Slashdot Mirror
Border Security System Left Open
7x7 writes "Wired News is running an article on documents they recovered via the Freedom of Information Act and a lawsuit. From the article:"
A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News." It looks like Zotob made it in to the supposedly protected network."
The government agency in charge of US security runs windows?
What next, making Ron Jeremy the pornography czar?
This whole border monitoring and attempt at an omniscient fed is just plain silly. As for the terrorists, wouldn't it just be easier not to invade other countries and invoke the ire of the natives??
And illegal immigrants wouldn't be streaming into the US if the dollar wasn't being artificially propped up. Probably would see the reverse if the free market would be allowed to work its course.
The great wall of China was also ineffective at keeping out intruders.In military terms, these walls are more frontier demarcations than defensive fortifications of worth.
This sounds like normal windows operations:
- an exploit (bug) is discoverd
- the virus is released
- a patch is relesead by microsoft
- the administrators dont trust the patch (cant see what it exactly does) so need to test
- in the mean time the virus is spreading
- there should be a profit line here, but I gues microsoft already made a profit before all of this started.
200GB/2TB $7.95 Coupon: SAVE90DOLLAR
I guess when you run Windows, failures are routine...
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Let's give this system to Iran, then we can avoid a war in August - while they figure out their problems with illegals, terrorists and Bill O'Reilly commentaries! :-)
In Soviet America, the border opens you!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
I wouldn't even trust *nix workstations in that environment.
Not to mention the WHY of this. From TFA:Great. 1,000 people. Didn't I see something on the news recently about 11 million illegal aliens in this country?1,000 people at a cost of $400 million.
$400,000 per person caught?
Someone REALLY needs to pitch the LTSP to the government.
[Fuck Beta]
o0t!
Instead of running Windows 2000, "I'd be racing to run the beta of the next generation of operating system ... and not worry about legacy stuff that we know isn't going to be supported too much longer and has had issues."
Or how about this: Run a secure operating system that is stable and still maintained. Linux, OpenBSD, FreeBSD, anything other than Windows. No forced upgrade required since many of the old Linux distros are still maintained.
I mean it's Microsoft forcing them to upgrade even though Windows 2000 is still a perfectly fine OS.
The ratio of people to cake is too big
Except for really dumb criminals, how does US Visit actually improve security? The terminals are away from the gates, you don't need to pass special check points between the domestic and international terminals and ID doesn't get rechecked at the gate. So unless I am gravely mistaken an easy way around it would be
-subject A buys international ticket
-subject B buys domestic ticket
-both pass security
-A checks out at US Visit terminal
-A and B swap tickets
-B gets on international flight
-A gets on domestic flight or leaves the terminal
-B gets off the plane outside the country and uses his or her own passport to pass the border control. IIRC, most countries including the US don't feed back who passes passport controls back to the airlines or country of origination. But even if, B could just take a fake passport to a third world country without scanners or live database hookup instead of Europe, Japan or the like.
If anyone is surprised by the incompetence of governmental bureaucracy, please email me about my new perpetual motion machine that taps the unlimited energy of herbal pills.
If you don't trust the patch that software developer provides for its product, then why trust to use the product at all?
It sounds like someone saying, "Our OS has security holes in it, but we don't trust the fixes because they will just open up more holed until we verify for sure.. .. but since 90% of the world use this "hole-y" OS we'll just do what works. Like reporting a planned virus infection. *all hail bill*"
-nawcom
No it wouldn't.
With a border router nothing stops an infected laptop from attacking on the inside.
liqbase
The failure here was not that the Windows boxes weren't patched. It's stupid to be patching thousands of systems that are in use w/o serious testing first. Full testing of patches in a world where new viruses/security holes appear every day is effectively impossible. Untested patches may cause new problems for the systems that could actually be worse than a problem caused by a virus.
No, the problem here is that these systems are even on the Internet to begin with. Shouldn't such a network exist in an airspace as a totally private net, with no outside access? Of course, at the core of the private network must be some sort of control mechanism/database with some connectivity to an outside network. But that should be a chokepoint, the only source of ingress/egress to the private network, with no other access than what's needed to serve the system from the local DHS network. That limited access should not include web/email/instant messaging, etc. Just whatever custom/specialized protocol is needed to serve the system.
I'm constantly amazed at the high profile companies/government offices that get nailed by viruses. It's inexcusable.
It's amazing someone who was in that position thinks the next Windoze won't have the same problems every other version has had. What a total waste of money.
Friends don't help friends install M$ junk.
Because someone lied to him.
How many times M$ can get away with the same lie? "This OS is totally new and improved and does not have the problems our last one did." It's sickening to hear the head of a US government agency buy such stuff while perfectly usable and secure free software is available.
Friends don't help friends install M$ junk.
I spent ten years as a government contractor and this shouldn't surprise anyone. First Homeland Security runs Windows which in itself isn't bad if it's properly patched and maintained.
The danger comes from the the people in government who control the money who have no technical knowledge. This is positively RAMPANT in government. Many times agencies just go with the cheapest bid and contractors give cheaper bids by hiring fairly inexperienced and not so knowledgable techs.
Many government agencies can get by with using Windows but really important agencies whose security cannot be left to chance should not be using Windows....period. Sadly Homeland Security and NSA are both starting to deploy more Windows units and that's only going to be bad for everyone.
Biggest reason why? Strong security requires techs that actually have technical knowledge and can do more than just set up insecure boxes by pointing and clicking. Big difference between *nix and Windows?
*nix needs techs with a decent amount of computer aptitude.
Windows does not
The person attacking you, or entity, or rogue state will not be using script kiddies. This only gets worse from here. "Homeland Security" is fast becoming an oxymoron.
Because in large and complex systems, you don't install patches until they have been tested for unintended side effects. That may mean scheduling, running and evaluating some very complex tests. This can take weeks or months, depending on budgets, priorities, and operational commitments.
Mea navis aericumbens anguillis abundat
The question is not that you can filter packets coming in... the question is how in the hell did those packets ever get in to the network in the first place! I mean this is a private, supposedly isolated network we're talking here, not some house-brewed workgroup to play around with. You don't activate packet filtering in 3000 machines because they're supposed to be as isolated as it can be, with identified points of entry secured with *real* firewalls.
There was a mention about a network not being secure if a laptop is plugged in, but a secure network does not allow unauthorized connections of any sort into it, for example, every device should only plug in to a single plug, identified and filtered by mac address. It's a lot of work, but that's what secure means. These are not workstations for checking mail and chatting away while watching movs.
The virus coming in means someone was incompetent in setting it up, or someone was really smart in putting the virus in. Not updating the machines with the patch was correct, it shouldn't be a problem if the network was correctly setup, you can't be updating everything every time a new patch comes out without tests. Independently of the OS used, in a controlled environnment patches are not a means of security, frontend workstations should not be a point of breakage.
So this is what homeland security means in the states eh? Why doesn't it surprise me? pffft...
shana
It looks like Zotob made it in to the supposedly protected network.
I'm supposed to be surprised that the department that is there to "protect" us from attack fell to an easily preventable virus?
Not when that same agency appoints Gator (now Claria) executive, D. Reed Freeman, to their Data Privacy and Integrity Advisory Committee or when that very same agency hired its own Chief Privacy Officer from Doubleclick.
No, I couldn't muster less shock at the irony if my nutsack depended on it.
Tom Caudron
http://tom.digitalelite.com/politics.html
-Tom
While stating "deliberately held back a security patch" might be factually correct and a good catch line, I think it's highly misleading: it directs the reader towards many of the wrong conclusions.
Later in the article: "Officials -- not unreasonably, say security experts -- wanted to test the patch before installing it." Well, duh. This is the interesting story. They couldn't get through the tests that they SHOULD do fast enough.
The problem is agility and testability of the systems and deployment. The easiest solution has nothing to do with MS, nothing to do with windows, and everything to do with giving your test group more respect and resources.
This is not a problem inherently Microsoft's making. You can argue up and down that patches should be faster, product more secure etc. In the end, it's plausible that discovery, patch, exploit can come with bad timing in any system. System admins and project managers that don't plan for this are asking for trouble.
Elaboration: I push very hard to ensure that all my products have automated tests. My company's Desktop Engineering department requires automated tests of all its myriad apps (DE is not my department, won't take credit). I force redesign if a product can't be tested cheaply. The benefit is: I need new feature x tomorrow (maybe some suprise regulation) or company needs patch y tomorrow (e.g. Zotob worm). Where we've achieved our test automation goals (haven't in all cases, but our coverage is good enough), we can hit a few buttons, run our tests. Repeat on all 20 configurations / platforms. 90% of the time, we find no problems, and can deploy. If it's critical, you take the risk and deploy. If not, you go on to slower manual testing to complete coverage.
Had this US-VISIT program implemented adequate and automated tests, they could have deployed in a few days, not a few weeks. The methods and tools to do so have nothing to do with Microsoft. They don't even make the type of test automation tool required for this - although I know they have one for internal use.
My motto: "A cat is no trade for integrity."
I'm confused. Who will clean my Walmart now?
I guess all those boarders better make a run for the border.
border
1 : an outer part or edge.
boarder
one that boards.
Drop me a line at:
Key ID: 0x54D1D809