Border Security System Left Open

7x7 writes "Wired News is running an article on documents they recovered via the Freedom of Information Act and a lawsuit. From the article:" A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News." It looks like Zotob made it in to the supposedly protected network."

Let me get this straight

[pHatidic]

The government agency in charge of US security runs windows?

What next, making Ron Jeremy the pornography czar?

Re:Let me get this straight

As our enterprising leaders promote mandatory travel checkpoints, screening and recording every citizen who arrogates to move faster than bicycle-pace, I can practically feel myself tingling with safety.

How dare you joke about their ineptitude? Don't you realize that every dollar spent on Homeland security is a dollar that otherwise would have gone to some terrorist who snuck through the border and stole a job in preparation to launch a dirty nuclear bomb in the middle of a preschool, for God's sake?

Instead of criticizing, please, take a moment to say thank you next time.

Normal windows operations

[mtenhagen]

This sounds like normal windows operations:
  - an exploit (bug) is discoverd
  - the virus is released
  - a patch is relesead by microsoft
  - the administrators dont trust the patch (cant see what it exactly does) so need to test
  - in the mean time the virus is spreading
  - there should be a profit line here, but I gues microsoft already made a profit before all of this started.

Re:Normal windows operations

[mrchaotica]

the administrators dont trust the patch (cant see what it exactly does) so need to test

So what? It's not as if they can see exactly what Windows itself does either!

If they're going to run proprietary software, they might as well have blind faith that everything the vendor does is right, 'cause they have no choice anyway -- they've already chosen to trust it with the existing system. (This is why foreign governments are switching to Free Software, by the way -- they'd have to be run by morons to trust Microsoft.)

Failures are routine apparently

[frdmfghtr]

Publicly, officials initially attributed the failure to a virus, but later reversed themselves and claimed the incident was a routine system failure.

I guess when you run Windows, failures are routine...

Re:Failures are routine apparently

[TubeSteak]

But two CBP reports obtained under the Freedom of Information Act show that the virulent Zotob internet worm infiltrated agency computers the day of the outage, prompting a hurried effort to patch hundreds of Windows-based US-VISIT workstations installed at nearly 300 airports, seaports and land border crossings around the country.

If there wasn't a Freedom of Information Act, would the public ever really know what had happened?

I'm surprised the information wasn't classified as relevant to National Security. Weaknesses in computer security are just as bad as weaknesses in physical security.

Should have used dumb terminals.

[khasim]

These machines will sit in border offices, staffed by government employees.

I wouldn't even trust *nix workstations in that environment.

Not to mention the WHY of this. From TFA:

The system has processed more than 52 million visitors, and allowed border officials to intercept more than 1,000 wanted criminals and immigration violators, according to DHS.

Great. 1,000 people. Didn't I see something on the news recently about 11 million illegal aliens in this country?

The documents raise new questions about the $400 million US-VISIT program, a 2-year-old system aimed at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists.

1,000 people at a cost of $400 million.

$400,000 per person caught?

Someone REALLY needs to pitch the LTSP to the government.

Beta stuff?

[TubeSteak]

"Replacement of these systems and improved biometric systems will be required."

[Former White House cybersecurity adviser Howard] Schmidt agrees, though he says the problem is hardly limited to US-VISIT. "We have to start moving at industry speed, not government speed, when it comes to the deployment of new technologies," says Schmidt. Instead of running Windows 2000, "I'd be racing to run the beta of the next generation of operating system ... and not worry about legacy stuff that we know isn't going to be supported too much longer and has had issues."

I'm glad this guy is "Former" and not current. Why does he think a beta OS is going to be any more secure than 'legacy' OSes?

Windows?

[Cthefuture]

Instead of running Windows 2000, "I'd be racing to run the beta of the next generation of operating system ... and not worry about legacy stuff that we know isn't going to be supported too much longer and has had issues."

Or how about this: Run a secure operating system that is stable and still maintained. Linux, OpenBSD, FreeBSD, anything other than Windows. No forced upgrade required since many of the old Linux distros are still maintained.

I mean it's Microsoft forcing them to upgrade even though Windows 2000 is still a perfectly fine OS.

Non-computer Q about US Visit

Except for really dumb criminals, how does US Visit actually improve security? The terminals are away from the gates, you don't need to pass special check points between the domestic and international terminals and ID doesn't get rechecked at the gate. So unless I am gravely mistaken an easy way around it would be

-subject A buys international ticket
-subject B buys domestic ticket
-both pass security
-A checks out at US Visit terminal
-A and B swap tickets
-B gets on international flight
-A gets on domestic flight or leaves the terminal
-B gets off the plane outside the country and uses his or her own passport to pass the border control. IIRC, most countries including the US don't feed back who passes passport controls back to the airlines or country of origination. But even if, B could just take a fake passport to a third world country without scanners or live database hookup instead of Europe, Japan or the like.

Interesting...

[nawcom]

An interesting question is to the Administrators:

If you don't trust the patch that software developer provides for its product, then why trust to use the product at all?

It sounds like someone saying, "Our OS has security holes in it, but we don't trust the fixes because they will just open up more holed until we verify for sure.. .. but since 90% of the world use this "hole-y" OS we'll just do what works. Like reporting a planned virus infection. *all hail bill*"

-nawcom

Re:Borders

[Ohreally_factor]

Your plagiarism from wikipedia aside, the wall might have served another purpose, i.e., as a great public work, that would help accrue, consolidate, and maintain power for the ruling classes thru the use of "surplus" labor.

This shouldn't come as a surprise

[i_want_you_to_throw_]

I spent ten years as a government contractor and this shouldn't surprise anyone. First Homeland Security runs Windows which in itself isn't bad if it's properly patched and maintained.
The danger comes from the the people in government who control the money who have no technical knowledge. This is positively RAMPANT in government. Many times agencies just go with the cheapest bid and contractors give cheaper bids by hiring fairly inexperienced and not so knowledgable techs.

Many government agencies can get by with using Windows but really important agencies whose security cannot be left to chance should not be using Windows....period. Sadly Homeland Security and NSA are both starting to deploy more Windows units and that's only going to be bad for everyone.

Biggest reason why? Strong security requires techs that actually have technical knowledge and can do more than just set up insecure boxes by pointing and clicking. Big difference between *nix and Windows?
*nix needs techs with a decent amount of computer aptitude.
Windows does not
The person attacking you, or entity, or rogue state will not be using script kiddies. This only gets worse from here. "Homeland Security" is fast becoming an oxymoron.

Configuration Control

[Detritus]

Because in large and complex systems, you don't install patches until they have been tested for unintended side effects. That may mean scheduling, running and evaluating some very complex tests. This can take weeks or months, depending on budgets, priorities, and operational commitments.

Irony with a 60lb mallet

[caudron]

It looks like Zotob made it in to the supposedly protected network.

I'm supposed to be surprised that the department that is there to "protect" us from attack fell to an easily preventable virus?

Not when that same agency appoints Gator (now Claria) executive, D. Reed Freeman, to their Data Privacy and Integrity Advisory Committee or when that very same agency hired its own Chief Privacy Officer from Doubleclick.

No, I couldn't muster less shock at the irony if my nutsack depended on it.

Tom Caudron
http://tom.digitalelite.com/politics.html

It's about test automation, not MS

[Precipitous]

While stating "deliberately held back a security patch" might be factually correct and a good catch line, I think it's highly misleading: it directs the reader towards many of the wrong conclusions.

Later in the article: "Officials -- not unreasonably, say security experts -- wanted to test the patch before installing it." Well, duh. This is the interesting story. They couldn't get through the tests that they SHOULD do fast enough.

The problem is agility and testability of the systems and deployment. The easiest solution has nothing to do with MS, nothing to do with windows, and everything to do with giving your test group more respect and resources.

This is not a problem inherently Microsoft's making. You can argue up and down that patches should be faster, product more secure etc. In the end, it's plausible that discovery, patch, exploit can come with bad timing in any system. System admins and project managers that don't plan for this are asking for trouble.

Elaboration: I push very hard to ensure that all my products have automated tests. My company's Desktop Engineering department requires automated tests of all its myriad apps (DE is not my department, won't take credit). I force redesign if a product can't be tested cheaply. The benefit is: I need new feature x tomorrow (maybe some suprise regulation) or company needs patch y tomorrow (e.g. Zotob worm). Where we've achieved our test automation goals (haven't in all cases, but our coverage is good enough), we can hit a few buttons, run our tests. Repeat on all 20 configurations / platforms. 90% of the time, we find no problems, and can deploy. If it's critical, you take the risk and deploy. If not, you go on to slower manual testing to complete coverage.

Had this US-VISIT program implemented adequate and automated tests, they could have deployed in a few days, not a few weeks. The methods and tools to do so have nothing to do with Microsoft. They don't even make the type of test automation tool required for this - although I know they have one for internal use.

Re:Those dollars are earmarked.

[biglig2]

It's amazing that someone worried about security thinks running a beta of a security system is the way to go.

This is of course the great counter to the "but FOSS doesn't have any support". "The US Government can't get support for W2K, what makes you think you can?"

Re:Those dollars are earmarked.

[HiThere]

Maybe it means the "Homeland Security" has a different job than the PR claims...and *that* is where it's attention lies.

Don't believe what they say, watch what they do. They lie constantly, but you can't even depend on that.

Watch your legislator. When they claim to be against something, but they vote for it, you know one of the things they are lying about.