Slashdot Mirror


User: jofny

jofny's activity in the archive.

Stories: 0
Comments: 187

Comments · 187

  1. Re:Pretty old news on SCADA Systems a Target for Hackers? · · Score: 1

    That's not particularly more challenging than any other network attack. Yes, you have to have some basic idea of how the system works to break in...whatever the system is. But doing damage can consist of something as simple as causing rotors to repeatedly and rapidly change directions till the system overheats and catches fire (yes, I've seen video of this being done intentionally)

  2. Pretty old news on SCADA Systems a Target for Hackers? · · Score: 1

    Yes, SCADA systems are vulnerable to attack. Yes, they use old technology and rely on obscurity to keep them safe. Yes, they're - to a large extent - hooked up in various fashions to the internet. Yes, you can cause big machines to do bad things this way that cause them to screw themselves up physically or hurt people nearby. The more interesting question here is why no one has seen (or at least admitted to have seen) an actual attack.

  3. Re:Huh on Fox Hacks Fark · · Score: 1

    IP doesn't equal personal identity, but the article states and implies other behavioral evidence that seem to lend weight to that correlation in this case.

  4. Re:I'm still not understanding that. on DHS Plans Changes in Air Passenger Screening · · Score: 1

    Completely agree here...and I think it's actually more specific than that. The "terrorists" want to provoke a large, over-the-top US reaction in the middle east and provide a unifying enemy for their own people so that they can topple the secular/corrupt governments there...resulting in states with power vacuums...and allowing them to create virtual states of their own (though not bound by borders or holding down land). And, since they're not really interested in holding the territory, the US can't effectively combat them with an army anyway. The best and only response is to de-escalate the situation and make friends with the people they're trying to unite against us

  5. Re:I'm still not understanding that. on DHS Plans Changes in Air Passenger Screening · · Score: 1

    Yeah, I largely agree with Schneier's position (in general and in that article in particular). The only exception with it I have is with this statement:

    "The TSA wants to be sure that if there's another airplane terrorist attack, it's not held responsible for letting it slip through."

    I believe they're forever looking backwards, but the reasoning isn't as much to prevent themselves from being held responsible as it is to comply with direct, specific requests from Congress in combination with the facts that large bureaucracies have a hard time thinking creatively about risk avoidance (to do something "new" and "unknown" is traditionally viewed as a fairly large risk in and of itself) and there just aren't enough people who understand security floating around the upper echelons of government organizations.

  6. Re:I'm still not understanding that. on DHS Plans Changes in Air Passenger Screening · · Score: 2, Insightful

    Sigh. I know saying simplistic, emotionally charged things like that feels good, but really - do you believe that's the intent? Look at the country you live in and how it works in -every other situation- and apply that, instead of the paranoia.

    Basically, congress (and through its actions, TSA and DHS) need to look like they're being strong and "doing something" about a threat amped up by the 24/7 media's need to have high impact news to generate revenue. People are -already- so paranoid and scared because of the reporting that if congress (TSA/DHS) did -not- "do something", there would be political hell to pay (their competition for their seats/jobs would shove down the average citizen's throat how they're putting passengers at risk by not doing anything).

    The problem is that the idea of using the same attack vector twice is somewhat silly and that there are no easy answers even if it wasn't. So, what does the US government do (and DHS/TSA)? They do the same thing the American people always let them get away with (because we derive our reality from TV and Hollywood) - they put in feel-good, highly visible measures regardless of whether or not they're effective.

    Now, Patriot Act, DHS stupidity, etc. may very well end up leading us into a Fascist or -insert your eee-vuhl government apparatus of choice here- state, but it's certainly not through some dark conspiracy of intent to do so.

    Rather, we'll get there through the slow unintentional meandering of a government perfectly happy to cater to a public who's more interested in being placated than served in the interest of getting re-elected.

  7. Re:"...not much media notice" on Executive Order Overturns US Fifth Amendment · · Score: 1

    Uh. Mostly because she's not sitting in a cube right now like me. Some days, I think I'd prefer jail to this ;)

  8. Re:"...not much media notice" on Executive Order Overturns US Fifth Amendment · · Score: 1

    My. That was poorly edited. Sorry about that. Rushing too much today :)

  9. Re:"...not much media notice" on Executive Order Overturns US Fifth Amendment · · Score: 2, Interesting

    The horrible thing is that you're wrong. Corporate interests do NOT control the government or the media. The government, the media, and large financial interests, and most of the US population is completely -complicit- in what goes on here. That's what keeps me up at night. Even though they CAN change things (if they couldn't, then they would be 'controlled'), everyone is actually largely uninterested in doing things differently.

  10. Re:"...not much media notice" on Executive Order Overturns US Fifth Amendment · · Score: 4, Informative

    It's amazing how often this comes up. The media is -not- controlled by the government. It doesn't have to be. All the US media is right now is a platform for whomever seems to know what they're talking about to speak with the world unchallenged. We don't have a muzzled media, we just have an ignorant 24/7-entertainment-economy driven one. That means, without external control, it happens to coincidentally serve the interests of mobs, governments, and people wishing to dish out misinformation unchallenged (in any serious manner). Who gets to get on the soapbox?

    - Wealthy People
    - Powerful People
    - Pretty People (i.e., your old high school popular-kids clique)

  11. Re:Seems like a clean arrest on Arrest Under New NY Anti-Piracy Law · · Score: 1

    can't really of any valid reasons for bringing in video recording equipment into a cinema

    Having brought relatively high quality video equipment into a theater with me recently, I can tell you: How about if you're fairly far from home on a trip, were video taping a family event, and everyone wants to go see a movie? Sorry, no, I have a camera in my pocket.

    That's just dumb.

  12. Re:Sorry, there is no god. on Intelligent Design Ruled "Not Science" · · Score: 1

    total lack of evidence for the existence of something, despite 10,000 years of continual searching, is pretty good evidence that the thing does not exist.

    That's disingenuous. There are plenty of things humanity has recently discovered that certainly weren't possible to observe until today. Your argument precludes any future discoveries of anything that people have been looking for for awhile. While a good indicator, it's far from a sure indicator.

    A theory that includes a creator needs to explain both the existence and formation of the universe AND the existence and formation of a creator prior to the formation of the universe.

    So it's an extra layer of "no evidence"...is that completelackofevidence++? If you've hit zero, you've hit zero....there are layers that have to be explained with all the other "scientific" origins speculation that goes on...not just with the idea of god.

    Religion: You're not incompatible with science, stop bitching and moaning
    Science: You literally have nothing to say on the subject of god...you have no evidence for or against and you can work in either scenario with zero changes. Stop being (ironically) holier than thou

  13. Re:And in other news....... on Intelligent Design Ruled "Not Science" · · Score: 1

    Huh? Our -government-'s stupidity??? Only -15%- of Americans (http://www.cbsnews.com/stories/2005/10/22/opinion/polls/main965223.shtml) believe evolution happened and God was not involved. Given the fact that our education system is driven -locally-, not federally, I fail to see what our government has to do with anything here. People need to stop blaming a representative government on their own cultural, social, and educational failures. It's not the cause, it's just a reflection.

  14. Re:Sorry, there is no god. on Intelligent Design Ruled "Not Science" · · Score: 2, Insightful

    he only exists in your mind

    I'm assuming that such an objective, clear-headed individual such as yourself has some empirical evidence of that?

    The reason I ask is because (and I speak as one of those unwashed masses I think your post was aimed at), all of the scientific theories I've heard for the origins of the universe sound just about as implausible as the idea that a god of some sort created everything. My uneducated understanding here is that those scientific theories tend to work (sort of) mathematically, but there's not a whole lot of concrete evidence in support of any in particular.
    Likewise, in my limited experience here (less than 3 decades), it has seemed to me that people will pretty much use anything to keep them in line - material or imaginary - but that a combination of guns and an economic stake in your way of existing seem to work far better for keeping people in line than religion does.
    I haven't seen any evidence of god that I can't explain with math or science, but I certainly haven't seen any math or science that preclude the idea....but...since you're so sure of yourself...maybe you have some? It would certainly help me settle a couple of bets with my other uneducated friends.

  15. Re:How Is This News For Nerds?? on Citizen Journalism Combating Chinese Censorship · · Score: 1

    This doesn't warrant a response, but at the risk of responding to a troll, I will anyway because it's important (and scary that someone might not be able to put this together themselves): Poster, "tech" comes from free scientific discourse. Censorship mutes discourse - both directly and indirectly. In the first case, as in the US, you find a government explicitly muting discourse on a particular scientific subject (stem cells and global warming). In the case of the article in question, there is no specific censorship of a technology subject, but there is a systemic attempt by a government to mute all discourse other than what is deemed acceptable. With that kind of muting, technological development stalls (or stays stalled). Given that China has the largest tech (or any other) market and given what kind of tech China COULD produce if they were allowed to speak freely, I'd say censorship is directly related to Slashdot even with the slimmest of "news for nerds" definitions. (All this aside from the fact that it's technology they're using to censor, technology they're using to spread the news, etc).

  16. Re:800 is a lot compared to who? on 800 Break-ins at Dept. of Homeland Security · · Score: 1

    Wrt patches, AV, etc: Just to cite a specific example, I've found machines on (unclassed) networks which have had multi-MONTH long uninterrupted tcp-sessions transmitting data to countries they had -no- business connecting to for any reason whatsoever...on networks that employed regular patching, had up to date av (or so they thought), etc. It's just (as you point out later) the nature of the job - things happen and you do the best you can...which might potentially mean 800 security issues if you have a multi-domain hodgepodge of networks with seriously blurry boundaries.

    Wrt: "Surely, an agency...should be able to better secure the data that they are responsible for"

    The article never established that they hadn't done that, merely that the unclassed network had a number of incidents with undefined effects.

    Given our government's proven serious addiction to over-classifying and restricting data (which I disagree with, I think relying on secrets is a crutch only to be used when nec.), it's a safe assumption that most of the real information was elsewhere than where these breaches occurred. Of course, I don't think -those- networks are protected to the level they should be, but we don't know that either for sure...certainly not from today's info :)

    (thanks for the convo, tho, I didn't mean for this thread to go on so long! :) )

  17. Re:800 is a lot compared to who? on 800 Break-ins at Dept. of Homeland Security · · Score: 1

    First, it seriously sounds like you've never done security in anything resembling an enterprise environment (and no, I'm not talking about "Networks have to use windows or MS"). I'll use a govt specific example just so you realize I'm not flaming: Once you "snoop" something like web traffic, if it contains Personally Identifiable Information, you are - in a fed environment - required to protect that information. Web traffic often DOES contain PII, and thus snooping it generates additional security requirements which could add to the cost and effort required to secure a connection which may or may not otherwise have sensitive information traversing it. Given that all protection systems only have n-resources (value of n being irrelevant except that it's not unlimited), if you snoop -everything-, then you are vastly increasing the data you must review using those n-resources and reducing their effectiveness at the same time whereas you could have just left that un-looked at and put your eyes elsewhere on more important data and systems.

    When you say things like " If you use a more custom OS, then nobody external can write software for it", you're flat wrong. People write and use attacks for custom code all the time. If everyone in every organization used custom code it would reduce the overall threat level, but in a targeted situation where you're trying to gain entry into one network, there's just a longer time impact to gaining entry to the systems, but an infinitely successful wall.

    Also, writing and configuring custom applications, while more secure on an individual basis, is not a core competency of many (most) organizations. So, you have to create a repeatable process (internal or outsourced) to guarantee secure code each and every release of each and every system (think of the scope of the DHS subentities) produced that also does not raise the cost of the systems to levels which are not realistically fundable without either sacrificing the core mission of the system or requiring congress to raise your taxes to levels you, as a citizen, are less interested in bearing than some potential security hole.

    Second, it sounds like you know very little about the basic things fed agencies are on the hook to do (and execute on) - many (although not all) of which surpass your somewhat introductory lesson on system security

    Third, each of the alternate vendors you described have -more than enough- security holes in them to allow people as much free rein as MS projects do. Maybe not as many, but plenty.

    Fourth, and ***most importantly*** you can do all of the things you describe and still have data stolen, corrupted, or access denied whether through social engineering, custom application security holes, lost physical hardware, or unpublished and unpatched vulnerabilities, or misconfiguration (through mistake or ignorance).

  18. Re:800 is a lot compared to who? on 800 Break-ins at Dept. of Homeland Security · · Score: 1

    Sure, and I happen to agree with you - but I also have information based on things other than the article we were discussing. A few comments:

    1. I actually think the computers I referenced constitute internal computers. As does every machine at every Border patrol facility in the entire US...etc. Those really are internal machines. The primary DHS assets are (mostly) just a bunch of paper pushers in the old GSA building in DC 'managing' all of the other preexisting entities which now fall under them. So all of these other machines can be "Customs" laptops and still be internal DHS laptops.

    2. As said a couple of times now (and this really is my primary point), the question is whether or not an organization the size of DHS -can-, in optimal circumstances without interfering with their business requirements, prevent this sort of thing from happening, and the answer is a solid "no, they can't, it's impossible".

    3. The GAO reviews information based on FISMA/C&A efforts - neither of which is known to be very focused on actually securing systems, merely making them process/policy compliant (not that that's bad, just that there's not always a solid connection between 'secure' and 'compliant').

    Again, it's perfectly possible that DHS is completely riddled with every hacker east of the Atlantic and West of the Pacific, but TFA really doesn't indicate that one way or another and, from my experience (government, large private sector), 800 security incidents sounds fairly small at best and, at worst, well within the level of acceptable risk identified by every other unclassed network. (If we were talking classed networks, this would be a different conversation). At those levels, I'd tend to blame the issues on a failed security industry, not programmatic DHS failures.

  19. Re:Salient FACTS on 800 Break-ins at Dept. of Homeland Security · · Score: 1

    This is true, but once you get that many layers out from the data in question, there are many equally plausible (or implausible, as the case may be) ways of getting to the sensitive information including people taking things home, direct social engineering completely bypassing the nonclassed networks, etc...in which case this thread doesn't have anything new to say.

  20. Re:800 is a lot compared to who? on 800 Break-ins at Dept. of Homeland Security · · Score: 1

    1a. We don't know that there were any serious security breaches at all. We just know there were breaches. Why don't we know if they were serious? As previously stated, we don't know what data they had access to, what the machines were used for, or how much access the breaches provided in general. Most of them very well could have been default-home-page resetters - common and far from serious.


    1b. DHS includes, among many other things, -every single computer at every airport, even if that machine is just used for contracted plumbers to sign in for the day-. The article provides zero insight into what machines were affected

    2. The issue I was bringing up, other than not being able to come up with a value judgement, was that even if you use the best practices and technology available in the security industry, you will still be broken into. Therefore, to complain about DHS's lack of capability is patently unfair and disingenuous. Yes, in theory the whole world should be perfectly secure. The question the article (and most of Slashdot so far) has not asked is: Is that possible and, if not, how close did they come by way of comparison?

    3. Banks are broken into constantly. They don't tell you this for exactly the reasons you mention. So, say thanks to the legislation requiring federal agencies to report this kind of information on unclassed networks publicly.

  21. Re:One thing is for sure. on 800 Break-ins at Dept. of Homeland Security · · Score: 4, Insightful

    And lo! Slashdot accidentally discovers the reason for the lucrative concept of "government contracting". Of course the government can't compete with pay - they also can't hire or fire in any reasonable manner, so most of the staff consists of long term contractors...which partially negates the "blame X on government employee salaries" habit in a lot of these conversations.

  22. Re:Salient FACTS on 800 Break-ins at Dept. of Homeland Security · · Score: 1

    Actually, no. One of his specific (and accurate) points was that these were -not- sensitive networks that were involved. The attack data from -those- networks - the ones where data is actually of significance - are not findings you'll read in a news article like this because they are, well, "sensitive" (read: classified).

  23. Re:Out of Context on 800 Break-ins at Dept. of Homeland Security · · Score: 2, Insightful

    Considering the fact that there IS monitoring going on, I'd say the 800 figure is probably much closer to the "truth" than a lot of other organizations' numbers who DON'T monitor. Exchange often attributed to an anonymous officer at DoD: "My systems have never been broken into!" "How do you know, have you looked?" -Silence-

  24. 800 is a lot compared to who? on 800 Break-ins at Dept. of Homeland Security · · Score: 5, Insightful

    Point 1: Considering the complete inability of standard technical solutions to security problems to prevent a significant number of attacks/infections from being successful, this is not like the mechanic's car getting fixed last. It's called "the security industry and standard methodologies continue their long history of consistent failure at organizations, both public and private"

    Point 2: Those numbers are a completely meaningless abstraction without tying them back to type of attack, actual damage, importance of the data on those systems or their roles in launching further attacks, what kind of infections occurred and their damage potential, and finally what those numbers look like compared to other orgs of the same size.

    Point 3: Homeland Security is comprised of multiple mostly-independent sub orgs (like Coast Guard, TSA, etc)....so..saying DHS had so many attacks is misleading without clarification

    Point 4: Not saying they're not making mistakes, just that those "facts" don't tell you either way what the actual state of things is.

  25. Voice cuts communication bandwidth on Voice Chat Can Really Kill the Mood · · Score: 1

    ...With voice, gone are the days where you're having 5 or 6 simultaneous private conversations with various people at once. As sneaky and underhanded as its uses CAN be, the fact that you can be having a group conversation while IMing someone else privately in the group at the same time is incredibly (and legitimately) useful. It's MUCH harder to typechat while voicechatting at the same time...