Computer Security Lacking at Homeland Security
peter303 writes "The New York Times (reg. required) reports that computer backup procedures are woefully inadequate at 19 centers of the Department of Homeland Security. Should this agency strive to be a good example for the rest of the country and protect against extreme hackers?" From the article: "Adequate backups were lacking for networks that screen airline passengers, that inspect goods moving across borders and that communicate with department employees and outside officials.
Those same agencies, the auditors found, have in most cases failed to prepare sufficiently written disaster recovery plans that would guide operations if a main office or computer system was knocked out."
Don't take this as flamebait but I have the feeling that nobody's really trying hard enough to protect us. We stand an hour longer in the security line just so that people can bring explosives through in their shoes? Now they make us take our shoes off. What if someone brings explosives through in their pants?
Same here...they pretend to try to catch terrorists when in reality the next power failure could knock the whole list out.
~Ilyanep
To get message, take amount of carrier pigeons at each stage mod 2. Then decode binary.
"I'm sorry, Sir, you can't board. Our screening system is down."
"I've got a ticket. I've shown you my papers. You (and every RFID hacker within 50 feet of my entire path through this airport) have scrutinized my RFID passport. I've given my decilitre of blood for biometric screening. The plane is about to close door and push off. I'm returning home after 18 months dodging RPGs and Kalashnikov fire in Baghdad, and I'm still in uniform. And you're telling me I can't board because you can't be sure I'm actually not bin Laden in extremely clever disguise?"
"No, Sir, I'm telling you that you can't board. Our screening system is down."
"This is unacceptable. Who is your supervisor?"
"That is classified. Please wait here." [whispers into radio: "Got another Gitmo client for ya."]
Welcome to the Panopticon. Used to be a prison, now it's your home.
This reminds me of a story. I once worked for a company that specialized in tape backup software, name withheld. (I worked on Long Island then, not on the plains of CHEYENNE, so don't try to guess the name of the company.) A few months after I stopped working there, I received a phone call from my ex-manager that went something like this:
Mgr: So how's it going? Blah blah blah...
Me: It's fine. Blah blah blah...
Mgr: So..um..did you ever "borrow" a copy of the source code to the Disaster Recovery solution that you single-handedly wrote? You know, for "posterity" reasons?
Me: Of course I didn't. That wouldn't be ethical for sure and probably would be illegal. Why do you ask?
Mgr: Well, it seems that the hard drive that your machine used crashed and we don't have a backup.
Yep. That's because no one is looking at the systems and processes with the intent of actually improving them.
Instead, we have knee-jerk reactions from people who do NOT understand security who attempt to compensate for previous attacks with new rules/regs.
And the "pretend" is the problem. That's exactly what they're doing. And they're hoping that the public will accept that as them actually doing something about the problem.
It's all about the public perception of the issue.
The same as it is in all aspects of politics.
As long as there isn't a power outage, they're doing a "good" job, as far as the public is concerned.
If there is a power outage, then it comes down to whom they can blame.
It's a lot easier and far more cost effective for the politicians to be re-active rather than pro-active.
Which is why security is NOT something that ANYONE should allow a politician to be involved in.
From the summary (no, I'm not going to RTFA when the subject and summary are so far out of whack):
"Adequate backups were lacking for networks that ... in most cases failed to prepare sufficiently written disaster recovery plans that would ..."
So, if I have valid backups of all the patient data here, I guess those HIPAA security requirements are met, eh? Or do I have to have valid backups and a DR plan to achieve 'computer security' nirvana?
Now, if the issue were that their backup tapes were going offsite, unsecured and unencrypted, then the subject might make sense. But, this is silliness. Almost as silly as the DHS itself (hint: The Department of Homeland Security isn't supposed to keep the people safe from terrorists, it's supposed to keep the government safe...think about that one), but...whatever. (sigh)
Security? The same argument may be applied to politicians running the economy and creating legislation and regulations, too.
Perhaps we ought to look into education so our peasants aren't so damn gullible to the wiles of politicians.
"Provided by the management for your protection."