Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Information Security On An Olympic Scale 160

jeffy124 writes: "Wired is running a story about the man in charge of securing the computer systems at the Salt Lake City Olympic Games next February. Matt McClung discusses how he's withstanding an 'overhype' in the media on the possibility getting his systems cracked and what he's doing to prevent it in the first place. With 4500 PCs and 550 servers, that shall be a daunting task, especially given the reliability problems at the '96 Atlanta games."
This discussion has been archived. No new comments can be posted.

Information Security On An Olympic Scale

Comments Filter:
  • by Anonymous Coward
    Seems rather high. Is this Microsoft at work?
  • by gmhowell ( 26755 ) <gmhowell@gmail.com> on Tuesday December 04, 2001 @04:45PM (#2655686) Homepage Journal
    McClung said the Salt Lake City Olympic computer system, comprised of 4,500 PCs and 550 servers, is the most complex network he's ever seen.


    Urmmm... I work in a small company (50 employees) so I've never seen really big networks. But somehow, 2000 computers doesn't seem like that compares in any way to various military and Fortune 500 networks. By an order or two of magnitude.

    So, is somebody who has never seen (let alone worked with) this many machines the right guy for the job? Sounds like he is in over his head a bit.

    (Now, if this IS an incredibly huge/large network, please bitchslap me)
    • by Anonymous Coward
      First, 4500 + 550 != 2000, it equals 5050. As to your main point, I think you're right- big networks are on the scale of 50,000 PCs, not 5000. Still, 5000 is quite a few, and not something to sneer at. IIRC, Google uses somewhere around that number.
    • ...Don't use Winblows, use OpenBSD. All your security worries will just vanish into the night. :D
      • Don't use Winblows, use OpenBSD. All your security worries will just vanish into the night. :D

        Not true. While OpenBSD is infinitely more secure than windows, thats only a small portion of the problem. You've got to train people to use decent passwords, audit the data so that you can tell exactly where the info is coming from, and design a contingency plan so that if someone does get through, the damage done is minimal. OBSD may be a better foundation, but it's far from being a magic bullet. Much of OpenBSDs security comes from the fact that the admins start with a sense of paranoia; it's very possible to have the same security level with other OSes, its just you've got to know what you're doing.

    • ...only that it was the most complex network he'd ever seen.

      Personally, I can think of some rather complex topologies for even a twelve-computer network, even ignoring multi-homing possibilities. Depending on how the network structure is designed, as well as how many other networkable devices are involved and how they are connected (I'd assume a rather large contingent of wireless devices as well), this network might well be more complex than anything you or I have seen or even visualized.
      • I work in a small company (50 employees) so I've never seen really big networks. But somehow, 2000 computers doesn't seem like [that many]

      5000+, not 2000. But 50 is an interesting number. It's approaching the limit of systems that one guy can set up and physically keep track of.

      Once you're over that number, you're delegating and trusting your minions and (heh heh) your users not to screw it up. The best initial setup in the world won't help if Vinny Volunteer decides to start screwing with it. If I was setting this up (god forbid), I'd be looking to install absolutely minimal systems with no floppy (or locked floppy), no CD-ROM and perhaps even (gasp) diskless workstations that boot from the network.

      If I was really freaked about security, I might even take a leaf out of Microsoft's book and ponder security through obscurity. Windows - no thanks. Every Joe Backoffice thinks he knows how to fiddle with that. Linux would be better, but Linux users tend to be tinkerers, and they might have a stab at BSD as well. MacOS - god knows if you can lock that down. Strange thought, but how about OS/2? Or even something wierder like VMS? Runs on a toaster, solid as a rock, you'd need nuts the size of Nebraska to try fiddling with it.

      • We've actually got two people (myself and another) doing the computer stuff here. Both of us know not to touch stuff we are clueless about. It works fairly well, except that sometimes a user has a problem, and the first person to get the call has to get the other to fix it. But, with only 50, it's not too bad.

        Given that this is a fairly short term thing (the computer setup for the olympics) I must say that adding security through obscurity as another layer is probably a good idea. In no way should anyone count on it, but it can't hurt. What would really help would be to document everything for release later, so that it can be reviewed prior to 2004.
        • Trouble is, that if it works, then people might use the system in future Olympics.

          Which would make the security by obscurity feature completely useless, as it won't be obscure any more (people intent on doing things will be able to get hold of more info over four years).

          Except people will continue touting that success (if there was any) as a reason to use the system again, ignoring one of the reasons it worked in the first place (assuming it did).

          Just a thought :-)

        • Maybe this IS security through obscurity. Maybe the article is just a front for what will actually be running on the servers. "Let's tell them we'll be running W2K and have all of the service fingerprints report as though we actually where, but then install xxxxxxx"

          It could be. ;)

          .
      • Just FYI, Mac OS X is about as easy/difficult to lock down as FreeBSD. Give or take NetInfo. And netbooting makes it easy to dodge Vinny Volunteer's efforts. All of a sudden, the iMac makes so much more sense - no floppy drive, you can keep the OS on a locked down server...

        itachi
    • by Anonymous Coward
      This is typical of the way things work in Utah.

      He's only in that position because:

      1. He's related to the person that hires for that position.
      2. He's Mormon.
      3. He's a Mormon "returned missionary."
      4. His parents called and asked for him to get the job. (Yes, it does happen in Utah...all the time.)
    • In addition to what has been said about size of the network vs. complexity here;

      Would the fact that English may not the only language used by the users add to the complexity?
    • But somehow, 2000 computers doesn't seem like that compares in any way to various military and Fortune 500 networks.

      Or, for the more obvious - the college network. Just the dorms at a big school exceed 2000 computers, let alone labs, offices...

      I have a feeling that quote that will haunt McClung forever, sort of like the 640k one for Billy Boy.
  • Not that hard... (Score:5, Interesting)

    by RollingThunder ( 88952 ) on Tuesday December 04, 2001 @04:46PM (#2655689)
    just don't hook one single system up to the Internet. Establish a private network (not VPN - actually private) for the entire thing.

    Use dedicated hosting boxes, with ALL DYNAMIC FUNCTIONS OFF, that run NOTHING but the http server on the public interface. The secure FTP server runs on a dialup connection that only connects to the private network, with hardware authentication of the modems to each other.

    Choose a bare-bones http server, with no bells and whistles. Both IIS and Apache are out. Maybe thttpd? Not familiar enough with it, to be honest.

    Yes, you're going to have to work around not having dynamic portions or ubiquitous connectivity, but you're having to choose, flexibility or security.

    Would this make for an enjoyable online olympics? Probably not, but that wasn't really what the story addressed. :)
    • by gmhowell ( 26755 )
      There is no reason not to serve basic layouts (menubars, graphics, etc.) from thttpd, khttpd, or some of that sort. Let the 'content' be in the form of single stories placed within the framework. Run/served from a different machine.

      I mean, this is hardly rocket science, and it certainly isn't grounbreaking. It's merely applying existing tech and solutions.
    • Choose a bare-bones http server, with no bells and whistles. Both IIS and Apache are out. Maybe thttpd?

      publicfile [cr.yp.to] is a good choice for both http and ftp.
    • Choose a bare-bones http server, with no bells and whistles. Both IIS and Apache are out. Maybe thttpd? Not familiar enough with it, to be honest.

      I see no reason not to use Apache, as long as it is properly configured. Using thttpd would work too, but you wouldn't be able to do as much IMHO.

    • I think the point of view that you're looking at this from is incorrect. You need to assess the risks of what happens when someone finds an open switch port and plugs their laptop into it -- in addition to worrying about remote DOS or intrusions via the internet.
      • Very good point there, and I feel like a schmuck for forgetting that. :)

        I know that cisco switches can be configured in a very paranoid setup, so that if the mac address changes, it locks the port. That's one method to attack the problem, but ye gods, the manpower that'd take....
    • these are the Olympic websites, which implies that there will be many live video feeds and even more saved clips. your "proposed solution" is very simplistic, failing to take into account the enormous bandwidth requirements (the condition which separates this network from any other generic Big Net).

      for something like this, you need to think about multihoming (Akamai-style), server location, special hosting... sorry, can't just set up a few Linux servers in the phone room and call it quits.
    • just don't hook one single system up to the Internet. Establish a private network (not VPN - actually private) for the entire thing.

      I realize you were being somewhat tongue-in-cheek, but what about internal security? All it takes is for someone to tap into the network at any one of thousands of potential points, or to insert a virus-infected floppy into one of the 5000 nodes, and they score. And if they use wireless anywhere at all, it's open season.

      You can't have physical security *everywhere* on the network, because presumably it stretches across a large open area. If someone wants to tap in bad enough, they will. There has to be significant internal security so that soft chewy center becomes hard-boiled, making it harder for intruders to break through from the inside.

      I agree with you on most of the other stuff tho.
    • also regarding IPing that network. Use DHCP - but map a specific addy to each MAC of each machine. Then if for somereason a MAC comes online that is not in the table - blacklist it.

      dedicate 25 or more of those 550 servers to traffic logging (actually prolly more like 150) and dump all logs to line printers.

      Im sure carnivore and eschelon will be in full effect during this. So stay off the phone. Learn to speak gibberish.
  • by Anonymous Coward
    This can't be right...

    1337 h4x0r5 5cH001 r0x0r5

    (Must be an Eastern Europe immigrant...)
  • by CokeBear ( 16811 ) on Tuesday December 04, 2001 @04:51PM (#2655727) Journal
    Olympic Security in Atlanta was a joke.
    I was a relatively low level voluteer, assigned to a specific area at a single venue. My badge said as much in codes that every security person was supposed to know.

    I was able to access behind the scenes areas, chat with athletes and celebrities, watch events at other venues, all without a single question from a security person. (Most of them were volunteers too). Even when I was out of my uniform, all I had to do was flash my badge and I was never denied access to even the most sensitive areas. Part of it has to do with attitude of course. If you act like you belong, they assume you do, and I consider myself a Master of Social Engineering, but even then, I should have at least been questioned when I walked into the athletes change area. (There were none there).

    I'm pretty sure that Salt Lake City will be more secure, if only because of all the money being poured into it now. But what they need to realize is no matter how many $B you spend on security, you still need people with the balls to say "I'm sorry sir, your badge doesn't allow you in this area" and to stick to it.

  • The man in charge of the security? Is it just me or does this seem like they are setting up a fall guy for the inevitable failure of their network security... Give the guys name out well in advance so we have someone to blame when everything gets hacked...

    Pretty smart...
  • Sounds like they have a good site set-up for the Cracker Olympics. If they don't secure those well, they might have the Cracker Olympics held there as well. :)
  • Gobs of servers? (Score:3, Interesting)

    by Anonymous Coward on Tuesday December 04, 2001 @04:56PM (#2655770)
    I never really understood the need for hundreds of servers for a task like this, especially for the public website. There is no need for true dynamic content when they can come 99.9% as close with static content on a small farm of servers that's continually updated (say, on a 5 minute interval) by one or two dynamic "feeder" servers. Granted, they'll want one or two backup machines for every production machine, but that's far from a server farm warehouse. Sounds to me like a large scale "because we can" project moreso than a conservative project.
    • this is because almost all 'webmasters' are clueless sots.
      theres nothing like throwing 10 dollars at a 1 dollar solution, sheesh.
    • I was wondering why they had listed such a huge number. I am guessing that Microsft has massive involvement in the games. This means a lot of different computers doing jobs. Like the parent post says, I bet they could eliminate net access for all the inside machines and KISS by only have the scores and stats updated every 5 min or so. Another poster linked to netcraft, and that is some scary stats. IIS yeash. I am just waiting for this to come crashing down. If that does happen, may be _finally_ the average Joe Six Pack of US and other nations will get a clue about MS's crappy software.

      robi
    • Who reads the results on the weeb dynamically anyway? Isn't that what the tele is for?
    • Perhaps, but the Olympics is somewhat unique in that the most recent websites have strived to over real time content. IE. you can find out the times or a marathon, swim contest, or what have you. I don't know how much this takes, but certainly 5 minute updates isn't what this is about.
  • IT security is all fine and dandy for scoring and such, but what about real-world things? I can recall that in Atlanta, the very few busses actually ran at the end of the games (the rest broke down from overuse). Also, things like logistics, feeding people, etc, that were poorly orgainized and often failed. Imagine all the problems they'll be having with things other then IT!
  • by Lumpish Scholar ( 17107 ) on Tuesday December 04, 2001 @04:58PM (#2655779) Homepage Journal
    ... because they wanted to control it all, including everything on the Olympics.com Web site.

    http://www.forbes.com/2000/08/23/feat.html [forbes.com]
    • I worked at the 2000 olympics. From what I understand, all the sponsors give their services and all they get in return are signage rights and hopefully enough publicity to generate enough increase in sales to make up the money.

      It's amazing that so many companies compete to give their time and money away for coverage like this.
      • It's not amazing when you figure in all the free, hard-to-get-into event tickets, lodging and other on-site goodies the senior execs that donate stuff get in return, in addition to signage.

        Remember that whenever there's a corporate giveaway there's somebody getting a blowjob for it. It doesn't happen on hopes of increased sales.
  • by Swannie ( 221489 ) on Tuesday December 04, 2001 @04:58PM (#2655780) Homepage
    Hmm... with a little hacking, and I could be the first person in my family to win a gold medal for figure skating.

    Swannie
  • Atlanta has issues all of the place due to the city government. Anything they touch is just f*cked up all over the place! Well, they touched the olympics and the olympic computer systems back in '96, and well you saw the results. Just be glad you don't have to live with said government. :-)
  • Remember Atlanta? (Score:2, Insightful)

    by Grelli ( 98061 )
    My memory may be fuzzy, but I seem to remember there being a small explosion at the Atlanta games.

    The reason I bring this up is that the article mentions the "great hack of 2000" where it was thought that the Sydney Olympics network would be compromised.

    Given the current state of affairs, current legislation, and this soon to be widely publicised network, are we going to be seeing any "Terrorist Attacks" against these games? Seems that it would be a very convenient situation for the US gov to prove the neccesity of the U.S.A. legislation just recently passed.

    • Interestingly, the Ancient Greeks were more civilized than we are today. They slaughtered each other most of the time, but during the Olympics, they ceased all hostilities. No one would dare to disturb the Olympics.
      • That's because the Olympics were religious in nature, and the gods would nail their asses to the wall if they messed with them.

        Today, you've got people who want to kill in the name of G-d, so of course they'll try to mess with the Olympics.
  • Rule Number 1 (Score:4, Interesting)

    by darrad ( 216734 ) on Tuesday December 04, 2001 @05:02PM (#2655797) Homepage
    Secure the equipment!!!!

    If the guy from Atlanta was right, it does absolutely no good to put up firewalls, anti-virus, or intrusion detection. If any volunteer can take his limited badge and walk anywhere in the complex, then someone could volunteer, camp out around the IT room(s) and do their work from the inside.

    And then there is the ever present wireless links. Walk into the games with a laptop loaded with packet sniffers and a wireless NIC and wallah!!...you have all the info you need, even if you don't hack from inside the games, you have still obtained the needed info to go sit at home and go to work.

    I cannot believe that security was that bad at the '96 games, but I am not really all that surprised.
  • by imrdkl ( 302224 ) on Tuesday December 04, 2001 @05:06PM (#2655819) Homepage Journal
    Just looking at the Saltlake official webpage [saltlake2002.com], I see only one link which uses encryption, and that's the signup link so that you can download a screensaver and get some kind of updates. Theres a tremendous amount of javascript there, and it's clearly being served already from M$.

    We might already be too late to help them. :-/

  • The Test (Score:5, Funny)

    by Rolo Tomasi ( 538414 ) on Tuesday December 04, 2001 @05:08PM (#2655829) Homepage Journal
    OK, after they've got all rigged up and ready to go, they're ready for

    The Ultimate Test

    Fill the servers up with pr0n and serve it to the public, for free! If it withstands that, the Olympics will be a piece of cake.

    Hey, I'm serious ...

    • Screw porn. Fill the servers up with DivX movies/anime and MP3 files. Then announce it on Slashdot. That is the ultimate test of bandwidth.
      • Let's agree on pr0n, DivX and mp3s. But putting it on /. is no good idea, could bring the whole net down ...
        • Put the p0rn and stuff up for half a day, then turn on the security measures... not *that* will be the real test.

          My bet is that a regular stopwatch at a few bucks will be well enough to measure the time it will stand. Hehe.
  • I work at the University of Utah. I'm no Mormon, but I wish these Olympic assholes would just get the fuck out of my life.

    We, the taxpayers, have had to fund more shit -- all in the name of the Olympics and World Peace -- only to get little in return. Yeah, we have wider highways, but they're already as congested as they were before I-15 construction began. We have a light rail in town, but they had to up sales tax for that (and I'm sure it won't go back down when its done). The U. just lost a few thousand parking lots to accomodate the games -- and I'm sure all of you University admins know how parking on a large campus already sucks.

    I'm so sick of these fucking Olympic organizations. The IOC and the SLOC (with phony Mr Romney at the helm), are are a bunch of corporate whores who rape the local communities for getting a few bucks in return.

    This whole thing really pisses me off, if you haven't figured that out by now. If the network is hacked, I'll be laughing my ass off. I'm gonna fly my Corporate Flag [adbusters.org] on my car when I crawl through downtown traffic when I'm on my way to/from work during the "games". Not that it'll change anything, but at least I'll feel better.

    • I live near Baltimore/Washington, and say a prayer of thanks every time we don't get the Olympics. I mean, we just built about $1billion in stadiums (two in Baltimore, one near DC) and, uhh... We haven't gotten quite that much benefit out of them. I can only imagine the insanity of the Olympic games.

      My cousin lived near Atlanta. Had a bunch of leave saved up (gov't job). Took it all during the games. She wasn't alone.

      (BTW, nice flag)
  • And now for our ceremony:

    Gold medal - France - l'intrus d'élite vous possède

    Silver medal - Spain - el hacker de la élite le posee

    Bronze medal - USA - 133t h4x0r 0wnz joo!!!!

  • From the article:
    McClung declined to give specifics about the system, but said the network is protected by standard security methods such as firewalls and a virus detection application.

    See? Security thru obscurity!! It's working already!

    Whadda ya mean we "have to wait until after the Olympics are over?"

    Aw, man!
  • I apologize in advance for my trolling, but anytime we have a server farm article, you can pretty much sum up all the posts as:

    40% M$ sucks. Use Linux,BSD for all the servers.
    30% Matt McClung [insert name here] is not me and, as such, a moron.
    15% First post, Stephen King is dead, grammer cop, and goatsex.
    10% Trolls ... just like this post :-)
    5% Informative posts.
  • by Xunker ( 6905 ) on Tuesday December 04, 2001 @05:29PM (#2655943) Homepage Journal

    ... and what is more spectacular than the Olympics?

    The Utah-based company where my day-job is has had a hand in the ticket sales side of the Winter Olies and I've noticed that whenever something this big comes around, people come out of the woodwork to make it go wrong or atleast cause general mayhem.

    A lot of people don't like the olympics, and a lot downright hate it to the point where they'll do anything they can to sabatage it including -- you guessed it -- hitting my company so that tickets cannot be sold online for the events.

    Now that they're imminently upon us things have calmed down a bit, but a while ago not a day would go by that we didn't get DOS'ed, Skript Kiddie'd and even had a near hit/miss with a domain hijacking, and a lot of the action carried nice little messages saying things like "death to those who promote globalization" and soforth. I can feel for Matt in this, especially since in a little over 2 months it's going to be his systems on centre stage along with the atheletes. The Olympics are too high-profile of a target for anyone lacking in self-esteem to pass up becuase it'll so "so 31337" to say "I changed the name of a frech competitor to 'Le Shithead' on the statz page! W00h00!"

    Maybe in 2004 Firewall configuration should be made an Olympic sport?

    • ... and what is more spectacular than the Olympics?

      Erm, the World Cup? The European Championships? The FA Cup final? Face it, the Olympics is shit. People only watch it because of the hype. Who wants to sit there for hours on end watching countless rounds of long jump and 400m? Why does the Olympics revolve round such dull sports?

      No-one ever rushes out to buy a paper, and flicks to the back page to find out who won the latest game of javelin or 100m hurdles. How can people get so excited about something they'd rank lower than paint drying the rest of the year?

      It's completely absurd.
  • by Otter ( 3800 ) on Tuesday December 04, 2001 @05:31PM (#2655954) Journal
    Since the moment they announced Salt Lake would be getting the Olympics, I've been planning to be at the men's moguls contest. I had bad luck in the lottery but was able to pick up a ticket in the regular sale to go with the one's I'd already gotten for women's downhill (Picabo's back!), women's halfpipe, luge, XC, hockey and pairs skating. I've got a plane ticket, a couch on which to crash and am getting more stoked by the day. The only letdown is that Jonny Moseley seems to have given up his FIS career to devote more time to groupies and big air contests.

    Meanwhile, the Olympics are going to be held in the US in two months and as far as I can tell, no one besides me cares. I've seen a handful of commercials but there's absolutely no buzz. And judging from the tickets the organizers keep pleading for me to buy (men's hockey medal round games, women's skating long program, other really high-profile events) they're having a lot of trouble moving tickets.There was the bribery scandal a few years back (as if that wasn't how every previous Olympics was offered) and now the fuss about terrorism, but are people really bothered by that? I suppose the WTC attack, and the subsequent war and anthrax have driven everything else out of peoples' minds.

    Come on, like terrorists are really coming to Utah to blow up a bobsled run? I've eaten plenty of meals in the McDonalds you see in the pictures of the Jerusalem bombing last Saturday -- I can't bring myself to get too worried about going to Snowbird.

    • Maybe they should charge less?
      I would also like to point the the Olympics are not supposed to be about the money.
    • they have the Olympics ever 40 days or something now. Used to only be on Leap Year, no wonder it isn't special. The have pro atheletes competing, no wonder no one cares. The whole thing is like a Visa commercial, it's interesting for 30 seconds and then you forget all about it.
    • Yeah, I wouldn't be too worried about going to Snowbird either, considering the fact that : THE OLYMPICS AREN'T AT SNOWBIRD. For someone so excited about going, I'm surprised you don't even know the venues
    • The reason no-one cares is because the Olypmics are boring. Who wants to sit on a crap seat all day watching sports like running and the long-jump? All the decent sports like football are taken up by the World Cup etc, so only the crap sports are left.

      Yes, the Olypics has football etc, but only worthless friendly tournaments. The trouble with including so many sports, is that there's no real focus, no excitement. Whereas other sports have standalone tournaments, the Olypmics has loads of little sports, so there's nothing to really get excited about.

      And as for the traditional sports such as athletics, they have their own tournaments anyway. The Olympics is pointless. And then they have the cheek to charge fucking extortionate amounts to get in. The Commonweath Games (A sort of cut-down version of the Olympics for Commonwealth counties) are in Manchester soon, and for the same reasons I won't be going to see them.
  • 4500 pcs, 550 serverS?
    how many computers were used in the 70's and 80's, why is it just getting more complex?
    in 2020 they will need, 50,000 computers despite the fact that computer of those areas will be 100x faster and with more storage device.
  • http://uptime.netcraft.com/up/graph?&site=www.salt lake2002.com

    Bronze == Solaris with 144.81 days of up time
    Silver == Linux with 130.78 days of uptime
    and the winner and still champion of the world in the Network Server Crash
    Gold == Win2k with and astounding 28.8 days of uptime!

    Way to go Microsoft you've proven again that innovation and crashes go hand in hand.
  • ahem

    since the 96 games (in america), and the upcoming games, in America there have been two other olympiads that may have gone unnoticed (perhaps due to not being held in America?).

    And while I'm sure they had their hairy moments in the back-room the tech side seemed to run OK...

    America is not the ENTIRE world you know.
  • I'm sorry but this is only a sporting event. It's not as though the security of it is that important. And besides, why would crackers want to attack such an event - what information would there be to steal/alter?

If A = B and B = C, then A = C, except where void or prohibited by law. -- Roy Santoro

Working...