Slashdot Mirror
U.S. Interior Dept. Unplugged... Again
IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."
If people can't secure the computer systems i wonder how secure the old paper based systems were?
:P
I mean, with a physical system u need physical access but I bet those old systems were probably quite easy to subvert
Simon.
DOI employees cannot use the Web or send or receive e-mail.
:)
*thinks about what he does at work*
So they're letting everybody go home early then?
...as reported by internet.com. Interestingly it seems that even the previous time was not really the first?
"For the second time in less than two years, a federal judge has ordered the Interior Department to disconnect from the Internet in order to protect $1 billion in American Indian money managed by the agency.
U.S. District Judge Royce Lamberth said Interior's refusal to cooperate with a court-appointed master who wanted to test the security of Interior's systems, prompted the decision. The government claimed it did not cooperate with Security Assurance Group of Annapolis, Md., because they could not agree on the "rules of engagement."
Why would systems with access to funds be connected directly to the net? No system with that level of risk should ever be connected to the net unless there's a damn good reason. Even online banking webservers are throughouly isolated from the core banking systems. This is just sheer stupidity.
Trolling is a art,
There goes my sweet FTP server with the 0 day warez and the fat pipe!
I wonder who the culprit is.
Is their continuing failure to secure their system due to lack of will/lack of money/what they're using or some combo of the three?
Seems rather appropriate. What software are they running?
A feeling of having made the same mistake before: Deja Foobar
Simpson, whose verbal gaffes are also legendary, pulled another one Sunday visiting the White House, our sources say. The singer was introduced to Interior Secretary Gale Norton and gushed: "You've done a nice job decorating the White House."
Source: washingtonpost.com
This is really sad. I first heard of the DOI's incredible mishandling of the Indian trust here on slashdot a few years ago when they were shut down the first time.
I can understand having problems recompiling literally centuries of data for tens of thousands of people. But c'mon, you can't figure out how to set up firewalls with VPN connections between disparate groups?
Could you imagine any private organization like a mutual fund or retirement investor leaving SSNs and customer information online on websites? Imagine the smack down from the government! But if it's the gov't itself nada. Thank god (or Great Spirit, whatever) that there's at least one judge willing to do the right thing.
I've been on slashdot so long I'm starting to get out of touch with the cool stuff if it ain't on slashdot.
I think part of the problem with a lot of the corporations/departments having many security flaws, or systems open to the net that shouldnt be is the fact that many people still see the internet as an idealistic place for the exchange of ideas and commerce. People are still slow to realize the danger that lies in the internet, and the fact that it can be dangerous. If people knew more about the dangers of technology they might be more apt to work on protecting themselves.
That's cool. We'll just keep the casino money.
I emailed the Department of the Interior, pointing out that they should consider selling any unsolicited copies of software so as to not waste the value of gifts. They shouldn't use gift material as that bypasses the intent of normal acquisition processes.
Now I know why I got no response...
Coincidentally, The Dept of the Interior actually does decorate the White House.
"its systems were too insecure to be left open"
Well, I feel sorry for the systems. It is really rough working for the government and having self esteem issues. If I worked for the gov't, I would be a little insecure my self : P
"The Interior Department said the order "is a new frontier in this court's efforts to run the operations of executive branch agencies."
//
"We are working closely with the Department of Justice to quickly respond to this order in the appropriate legal venue," the agency said in a faxed statement.
It's a political thing. Probably not much of a technical problem here at all. Somebody's making a move for power somewhere and now all of this BS. They are punishing the Interior by taking down links with schools on them rather than just blocking traffic via access lists and firewalls.
If they really had a problem with some of the services being provided as insecure they could have either firewalled those services or just blocked them at the router. Since, they did not take a rational approach to solving the problem, the problem is likely a political one from one greybearded idiot to another.
Been a consultant for the government. Seen it. I once went almost 4 months doing nothing but earning good money while waiting for the Chicago Tollway to resolve some political infighting. 4 months of sitting at home, watching TV and basically chilling out on Illinois tax dollars.
It was lovely.
Much of the money that is handled 'for' the native americans is not federal money from taxes. It is money that is due native americans through things like mineral rights. Security should not even be at the top of the list though- plain mismanagement and incompentence that is criminal. But as is often the case- none of the big players are being held responsible to the extent they should. You can read about it all over the place - like this article
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Looks like the Interior Department has been having computer problems for a long time (December 2001!):
"Web wanderers looking for information on national parks, government mapping services or geological disasters will need to get their information from non-official websites for a while.
U.S. District Judge Royce Lamberth issued the order late Wednesday after a report showed that the computer system which handles $500 million annually in royalties from Indian land has major security holes that make it easy to access the system, alter records and possibly divert funds."
Uh, do you know what a "treaty" is? It is a legally binding contract. Despite having repeatedly violated the treaties, the Interior Department is legally bound to try to honor them. These "payments" are usually part of ongoing compensation for having deprived people of land that they were legally entitled to. The priciple of Eminent Domain does allow the government to kick people off their land, but stipulates that they must be compensated.
"Freedom means freedom for everybody" -- Dick Cheney
No, there is no way that protecting their privacy and keeping the money that is rightfully theirs from being stolen is doing anything good for them. Give me a break, read the article and not just the headline.
Oops, this is Slashdot. (Rosanne Roseannadana Voice) Nevermind!!
It's frustrating to be out of work and not getting offers, while knowing I'm considerably more competent than these fools who still seem to have jobs after b0rking it time and time again.
ehintz
You don't really understand what happened do you?
Firstly, there is no Indian "race" or "nation" that was in conflict with the United States.
There were many conflicts with many tribes and there are many settlements which differ in scope and letter of the agreement.
Since the closing of the Frontier in 1890 and the end of major military action with the American Indians around the same time the rights of the American Indians have changed and the role of the government in thier lives has changed.
The crux of this arguement between the DOI/BIA and the folks suing them isn't about monetarily reimbursing for "or practically annahilating their race" it's about mismangement of natural resources on lands which are on Reservations or were on Reservations which are held in trust by the United States Government who act as stewards of the resources, both discovered and undiscovered.
Basicly the DOI/BIA has lost billions of dollars of money that should have been paid out to various tribes and various private citizens. Not only that, but they can't figure out a webserver that holds confidental information on the monies going out to private citizens that can't be exploited.
and just so everyone knows, the dept of interior is 100% standardized on Microsoft Windows. They do not use any Unix/Linux/BSD anywhere. everything is windows. thats part of the problem of why they are so insecure
Does the name Pavlov ring a bell?
"(g) No Refusal Gift Acceptance Policy
All Department of the Interior employees may accept gifts offered to them by representatives of Indian Tribes, Alaska Native Organizations, Insular and foreign governments when refusal to accept such gifts would be likely to cause offense or embarrassment or otherwise adversely affect relations with the United States."
If irony was made of strawberries, we'd all be drinking a lot of smoothies right now.
Interior Dept unplugged from the Net
Judge orders agency to shut Internet system after concluding security holes are still a problem.
March 16, 2004: 2:46 PM EST
WASHINGTON (Reuters) - Wide swaths of the Interior Department were taken off the Internet again Tuesday after a federal judge concluded that the agency still has not fixed security holes that threaten payments owed to American Indians.
It was the third such shutdown for the Interior Department since 2001, when an investigator found that hackers could easily steal money from a system that allocates energy and mineral royalties to 300,000 Indians for use of their land.
U.S. District Court Judge Royce Lamberth said the system still remained vulnerable despite the department's assurances to the contrary, and the agency could not be trusted to fix the problem by itself.
"The feigned indignance of Interior aside, there is simply no other alternative. Interior brought this on themselves," Lamberth wrote in an opinion signed Monday.
The Interior Department said the order "is a new frontier in this court's efforts to run the operations of executive branch agencies."
"We are working closely with the Department of Justice to quickly respond to this order in the appropriate legal venue," the agency said in a faxed statement.
Lamberth, who serves in Washington, ordered Interior to pull all its computer systems offline except for those involved in vital police and fire services.
Bureaus that oversee national parks and provide geological information can also remain online as they have no relation to the trust data, he said.
Divisions that oversee wildlife management, oil and gas royalty payments and Indian affairs were offline Tuesday. Employees are unable to access the Web or send e-mail to those outside the agency, spokesman Dan DuBray said.
The order also shuts down a program that provides Internet access to schools on Indian reservations, the agency said.
Interior could bring its systems back online if an independent reviewer certified them as secure and monitored them on a monthly basis, Lamberth said.
The Interior Department consistently attracts failing computer-security grades from congressional reviewers.
The blackout stems from a class-action lawsuit between the agency and Indians who allege that it has mismanaged trust accounts set up in the late 19th century to handle proceeds from oil, gas and minerals extracted from Indian lands.
Lead plaintiff Elouise Cobell, a member of Montana's Blackfeet tribe, charges that the government has lost track of billions of dollars and wants the judge to transfer control of the accounts to a court-ordered receiver.
Working with a court-appointed overseer, the agency had been able to bring nearly all of its systems back online within a year after Lamberth ordered them unplugged in 2001. But Lamberth ordered some systems offline again in July 2003 after a dispute between the agency and the overseer.
... to worry about security.
[Jessica] Simpson, whose verbal gaffes are also legendary, pulled another one Sunday visiting the White House, our sources say. The singer was introduced to Interior Secretary Gale Norton and gushed: "You've done a nice job decorating the White House.
(source, near the bottom, after W. refers to the Ford Theatre as the Lincoln Theatre.)
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
It looks like the Park Service, USGS , and Office of Aircraft Services are still online. Yet there are some seemingly unrelated divisions offline that probably shouldn't be. I don't see why the National Interagency Fire Center is offline. It seems somewhat important!
If your grandfather killed my grandfather, I wouldn't expect you to be punished for it. On the other hand, if your grandfather stole my grandfather's property, and I'm my grandfather's rightful heir, were this fact uncovered, you should be expected to give me back the property that is now rightfully mine. That's not punishing you for a crime your grandfather committed, that's not penance, that's just doing what's right.
Now, if we want to give the natives of North America back what rightfully is theirs, we European decendants need to get on ships and sail back to the Old Country, set up shop in London or whereever. Personally, I don't want to do it. So, if I'm not going to give back what is rightfully theirs, I should at least pay rent on it, no?
Again, I'm not interest in punishment, which I don't deserve, or penance, when I don't need. What I'm interested in is doing what's right...
"Convictions are more dangerous enemies of truth than lies."
Why is the court telling the DOI to unplug? Is there a lawsuit I'm missing? The court's job is to rule on lawsuits brought before not define public policy or run about ordering people around. So unless there's a lawsuit about the DOI's systems, the court should stfu.
--
http://cheeser.blog-city.com
I'm posting this AC for obvious reasons.
A few years back we had a run-in with the DOI. We found very strange things in our web and FTP logs and traced them back to a Denver office of the DOI. Basically what they were doing was spending hours every night (way after office hours) digging and digging and digging to see what they could find. There were tons of 501s because these guys would enumerate when directory listing was turned off.
My colleage wrote to the DOI in Washington and asked 'what's up'. Because of the evidence we could show, the DOI Washington office decided to put a sniffer on the Denver line. Great, we thought, soon this wil be cleared up. As if.
A week goes by, and the Washington DOI people contact us. Their sniffer thing didn't work. When they were about to install it, some dork went around the Denver office barking, 'OK EVERYBODY HAS TO GO HOME EARLY TONIGHT WE'RE INSTALLING A SNIFFER ON THE LINE'.
Now if you believe that story (and that's how they told it) is another matter. We did not - and ever since, at regular intervals, they're back again.
Funky group. Very funky!
There's some irony in Wyatt Earp setting the record straight here :)
...the sysadmins.
Linux was shown as the most-breached OS on the net according to that study Slashdot posted, remember.
Which is why secured government facilities are required to shred all classified documents. And as for Mr. Feynman's legendary escapades, Los Alamos was recently severely upbraided by the DOE for its lax security.
Most government facilities have the lowest level of classified information ("Secret"). Very few have "Top Secret" or higher. And even with Secret, there are very extensive procedures in place in terms of document storage, personnel access, etc.; you're not going to be able to get in with a penknife, leastways not when the document is in a 2-ton graphite safe with 70-point rotary dial behind an armed guard gate.
And as for the guy who found a 10-Base T hub? Dude. That's nothing. We throw old junk away all the time. I just threw 5 Betacam SP decks, worth about $6000 each, in the trash last week. Remember, the agencies can't sell equipment; only the GSA sells surplus, and that's at auction. And it's not like the agencies get credit for turning stuff in. So there is no financial incentive for the agencies to save old equipment, and the paperwork is far too much of a hassle to deal with, just to get it transferred off the books to surplus. (You have to verify condition and certify it, blah blah blah.) So we just get it written off as damaged beyond repair, and toss it.
Believe me, I'd take the stuff home if I could, but then I'd technically be stealing. It has to be officially thrown away first.
God Bless America.
The computers are down for uh... (maintenance? No we cant say that... used it in 1980...)
..
...
...
uh... (For updating to a new accounting system for this very account? Damn, used that in '92... there's got to be a good excuse here somewhere... I know!..)
Oh, yeah it's a security issue! That's it, a security issue... can't mess with security now, can we? Not after 9-11!...
(Good one!)
Yes, we'll get back to you about that $700,000,000.00 we owe you after all of this is sorted out...
Oh, sure. As soon as possible...
Don't worry about it, we've got everything under control. Thanks for being so understanding...
Oh yeah, I almost forgot, your access is going to be out for a while...
That's right, no email, no web...
Yes, there'll be no distance learning at the schools either for the time being...
Really, that's not fair. Why don't you people just hire more teachers?
What's that?
$700 Million?
It's funny how technical problems always plague the DOI every time this issue comes up.
Read, L
I don't know anything about Interior's problems with the Indian accounting systems, but I can assure you that the security scorecards for Federal systems are tough. OMB and the Hill have appropriately set a very high bar to push agencies to the limit. The intent is to make government systems a model for security best practices - they don't get marked "green" unless they jump through a lot of hoops. There are plenty of bright people on /. who could teach the Feds and anyone else a lot about secure systems. But there are also a whole lot of us who, truth be known, are running critical systems that couldn't come close to passing muster against the standards used to rate the Feds on security.
I also haven't seen any specifics about why the Judge is hammering DOI. I wouldn't be surprised if they are simply battling with the Judge over the oversight processes she wants to impose - granted that might be a dumb battle to fight.
i write software for many many many banks in Minnesota.
Almost all of them use pgp for anything remotely confidential, and many use md5 checksums to make sure nothing got changed in-transit.
I dont know the prices myself but im pretty sure its not $10k. Even if it is, thats peanuts for most banks, especially for something as critical as that.
Plus, I have software out there that many companies dealing with credit cards use. If you apply for a Target credit card, your application (after it has been scanned) goes through my application. Guess what, coming into and going out of, its encrypted.
Maybe you havent worked with banks lately, I'll agree it was pretty bad maybe 6 years ago, but they have got up to speed quickly and most are more secure than your average large company.
The computer security can be laughable sometimes. Those of us who develop software, use Linux whenever possible. I NEVER boot my pc into windows except to allow the IT people to update my antivirus defs. You wouldn't believe the grief I get if I don't boot into windows at least once a week.
And what exactly is a "Department of Interior"? Please enlighten this curious non-American. This is the first time I've ever seen the name Department of Interior...
Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
First you have to gain access to the facility, then you have to have access to that area and then you have to have access to the files. It is not that easy to just stroll in there and get a copy of them.
At least in the case of the indian stuff it wasn't an issue of getting copies of the information.
They "lost" essentially all of the indians' money - and the records were corrupted enough that it was no longer possible to trace who took it.
The bureaucrats in charge (the likely suspects) then took advantage of the insecure network to finger-point away from themselves. And the systems were taken offline when it was shown that they were STILL wide open.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Any distance learning classes are going to have some problems. So the court ruling affects the education of the next generation. It looks like US Geological Survey (the group that administers the bia.edu part) will be going to court to get the order lifted for the colleges so they can go on without interference.
PS
Also, it is believed that the amount of lost money for mineral / grazing rights on the trust land total around $10 billion.
Here's the breakdown of the judges' decree I read at work (at one of the DOI deparments) earlier today (and yes, internal email still works!)
:)
A couple years ago Cobell wanted to know how much money was in the trust fund. DOI stutters, says "uhhhh" and a lawsuit is filed. DOJ (Department of Justice) says to DOI "Your computers are not secure, you're cut off from the internet until they are secure." Internet is out for a few months. An appeal is filed, DOI says "We've fixed the problem!" DOJ says OK. Internet is restored, but as it happens nothing has really been secured. IBM is hired to hack at the servers, and for a month and a half of hacking NO ONE NOTICED or even attempted to take countermeasures.
Here's a kicker: when a security audit was planned for one of the machines, DOI pulled the plug when they knew it would be getting scanned! Needless to say, the judge is rightfully upset with DOI, and we probably deserve to have our internet shut off.
In the meantime, it really sucks to have to order stuff over phone and fax. I just hope this outage doesn't last for months. Today was long enough....
Cheers.