Slashdot Log In
U.S. Interior Dept. Unplugged... Again
Posted by
michael
on Tue Mar 16, 2004 04:43 PM
from the is-there-a-sysadmin-in-the-house? dept.
from the is-there-a-sysadmin-in-the-house? dept.
IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."
This discussion has been archived.
No new comments can be posted.
U.S. Interior Dept. Unplugged... Again
|
Log In/Create an Account
| Top
| 299 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
I wonder about the old paper systems (Score:5, Insightful)
(http://www.ckwop.me.uk/)
I mean, with a physical system u need physical access but I bet those old systems were probably quite easy to subvert
Simon.
Re:I wonder about the old paper systems (Score:5, Insightful)
(http://millahtime.blogspot.com/ | Last Journal: Friday July 15 2005, @01:00PM)
I doubt they were easy to subvert. First you have to gain access to the facility, then you have to have access to that area and then you have to have access to the files. It is not that easy to just stroll in there and get a copy of them.
Secure data would be physically secure. It's not like you can just walk in a building and get that stuff that is locked up. It's pretty tough.
Re:I wonder about the old paper systems (Score:5, Insightful)
You'd be surprised what people will just throw in the trash.
Shred them, m'boy, shred them! (Score:5, Interesting)
(http://www.freetobemarlo.net/)
Most government facilities have the lowest level of classified information ("Secret"). Very few have "Top Secret" or higher. And even with Secret, there are very extensive procedures in place in terms of document storage, personnel access, etc.; you're not going to be able to get in with a penknife, leastways not when the document is in a 2-ton graphite safe with 70-point rotary dial behind an armed guard gate.
And as for the guy who found a 10-Base T hub? Dude. That's nothing. We throw old junk away all the time. I just threw 5 Betacam SP decks, worth about $6000 each, in the trash last week. Remember, the agencies can't sell equipment; only the GSA sells surplus, and that's at auction. And it's not like the agencies get credit for turning stuff in. So there is no financial incentive for the agencies to save old equipment, and the paperwork is far too much of a hassle to deal with, just to get it transferred off the books to surplus. (You have to verify condition and certify it, blah blah blah.) So we just get it written off as damaged beyond repair, and toss it.
Believe me, I'd take the stuff home if I could, but then I'd technically be stealing. It has to be officially thrown away first.
God Bless America.
Re:I wonder about the old paper systems (Score:5, Insightful)
You need to read "Surely You're Joking, Mr. Feyman." Feyman raids the safes that contain the plans for the atomic bomb repeatedly, both for entertainment and to get work done faster. He walks through a hole in the fence around Los Alamos repeatedly, always exiting through the gate. The guard doesn't catch on until he's done it many times.
I was able to get almost anywhere in my university dorms with a penknife, despite locked doors at the end of every hall.
The problem with locks and guard and secure areas is that they're so visually impressive, it's easy to assume that they will work. With bicycle couriers and janitors moving around all the time, workers get used to unfamiliar faces and forget to check ID.
Re:I wonder about the old paper systems (Score:5, Insightful)
(http://www.thetao.info/tao/whitecloud1.htm)
That's the center of the legal case. DOI systematically lost records which - if kept and honored - would have resulted in billions of dollars in lease payments to Indian tribes for natural resources (mining and oil) extracted from their reservations by corporations contracted with DOI. The judge may be less concered with security from outside hackers, than with the likelihood of DOI insiders continuing to corrupt and alter the records by setting up the systems so that they themselves can continue to engage in behaviors which have already resulted in judges holding DOI in contempt of court.
It's not enough that we took most of the Indians' land; we've been continuing (through our kindly federal government) to steal from under what little land they have left. Even under Clinton DOI wasn't playing straight on this; you can imagine how much better it's been under Bush. The problem is that under any reasonable estimate there are enough billions involved to qualify as a serious budget item. Of course, the Indians have oil and other natural resources, and in the past behaved as "terrorists," so if anything we're consistent....
No web at work ... the humanity ... (Score:5, Funny)
*thinks about what he does at work*
So they're letting everybody go home early then?
Re:No web at work ... the humanity ... (Score:5, Funny)
So they're letting everybody go home early then?
It's the government, they already left.
Here's the original occurence (Score:5, Informative)
"For the second time in less than two years, a federal judge has ordered the Interior Department to disconnect from the Internet in order to protect $1 billion in American Indian money managed by the agency.
U.S. District Judge Royce Lamberth said Interior's refusal to cooperate with a court-appointed master who wanted to test the security of Interior's systems, prompted the decision. The government claimed it did not cooperate with Security Assurance Group of Annapolis, Md., because they could not agree on the "rules of engagement."
Re:Here's the original occurence (Score:5, Insightful)
(http://www.skrysak.com/ | Last Journal: Friday October 01 2004, @05:37PM)
Dress up as a tech guy and talk you way in? Go for it.
Hack through someone's PC, why not?
Send in a small remote control vehicle to snoop? Definitely.
Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....
That's how it's done "for real", so why not train that way? Why not TEST that way?
What's wrong with "Train like you fight, fight like you train"?
I'm glad they were shut down if they threw a hissy fit because they couldn't agree on "rules of engagement". Wake up to the real world ladies and gentlemen.
Re:Here's the original occurence (Score:5, Insightful)
(http://www.wirewd.com/wh/)
Having the sys admin go spastic is a good thing for them, because that means that there's somebody watching for stuff. If they know the IP addresses, they can just block those addresses if they don't want the results to turn out bad.
Re:Here's the original occurence (Score:5, Insightful)
Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....
...mug the IT manager for his SecureID, blackmail the tape monkey for backups, assassinate the night guardsman, sure, whatever.
Less severe? One part of a real attack might involve calling in a bomb threat to get one key employee away from his desk. I suspect that it may be better to simulate that part rather than panic the entire building: have one of the high-ups that you're working with call the employee away from his desk for a half hour. Or something.
Yes, the real world doesn't play by rules. But if testing causes more harm than it would have prevented, then it shouldn't take place.
Re:Here's the original occurence (Score:5, Funny)
Let me guess, you work for the Interior Department? Nice try.
"Larry, Moe & Curly Consulting" (Score:5, Insightful)
(http://www.grub.net/blog/index.html | Last Journal: Wednesday June 27, @08:48AM)
Why would systems with access to funds be connected directly to the net? No system with that level of risk should ever be connected to the net unless there's a damn good reason. Even online banking webservers are throughouly isolated from the core banking systems. This is just sheer stupidity.
Re:"Larry, Moe & Curly Consulting" (Score:4, Insightful)
(http://www.dragonswest.com/ | Last Journal: Monday November 05, @07:35PM)
What about when the people who spam fake PayPal, BofA, Fleet, etc. try their luck spamming for native americans, to con them out of their ID/Pin/Password, whatever to steal their money? At some point good security depends upon the end user.
Re:"Larry, Moe & Curly Consulting" (Score:5, Informative)
(http://www.grub.net/blog/index.html | Last Journal: Wednesday June 27, @08:48AM)
then how exactly do they update your bank account?
Online banking allows you to play with your accounts. If it's hacked it's your data they screw with. The entire bank doesn't become a victim.
Your[sic] one of those bozo's that says "I'll never use my credit card online"
I use my card online all the time.
Not to mention a number of "private" networks use the internet as a backbone.
They're called "VPNs". Good luck hacking a properly maintained one anytime soon.
I know exactly what I'm speaking about. Go back to sleep.
Re:"Larry, Moe & Curly Consulting" (Score:4, Informative)
That has nothing to do with your original statement. You said they are not connected. Explain properly.
Well, you asked nicely. When a customer connects to an online bank they aren't directly connected to the banking core. They're on a webserver that's isolated well enough to prevent compromising the main banking systems. The passwords and login credentials aren't usually stored on the web machines, rather the info is passed through to other secured machines. This way if the web server is comprimised the passwords are safe. There are usually firewalls or other security between all these systems.
The key is to isolate the systems and only allow the bare minimum amount of talk to get the job done.
Re:"Larry, Moe & Curly Consulting" (Score:5, Interesting)
it's even worse than that. i know a guy who works at a credit union. his job is to do end-of-day, end-of-month, etc processing. one of his jobs, is to ftp the transactions to/from visa everynight. it's not sftp or any other encrypted connection. just plan text ftp right over the internet. no one at the place will listen to him about how insecure that is! and just think, if visa is doing that for this credit union, i imagine that they're doing it for all the banks/retailers they deal with.
Re:"Larry, Moe & Curly Consulting" (Score:5, Informative)
(Last Journal: Friday June 11 2004, @12:41PM)
Yes, FTP using Plaintext is risky. That's why Vital (Visanet) would force the LINK/LINE between the companies to be a. encrypted, or b. a VPN.
No retailer want's to spend the $10,000USD on a business class version of PGP (I've investigated it before). Canadian retailers generally get the retail version and make it some guy's duty to manually encrypt the files.
nope (Score:5, Informative)
Almost all of them use pgp for anything remotely confidential, and many use md5 checksums to make sure nothing got changed in-transit.
I dont know the prices myself but im pretty sure its not $10k. Even if it is, thats peanuts for most banks, especially for something as critical as that.
Plus, I have software out there that many companies dealing with credit cards use. If you apply for a Target credit card, your application (after it has been scanned) goes through my application. Guess what, coming into and going out of, its encrypted.
Maybe you havent worked with banks lately, I'll agree it was pretty bad maybe 6 years ago, but they have got up to speed quickly and most are more secure than your average large company.
Re:"Larry, Moe & Curly Consulting" (Score:4, Funny)
(http://www.michaelmoore.com/ | Last Journal: Wednesday February 02 2005, @10:27PM)
I've heard stories about people in Korea not seeing their family members for 50 years because of the DMZ, but I never realized they were just waiting in line for their driver's license. And I thought is was bad wasting a Saturday afternoon at the DMV/MVD/BMV/whatever. Guess I shouldn't complain.
Re:"Larry, Moe & Curly Consulting" (Score:5, Informative)
(http://www.ioerror.us/ | Last Journal: Sunday May 22 2005, @06:28AM)
My understanding of the history of this is that DOI has had the least secure computer systems of any U.S. government agency, and have been virtually overrun with cracker activity. It's pretty obvious that someone who knows little about information security, or knowing the government, a LOT of someones, led to this occurring, as I pointed out, for the third time.
As you said, there's no excuse for sensitive systems such as that to be exposed to the Internet, but it's not the first time and probably won't be the last. In the book At Large [amazon.com], author David Freeman points out that at one point, the controls for the Hoover Dam were accessible from the Internet. That's asking for people to DIE, and that's not cool...
Excuse me, someone's at the door. He says he's from Homeland Security...
Re:"Larry, Moe & Curly Consulting" (Score:5, Insightful)
Nowadays it's getting tough to convince them they need to keep a computer offline to protect sensitive core business data, even if it means a bit of sneaker netting now and again.
Perhaps times will change again as they swing back to paranoid.
Real men may upload their data to ftp and let everyone else mirror it. Smart men pull the ethernet cord. If nothing else you don't want the IRS/SEC to be able to pull your data off of someone else's server. You can't wipe what you don't have sole possession of.
KFG
Awww, man... (Score:5, Funny)
No OS mentioned in the article (Score:3, Interesting)
(Last Journal: Monday March 08 2004, @12:15AM)
Culprit is... (Score:4, Insightful)
Linux was shown as the most-breached OS on the net according to that study Slashdot posted, remember.
Since the article doesn't mention, I'll ask: (Score:5, Interesting)
Is their continuing failure to secure their system due to lack of will/lack of money/what they're using or some combo of the three?
Re:Since the article doesn't mention, I'll ask: (Score:5, Insightful)
Trying to work for people who essentially can't be fired is a nightmare.
Re:Since the article doesn't mention, I'll ask: (Score:4, Interesting)
(http://www.evercrest.com/)
The above is absolutely true, and during some contracting work with the military, I was even told pretty much exactly what's said above.
When it comes to Government IT, the only thing that can really get you fired is if you opened a new security vulnerability. The way the admins deal with that is by not allowing any changes to occur under their watch. It's extremely infuriating.
Looking Inward.. (Score:5, Funny)
(http://www.dragonswest.com/ | Last Journal: Monday November 05, @07:35PM)
Seems rather appropriate. What software are they running?
silly silly Jessica... (Score:4, Funny)
(http://slashdot.org/)
Simpson, whose verbal gaffes are also legendary, pulled another one Sunday visiting the White House, our sources say. The singer was introduced to Interior Secretary Gale Norton and gushed: "You've done a nice job decorating the White House."
Source: washingtonpost.com [washingtonpost.com]
ironically true (Score:5, Funny)
DOI understands Firewater instead of Firewalls (Score:5, Insightful)
I can understand having problems recompiling literally centuries of data for tens of thousands of people. But c'mon, you can't figure out how to set up firewalls with VPN connections between disparate groups?
Could you imagine any private organization like a mutual fund or retirement investor leaving SSNs and customer information online on websites? Imagine the smack down from the government! But if it's the gov't itself nada. Thank god (or Great Spirit, whatever) that there's at least one judge willing to do the right thing.
Priorities (Score:5, Funny)
(http://n1vg.net/)
As an Indian, I can say this (Score:5, Funny)
I'm Here To Help The Government (Score:4, Funny)
(http://www.wilcoxon.org/~sewilco | Last Journal: Monday November 26, @11:31PM)
I emailed the Department of the Interior, pointing out that they should consider selling any unsolicited copies of software so as to not waste the value of gifts. They shouldn't use gift material as that bypasses the intent of normal acquisition processes.
Now I know why I got no response...
Anonymous Coward...how insecure (Score:3, Funny)
Well, I feel sorry for the systems. It is really rough working for the government and having self esteem issues. If I worked for the gov't, I would be a little insecure my self : P
It's a political thing (Score:5, Interesting)
"We are working closely with the Department of Justice to quickly respond to this order in the appropriate legal venue," the agency said in a faxed statement.
It's a political thing. Probably not much of a technical problem here at all. Somebody's making a move for power somewhere and now all of this BS. They are punishing the Interior by taking down links with schools on them rather than just blocking traffic via access lists and firewalls.
If they really had a problem with some of the services being provided as insecure they could have either firewalled those services or just blocked them at the router. Since, they did not take a rational approach to solving the problem, the problem is likely a political one from one greybearded idiot to another.
Been a consultant for the government. Seen it. I once went almost 4 months doing nothing but earning good money while waiting for the Chicago Tollway to resolve some political infighting. 4 months of sitting at home, watching TV and basically chilling out on Illinois tax dollars.
It was lovely.
2001? (Score:5, Informative)
"Web wanderers looking for information on national parks, government mapping services or geological disasters will need to get their information from non-official websites for a while.
U.S. District Judge Royce Lamberth issued the order late Wednesday after a report showed that the computer system which handles $500 million annually in royalties from Indian land has major security holes that make it easy to access the system, alter records and possibly divert funds."
Arrgh... (Score:3, Informative)
(http://www.hintz.org/)
my step dad works for the Dept of Interior (Score:5, Informative)
(http://www.squeezer.net/)
Re:my step dad works for the Dept of Interior (Score:5, Funny)
May It Please The Court... (Score:5, Funny)
(http://www.wilcoxon.org/~sewilco | Last Journal: Monday November 26, @11:31PM)
"(g) No Refusal Gift Acceptance Policy [doi.gov]
All Department of the Interior employees may accept gifts offered to them by representatives of Indian Tribes, Alaska Native Organizations, Insular and foreign governments when refusal to accept such gifts would be likely to cause offense or embarrassment or otherwise adversely affect relations with the United States."
Too busy picking wallpaper... (Score:3, Funny)
[Jessica] Simpson, whose verbal gaffes are also legendary, pulled another one Sunday visiting the White House, our sources say. The singer was introduced to Interior Secretary Gale Norton and gushed: "You've done a nice job decorating the White House.
(source [washingtonpost.com], near the bottom, after W. refers to the Ford Theatre as the Lincoln Theatre.)
Not all of DOI is offline. (Score:5, Informative)
Funky People (Score:3, Interesting)
A few years back we had a run-in with the DOI. We found very strange things in our web and FTP logs and traced them back to a Denver office of the DOI. Basically what they were doing was spending hours every night (way after office hours) digging and digging and digging to see what they could find. There were tons of 501s because these guys would enumerate when directory listing was turned off.
My colleage wrote to the DOI in Washington and asked 'what's up'. Because of the evidence we could show, the DOI Washington office decided to put a sniffer on the Denver line. Great, we thought, soon this wil be cleared up. As if.
A week goes by, and the Washington DOI people contact us. Their sniffer thing didn't work. When they were about to install it, some dork went around the Denver office barking, 'OK EVERYBODY HAS TO GO HOME EARLY TONIGHT WE'RE INSTALLING A SNIFFER ON THE LINE'.
Now if you believe that story (and that's how they told it) is another matter. We did not - and ever since, at regular intervals, they're back again.
Funky group. Very funky!
We can't pay because, uh.... (Score:3, Funny)
(Last Journal: Thursday August 12 2004, @10:56PM)
uh... (For updating to a new accounting system for this very account? Damn, used that in '92... there's got to be a good excuse here somewhere... I know!..)
Oh, yeah it's a security issue! That's it, a security issue... can't mess with security now, can we? Not after 9-11!...
(Good one!)
Yes, we'll get back to you about that $700,000,000.00 we owe you after all of this is sorted out...
Oh, sure. As soon as possible...
Don't worry about it, we've got everything under control. Thanks for being so understanding...
Oh yeah, I almost forgot, your access is going to be out for a while...
That's right, no email, no web...
Yes, there'll be no distance learning at the schools either for the time being...
Really, that's not fair. Why don't you people just hire more teachers?
What's that?
$700 Million?
It's funny how technical problems always plague the DOI every time this issue [denverpost.com] comes up.
A passing grade for security is not easy for Feds (Score:3, Insightful)
I also haven't seen any specifics about why the Judge is hammering DOI. I wouldn't be surprised if they are simply battling with the Judge over the oversight processes she wants to impose - granted that might be a dumb battle to fight.
Re:Technology vs. Indians (Score:5, Informative)
(http://thepeckfamily.us/ | Last Journal: Wednesday November 28, @01:55PM)
Re:Technology vs. Indians (Score:3, Informative)
Re:Technology vs. Indians (Score:5, Informative)
(http://www.bloodshed.org/)
Firstly, there is no Indian "race" or "nation" that was in conflict with the United States.
There were many conflicts with many tribes and there are many settlements which differ in scope and letter of the agreement.
Since the closing of the Frontier in 1890 and the end of major military action with the American Indians around the same time the rights of the American Indians have changed and the role of the government in thier lives has changed.
The crux of this arguement between the DOI/BIA and the folks suing them isn't about monetarily reimbursing for "or practically annahilating their race" it's about mismangement of natural resources on lands which are on Reservations or were on Reservations which are held in trust by the United States Government who act as stewards of the resources, both discovered and undiscovered.
Basicly the DOI/BIA has lost billions of dollars of money that should have been paid out to various tribes and various private citizens. Not only that, but they can't figure out a webserver that holds confidental information on the monies going out to private citizens that can't be exploited.
Ironic (Score:3, Funny)
(http://toshimo.com/)