
State Department Hit With Many More Break-Ins

adjust28 writes to tell us CNN is reporting that the US State Department has been dealing with a number of computer break-ins with regards to their headquarters and offices dealing with China and Korea over the past couple of weeks. From the article: "Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking."
  • by Palal ( 836081 ) on Wednesday July 12, 2006 @03:53AM (#15703870) Homepage
    Ask Slashdot: Why do gov't 'puters have net access?
  • by penix1 ( 722987 ) on Wednesday July 12, 2006 @03:56AM (#15703883) Homepage
    "The government can't seem to decide its priorities. It'll punish you more for cracking than for murder, but at the same time it won't secure its own systems and heed experts."

    sarcasm
    Who needs secure systems when you have draconian punishments? /sarcasm

    That aside, systems are no more secure or insecure than the people behind them. I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.

    B.
  • by rolfwind ( 528248 ) on Wednesday July 12, 2006 @03:58AM (#15703892)
    And also at the same time, we "have to" entrust them with our information. Which they seem to have a voracious appetite for these days. Sad, really.
  • by dclocke ( 929925 ) on Wednesday July 12, 2006 @04:08AM (#15703907)

    Unfortunately, the government just doesn't have the resources to investigate every single incident of computer trespassing. It would be nice if they could, but until then I can understand why an intrusion of an ISP mail server would not be very high on their priority list. As many incidents as there are like this that occur every day, it simply isn't possible to follow up on every one. Although, if what you say is true, it seems like you did most of the work for them. Hopefully they would at least file the information away for a rainy day, but my guess is they didn't.

    However, if this incident caused your opinion of the FBI and DHS to sink that much, I think you may have been overly generous with your opinion of the two agencies to begin with :)

  • Reality check... (Score:2, Insightful)

    by flynns ( 639641 ) <seanNO@SPAMtopdoggps.com> on Wednesday July 12, 2006 @04:22AM (#15703939) Homepage Journal
    (1) The classified servers are physically disconnected from the Internet. They have to be.

    (2) Every time I read a headline like this, I remember playing Uplink, and chuckling over the poor bastards when what I did hit the headlines. Somewhere in Korea, someone is chuckling hard.
  • And this is bad? (Score:5, Insightful)

    by SmallFurryCreature ( 593017 ) on Wednesday July 12, 2006 @04:34AM (#15703957) Journal
    Do we really want to have a government that can keep things secret? A state that can keep things from being investigated by having it totally secure, privileged eyes only, any leak easily traced?

    I think not. Just remember the whole fuss about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?

    If total security is achieved say goodbye to all those leaks and exposes. You will have a system that makes the KGB look like child's play. Not because they will abuse it but because if they want to they can, without ever being found out. All that would need to happen is for someone to come along who wishes to abuse it. Do you trust any party so much you want to give them complete secrecy?

    Democracy and free press are nasty things. They conflict immediately with the need to keep things hidden. Even such a simple thing as the skunk works is a direct violation of the principles of free press and accountable government. How the hell can we judge our government if they can keep what they are doing hidden from us?

    The only alternative is to accept a certain level of insecurity and just go after the people that go too far. A very strange state of affairs but better than living in a police state.

    Mitnick ain't a victim. He is a stupid criminal and deserves everything he is going to get. He was not a journalist seeking the truth, he was just a cracker messing around with computers that were not his.

    If I do not lock my door that does not give you the right to enter my house. Neither do I want to live in a world where the government is behind closed doors.

  • by witte ( 681163 ) on Wednesday July 12, 2006 @05:02AM (#15703993)
    One has to wonder if this is for real or if this is just another stab at fear-mongering so more propositions to cripple net neutrality / online privacy / ... can be passed.
    If they really experienced that many security breaches I doubt CNN would be allowed to publicize this.

    OTOH, TFA mentions a lot of scary evil things like North-Korean missiles and Chinese Hackers.

    I'm not sure whether I prefer this article to be for real or propaganda, both possibilities imply information warfare on the US people.
  • Why bother? (Score:4, Insightful)

    by 99luftballon ( 838486 ) on Wednesday July 12, 2006 @05:19AM (#15704017)
    Since most state computer security seems to be so laughably weak. UK 'hacker' Gary McKinnon, currently being extradited to the US, got into US Navy logistics computers by just typing in admin and password to login screens for Windows NT for goodness sake. If the most advanced military force on the planet is using an unsupported operating system I dread to think what the state department's systems must be like.
  • by Meneguzzi ( 935620 ) on Wednesday July 12, 2006 @05:28AM (#15704030) Homepage Journal
    I think that news such as these underline the fact that the Americans are putting their money on the wrong kind of project for their "homeland security". I bet that monitoring the net and phone traffic of a huge number of people costs quite a great deal of money, money which could have been spent training people to better protect sensitive, or even not that sensitive systems (the tiniest security hole can always widen and become a real liability, if you ask me).
    Wholesale monitoring of communications is as useful as trying to read all the content on the internet, for every useful bit of information you read, you get a 1000 useless bits. So training people to understand the subtleties of "the enemy" would seem a more sensible solution.
  • by asuffield ( 111848 ) <asuffield@suffields.me.uk> on Wednesday July 12, 2006 @05:36AM (#15704045)
    Yet, once they catch someone, they give him a draconian punishment that ruins his life, just look at Mitnick.


    While this is generally fairly accurate, in the case of Mitnick they seem to have made him a career, not ruined his life. Before he was nobody; now he's getting all kinds of stuff because of all the publicity the government paid for. I'm really not sure what they thought they were doing.
  • stupid security (Score:3, Insightful)

    by Exter-C ( 310390 ) on Wednesday July 12, 2006 @06:01AM (#15704073) Homepage
    Any company or government department that has any internet exposed servers that hold critical or sensitive information must be so stupid they deserve to be broken into. Whatever happened to having separated internet from internal servers etc.
  • by Anonymous Coward on Wednesday July 12, 2006 @06:01AM (#15704074)

    This is a clear case of cracking, not hacking. Please tag this article as such, as if IT experts use the correct terms for activities, maybe the word "hacking" can be saved?

    RMS or such other famous nerd: I'm a hacker
    Justice, influenced by Fox: Off to Gitmo for you then, hacker means computer terrorist.

  • by TubeSteak ( 669689 ) on Wednesday July 12, 2006 @06:14AM (#15704086) Journal
    (3) If you compile enough *sensitive information...
    you can end up with information that would be classified: see (1)

    *limited official use (now sensitive but unclassified), controlled, for official use only, internal use only, variations on sensitive, etc etc etc.
  • by ijakings ( 982830 ) on Wednesday July 12, 2006 @06:36AM (#15704123)
    I am so sick of that comparison. Entering a computer that has no password or no security is NOTHING like not locking the door of a house. It is what it is, someone logging on to an unsecure system, stop trying to compare it or dumb it down for the masses, this is slashdot, not congress.
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Wednesday July 12, 2006 @06:36AM (#15704124) Homepage
    I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.

    That's because so-called "high security passwords" are nothing of the sort - once you reach a certain level of complexity people will simply write them down.. a password that someone can remember is far more secure than a 'high security' one that has to be written down somewhere.

    I suspect they only went that route because they were too cheap to buy securid.
  • by Crash Culligan ( 227354 ) on Wednesday July 12, 2006 @07:07AM (#15704184) Journal
    Do we really want to have a government that can keep things secret? A state that can keep things from being investigated by having it totally secure, privileged eyes only, any leak easily traced?

    Actually, yes we do. As long as we have to trust it with our things, we want it to be able to hold onto those things and not let just anybody see them or use them against us. If the government expects to claim that it's protecting us and our personal information, it has to deliver on that protection.

    However, you're conflating security with transparency, when in fact they're both important. Security is the ability to keep the secret things secret against prying eyes. Transparency is the ability to unlock and inspect certain documents on demand to make sure that the government is functioning as it should. And ideally, the minimum amount of information should be classified secret: the smaller the pile of sensitive information is and the less it moves around, the less likely it'll get violated.

    Democracy and free press are nasty things. They conflict immediately with the need to keep things hidden. Even such a simple thing as the skunk works is a direct violation of the principles of free press and accountable government. How the hell can we judge our government if they can keep what they are doing hidden from us?

    The role of the free press is to report. It could be said that the role of the free press in a healthy democracy is to act as watchdog, to report when the system's security breaks so people can be warned and take measures for their own security, or to use the transparency to report problems. And it could be further argued that when transparency breaks down and secrets are kept unnecessarily, the best thing a reporter can do is intentionally break that bad kind of security. When the Pentagon Papers were exposed and the illegal acts of the Nixon administration were revealed, that was the free press's finest hour.

    Nowadays, government security and government transparency are both oxymorons, and the "free press" provides spin, runs interference, and distracts people with the missing-blond-girl-du-jour (I'm looking at you, Fox "News"). Oh, and a significant portion of the people are okay with that.

    My question is, where do we start the triage? Any one we start to fix will give us trouble from the other three.

  • by hyfe ( 641811 ) on Wednesday July 12, 2006 @07:50AM (#15704295)
    I think not. Just remember the whole fuss about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?

    Is it now?

    If total security is achieved say goodbye to all those leaks and exposes. You will have a system that makes the KGB look like child's play.

    If your system is counting on access failures for transparency and fail-checking there is something wrong with the system you've designed.

    Just as CEOs should be personally responsible for what their companies do, government employees should be responsible for their own actions. Participate in illegal spying, fine'em. Ordering illegal spying, jail'em. Went to other countries, captured citizens and then refuse them any legal status, jail'em. Every single, bloody one responsible.

    It might be painful the first years, but the law is there to be followed. Even corporations. Even government. Personal responsibility is the way to go.

    How the hell can we judge our government if they can keep what they are doing hidden from us?
    The government isn't some magical being. They're the people you voted for. Start voting for certifiably sane people.
    He is a stupid criminal and deserves everything he is going to get.
    There are levels of criminality. Why are people so fast to brand someone a criminal, and then practically demand the death-penalty for any little simple thing. Trying to balance out low risk of getting caught with extreme punishments is a really dangerous method of creating a lawful society.
  • by Animaether ( 411575 ) on Wednesday July 12, 2006 @07:54AM (#15704306) Journal
    ...there are certainly dire consequences -if- the government wants there to be. Just look at the money tracing operations and their exposure: President Bush openly and fiercely attacked those newspapers who have reported on it, stating that they have hurt the U.S.'s cause in tracking down terrorists -and- have done damage to the security of the United States and its citizens. He has done this repeatedly, with the full support of other government officials and branches, and guess what? Recent polls showed that the nation is divided roughly in half on the issue at this time, while when the story was published most people really just didn't care too much -or- were outraged that the U.S. government once again pried in their personal affairs. That is now 50% of people agreeing that they feel less secure now that papers, specifically The New York Times, reported on this secret program, and that they shouldn't have done it and -should- be prohibited from doing so in the future. The U.S. government is doing a great job of making the papers out to be 'the bad guys', and one can only imagine that it's certainly not helping their subscribership.

    So yes, they can report whatever they want, but the government can very much make them feel sorry for doing so in financial terms. Thankfully the majority of the papers who have reported it -don't- feel sorry in terms of 'doing the right thing'; as one of the editors said - if they can't report on this, then what's next? Not reporting on Abu Ghraib? Not reporting on 'accidental' bombings of civilians? All in the name of supposed national security.

    I can understand - and papers should certainly be wise enough to make this decision for themselves - that papers should -not- publish information regarding specific individuals or programs that would severely compromise those individuals or programs; e.g. operatives abroad who have infiltrated: you don't go publishing their names and photos. Investigations into a terrorist sleeper cell in Hicksville: you don't go publishing that they are under investigation. But for something as broad as "The U.S. government is tracking your international money transfers", there is -no- compromise of the program. If nothing else, sad as it is, most people probably expect that the U.S. government was doing that already, and the U.S. government can happily continue doing so; they can't honestly believe that terrorists will suddenly go "oh dear, I say... they are tracing our money wires.. perhaps we should stop using that.".

    Elections must be coming up again soon...
  • by Anonymous Coward on Wednesday July 12, 2006 @09:02AM (#15704572)
    Can we at least have a 2-sided discussion here? I mean, for example:

    Must we assume that whatever was compromised was an unpatched machine that was unusually vulnerable? Call me crazy, but 0-day exploits?

    Must we, by the same reasoning, can we assume that it wasn't some fool-headed diplomat's lackey that opened "worldpeace.exe" hoping to save US/China relations?

    Must we assume that the shutdown of SSL afterwards was a stupid move? What if the exploit involved services running SSL, or if the worm/virus/trojan/badthing used SSL to communicate?

    Must we just go and flatly state that because a government entity can be hacked, we should never give them our information? If you want to use that logic, then I suggest you go ahead and move off the Internet entirely and go be an off-the-grid tinfoil hat wearer. You're assuming the government is *always* purposefully irresponsible with your data, and you're also assuming things listed above. Hey, keep reading, there will be time after this for people to post about the V.A. data exposure, so we can lump every gov. agency together with that mistake and be +X insightful.

    And holy crap people...you gave "why do gov. computers have internet access" a +4 insightful? GET A GRIP. You know what? A better idea. Let us take away Internet access from every agency and company, and just watch that productivity skyrocket because they aren't getting hacked from the outside anymore. I'm sure the modern world can safely go back to doing business over the phone and through snail-mail.

    Sometimes these discussions end up being rumor-driven, speculation-rewarded, techno-mob mentality flame fests. Way to be logical about it all folks and to think this through.

    I'm not trying to go out of my way to defend the government here, but when it's such a one-sided argument, a rational Devil's Advocate has little choice.

  • This is why.... (Score:2, Insightful)

    by SupremoMan ( 912191 ) on Wednesday July 12, 2006 @10:35AM (#15705254)
    This is exactly why I am against allowing the government to implement an OS level backdoor. They will simply lose the information on the backdoor to hackers and then no computer will be safe!
  • by vertinox ( 846076 ) on Wednesday July 12, 2006 @11:01AM (#15705460)
    It'll punish you more for cracking than for murder, but at the same time it won't secure its own systems and heed experts.

    That's not even half the problem. What happens if the hacker is in China and can't be arrested because he is actually in the basement of the People's Army and employed by the Chinese government?

    Seriously, if I was a lead intelligence expert in China or Russia, I'd be having a heyday of compromising US military computers and trying to get as much information out of them as possible.

    If some bright guy in the UK can do it... Why not trained teams of government spies with millions of dollars in their budget?
