especially against bolt cutters, guns, explosives, etc. You know the things criminals use.
Especially seeing how we can easily get all of these on airplanes too.
Come on! They wouldn't even let me bring on an RJ-45 crimper in my carry-on baggage! Much like bolt cutters, guns, explosives, etc.
All this, and they don't have tab completion by default, and it sucks even if you do enable it.
XP has tab completion enabled by default and works fairly well. It is not as good as *nix, but it gets the job done. 2000 does NOT have it enabled by default and once enabled completely sucks.
Try reading The Reluctant Messenger. It is in the fiction section but has its own cult growing with it. It makes a good argument on the basis of our various religions, how they tie together, and how evolution fits into it all. Every time these damn evolution vs. ID threads come into place I wish everyone would just shut up and read the book. I'm not trying to say anything, but this book really gets you thinking.
If you're asking about this (publicly - on slashdot!), then you shouldn't be in charge of this!
I beg to differ. I do not see any problem discussing the problems and pros vs cons in building a secure computer. The closest I have to an ISSO is our FSO and he/she has not had any experience with setting up secure machines. He/she contacted DoD and they sent us outdated material. We are currently waiting for the correct documentation. What I have gone over I do not have a problem with, but as it is my first setup I wanted to know what to expect. Discussing non secure and non classified information anonymously in the public not only helps others who want to secure their computer to DoD standards but also does not compromise OPSEC. Thanks for your opinion though. We'll probably go with a vendor for convenience and experience and your post helped influence that decision. Thanks.
This guy is a bonehead asking for advice on /. "Dear /., I want to make a secure boxen to do top secret security stuff on. How do I do it?" How about "don't tell the world you're setting up a secure box, and don't take advice from strangers. Talk to the DoD yourself!"
Well, I bet you're fun at parties.
I can make my own secure box. I have the documentation. That is not the problem. The problem is that the documents are so minimal to the requirements that we can not have an open mind on building it. I'm asking /. the pros and cons of vendors vs. building it yourself. I'm asking /. what unexpected challenges they may have come across in setting up the machine. I'm not asking for secure information. I'm asking questions that the computer-illiterate DoD person can't answer. Can you do that? Or are you too high on your horse to admit you don't know? If anything else may I recommend you try not to talk trash in situations in which you assume?
Our FSO is not very experienced with secure computers and definitely not an IT person. I posted this on /. for a more technical viewpoint. I have the information to secure a computer and call in an auditor to certify it. OPSEC is not being violated here. All information being discussed is public knowledge and you don't know who I am or who or which company I may work for. I'm just asking a what-if. Heck, I could even be a high school student researching this for an English paper or wanting to know how to do it if I choose to go into a classified IT job. In all reality, I just want to know the pros and cons of going through a vendor as opposed to building it yourself and what steps can be taken to go beyond the minimal requirements.
Blah blah blah troll troll troll. My writing was to a nonsense forum in a nonbusiness environment in a situation I did not expect to get posted. I don't care what you think of my writing when I'm writing in a relaxed, personal environment. Documents I write on business time show a much higher level of thought and education. I couldn't care less here on Slashdot.
Links! That's what I really needed. Our building and company is already certified, we're just adding computers to the list now. What I was really trying to get at in my question was, what should I expect and what are the pros and cons of purchasing the computer from a vendor and building itself.
Yeah, we're way past that. I'm really more looking for insight on what unexpected I should expect. What steps should I take to go beyond the minimal requirements. The pros and cons of having a vendor do it as opposed to building the machine yourself. Our FSO knows the minimal requirements to secure a computer but he/she is not IT nor can look at this with an open mind. I'm wanting to have this certified for what we need it now with the most flexibility for future growth.
If you have to set up a secured computer and your Facility Security Officer can't direct you how (roughly), then there's no way you'll get classified information on the system. It's not like you can set up a computer and all of a sudden the government will trust you to put secure information on it. You need to have a written, approved procedure for doing so. Your DIS rep has to authorize you to put stuff on the system.
That we have. What I really want to know is what unexpected I should expect. The pros and cons with going through vendors as opposed to building the machine yourself. What extra steps did you take to go beyond the minimal requirements?
Because there are very specific and well-documented protocols for procuring and securing a computer to deal with "secret" level material. Consulting with Slashdot is not one of those methods.
And that I have and can do with ease. What I want to know is what unexpected should I expect? Pros and cons with vendors as opposed to building it yourself. Nothing that would compromise OPSEC.
Slashdot geeks have NO idea what you're talking about when it comes to DoD red-tape.
Then by all means share some of your insight. The point of the question was not to discuss classified information or to disclose information that will compromise your system, but to share your insight on problems you may have had with vendors or what you may have done to go beyond the minimum requirements. Building the dang thing is a no brainer, what I want to know is what unexpected should I expect?
And that is why I am a sysadmin and not an English teacher. That and I didn't proofread. I submitted the question with two other articles and didn't expect any of them to go through. Besides, it's Slashdot, not my grammar/spelling teacher. My documents by far show a much higher level of thought and education.
But anyway, other posters are right: either he can't do it because he doesn't have those specs, or he has the specs, and then it is simply a matter of following these. So either way, why the hell is he asking /.?
I have the specs and can follow them. However, the specs are very minimum in details. I'm asking /. not for a "how to" but for "your experience". I'm curious to know of any problems you may have had, if there are any more steps I should take that are not required in the documentation, any unique setups you may have done, etc. It's not a matter of being ill prepared, but going the extra step and being ready for the unexpected.
Well, we would have it set up so all classified information would be on a hard drive locked away. Any unclassified information would be on its own hard drive with its own operating system. The only thing the two would have in common would be RAM, CPU, etc. But I do agree with you. While it could be feasible with it behind locked doors while classified and in a public place while unclassified, it leaves too much room for error. That and it wouldn't look good.
Good luck. Because if you're asking here, you'll need it. :)
Ha. I'm asking here to hear a unique POV. From the trolls to the pros. From the "use SeLinux and not windowz" to "see DoD". I can meet the standards requested without a problem whether through a vendor or self-built, I'm just here for perhaps a little more insight or ideas of well tested methods. We can already create a machine that will have a removable hard drive and meet the standards, but I wanted to hear if anyone had any unique way of installing Windows or any other bit of advice. I don't see how I violated OPSEC as it is just really discussion of public knowledge. You can't tie me to which company I may be working for or if I just threw this question out for the hell of it. Nothing of how or which company this is for or even for what customer. You could get more information from press releases.
All you need to have is a removable hard drive. When the computer is to be secured, the hard drive must be removed and placed into a safe rated for Secret information.
That's what I keep reading pretty much. Stickers to show tampering on case and a very detailed audit log seem to be the only other addition to the requirements to have a computer rated for classified information.
First of all, soliciting advice on the construction of a computer that meets DoD compliance on Slashdot, of all places, is probably not the brightest of ideas...you might want to keep this from your employers if you are interested in keeping your job.
I don't see a problem with it. Information on how to classify a computer is not classified.
Second, security stickers on their own simply aren't adequate to the task at hand. Remember, you're looking for tamper-proof, not merely tamper-evident.
The stickers are DoD required to prove that the system has not been tampered with. They are not a means of securing the computer.
My suggestion would be to disable floppy as well as USB, and only allow transmission of information to and from this system via CD. USB is right out
We weren't going to add a floppy drive not only for security, but because of how outdated and unused it is here. CDs and printing are going to be the most common methods of transmitting the data. USB is still thrown up in the air. I'm very uncomfortable with it but our client uses it quite often to transfer data. I'm sure the line on that is somewhere though not in the documentation I've been given.
only allow data to be transferred to and from a protected 'sandbox' area on the system, and make certain that autorun of CD-ROMs is disabled in the registry. One more thing: keep the system in a locked room, and personally supervise, if not actually conduct, all data transfers.
Considering licensing is per computer, not install, each secure project will have its own hard drive with Windows and all other required applications installed with it. No need to worry about unauthorized users having access to any cached data. Also, considering the only information going to be rated classified is what is on the hard drive, we're trying to see if we can use the machine in a nonclassified environment as well and only secure it for classified data when needed. That is a question I'm leaving for DoD though. I seriously doubt we'll be able to do it without having it audited and certified each time. However, when being used for classified data it will always be in a locked room designed to hold secret data.
"...I put on women's clothing, and hang around in bars..."
How did you recover encrypted NTFS files?
And if you notice, it is just an April Fools joke.
Just try to purchase it.
What?
Don't know why you were modded troll. There is a lot of insight to your post.
Thanks, your post was one of the few good ones.
Come to think of it, I'm pretty sure it's illegal for you to even disclose the fact that you're building computers for a classified project...
It is not.
Thanks