Extent of Government Computers Infected By Bots Uncertain 96
Krishna Dagli writes to mention findings by the company Trend Micro on the extent of bot infection in U.S. Government computers. The article by Information Week indicates that, while the 'original' findings were much harsher, the security vendor has since backed down from some of its claims. Still, the extent to which information-stealing software has penetrated our national infrastructure is enough to take note. From the article: "While it may be tempting to discount the warnings of security vendors as self serving--bot fever means more business for Trend Micro--there's unanimity about the growing risk of cybercrime. In its list of the top 10 computer security developments to watch for in 2007, released last week, the SANS Institute warns that targeted attacks will become more prevalent, particularly against government agencies. 'Targeted cyber attacks by nation states against U.S. government systems over the past three years have been enormously successful, demonstrating the failure of federal cyber security activities,' SANS director of research Alan Paller says in an e-mail. 'Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks.'"
Granny != Uncle Sam (Score:3, Interesting)
It's just the Patriot Act (Score:2, Interesting)
Speaking of which (Score:3, Interesting)
Re:Granny != Uncle Sam (Score:3, Interesting)
Neither is yours.
I work for a Federal agency (see my post below) and we have a large number of skilled IT workers (some as contractors, some as Feds) that diligently keep our network up, running, as as safe as several million dollars a year can manage.
For your (and the parent poster's) information, it is not as easy to manage millions of computers spread over the entire globe and keep them as safe as your granny's PC. If you think it is, then you need to find another profession.
Every Department is separately managed and funded. They all have different tasks, goals and operational requirements. Funding is and has been for years, getting slimmer and harder to come by. Virtually every government agency is underfunded just for core operations, never mind little things like computer operations.
If you think this is easy, then try working with us for a while; you'll not be so glib in just a month.
Re:And Yet Still Windows (Score:2, Interesting)
I am not convinced that OSS is really all that more secure than closed-source software. Not saying Windows is not vulnerable (otherwise we wouldn't be having this discussion), but let's be realistic here. The cheif advantage to OSS is the peer-review process, but in a large company like MS, peer review is probably mandatory as well. If you actually look at some of the technology coming out of Redmond, it's not a thousand monkeys banging on keyboards.
I think the real reason that you see so many security vulnerabilities is because you have experts (not just script kiddies, but blackhat experts) trying to break into Windows on a daily basis. Now ask yourself, how many people really concentrate on inflitrating Linux? Yeah. Not that many. The main (but certainly not only) reason Linux is so secure is that people just don't bother exploiting it. The same argument people use about Mac security applies here as well. If Linux took over 90% of the world's desktops and was used to in the majority of US government infrastructure, I bet you'd see a disproportionate number of vulnerabilities and exploits of Linux. Brain teaser: Would Windows be more or less secure if malware authors had access to the Windows source code?
Anyway, I'm not trying to start a flame war by saying Linux's security <= Windows' security. Another of Linux's strengths (and a weakness as well) is its diversity. An exploit will probably only work on a fraction of the boxes exposed. But with One Distro To Rule Them All (i.e., Windows XP, with Automatic Updates), you've got near zero diversity in the genepool. To ensure maximum application compatibility, MS has also ensured maximum malware compatibility. So I think the answer to the Fed's (and public's) problem with malware is to diversify the computing environment.
Re:And Yet Still Windows (Score:3, Interesting)
Government IT jobs are some of the lowest paying and have the absolutely lowest job satisfaction. Government does not want idea people, they want people that will do what they are told without question.
I know, I was there. Started my career as a Government IT employee. Hated it badly, and could not stand the supervisor that knew nothing about IT yet constantly micromanaged us, even telling us to do things that are insane-wrong then yelled when we did exactly what we were told screwed up something. I got my kicks out of listening to the council meetings where he tried to sound like he knew what was going on and knew his job while he threw around random acronyms. Many a public audience member snickered at thigs he said that were way off or nuts.
Funny part was I almost had him approve naming a new file server "PHUCK".... that last week there was the most fun I ever had
Gawd working for Govt sucked, working Govt IT sucked even more.
Re:Granny != Uncle Sam (Score:3, Interesting)
The US government is a large, diverse entity with over a million people working for it in places all over the world. It takes a lot of money to make it work, and as with any government, that money has to be coerced out of the population by law; You don't pay for services, mostly, as you would from, say, your local air conditioning service company.
In a lot of ways, I agree that many of the people, especially in Congress, fit your characterization, as do a few government managers. But by and large, most do not.
Sure, there are managers that don't always focus on the right ways to do things, often becasue they're looking in the wrong direction at the wrong time. But under the current fiscal constraints the government is working under, almost all agancies are working under very tight monetary conditions. It isn't easy for many agancies to just do their core mission, much less things Congress considers fripperies.
As always, it isn't easy to get the management to understand what we in IT need in order to do the job that they ask of us. They are not, after all, technically oriented. We, on the other hand, are technically oriented, but not always able to properly communicate to them in language they understand just what we need. So the wheel turns, and things some time go to shit.
But guess what? Things do that in private corporations, too! Or don't you read the news?
if you want to gripe, gripe about managers everywhere, not just in government.
If you'd read my posts, you would see that in my agency, the management is actually paying some attention to us, with good, predictable results.
Re:Don't bet on it (Score:4, Interesting)
Another notable environment I saw was one of the Office buildings in Quantico, VA. Each new building for the most part had it's own network design team that would configure the building prior to people moving in, and they would design and configure everything. Once the regular staff showed up, the design team would hand off control of the network to the local IT department. The guys at the Marsh Center had this down to a science. When I left Quantico, the only thing those networks would get out of their chairs for was to clear a printer jam or replace failed hardware. Everything else was locked down, automated, network pushed, and other whys control remotely. A truly beautiful environment for both the IT support team, and us developers.
-Rick