Border Security System Left Open

7x7 writes "Wired News is running an article on documents they recovered via the Freedom of Information Act and a lawsuit. From the article:" A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News." It looks like Zotob made it in to the supposedly protected network."

Normal windows operations

[mtenhagen]

This sounds like normal windows operations:
  - an exploit (bug) is discoverd
  - the virus is released
  - a patch is relesead by microsoft
  - the administrators dont trust the patch (cant see what it exactly does) so need to test
  - in the mean time the virus is spreading
  - there should be a profit line here, but I gues microsoft already made a profit before all of this started.

Re:Normal windows operations

[mrchaotica]

the administrators dont trust the patch (cant see what it exactly does) so need to test

So what? It's not as if they can see exactly what Windows itself does either!

If they're going to run proprietary software, they might as well have blind faith that everything the vendor does is right, 'cause they have no choice anyway -- they've already chosen to trust it with the existing system. (This is why foreign governments are switching to Free Software, by the way -- they'd have to be run by morons to trust Microsoft.)

Re:Normal windows operations

- there should be a profit line here, but I gues microsoft already made a profit before all of this started.

No, think about this. Microsoft has been anxiously pushing their particular brand of DRM for a while now. Done right, with Microsoft DRM, machines could actually be made that wouldn't run anything but Windows.

It is to their benefit to make sure that any and all exploits on Windows cause as much trouble as possible to make sure that, in the end, people clamor for Microsoft's DRM method to put an end to what, after all, is nothing but a Microsoft created problem in the first place. Then nobody can run anything except Windows!

There's your profit!

Should have used dumb terminals.

[khasim]

These machines will sit in border offices, staffed by government employees.

I wouldn't even trust *nix workstations in that environment.

Not to mention the WHY of this. From TFA:

The system has processed more than 52 million visitors, and allowed border officials to intercept more than 1,000 wanted criminals and immigration violators, according to DHS.

Great. 1,000 people. Didn't I see something on the news recently about 11 million illegal aliens in this country?

The documents raise new questions about the $400 million US-VISIT program, a 2-year-old system aimed at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists.

1,000 people at a cost of $400 million.

$400,000 per person caught?

Someone REALLY needs to pitch the LTSP to the government.

Re:Should have used dumb terminals.

[geekoid]

Most illegal immigrants aren't on any wanted list.

it is used to scan everyone, so it's cost is perperson scan. People catch criminals.

Re:Should have used dumb terminals.

[ezzzD55J]

I'd be happy if a government computer system cost $400,000,000 and caught 1000 people so long as it didn't materially help terrorists.

It does, because it's such a huge waste of money.

Re:Failures are routine apparently

[TubeSteak]

But two CBP reports obtained under the Freedom of Information Act show that the virulent Zotob internet worm infiltrated agency computers the day of the outage, prompting a hurried effort to patch hundreds of Windows-based US-VISIT workstations installed at nearly 300 airports, seaports and land border crossings around the country.

If there wasn't a Freedom of Information Act, would the public ever really know what had happened?

I'm surprised the information wasn't classified as relevant to National Security. Weaknesses in computer security are just as bad as weaknesses in physical security.

Re:Let me get this straight

[javaxman]

What next, making Ron Jeremy the pornography czar?

That would actually make a lot more sense than running mission-critical security-sensitive apps on an unpatched Windows installation. If you like porn, that is.

Heck, it would make more sense even if you *didn't* like porn, now that I think about it...

But hey, remember, this is from the administration that brought you Iraq's WMDs and the post-Katrina disaster recovery response. Poor decisions ? Bungling?

I'm shocked, I tell you, SHOCKED!!

Beta stuff?

[TubeSteak]

"Replacement of these systems and improved biometric systems will be required."

[Former White House cybersecurity adviser Howard] Schmidt agrees, though he says the problem is hardly limited to US-VISIT. "We have to start moving at industry speed, not government speed, when it comes to the deployment of new technologies," says Schmidt. Instead of running Windows 2000, "I'd be racing to run the beta of the next generation of operating system ... and not worry about legacy stuff that we know isn't going to be supported too much longer and has had issues."

I'm glad this guy is "Former" and not current. Why does he think a beta OS is going to be any more secure than 'legacy' OSes?

Windows?

[Cthefuture]

Instead of running Windows 2000, "I'd be racing to run the beta of the next generation of operating system ... and not worry about legacy stuff that we know isn't going to be supported too much longer and has had issues."

Or how about this: Run a secure operating system that is stable and still maintained. Linux, OpenBSD, FreeBSD, anything other than Windows. No forced upgrade required since many of the old Linux distros are still maintained.

I mean it's Microsoft forcing them to upgrade even though Windows 2000 is still a perfectly fine OS.

Non-computer Q about US Visit

Except for really dumb criminals, how does US Visit actually improve security? The terminals are away from the gates, you don't need to pass special check points between the domestic and international terminals and ID doesn't get rechecked at the gate. So unless I am gravely mistaken an easy way around it would be

-subject A buys international ticket
-subject B buys domestic ticket
-both pass security
-A checks out at US Visit terminal
-A and B swap tickets
-B gets on international flight
-A gets on domestic flight or leaves the terminal
-B gets off the plane outside the country and uses his or her own passport to pass the border control. IIRC, most countries including the US don't feed back who passes passport controls back to the airlines or country of origination. But even if, B could just take a fake passport to a third world country without scanners or live database hookup instead of Europe, Japan or the like.

Re:Non-computer Q about US Visit

[Ollierose]

As a person who has suffered this proceedure, I think I can shed some insight.

As the people above have suggested, its not about keeping their eye on Americans (of the North sort, not the United States sort), but keeping their eye on Foreigners in general.

When I flew in from London last summer, my flight was routed to go through a "Port of Entry" which is a location where they have installed the US-Visit fingerprint scanners and such. Lucky me, I got to go to Detroit as my first port of call into the US on my way down to Florida. On the transatlantic flight, they gave out a form which was different for where you started out - the guy next to me was a US citizen, so he got a blue form while I got a green one.

In between arriving at Detroit and hooking up with the connecting flight south, there is a security bank where you need to collect your luggage from the inbound carrier, cart it across to another more sensitive luggage and body scanner (which picked up coins in my pocket that weren't noticed at Gatwick), check that on to your new flight, then go see the guy in the pseudo-military DHS uniform to make sure that you're not trying to overthrow the country. They then take your mugshot and index fingerprints on the scanner, part of the form you filled in on the plane inbound, and then over to the gates for the next stage of the trip.

What is supposed to happen on the way out is that you return through the same process to make sure you leave in line with the form, and they use a standalone fingerprint scanner to make sure you're the you that checked in. Flight delays put paid to that, so I was sent on a direct flight out instead of the hop back to Detroit.

I believe this privilege is reserved for countries that have an agreement with the US on such things, so the previous Visa system is still an option for entry if you pick a suitable source and destination airport.

The DHS website has a list downloadable that shows which airports are ports of entry, so it might be worth checking if you have a trip to the US planned. I'd say most inbound flights from the UK are routed through entry ports, as my return trip has been organised to go through Atlanta this year.

Interesting...

[nawcom]

An interesting question is to the Administrators:

If you don't trust the patch that software developer provides for its product, then why trust to use the product at all?

It sounds like someone saying, "Our OS has security holes in it, but we don't trust the fixes because they will just open up more holed until we verify for sure.. .. but since 90% of the world use this "hole-y" OS we'll just do what works. Like reporting a planned virus infection. *all hail bill*"

-nawcom

Re:Interesting...

[Jose]

If you don't trust the patch that software developer provides for its product, then why trust to use the product at all?

good admins..heck, even half decent admins don't trust any new software, including patches. Not neccessarily because they will introduce holes, but because they might break something. Even if it is not security patches, they still need to be tested to make sure they don't break anything in their particular environment.

I'd wager that at least 90% of admins do not test patches for new security problems. Effectively testing patches for new security problems is very hard.

I am not an MS fanboy. This goes for every single piece of software written.

Re:Patch Cycle

[LiquidCoooled]

No it wouldn't.

With a border router nothing stops an infected laptop from attacking on the inside.

Those dollars are earmarked.

[twitter]

says Schmidt. Instead of running Windows 2000, "I'd be racing to run the beta of the next generation of operating system ... and not worry about legacy stuff that we know isn't going to be supported too much longer and has had issues."

It's amazing someone who was in that position thinks the next Windoze won't have the same problems every other version has had. What a total waste of money.

Re:Those dollars are earmarked.

[biglig2]

It's amazing that someone worried about security thinks running a beta of a security system is the way to go.

This is of course the great counter to the "but FOSS doesn't have any support". "The US Government can't get support for W2K, what makes you think you can?"

Re:Those dollars are earmarked.

[HiThere]

Maybe it means the "Homeland Security" has a different job than the PR claims...and *that* is where it's attention lies.

Don't believe what they say, watch what they do. They lie constantly, but you can't even depend on that.

Watch your legislator. When they claim to be against something, but they vote for it, you know one of the things they are lying about.

One born every minute.

[twitter]

Why does he think a beta OS is going to be any more secure than 'legacy' OSes?

Because someone lied to him.

How many times M$ can get away with the same lie? "This OS is totally new and improved and does not have the problems our last one did." It's sickening to hear the head of a US government agency buy such stuff while perfectly usable and secure free software is available.

Configuration Control

[Detritus]

Because in large and complex systems, you don't install patches until they have been tested for unintended side effects. That may mean scheduling, running and evaluating some very complex tests. This can take weeks or months, depending on budgets, priorities, and operational commitments.

Re:should have used unix

[sh4na]

The question is not that you can filter packets coming in... the question is how in the hell did those packets ever get in to the network in the first place! I mean this is a private, supposedly isolated network we're talking here, not some house-brewed workgroup to play around with. You don't activate packet filtering in 3000 machines because they're supposed to be as isolated as it can be, with identified points of entry secured with *real* firewalls.

There was a mention about a network not being secure if a laptop is plugged in, but a secure network does not allow unauthorized connections of any sort into it, for example, every device should only plug in to a single plug, identified and filtered by mac address. It's a lot of work, but that's what secure means. These are not workstations for checking mail and chatting away while watching movs.

The virus coming in means someone was incompetent in setting it up, or someone was really smart in putting the virus in. Not updating the machines with the patch was correct, it shouldn't be a problem if the network was correctly setup, you can't be updating everything every time a new patch comes out without tests. Independently of the OS used, in a controlled environnment patches are not a means of security, frontend workstations should not be a point of breakage.

So this is what homeland security means in the states eh? Why doesn't it surprise me? pffft...

Re:Let me get this straight

[LurkerXXX]

Certainly that port shouldn't be open to the internet. That goes without saying. But more than one network totally disconnected from the internet has gotten nuked before when a repair technician, etc, plugged an infected laptop into that private LAN. With a network the size if the one we are talking about, it's only a matter of time before something infected from outside gets plugged in somewhere. Patching is still neccessary unless you absolutely know that no infected machine will ever have the possibility of being plugged into the net behind the firewall. With a national network, there's never going to be that certainty.

Re:This shouldn't come as a surprise

[stinky+wizzleteats]

First Homeland Security runs Windows which in itself isn't bad if it's properly patched and maintained.

...

Big difference between *nix and Windows?
*nix needs techs with a decent amount of computer aptitude.

Well now wait a minute. Windows is OK if it is properly maintained, but those who run Windows are generally less capable of doing so, because they don't have to? That doesn't make any sense.

Rather than trying to figure out which is the chicken and which is the egg in your causality loop there, why don't we admit to ourselves, and most importantly, the rest of the world, that Windows is just inherently insecure? How many more years is the IT community going to pretend that this elephant is not in the room? 5? 10? 20?