Slashdot Mirror
Pentagon Hid Magnitude of Data Loss From Recent Breach
blueton tips us to a brief story about recent revelations from the Pentagon which indicate that the attack on their computer network in June 2007 was more serious than they originally claimed. A DoD official recently remarked that the hackers were able to obtain an "amazing amount" of data. We previously discussed rumors that the Chinese People's Liberation Army was behind the attack. CNN has an article about Chinese hackers who claim to have successfully stolen information from the Pentagon. Quoting Ars Technica:
"The intrusion was first detected during an IT restructuring that was underway at the time. By the time it was detected, malicious code had been in the system for at least two months, and was propagating via a known Windows exploit. The bug spread itself by e-mailing malicious payloads from one system on the network to another."
The DoD doesn't need Windows, we need bunkers.
"The fight for freedom has only just begun." - Geert Wilders
So they snuck in through broken Windows?
What is it with you people? Is there no such thing as a state secret anymore? Should the Pentagon just list all its secrets on its Web site and get it over with? Let's just post all the targeting information, launch codes, encryption keys, advanced weapons and defense systems. etc. Let's just post it all on .mil in the interest of openness.
Not everything is a scandal folks! Nothing to see here, move along.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
This is Slashdot. The data wasn't stolen. It was copyright infringed.
When will everyone learn the difference?
The solution is obvious: sic the Mafiaa on the attackers.
In all seriousness, if it was a Windows exploit that had been known for months, there should have also been a fix I would think. So is the Pentagon not installing their security updates or what? This is ridiculous.
This author takes full ownership and responsibility for the unpopular opinions outlined above.
OK, all you government workers - especially those in the military, CIA, or NSA that are running Windows on open networks.
Compose a few Microsoft Word documents about a planned nuclear attack on Beijing on the opening day of their olympics. Make it sound nice and juicy, say a few things about ICBMs, nuclear submarines just off their coastline. Mention the proposed megatons and expected damage. Talk about a free Taiwan
Let them chew on that.
We're paying the Pentagon and the spy agencies over $500 BILLION a year. That's well over $3 TRILLION spent "protecting" us since the 9/11/2001 "wakeup call" that should have told us national security isn't merely a big army. The Vietnam War cost "only" about $600B, during the height of the Cold War.
Feel safer?
--
make install -not war
I think it is time for any signifcant secrets to be inside a separate network with a different operating system-- and one that is built from the ground up to be secure from buffer over run attacks and similar performance enhancing flaws.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Sysadmins must apply patches IF AND ONLY IF they are army approved.
Sounds decent so far, hmmm?
The army has some committee that regularly decides which patches to approve.
Still not too bad, hmmm?
The committee approves patches for things that are being actively exploited.
Ponder that one for a moment. It means that every security hole will be exploitable on the army networks. Every security hole gets a chance, since "not exploited yet" means "not a problem".
Me Chinese,
Exploit SOCKS
Me Put Malware
On Your Box
Me Chinese,
Go To Town,
Me Pull Fast,
Your Data Down
Me Chinese,
Make Cheap Shoe
Take You Secrets
Laugh At You
Me Chinese
Let You Think
Here You Go
Bring You Drink
Me Chinese,
Me Play Joke
Me Put Pee-Pee
In Your Coke
Who protects you from them now?
It goes from God, to Jerry, to me.
Gary McKinnon is accused of cracking into 97 United States military and NASA computers in 2001 and 2002.
He talked of blank MS passwords and using a tiny Perl script.
So maybe you do not crack or hack MS Pentagon computers but just surf on in.
http://news.bbc.co.uk/2/hi/programmes/click_online/4977134.stm
You know, one time we had a box DoS, for 12 hours. When it was all over, I walked up. We didn't find one of 'em, not one stinkin' Asian ip.
The smell, you know that Microsoft smell, the whole box. Smelled like... owned.
Domestic spying is now "Benign Information Gathering"
Vista wouldn't run (the box said the machines could handle Home Basic but it just didn't work out that way) so they rolled back to ME.
It goes from God, to Jerry, to me.
Is it one Microsoft hasn't patched? Was it on Vista or XP or 2000? Was it something that could have been prevented by system or user settings? Why was Outlook not switched to plaintext only to prevent malicious code from propagating?
This sounds more like an inept IT department than anything, and considering government pay grades if you aren't in _the_ top tier it wouldn't surprise me if that was the case really.
And to all you anti-Windows pro-Linux guys: How many groups of hackers does your OS have dedicated to breaking it? Microsoft damn sure has its flaws and issues, but most Windows exploits are found simply because Windows is _everywhere_ in the real world.
There is a reason NTFS was number two on the Slashdot FS poll, and it isn't because Windows and everything associated with it is total garbage. The 'open source attitude' is supposed to be about choice and sharing, not about elitism.
Sure, the default settings on Linux are more secure than on Windows. Linux is also not designed with the common man in mind. You shouldn't be surprised, especially IT guys, with how much of the problems with Windows are because of the marketing department rather than the actual coders. If the recent internal e-mails can't show that to you (what with the majority of the company bitching about how bad Vista was and how it shouldn't be released) then you are going through life blind.
Oh and yes, I use both Linux and Windows. Both have their uses. You don't throw out a screw driver when you get a power drill, and you don't throw out a ruler when you get a tape measure.
It's not the Chinese People's Liberation Army. It's the People's Liberation Army of China. The Chinese People's Liberation Army is a bunch of wankers.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
Comment removed based on user account deletion
why the hell is any DoD network connected to the Internet????
Jesus saves souls and redeems them for valuable cash prizes
Here's the thing.... even putting the hyperbole in the title aside, Microsoft really does suck , and at so many many many levels.
.
I am in my 30's and I have been using Microsoft all my life, since I was about 9 years old (I started using computers when I was 7). I build their machines, I repair them, I even program them too. I also attempt to provide security on them as well. So I have been involved with Microsoft about as long as some people have been married. So I believe that I am entitled to get drunk occasionally and rant about the "Ex" for awhile. I earned it, so to speak.
Have people noticed that Microsoft is like a little sickly Boy in the Bubble? You have to protect him at all times.
You have to put up a router and a firewall at a minimum to protect your little herd of MS machines. Keep them safe from the big bad wolves and all that. Of course, these days you also need to have some really good routers with IDS, gateway anti-virus, etc. to do it even better. But that is not enough. Those little guys can get into trouble just "looking" out on the Internet. So you need anti-virus, anti-phishing, anti-spam, anti-spyware, anti-malware, etc.
When the Internet first started coming out, I remember telling people it would be cold day in hell before I hook my computer up to an unknown network in which anybody could send packets to my machines. Obviously, I had to get over that "shyness" and learn to adapt or die. However, since then, I have had to invest enormous amounts of time and energy and cold hard cash into preventative measures to keep my own Microsoft OS's from being hijacked by any asshat on the Internet.
There is billions being made, that's with a B folks, in 3rd party solution providers that specialize in providing the security solutions just to cover the fact that Microsoft can't code security if their "life depended on it".
Now that the Pentagon is using them, it would seem that in a roundabout way, Microsoft's life IS depending on it.
We can bash Microsoft all we want, and talk and talk and talk about it. What it really comes down to though, is that Microsoft just may not be a secure enough environment for our National Security apparatuses to be using. If we have to work that hard at it, with that many vendors, and have that many points in which someone can screw up and leave machines vulnerable, then we need another solution
On another side note, where the HELL are those super secured networks I keep hearing about that my tax dollars paid for huh? Apparently, the Pentagon's networks must be in really bad shape too. You would think that trillions of dollars could provide some pretty secure networks, communication infrastructures, and operating systems.
All that "bashing" on my part aside, Microsoft may make a decent OS for the little guy. The mom and pops at home with their families. Let's face it, it is easier to use then Linux, otherwise Linux would have a greater market share. Let's just not use it inside the Pentagon OK?
It reminds me of the Doonesbury comic years ago about Reagan's SDI shield, that was going to protect us from Soviet missiles by a single, always-perfect shield of protective devices. The comic was drawn in crayon, as I recall, with the voice of a little girl explaining that the world was beautiful because SDI was protecting us. Then in the last frame it said something abrupt to the effect of "Oops, one got through. Bye."
What makes this story so scary isn't just that something got broken into, it's the thing in the back of all our minds that says "my goodness, is that the place where All Knowledge of Everything is centrally stored?" Bad enough when someone breaks into your computer and gets all your bank accounts or passwords, but when someone breaks into The Government and gets all knowledge of launch codes, defensive systems, registries of guns in the US, files on who sympathizes with who, files on who calls who, etc. ... well, that info collected with the intent of defending us might suddenly be a liability.
That's why things like the telecom phone tapping, national IDs, etc. are so troublesome. The mere centralization of information at all for any reason is a risk that the Bush administration has been ignoring, working instead (for all we know, none of this being auditable) to pile all of everything in one fragile place. The founding fathers kept trying to decentralize things and minimize what in modern computer terms we'd call "single point of failure". They distributed power in a way that made it hard to just break in and take control, right down to making sure there was not a single head of government. It's too bad that in all the puffery we hear spouted about Constitutional original intent, the modern Republican leaders don't show more care about that kind of original intent.
Kent M Pitman
Philosopher, Technologist, Writer
We are supposed to protect ourselves except we all kinda forget that part of the Constitution.
The game.
Twenty thousand people work in the Pentagon, the bulk of them secretaries, flunkies, gophers, paper pushers and form filers. They have, naturally, a plain old typical big business e-mail system for sending memos back and forth about whether the proper signatures have been affixed to form eight six four nine nine stroke seven aitch. This is what got hacked. To the extent "sensitive" data was compromised, it would be stuff like the Assistant Associate Deputy Secretary's daily conference call schedule, which is "sensitive" in the sense that in the remote chance that someone wants to assassinate him they'd find such data mildly useful.
There is of course also a serious network of computers at the Pentagon which handles serious military secrets. It doesn't run Windows. It isn't physically connected to the Internet. The Chinese can't touch it.
This is a silly FUD nonstory. There's no reason for the Pentagon to treat random secretarial computers with the same attention to security as they give classified computers. It would be very expensive, and my taxes are high enough already, thank you.
It would not be the first time that a government has gone to great length to convince others that the stolen data they have is real, when really it is not, rather it is carefully crafted misinformation designed to fubar any project or plans it is used in.
Many of these systems would be communications between DOD and weapons builders. No doubt that there is more than just idiot chit-chat that was in the email. It would include a number of details of our new weapons. Now, it may not include full specs, but in parts, it speak about various aspect of it. Once spoken about that, allows others to try and guess. They will try to guess how to duplicate AND how to defend against it. Worse, it may speak of known weaknesses that we have. Perhaps china finds out that the ABL has a certain frequency of laser, as well as length of time that it runs. That would enable them to build shielding (mirrors of a certain thickness) against it. Perhaps in these email, data about China is mentioned. Now, they may put 5 and 5 together and figure out where the pigeon is. All in all, information IS power. And it is ALL valuable.
I prefer the "u" in honour as it seems to be missing these days.
Their network admins should be fired on the spot, that's ridiculous.
Yes it is ridiculous and someone should be fired.
But why does everyone go after the grunts and not the department heads? After all it is the department heads to allocate the money and resources to do such things as watch the network.
The local admin might be over worked, under trained, understaffed and no hardware to accomplish this task. Don't be so quick to pounce on the network person. This is a management issue pure an simple.
Much could be done as indicated by many here on /.
....
...), taking credit, and assigning blame. If you try to fix the management mess in DoD you'll get the 33% fired or forced into a back office hole ... the situation would get much worse.
... then you are a dogma don-dummy.
DoD has bought into Alpha-security (A-Sec). A-Sec is when all things are controlled by being identical or bunker-consolidated.
It is like a single point of failure looking for a place to happen. Someone once told me (or I read) about the blackberry network with one or two critical nodes (points of failure/attack/access). MS-products on most all DoD desktops is another single node. Server/Network help-desk-script Admin is another node. Things done the same way everyday is another node.
Who's in charge in DoD? I figure, about 66%, of C*Os (even in DoD...) rose through the management ranks by social skills (golf, fish, drink, lies
In the USA there is (at most) one in three managers/C*Os that are worth their pay plus, the 66% ain't fucking worth a janitor's pay. The past 50 years decline of the USA into stupidity was caused by 66% (or more) of the politicians, plutocrats, corporatist, and clergy being dogmatic dimwits.
Two i.e.4U
All government problems are caused by lazy government employees, if you want to believe politicians and senior managers like Dummy Don Rumsfeld
All our financial problems are caused by all the money spent on poor people or the elderly on retirement checks and free medical care.
If you want to believe this bull shit, then kill your parents before they can retire, or consider a concentration camp (called a nursing home poject) for the elderly could make sure that retired people die on a state sponsored schedule to manage money better.
Economics and Financial problems are caused by governments and business institutions being uncontrolled and irresponsible to the public/society. Businesses for decades have been looting retirement funds, getting government bailouts, setting up loan, housing, energy crises for US tax dollars. The New USA Welfare-State for Corporations, the old USA is vanishing, because far to many USA Citizens believe that god and wealth has all the answers (I know they're all lies).
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
It really does make what the NSA were doing look very suspicious and starts to look more like a domestic surveillance program searching for those who did not properly align themselves with the current administration. Opposition political leaders and political fund raisers, people who supported peace and not war, those that actually wanted to support the troops rather than just sending them off to bleed money out government and into the pockets of corporations whilst the soldiers bleed on the battlefield.
I wonder how much information got out about the corrupt nature of some of the practices going on in the pentagon that will later be used by the autocratic communist Chinese leadership to manipulate and control those in charge of the Us's national security. A whose who of those that will readily accept bribes regardless of the loss of life.
I bet there are a whole lot of people who now wish they had mandated the use of the NSA's SE Linux on desktops and file servers, the NSA really did now and attempted to do something constructive about the problems inherent in M$ windows before they were cut off by the corrupt M$ executive team and an equally corrupt republican administration.
Chaos - everything, everywhere, everywhen