How Safe are Government Computers?

← Back to Stories (view on slashdot.org)

How Safe are Government Computers?

Posted by Cliff on Monday March 29, 2004 @12:30PM from the a-soft-underbelly? dept.

KingOfBLASH asks: "Recently, when I was in the local City Court to protest a parking ticket, I noticed that all of the computers were running Windows (some as old as Windows 95!), and there were definitely network cables snaked around them. The City Hall suffers from the same affliction. Given that some of these computers have passed the End of Life for support, and there are a number of known exploits, how safe our government computers? What damage could be done if they were attacked?" It would be interesting to note if it's just local governments that may be running lower-than-expected tech or regional governments, as well. It would also be worthwhile to hear how governments outside the US compare to their American counterparts.

24 of 35 comments (clear)

Min score:

Reason:

Sort:

Well what are they really running? by SmallFurryCreature · 2004-03-29 12:40 · Score: 2, Insightful

It may be like the police here that they run Windows as the base OS but really run the app on a Unix somewhere through a terminal session. Maybe even a mainframe.
On the other hand it would be easy to fit goverment with the latest in secure systems. Just pay more taxes.

--

MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
1. Re:Well what are they really running? by Anonymous Coward · 2004-03-29 12:55 · Score: 1, Insightful
  
  On the other hand it would be easy to fit goverment with the latest in secure systems. Just pay more taxes.
  
  ...or install OpenBSD.
2. Re:Well what are they really running? by SpaceLifeForm · 2004-03-29 13:49 · Score: 2, Insightful
  
  Providing more money for government via increased taxes does not necessarily mean you can have more secure systems. I'm not saying that it won't help, but I know of a case where a government operation was caught with missing licenses for Windows, and as part of the settlement, they are now locked into Windows. They are still trying to upgrade everyone to W2k. So, just because they are upgrading does not mean that they are more secure.
  
  --
  You are being MICROattacked, from various angles, in a SOFT manner.
3. Re:Well what are they really running? by saden1 · 2004-03-29 17:46 · Score: 1
  
  I can tell you with 100% certainty that City of Seattle IT department is complete crap. Their IT people a bunch of clueless idiots. I wonder how they manage to still be employed.
  
  --
  
  -----
  One is born into aristocracy, but mediocrity can only be achieved through hard work.
4. Re:Well what are they really running? by caseydk · 2004-03-30 04:09 · Score: 1
  
  At the Department of Justice, as of Aug 2003, they were using Windows NT, SP5.
  
  To the best of my knowledge, SP6 has been out since atleast the summer of 2000...
  
  This is why they got ravaged by virii late last summer...
5. Re:Well what are they really running? by Ironsides · 2004-03-30 06:25 · Score: 1
  
  On the other hand it would be easy to fit goverment with the latest in secure systems. Just pay more taxes.
  
  You are assuming that they would actually spend the money upgrading the computers instead of some politicians pet project designed to get re-elected.
  
  I have a right to be cynical, I have to hear about politicians every night on the news.
  
  --
  Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Probably no better than your average small busines by MerlynEmrys67 · 2004-03-29 12:42 · Score: 4, Informative

So government computers have old OSes, old network connections, and old hardware. This doesn't make them any more vulnerable when deployed in a correct networking environment (just because there are network cables - doesn't mean they are hooked up to the network). I would be a lot more wary if the computers were not locked down and you were able to start typing on the keyboard, or even better - just steal the whole darned thing.
In reality Windows 3.1 was a pretty secure OS - after all there was no networking built in (it was an add on) so very few remote vulnerabilities. That said - there were a LOT of vulnerabilities in the add on software to get them on the network. The other thing going for them is if they are old enough a lot of the vulnerabilities (various scripting flaws etc.) weren't built in to the level that they are today - making the current crop of random Trojan horses a lot less effective

--
I have mod points and I am not afraid to use them
private v. public by MacAndrew · 2004-03-29 12:46 · Score: 4, Interesting

how much information on these is machines is public record? how much of government records should be confidential? what i would worry more about is people tampering with the records, doubling my property tax and so on.

also, what if any liability does government have for misuse of information? an infamous case was a state (CA?) that gave out auto licence plate information promiscuously enabled a stalker to locate and kill a woman. for a time state governments were selling driver's license information to marketers, all the way down to the height and weight info. i worked on a proposed "violent gang database" collecting officer intelligence on alleged gang members, such as nicknames, residence, and so on -- i asked, what if the data falls in the hands on an enemy gang?

i would suggest that government should be held liable for negligent dissemination of private information, and that some sort of comprehensive plan regarding what is "private" and what is required to access private data. right now i can apparently find out how much my neighbor paid for her house, how much she gave to poilitical campaigns, where she's lived for the last 20 years -- questions i would hesitate to ask to her face (and she's nice!). what's going on here?

this touches a nerve, as you can see. :) don't get me started about identity theft! (like why is SSN used for anything OTHER THAN social security?)
1. Re:private v. public by grendel_x86 · 2004-03-29 17:21 · Score: 2, Interesting
  
  For the SSN, there was an article in the latest 2600 about how to live w/o your ssn. Living in Chicago, i have the joy of being in a place where the County accessor's office is online(Where the blues bros ended up at the end of the movie, before jail), so you can see photos, and values of any property in the city. They were driving around in unmarked vans photographing your house!!! Worse than this, the cops have small laptops hooked to a centralized db w/ all available info on you(regardless of if you have commited a crime). So when you get pulled over, they know the color of your house, how much in taxes you pay, and your mother's eye color. ( They demonstrate these so often, it isnt even novel anymore ) But there are benefits, for instance, you can see how bad the crime is in an area before you move there. I believe a balance can be struck, it just requires thought, something that is in short supply.
  
  --
  Im glad /. isnt the real world, that would really suck..
Public toilet by AtariAmarok · 2004-03-29 12:47 · Score: 2, Funny

Public computer, public toilet. City Hall *says* they are clean. Who am I to argue?

--
Don't blame Durga. I voted for Centauri.
As a county DBA/Network Technician by infohord · 2004-03-29 12:54 · Score: 5, Informative

As a county DBA / Network Technician, I can tell you that most government computers are secure and often more secure then some of the vendors/businesses we deal with. Unlike corporations, we have mandated audit processes. Our agency just went through an extensive IT audit conducted by a legally seperate internal auditor who hired out much of the audit work. From a technology stand point we are very secure (biggest problem was lack or written policy). We take great strides to make sure our network and systems are secure and most other local government IT people I talk to do the same thing.

We as taxpayers/employees take great pride in protecting the public's information. And while one respondent asked about public record, yes most are public but we MUST control the way in which the public gets access.
1. Re:As a county DBA/Network Technician by Anonymous Coward · 2004-03-29 13:36 · Score: 1, Interesting
  
  Yet you still do not have a written policy? Why doesn't the woman in charge of the dept get fired for not doing her job?
2. Re:As a county DBA/Network Technician by Anonymous Coward · 2004-03-29 14:39 · Score: 2, Interesting
  
  Ha! You must come from a wealthy county.
  
  The counties that I have dealt with bitch about replacing Windows 3.51 systems and refuse to keep computers on overnight to receive patches because they bitch about electricity usage.
3. Re:As a county DBA/Network Technician by John+Hasler · 2004-03-29 14:42 · Score: 2, Insightful
  
  > As a county DBA / Network Technician, I can tell
  > you that most government computers are secure...
  
  Including those at the US Dept. of Interior?
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Basically, it sucks just about everywhere by Mr.+Piddle · 2004-03-29 13:02 · Score: 4, Insightful

When aquisitions are written into a contract or pre-set by an annual budget, this means they probably left out long-term maintenance, upgrades, and funds to pay anyone do to maintenance and upgrades. Welcome to basically every bureaucracy large and small on the whole planet.

For example, wasn't it the good ol' Department of Homeland Security that scored an 'F' for network security this last year? Wasn't the Department of the Interior that was ordered off-line for gross negligence? Large and small, they all fall.

Have a nice day.

--
Vote in November. You won't regret it.
Definately network cables ... by sparkie · 2004-03-29 13:08 · Score: 5, Insightful

snaked around them.

So what? Just because they have a network card and some cabling does not necessarily mean they are hooked to anything but another computer in the building.

I don't believe the question here is 'how prone to hacking are these computers' I believe the question is, 'how strong is the firewall protecting them.'

That is of course assuming they are 1 connected to the internet, and 2 firewalled.

The county government here has one computer on the internet, and it's isolated from the other computers, i.e. not networked in with them.
1. Re:Definately network cables ... by KingOfBLASH · 2004-03-29 15:08 · Score: 1
  
  The City Of Ithaca (Where I live), has a web site. That means that they are hosted somewhere. So, some city computers, somewhere, are connected to the net (note that this counts the possiblitiy they pay some one to host).
  
  I don't believe the question here is 'how prone to hacking are these computers' I believe the question is, 'how strong is the firewall protecting them.'
  
  Well, that may be so. But does the city have a competent IT department? And given the fact that even people who are supposed to be in the top of their field (Microsoft's source leak, Gnome.org hacking, Debian Compromise) get hacked every once in a while, isn't any increased possibility of a compromise a cause for concern?
2. Re:Definately network cables ... by sparkie · 2004-03-29 15:50 · Score: 1
  
  Having a website doesn't necessarily mean you have internet access either. In this case, a traceroute to The City of Ithaca (I live not too far from you) times out at gig0-0-0.mpls-asp-agw2.mpls.uswest.net (207.225.159.247) 17.866 ms 19.678 ms 17.808 ms, which is in minneapolis minnesota. I by no means the authority on routing.
  
  Incidentally, cityofithaca.com is hosted by http://www.govoffice.com/
Re:Terrorist! by SpaceLifeForm · 2004-03-29 13:53 · Score: 1

No, you're not the only one. I'm pretty sure it's not 'borderline' any longer.

--
You are being MICROattacked, from various angles, in a SOFT manner.
Re:Terrorist! by luckyleprecon666666 · 2004-03-29 14:12 · Score: 2, Funny

Hey who in here reading things like this hasn't been added to that list? ;-)
Where I work by blankmange · 2004-03-29 14:16 · Score: 4, Insightful

the weakest link is the employees -- minimal computer knowledge -- anything official-looking and these users will download and install anything.... Worse yet, when they do make a mess of their workstations, they never seem to know what they did to get there...
Try asking federal employee a few simple questions and you will find the majority of them know next to nothing about security (other than how to log on to their workstation).

--
...we are from the government - we are here to help...
1. Re:Where I work by Anonymous+Codger · 2004-03-30 01:40 · Score: 1
  
  > the weakest link is the employees -- minimal computer knowledge
  
  No, the weakest link is the software that requires more than minimal computer knowledge. My wife doesn't have to know how to do a brake job on her car in order to drive it safely. Why should users have to know all the intricacies of security (that even many slashdotters probably don't completely understand) in order to compute safely? Personal computers are just too damn complicated and insecure for their intended audience. What we need is a true appliance computer like Jef Raskin's original concept for the Macintosh, but everyone wants Windows/Office compatibility and the only way to get that is with an OS that is inexcusably complex and unsafe.
  
  --
  No sig? Sigh...
uh..... by gr8fulnded · 2004-03-29 14:37 · Score: 2, Funny

What damage could be done if they were attacked?

If anyone wants to take the chance of finding out how secure they are, can you get rid of those pesky parking tickets in my name?
State Govt by Jabber3776 · 2004-03-30 13:01 · Score: 1

I work for a state Govt agency finally got an upgraded pc this winter (promised last summer). It has xp. However, I am one of the few that have xp. My PC they just replaced was still on Win98 which is mostly what we run. I don't work in IT (I'm in marketing), but I can safely bet any of you that there's only ONE member of our IT staff (7 members) that is more qualified for the position than I am. Reason: because I am a geek at home, and my SO works in the industry. This is just the cabinet/department I work in. Now our state gov't has an entire IT department under the governor's office that the cabinet/department level IT staff report to, and they aren't much better. Governments can do a lot with the money that have, it is just they don't always hire the best people for all the reasons you've probably heard...and the dedication of the staff. It is the same with private and public businesses, it's all about who you know...