Slashdot Mirror
U.S. Interior Dept. Unplugged... Again
IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."
...as reported by internet.com. Interestingly it seems that even the previous time was not really the first?
"For the second time in less than two years, a federal judge has ordered the Interior Department to disconnect from the Internet in order to protect $1 billion in American Indian money managed by the agency.
U.S. District Judge Royce Lamberth said Interior's refusal to cooperate with a court-appointed master who wanted to test the security of Interior's systems, prompted the decision. The government claimed it did not cooperate with Security Assurance Group of Annapolis, Md., because they could not agree on the "rules of engagement."
Much of the money that is handled 'for' the native americans is not federal money from taxes. It is money that is due native americans through things like mineral rights. Security should not even be at the top of the list though- plain mismanagement and incompentence that is criminal. But as is often the case- none of the big players are being held responsible to the extent they should. You can read about it all over the place - like this article
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Looks like the Interior Department has been having computer problems for a long time (December 2001!):
"Web wanderers looking for information on national parks, government mapping services or geological disasters will need to get their information from non-official websites for a while.
U.S. District Judge Royce Lamberth issued the order late Wednesday after a report showed that the computer system which handles $500 million annually in royalties from Indian land has major security holes that make it easy to access the system, alter records and possibly divert funds."
then how exactly do they update your bank account?
Online banking allows you to play with your accounts. If it's hacked it's your data they screw with. The entire bank doesn't become a victim.
Your[sic] one of those bozo's that says "I'll never use my credit card online"
I use my card online all the time.
Not to mention a number of "private" networks use the internet as a backbone.
They're called "VPNs". Good luck hacking a properly maintained one anytime soon.
I know exactly what I'm speaking about. Go back to sleep.
Trolling is a art,
You don't really understand what happened do you?
Firstly, there is no Indian "race" or "nation" that was in conflict with the United States.
There were many conflicts with many tribes and there are many settlements which differ in scope and letter of the agreement.
Since the closing of the Frontier in 1890 and the end of major military action with the American Indians around the same time the rights of the American Indians have changed and the role of the government in thier lives has changed.
The crux of this arguement between the DOI/BIA and the folks suing them isn't about monetarily reimbursing for "or practically annahilating their race" it's about mismangement of natural resources on lands which are on Reservations or were on Reservations which are held in trust by the United States Government who act as stewards of the resources, both discovered and undiscovered.
Basicly the DOI/BIA has lost billions of dollars of money that should have been paid out to various tribes and various private citizens. Not only that, but they can't figure out a webserver that holds confidental information on the monies going out to private citizens that can't be exploited.
and just so everyone knows, the dept of interior is 100% standardized on Microsoft Windows. They do not use any Unix/Linux/BSD anywhere. everything is windows. thats part of the problem of why they are so insecure
Does the name Pavlov ring a bell?
My understanding of the history of this is that DOI has had the least secure computer systems of any U.S. government agency, and have been virtually overrun with cracker activity. It's pretty obvious that someone who knows little about information security, or knowing the government, a LOT of someones, led to this occurring, as I pointed out, for the third time.
As you said, there's no excuse for sensitive systems such as that to be exposed to the Internet, but it's not the first time and probably won't be the last. In the book At Large, author David Freeman points out that at one point, the controls for the Hoover Dam were accessible from the Internet. That's asking for people to DIE, and that's not cool...
Excuse me, someone's at the door. He says he's from Homeland Security...
How am I supposed to fit a pithy, relevant quote into 120 characters?
That has nothing to do with your original statement. You said they are not connected. Explain properly.
Well, you asked nicely. When a customer connects to an online bank they aren't directly connected to the banking core. They're on a webserver that's isolated well enough to prevent compromising the main banking systems. The passwords and login credentials aren't usually stored on the web machines, rather the info is passed through to other secured machines. This way if the web server is comprimised the passwords are safe. There are usually firewalls or other security between all these systems.
The key is to isolate the systems and only allow the bare minimum amount of talk to get the job done.
It looks like the Park Service, USGS , and Office of Aircraft Services are still online. Yet there are some seemingly unrelated divisions offline that probably shouldn't be. I don't see why the National Interagency Fire Center is offline. It seems somewhat important!
Not quite. They _DON'T_ PGP encrypt it, it's sent plain text. EVER BANK I'VE WORKED WITH in USA uses plain text to transfer the file. I have seen the PGP encrypted file, but that's only for Canadian banks.
Yes, FTP using Plaintext is risky. That's why Vital (Visanet) would force the LINK/LINE between the companies to be a. encrypted, or b. a VPN.
No retailer want's to spend the $10,000USD on a business class version of PGP (I've investigated it before). Canadian retailers generally get the retail version and make it some guy's duty to manually encrypt the files.
Mod +5 Drunk
i write software for many many many banks in Minnesota.
Almost all of them use pgp for anything remotely confidential, and many use md5 checksums to make sure nothing got changed in-transit.
I dont know the prices myself but im pretty sure its not $10k. Even if it is, thats peanuts for most banks, especially for something as critical as that.
Plus, I have software out there that many companies dealing with credit cards use. If you apply for a Target credit card, your application (after it has been scanned) goes through my application. Guess what, coming into and going out of, its encrypted.
Maybe you havent worked with banks lately, I'll agree it was pretty bad maybe 6 years ago, but they have got up to speed quickly and most are more secure than your average large company.