Slashdot Mirror


User: gruhnj

gruhnj's activity in the archive.

Stories: 0
Comments: 68

Comments · 68

  1. Re:This System is mostly worthless on DHS Ponders "Improving" Terrorism Alert System · · Score: 1

    This system is worthless because there are no actions associated with the different levels. Strange that DHS has always been at yellow or orange but the military's FPCON has always been at Alpha+ or Bravo. What we really need to do is replace the system with DoD's FPCON and be done with it.

  2. Re:Didn't they make a movie or two about this on Military To Spend $42M To Build Advanced Network Control · · Score: 1

    lower level soldiers can get their net access cut back or removed when needed to provide command guaranteed access to the network when they need it.

    Ding Ding Ding. This is taking what we already have in the DSN military phone system and applying it to the tactical and strategic networks. This is more of an issue on the tactical Joint Network Node (JNN) networks as the military continues to expand with the entire BCS suite. CPOF alone demands priority networks to work well between sites. As everything gets digitized the network is getting saturated and it can't grow like this without some sort of traffic control. A JNN can take a good amount of load but the associated Command Post Nodes (CPN) max out real quick.

  3. Re:If you're downloading music at work... on US Fed Gov. Says All Music Downloads Are Theft · · Score: 2, Informative

    In a DoD environment iTunes, Amazon Downloader, and other legal forms of downloading music are prohibited from being on the systems as being outside the baseline. I can only speak for the Army but the regulation does not consider music in general stealing. Quoting from AR 25-2 page 27...

    (7) Certain activities are never authorized on Army networks. AUPs will include the following minimums as prohibited. These activities include any personal use of Government resources involving: pornography or obscene material (adult or child); copyright infringement (such as the sharing of copyright material by means of peer-to-peer software); gambling; the transmission of chain letters; unofficial advertising, soliciting, or selling except on authorized bulletin boards established for such use; or the violation of any statute or regulation.

    In short DISA wrote bad flash training on this one scenario. DoD 8500 series and agency specific regulations DO NOT refer to it as stealing.

  4. Re:Does anyone actually USE IE anymore? on Microsoft Finally Joins HTML 5 Standard Efforts · · Score: 1

    Chrome does not install in /programs, so it can be installed in machines at work with ease; kind of a big FU from google to MS and IT departments. I wish the installers for all other browsers followed suit.

    While it might be OK to say FU to MS, saying FU to IT departments ensures that it won't be installed per company policy. Anything that you want business to adopt on a serious scale has to be something they can manage across the company with ease. For Windows that means being able to manage settings and restrictions through group policy and having an MSI installer. Without that, company policy will not really change because IE's management cost is already accepted as part of the enterprise while you have to have a separate process for Firefox. If you're running MS on the desktop, the plan is built in for IE, making any other cost extra. I realize that both are available for Firefox BUT they come from organizations other than Mozilla. While IT might be fine with getting it from an outside source, management definitely balks on this.

  5. Re:Enforcing compliance... on New Legislation Would Federalize Cybersecurity · · Score: 1

    3. Inspector then moves on to the server room, where Linux is installed. Inspector can't determine that "latest Microsoft patches are installed", so machines are marked as non-compliant.

    The Federal Government uses Linux as well and there are published security standards for it. The NSA and DISA both publish security guides and implementation guidelines for Linux: NSA Secure Configuration Guides, DISA STIGs. This will require training for your typical enforcement droid but is not out of reach. To say that regulation would require Microsoft only is ignoring the fact that *nix is very much in use in the Federal Government.

  6. Re:EFS? on Windows Home Directory Encryption? · · Score: 1

    The multiple computer problem in a domain is solved by setting up a PKI through certificate services. This combined with a logon script to encrypt the profile directory takes care of those problems. If you are doing EFS on a large scale in a domain you would be crazy not to use a PKI. Another advantage to this is should the certificate get lost you can set recovery keys that an admin can use to decrypt the data.

    This can also be used in a Windows domain to create BitLocker keys as well, which encrypts the entire system.

  7. Re:Unit of productivity on System Admin's Unit of Production? · · Score: 1

    Shouldn't you not have to define your unit of productivity, since this should have been specified in your Service Level Agreement? I know for me my SLA tells me not only what my systems are supposed to maintain as a standard but also how I will be measured.

  8. Re:Impressive FAA stupidity. on Charter Flight Websites / Services? · · Score: 1

    I understand that a military flight vs a civilian flight is totally different, but c'mon. You let me bring my GUN on the plane?

    You might have had your M-16 or M4 on the plane, but did you have ammo? I know of no unit that had ammo on the plane. You don't get your rounds until Kuwait even if you Force Protection. Even then you get your FP rounds on the ground at Kuwait International Airport. There are no rounds on the plane. CSM Grippy would have had a fit. As for knives, I know a lot of guys who had knives on them leaving Campbell. Except for ammo, we were able to take pretty much what we could carry as long as it looked military. CSM Grippy encouraged it so we looked like a fighting force.

  9. Re:better one innit on Army to Require Trusted Platform Module in PCs · · Score: 1

    A country's armed forces ought to have the power to demand the full source code of every application running on their computers, and the resources to write all their own software wherever necessary.

    You have obviously never had to administer Army software. As bad as you may think Windows software is (and I admit at times it's real bad), contractor supplied software (mostly ABCS systems) for internal Army use sucks. BCS3, MC4, ASAS, CHIMS, AFATDS, etc. are the most frustrating systems I have ever had to admin. The documentation and support given to these systems is poor. The contractors sent to be local subject matter experts usually have almost no more training than I do. They can't be patched normally and they can't integrate systems that obviously go together. Apply a reasonable domain group policy and they freak out. The list goes on. Software design ain't DoD's strong point.

    Having said that, what makes you think the Army could do any better than the commercial sector? If we can't get some simple thing like sending troops to war with appropriate body armor straight, why would we be good at software development? Even bigger question is do we want the army to spend the money to develop an OS? Shouldn't we be figuring out how to fight wars? We have a budget crunch as is just to get maintenance costs taken care of for things like tanks and humvees. Imagine the budget crunch if we went into the software development world at just the OS level. If we went into making the full application stack, we would be in an even worse budget crunch than we are now. Linux is too hard for most Army admins to admin. Heck, some of the Windows deployments I have seen in the army are pretty screwed up. It's easier to get officers and NCOs to use Windows and go through the pain of securing it than rewriting it from scratch. Open source is good, but it's not a starting point for the vast majority of the Army user base.

    As for getting access to the source, you're not so clueless as to think we don't have access to the source code for Windows and major apps, do you? The NSA, DISA, and other government agencies have the code and they certify what we use.
     

  10. Re:*bleh* I hated it when it was called RIS on Inside Vista's Image-Based Install Process · · Score: 4, Informative

    This is no different; currently it doesn't support multicasting and so although it's 'revolutionary' (read: RIS) it still doesn't beat the ability to push down an image to a workstation in less than 20 minutes...oops, did I say a workstation, I meant a lab.

    Windows Deployment Services, the replacement for RIS that will be coming out around the same time Vista ships, does exactly that. RIS only does the OS install well. Once you create your master image, you can place that onto a WDS server and multicast it out to as many computers as you have bandwidth. My current image when deployed with ImageX comes in at 25% less space (both images on max compression) and deploys in approx. 12 min for the image copy, plus the normal mini-setup time.

    Ghost ain't going away, but it will be eaten away at from the bottom with WDS.

  11. Re:5 years of "homeland" defense on White House Demands Encryption for Sensitive Data · · Score: 1

    It may even be the case that they did configure things accordingly with strong encryption available and everything. But maybe no effort was made to ensure it actually got used.

    This is similar to the current implementation of CAC cards for the military. Since about two years ago every soldier, DA Civilian, and DA Contractor has had a CAC card with working crypto keys intended one day to be used for CAC Logon, Email Signing, and EFS style keys. I joined the Army in 2002 and pushing out the CAC card readers has been one of the main issues IA wanted to push. It was supposed to be used for access to the Army Knowledge Online (AKO) portal as well, but no one used it. After two years of availability, only approx. 20,000 soldiers had registered their CAC cards with AKO. Then they made it mandatory coming up here very soon. CAC registration has soared to ~190,000, with ~40,000 users using their CAC for every logon.

    As with any federal agency, the only way to ensure that security happens is to make the punishment factor (in this case no access) high. DoD has spent a long time setting up the PKI, generating the CAC cards, and trying to push the training to everyone so they will use it. Making it available is not enough. Executive Orders like this are the only way enforcement will actually happen.

  12. Re:Obnoxious on Google Bundles Toolbar With Adobe Apps · · Score: 1

    vistic said ... "Google Toolbar is a good program for those who use IE (I think it's totally unnecessary for Mozilla) but Google or not, bundled software is just obnoxious"

    It's not just obnoxious, it's adding software that we can't use to an otherwise useful program. Extra toolbars from Google, Yahoo, or anyone else for that matter are a violation of the security policy where I work. This means that I have to start figuring out how to remove them from the system or worse, stop using their programs. It's a shame that as an administrator I can't use a program because of the bundled extra crap.

    When will software vendors realise that users want to install just a single program and don't need or want bundled extra crud? Maybe more important, how do we stop this trend with Windows programs?

  13. Re:"Unusual practice" ... wtf. on Microsoft Employees May Lose Admin Rights · · Score: 1

    You have hit the nail on the head. The problem is in most cases political instead of technical. As for users whining to you that they can't install something, you just need thick skin. Users are the weakest link in the chain regardless of what system you use. In Windows' case, you limit the ability to make new group policies to a trusted few and make them give a good reason to make them a local admin.

    You think that some companies don't want to hire a decent IT staff? Try working for the military, where the tech support you get is what you recruit. I don't care what you get from industry, recruits in most cases are worse. What we tend to put on the shoulders of privates these days is intense considering the lack of training they have overall. And we have an even larger mission; if we screw up people may die. Having said all that, we still have decent security (at least at my unit, I can't speak for the military as a whole). Less than 5% of our users have admin rights of some type, less than 1% have more than 20 computers at their control. If we can make it work when lives are on the line with not enough soldiers to go around, a larger company SHOULD be able to get it done as well.

    Most of the problems we have in my workspace are custom apps that were written poorly in the first place OR were made with poor installers. Repacking those installers has solved most of my problems; Restricted groups solve the rest. Not having local admin rights has not stopped my workplace from being productive.

  14. Images on Installing Windows with Recent Updates? · · Score: 1

    As has been pointed out earlier in this story, the best you can do is http://unattended.msfn.org/

    Having said that, if you are doing this often enough why do you not have an image? Imaging spares you this work and you also get all of your applications as well. You're more likely to mess something up the more manual rebuilds you do, especially if you have a non-trivial configuration. Better yet, with a little work with sysprep you can add drivers for multiple models. Bâshrat the Sneaky's DriverPacks works for most hardware and takes minimal effort. I currently use the same image for about 15 different models of laptops. Having one image for all of my on site hardware makes updates a snap.

    SGT Gruhn
    BCT1, 101 ABN DIV(AASLT)

  15. Re:Very slanted interpetation there. on U.S. Kids Don't Understand First Amendment · · Score: 1

    The First was meant to protect religions from dominance by one over another, not to put them all out of the public eye.

    While the parent is correct in that the intent of the First was to prevent sectarian preference, it should be noted that the number of non religious in America has greatly increased. The SCOTUS is treating atheists, infidels, and others as a separate sect. It should also be noted that in most cases, it's Christ and his fan club against the infidel. A prime example is the various Ten Commandment cases. It should be clear that the Ten Commandments are religious; after all the first one declares a specific God. Apparently this is not as self evident or Christ and his fan club have more pressing reasons for putting them there.

    I'm not for actively fighting religion, I'd rather it fade away peacefully and we can move on with our lives. The First amendment should do no harm to religion per se, but by the same token it should not be actively helping it remain relevant.

    It's not a conspiracy against theists, it's just being neutral. Many theists don't see it that way, they see it as religion hostile. If they want to see a hostile policy, they should look at themselves.

  16. Re:How secure could windowsXP be... on Just How Paranoid Are You? · · Score: 1

    How can you call yourself a paranoid when you're using XP? Real paranoids don't use commercial software... real paranoids write their own OS!

    Really? Cause DoD doesn't do that. But we know our systems are secure because we filter our TLA stack multiple times and have a fully dedicated monitoring team (RCERT). Even better, if you're doing something really secret, get hardware crypto, encrypt the links between, have a closed network, and change the key often.

    Windows XP can be just as secure as any other OS. Simply hardening down the TCP/IP stack, removing unnecessary services, and testing software before deployment cuts down on most risks you can have. Password filters and a good group policy work well for that too. Dumb users will always be your worst problem, but if you're really wanting to do something secure, force a security indoctrination on them and make it mandatory for retraining regardless of position every six months. For your SysAdmins, force them to audit the network at least once a week. Invite higher echelons in the company to penetration tests of your network and close any holes you find.

    Paranoia is one thing, but in some cases a SysAdmin is paid to be paranoid. Better paranoid than too trusting.

  17. Re:Bingo. on Brian Hook on the ActiveX Experience · · Score: 1

    Even though most people run as root in Windows, that is still no longer an excuse. Microsoft's own people do not encourage this from a security perspective. I run IE with a stripped down user. I accomplish this with DropMyRights.msi as explained at Microsoft's Security Developer Center. That having been said, Microsoft should take this tool and add it to the OS and make the default IE shortcut with it for the administrator. Most people will just click on whatever they are given. Since fixing ActiveX is unfortunately the much harder problem to solve (at least until Longhorn when they can fix it if they want), as a secondary measure they should secure the box beforehand.

    Doesn't prevent user stupidity, but it's better than nothing.

  18. Re:RTFA: Not a launch on Air Force Launches Encrypted IM Service · · Score: 1

    The Army has had a similar operation going on for over three years now, open to family members as well. All you need is an Army Knowledge Online (AKO, www.us.army.mil) account. Accounts are open for anyone that a soldier can sponsor for an account. Registration for the portal is automatic for soldiers and provides access to the portal. Sounds like what the US Air Force has done is more of the same. I know that the Navy has their own internal portal as well called unsurprisingly Navy Knowledge Online. It's just a sign of the times.

  19. Re:You guys are amazing! on Failed Win XP Upgrade Wipes Out UK Government Agency · · Score: 1

    At least Linux comes with 99% of drivers pre-installed. With Windows you have to find them on the net first, then find some way of getting them to the target system (because you don't have a NIC driver, remember?).

    Apparently you have never heard of Remote Installation Services. Assuming that you have your systems all coming from the same vendor or similar vendors, it's actually not as hard as one might think. Most corporate deployments are like this. Turn on DHCP and have them boot off of it. RIS can take care of that if you have done it right.

  20. Re:TCO costs rise scarily with Windows XP failures on Failed Win XP Upgrade Wipes Out UK Government Agency · · Score: 2, Informative

    Read the article. EDS applied a patch intended to update 7 Windows XP boxes to 60,000 Windows 2000 machines. The TCO here applies to the contract to EDS, not the software.

    This sounds like they were pushing out the upgrade via SMS. Checking that the upgrade was on an appropriate system here would not have mattered since the upgrade path from Win2k to WinXP is legitimate. This sounds more like sysadmins, instead of applying to a custom collection, applying to the "All Systems" container. The real question here is why are so many systems under one system and, even better, why did the sysadmins who did this application not check to ensure the advertisement was sent to the proper container.

    EDS takes the blame for this, not MS.

    Keyboard Infantry since 2002

  21. Re:Emergency Calls? on France to Allow Cell Phone Jamming · · Score: 1

    In theory yes, but in practice no. The military really has three different levels of off duty.

    1. Off Duty. Must be within 65 miles of post. Must be able to make a 3 hour recall for nonessential personnel, those designated on 1.5 hour recall. Exception to this is a brushfire alert (rare), which means complete checks required then report back to higher in two hours.

    2. On Pass. Must remain in state (country if outside the US) but are allowed to exceed 100 miles from post. Must be able to be back in 12 hours.

    3. On Leave. Gone for an extended period of time. Don't count on them for anything while on leave. If they are that essential, have alternate take care of it. Alternate and primary cannot be on pass or leave at the same time.

    Those in an Off Duty status, especially those in recall status cannot be outside of contact. Those on pass must be in contact or check back in periodically to be sure they didn't miss something.

    It's not a complete lockdown, but cell reception is definitely a plus. Either that or they know you're going camping so they know how to reach you.

  22. Re:Emergency Calls? on France to Allow Cell Phone Jamming · · Score: 1

    Is it really necessary to be reachable while you're at the cinema? No. And if it is necessary, you shouldn't be at the cinema.

    For me definitely YES. My work requires me to be on in some cases very quick recall. As a military system administrator sometimes I am called back for emergency drills, riots near post gates, and other emergency functions. Hopefully I never have to use my cell for this, but it's also my notification for if another attack happens and I need to go back to base and hunker down. Does this mean that I can't go and enjoy a movie at a real theater? Nope, I have a right to a real life with real entertainment as well. I work hard and I should be able to enjoy the fruits of my labor as I please. While I am personally not in a life or death situation, the same argument can be made for medical, fire, and police personnel who ARE working life and death.

    What we really need is for more people to put their cell phones on vibrate when they go to public functions like this. If the cell phone goes off, I step out of the room and call them back. Being out of touch in this case is not an option. For those of us working in emergency services, that call can be the difference between life and death. I'd rather piss off a few people in a movie rather than lose a life because no one can reach me. Especially when my battle buddy was counting on me to be reachable.

    HHD, 1st Sig BDE
    "First to Communicate!"

  23. Re:my email to Glen on P2P Leaks Surprises · · Score: 2, Informative

    Since when do you or I get to vote on how the military handles its own housekeeping? It's not up to you or I (or Glen) to establish military policy. All we can do is ask that they please address the issue.

    Well, I am one of those that help in establishing military policy. I work in the Theater Network Operation and Security Center - Korea (TNOSC-K). I can tell you that the policy is all there already. The Army has established AR 25-1, Information Systems Security, which specifically addresses NIPER vs SIPER, p2p, spam, and what should be on the firewalls, routers, clients, etc. Problem is the military DOES NOT uniformly enforce said policy. It even sets standards by which you can be punished in the Uniform Code of Military Justice (UCMJ). Network Enterprise Tech Command (NETCOM) has set forth huge amounts of info on policy. And we do our best to ensure that it's at least as secure as the guidance sent to us from NETCOM.

    As a TNOSC member, however, I can only do so much. Sure I can block out info from various subnets, block ports, and attempt to destroy all unauthorized software. It won't mean a dang thing unless I get the platoon leaders and company commanders on board to help me. Dumb users in the military, just as in the real world, outnumber sysadmins by a huge margin. It could even be worse in that the ones in charge may be the dumb user! Right now most units are stretched thin, more thin than they need to be. For an infantry unit maintaining guns and tactical proficiency ranks above computer maintenance and COMSEC. It's just a fact of infantry life. Infantry shoot guns; computers are secondary. I don't want to imply that infantry are stupid (I used to have a very smart platoon leader that was Ranger Infantry); they are however mostly ignorant on computer security. If that's what we have to deal with when we call and say something's wrong, we are already going to have a problem catching up. We need them to understand our concerns (which means bringing them up to speed, a non-trivial task in itself), and then getting them to fix themselves to our standard. It's no wonder then that these tasks lag behind.

    In short, policy people from NETCOM are on top of policy. Everyone else just needs to follow and actually implement it.

    SPC John Gruhn
    TNOSC-K, Systems Management Branch
    1st Signal BDE, Korea
    Hurricanes, First to Communicate!

  24. Re:Are you joking? on Networking in the Danger Zone? · · Score: 1

    Why rebuild them at all right now? Security over there sucks right now. The average Iraqi wants us to leave. Going over and rebuilding the country is all well and good in intent, but when there are truck bombs and beheadings and such in theater, WTF difference does it make? It's bad enough that the new Iraqi government has declared they may resort to Martial Law. Why go and rebuild a place until they can calm down enough to actually use it? I'm all for giving them goodwill, they need it, but the insurgents must be conquered first. Right now, if you build it, it will just get torn down.

    If we get security under control, we can start to make some progress on the rebuilding part. Even better, once security comes in, we won't be alone in building. We can lead them to water all we want, but right now they won't drink.

    SPC Gruhn
    TNOSC-K, SMB
    1st Signal BDE
    Keyboard Infantry since 2002

  25. Re:Not suprised on Infected Windows PCs Now Source Of 80% Of Spam · · Score: 1

    Windows can be almost, if not as secure as Linux or OSX if you just know what you're doing and keep up to date with the patches.

    That's true with anything. The main problem is that Windows tends to ship insecure. Linux or OSX on the other hand requires you to turn on stuff that may go bad. Not to say that educating users is a bad thing, it most definitely is a Good Thing (TM), but that takes work. Most Linux and OSX advocates know something about the computer field, even more so for BSDs and Unix in general. It's simple really because more of those are used for server installs, not desktops. Most desktop users however are more into the "It Just Works" method of running a computer. They care that their word processor, spreadsheet, or game works. Security for others? That to them is a side issue and they won't complain until it affects their user experience.

    I lock down my users at work. Being in the military helps on that. I'd be more interested to see how many of the spam relays are corporate computers vs home users. Corporate users being a spam relay is the network admin's fault and XP SP2 won't help them much. Home users on the other hand will get better once XP SP2 comes out, as it's more on defense. Now if only we can get the home user to care enough and play ball. Somehow I get the feeling that the new security features will turn off more lazy users as paranoia when it's really a part of the live and let live policy on the internet. Especially the new firewall for those not used to a stateful firewall. We shall see soon enough though. Microsoft is leading them to water, let's hope they drink.

    SPC Gruhn
    TNOSC-K, SMB
    SysAdmin

    Keyboard Infantry since 2002