Border Security System Left Open
7x7 writes "Wired News is running an article on documents they recovered via the Freedom of Information Act and a lawsuit. From the article: 'A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News.' It looks like Zotob made it in to the supposedly protected network."
The government agency in charge of US security runs windows?
What next, making Ron Jeremy the pornography czar?
This whole border monitoring and attempt at an omniscient fed is just plain silly. As for the terrorists, wouldn't it just be easier not to invade other countries and invoke the ire of the natives??
And illegal immigrants wouldn't be streaming into the US if the dollar wasn't being artificially propped up. Probably would see the reverse if the free market would be allowed to work its course.
The Great Wall of China was also ineffective at keeping out intruders. In military terms, these walls are more frontier demarcations than defensive fortifications of worth.
This sounds like normal Windows operations:
- an exploit (bug) is discovered
- the virus is released
- a patch is released by Microsoft
- the administrators don't trust the patch (can't see what it exactly does) so need to test
- in the meantime the virus is spreading
- there should be a profit line here, but I guess Microsoft already made a profit before all of this started.
"of Windows 2000 Professional workstations installed at U.S. points of entry" Oh snaps! Seriously though, as a former Windows user, 2000 was the most robust and best OS MS ever put out. The best choice in Windows OS still failed to do its job.
I got you an Andes mint, but it melted in my pocket
I guess when you run Windows, failures are routine...
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
So maybe a better name than "Department of Homeland Security" might be "Single Point of Failure of Homeland Security".
Let's give this system to Iran, then we can avoid a war in August - while they figure out their problems with illegals, terrorists and Bill O'Reilly commentaries! :-)
In Soviet America, the border opens you!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
I wouldn't even trust *nix workstations in that environment.
Not to mention the WHY of this. From TFA: Great. 1,000 people. Didn't I see something on the news recently about 11 million illegal aliens in this country? 1,000 people at a cost of $400 million.
$400,000 per person caught?
Someone REALLY needs to pitch the LTSP to the government.
[Fuck Beta]
o0t!
Instead of running Windows 2000, "I'd be racing to run the beta of the next generation of operating system ... and not worry about legacy stuff that we know isn't going to be supported too much longer and has had issues."
Or how about this: Run a secure operating system that is stable and still maintained. Linux, OpenBSD, FreeBSD, anything other than Windows. No forced upgrade required since many of the old Linux distros are still maintained.
I mean it's Microsoft forcing them to upgrade even though Windows 2000 is still a perfectly fine OS.
The ratio of people to cake is too big
Except for really dumb criminals, how does US Visit actually improve security? The terminals are away from the gates, you don't need to pass special check points between the domestic and international terminals and ID doesn't get rechecked at the gate. So unless I am gravely mistaken an easy way around it would be
-subject A buys international ticket
-subject B buys domestic ticket
-both pass security
-A checks out at US Visit terminal
-A and B swap tickets
-B gets on international flight
-A gets on domestic flight or leaves the terminal
-B gets off the plane outside the country and uses his or her own passport to pass the border control. IIRC, most countries including the US don't feed back who passes passport controls back to the airlines or country of origination. But even if, B could just take a fake passport to a third world country without scanners or live database hookup instead of Europe, Japan or the like.
If anyone is surprised by the incompetence of governmental bureaucracy, please email me about my new perpetual motion machine that taps the unlimited energy of herbal pills.
The government agency in charge of US security runs windows?
It doesn't matter - it's just security theatre anyway. There are thousands of ways around the current systems.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Yow-ser, yow-ser, it just does that.
Friends don't help friends install M$ junk.
line 2: Fomr the article:
The reasons they give in the article for not pushing the patch make sense. If you have a plug and play patch that you need to push to that many workstations with plug and play devices, to immediately push the patch would be gross folly.
They mention the real problem in the article: why is there a connection to this network from the public internet? They are just inviting problems like this. At the very least there should be some perimeter security with an IDS of some kind. Even a $40 Linksys router with the "firewall" and NAT enabled could have stopped this.
IMO that is a much bigger concern than why they held back the patch.
If you don't trust the patch that the software developer provides for its product, then why trust to use the product at all?
It sounds like someone saying, "Our OS has security holes in it, but we don't trust the fixes because they will just open up more holes until we verify for sure... but since 90% of the world use this "hole-y" OS we'll just do what works. Like reporting a planned virus infection. *all hail bill*"
-nawcom
The failure here was not that the Windows boxes weren't patched. It's stupid to be patching thousands of systems that are in use w/o serious testing first. Full testing of patches in a world where new viruses/security holes appear every day is effectively impossible. Untested patches may cause new problems for the systems that could actually be worse than a problem caused by a virus.
No, the problem here is that these systems are even on the Internet to begin with. Shouldn't such a network exist in an airspace as a totally private net, with no outside access? Of course, at the core of the private network must be some sort of control mechanism/database with some connectivity to an outside network. But that should be a chokepoint, the only source of ingress/egress to the private network, with no other access than what's needed to serve the system from the local DHS network. That limited access should not include web/email/instant messaging, etc. Just whatever custom/specialized protocol is needed to serve the system.
I'm constantly amazed at the high profile companies/government offices that get nailed by viruses. It's inexcusable.
It's amazing someone who was in that position thinks the next Windoze won't have the same problems every other version has had. What a total waste of money.
Friends don't help friends install M$ junk.
I don't know where the 400 million source is, but that couldn't cover more than a month or two over a single year
& wit_id=2961
So, in two years, 800,000 per person caught.
See below: the FY 05 budget for US-Visit was 340 million (for one year), which is 10 million more than the prior year
http://judiciary.senate.gov/testimony.cfm?id=1034
US-VISIT Budget Requests
In FY 2003, CBP processed 412.8 million passengers and pedestrians arriving in the U.S. - 327 million at land borders, 70.8 million at international airports, and 15 million at sea ports. The FY 2005 budget seeks $2.7 billion for border security inspections and trade facilitation at ports of entry and $1.8 billion for border security and control between ports of entry. This includes $10 million for Unmanned Aerial Vehicles testing and $64 million for border enforcement technology, such as sensors and cameras. The FY'05 budget provides $340 million for US-VISIT, an increase of $10 million over the FY 2004 funding. Only one month old, US-VISIT has successfully and efficiently recorded the entry of 1,114,119 passengers and the exit of 3,067 travelers without causing delays at ports of entry or hindering
every day http://en.wikipedia.org/wiki/Special:Random
Why do I see these guys as "Dubyas SS"...
Just like the old SS, only incompetent.
Mainly though, the dumb fuckwits^h^h^h^h^hskilled operators don't get a chance to load porn/itunes/email/IM and use the box for uncontrolled purposes which cause all kinds of problems (overloaded networks, IT headaches,...).
All up, this could only lead to improved productivity and better security.
Engineering is the art of compromise.
Because someone lied to him.
How many times can M$ get away with the same lie? "This OS is totally new and improved and does not have the problems our last one did." It's sickening to hear the head of a US government agency buy such stuff while perfectly usable and secure free software is available.
Friends don't help friends install M$ junk.
We hear a lot about how open source systems are more secure because security bugs are exposed. But in this case, the system failed precisely because the security bug was exposed, even though there was already a fix.
Meanwhile, it was less than a week after the uSoft announcement of the fix that the worm was created, so the problem happened precisely because of exposure.
So let's say, bug is found (in this case by the good guys), code is written, tested, release created, then there is the window during which the millions of users need to apply the new image. In the closed source case of this bug, the hackers only got a chance to violate security after there was already a release image. In the open source world, they get access to the bug much earlier, presumably shortly after it is found or latest after code is written.
Ed Barbar, President and General Manager, Furnit USA
I spent ten years as a government contractor and this shouldn't surprise anyone. First Homeland Security runs Windows which in itself isn't bad if it's properly patched and maintained.
The danger comes from the people in government who control the money who have no technical knowledge. This is positively RAMPANT in government. Many times agencies just go with the cheapest bid and contractors give cheaper bids by hiring fairly inexperienced and not so knowledgeable techs.
Many government agencies can get by with using Windows but really important agencies whose security cannot be left to chance should not be using Windows....period. Sadly Homeland Security and NSA are both starting to deploy more Windows units and that's only going to be bad for everyone.
Biggest reason why? Strong security requires techs that actually have technical knowledge and can do more than just set up insecure boxes by pointing and clicking. Big difference between *nix and Windows?
*nix needs techs with a decent amount of computer aptitude.
Windows does not
The person attacking you, or entity, or rogue state will not be using script kiddies. This only gets worse from here. "Homeland Security" is fast becoming an oxymoron.
Because in large and complex systems, you don't install patches until they have been tested for unintended side effects. That may mean scheduling, running and evaluating some very complex tests. This can take weeks or months, depending on budgets, priorities, and operational commitments.
Mea navis aericumbens anguillis abundat
It looks like Zotob made it in to the supposedly protected network.
I'm supposed to be surprised that the department that is there to "protect" us from attack fell to an easily preventable virus?
Not when that same agency appoints Gator (now Claria) executive, D. Reed Freeman, to their Data Privacy and Integrity Advisory Committee or when that very same agency hired its own Chief Privacy Officer from Doubleclick.
No, I couldn't muster less shock at the irony if my nutsack depended on it.
Tom Caudron
http://tom.digitalelite.com/politics.html
-Tom
Never mind Homeland Security: I've got to say, I find the (recent?) introduction of just the term "Homeland" into the political lexicon rather troubling.
All other [mumble]-land places I can think of did not have enlightened and benign regimes: "Motherland" (Russia, during the Soviet Union era), "Fatherland" (Germany during the 3rd Reich). Any more for the list?
T&K.
Political language
"Perhaps most significantly, the pages do not reveal how the Zotob virus made its way onto the private CBP network -- an ominous migration that demonstrates that computers used in protecting U.S. borders are accessible, via some path, from the public internet, and could be subject to tampering." ...
You know, that might be a problem, too
.. paranoid crackpot leftover from the days of Amiga.
government-issue tech staff? The examples of this occurring that I've always heard about were always vendor technicians bringing in infected laptops. Not government-issue techs. I think you give way too much credit to hardware/software vendors' tech staffs.
You know, when you think about it, wouldn't you want government agencies that need tight security to run a proprietary OS? Maybe base it off Linux, so you still have app availability, but change enough that its guts work differently from Linux itself, and only use it within the government itself (Perhaps call it LinUS, though Torvalds may get a little cheesed.) Use dumb terminals when possible. Restrict access to the servers to a select few.
After all, it would be much harder to create a virus for a system that few people have real access to. Think of it as a master lock-picker coming to a new and complex lock that no one has seen before. After quite some time he might be able to pick it, but chances are that guards would come by and pick him up first.
As much as I like Microsoft as a regular user, there's no way in hell I plan to run servers on it.
While stating "deliberately held back a security patch" might be factually correct and a good catch line, I think it's highly misleading: it directs the reader towards many of the wrong conclusions.
Later in the article: "Officials -- not unreasonably, say security experts -- wanted to test the patch before installing it." Well, duh. This is the interesting story. They couldn't get through the tests that they SHOULD do fast enough.
The problem is agility and testability of the systems and deployment. The easiest solution has nothing to do with MS, nothing to do with windows, and everything to do with giving your test group more respect and resources.
This is not a problem inherently Microsoft's making. You can argue up and down that patches should be faster, product more secure etc. In the end, it's plausible that discovery, patch, exploit can come with bad timing in any system. System admins and project managers that don't plan for this are asking for trouble.
Elaboration: I push very hard to ensure that all my products have automated tests. My company's Desktop Engineering department requires automated tests of all its myriad apps (DE is not my department, won't take credit). I force redesign if a product can't be tested cheaply. The benefit is: I need new feature x tomorrow (maybe some surprise regulation) or company needs patch y tomorrow (e.g. Zotob worm). Where we've achieved our test automation goals (haven't in all cases, but our coverage is good enough), we can hit a few buttons, run our tests. Repeat on all 20 configurations / platforms. 90% of the time, we find no problems, and can deploy. If it's critical, you take the risk and deploy. If not, you go on to slower manual testing to complete coverage.
Had this US-VISIT program implemented adequate and automated tests, they could have deployed in a few days, not a few weeks. The methods and tools to do so have nothing to do with Microsoft. They don't even make the type of test automation tool required for this - although I know they have one for internal use.
My motto: "A cat is no trade for integrity."
Get Chloe O'Brien to set up your servers, it works for Jack Bower :)
P
-- My dog can beat up your dog.
Let's give this system to Iran, then we can avoid a war in August
That's rather interesting. This is offtopic, but I'm curious as to what software/system the Iranians are using in their government. If there's a significant Microsoft implementation, I kind of would feel safer. Nuclear technology is very risky, and if they've got any failsafes depending on Microsoft technology (blackmarketed or licensed) they might end up with a massive nuclear disaster of their own making, like the Mayak disaster in the Soviet Union.
3 things about computers: they're alive, they're self-aware, and they hate your guts.
I'm confused. Who will clean my Walmart now?
"Instead of criticizing, please, take a moment to say thank you next time."
Thank you for that link.
It seems that every time I travel, when I get to my destination, I have a little note in my luggage from the TSA saying, "We searched your bag." I've been trying to think of something to do next time I travel.
This will be perfect. Thank you very much.
Someone mentioned that homeland security is becoming an oxymoron. That appears to be the case if you confuse an idea of homeland security -(strong friendly Americans keeping bad guys from blowing up your house) - with the actual department of homeland security. The department was not actually created to protect you or me - so why should it use the tightest OS, or hire the smartest people? Remember the Slashdot article about government agencies making the grade? Agencies like the EPA, where you would expect dumping used oil to be more important than security, received an A.
The DHS was created for one reason - to disseminate fear and confusion, a job which it does quite effectively.
Can anyone say "slashdot bias"?
Slashdot didn't go to court to get this story, Wired News did. The fact that Wired had to file a federal lawsuit to get the information regarding a massive computer failure involving border, national, and homeland security, and that a coverup was attempted, is worthy of film at 6, 10, and 11.
Can you say "Microsoft fanboy?"
3 things about computers: they're alive, they're self-aware, and they hate your guts.
If they insist on running Microsoft software on kiosks, they should be running XP Embedded, where you only configure in the stuff you need, not the kitchen-sink approach Microsoft uses in their desktop distros.
Bauer. Sheesh - you don't want to piss him off by getting his name wrong.
So Homeland are too busy 'rolling up' CTU to take care of their own systems... Figures.
I guess all those boarders better make a run for the border.
border
1 : an outer part or edge.
boarder
one that boards.
Drop me a line at:
Key ID: 0x54D1D809
"Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News."
They actually were collecting incriminating evidence against the virus.
OSS having extra outside eyes looking at the code is only a problem if the technical expertise of the bad people outweighs the technical expertise of the good people. So unless more than 50% of the people looking are naughty people, it is necessarily a benefit. Open source has bugs found faster than closed source. Black-hats find bugs faster and White Hats even faster. While white-hats have to work out how to stop it being a problem, black-hats have to work out how to exploit it. Both have to then pass on this information, so we can figure this to be a tie.
A German friend of mine recently pointed out that the phrase "Unamerican" only rang one bell for him. Undeutsch! Again, from an era best remembered but never relived.
Because you can - or because you should?
One - per the diagram in the article, these aren't kiosks
Two - Embedded XP probably isn't going to support "the array of peripherals hanging off of the US-VISIT workstations -- fingerprint readers, digital cameras and passport scanners --" identified in the article.
Who said anything about M$? You'd have done better to accuse me of being a DHS/CBP fanboy. (Which isn't true either, but YMMV.) If I deserve to be tarred for anything, it would have to be for suggesting that the failure of DHS to push the patch immediately was just a routine error.
For instance, I didn't mention that -- get your fanboy stamp ready -- M$ had the patch ready in time.
The only interesting thing in the whole piece is that the spokesman in December tried to deny that they'd been hit by a virus. That a government department has a cobbled together computer system full of M$ products that doesn't work, inconveniences people, and costs too much -- that's just routine. I submit that the reason news outlets (Wired, slashdot, etc.) care about this example of government waste is that they don't like DHS. Suppose the Social Security Administration, Medicaid, or Sallie Mae had a 1-day nationwide computer failure. Odds of that making slashdot are pretty slim.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
A good way to get over the obsession with correcting the spelling of strangers is to read Shakespeare to let you know that something can be good without formalised spelling. I'm a little touchy on the subject since a series of insulting spelling correction flames from people who didn't know better when I used the English spelling of aluminium and not the US version.
Let's get back on topic and "Lat every fellowe tell his tale about" - and use our reading comprehension skills instead.