U.S. Interior Dept. Unplugged... Again

← Back to Stories (view on slashdot.org)

U.S. Interior Dept. Unplugged... Again

Posted by ryuzaki0 on Tuesday March 16, 2004 @09:43AM from the is-there-a-sysadmin-in-the-house? dept.

IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."

13 of 299 comments (clear)

Min score:

Reason:

Sort:

I wonder about the old paper systems by Ckwop · 2004-03-16 09:44 · Score: 4, Insightful

If people can't secure the computer systems i wonder how secure the old paper based systems were?

I mean, with a physical system u need physical access but I bet those old systems were probably quite easy to subvert :P

Simon.
1. Re:I wonder about the old paper systems by millahtime · 2004-03-16 09:57 · Score: 4, Insightful
  
  " I bet those old systems were probably quite easy to subvert"
  
  I doubt they were easy to subvert. First you have to gain access to the facility, then you have to have access to that area and then you have to have access to the files. It is not that easy to just stroll in there and get a copy of them.
  
  Secure data would be physically secure. It's not like you can just walk in a building and get that stuff that is locked up. It's pretty tough.
  
  --
  Evolution or ID?
2. Re:I wonder about the old paper systems by jsprat · 2004-03-16 10:09 · Score: 5, Insightful
  
  Unless you're the garbage man...
  
  You'd be surprised what people will just throw in the trash.
3. Re:I wonder about the old paper systems by AllenChristopher · 2004-03-16 10:29 · Score: 5, Insightful
  
  "Secure data would be physically secure. It's not like you can just walk in a building and get that stuff that is locked up. It's pretty tough."
  You need to read "Surely You're Joking, Mr. Feyman." Feyman raids the safes that contain the plans for the atomic bomb repeatedly, both for entertainment and to get work done faster. He walks through a hole in the fence around Los Alamos repeatedly, always exiting through the gate. The guard doesn't catch on until he's done it many times.
  I was able to get almost anywhere in my university dorms with a penknife, despite locked doors at the end of every hall.
  The problem with locks and guard and secure areas is that they're so visually impressive, it's easy to assume that they will work. With bicycle couriers and janitors moving around all the time, workers get used to unfamiliar faces and forget to check ID.
4. Re:I wonder about the old paper systems by wytcld · 2004-03-16 11:33 · Score: 4, Insightful
  
  i wonder how secure the old paper based systems were
  
  That's the center of the legal case. DOI systematically lost records which - if kept and honored - would have resulted in billions of dollars in lease payments to Indian tribes for natural resources (mining and oil) extracted from their reservations by corporations contracted with DOI. The judge may be less concered with security from outside hackers, than with the likelihood of DOI insiders continuing to corrupt and alter the records by setting up the systems so that they themselves can continue to engage in behaviors which have already resulted in judges holding DOI in contempt of court.
  
  It's not enough that we took most of the Indians' land; we've been continuing (through our kindly federal government) to steal from under what little land they have left. Even under Clinton DOI wasn't playing straight on this; you can imagine how much better it's been under Bush. The problem is that under any reasonable estimate there are enough billions involved to qualify as a serious budget item. Of course, the Indians have oil and other natural resources, and in the past behaved as "terrorists," so if anything we're consistent....
  
  --
  "with their freedom lost all virtue lose" - Milton
"Larry, Moe & Curly Consulting" by grub · 2004-03-16 09:46 · Score: 5, Insightful

Why would systems with access to funds be connected directly to the net? No system with that level of risk should ever be connected to the net unless there's a damn good reason. Even online banking webservers are throughouly isolated from the core banking systems. This is just sheer stupidity.

--
Trolling is a art,
1. Re:"Larry, Moe & Curly Consulting" by ackthpt · 2004-03-16 09:52 · Score: 4, Insightful
  
  Firstly you can blame the system.
  What about when the people who spam fake PayPal, BofA, Fleet, etc. try their luck spamming for native americans, to con them out of their ID/Pin/Password, whatever to steal their money? At some point good security depends upon the end user.
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
2. Re:"Larry, Moe & Curly Consulting" by kfg · 2004-03-16 10:13 · Score: 5, Insightful
  
  In the old days it used to be hard to get small businesses to expose themselves to the net at all. They were paranoid about running so much as a webserver for simple customer services.
  
  Nowadays it's getting tough to convince them they need to keep a computer offline to protect sensitive core business data, even if it means a bit of sneaker netting now and again.
  
  Perhaps times will change again as they swing back to paranoid.
  
  Real men may upload their data to ftp and let everyone else mirror it. Smart men pull the ethernet cord. If nothing else you don't want the IRS/SEC to be able to pull your data off of someone else's server. You can't wipe what you don't have sole possession of.
  
  KFG
DOI understands Firewater instead of Firewalls by James+McP · 2004-03-16 09:51 · Score: 5, Insightful

This is really sad. I first heard of the DOI's incredible mishandling of the Indian trust here on slashdot a few years ago when they were shut down the first time.

I can understand having problems recompiling literally centuries of data for tens of thousands of people. But c'mon, you can't figure out how to set up firewalls with VPN connections between disparate groups?

Could you imagine any private organization like a mutual fund or retirement investor leaving SSNs and customer information online on websites? Imagine the smack down from the government! But if it's the gov't itself nada. Thank god (or Great Spirit, whatever) that there's at least one judge willing to do the right thing.

--
I've been on slashdot so long I'm starting to get out of touch with the cool stuff if it ain't on slashdot.
Re:Since the article doesn't mention, I'll ask: by andih8u · 2004-03-16 09:52 · Score: 5, Insightful

Well, if you've ever contracted for the government, you'd know that trying to get anything done is close to impossible. Any step you take has to be combed through by several beurocrats who have no more interest in anything other than plodding through their days on the way to retirement. Even if you do manage to get all of the systems designed and get ready to roll the upgrades out, someone will just come along and axe the plan while they try to figure out if this move will make them risk their neck in the slightest.

Trying to work for people who essentially can't be fired is a nightmare.

--

slashdot, news for crazed liberal socialist zealots
Re:Here's the original occurence by skrysakj · 2004-03-16 10:07 · Score: 5, Insightful

There are no such things as rules of engagement. All bets are off, all techniques are viable, no holds barred.

Dress up as a tech guy and talk you way in? Go for it.
Hack through someone's PC, why not?
Send in a small remote control vehicle to snoop? Definitely.
Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....

That's how it's done "for real", so why not train that way? Why not TEST that way?

What's wrong with "Train like you fight, fight like you train"?

I'm glad they were shut down if they threw a hissy fit because they couldn't agree on "rules of engagement". Wake up to the real world ladies and gentlemen.
Re:Here's the original occurence by Piquan · 2004-03-16 10:24 · Score: 5, Insightful

Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....
...mug the IT manager for his SecureID, blackmail the tape monkey for backups, assassinate the night guardsman, sure, whatever.
Less severe? One part of a real attack might involve calling in a bomb threat to get one key employee away from his desk. I suspect that it may be better to simulate that part rather than panic the entire building: have one of the high-ups that you're working with call the employee away from his desk for a half hour. Or something.
Yes, the real world doesn't play by rules. But if testing causes more harm than it would have prevented, then it shouldn't take place.
Re:Here's the original occurence by cmowire · 2004-03-16 10:41 · Score: 4, Insightful

If critical backups get messed up because of security testing, that would be a security hole.

Having the sys admin go spastic is a good thing for them, because that means that there's somebody watching for stuff. If they know the IP addresses, they can just block those addresses if they don't want the results to turn out bad.

--
Gentoo Sucks