U.S. Interior Dept. Unplugged... Again
IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."
If people can't secure the computer systems, I wonder how secure the old paper-based systems were.
:P
I mean, with a physical system you need physical access, but I bet those old systems were probably quite easy to subvert.
Simon.
DOI employees cannot use the Web or send or receive e-mail.
:)
*thinks about what he does at work*
So they're letting everybody go home early then?
...as reported by internet.com. Interestingly it seems that even the previous time was not really the first?
"For the second time in less than two years, a federal judge has ordered the Interior Department to disconnect from the Internet in order to protect $1 billion in American Indian money managed by the agency.
U.S. District Judge Royce Lamberth said Interior's refusal to cooperate with a court-appointed master who wanted to test the security of Interior's systems prompted the decision. The government claimed it did not cooperate with Security Assurance Group of Annapolis, Md., because they could not agree on the "rules of engagement."
Why would systems with access to funds be connected directly to the net? No system with that level of risk should ever be connected to the net unless there's a damn good reason. Even online banking webservers are thoroughly isolated from the core banking systems. This is just sheer stupidity.
Trolling is a art,
There goes my sweet FTP server with the 0 day warez and the fat pipe!
Is their continuing failure to secure their system due to lack of will/lack of money/what they're using or some combo of the three?
Seems rather appropriate. What software are they running?
A feeling of having made the same mistake before: Deja Foobar
Simpson, whose verbal gaffes are also legendary, pulled another one Sunday visiting the White House, our sources say. The singer was introduced to Interior Secretary Gale Norton and gushed: "You've done a nice job decorating the White House."
Source: washingtonpost.com
This is really sad. I first heard of the DOI's incredible mishandling of the Indian trust here on slashdot a few years ago when they were shut down the first time.
I can understand having problems recompiling literally centuries of data for tens of thousands of people. But c'mon, you can't figure out how to set up firewalls with VPN connections between disparate groups?
Could you imagine any private organization like a mutual fund or retirement investor leaving SSNs and customer information online on websites? Imagine the smack down from the government! But if it's the gov't itself nada. Thank god (or Great Spirit, whatever) that there's at least one judge willing to do the right thing.
I've been on slashdot so long I'm starting to get out of touch with the cool stuff if it ain't on slashdot.
That's cool. We'll just keep the casino money.
I emailed the Department of the Interior, pointing out that they should consider selling any unsolicited copies of software so as to not waste the value of gifts. They shouldn't use gift material as that bypasses the intent of normal acquisition processes.
Now I know why I got no response...
Coincidentally, The Dept of the Interior actually does decorate the White House.
"its systems were too insecure to be left open"
Well, I feel sorry for the systems. It is really rough working for the government and having self-esteem issues. If I worked for the gov't, I would be a little insecure myself :P
"The Interior Department said the order "is a new frontier in this court's efforts to run the operations of executive branch agencies."
//
"We are working closely with the Department of Justice to quickly respond to this order in the appropriate legal venue," the agency said in a faxed statement.
It's a political thing. Probably not much of a technical problem here at all. Somebody's making a move for power somewhere and now all of this BS. They are punishing the Interior by taking down links with schools on them rather than just blocking traffic via access lists and firewalls.
If they really had a problem with some of the services being provided as insecure they could have either firewalled those services or just blocked them at the router. Since, they did not take a rational approach to solving the problem, the problem is likely a political one from one greybearded idiot to another.
Been a consultant for the government. Seen it. I once went almost 4 months doing nothing but earning good money while waiting for the Chicago Tollway to resolve some political infighting. 4 months of sitting at home, watching TV and basically chilling out on Illinois tax dollars.
It was lovely.
Much of the money that is handled 'for' the Native Americans is not federal money from taxes. It is money that is due Native Americans through things like mineral rights. Security should not even be at the top of the list though; plain mismanagement and incompetence that is criminal. But as is often the case, none of the big players are being held responsible to the extent they should. You can read about it all over the place, like in this article.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Looks like the Interior Department has been having computer problems for a long time (December 2001!):
"Web wanderers looking for information on national parks, government mapping services or geological disasters will need to get their information from non-official websites for a while.
U.S. District Judge Royce Lamberth issued the order late Wednesday after a report showed that the computer system which handles $500 million annually in royalties from Indian land has major security holes that make it easy to access the system, alter records and possibly divert funds."
You don't really understand what happened do you?
Firstly, there is no Indian "race" or "nation" that was in conflict with the United States.
There were many conflicts with many tribes and there are many settlements which differ in scope and letter of the agreement.
Since the closing of the Frontier in 1890 and the end of major military action with the American Indians around the same time, the rights of the American Indians have changed and the role of the government in their lives has changed.
The crux of this argument between the DOI/BIA and the folks suing them isn't about monetarily reimbursing for "or practically annihilating their race"; it's about mismanagement of natural resources on lands which are on Reservations or were on Reservations, which are held in trust by the United States Government, who act as stewards of the resources, both discovered and undiscovered.
Basically the DOI/BIA has lost billions of dollars of money that should have been paid out to various tribes and various private citizens. Not only that, but they can't figure out how to run a webserver that holds confidential information on the monies going out to private citizens without it being exploited.
And just so everyone knows, the Dept. of the Interior is 100% standardized on Microsoft Windows. They do not use any Unix/Linux/BSD anywhere. Everything is Windows. That's part of the problem of why they are so insecure.
Does the name Pavlov ring a bell?
"(g) No Refusal Gift Acceptance Policy
All Department of the Interior employees may accept gifts offered to them by representatives of Indian Tribes, Alaska Native Organizations, Insular and foreign governments when refusal to accept such gifts would be likely to cause offense or embarrassment or otherwise adversely affect relations with the United States."
It looks like the Park Service, USGS, and Office of Aircraft Services are still online. Yet there are some seemingly unrelated divisions offline that probably shouldn't be. I don't see why the National Interagency Fire Center is offline. It seems somewhat important!
I'm posting this AC for obvious reasons.
A few years back we had a run-in with the DOI. We found very strange things in our web and FTP logs and traced them back to a Denver office of the DOI. Basically what they were doing was spending hours every night (way after office hours) digging and digging and digging to see what they could find. There were tons of 501s because these guys would enumerate when directory listing was turned off.
My colleague wrote to the DOI in Washington and asked 'what's up'. Because of the evidence we could show, the DOI Washington office decided to put a sniffer on the Denver line. Great, we thought, soon this will be cleared up. As if.
A week goes by, and the Washington DOI people contact us. Their sniffer thing didn't work. When they were about to install it, some dork went around the Denver office barking, 'OK EVERYBODY HAS TO GO HOME EARLY TONIGHT WE'RE INSTALLING A SNIFFER ON THE LINE'.
Now whether you believe that story (and that's how they told it) is another matter. We did not, and ever since, at regular intervals, they're back again.
Funky group. Very funky!
...the sysadmins.
Linux was shown as the most-breached OS on the net according to that study Slashdot posted, remember.
Which is why secured government facilities are required to shred all classified documents. And as for Mr. Feynman's legendary escapades, Los Alamos was recently severely upbraided by the DOE for its lax security.
Most government facilities have the lowest level of classified information ("Secret"). Very few have "Top Secret" or higher. And even with Secret, there are very extensive procedures in place in terms of document storage, personnel access, etc.; you're not going to be able to get in with a penknife, leastways not when the document is in a 2-ton graphite safe with 70-point rotary dial behind an armed guard gate.
And as for the guy who found a 10BASE-T hub? Dude. That's nothing. We throw old junk away all the time. I just threw 5 Betacam SP decks, worth about $6000 each, in the trash last week. Remember, the agencies can't sell equipment; only the GSA sells surplus, and that's at auction. And it's not like the agencies get credit for turning stuff in. So there is no financial incentive for the agencies to save old equipment, and the paperwork is far too much of a hassle to deal with, just to get it transferred off the books to surplus. (You have to verify condition and certify it, blah blah blah.) So we just get it written off as damaged beyond repair, and toss it.
Believe me, I'd take the stuff home if I could, but then I'd technically be stealing. It has to be officially thrown away first.
God Bless America.
I don't know anything about Interior's problems with the Indian accounting systems, but I can assure you that the security scorecards for Federal systems are tough. OMB and the Hill have appropriately set a very high bar to push agencies to the limit. The intent is to make government systems a model for security best practices - they don't get marked "green" unless they jump through a lot of hoops. There are plenty of bright people on /. who could teach the Feds and anyone else a lot about secure systems. But there are also a whole lot of us who, truth be known, are running critical systems that couldn't come close to passing muster against the standards used to rate the Feds on security.
I also haven't seen any specifics about why the Judge is hammering DOI. I wouldn't be surprised if they are simply battling with the Judge over the oversight processes she wants to impose - granted that might be a dumb battle to fight.
I write software for many, many, many banks in Minnesota.
Almost all of them use pgp for anything remotely confidential, and many use md5 checksums to make sure nothing got changed in-transit.
I don't know the prices myself, but I'm pretty sure it's not $10k. Even if it is, that's peanuts for most banks, especially for something as critical as that.
Plus, I have software out there that many companies dealing with credit cards use. If you apply for a Target credit card, your application (after it has been scanned) goes through my application. Guess what: coming into it and going out of it, it's encrypted.
Maybe you haven't worked with banks lately. I'll agree it was pretty bad maybe 6 years ago, but they have got up to speed quickly and most are more secure than your average large company.
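The post above mentions PGP plus MD5 checksums for in-transit integrity. The following is an added example, not the poster's software, that shows the practical difference between an unkeyed checksum and a keyed authenticator: anyone who can alter a record on the wire can also recompute an MD5 digest for the altered bytes, whereas recomputing an HMAC (or a PGP signature) requires a secret the man-in-the-middle does not hold. The record, the key and the tampering step are constructed for the demo; the helper names are assumptions.

```python
"""Added example: unkeyed MD5 checksum vs keyed HMAC for in-transit integrity.
Not the poster's code; record, key and attacker behaviour are constructed."""
import hashlib
import hmac

# Constructed shared secret known to sender and receiver, not to the attacker.
SHARED_KEY = bytes.fromhex("7f3b0d4e1a9c6b2f8e5d4c3b2a190817f6e5d4c3b2a190817f6e5d4c3b2a1908")

# Constructed payment record as it might travel between two institutions.
RECORD = b"account=12345;amount=100.00;payee=J. Doe"


def md5_checksum(data: bytes) -> str:
    """Unkeyed digest: depends only on the bytes, so anyone can recompute it."""
    return hashlib.md5(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed authenticator: cannot be recomputed without the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_checks_md5(data: bytes, checksum: str) -> bool:
    return md5_checksum(data) == checksum


def receiver_checks_hmac(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the mismatch position via timing.
    return hmac.compare_digest(hmac_tag(key, data), tag)


def attacker_rewrites(data: bytes) -> bytes:
    """Hypothetical man-in-the-middle changing the amount field."""
    return data.replace(b"amount=100.00", b"amount=999999.00")


def tamper_against_md5(data: bytes, checksum: str) -> tuple[bytes, str]:
    # The attacker alters the record and simply recomputes the unkeyed digest.
    new_data = attacker_rewrites(data)
    return new_data, md5_checksum(new_data)


def tamper_against_hmac(data: bytes, tag: str) -> tuple[bytes, str]:
    # Without SHARED_KEY the attacker's best move is to forward the old tag.
    new_data = attacker_rewrites(data)
    return new_data, tag


def demo() -> dict:
    """Returns whether the receiver detects tampering under each scheme."""
    sent_md5 = md5_checksum(RECORD)
    sent_tag = hmac_tag(SHARED_KEY, RECORD)

    bad_data, bad_md5 = tamper_against_md5(RECORD, sent_md5)
    md5_detected = not receiver_checks_md5(bad_data, bad_md5)

    bad_data2, forwarded_tag = tamper_against_hmac(RECORD, sent_tag)
    hmac_detected = not receiver_checks_hmac(SHARED_KEY, bad_data2, forwarded_tag)

    return {
        "tampered_record": bad_data,
        "md5_detected": md5_detected,      # False: checksum was recomputed
        "hmac_detected": hmac_detected,    # True: tag no longer matches
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The MD5 checksum still catches accidental corruption, which is all a checksum is for; it is the keyed tag (or a signature under the sender's PGP key) that turns an integrity check into a tamper check.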
Department of the Interior, in charge of everything outdoors in the U.S. of A. Like Gallagher said, they picked the word that didn't fit.
...and you run and you run and you can't stop what's been done...