Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror

State Department Hit With Many More Break-Ins 143

Posted by ScuttleMonkey
from the crackers-and-hackers-and-press-oh-my dept.
adjust28 writes to tell us CNN is reporting that the US State Department has been dealing with a number of computer break-ins with regards to their headquarters and offices dealing with China and Korea over the past couple of weeks. From the article: "Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking."
This discussion has been archived. No new comments can be posted.

State Department Hit With Many More Break-Ins

Comments Filter:
  • Lack of motivation (Score:5, Interesting)

    by Anonymous Coward on Wednesday July 12, 2006 @02:48AM (#15703862)

    The government seems to have never placed much importance on computer security. I recently read Cliff Stoll's 1989 chronicle of a hacking, The Cuckoo's Egg [amazon.com] . Back then the government was slow to respond and pretty unmotivated, and it seems like little has changed today. Yet, once they catch someone, they give him a draconian punishment that ruins his life, just look at Mitnick. The government can't seem to decide it's priorities. It'll punish you more for cracking than for murder, but at the same time it won't secure it's own systems and heed experts.

    • by penix1 (722987)
      "The government can't seem to decide it's priorities. It'll punish you more for cracking than for murder, but at the same time it won't secure it's own systems and heed experts."

      sarcasm
      Who needs secure systems when you have draconian punishments? /sarcasm

      That aside, systems are no more secure or insecure as the people behind them. I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.

      B.
      • by Tony Hoyle (11698) <tmh@nodomain.org> on Wednesday July 12, 2006 @05:36AM (#15704124) Homepage
        I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.

        That's because so-called "high security passwords" are nothing of the sort - once you reach a certain level of complexity people will simply write them down.. a password that someone can remember is far more secure than a 'high security' one that has to be written down somewhere.

        I suspect they only went that route because they were too cheap to buy securid.
        • by MECC (8478) *
          Has everyone forgotten about FIPS-181? Making a non-word password pronounceable at least increases the chances it won't get written down. Then at least if someone steals one part of two factor authentication, there's less of a chance that the password hasn't been lifted as well.

        • That's how it works at my workplace. Passwords must have characters from three of four groups, Capitals, lower-case, numbers and symbols, and must be updated every 40 days (with a 'heads up' after 30 days). People hated this, and just recently we got little biometric finger readers for those who wanted them.

          For me... creating hard to guess passwords that use a variety of characters but are eay to remember is the one single thing l337 speak is still useful for. Sadly, there aren't enough l337d00ds aroun
      • All security is in implementation. When I interned in congress, I was surprised at how lax some things seemed. Same thing with some parts of airports. The only really secure place I've seen (tech and physical security) was the hospital where I did rotations during my EMT training.
    • by rolfwind (528248) on Wednesday July 12, 2006 @02:58AM (#15703892)
      And also at the same time, we "have to" entrust them with our information. Which they seem to have a voracious appetite for these days. Sad, really.
    • Remember a while back the guy that got fired for hacking back?

      Maybe he should have been rewarded and/or his bold personal vendetta recognized as a necessary response to seemingly state sponsored hacking of US computer systems (critical infrastructure).
    • The horse has bolted (Score:5, Interesting)

      by jdbartlett (941012) on Wednesday July 12, 2006 @03:10AM (#15703918)

      I don't want to trigger a Windows/Linux debate, but relevant is this quote from a recently slashdotted interview with McKinnon:

      "I found out that the US military use Windows," said Mr McKinnon in that BBC interview. "And having realised this, I assumed it would probably be an easy hack if they hadn't secured it properly."

      Source here [bbc.co.uk]

      Even if it is considered right to treat such breakins so seriously: how many times must the horse bolt before the barn door?

      • by stunt_penguin (906223) on Wednesday July 12, 2006 @04:26AM (#15704026)
        It would seem that unfortunately this particular horse has managed to build himself a back door as well, unfortunately.
      • It depends which version... MS are slowly getting the 'secure by default' idea, and Win2003 is reasonably secure out of the box. It remains to be seen what happens with vista.. I suspect UAC will be weakened in the same way that NX was in XP, simply to 'improve the user experience'.
      • I don't want to trigger a Windows/Linux debate

        And then you turn right around and quote somebody saying something about the military using Windows machines. I wasn't aware that the State Department is a branch of the US Military. Am I wrong about that? Or are you using unrelated quotes to to flamethrow?

        And then the second half of your misapplied quote, "it would probably be an easy hack if they hadn't secured it properly." Now *nix would be an easy hack if not secured properly as well, now wouldn't it?
        • The The United States Department of State and The United States Department of Defense (which controls the US military) are both organizations of the United States government that use Windows OS. Am I wrong about that? I've only lived in this country for a couple of years, apologies if I'm wrong.

          As I said, I didn't want to start a Win/Linux debate. Perhaps I should have emphasized the phrase "if they hadn't secured it properly". The horse is not Windows, the horse is impropperly secured systems in many organ
      • ...it would probably be an easy hack if they hadn't secured it properly

        Is there any OS that doesn't apply to? Isn't every system "an easy hack" if it's not properly secured?
        • My guess is the guy probably new nothing of Unix and only knew Windows. Therefore Windows for him would be much easier to hack than trying to learn Unix. Good ole security through obscurity.
    • And this is bad? (Score:5, Insightful)

      by SmallFurryCreature (593017) on Wednesday July 12, 2006 @03:34AM (#15703957) Journal
      Do we really want have a goverment that can keep things secret? A state that can keep things from being investigated by having it totally secure, privileged eyes only, any leak easily traced?

      I think not. Just remember the whole fuzz about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?

      If total security is achieved say goodbye to all those leaks and exposes. You will have a system that makes the KGB look like childsplay. Not because they will abuse it but because if they want to they can, without ever being found out. All that would need to happen is for someone to come along who wishes to abuse it. Do you trust any party so much you want to give them complete secrecy?

      Democracy and free press are nasty things. They conflict immidiatly with the need to keep things hidden. Even such a simple thing as the skunk works is a direct violation of the principles of free press and accountable goverment. How the hell can we judge our goverment if they can keep what they are doing hidden from us?

      The only alternative is to accept a certain level insecurity and just go after the people that go to far. A very strange state of affairs but better then living in a police state.

      Mitnick ain't a victim. He is a stupid criminal and deserves everything he is going to get. He was not a journalist seeking the truth, he was just a cracker messing around with computers that were not his.

      If I do not lock my door that does not give you the right to enter my house. Neither do I want to live in a world where the goverment is behind closed doors.

      • Re:And this is bad? (Score:2, Informative)

        by CRCulver (715279)

        Do we really want have a goverment that can keep things secret? A state that can keep things from being investigated by having it totally secure, privileged eyes only, any leak easily traced? I think not. Just remember the whole fuzz about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?

        The Pentagon Papers trial created a fine balance that is worth preserving. The government can keep things secret in the interest of security, b

        • by Animaether (411575) on Wednesday July 12, 2006 @06:54AM (#15704306) Journal
          ...there are certainly dire consequences -if- the government wants there to be. Just look at the money tracing operations and their exposure: President Bush openly and fiercely attacked those newspapers who have reported on it, stating that they have hurt the U.S.'s cause in tracking down terrorists -and- have done damage to the security of the United States and its citizens. He has done this repeatedly, with the full support of other government officials and branches, and guess what? Recent polls showed that the nation is divided roughly in half on the issue at this time, while when the story was published most people really just didn't care too much -or- were outraged that the U.S. government once again pried in their personal affairs. That is now 50% of people agreeing that they feel less secure now that papers, specifically The New York Times, reported on this secret program, and that they shouldn't have done it and -should- be prohibited from doing so in the future. The U.S. government is doing a great job of making the papers out to be 'the bad guys', and one can only imagine that it's certainly not helping their subscribership.

          So yes, they can report whatever they want, but the government can very much make them feel sorry for doing so in financial terms. Thankfully the majority of the papers who have reported it -don't- feel sorry in terms of 'doing the right thing'; as one of the editors said - if they can't report on this, then what's next? Not reporting on Abu Ghraib? Not reporting on 'accidental' bombings of civilians? All in the name of supposed national security.

          I can understand - and papers should certainly be wise enough to make this decision for themselves - that papers should -not- publish information regarding specific individuals or programs that would severely compromise those individuals or programs; e.g. operatives abroad who have infiltrated: you don't go publishing their names and photos. Investigations into a terrorist sleeper cell in Hicksville: you don't go publishing that they are under investigation. But for something as broad as "The U.S. government is tracking your international money transfers", there is -no- compromise of the program. If nothing else, sad as it is, most people probably expect that the U.S. government was doing that already, and the U.S. government can happily continue doing so; they can't honestly believe that terrorists will suddenly go "oh dear, I say... they are tracing our money wires.. perhaps we should stop using that.".

          Elections must be coming up again soon...
          • The U.S. government is doing a great job of making the papers out to be 'the bad guys', and one can only imagine that it's certainly not helping their subscribership.


            Actually, I'd guess that in this political climate, it's helping their subscribership quite a bit.

            Two things:

            1) The Bush administration has failed to realize that the "trust us, we know what we're doing" meme has died. Every time they push it these days their numbers go down.
            2) The facts of this particular story was out YEARS before the NYT (and two other papers, btw) put it in the public eye. As those facts come out (and they have been) it will exascerbate #1 above.

            Gov: "Realeasing this information will kill us all!!"
            NYT: "So why did you release it on government websites two years ago?"
            Gov: "UUUhhhhhh.... MMmmmmmMMmmm...."

        • I didn't read teh details of the Pentagon Papers trial, however I hope there was an exception included that them being allowed to print whatever was leaked did not extend to things like say battle-plans or such stuff (which they may be allowed to print, but not before the operation reached a conclusion).
        • The Pentagon Papers trial created a fine balance that is worth preserving. The government can keep things secret in the interest of security, but at the same time it's not illegal for the press to print whatever is leaked to it.

          That's the difference between the Pentagon Papers and the State Department cracks.

          The Papers were leaked by an insider, in the June incident, foreign nationals probably working for a semi-enemy country cracked into goverment computers.

      • by ijakings (982830)
        I am so sick of that comparison. Entering a computer that has no password or no security is NOTHING like not locking the door of a house. It is what it is, someone logging on to an unsecure system, stop trying to compare it or dumb it down for the masses, this is slashdot, not congress.
        • Entering a computer that has no password or no security is NOTHING like not locking the door of a house.

          I can sympathise with a desire to see the correct terminology used, but in this instance, I'm not sure I can see the harm.

          The trouble is that hacking is, in terms of human society, comparatively new. Everyone understands the times when it is right or wrong to enter someone else's house. The same is not clear for remote computer access.

          So, it makes sense to look for an situation analagous to unat

      • by Crash Culligan (227354) on Wednesday July 12, 2006 @06:07AM (#15704184) Journal
        Do we really want have a goverment that can keep things secret? A state that can keep things from being investigated by having it totally secure, privileged eyes only, any leak easily traced?

        Actually, yes we do. As long as we have to trust it with our things, we want it to be able to hold onto those things and not let just anybody see them or use them against us. If the government expects to claim that it's protecting us and our personal information, it has to deliver on that protection.

        However, you're conflating security with transparency , when in fact they're both important. Security is the ability to keep the secret things secret against prying eyes. Transparency is the ability to unlock and inspect certain documents on demand to make sure that the government is functioning as it should. And ideally, the minimum amount of information should be classified secret: the smaller the pile of sensitive information is and the less it moves around, the less likely it'll get violated.

        Democracy and free press are nasty things. They conflict immidiatly with the need to keep things hidden. Even such a simple thing as the skunk works is a direct violation of the principles of free press and accountable goverment. How the hell can we judge our goverment if they can keep what they are doing hidden from us?

        The role of the free press is to report. It could be said that the role of the free press in a healthy democracy is to act as watchdog, to report when the system's security breaks so people can be warned and take measures for their own security, or to use the transparency to report problems. And it could be further argued that when transparency breaks down and secrets are kept unnecessarily, the best thing a reporter can do is intentionally break that bad kind of security. When the Pentagon Papers were exposed and the illegal acts of the Nixon administration were revealed, that was the free press's finest hour.

        Nowadays, government security and government transparency are both oxymorons, and the "free press" provides spin, runs interference, and distracts people with the missing-blond-girl-du-jour (I'm looking at you, Fox "News"). Oh, and a significant portion of the people are okay with that.

        My question is, where do we start the triage? Any one we start to fix will give us trouble from the other three.

      • by hyfe (641811)

        I think not. Just remember the whole fuzz about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?

        Is it now?

        If total security is achieved say goodbye to all those leaks and exposes. You will have a system that makes the KGB look like childsplay.

        If your system is counting on access failures for transparency and fail-checking there is something wrong with the system you've designed.

        Just as CEO's should be personally responsible

      • If I do not lock my door that does not give you the right to enter my house. Neither do I want to live in a world where the goverment is behind closed doors.

        That is a bad, bad analogy. Instead, imagine you have an idiot savant who keeps your records for you. If you don't tell him not to, he's happily blurt out the info to anybody who will talk to him. Who is at fault if he answers a request for imformation you were supposed to keep secret?

        "Only tell me this," you'll tell your records keeper, but he's an idi
    • by asuffield (111848) <asuffield@suffields.me.uk> on Wednesday July 12, 2006 @04:36AM (#15704045)
      Yet, once they catch someone, they give him a draconian punishment that ruins his life, just look at Mitnick.


      While this is generally fairly accurate, in the case of Mitnick they seem to have made him a career, not ruined his life. Before he was nobody; now he's getting all kinds of stuff because of all the publicity the government paid for. I'm really not sure what they thought they were doing.
    • "Back then the government was slow to respond and pretty unmotivated, and it seems like little has changed today. Yet, once they catch someone, they give him a draconian"

      The level of security shouldn't have anything to do with the punishment. You don't go to jail longer for breaking into a home with 3 dead-bolts and an alarm vs one with a single lock. It isn't up to the victim to keep the criminal out of trouble.
      "It'll punish you more for cracking than for murder"
      Last time I checked murder was punishable
    • by vertinox (846076)
      It'll punish you more for cracking than for murder, but at the same time it won't secure it's own systems and heed experts.

      That's not even half the problem. What happens if the hacker is in China and can't be arrested because he is actually in the basement of the People's Army and employed by the Chinese government.

      Seriously, if I was a lead intelligence expert in China or Russia, I'd be having a heyday of compromising US military computers and trying to get as much information out of them as possible.

      If so
  • by Palal (836081) on Wednesday July 12, 2006 @02:53AM (#15703870) Homepage
    Ask Slashdot: Why do gov't 'puters have net access?
    • So they can continue to wage the War on Child Pr0n, of course.
    • by TrappedByMyself (861094) on Wednesday July 12, 2006 @04:37AM (#15704046)
      Ask Slashdot: Why do gov't 'puters have net access?

      Why shouldn't they? They need to do work and send email to people outside the government like the rest of us. How do you think, for example, all the tax forms show up on IRS.gov? Magic?

      Classified computers do not have access to the normal internet, so when you see these break-in stories, no classified information was compromised, unless some dope went out of his way to get info from a class system to an unclass one.
      • by jferguson (871036) on Wednesday July 12, 2006 @08:29AM (#15704741)
        At least as of five years ago, most State Department computers had a single monitor, keyboard and mouse plugged into a switch that in turn ran to two different CPUs. One CPU, with big red stickers on it, was the classified ("class") machine; the other, with big green stickers on it, was the unclassified ("unclass") machine. The class machine had an ethernet hookup to the State Department intranet, to handle Lotus Notes and access to Cable Express, the computerized version of State's old Telex cable system. That intranet was completely disconnected from the internet. The unclass machine had a connection to the internet.

        The hard disk in the class machine had a barrel lock on it. At the end of the working day, you powered down your machine, unlocked and removed the hard drive, and locked the drive in your safe. (The safe is less fancy than it sounds: a standard four-drawer file cabinet with two u-flanges welded onto it; you slid a long steel bar through both flanges and padlocked it into place. Cheap, but pretty effective.) The unclass machine's hard disk remained in place, and those machines were rarely turned off.

        As the story mentioned, most of the hacks target unclass machines, for the simple reason that they can't reach class machines. Give State some credit; on the hardware side at least, they did the right thing by building two networks.

        The problem with this setup is this: say you're writing a report that will include some classified information but that will also have background research perhaps from the internet. In theory, you should write the report on the class machine. You should do the internet research on the unclass machine, write up whatever you want to add to the report, copy it to a floppy or flash drive, and copy it onto the class machine. The document from the class machine should never appear on the floppy or the flash drive, much less the unclass machine. In practice, as you can imagine, people often put the file on the portable medium so that they can avoid wrangling with version control (most foreign-service officers don't know what version control is, but they know they don't like to wrangle with it). Once you start doing that, it's only a matter of time before classified information ends up on an unclassified machine.

        Just for the record, a lot of classified information is, frankly, uninteresting. If an embassy staffer covers a rally in the foreign capital and writes a cable that has six paragraphs of description of the rally and one paragraph of commentary on the rally, he'll often mark his comments confidential; this in turn makes the cable classified. This tendency to classify TOO MANY THINGS only adds to the report-writing problem I mentioned above, since often the necessary reference material is unclassified description within a classified cable.

        Frankly, if you can come up with a way to sort out this state of affairs, I think the State Department would be pretty willing to listen to it. At least, based on watching diplomatic security officers tear their hair out at the potential security breaches that their own employees commit, I think they would be.
      • Right....Classified systems are on a seperate network...until, that is, some network eng. patches them together to make his/her job easier. Have you ever done a audit of a military/government network? I personally have, and found over 60 paths to so called "Secured" networks from a machine which was Internet accessable...Let's stop cherry picking, and call it like it is...totally kludged up, non-functonal, messy security at best.
    • Why do gov't 'puters have net access?

      Without direct access to microsoft servers the OS can't automatically update itself. Does this mean that airgapped systems are less secure?

  • by jdbartlett (941012) on Wednesday July 12, 2006 @02:55AM (#15703880)
    The Pentagon warned earlier this year that China's army is emphasizing hacking as an offensive weapon. It cited Chinese military exercises in 2005 that included hacking "primarily in first strikes against enemy networks."

    Of course, that's what the bayonet is for!

  • by Ohreally_factor (593551) on Wednesday July 12, 2006 @02:56AM (#15703884) Journal
    This could put the State Department ahead of MySpace as the #1 destination site.
  • by mcrbids (148650) on Wednesday July 12, 2006 @02:56AM (#15703885) Journal
    I spent a few months not so long ago tracking down a cracker who had compromised a mail server for an ISP. He'd gotten root, and installed rootkit style stuff that hid directories, etc.

    It was a long process to penetrate all his defenses. Finally, I ended up chatting with the cracker a la Yahoo Chat, including video. He was from Romania, and liked diet 7-up.

    So, I get all the sources together with which he compromised the server. I had everything, down to IP addresses. I called the FBI and they referred me to some web page that didn't even allow enough upload to report everything I had found.

    I submitted what I could. I didn't even gt a "thank you" email. I would have been happy with a "thank you" message. But I got nothing.

    My opinion of the dept of Homeland Security as well as the FBI sank immeasurabily as a result.
    • by dclocke (929925) on Wednesday July 12, 2006 @03:08AM (#15703907)

      Unfortunately, the government just doesn't have the resources to investigate every single incident of computer trespassing. It would be nice if they could, but until then I can understand why an intrusion of an ISP mail server would not be very high on their priority list. As many incidents as there are like this that occur every day, it simply isn't possible to follow up on every one. Although, if what you say is true, it seems like you did most of the work for them. Hopefully they would at least file the information away for a rainy day, but my guess is they they didn't.

      However, if this incident caused your opinion of the FBI and DHS to sink that much, I think you may have been overly generous with your opinion of the two agencies to begin with :)

    • I've submitted several well documented (IMHO) "events" to the FBI. I got a call once (RE: hacking of AT&T wireless website for new account sign-up). Didn't go any further. And I got an email another time (fraud) in effect saying sorry, try the local PD.
    • by Anonymous Coward on Wednesday July 12, 2006 @04:00AM (#15703991)
      I submitted what I could. I didn't even gt a "thank you" email. I would have been happy with a "thank you" message. But I got nothing.

      My opinion of the dept of Homeland Security as well as the FBI sank immeasurabily as a result.


      Your error was that you failed to realize what the priorities of these agencies are. Report the incident again only this time put the words 'terrorist' and 'activity' in the subject line. Wait an hour and then turn on the TV, switch to a news channel and you should hear reports of massive USAF airstrikes somewhere in Romania. For shorter response times try adding the word 'Osama' to the subject line. Just be careful when using the words 'bin' and 'Laden' since combining those with the other three in one subject line might lead to a tactical nuclear strike.
    • This guy was just another hacker. If you want homeland security to go after him you need to paint him as a liberal who protests the war or Bush. If he was an arab you would not have to do that but he is a white guy so that's your best bet.
    • I spent a few months not so long ago tracking down a cracker who had compromised a mail server for an ISP. ... He was from Romania ... I called the FBI and they referred me to some web page ...I submitted what I could. I didn't even gt a "thank you" email. ... My opinion of the dept of Homeland Security as well as the FBI sank immeasurabily as a result.

      You do know that FBI is part of the DOJ, not the DHS, right? Surely you also realize that some dork in Romania compromising an ISP mail server is not a cri

  • Outsourcing (Score:3, Funny)

    by Umbral Blot (737704) on Wednesday July 12, 2006 @02:58AM (#15703891) Homepage
    Maybe they shouldn't have been outsourcing. (that's a joke people)
  • by Anonymous Coward on Wednesday July 12, 2006 @03:00AM (#15703894)
    Great now they'll get buried in viagra ads. Guys they aren't trying to steal secrets they just wanted your security down so they can sell you dick pills and cheap pirate software. Oh and by the way that nice guy in Nigeria wants to take money out of your account not put it in.
  • Reality check... (Score:2, Insightful)

    by flynns (639641)
    (1) The classified servers are physically disconnected from the Internet. They have to be.

    (2) Every time I read a headline like this, I remember playing Uplink, and chuckling over the poor bastards when what I did hit the headlines. Somewhere in Korea, someone is chuckling hard.
    • by TubeSteak (669689) on Wednesday July 12, 2006 @05:14AM (#15704086) Journal
      (3) If you compile enough *sensitive information...
      you can end up with a information that would be classified: see (1)

      *limited official use (now sensitive but unclassified), controlled, for official use only, internal use only, variations on sensitive, etc etc etc.
    • (1) The classified servers are physically disconnected from the Internet. They have to be.

      Oh...

      So that's why the VA let's people carry around laptops will million of Social Security Numbers. Because they aren't allowed to connect to a network (via the internet).
    • Yes, there are suppose to be airgaps everywhere around classified systems. On the other hand, wasn't there an incident where a DoD Tiger team used the Internet to access systems on a carrier and through it were able to access a navigation system on an aircraft? Luckily it was a DoD Tiger Team so in the end they didn't attempt to do anything.

      Airgaps are very good security when they are followed religiously. In practice, this is rare because of the requirements for support.

  • by bblboy54 (926265) on Wednesday July 12, 2006 @03:35AM (#15703959) Homepage
    After the State Department break-ins, many employees were instructed to change their passwords.

    The root password is now "god" instead of "sex"
  • by overbaud (964858) on Wednesday July 12, 2006 @03:42AM (#15703965)
    The password for the defense department computers in question was 'Joshua'.

    If you don't get this your not geek enough, hang your head in shame.
    • That's a WOPR of a statement ;)
    • Answer,ROT13, for those that aren't full awake/alive: Sebz gur svyz Jnetnzrf (1983). Frr uggc://jjj.vzqo.pbz/gvgyr/gg0086567/
      • Thanks for the answer even though I don't remember Joshua used in the movie, but then it has been years (only saw it once) since I saw it. :)
    • Oh... So North Korea didn't really fire those missiles?
    • I don't know why, but your posting has left me hungry for a W.O.P.R. I guess I'll head to Burger King or NORAD for lunch.

      Will someone please arrest/sue Matthew Broderick's co-stars. They were the ones that told us all about the "back doors". An obvious national security breach.
    • When my company was using a 3rd party "managed" firewall service, they'd always ask you three security questions before you could open a ticket, make change requests, etc. You were able to create the questions that they would ask you, and then of course specify what the correct answers were.

      One of my questions was: "What is your favorite question?"
      My response had to be: "Shall we play a game?"

      Another question I had was "What is your favorite color?"
      My response had to be "Red, no blue!"

      Most of 'em didn't ge
    • Yes, but was the Global Thermonuclear Warfare game available to be played? If not, I suppose I'll have to settle for tic-tac-doe.

      I just hope they changed the password from "pencil".
  • Keep it off the network!!!
  • by witte (681163) on Wednesday July 12, 2006 @04:02AM (#15703993)
    One has to wonder if this is for real or if this is just another stab at fear-mongering so more propositions to cripple net neutrality / online privacy / ... can be passed.
    If they really experienced that much security breaches I doubt CNN would be allowed to publicize this.

    OTOH, TFA mentions a lot of scary evil things like North-Korean missiles and Chinese Hackers.

    I'm not sure whether I prefer this article to be for real or propaganda, both possibilities imply information warfare on the US people.
    • If all posible scanrios lead to a conspiracy theory maybe you should be thinking about why you see conspiracy theories in all possible scenarios.
      • Thats a pretty subtle way to say I'm a paranoid basketcase.

        Remember that power brings out the worst in people. Show me someone who wants to get on top of the pile and i'll show you someone who will go over corpses to achieve his goal. (If enough is at stake, literally.)
        This may be hyperbolic, but that's the way human society works. The egotistical/powerhungry maniacs that are smart enough to tell the right lies to woo everybody into believing they *need* them (eg. through fear for an external enemy --> "
    • by Meneguzzi (935620) on Wednesday July 12, 2006 @04:28AM (#15704030) Homepage Journal
      I think that news such as these underline the fact that the American's are putting their money on the wrong kind of project for their "homeland security". I bet that monitoring the net and phone traffic of a huge number of people costs quite a great deal of money, money which could have been spent training people to better protect sensitive, or even not that sensitive systems (the tiniest security hole can always widen and become a real liability, if you ask me).
      Wholesale monitoring of communications is as useful as trying to read all the content on the internet, for every useful bit of information you read, you get a 1000 useless bits. So training people to understand the subtleties of "the enemy" would seem a more sensible solution.
      • Yes, but net surveillance is a mechanistic solution, that doesn't depend on anyone to act. Yes, throwing money down a surveillance rathole is going to generate (if you're damn lucky) perhaps a %0.0001 useful data return. But it's nearly assured you're going to get SOMETHING, and in the meanwhile, you can always PROVE to your constituencies that you are doing something useful, even if we all acknowlege it is trivial. It's not all that different from hiring umpteen-gajillion TSA screeners to make airports
    • Did you just say "allowed" to publicize this? You mean the way the other leaks regarding secret and illegal government surveilance was "allowed"?

      Look, if a government is going to be respected by the people and/or the press, they either have to be well organized and competant or they have to use a lot of guns. For the moment, they seem to be using the guns approach as they are arming themselves with laws that are abused on a pretty frequent basis giving law enforcement and the executive unprecedented power
  • by freaker_TuC (7632) on Wednesday July 12, 2006 @04:19AM (#15704016) Homepage Journal
    Nothing news about this; this is a dupe [slashdot.org]; there was already an article before of the US being the #1 destination for Internet traffic.
  • Why bother? (Score:4, Insightful)

    by 99luftballon (838486) on Wednesday July 12, 2006 @04:19AM (#15704017)
    Since most state computer security seems to be so laughably weak. UK 'hacker' Gary McKinnon, currently being extradited to the US, got into US Navy logistics computers by just typing in admin and password to login screens for Windows NT for goodness sake. If the most advanced military force on the planet is using an unsupported operating system I dread to think what the state department's systems must be like.
  • "said U.S. officials familiar with the hacking"

    When did they hire anyone like that? I call their bluff!

    Perhaps they hired some first-rate plumbers - they know how to "hack" into tubes.
  • Disabling security (Score:3, Interesting)

    by Mr. Freeman (933986) on Wednesday July 12, 2006 @04:53AM (#15704062)
    After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet.
    Wait a minute, they actually disabled their security after they got hit with an attack??!? Someone tell me if I'm wrong about secure sockets layer being a security measure of sorts.
    • The department also temporarily disabled a technology known as secure sockets layer
      Wait a minute, they actually disabled their security after they got hit with an attack??!?

      I suspect that was poorly worded. What it probably meant to say was they disabled transfer of encrypted information over the internet, instead opting to just not transfer the information at all.

    • SSL is good news for you when you try to connect to your bank, but very bad ones when you don't know your machine has been changed into a server by a trojan.
      I believe their target were the incoming SSL connexions.
  • stupid security (Score:3, Insightful)

    by Exter-C (310390) on Wednesday July 12, 2006 @05:01AM (#15704073) Homepage
    Any company or government department that has any internet exposed servers that hold critical or sensitive information must be soo stupid they deserve to be broken into. What ever happened to having separated internet from internal servers etc..
    • The problem with government departments 'deserving' this is that it's MY government (albeit not run well, nor by folks I'm particularly proud of) and MY data and MY country that is being put at risk.

      The department may well deserve a drubbing, but said drubbing probably shouldn't consist of their computers which I bought and paid for, being run as part of a botnet by Joe Pyongyang.
  • by Anonymous Coward

    This is a clear case of cracking, not hacking. Please tag this article as such, as if IT experts use the correct tems for activities, maybe the word "hacking" can be saved?

    RMS or such other famous nerd: I'm a hacker
    Justice, influenced by Fox: Off to Gitmo for you then, hacker means computer terrorist.

    • by cshirky (9913) * on Wednesday July 12, 2006 @05:32AM (#15704115) Homepage
      This battle has been fought and lost. The term 'cracker' was a belated attempt to create a good witch/bad witch distinction after the press took a dim view of hacking, but it is totally artificial. To take but one example, Ken Thompson's seminal Reflections on Trusting Trust [acm.org], spends some time moralizing (his word) about the 414 and Dalton gangs, saying "The acts performed by these kids are vandalism at best and probably trespass and theft at worst. It is only the inadequacy of the criminal code that saves the hackers from very serious prosecution." This is from the mid-80s, when breaking and entering was clearly described as hacking by one of the giants of the field. Hacking historically covered all forms of unapproved exploration of computer systems; in a more halcyon time, the gray area was wide, and the black area was not too black. Times have changed, but the fact that some hacking is now explicitly criminal, as Thompson predicted, does not make it not hacking.
  • 1.) Announce problem...place blame on shoulders of nearest competitor in need of demonizing
    2.) Request new budget to deal with problem
    3.) Call architect about new weekend home in the mountains...

    I don't care if it is the local Highway Patrol or Congress, you can bet the only 'problem' these wonks always have is figuring a way to line their pockets.
  • This is why.... (Score:2, Insightful)

    by SupremoMan (912191)
    This is exactly why I am agianst allowing the government to implement OS level backdoor. They will simply lose the information on the backdoor to hackers and then no computer will be safe!
  • I'm wondering whether these are real break-ins, or just the common crap that I am removing from Windoze machines every day?
  • fire the moron who decided that it was okay to put sensitive information in
    a machine that was online.

"Show business is just like high school, except you get paid." - Martin Mull

Working...