture of poorly patched and insecurely configured MS products just waiting for a new virus to slip in and lay waste to everything in sight. In other words, most government sites are like most corporate sites, and for similar reasons.

    1. Re:I Fought the Idiots and the Idiots Won by Anonymous Coward · · Score: 0

      I'd rather have the govt run windows - that way if they didn't patch they'd get hit by some lame-o virus like Blaster, and know they had a problem.

      If they were running unpatched linux boxes who knows how long it'd take for them to figure out that they've been hacked.

  66. Patriot Act by QEDog · · Score: 2, Interesting
    The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission

    The sad thing is that instead of fixing these things, they go on and take away liberties from the citizens to prevent ' terrorism '. Patriot Act anyone? So, for their ineptitude, we lose our rights.

    --
    "There is no teacher but the enemy."-Mazer Rackham
    1. Re:Patriot Act by the_mad_poster · · Score: 1

      What the hell are you talking about? Now, I'm no fan of PATRIOT by far, but how on Earth do you draw the conclusion that "civil liberties are eroding" from "the department of homeland security's computers are as secure as a wet paper bag"? There is no connection there. None. Just... I can't even...

      Do you people even THINK before you post or do you just have random spasms in your fingers that cause that sort of illogical garbage to fly out?

      A much more plausible and less utterly ridiculous conclusion you could've drawn without bothering to back it up would be that "taxes are going up" because "the department of homeland security's computers are as secure as a wet paper bag and they want more money to buy gadgets". It could still be patently false, but at least it's not so utterly ludicrous, especially since Homeland Security had barely been alive a month before PATRIOT finished rushing through Congress.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    2. Re:Patriot Act by GSloop · · Score: 1

      I'll donate a clue...

      He wasn't drawing any causation at all.

      He was simply comparing the lunacy of the two.

      DHS can't secure their own systems. But, to "secure" us, we need the USA Patriot Act.

      Seems...No... It *IS* hypocritical. Start at home first. Once that's down pat, then look elsewhere.

      I could rant for hours, and sometimes do about this whole subject, but I'll let it die there.

      Cheers,
      Greg

    3. Re:Patriot Act by the_mad_poster · · Score: 1

      Please see the full response to this post in my journal (well, if you're interested anyway). You can skip the first part of the entry since it's about a completely unrelated post.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    4. Re:Patriot Act by GSloop · · Score: 1

      You're a sick pedantic... LOL

      Point taken - still - when one has to write thoughts out long hand, one can understand the shortcuts taken in clarity - even if not really defensible.

      Cheers,
      Greg

  67. Re:I'm a govt network admin... by Anonymous Coward · · Score: 5, Interesting
    I work for a government agency (also not federal but state.) And I'll back up what you are claiming. I'm probably one of the highest ranking technical people in the dept and definitely the highest ranking in regards to network security. It's not uncommon for non-tech superiors to order very insecure things to be done, especially if their proprietary app "requires" it to work.

    I wanted to replace TELNET access with SSH to our most important server (manages all budgets, accounting, payroll, and also contains a LOT of data that would be considered a privacy breach if released.) I was informed that this could not be done because a handful of people use an app from the vendor which requires telnet access to work. This server is on a LAN which is accessed by several hundred members of the public daily.

    So I ran ettercap and showed how trivial it was to capture my boss's password and capture the whole telnet session including root password. I was again told that "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

    Of course, the right thing for my boss to have done would have been to pressure the vendor to move to SSH on their app. But that would have cost money after all. I couldn't even filter telnet from the public access systems because it was some of them which actually needed to run the application. In the end all I could do was send a memo detailing the risk to my boss so I could cover my own ass if something happened.
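    The situation in the post above (a vendor app that keeps cleartext Telnet alive on a server reachable from a public LAN segment) is one that a monitoring team can at least measure while the policy fight drags on. The following is an added defender-side example, not code from this thread or from any poster: it groups captured packets into flows, strips Telnet option negotiation, flags every Telnet flow that carries a login/password prompt, and rates it higher when the client sits on the public segment. The sample capture, the 10.20.0.0/24 "public" segment, and the host addresses are all constructed for the example. The check reports that a cleartext login happened and who the peers were; it deliberately does not extract or store the credential itself.

```python
"""Flag cleartext Telnet logins in captured flows (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

TELNET_PORT, SSH_PORT = 23, 22
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

# Assumption (constructed): the LAN segment used by walk-in members of the public.
PUBLIC_SEGMENT = ip_network("10.20.0.0/24")


def strip_telnet_negotiation(payload: bytes) -> bytes:
    """Drop IAC option-negotiation sequences (RFC 854) so the login text can be matched."""
    out, i = bytearray(), 0
    while i < len(payload):
        b = payload[i]
        if b != IAC or i + 1 >= len(payload):
            out.append(b)
            i += 1
        elif payload[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <cmd> <option>
        elif payload[i + 1] == SB:      # IAC SB ... IAC SE subnegotiation
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        elif payload[i + 1] == IAC:     # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        else:
            i += 2                      # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def flow_key(src, dst, sport, dport):
    """Normalise both directions of a connection to (client, server, server_port)."""
    if dport in (TELNET_PORT, SSH_PORT):
        return (src, dst, dport)
    return (dst, src, sport)


def analyze_flows(packets):
    """packets: iterable of (src, dst, sport, dport, payload).

    Returns one finding per Telnet flow that shows login/password prompts
    (severity "high" when the client is on the public segment, else "medium")
    and one informational entry per SSH flow, whose payload is encrypted after
    the version banner and so cannot be inspected for credentials."""
    flows = defaultdict(bytearray)
    for src, dst, sport, dport, payload in packets:
        flows[flow_key(src, dst, sport, dport)] += payload

    findings = []
    for (client, server, port), data in flows.items():
        if port == SSH_PORT:
            findings.append({"client": client, "server": server, "port": port,
                             "kind": "encrypted", "severity": "info"})
        elif port == TELNET_PORT:
            text = strip_telnet_negotiation(bytes(data)).lower()
            if b"login:" in text and b"password:" in text:
                exposed = ip_address(client) in PUBLIC_SEGMENT
                findings.append({"client": client, "server": server, "port": port,
                                 "kind": "cleartext_login",
                                 "severity": "high" if exposed else "medium"})
    return findings


# Constructed sample capture: a public-segment client logging in over Telnet,
# an internal client doing the same, and an SSH session to the same server.
SAMPLE_PACKETS = [
    ("10.1.0.5", "10.20.0.45", 23, 40001,
     bytes([IAC, DO, 0x01, IAC, WILL, 0x03]) + b"\r\nlogin: "),
    ("10.20.0.45", "10.1.0.5", 40001, 23, b"boss\r\n"),
    ("10.1.0.5", "10.20.0.45", 23, 40001, b"Password: "),
    ("10.20.0.45", "10.1.0.5", 40001, 23, b"not-a-real-password\r\n"),
    ("10.1.0.5", "10.1.0.77", 23, 40002, b"\r\nlogin: "),
    ("10.1.0.77", "10.1.0.5", 40002, 23, b"clerk\r\n"),
    ("10.1.0.5", "10.1.0.77", 23, 40002, b"Password: "),
    ("10.1.0.20", "10.1.0.5", 40003, 22, b"SSH-2.0-client\r\n"),
    ("10.1.0.5", "10.1.0.20", 22, 40003, b"SSH-2.0-server\r\n" + bytes(range(32))),
]


if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_PACKETS):
        print(f"{f['severity']:6} {f['kind']:16} {f['client']} -> {f['server']}:{f['port']}")
```

    Run as a script it prints one line per flow; wired to a real capture source the same `analyze_flows` output is the evidence a memo like the one described above needs: how many cleartext logins per day reach the server, and how many of them originate from the public segment.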

  68. If only... by Anonymous Coward · · Score: 0

    ...there appeared on that list the department of student loans!

  69. Not nice by fetus · · Score: 1

    "hackers and other cyberterrorists"

    mod me Troll if you will, but I feel it needs to be pointed out that that is a bad statement. If you need to be told why then you suck.

  70. Security Clearance Process Filters Out... by That's+Mister+Jesus · · Score: 0

    ...smart and creative people. Having personally worked for the Department of Energy (I took another job because I got the sense my clearance wouldn't come through), I can tell you that I've never met so many IT people who didn't like computers. Laziness and apathy are rampant on the very computer systems used to...wait for it...control the manufacture of atomic weapons. Office politics and backbiting are also a serious problem.

    I'm sure you'd all agree that the kind of rocket scientist discrete math cipherpunks we need protecting these networks are either bonkers or have skeletons in their closets.

    Creative people take risks and people who take risks make mistakes. Essentially, if you've ever had a DUI, taken any drug other than marijuana, bounced a check, or been in therapy you won't get a clearance.

    Network security is a black art, my friends. It involves intuition, mastery of a jillion different disciplines, paranoia, ego, and poor personal hygiene - precisely the kind of personality bureaucrats are most afraid of. The feds want IT people who are avid golfers and college football fans. No self respecting nerd would be caught dead on the back nine. It takes too much time away from writing 2 line perl scripts that draw ASCII pictures of Terri Hatcher.

    1. Re:Security Clearance Process Filters Out... by jasonsfa98 · · Score: 1

      I resent that.

      I love to golf, although I spend more time killing grass than actually hitting the balls.

    2. Re:Security Clearance Process Filters Out... by azaris · · Score: 1

      Creative people take risks and people who take risks make mistakes. Essentially, if you've ever had a DUI, taken any drug other than marijuana, bounced a check, or been in therapy you won't get a clearance.

      Maybe, but people with unstable personal lives still pose a greater statistical risk of going "rogue". Would you really want someone like Adrian Lamo working for your government?

      Network security is a black art, my friends. It involves intuition, mastery of a jillion different disciplines, paranoia, ego, and poor personal hygiene - precisely the kind of personality bureaucrats are most afraid of.

      Absolute, unmitigated bullshit. Paranoia - maybe up to a healthy level. Ego and poor hygiene haven't got anything to do with knowing your way in and out of information systems. What you've described is your average cracker/virus-writer who thinks very highly of himself but in truth has only a deep but very narrow (and not necessarily all that useful) knowledge base and almost no social skills, so that employing them as anything other than a lone wolf is fruitless. Plus the fact that such people simply can't be trusted, which is the ultimate problem of hiring people to administer your information systems.

    3. Re:Security Clearance Process Filters Out... by Anonymous Coward · · Score: 0

      Essentially, if you've ever had a DUI, taken any drug other than marijuana, bounced a check, or been in therapy you won't get a clearance.

      Obviously this does not apply to the current President of the United States. Maybe they give you the clearance if you are a coke snorting drunk that found religion ...

    4. Re:Security Clearance Process Filters Out... by Anonymous Coward · · Score: 0

      Some people can't take a joke.

  71. Re:I'm a govt network admin... by Anonymous Coward · · Score: 0

    CYA is an important skill. Don't let them blame you for their incompetence.

    Parent deserves some mod points just for saying it.

    In the end all I could do was send a memo detailing the risk to my boss so I could cover my own ass if something happened.

    A paper trail is your friend when dealing with gov't crap.

  72. Bureaucracy takes many forms... by Iphtashu+Fitz · · Score: 1

    I'm a sysadmin at a company that has hundreds of linux servers. About a year ago we hired a guy who is a former IS guy from the US Coast Guard (now a part of the Dept. of Homeland Security). He decided to quit the USCG when they told him that he had to move into a completely unrelated position in order to give somebody else a chance at working in IS. Apparently this is the way the USCG works - every couple of years pretty much everybody switches jobs. They wanted this guy, who is a top-notch linux admin, to move into something like finance. Rather than be forced into doing something he had absolutely no desire to do he decided to quit the USCG altogether and move into the private sector.

    Definitely NOT a good way for the government to hold on to talented people...

  73. Hackers and Other Cyberterrorists by ReadParse · · Score: 1

    I was surprised that this story wasn't pummelled with comments about the submitter's usage of "hackers and other cyberterrorists," suggesting again that hacking is terrorism. There are a couple of valid points to bring up:

    1) The people you seem to be talking about are crackers, not hackers. Crackers are the bad guys (in most cases) and hackers aren't necessarily good or bad. We just hack around, for whatever reasons.

    2) I have nothing good to say about crackers, but I hesitate to classify them as "terrorists". Terrorists kill or threaten to kill innocent civilians to instill terror on a society in hopes of encouraging that society to change its behavior or policies. A server getting cracked is certainly a bad thing, and I don't tolerate or condone it, but to classify the fear of getting cracked as a terror comparable to a car bomb going off in your neighborhood is an insult to those who are terrorized every day.

    I realize it wasn't intended as an insult. I'm just making a point. That point is that the protection should be "from crackers and cyberterrorists" and not "from hackers and other cyberterrorists."

    RP

    1. Re:Hackers and Other Cyberterrorists by jasonsfa98 · · Score: 1

      As soon as you put "crackers" in a headline, 90% of the population will think it's a racist attack on white men. We know what it means, but "they" don't.

      But I do agree with what you said.

    2. Re:Hackers and Other Cyberterrorists by cK-Gunslinger · · Score: 1

      And my response to this is "get over yourself." It isn't like people are confusing astrophysicists with mall security guards. You're trying to argue that what you do is "better" than what a cracker does based solely on your "intentions." Whatever. I guess some bank robbers should be referred to as humanitarians, since they were getting the money to help those less fortunate. And if you wake up at 3:00 with some stranger snooping around your house, don't call the police until he actually takes something and leaves. After all, he might just be "hacking around."

      Give it up, you've lost the fight. The term hacker typically has negative connotations in the mind of the public. Just like pirate and revolutionist.

    3. Re:Hackers and Other Cyberterrorists by Anonymous Coward · · Score: 0
      As soon as you put "crackers" in a headline, 90% of the population will think it's a racist attack on white men. We know what it means, but "they" don't.

      But I do agree with what you said.
      Just call 'em Malicious Hackers! That's what Kevin Mitnick calls them.

    4. Re:Hackers and Other Cyberterrorists by Anonymous Coward · · Score: 0

      And besides, nobody cares about being racist against whites. They only care about being racist to everyone else. Remember: the white people are EEEVIl. EEEEEEEVVIIIILLL.

    5. Re:Hackers and Other Cyberterrorists by John+Hasler · · Score: 1

      > You're trying to argue that what you do is
      > "better" than what a cracker does based solely on
      > your "intentions."

      So you don't consider what Linus Torvalds does 'better' than what a cracker does? Hint: hacking has nothing to do with breaking into computers.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    6. Re:Hackers and Other Cyberterrorists by cK-Gunslinger · · Score: 1

      So you don't consider what Linus Torvalds does 'better' than what a cracker does? Hint: hacking has nothing to do with breaking into computers.

      My argument is that the term hacker now means "person who breaks into unauthorized computer systems" to 90% of the general public. Yes, some people think they are hackers because they write code. Some people think they are hackers because they steal credit card numbers. Some people think they are hackers because they kick a little sack around with their feet. Some people with a chronic cough from smoking probably refer to themselves as hackers, as well.

      My point is, who cares? As long as you know who you are and what you do, what difference does it make? I don't kick and scream when someone refers to me as a computer nerd, versus the more accurate computer "geek." I don't point out my lack of thick glasses and a pocket protector. BECAUSE IT DOESN'T MATTER!

      PS: How many people do you think would cry foul if they read on the front page of the Times, "World Famous Computer Hacker, Linus Torvalds..."

    7. Re:Hackers and Other Cyberterrorists by Anonymous Coward · · Score: 0

      I second the 'whatever' sentiment. I've seen fevered arguments saying the exact reverse of these definitions, or some other bullshit like 'crackers just wanna look around and hackers destroy things'. Who cares?

      As for cyber-terrorism, I think that's a perfectly valid name. Real terrorists aren't pushing for social change, they're just inept assholes who can't get anyone to pay attention to themselves in a positive fashion, so they throw a tantrum and destroy things. Just because script-kiddies don't kill anyone doesn't mean it's an invalid comparison.

    8. Re:Hackers and Other Cyberterrorists by ReadParse · · Score: 1

      I realize this discussion is already old in slashdot time, but I just read this reply and needed to respond to it. I never said that I or any other "hackers" broke into computers. I quite frankly don't have the knowledge to break into most computers, even if I did have that kind of interest. Yes, I could get it online I'm sure, along with the tools. The point is that being a "hacker" has nothing to do with breaking into computers. It's somebody who "hacks", which applies to computers the same way it applies to playing the piano (I'm also that kind of hack) or dancing (I'm also that kind of hack). Somebody who gets by and can do some pretty interesting things, but who doesn't do it the "right" way or have a lot of formal training. That's a "hack", and it's that sense of the word that "hacker" has always been based on.

      Yes, the public has a different interpretation of the word. But this is Slashdot, where we don't have to use the general public's glossary. Oh, and my real beef with the story was the fact that they equated hackers to cyberterrorists.

      Thanks,
      RP

  74. Re:I'm a govt network admin... by lucabrasi999 · · Score: 2, Insightful
    The problem centers around our upper management *ordering* us to do insecure things, like place an unprotected windows server directly on a routeable internet segment outside of the firewall

    This type of activity, and other similar activity, is, unfortunately, not limited to Government agencies. Managers everywhere simply don't grasp the need for security. My present client, which is NOT in the government, actually had a Production Environment web server residing, fully exposed, on the DMZ. The project manager wanted it that way. At least, he did so until we started asking why they didn't move it fully behind the firewall.

    In short, inside every manager is a pointy-haired boss. It's not just limited to government.


  75. About time for a new Government standard. by Anonymous Coward · · Score: 0

    The government shouldn't care about money or paying companies. The government should just put in the fine print of the law that any government contractor that leaves the government open to any type of attack is liable for severe monetary damages, severe criminal penalties, & government ownership. That would make folks think twice about cheating the government.

    Remember to pay your rent to the government or you'll be evicted.

  76. That's what they get... by Anonymous Coward · · Score: 0

    ...for using Microsoft Servers.

    They've got nobody to blame but themselves.

  77. Re:I'm a govt network admin... by hackstraw · · Score: 5, Informative

    "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

    I was in a similar situation, and I modified the telnet daemon so that a password wasn't required and put the telnet app on a different port and tcp wrappered that port. Granted this wasn't financial info, but I could not have a plaintext password going to a mission critical system.

  78. Gee, I wonder why by LPetrazickis · · Score: 1

    Labor 86.5 B
    NRC 94.5 A (Nuclear Regulatory Commission)
    NSF 90.5 A- (National Science Foundation)
    SSA 88 B+ (Social Security Administration)

    These are the only four departments with decent grades. I find the presence of SSA to be the most interesting.

    IMHO, they are there because they are not allowed to make a single slip-up. If they do, the "my-life-will-never-get-screwed-up-so-lower-my-taxes" crowd that the US is full of moves from mutter mode to full-blown attack mode. The SSA is not allowed to err on the side of comfort and is instead forced to insulate itself in layer after bristly layer of unpleasantness that makes it less effective.

    --
    Is this a sigs-optional kind of place? 'Cause I am totally down with that if you know what I mean.
  79. Paranoia will destroy you... by Lodragandraoidh · · Score: 1

    Great, one more thing to make the government even more paranoid than it already is...

    What's next, abolition of the internet and reinstatement of the tickertape machine?

    Of course, their paranoia could be feeding my own paranoia - or it might be the other way around.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  80. I, for one by Anonymous Coward · · Score: 0

    feel more secure than ever before! /sarcasm

  81. It's not just the government who's at fault!! by Anonymous Coward · · Score: 0

    It's also the guys who write the "security" software. Don't believe me? Take a look at THIS:
    http://www.grc.com/dos/xpconference.htm
    1. Re:It's not just the government who's at fault!! by Anonymous Coward · · Score: 0

      Steve Gibson is paranoid about DDOS attacks, not security. This frantic argument of his has earned him the ire of several IT info sites, since it turned out to be publicity and not fact, and nothing has materialized to prove his ranting.

  82. Bad person, probably not by h8macs · · Score: 3, Interesting

    You are most likely not evil, you just look like it because you like to get the job done, period.

    I have worked in several different companies in the IT field from small to very large. One trend that I have noticed is that a knowledgeable "technical" manager is a rarity. Some may argue that this is not true; I apologize to those managers that are 'actually' hands on at least a little with their admins. I have been lucky and have had a couple of these rare species to learn from.

    From what I have seen, most managers are hired for the position because they have a degree, not a technical degree mind you but a degree (usually management).

    This is appropriate in the managerial sense, however I still feel that to be an appropriate 'technology' manager you can not base your technical experience on your "Intro to Microcomputers" (ASU - consisted of 8 weeks of introductory Java and 8 weeks of Autocad...WTF), or "Using Excel/Powerpoint" classes alone.

    I would be more inclined to have a highly (or moderately so) technical manager who merely has a BS in computer science (minor in business). Shows that his interest lies in the technical domain and supporting his employees in the proper ways (ie...training, mentoring, etc.), rather than someone with an MBA "climbing the ladder" to the next butt-kiss.

    --
    :-( --- argh. Despair, I owe again. :-b
    1. Re:Bad person, probably not by Anonymous Coward · · Score: 0
      technical manager who merely has a BS in computer science

      That's a BSc, you insensitive clod!

  83. hacker != cracker by John+Hasler · · Score: 1

    > ...hackers and other cyberterrorists...

    So hackers are now not only to be equated with crackers but with "terrorists" as well?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  84. Even the wakeup call won't work. by leerpm · · Score: 1

    Look at what they have done after 9/11. Instead of working to fix the root of the problems, anti-americanism, GWB goes on a shooting spree invading countries without regard for any consequences.

    1. Re:Even the wakeup call won't work. by neocon · · Score: 1

      Let's see if I understand your argument here: ``a bunch of fanatics who want to destroy any country which does not match their idea of what God wants a government and society to look like are receiving state sponsorship which makes their attacks much more deadly. So the right solution is not to set about removing these state sponsors (which are also horribly oppressive of their own people), but to try and convince these madmen to like us, so they won't attack us again''.

      That doesn't even pass the laugh test...

  85. Consulting Jobs w/the Feds? by BoRegardless · · Score: 1

    Looks like to me that this is a full employment opportunity for hackers who want to turn white hat.

  86. You have missed the point by leerpm · · Score: 1

    It doesn't matter whether an agency uses Windows, Linux, Unix or Macs. If you don't have the right security processes in place, you can be running the most secure operating system in the world and you will still get a failing grade. The products you choose are only a small part of security; it's how you use them and continually work to secure them against intruders that matters.

  87. Just a warning for future reference.. by Anonymous Coward · · Score: 0

    Anonymous coward isn't truly anonymous anymore. They tie your IP address to your comment posting...

    1. Re:Just a warning for future reference.. by mandolin · · Score: 1

      If (s)he's running on a NAT'd network, that shouldn't matter. You'd more likely get in "trouble" when some hotshot starts analyzing the traffic flowing through the corporate/government firewall.

  88. You guys are being too hard on US agencies... by Aaron+England · · Score: 1

    Remember, a D is still passing. (:

  89. Freedom of Information Act, part 2 by Anonymous Coward · · Score: 1, Insightful

    The gubmint that hides everything from the people and their pesky FOIA requests by abusing the excuse of "national security" can't secure its computers?

    Let's see those .torrent files, people. :)

    Who knows... the terrorists might break in and delete something important. A well-armed militia backs up the critical files of a government too lame to secure them itself.

    1950: "My dog ate my homework."
    2001: "My homework is classified for reasons of national security."
    2003: "Some hackers deleted my homework."

    Do you really want to hear Bush / Cheney / Ashcroft say "sorry folks, those files no longer exist, I guess some hackers deleted them. But we really did find WMD, I promise, and I'd show you the proof if those darn files hadn't been deleted"...?

  90. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  91. Sad..Hidden Assets. by Anonymous Coward · · Score: 0

    "I work in IT for a govt. agency here in Canada, and to not have an accurate inventory of our hardware is absolutely unthinkable. 79% of agencies having no idea where their systems are (and arent) is a recipe for disaster."

    Do you have a Novell server behind a wall?

    1. Re:Sad..Hidden Assets. by hookedup · · Score: 1

      I think i may be missing the point of the joke, but no, no Novell products here.

  92. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  93. Some departments did well! by lommer · · Score: 1

    People are concentrating on many of the wrong departments. From the Forbes Article:

    Fourteen agencies improved their grades, and the Nuclear Regulatory Commission and the National Science Foundation each received an "A." The Social Security Administration received a "B+" and the Department of Labor received a "B,"

    The Nuclear Regulatory Commission, which is the department in charge of making sure nothing happens to or with nuclear shit, got an A, and the Social Security Administration (you can guess why you wouldn't want them to get hacked) did fairly well too. As for the NSF, well we already knew that they were fairly smart guys :-).

    Specifically in response to your comment, the NRC actually plays a much bigger role in maintaining nuclear security around the country than the DOE does, so I wouldn't be too worried about that aspect of the DOE's grade. Still, the situation does need to be fixed for all the departments that got below a C.

    1. Re:Some departments did well! by Atryn · · Score: 1

      Ok, so if the NSF received an "A", why doesn't DHS or DOE hire the NSF to audit their systems?

      --
      Come play Moral Decay!
  94. Re:I'm a govt network admin... by Anonymous Coward · · Score: 0

    how about tunnelling telnet over ssh using port forwarding feature of ssh?

  95. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  96. The actual survey filled out... by rice_burners_suck · · Score: 2, Funny
    House Government Reform Subcommittee on Technology
    Survey Questions

    (1) Name of your government agency:
    (2) Number of computers installed:
    (3) Do any of your computers run Windows and/or other software from Microsoft?

    Scoring: Use the following chart to score your agency's computer security:
    Do NOT use Microsoft products: A.
    Use Microsoft products: F.

    Thank you for taking the time to fill out this survey.

  97. NASA passed... by Anonymous Coward · · Score: 0

    This is interesting because last summer I worked at Glenn Research Center in Cleveland and found out that NASA outsources their IT work across all their research, flight, and space centers through a program called ODIN (outsourced? desktop initiative for NASA). I wonder if this will urge for more privatization of IT within government...

    Oh, and just in case anyone was interested what desktops ODIN supported, they were:
    Windows 2000
    MacOS
    Solaris
    and _not_ any distro of Linux (even though several people I knew ran Linux for a variety of purposes -- mainly Red Hat)

    1. Re:NASA passed... by Anonymous Coward · · Score: 0

      Okay, so NASA got a D-... Maybe socialization is the way to go, comrade.

  98. Inventory of hardware in DoD labs... by devphil · · Score: 1

    ...is performed by monkeys.

    Er, well, that's an unfair exaggeration. I apologize to the monkeys.

    Inventory was actually performed by the cheapest per-hour temp worker at the lowest-bidding contractor. He came around our branch with a label-printer and a notepad. The external hard drive array got labeled "computer" (whatever makes the most noise in the room is invariably labeled "the computer"). The monitors got labeled "computer". The actual computers got labeled "hard drive," or in one case, "backup system". The tape drive jukebox got labeled "CDR-OM" [sic].

    The grandparent post is way way wrong; there are no government/military systems for which there is no standard. If it doesn't have a committee-decided standard, it isn't allowed. Period.

    But when the systems can't even be found because the inventory list is a work of fiction, it's largely a waste.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:Inventory of hardware in DoD labs... by kevlar · · Score: 1

      The grandparent post is way way wrong; there are no government/military systems for which there is no standard. If it doesn't have a committee-decided standard, it isn't allowed. Period.

      That's a crock, my friend. Los Alamos was notorious for having machines stashed everywhere until the Dept of Energy started slamming the scientists after the Chinese stole secrets. Nobody cares about the Dept of Agriculture etc., so nobody has slammed them for their insecurities.

      Every barrack in the military has their own freaking insecure webserver, so I fail to see how your claim is relevant.

      When it comes to Top Secret networks, you can say they are strict in that regard.

    2. Re:Inventory of hardware in DoD labs... by devphil · · Score: 1

      I said it isn't allowed. I didn't say it doesn't happen anyway.

      *shrug* We were pretty good about following those rules, because we knew that if we didn't, we'd get hacked.

      --
      You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  99. Here's something that's annoying by homebrewmike · · Score: 1
    To view the full report card go to http://www.reform.house.gov/tipirc/. Click on Hearings.

    Why didn't they just hyperlink it? Big Brother, while plenty powerful, is pretty freaking slow.

  100. gov't eWelfare by feyd_G4 · · Score: 1

    You mean something like.....NET FORCE!.

  101. And the States are worse by mgrennan · · Score: 1
    Yes, people, if you think the feds can't tell their ass from a router, state governments don't know what an ass is.

    Until lately, the state I live in didn't have firewalls protecting anything. From their DNS to the payroll mainframe, all was open to the world.

    The FTC needs to turn an eye inward.

    --
    There are 10 type of people in the world, those who understand binary and those who don't.
  102. Yes! Really! by HiggsBison · · Score: 1
    it's not as if by hacking the Justice Dept. you can get a friend released from prison, or by hacking the Dept. of Energy you can initiate a core meltdown in one of the nation's (privately-owned) nuclear power plants.

    Yes. Yes you can. Really. And if you hack into Animal Control, you can make a cat or dog or mouse anywhere do anything, any time. Well... at least within the United States' jurisdiction you can.

    "Them bats are smart. They got radar."

    --
    My other car is a 1984 Nark Avenger.
  103. No, best bosses are not technical! by bluGill · · Score: 2, Insightful

    The best boss I ever had was not technical. He had only technical people working for him, and understood enough of the technology that his nods weren't trying to stay away. What he did though wasn't understand the technology; he translated the technical talk into managerese, and vice versa. He made sure we got the resources we needed, work to do, fair raises, and most of the time wasn't in our way.

    Technical managers are better than average, but they suffer from wanting to be engineers. So they try to fit in, not remembering that it takes a long time to really understand a problem and they don't have the time to focus on any one problem to help, much less the particular problem each of us is solving now. A few have made the transition, most fail.

    Remember, everyone is hired to do a job. The worst manager I knew (boss's boss's boss) was an excellent manager, motivated and worked hard to get a lot of things that needed doing done. However in seeing and solving all the other problems that weren't her job, she ignored some things that were her job. Eventually she "resigned for personal reasons", but in the mean time those of us who needed her to get things done lost.

  104. Yeah honestly who is surprised? by wastedbrains · · Score: 1

    I mean with how many computers our agencies have and how long it takes to maintain that many computers there is no way they are secure. Half if not more of the computers are probably maintained by someone that has no clue what they're doing. I work at a CS research lab and we have so many machines and people working on projects; we learned an old machine no one is using anymore was compromised and there is really nothing that can be done since it was no one's machine. I guess we need to create an automated defense firewall that will protect all company computers from the TCP level... if there is a vulnerability in existence the firewall blocks the TCP sockets that the exploit uses until each machine's IP is verified to be patched against the exploit. my friend dom is a turd burglar

    --
    Dan Mayer: my blog, essays, art, etc
  105. On a related topic by Cat_Byte · · Score: 1

    I specialize in security & could use a job if one of these companies is reading this ;)

    But seriously though, one of the very first cuts made when the economy started taking a dive was network/security admins. Now they try to fill the gap with job postings for Network admin/security admin/systems admin/programmer/mail admin/janitor for $5/hr.

    --
    Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
  106. Re:I'm a govt network admin... by Anonymous Coward · · Score: 0

    If your hands are tied, then perhaps an alternative would be to secure the connection from the remote user to a terminal server sitting next to your budgetary server, then at least TELNET is only in the clear across one hop on a switch.

  107. Re:I'm a govt network admin... by k12linux · · Score: 1
    secure the connection from the remote user to a terminal server sitting next to your budgetary server, then at least TELNET is only in the clear across one hop on a switch.

    One hop or 50, if the potential hacker knows (or can find out) the address of the endpoints (host and server, host and router, etc.) ettercap will work just fine.
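    The point made above (and by the original admin who ran ettercap to prove it) is that cleartext telnet on a shared segment is exposed to whoever can poison the ARP caches of the two endpoints. A defender who has been ordered to keep telnet running can at least watch for the symptom. The following is an added example, not code from anyone in this thread: it parses two constructed `arp -an`-style snapshots of a host's ARP cache and flags (a) a protected address (the gateway, the budget server) whose MAC changed between snapshots and (b) one MAC now answering for several addresses including a protected one. All addresses and MACs are made up.

```python
"""Spot ARP-cache symptoms of a man-in-the-middle on a shared LAN segment.

Added example with constructed data; the two snapshots below are invented
`arp -an`-style output, not real output from any system in the thread.
"""
import re

# `arp -an` prints lines like: ? (10.1.0.1) at 00:11:22:33:44:01 on eth0 ...
# Unresolved entries show "(incomplete)" instead of a MAC and are skipped.
ARP_LINE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{17})")

# Constructed snapshot 1: every host on 10.1.0.0/24 answers with its own MAC.
BEFORE_SNAPSHOT = """\
? (10.1.0.1) at 00:11:22:33:44:01 on eth0 ifscope [ethernet]
? (10.1.0.20) at 00:11:22:33:44:20 on eth0 ifscope [ethernet]
? (10.1.0.77) at 00:11:22:33:44:77 on eth0 ifscope [ethernet]
"""

# Constructed snapshot 2, a minute later: the gateway (.1) and the budget
# server (.20) now resolve to the MAC that belonged to workstation .77.
AFTER_SNAPSHOT = """\
? (10.1.0.1) at 00:11:22:33:44:77 on eth0 ifscope [ethernet]
? (10.1.0.20) at 00:11:22:33:44:77 on eth0 ifscope [ethernet]
? (10.1.0.77) at 00:11:22:33:44:77 on eth0 ifscope [ethernet]
? (10.1.0.99) at (incomplete) on eth0 ifscope [ethernet]
"""

# Addresses whose MAC should never change without a planned hardware swap
# (assumed values for this example).
PROTECTED = {"10.1.0.1", "10.1.0.20"}


def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` style output, lower-casing the MACs."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(before, after, protected_ips):
    """Compare two ARP snapshots and return a list of finding tuples.

    ("mac-changed", ip, old_mac, new_mac): a protected IP's MAC moved.
    ("shared-mac", mac, (ip, ...)): one MAC claims several IPs, one protected.
    """
    findings = []
    for ip in sorted(protected_ips):
        if ip in before and ip in after and before[ip] != after[ip]:
            findings.append(("mac-changed", ip, before[ip], after[ip]))

    by_mac = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1 and any(ip in protected_ips for ip in ips):
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    before = parse_arp_table(BEFORE_SNAPSHOT)
    after = parse_arp_table(AFTER_SNAPSHOT)
    for finding in find_anomalies(before, after, PROTECTED):
        print(*finding)
```

    Run periodically against the real cache of the hosts that still speak telnet, this turns the "it can happen" argument into an alert when it does happen; it does not replace encrypting the session, it only shortens the time a cleartext password is exposed before someone notices. Static ARP entries for the gateway and the server, where the hosts allow them, remove finding (a) altogether.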

  108. Re:I'm a govt network admin... by k12linux · · Score: 1
    how about tunnelling telnet over ssh using port forwarding feature of ssh?

    Would be nice, but the app required telnet in addition to several other ports (for Informix actually.) And it is a Windows app. The fact that the hosts which needed access were mixed in with other public hosts didn't help a lot either.

    If this had been some kind of Linux app (or wasn't way too dependent on Windows to keep it from running in wine) I may have done something with iptables redirects and tunneling a connection to the server. As it was though, there wasn't any good solution which was cost effective (read free since I wouldn't be given any money to "fix" a working app.) Anything else I could think of would have just been a kludge and would have opened other more serious security holes.

    I still think the ideal fix would have been for us to pressure the vendor to use some kind of SSH library for Windows in the app. Even if they didn't find a free one they could probably afford to include one considering we pay about $750 (PER SEAT!) for support/maintenance.

    But the boss said "NO," I covered my own ass, and I still have a job (hopefully one I can keep due to the CYA memo.)

  109. State by FSGeek · · Score: 1

    As an I.T. guy in the State Dept., our problem is: State hired oodles of very sharp computer people, and then put them under managers who think computers are a fad. (a quote from a guy in charge of systems in my area.) The contractors try, but get the specs from the same pointy heads. It's a mess. But I'm sure other governments love us for it.

  110. Utterly amazing by Uncle+Duke · · Score: 1

    Having worked for the gov't, I can tell first-hand stories about how the folks in the positions of responsibility for security and even CIO's got to be where they are. It's not only frightening and comical, as a taxpayer it's downright outrageous! However, notice that no coverage is given to the elementary question of the "why are they failing" behind the obvious "why did they fail" of the failing grades. The good news is that at least there's a report card. The bad news is that it's not the kind you want to take home to mom & dad.