Slashdot Mirror


U.S. Interior Dept. Unplugged... Again

IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."

27 of 299 comments

  1. I wonder about the old paper systems by Ckwop · · Score: 4, Insightful

    If people can't secure the computer systems, I wonder how secure the old paper-based systems were?

    I mean, with a physical system you need physical access, but I bet those old systems were probably quite easy to subvert :P

    Simon.

    1. Re:I wonder about the old paper systems by millahtime · · Score: 4, Insightful

      " I bet those old systems were probably quite easy to subvert"

      I doubt they were easy to subvert. First you have to gain access to the facility, then you have to have access to that area and then you have to have access to the files. It is not that easy to just stroll in there and get a copy of them.

      Secure data would be physically secure. It's not like you can just walk in a building and get that stuff that is locked up. It's pretty tough.

    2. Re:I wonder about the old paper systems by jsprat · · Score: 5, Insightful
      Unless you're the garbage man...

      You'd be surprised what people will just throw in the trash.

    3. Re:I wonder about the old paper systems by roboros · · Score: 3, Insightful

      If people can walk into a secure mainframe room and steal mainframes, a determined person should be able to steal papers. Social engineering can be very powerful, just ask Kevin.

    4. Re:I wonder about the old paper systems by AllenChristopher · · Score: 5, Insightful
      "Secure data would be physically secure. It's not like you can just walk in a building and get that stuff that is locked up. It's pretty tough."

      You need to read "Surely You're Joking, Mr. Feynman." Feynman raids the safes that contain the plans for the atomic bomb repeatedly, both for entertainment and to get work done faster. He walks through a hole in the fence around Los Alamos repeatedly, always exiting through the gate. The guard doesn't catch on until he's done it many times.

      I was able to get almost anywhere in my university dorms with a penknife, despite locked doors at the end of every hall.

      The problem with locks and guards and secure areas is that they're so visually impressive, it's easy to assume that they will work. With bicycle couriers and janitors moving around all the time, workers get used to unfamiliar faces and forget to check ID.

    5. Re:I wonder about the old paper systems by wytcld · · Score: 4, Insightful

      I wonder how secure the old paper-based systems were

      That's the center of the legal case. DOI systematically lost records which - if kept and honored - would have resulted in billions of dollars in lease payments to Indian tribes for natural resources (mining and oil) extracted from their reservations by corporations contracted with DOI. The judge may be less concerned with security from outside hackers than with the likelihood of DOI insiders continuing to corrupt and alter the records by setting up the systems so that they themselves can continue to engage in behaviors which have already resulted in judges holding DOI in contempt of court.

      It's not enough that we took most of the Indians' land; we've been continuing (through our kindly federal government) to steal from under what little land they have left. Even under Clinton DOI wasn't playing straight on this; you can imagine how much better it's been under Bush. The problem is that under any reasonable estimate there are enough billions involved to qualify as a serious budget item. Of course, the Indians have oil and other natural resources, and in the past behaved as "terrorists," so if anything we're consistent....

      --
      "with their freedom lost all virtue lose" - Milton
    6. Re:I wonder about the old paper systems by Obfiscator · · Score: 2, Insightful
      The difference being, of course, that he was a trusted employee who happened to be working on the bomb, not just someone who came in off the street.

      But I dunno, maybe a bum just passing through town could have done the same thing.

      --
      "Nothing shocks me. I'm a scientist." -Indiana Jones
    7. Re:I wonder about the old paper systems by innerweb · · Score: 2, Insightful

      workers get used to unfamiliar faces

      Maybe in your experience, but where I worked, that behaviour would have gotten that unfamiliar face shot. No one messed with the rules. The SPs carried live loaded ammo. They did shoot one person while I was there. He lived, but went to jail.

      InnerWeb

      --
      Freud might say that Intelligent Design is religion's ID.
    8. Re:I wonder about the old paper systems by k_head · · Score: 2, Insightful

      What's amazing to me is how little of this has hit the mainstream press. Wasn't Gale Norton held in contempt by the court? Imagine if a Clinton cabinet secretary was held in contempt how the press would pounce on it.

      Billions of dollars were literally stolen and the networks were ordered shut down at least three times and not a peep from the press.

      So much for the "liberal press" theory.

      --
      The best way to support the US war effort is to continue buying American products.
  2. "Larry, Moe & Curly Consulting" by grub · · Score: 5, Insightful

    Why would systems with access to funds be connected directly to the net? No system with that level of risk should ever be connected to the net unless there's a damn good reason. Even online banking webservers are thoroughly isolated from the core banking systems. This is just sheer stupidity.

    --
    Trolling is a art,
    1. Re:"Larry, Moe & Curly Consulting" by ackthpt · · Score: 4, Insightful
      Firstly you can blame the system.

      What about when the people who spam fake PayPal, BofA, Fleet, etc. try their luck spamming Native Americans, to con them out of their ID/PIN/password, whatever, to steal their money? At some point good security depends upon the end user.

      --
      A feeling of having made the same mistake before: Deja Foobar
    2. Re:"Larry, Moe & Curly Consulting" by kfg · · Score: 5, Insightful

      In the old days it used to be hard to get small businesses to expose themselves to the net at all. They were paranoid about running so much as a webserver for simple customer services.

      Nowadays it's getting tough to convince them they need to keep a computer offline to protect sensitive core business data, even if it means a bit of sneaker netting now and again.

      Perhaps times will change again as they swing back to paranoid.

      Real men may upload their data to ftp and let everyone else mirror it. Smart men pull the ethernet cord. If nothing else you don't want the IRS/SEC to be able to pull your data off of someone else's server. You can't wipe what you don't have sole possession of.

      KFG

  3. DOI understands Firewater instead of Firewalls by James+McP · · Score: 5, Insightful

    This is really sad. I first heard of the DOI's incredible mishandling of the Indian trust here on slashdot a few years ago when they were shut down the first time.

    I can understand having problems recompiling literally centuries of data for tens of thousands of people. But c'mon, you can't figure out how to set up firewalls with VPN connections between disparate groups?

    Could you imagine any private organization like a mutual fund or retirement investor leaving SSNs and customer information online on websites? Imagine the smack down from the government! But if it's the gov't itself nada. Thank god (or Great Spirit, whatever) that there's at least one judge willing to do the right thing.

    --
    I've been on slashdot so long I'm starting to get out of touch with the cool stuff if it ain't on slashdot.
  4. Re:Since the article doesn't mention, I'll ask: by andih8u · · Score: 5, Insightful

    Well, if you've ever contracted for the government, you'd know that trying to get anything done is close to impossible. Any step you take has to be combed through by several bureaucrats who have no interest in anything other than plodding through their days on the way to retirement. Even if you do manage to get all of the systems designed and get ready to roll the upgrades out, someone will just come along and axe the plan while they try to figure out if this move will make them risk their neck in the slightest.

    Trying to work for people who essentially can't be fired is a nightmare.

    --
    slashdot, news for crazed liberal socialist zealots
  5. Re:Guess the Indians shot themselves in the foot. by Tihstae · · Score: 2, Insightful
    Doesn't look like this will do anything positive for the Native Americans.

    No, there is no way that protecting their privacy and keeping the money that is rightfully theirs from being stolen is doing anything good for them. Give me a break, read the article and not just the headline.

    Oops, this is Slashdot. (Rosanne Roseannadana Voice) Nevermind!!
  6. Re:Here's the original occurrence by skrysakj · · Score: 5, Insightful

    There are no such things as rules of engagement. All bets are off, all techniques are viable, no holds barred.

    Dress up as a tech guy and talk your way in? Go for it.
    Hack through someone's PC, why not?
    Send in a small remote control vehicle to snoop? Definitely.
    Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....

    That's how it's done "for real", so why not train that way? Why not TEST that way?

    What's wrong with "Train like you fight, fight like you train"?

    I'm glad they were shut down if they threw a hissy fit because they couldn't agree on "rules of engagement". Wake up to the real world ladies and gentlemen.

  7. Re:Here's the original occurrence by Piquan · · Score: 5, Insightful

    Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....

    ...mug the IT manager for his SecureID, blackmail the tape monkey for backups, assassinate the night guardsman, sure, whatever.

    Less severe? One part of a real attack might involve calling in a bomb threat to get one key employee away from his desk. I suspect that it may be better to simulate that part rather than panic the entire building: have one of the high-ups that you're working with call the employee away from his desk for a half hour. Or something.

    Yes, the real world doesn't play by rules. But if testing causes more harm than it would have prevented, then it shouldn't take place.

  8. Re:No web at work ... the humanity ... by yoriknme · · Score: 2, Insightful

    I work for the government, and I'm still here. Nothing like stereotypes.

  9. Re:Technology vs. Indians by osu-neko · · Score: 2, Insightful
    There's no reason we should still be paying penance for the actions of our ancestors. If my father went out and killed someone, I wouldn't get in any trouble for it, so why do natives still deserve the support we give them, and why do we still feel obligated to give it to them?

    If your grandfather killed my grandfather, I wouldn't expect you to be punished for it. On the other hand, if your grandfather stole my grandfather's property, and I'm my grandfather's rightful heir, were this fact uncovered, you should be expected to give me back the property that is now rightfully mine. That's not punishing you for a crime your grandfather committed, that's not penance, that's just doing what's right.

    Now, if we want to give the natives of North America back what rightfully is theirs, we European descendants need to get on ships and sail back to the Old Country, set up shop in London or wherever. Personally, I don't want to do it. So, if I'm not going to give back what is rightfully theirs, I should at least pay rent on it, no?

    Again, I'm not interested in punishment, which I don't deserve, or penance, which I don't need. What I'm interested in is doing what's right...

    --
    "Convictions are more dangerous enemies of truth than lies."
  10. What right does the court have? by cheeser · · Score: 2, Insightful

    Why is the court telling the DOI to unplug? Is there a lawsuit I'm missing? The court's job is to rule on lawsuits brought before it, not define public policy or run about ordering people around. So unless there's a lawsuit about the DOI's systems, the court should stfu.

    --
    http://cheeser.blog-city.com

  11. Re:my step dad works for the Dept of Interior by Vellmont · · Score: 2, Insightful

    Incorrect. I used to work for the US Geological Survey, and they used Data General unix systems about 10 years ago. I seriously doubt they've dropped all the unix machines as science has a strong history of using Unix. The Dept of Interior is also a huge department, so it'd be very difficult for them to have ONLY windows machines throughout the entire organization.

    --
    AccountKiller
  12. Re:Here's the original occurrence by cmowire · · Score: 4, Insightful

    If critical backups get messed up because of security testing, that would be a security hole.

    Having the sys admin go spastic is a good thing for them, because that means that there's somebody watching for stuff. If they know the IP addresses, they can just block those addresses if they don't want the results to turn out bad.

  13. Culprit is... by bonch · · Score: 3, Insightful

    ...the sysadmins.

    Linux was shown as the most-breached OS on the net according to that study Slashdot posted, remember.

  14. A passing grade for security is not easy for Feds by donheff · · Score: 3, Insightful

    I don't know anything about Interior's problems with the Indian accounting systems, but I can assure you that the security scorecards for Federal systems are tough. OMB and the Hill have appropriately set a very high bar to push agencies to the limit. The intent is to make government systems a model for security best practices - they don't get marked "green" unless they jump through a lot of hoops. There are plenty of bright people on /. who could teach the Feds and anyone else a lot about secure systems. But there are also a whole lot of us who, truth be known, are running critical systems that couldn't come close to passing muster against the standards used to rate the Feds on security.

    I also haven't seen any specifics about why the Judge is hammering DOI. I wouldn't be surprised if they are simply battling with the Judge over the oversight processes she wants to impose - granted that might be a dumb battle to fight.

  15. Re:Since the article doesn't mention, I'll ask: by 0x0d0a · · Score: 2, Insightful

    See, the problem was having 10 people involved in the initial decision-making.

    Having *feedback* from lots of people is okay. Having more than three people involved in actually making a decision is, IMHO, a bad idea.

  16. Re:Department of Interior? by Warlok · · Score: 3, Insightful

    Department of the Interior, in charge of everything outdoors in the U.S. of A. Like Gallagher said, they picked the word that didn't fit.

    --
    ...and you run and you run and you can't stop what's been done...
  17. Re:Here's the original occurrence by MoneyT · · Score: 2, Insightful

    But even if it is a hole, there should be a specific day that that testing is run so that an additional backup can be made. Just because you are testing the security of your system doesn't mean you shouldn't be able to recover if you find a fatal problem.

    --
    T Money
    World Domination with a plastic spoon since 1984