Slashdot Mirror
U.S. Interior Dept. Unplugged... Again
IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."
Why would systems with access to funds be connected directly to the net? No system with that level of risk should ever be connected to the net unless there's a damn good reason. Even online banking webservers are throughouly isolated from the core banking systems. This is just sheer stupidity.
Trolling is a art,
This is really sad. I first heard of the DOI's incredible mishandling of the Indian trust here on slashdot a few years ago when they were shut down the first time.
I can understand having problems recompiling literally centuries of data for tens of thousands of people. But c'mon, you can't figure out how to set up firewalls with VPN connections between disparate groups?
Could you imagine any private organization like a mutual fund or retirement investor leaving SSNs and customer information online on websites? Imagine the smack down from the government! But if it's the gov't itself nada. Thank god (or Great Spirit, whatever) that there's at least one judge willing to do the right thing.
I've been on slashdot so long I'm starting to get out of touch with the cool stuff if it ain't on slashdot.
Well, if you've ever contracted for the government, you'd know that trying to get anything done is close to impossible. Any step you take has to be combed through by several beurocrats who have no more interest in anything other than plodding through their days on the way to retirement. Even if you do manage to get all of the systems designed and get ready to roll the upgrades out, someone will just come along and axe the plan while they try to figure out if this move will make them risk their neck in the slightest.
Trying to work for people who essentially can't be fired is a nightmare.
slashdot, news for crazed liberal socialist zealots
There are no such things as rules of engagement. All bets are off, all techniques are viable, no holds barred.
Dress up as a tech guy and talk you way in? Go for it.
Hack through someone's PC, why not?
Send in a small remote control vehicle to snoop? Definitely.
Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....
That's how it's done "for real", so why not train that way? Why not TEST that way?
What's wrong with "Train like you fight, fight like you train"?
I'm glad they were shut down if they threw a hissy fit because they couldn't agree on "rules of engagement". Wake up to the real world ladies and gentlemen.
You'd be surprised what people will just throw in the trash.
Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....
...mug the IT manager for his SecureID, blackmail the tape monkey for backups, assassinate the night guardsman, sure, whatever.
Less severe? One part of a real attack might involve calling in a bomb threat to get one key employee away from his desk. I suspect that it may be better to simulate that part rather than panic the entire building: have one of the high-ups that you're working with call the employee away from his desk for a half hour. Or something.
Yes, the real world doesn't play by rules. But if testing causes more harm than it would have prevented, then it shouldn't take place.
You need to read "Surely You're Joking, Mr. Feyman." Feyman raids the safes that contain the plans for the atomic bomb repeatedly, both for entertainment and to get work done faster. He walks through a hole in the fence around Los Alamos repeatedly, always exiting through the gate. The guard doesn't catch on until he's done it many times.
I was able to get almost anywhere in my university dorms with a penknife, despite locked doors at the end of every hall.
The problem with locks and guard and secure areas is that they're so visually impressive, it's easy to assume that they will work. With bicycle couriers and janitors moving around all the time, workers get used to unfamiliar faces and forget to check ID.