What happens when some kid with a summer internship is working in some lab, brings his laptop in, uses it to do his job, and figures out he can use the modem to go grab some mp3s on the internet?
That depends: if he hasn't signed anything, he will be fired.
If he HAS signed something, he could potentially go to jail. [ie: If the network contains information graded secret or above].
surely getting 100% of everyone using a private network to NOT link up to the net is impossible.
At least one company [ie: the one I work for] manages this: if you connect an external interface, they will know about it VERY QUICKLY, and have the ability to disable that section of the network remotely, or just call the local manager and have it rectified at that end.
Re:GOVNET would not solve all govt security proble (on GOVNET In the Works, Score: 1)
The point is they are unable to be 0wned because they are not on the internet. I can not see any reason why this would not be at least as secure as a normal corporate network. [And they can be damn secure]
Re:This is the dumbest thing I've ever heard of (on GOVNET In the Works, Score: 1)
This is our government's security expert? This is his big plan to keep government data safe?
Not only is this a secure plan, it is the ONLY secure plan. Think back to when people have been hacked in years past, and covered on /. IIRC, the response has always been: "Well, if they wanted it secure, it shouldn't have been on the internet."
The Internet is everywhere. It's so pervasive that there is zero chance you can have any isolated network. The second some low-level government flunkie at the Bureau of Railroad Employee Retirement signed onto AOL to check his e-mail, boom, there's a gateway.
Wrong, the company I work for now has X thousand desktops, and they are all isolated from the internet. We do have a web proxy, but you could turn that off, and we would be 100% 'secure'.
My thinking is that they plan to use GOVNET as an excuse to be lazy. Everything will have minimal authentication because there's no way big bad hackers can get on the network, right? Except that any PC on the network can easily become a gateway. There are plenty of examples of "private" and "secure" networks that were breached through classic hacking techniques like social engineering and wardialing.
So your argument is because all sorts of networks have vulnerable points, they should choose the one that has the MOST vulnerable points?
This is stupid. What about PPTP/VPN? Why can't they just make a virtual network that runs over the Internet like every other business is doing? The infrastructure costs are minimal because you aren't running redundant wiring. It's just as secure, in fact, it's more secure because you are going to be extra paranoid about things like password schemes and encryption levels if it has to survive some public data transfer points.
Because those sort of systems are only as secure as the encryption system that you run the data through. Do you want to bet that in 10 years terrorists won't be able to crack 3DES?
A few years ago, AOL tried to market this to companies. They called it EOL for Enterprise OnLine. Basically, for a fixed fee per user, all your employees got AOL accounts and access to a private keyword with your company's Intranet.
Except no one but Century21 ever signed up, as I suspect they got a good deal for being a test case. No one saw the point when security, done properly, is going to produce a much more versatile and cheaper result.
The reason why this failed is that:
This is not 100% secure, and corporations want SURETY.
To make an analogy, this guy is suggesting that every government office get a tin can and a string so that they can communicate securely because there's always the potential for someone to tap the phone lines.
That's potentially the worst analogy I've ever heard. Sorry. THOUSANDS of companies have intranets for security reasons, do you want banks to start using PPTP to move your money around? Why should the government be using less secure methodology than banks?
The solutions to this are simple:
i) Put in a firewall that doesn't allow direct IP connections.
ii) Fire anyone who connects a modem or other network device to the inside of the system.
This simple system works for many, many corporations, even today!
Isn't the ONLY sort of guaranteed security the physical kind?
ie: keeping my computer off the internet, and standing next to it with a loaded gun to make sure there is no unauthorised access.
I suspect that 'lost orders over the internet' would be a fraction of lost revenue.
More revenue loss comes from:
- Idle staff or staff not working on business critical activities. Say you have 100 staff and they can not work for a day. That costs the big monies.
- Failed SLAs or deliverables. If your company promised to deliver a report on widgets by 5pm, but failed, they lose credibility, and probably money out of a penalty clause.
It doesn't have to be connected to the internet to be 'hacked'. Take one elaborately crafted computer virus. [I dare say it would have to be tailor made for the system.] Pay a staff member, or sneak in yourself and 'install' it.
I don't know if it could be considered treason if it was a foreign national doing it. Although I am equating treason to betrayal by an American Citizen.
It won't be long before a $500 office printer can produce counterfeit currency that will fool anyone who doesn't have special equipment, at a per-page cost that allows US$5 to be printed en masse.
A lot of countries are switching to 'plastic money' that is much harder to counterfeit.
Well, given that it's a company that earns thousands of dollars at 2 in the morning, it's bound to have clustering or some sort of fail-over solution [including prebuilt backup servers that you can bring up at a flick of a switch].
ALL of our mission critical sites have this, [even the non-24 hour ones].
How about a power plant? Or a military system? There are plenty of 'targets' for terrorist hackers that won't have civilian casualties, but will still cause 'grave damage' to national interests.
Perhaps this law isn't so much to protect credit card information, but to protect the IS systems which the world relies on.
ie: Air Traffic Control systems, the control systems for various kinds of power plants, anything military [especially important during the coming war].
Now a lot of you may say that these things are off line and will not be 'hacked', BUT, they are just as broken if you manage to sneak into the installation with a copy of INSTAKILL-9000 on disc.
Say someone hax0rs an air traffic control system, do they deserve life imprisonment?
[I think so].
There are plenty of situations where hacking DOES deserve a life sentence. Or even a death sentence. [Say 20 or 30 planes drop out of the sky as a result.]
Well, it's built into the O/S not into the kernel. However many people don't seem to realise that you can run them in separate processes just by selecting the correct 'advanced' option.
Even when my explorer does crash, I just reload it up again. No mess, no fuss.
How much money would an advertiser pay to retrieve a database of people who flew in to Kansas City yesterday? A dollar per person? Am I to be sold for less than the slaves of 1835?
But it's not piracy because you still have the original copy of yourself! [insert more foaming about why warez is not illegal].
[insert more badly thought out arguments about how information wants to be free]
[insert comments about how if I don't really want the information I shouldn't have to pay to get it]
That's a pretty weak argument. Our network can not be 100% secure without being turned off, so let's keep it 'weaker' than we could otherwise make it.
And it's not too much of a stretch to say that the government is the largest company around. They can afford it.
More to the point, what rights do you lose by the government doing this?
Not wanting to sound redundant, but 'me too'.
As many of these hax0rs reach work age, and have to get a job, perhaps they will understand what we are talking about..
Have you had rpm hell?
rpm -i python-dev-blah
Error: Can not install python-dev-blah, you need the latest ssl libraries.
Aha! I think, I'll go and install the latest open-ssh, but I can't because:
rpm -i latest-open-ssh
Error: Installing the latest open ssh would break all of these apps. [Include Samba and about 20 more]
rpm -U latest-open-ssh
Error: Can't do this upgrade, because it would break all of that stuff up there.
Not wanting to admit defeat, I went to speak to the local linux guru [and the trusty second linux guru]. Neither of them could give me any useful advice short of 'uninstall all of those dependencies and reinstall'.
Not wanting to do this, I did a forced install of the open-ssh thinking 'Ha, they are likely to be backwards compatible.' But alas they were not, and I broke my samba install [among other things].
A few minutes of diligent panicking later, I managed to uninstall everything and reinstall the old version. [Debian is looking pretty tempting right about now.]
Alas, I still have no python installed.
I thought /. was for Linux, anyway...
Hint, the title says news for nerds, not news for linux fanatics.
Certainly it was a stupid thing to do, but by no means do you deserve to have your car stolen.
Just another kid grown up on IRC, skripting and warez I guess.
In some ways, a lot of people in this forum are as detached from reality as those who claim they need an automatic weapon to go hunting.
[have a heart attack and collapse]
That's what the law is all about.
Why not ask a hard one?