US CTO Tries To Wean the White House Off Floppy Disks
schnell writes: MIT grad and former Google exec Megan J. Smith is the third Chief Technical Officer of the United States and the first woman to hold the position created five years ago by President Obama. But, as a New York Times profile points out, while she fights to wean the White House off BlackBerries and floppy disks, and has introduced the President to key technical voices like Tim Berners-Lee and Vint Cerf to weigh in on policy issues, her position is deliberately nebulous and lacking in real authority. The President's United States Digital Service initiative to improve technology government-wide is run by the Office of Management and Budget, and each cabinet department has its own CIO who mandates agency technical standards. Can a position with direct access to the President but no real decision-making authority make a difference?
It's high time to launch the "Don't floppy that copy!" campaign aimed at White House staffers.
Ezekiel 23:20
The impact she can have depends on the attitude of the President and those around him.
Well, I was using floppies well into the 90's. CD-ROMs were nice for large chunks of data but until I had broadband, sneakernet+floppies was usually a lot more efficient. Really the modern replacement is USB sticks, although they're not quite cheap enough to give away as floppies were.
wait... floppy disks are a particularly coarse-grained media, meaning that they are quite likely to survive (in storage) for a very long time. also, they don't contain silicon ICs. does anyone remember the great idea of SD Cards with built-in OSes and a WIFI antenna, and how those have been used as spyware tools? likewise USB sticks could have absolutely anything in them. so i don't think it's such a good idea for the whitehouse to move away from floppy disks.
blackberries on the other hand, i heard a story back in 2007 that the entire email infrastructure at the time ran off of *two* machines (two physical machines). one for the US, one for the rest of the world. i trust that the whitehouse email doesn't go through a single server. that would be... bad.
For a security sensitive place, like the US govt, I think lack of networking, and using floppy disks to transfer files is a good thing. It is harder to sneak out large amounts of data undetected. Doesn't the Kremlin use typewriters now?
There is a chance that the White House is using obsolete technologies because that's the way that things were always done. Yet there can be other reasons behind it.
Consider that floppy diskette. Assuming the OS is properly configured, a disk is a disk. Contrast that to a USB flash drive: is it behaving as a flash drive, or is the firmware causing it to behave as something else? Contrast that to a network connection: properly handled physical media has a clear chain of responsibility, while network connections (even internal ones) may be managed by many more people and have more access points. Yes, there are ways to deal with security in such situations. No, they are not foolproof. That's particularly true with high-stakes institutions like the White House.
Another consideration is the provenance of the technology. It is bad enough when you have to go through a single vendor (e.g. Blackberry or Microsoft) or are dealing with contractors. Many modern technologies make things worse by being a service. Products become property of the government when purchased. Contractors can be replaced when contracts come up for renewal, or in the intervening period if terms are violated or appropriate clauses are added. Services are a different issue though, and that's exactly what a lot of modern "technologies" are. Does the White House want to create a situation where another party has control over their data? Even if they could guarantee the security and portability of the data, it could be difficult to find or create a replacement. Businesses take advantage of this difficulty all of the time, and literally milk the government because of it. In most cases it is because of the cost of complying with government regulations. In the case of services, it could simply be because there is no alternative.
(I know he is trolling. Nobody can be THAT stoopid.)
Mexicans work for lower pay and take your job? That is how capitalism works. Are you a communist?
Don't fight for your country, if your country does not fight for you.
Floppy disks did not survive in storage or in everyday use. They were an unreliable temporary way to store data. They often developed bad sectors. Those of us around back then will remember people bringing disks to us that they could no longer read files off of, and having to use things like Norton Utilities to try to recover data, which was often as not unsuccessful.
I had a huge number of floppy disks in storage in the 1990s, and copied them to more reliable media - what I could of them - a lot of them had errors.
Exactly that and the article is full of bullshit. It mentions floppy disks, nowhere is it explained where they are still using them and for what purpose. It may be a marginal usage and for good reasons as well or it may be widespread and completely idiotic. Nobody can judge from the article, the floppy disk is mentioned in the beginning and the end of the article. For the BlackBerries, there are currently new models and I don't see why they should switch to something else given the security required. Perhaps being a former exec from Google she is a little bit in conflict with the interests of her former employer.
What's the point about a 2013 laptop? I am very sorry, but as a CTO she doesn't need the latest technology for herself to enjoy, leave this to the staff that really need it.
Last thing, a CTO with background in mechanical engineering and no real experience in IT, since she was heading a research division at Google, not the IT department. I am not sure this nomination was a good one. There are many other women better qualified for the job out there. With her background, if I was a CIO or CTO of another government division, I am not sure I would embrace everything in her vision.
Achille Talon
Hop!
I have a Z10 running 10.2.X. It's a very nice phone and a good replacement for the piece of garbage my iPhone 4S turned into when I made the mistake of switching to iOS 7. Cost me $200 for a well-designed handset that has user-replaceable batteries, a mini-SD card slot that cheerfully takes a $25 64GB card and runs plenty of Android apps. Personally, I even find the OS to behave much like how I WISH iOS would behave (hint: UI is very similar, but has some nice Androidish features like a file manager that is very well designed).
What's the argument? Not a lot of apps? That's an argument in its favor with the federal government. Enterprise management is very easy and straightforward for the federal government too. BYOP has absolutely no place in the federal government.
I was using boot floppies until about 2006. Currently CDs and USB thumb drives. I can see how govt would hate using thumb drives (a rogue thumb drive could mimic any USB device), but all the optical drives should be fine. Securely erasing them is impossible, so shred & melt...
j/k
To be fair, it depends on the context. A few years ago I was working for a company whose bank still required the large amount of end-of-month transactions for automated processing to be submitted via a 3.5" disk instead of an encrypted connection. Part of the reason why the company eventually switched to a major bank with a decent infrastructure.
Floppy disks are well-known weapons of mass destruction, especially the eight-inch floppy disk.
Iomega. They make USB-based floppy drives still.
Buck Feta. You know what to do.
Did you know that for $30 you can get a floppy-to-USB device?
It's the size of a floppy drive, installs in a floppy bay, plugs up to the floppy and power connectors, and provides a USB port, a couple of buttons, and a numeric display.
You plug in a USB stick, use the buttons to select which diskette image you want to use, and it presents it to the host machine like a floppy disk.
You often see them advertised for Roland keyboards, but they should work with most floppy applications.
I went back to school to learn computer programming on a part-time basis from 2002 to 2007. Assignments were turned in on floppies for the first few years. Emailing assignments and online classes became common towards the end. I turned in my final project -- creating an XML parser from scratch in Java without using any existing XML APIs -- on a CD because the source code, executable and documentation file were too big to email as a zip file. After five years of attending classes while working full-time, the dean handed back a floppy that I submitted for my very first class that he forgot to give back and found in his office. A month after I graduated with my A.S. degree, I made the president's for maintaining a 4.0 GPA in my major.
My motherboard (a bit over two years old, gamer-targeted) has the option to boot from USB floppy drive, but I don't believe it has actual headers for a floppy interface. I'm not sure it even has IDE, though. It apparently thinks that 12 SATA3 and 6 SATA2 connectors is enough... well, and a bunch of USB ports and headers, including USB3.
There's no place I could be, since I've found Serenity...
My father's one-ton flatbed truck blew a hole in the engine block. After it came out of the shop, he discovered that the mechanics had switched out the standard bolts for metric bolts. That pissed him off to no end. He borrowed a metric tool set from a neighbor and we spent a summer day replacing all the bolts. Somehow we ended up with more bolts -- both standard and metric -- than we started off with. The truck ran. After ten years and a million miles, he sold the truck to a guy who lost his flatbed truck in a wreck but kept the engine block.
Hopefully the CTO is aspiring to get the white house off of floppy disks for a solid reason beyond just the age of the technology. There is likely a good reason why floppies are still being used and that needs to be taken into mind when trying to replace them with newer technology. After all, we saw an article not that long ago that the nuclear missile sites in the US still use 8 inch floppies, but there is no solid reason to get them away from that.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I worked at the Executive Office of the President and I never saw a floppy used on any of the computers that were connected to any of the networks (unclassified and several classified).
Blackberries are still common, but you had the option of using your personal device with an app that kept the EOP data segregated. The IT folks were testing newer devices to replace the BBs and the switchover is supposed to be soon.
Overall, I did not find the IT outdated. They were not completely cutting edge, but I think if you account for security, managing common configurations, and procurement cycles I think EOP struck a good balance.
As for the age of the machines, consider the trade-off between buying a new computer to replace a 2013 laptop or being able to send someone for training or travel for a meeting.
Isn't "CTO" a corporate term? Since when does our republic have corporate leadership?
Screw the floppies, I'm more concerned about the basically open announcement that our government is now fascist, in the most literal sense of the word.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Citations, please.
In Soviet Washington the swamp drains you.
Just booted up my Otrona Attache (circa 1982) with 64K of RAM, CPM 2.2 and a pair of DSDD floppy drives.
Still loads up WordStar....
PIP B: = A:*.*
Looks like it's time to mow the lawn.
Faster! Faster! Faster would be better!
I can see how govt would hate using thumb drives (a rogue thumb drive could mimic any USB device),
The government is large. A demand that any driver be signed by the maker (with the proper key loaded into the government PKI) would eliminate 99% of such attacks. All USB storage must have a key.txt in the root with a valid key.
Problems getting manufacturers going along with it? You are the US government. "Do what I ask, or we'll eliminate your stuff from procurement for someone that does. And if you complain publicly, we'll refuse to buy from anyone who uses your stuff."
Security doesn't happen until someone demands it (and pays for it). The government should be leading the charge, not NSA-style trying to hold everyone back. Double DES is good enough for anyone.
Learn to love Alaska
I was using boot floppies until about 2006. Currently CDs and USB thumb drives. I can see how govt would hate using thumb drives (a rogue thumb drive could mimic any USB device), but all the optical drives should be fine. Securely erasing them is impossible, so shred & melt...
The reason the government hates thumb drives is because they are very small, and can store LOTS of data. Even in unclassified areas, the government tends not to want them around anything even the slightest bit sensitive. I would be surprised if they're permitted anywhere near the white house, and wouldn't be surprised if most of the computers in the white house are configured to disallow them. A floppy is harder to smuggle, and carries less per disk. Enough floppies to store a gigabyte of data is nearly impossible to hide from the secret service (well, so one would hope, but then . . . )
Bush didn't tank a baseball team. He made millions off it. He bought in, used his "influence" (asking daddy for favors) to get the old stadium re-built at taxpayer expense, and sold off, for a massive profit. He didn't have any real duties, despite an inflated title, and was just there to grease political wheels for a new stadium.
Traditional Republican style, welfare for the rich. A millionaire made millions more off the taxpayers because he got a "free house" but God forbid we let a poor person stay in a state home for a while to get back on their feet after personal problems.
Learn to love Alaska
Thumb drives have been banned on Air Force networks - even NIPRNet - for 4 or 5 years.
If you want news from today, you have to come back tomorrow.
This gets trotted out, but it isn't the reason. Small and stores lots of data is GOOD.
Here are the problems with thumb drives. This is why they can't be trusted:
1)- NO READ-ONLY MODE
Unlike CDs, which are read only without giant hoops to jump through, there's no write-protect switch for thumb drives, or ability to trivially make them read-only.
2)- USB drive, or viral keyboard?
Nothing inside a USB drive can make sure it's actually a damned USB drive. An infected CD won't run without autorun, but an infected USB stick could reasonably and actually become a keyboard and launch a binary itself by TYPING IN ITS OWN COMMANDS (this can really happen, easily). Since the U in USB is universal, and there's no reasonable way to force it to behave as a passive drive in a physically inspectable manner, it can't be trusted.
3)- Terrible OS design (mostly gone)
For whatever reason, most OSes properly treat removable media as removable, but often have a soft spot in their hearts for USB sticks. This is mostly fixed by now, but was absolutely an issue for years and until the older conception is gone, who knows.
tl;dr: Thumb drives being small and holding a lot isn't the issue, the idea of them secretly being generic USB devices (aka, absolutely anything) that are generally auto-trusted and can reasonably press OK to their own confirmation dialogs is, as is their entire lack of hardware accountability. Unlike a floppy or a CD, a USB stick can always be written to and can actually be any goddamned thing at all.
The following fundamental security features are missing:
IDE/SATA/SAS/USB: Write protection, physical.
IDE/SATA/SAS/USB: Write light (NOT read/write light, access light, or "I have power" light) with minimum duration of half a second per write
USB: Physical switch to force mode (media only, keyboard/mouse only, etc. on a given physical USB switch)
That's why they need brilliant people in the government.
I can see how govt would hate using thumb drives (a rogue thumb drive could mimic any USB device),
The government is large. A demand that any driver be signed by the maker (with the proper key loaded into the government PKI) would eliminate 99% of such attacks. All USB storage must have a key.txt in the root with a valid key.
USB keys don't contain drivers. The attack is that when you aren't looking your thumb drive presents itself as a Logitech USB keyboard and then proceeds to type in a rootkit or whatever. Since the government probably does buy Logitech USB keyboards the computer already has the signed logitech driver installed. Sure, the drive can only do things that you could do with a keyboard, but you'd be amazed just what you can do with only a keyboard.
USB keys don't contain drivers. The attack is that when you aren't looking your thumb drive presents itself as a Logitech USB keyboard and then proceeds to type in a rootkit or whatever.
To be an HID, it must announce itself as one (called "driver" even when it just announces itself and requests the default OS driver). To do so, it must authenticate with the host OS. If not, the HID functionality will be disabled.
Sure, the drive can only do things that you could do with a keyboard, but you'd be amazed just what you can do with only a keyboard.
I've been told the problem is when the USB drive is actually a storage device, but leeches power (but no connectivity to the host computer) to broadcast the contents of the device on WiFi to a listening attack machine outside (but in WiFi range). That would be theoretically undetectable, unless you have scanners and Faraday cages up all over the place. And my thought for signing is to sign per device, not that one keyboard would allow anything that announces itself as that keyboard (but without authentication) would get "root" access.
Learn to love Alaska
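The concern raised several times in this thread, that a thumb drive can present itself to the host as a keyboard as well as (or instead of) a drive, can be checked on the host side from the interface classes a device declares when it enumerates. The following is an added example, not code from any commenter: it parses a raw USB configuration descriptor and applies a storage-only policy for a media port. The function names and both sample descriptors are constructed for illustration.

```python
# USB-IF class codes carried in bInterfaceClass of each interface descriptor.
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
DT_INTERFACE = 0x04          # bDescriptorType for an interface descriptor
HID_PROTOCOLS = {0: "none", 1: "keyboard", 2: "mouse"}


def parse_interfaces(config_blob: bytes):
    """Walk a configuration descriptor set (config + interface + endpoint
    descriptors, as returned by GET_DESCRIPTOR) and return one
    (class, subclass, protocol) tuple per interface descriptor."""
    interfaces, offset = [], 0
    while offset < len(config_blob):
        if offset + 2 > len(config_blob):
            raise ValueError(f"truncated descriptor at offset {offset}")
        length, dtype = config_blob[offset], config_blob[offset + 1]
        if length < 2 or offset + length > len(config_blob):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("interface descriptor shorter than 9 bytes")
            cls, sub, proto = config_blob[offset + 5: offset + 8]
            interfaces.append((cls, sub, proto))
        offset += length
    return interfaces


def assess(config_blob: bytes):
    """Storage-only policy (an assumption of this example): allow a device
    only if every interface it announces is mass storage."""
    findings = []
    for cls, _sub, proto in parse_interfaces(config_blob):
        if cls == CLASS_HID:
            findings.append(f"HID interface ({HID_PROTOCOLS.get(proto, 'other')})")
        elif cls != CLASS_MASS_STORAGE:
            findings.append(f"unexpected class 0x{cls:02x}")
    return ("block", findings) if findings else ("allow", [])


# Constructed sample: an ordinary stick with one bulk-only SCSI interface.
PLAIN_STICK = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"      # configuration, 32 bytes total
    "09 04 00 00 02 08 06 50 00"      # interface 0: mass storage
    "07 05 81 02 00 02 00 07 05 02 02 00 02 00")
# Constructed sample: the same stick plus a boot-protocol keyboard interface.
COMPOSITE_STICK = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"      # configuration, 57 bytes total
    "09 04 00 00 02 08 06 50 00"      # interface 0: mass storage
    "07 05 81 02 00 02 00 07 05 02 02 00 02 00"
    "09 04 01 00 01 03 01 01 00"      # interface 1: HID, boot, keyboard
    "09 21 11 01 00 01 22 3f 00"      # HID class descriptor
    "07 05 83 03 08 00 0a")           # interrupt IN endpoint

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_STICK), ("composite", COMPOSITE_STICK)):
        print(name, assess(blob))
```

The descriptors are whatever the device chooses to announce, and a device can disconnect and enumerate again with a different set, so a check like this has to run on every enumeration rather than once per plug-in.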