US Government Computer Security Evaluated 205

Logic Bomb writes "Yahoo is carrying a wire story about a report by the House Subcommittee on Government Management, Information and Technology. It gave the US government an overall grade of D- on computer security. That probably isn't a big surprise, but the details of the report are scary -- the Department of Defense got a D+. Isn't that lovely? The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems. My guess is the latter."
  • by stubob ( 204064 )
    as long as no one screws up the curve, they're good.

    -----
  • by hiryuu ( 125210 ) on Monday September 11, 2000 @10:28AM (#787414)

    ...people are wary of Carnivore, and don't believe the FBI's assurances of security and propriety. Any system that can be abused will be abused.

    In addition, cracks in the system put huge caches of taxpayer and proprietary business information at risk of inappropriate disclosure, GAO said.

    Perfect examples of why inefficiency/inadequacy are a definite risk.

  • In spelling class D stands for "You Suck"
    ----
  • The computer was named "Enterprise". On the bottom of the keyboard was a sticky with the word "Picard" on it. Yes, it was the root password. Similar stickies were to be found on the bottom of nearly every computer in the place.

    I doubt if you would even need the stickies to get root on the other systems:

    telnet voyager
    login: root
    password: *******


    telnet ds9
    login: root
    password: *****

    ---------

  • Computer security at the Central Intelligence Agency was not rated ``because of the nature of its work'' but the spy agency gave a classified briefing to panel members, subcommittee spokeswoman Bonnie Heald said.

    Well of course... what else would you expect? They would have to report all the hacks/cracks they have had. I'm certain the other departments would have gotten away without public disclosure if they could. What about the FBI, NSA, etc.?


  • Here at the USPS, that is *exactly* the case. Other than myself, there are about five other people in this entire facility (app 500 people) with a clue.

    The reason being that once people get a clue, they usually decide they want to get paid for having one and go elsewhere, thus this place turns into a training camp.

    Government policies have an extremely hard time keeping up with the 21st century in a lot of ways. To pay people more money takes more political BS than I think most people realize. There are set positions with set salaries, and computer programmers are no exception, even though these salaries are about half of what you can find elsewhere.

    Additionally, you must go through far too much red tape in order to get anything accomplished, even when you know what you're doing.

    Now, the one big benefit of working for the government is the bottomless pit of money. My team (5 people) has our own development environment of a Sun Enterprise 6500 and five 4500s. You don't get that in many other places.

    Aside from that, the quality people that are still here enjoy what they do, and that's about all that's keeping them here.
  • I have a friend, who is a foreign national, working at a DOE lab on ENTIRELY nonclassified, nonsensitive research. All classified activity is separated from the unclassified world by an air gap - totally beyond their reach, as it should be.

    HOWEVER: The network they have to work on was only recently put behind a firewall. And before that, foreigners like them were especially vulnerable because they would not let them use ssh for Export Control reasons!

    So a policy intended to "protect" U.S. interests, actually placed their own networks at risk!

  • From the Post:
    The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems
    A third possibility is that the grades were issued for political reasons, and therefore may bear only a limited relationship to reality. The original report was issued by the General Accounting Office, which has a reputation as being authoritative and non-partisan, but the GAO did not issue "grades". The "grades" (which are more value-laden, and have more PR appeal) were issued by a House committee, which is controlled by the Republicans. And they are criticizing governmental departments, which are controlled by the Clinton/Gore administration. In particular they are criticizing the technology performance of those departments, supposedly a Gore strong-point.

    Can you say "Election Year Politics"?

  • Actually, the advantage to pressurized pipes is that if somebody cuts into the pipe to get at the cable, you know just by glancing at a pressure meter. Filling them with nerve gas would be crazy; it would be damn near impossible to service them in a timely manner. And some idiot with a backhoe could wipe out the entire campus.
  • This "grading", as far as I can tell from the article, was done by, in all likelihood, a bunch of 75 year old bastards who couldn't f***in' turn on their computer without help from their 18 year old sex to.... I mean assistants. So they are operating on second hand knowledge from people who aren't even listed. And what about this "gained access almost every time"? How many times did they try, and did they friggin have a printout of every employee's password... There are some things missing here from the article that I would like to see before I pass judgement... That's just my two cents though.... -Craka
  • At my original college, F is for fun =)

    ---
  • the general consensus from them seems to be this: most of the good, talented technology people (security, programming, etc.) bail out of military/gov't service because of the lousy pay (as compared to the commercial world), poor working conditions, and mis-management. As near as I can tell from talking to these people, the gov't wants security and quality without spending the needed amounts of money and (perhaps more importantly) energy on it.
    I'd call that a fair assessment. I'd caution that there is still a fair amount of talented individuals in Gov't service - mainly because they believe in the mission of their appropriate department. But even these dedicated workers may not be allowed to improve the situation.

    My case...

    The leader of my department's HQ info security team once commented to my center's Asst. Director of IT "You have a lot of really good people working here... too bad none of them work for you." It was a stunning statement - and painfully true. IT is largely farmed out to contracts across the center. If you want an IT job at the center, most likely you'll be a contractor.

    While this brings up questions of trust and conflicts of interest, it also creates a bigger problem - budget. Contracts are awarded to the lowest bidder, even if that bid is ridiculously low. The contract I worked for was reasonably sane, but still very tight. The fact that the company counted on a thrift bonus each quarter only increased the challenge. This led to bare minimal staffing; more work for fewer workers. We had to be very careful to ensure that we only spent time on things we were going to be credited for. Do what you are paid to do - nothing more. And we weren't paid to do info security.

    I, and a few coworkers, had an interesting exception. We were considered an important part of the info security community at the center and were included by the department. The contract made allowances for this since it brought good visibility. But we still had our "real" jobs to do. More work.

    So while the center was becoming very clueful about infosec, it was not funding it. There had been some talks about improving this situation, but last I heard the talks had taken a bad turn. When it came to budgets, security had a hard time making the cut.

    The lure of decent pay, and small perks such as a training budget proved too much for me. I left my gov't job for private enterprise. And so did one of my co-workers (actually, the department has taken huge hits as IT workers have left in droves after dealing with worse contracts than mine - I often wonder how they're keeping things going). In fact, my new corporate team has recently recruited talent from a wide sampling of US Gov't organizations.

    That alone is probably pretty telling.

  • Well, it's easy enough to use a SecurID or similar scheme, where you have a little LCD screen that is constantly cycling passwords according to an algorithm. Or better yet, the challenge/response system where it gives you a string of alphanumerics, you key it into your little calculator-like thingy, and it spits out the response. If you're using static passwords, social engineering is the least of your worries.
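The two token schemes the post describes, a display that cycles codes over time and a challenge/response calculator, as an added example of how a server verifies such codes and why a captured code is worthless a minute later. This is illustrative code written for this page, not the post's own and not RSA's proprietary SecurID algorithm: it uses the public HOTP construction (HMAC-SHA1 with dynamic truncation) from RFC 4226, and the keys, step length and challenge values are constructed here.

```python
# Added example: time-stepped and challenge/response one-time codes.
# Not SecurID's algorithm; this is the HOTP construction (HMAC-SHA1 +
# dynamic truncation) from RFC 4226. Keys and parameters are constructed.
import hashlib
import hmac
import secrets
import struct
from typing import Optional

DIGITS = 6  # code length shown on the token's display


def dynamic_truncate(mac: bytes) -> int:
    """RFC 4226 dynamic truncation: a 31-bit window chosen by the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    (word,) = struct.unpack(">I", mac[offset:offset + 4])
    return (word & 0x7FFFFFFF) % (10 ** DIGITS)


def hotp(key: bytes, counter: int) -> str:
    """Counter-based code: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return f"{dynamic_truncate(mac):0{DIGITS}d}"


def totp(key: bytes, now: int, step: int = 60) -> str:
    """The 'constantly cycling' display: the counter is the current time step."""
    return hotp(key, now // step)


class TotpVerifier:
    """Server side of the cycling display: tolerates +/- `window` steps of clock
    drift, and remembers accepted codes so one cannot be replayed in its window."""

    def __init__(self, key: bytes, step: int = 60, window: int = 1):
        self.key, self.step, self.window = key, step, window
        self.used = set()  # (counter, code) pairs already accepted

    def verify(self, code: str, now: int) -> bool:
        for d in range(-self.window, self.window + 1):
            counter = now // self.step + d
            if (counter, code) in self.used:
                continue
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.used.add((counter, code))
                return True
        return False


def challenge_response(key: bytes, challenge: str) -> str:
    """What the calculator-like device computes from the server's challenge."""
    mac = hmac.new(key, challenge.encode("ascii"), hashlib.sha1).digest()
    return f"{dynamic_truncate(mac):0{DIGITS}d}"


class ChallengeServer:
    """Issues a fresh random challenge per login and accepts each one only once,
    so a response captured on the wire or shoulder-surfed is useless later."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding: Optional[str] = None

    def new_challenge(self, challenge: Optional[str] = None) -> str:
        # `challenge` may be supplied for deterministic tests; normally random.
        self.outstanding = challenge or secrets.token_hex(8)
        return self.outstanding

    def verify(self, response: str) -> bool:
        if self.outstanding is None:
            return False  # nothing issued, or the challenge was already consumed
        expected = challenge_response(self.key, self.outstanding)
        self.outstanding = None  # single use, even when the response is wrong
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 test key, used here as a constructed secret
    print("code for time step 0:", totp(key, 0))
    server = ChallengeServer(key)
    c = server.new_challenge()
    print("challenge", c, "accepted:", server.verify(challenge_response(key, c)))
```

The point the post makes shows up in the two verifiers: a static password is the same string every time, while here a stolen code is tied to a time step or to a challenge that is consumed on first use, so the social-engineered or sniffed value expires on its own.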
  • Damn,.. only got a TRS80...... shit.

  • It created the Internet.

  • Of course they passed! If they failed, they couldn't play football next semester!

    Jeez people, get with the program... You're forgetting your priorities!

    The REAL jabber has the /. user id: 13196

  • To be honest, I don't personally care if it is election year politics or not. I don't want sensitive information regarding things like SSN, tax information, or any other materiel to be able to be seen, malarkyed with, or erased. If congress is trying to discredit the current administration for problems, well, Al Gore did claim to be the father of the Internet, maybe he deserves a little heat for stupid claims not thoroughly thought out.
  • It says 'system' directories, and setting this would be like users having access to /etc/* (on a Unix system) as opposed to /home/luser/*. This is a problem for two reasons. 1) No, you can't trust local users not to break/sabotage something if they have a chance. 2) When users have incorrect permissions it gives outside 'crackers' more chances to compromise an account that has the right to do real damage; in this case, 1100 chances. I do agree that an explanation of the grading system would be useful.
  • Or in college: D is for Diploma!

  • by Grasshopper ( 153602 ) on Monday September 11, 2000 @10:29AM (#787432)

    I work for a government agency (USPS), and while my experience with them deals only with internet and intranet applications, it's worth noting that the biggest obstacle we face (and likely the other government agencies as well) is the pride of the people that create insecure applications.

    If you happen to read something on slashdot, such as the IE cookie exploit, then dare report it to a division using cookies for sensitive information, you just get a heated debate.

    It took me no more than thirty minutes to compromise the "secure" cookie of their application, and it contained sensitive information that could compromise the entire application in plain text!

    Fortunately, the right people (suits) got wind of my experiment, and this security hole is actually being dealt with. With all the effort it takes to get people to open their eyes, I can understand why nothing gets done about such issues.

    It's really like testing someone's program, only to have your feedback ignored.

    What's the point?
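The weakness the post describes, sensitive application state carried in a cookie in plain text, beside the usual fix, as an added example written for this page (not the USPS application's code; the field names, the secret and the sample session are constructed). The weak design lets the client edit its own authorisation; the hardened one sends only an unguessable, HMAC-signed session id and keeps the state on the server.

```python
# Added example: the two cookie designs contrasted in the post.
# Not the application's code; names, secret and sample state are constructed.
import hashlib
import hmac
import secrets
from typing import Optional


# --- Weak design: application state travels in the cookie, in the clear ---
def plaintext_cookie(fields: dict) -> str:
    """Cookie value that simply serialises state such as user=alice;role=user."""
    return ";".join(f"{k}={v}" for k, v in fields.items())


def parse_plaintext_cookie(value: str) -> dict:
    """The server trusts whatever comes back, so editing the string edits the state."""
    return dict(item.split("=", 1) for item in value.split(";") if "=" in item)


# --- Hardened design: opaque, signed session id; state never leaves the server ---
class SessionStore:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.sessions = {}  # session id -> state, never sent to the client

    def _sign(self, session_id: str) -> str:
        return hmac.new(self.secret, session_id.encode("ascii"), hashlib.sha256).hexdigest()

    def create(self, state: dict) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable and carries no information
        self.sessions[sid] = dict(state)
        return f"{sid}.{self._sign(sid)}"

    def load(self, cookie: str) -> Optional[dict]:
        sid, sep, sig = cookie.rpartition(".")
        # Reject forged or tampered cookies before touching the store; the
        # constant-time compare avoids leaking how many signature bytes matched.
        if not sep or not hmac.compare_digest(self._sign(sid), sig):
            return None
        return self.sessions.get(sid)


if __name__ == "__main__":
    weak = plaintext_cookie({"user": "alice", "role": "user"})
    print("weak cookie:", weak)
    print("after client edit:", parse_plaintext_cookie(weak.replace("role=user", "role=admin")))
    store = SessionStore(b"constructed-server-secret")
    cookie = store.create({"user": "alice", "role": "user"})
    print("signed cookie carries no state:", cookie)
    print("tampered cookie loads as:", store.load("x" + cookie))
```

In a real deployment the cookie would also be marked Secure (and HttpOnly where the browser supports it) so it is not exposed in transit or to script; signing alone only stops the client from forging or editing it.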


  • Name one thing the government does well. Grand prize is a cookie.


    Bowie J. Poag
  • Ironic... if the government fares so poorly for its own security, then wouldn't it be logical that their own tech for monitoring/big brothering the Net sucks? Perhaps there are assumptions that carnivore 'works.' Granted, it would help to see the code to determine this, but wouldn't the odds be strong that carnivore does not work as well as the claims? Do we really have anything to fear?

    Maybe they talk the talk but don't code the code...
  • by Crash Culligan ( 227354 ) on Monday September 11, 2000 @10:31AM (#787435) Journal
    "typical of what you'd find in most Internet-linked systems"??

    Sorry, doesn't wash.

    Many /.ers out there know that the Internet is very hard to secure. But they also know that it can be done with a good deal of practice and knowhow. So I'd say it's not that. I'd say it's more likely poor government performance that we're seeing there.

    Ideally, the government should have the highest security and technological savvy of any entity in the country, in order to protect its citizens from threats from outside the country.

    (Ideally, the government should also be protecting the rights of the citizens too rather than chipping away at them with an espresso spoon wherever any cartel like the MPAA or RIAA tells them to, but that's another rant entirely.)

    So what's wrong? Either:
    a) they don't have the knowhow to maintain system security, or
    b) they have the knowhow, but aren't utilizing it correctly.

    I'd like to see a correlation of government salaries in relation to similar positions in private industries. If they're dissimilar, and the government pays its workers less than the private sector, then I think it'll be safe to say where the talent's gone...
  • LOL, I posted in the wrong thread.
  • The government might just lose its reputation as one of our finest, most efficient, best run organizations.
  • Which web sites got a good grade?

    I mean yeah, the government doesn't have the best web masters. They are not always the best people; maybe they just want to get a page or two up to try and stay current with the technology of the time. It's not like the people needed to properly secure a system are cheap. And the government doesn't work FAST, so it's not like they can just go and hire these people whenever they need them.

    I guess what I'm really trying to say is that you should take what they are saying with a grain of salt. Some reporters are just trying to make the gov look bad.

    So what kind of internet box is safe? A box behind a router that only lets connections in on one randomly chosen port to a SSH connection where the password to log in is determined by a predetermined seed to a SecurID card? Given enough time and pressure, anything is breakable. The only truly secure information doesn't exist. (They are dumb quotes, I made them up)

  • No! No! No! No! NO!

    "The Norm" is that guy who drank lots of beer on "Cheers"!

  • (sorry for the multiple post, but..)

    I suppose, since the US Military made their bed with the creation of TCP/IP, they now must lay in it! Get real, it's an ivory-tower protocol to begin with. Should the average user be able to traceroute machines; the little packets revealing the IP's of every system they swim past along the way?

    Aren't "system security" websites creating more problems than they solve? Does a hard-working system administrator have as much time to read "rootshell.org" as a mischievous twenty year old college kid? If said college kid finds an exploit, compiles and uses it while you're out of the office, before you're even aware of it, does it mean you're a bad administrator?

    Considering the level of knowledge distribution on the internet, particularly in the areas of networking, OS function, and security exploits/patches, can the "good guys" truly *ever* be that much ahead of the "bad guys"?

    To compound the problem, owners of ISP's don't need to demonstrate any level of competency to purchase IP's; only supply the necessary funds. So basically any idiot with just enough smarts to get online creates a wonderful opportunity for the hacking elite. Spoof an IP here or there, root the Acme ISP, wipe their log files, and hop out from there - Exploit away!

    Perhaps if the federal government applied the same type of licensing to the purchasing of IP addresses as they do FM & AM radio frequencies, and held the OWNERS of said IP's responsible for the usage of same, AND required some sort of certification process to even QUALIFY, 75% of the "computer security problem" would go away IMMEDIATELY?

  • DoD is slightly surprising, but hints at their arrogance - they believe they are superior and no one would be able to crack them.

    I wonder who this bunch was. I work for a defense contractor, and none of the machines in the building which are on our internal classified network are connected in any way to the outside world. I'm posting this from my unclass PC. :)

  • Hide your harddrives behind the Xerox machine!
  • This is all good (or not good) and whatnot, but what systems did they test? Did they try to hack the NSA computer security systems? Or did they simply peer at thomas.loc.gov?

    I have a little more faith in the DoD protecting information. Hopefully they don't even place top secret data on machines connected.

    hobbz
  • by tdrury ( 49462 ) on Monday September 11, 2000 @11:35AM (#787444) Homepage
    I don't know where those people worked, but where I worked doing DoD research we had pretty severe restrictions. For a while all the computers had to be Tempest approved (for low emissions). If not, they were used inside "the can", which was a large metal room within another room. Both had massive combination locks on them and motion sensors. Once, we were throwing network cables above the drop-ceiling - we didn't know about the motion sensors - and when they went off we all shit a brick.

    All machines had removable hard drives that would be locked in safes. After use, the hard drive was removed and the machine's power was cycled. None of these machines were networked. The only network was within "the can" and that didn't go external.

    When photocopying classified, you had to run blank sheets through the copier when finished. And you had to have a second person with you to check everything when you were done.

    When classified was to be destroyed (and that isn't easy to get approval for) we had an incinerator in the building for it. We all wondered if we could use it to cremate deceased pets....

    We were a part of a University with many foreign nationals. Part of the CS school had facilities in our building where the students would go. When security found out they kicked all foreign nationals out of the building. We lost a couple of good grad students because of it.

    Security violations were severe since we could potentially lose all funding if our clearance was revoked. Auditors came around yearly and quizzed randomly on procedures.

    All in all, it wasn't a huge hassle to do all this stuff - it was part of the routine. Of course, I avoided classified work as much as possible...

    -tim
  • by duncan ( 16437 )
    for a group that relies on Microsoft products primarily, this does not surprise me.


  • Could you do me a favor and ask your friend where my company would be able to order a few of those posters? We could really use the security upgrade over here.



    Seth
  • by SEWilco ( 27983 )
    That's the Department of D+efence now.
  • by AntiTuX ( 202333 ) on Monday September 11, 2000 @10:15AM (#787452) Homepage
    Hey man, at least they passed :)
  • "We don't want to hurt your feelings. You're a year older, so we'll pass you on to the next administration. Work harder next year, you bureaucracy."
  • I think it's the fear of getting busted by the government is what keeps most attacks at bay for the gov sites. It still doesn't help our national security.
  • by TheDullBlade ( 28998 ) on Monday September 11, 2000 @10:18AM (#787457)
    Haven't any of you watched War Games?

    Any kid with a C-64 can hack the Pentagon and set off a nuclear war.

    Uh, it was a historical recreation, wasn't it?

    --------
  • by TheDullBlade ( 28998 ) on Monday September 11, 2000 @10:32AM (#787459)
    For an A, the computer must be vaporized by a nuclear blast.

    For an A+ the computer must be hurled into a black hole (some information might be gathered from the trajectories of the particles thrown off by the nuclear blast).

    --------
  • you see, the problem with the government is they don't like to fix potential problems. I saw firsthand an example of this. The bandwidth of the new system was going to overpower the network. We knew it, we told them, they said it would be fine. So we switch on, it blows up. So now we've got to rewire this kludged/patched/duct taped network all the while the users are screaming at us for breaking their system. I don't think I can say any more specifics, but this did make the news last fall at the unclassified level.

    As for the famous $500 hammer, that was probably still the lowest bid.

    -----
  • Yes, certainly trust is a good thing, but would you trust 1100 people, even if you worked with them, with:
    1) sensitive data
    2) write permission on system executables/conf files
    3) read or write access to /etc/shadow

    Even the best hiring practices and background checks are likely to miss maybe 1% of the bad apples. So I would be willing to bet that there are at least 2 or 3 people in the organization that would be willing to use the info naughtily or use bad permissions to gain root.
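The permission problem raised in this post and in the earlier one comparing /etc/* with /home/luser/* (ordinary users able to write system executables and config files, or to read /etc/shadow) is something an administrator can check for mechanically. The following audit is an added example written for this page, not a tool from the article or the discussion: it walks the system directories under a root, flags group- and world-writable entries and secret files readable by anyone but their owner, and builds its demo tree in a temporary directory with constructed modes so nothing on the real system is touched. Pointing `audit_tree` at `/` would audit a live host.

```python
# Added example: audit for user-writable system files and readable shadow files.
# Not from the page; the demo tree, its file names and modes are constructed.
import os
import stat
import tempfile

SYSTEM_DIRS = ("etc", "bin", "sbin", "lib", "usr")      # audited subtrees
SECRET_FILES = {"etc/shadow", "etc/gshadow"}            # must be owner-only


def audit_tree(root: str):
    """Walk the system directories under `root`; return sorted (relpath, issue) pairs."""
    findings = []
    for top in SYSTEM_DIRS:
        for dirpath, dirnames, filenames in os.walk(os.path.join(root, top)):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # the link target is judged when the walk reaches it
                mode = stat.S_IMODE(st.st_mode)
                rel = os.path.relpath(path, root)
                if mode & stat.S_IWOTH:
                    findings.append((rel, "world-writable"))
                elif mode & stat.S_IWGRP:
                    findings.append((rel, "group-writable"))
                if rel in SECRET_FILES and mode & (stat.S_IRGRP | stat.S_IROTH):
                    findings.append((rel, "secret file readable by group/others"))
    return sorted(findings)


def build_demo_tree() -> str:
    """Construct a miniature filesystem mixing sane and broken modes."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    layout = {
        "etc/passwd": 0o644,         # fine: world-readable by design
        "etc/shadow": 0o644,         # bad: password hashes readable by everyone
        "etc/hosts": 0o666,          # bad: any user can redirect host names
        "bin/ls": 0o775,             # bad: group members can replace a system binary
        "bin/cp": 0o755,             # fine
        "home/luser/shared": 0o664,  # user's own area, outside the audited dirs
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.chmod(path, mode)  # chmod sets the mode exactly, unaffected by umask
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    return root


if __name__ == "__main__":
    for rel, issue in audit_tree(build_demo_tree()):
        print(f"{issue:40} {rel}")
```

Group-writable is reported separately from world-writable because the post's 1100-user scenario is usually a group grant: a broad "staff" group with write access to /etc or /bin hands every member the ability to plant a trojaned binary, which is the "right to do real damage" the earlier post mentions.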
  • And in related news, Microsoft has announced today that they will be submitting a proposal to the government that will outline a plan to quote "replace all those nasty, old 20th century *nix systems with state of the art 21st century Windows 2000 servers."

    The company spokesperson went on to say that "organizations can not take full advantage of all the innovations(TM) in Microsoft software until viruses like Linux are purged from the network."

    Linus Torvalds was not available for comment.
  • The intro movie to the first System Shock game.
    I would kill to see some script kiddie wet his pants as his door gets kicked in and laser scopes all situate themselves on his forehead...after using a root kit. Big Brother would have its advantages!

  • I don't usually respond to idiots, but in your case, I'll make an exception.

    Most system administrators in the government are doing it as an additional duty to their regular job. They have a limited amount of time to spend on system administration, which besides security, includes keeping software updated, doing backups, troubleshooting and fixing network and system problems.

    In an ideal world, there would be full-time system administrators and security specialists to keep the systems secure and running smoothly. The reality is that very little money is budgeted for security or anything else that is perceived as not directly contributing to the mission.

  • none of the machines in the building which are on our internal classified network are connected in any way to the outside world

    This is how I assumed most of the government systems were. That was why Wargames seemed so trite: it was based on the idea of a system linked to the system capable of launching nukes being accessed from an outside telephone. The best digital security is simply to allow no outside access. A stand-alone comp can't be hacked remotely...of course it tends to be less useful than a networked one.

    I would think the DoD would have a clear concept of compartmentalization as a security method.

  • by kabir ( 35200 ) on Monday September 11, 2000 @10:36AM (#787484)
    The main problem with government security is that it must be enacted by government employees. Now, I'm not saying that government employees are inherently stupid, or anything like that. But I have run into a lot of security guys who are ex-gov't or ex-military, and the general consensus from them seems to be this: most of the good, talented technology people (security, programming, etc.) bail out of military/gov't service because of the lousy pay (as compared to the commercial world), poor working conditions, and mis-management. As near as I can tell from talking to these people, the gov't wants security and quality without spending the needed amounts of money and (perhaps more importantly) energy on it.

    That pretty much leaves the security in the hands of folks with little or no experience. Based on that the report isn't surprising at all.

    Of course, this is all second hand information. Perhaps some military/gov't (or ex) security folks here on /. (c'mon, we know you're here) could pipe up and correct me if I'm way off base?
    --

  • by KFury ( 19522 ) on Monday September 11, 2000 @10:39AM (#787488) Homepage
    For an A+ the computer must be hurled into a black hole (some information might be gathered from the trajectories of the particles thrown off by the nuclear blast).

    Heck no. Then it could pop out anywhere! Then there's time machines...

    No, I'm sorry. The only way to get an A+ is to do everything without records in a haphazard fashion, without even knowing why you're doing it yourself.

    Oh, wait a minute...

    Kevin Fox
  • It gave the US government an overall grade of D- on computer security. The Department of Defense got a D+.

    Actually, that's a small typo. The Pentagon was trying out their new structured language, D++, and got it confused with the please-rate-your-network-security form they had to send back to the House Subcommittee.

    --

  • Hmmm, Hawking's not into security?

    I think I'll go do a bit of "tweaking" and have fun playing a real life version of Frogger with a guy in a wheelchair...

  • Anyone feel like coding the SendNerveGas( ) API?
    Make it a COM object and a JavaBean. That way, you can call it from all of your apps, and build in that physical security that can only be guaranteed by DNA-altering, instantly fatal nerve gas.
  • by x-empt ( 127761 ) on Monday September 11, 2000 @12:02PM (#787500) Homepage
    Walkin.

    Find a corner with nobody around.

    grab a cat-5, split wires off into a wireless transmitter.

    hide cable away under a desk.

    park a vehicle in parking lot of building with receiver inside, dumping to a laptop.

    steal social security #s (most are unencrypted networks), personal info, address info, drivers license info, etc.

    Enjoy. Guaranteed to work at your local DMV!
  • by jsm ( 5728 ) <james@jmarshall.com> on Monday September 11, 2000 @10:42AM (#787505) Homepage
    The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems.

    ... or, more likely, it's a report done by a Republican Congress to discredit a Democratic administration. They've been doing this all year. For example, when Bill Richardson (a Hispanic and therefore politically valuable) was a front-runner for the Democratic VP slot, Congress brought as much media blame as possible on him for apparent security leaks in the Energy Department.

    FYI, Congressional panels and committees are generally controlled by the majority party of that branch of Congress, even when they're called "non-partisan".

    I'm not endorsing Democrats or slamming Republicans here, I'm just pointing out politics as I see them. The same thing might happen if the parties' roles were reversed. I am neither Democratic nor Republican.

  • The government has never really been too "security-conscious" as far as I'm concerned.. just look at all the breakins that government agency websites have experienced in the past, and still experience - or the breakins that were publicized at least.. who knows how many more systems were just cracked into.

    Of course the government is also in something of a double blind. If they actually institute security sufficient to keep all crackers out (presuming that such a thing is actually possible) they get accused of being paranoid and spending too much on security. If they relax to the point that there are breakins, people will be unhappy because they aren't taking security seriously enough. And, of course, for a lot of levels of security they get hit from both sides because their security still isn't good enough to please the security conscious, but their expense and paranoia are too much to please the other side.

    Of course that's not to say that the current situation is a good middle ground. It sounds very much as though they're trying hard to achieve security but still not managing to do so, which is the worst of all possible situations. Still, though, you have to be at least a little bit sympathetic to the fact that the government gets very mixed signals about what people want it to do.

  • by Shoeboy ( 16224 ) on Monday September 11, 2000 @10:44AM (#787509) Homepage
    Tragically, www.fbi.gov has huge security weaknesses. They left port 80 open, allowing us 31337 haxors to connect. Once connected, we can send specially formed packets known as "|-|77P R3qu3575" to the remote host and retrieve files.
    The government should just pack it in.
    There's no way to protect a system from the likes of me.
    --Shoeboy
  • I was watching this with about 10 other engineers one night in a dank basement apartment on a small crappy TV. We got to the part where WHOPR (or whatever the supercomputer was called) was hacking the launch sequences digit by digit. My friend pipes up,

    "Why doesn't it just check the .launch file?"

  • by Anonymous Coward on Monday September 11, 2000 @10:57AM (#787512)
    I worked with a DoD contractor (software development) for a while. The people taking care of the company web site were former NSA and military. And not long out of the DoD, either.

    In dealing with these people, I have found that while there are some smart people in the military, there aren't many. For example: I sent an e-mail to a software developer in Russia (he had some GPL'd stuff we were using). Two days later, I was called in to the IT department and threatened with termination for "letting the Russians know we have an IP address!". I wish I were kidding you.

    Another example: we needed a new e-mail server for one of the offices-- maybe thirty accounts. I talked with one of the guys, mentioned perhaps using OpenBSD and Sendmail. I asked him about it a few weeks later, and the response was: "No, a lot of our guys attach Microsoft Office documents to their e-mails, we need to make sure the server is compatible." (and this server was NOT supposed to scan documents and attachments for viruses).

    Why does the DoD have such shitty security? They have idiots in charge. Idiots that talk a big talk, but have no fucking clue. They sling buzzwords around, they take credit for the other guys' work, and they get promoted with maximum time and grade. The military doesn't know the difference between a competent soldier and an incompetent soldier. God, it's irritating.
  • by Anonymous Coward on Monday September 11, 2000 @10:44AM (#787513)
    Strangely enough, it came out at the same time as E.T., which basically told the public that extraterrestrials are our friends -- which, of course, couldn't be any farther from the truth.
  • Around here, people continually circumvent routine security restrictions.

    When I was in the military we had 3 guys supporting a 400 workstation network with 1100 users. Security! It was hard enough to explain to everyone that pressing the button on the monitor won't turn the computer on. There was no time or resources for security.

  • Attributed to David A. Guidry:

    network security:

    1. Kill all your users.
    2. Remove all accounts.
    3. Detach network and dialups.
    4. Turn off machine.

    So rather than encasing the computer in titanium and dumping it in the pacific ocean, we do that to the users. After all, computers don't cause computer insecurity -- people do. So securing the computer is peripheral (not to be confused with peripherals).

    Of course, we have to be careful when suggesting things like #1 to the US Government. After all, national security is paramount...

  • On the contrary, most of the non-classified networks are on NT domains, which are possibly being converted to 2000 domains later this year. (I'm speaking from experience, but also of only Air Force sites.) Hence the implementation of SMS and the like. (Though I'm still amused that the AF bought L0phtCrack and didn't even spell it right on their lil slide show for me. :P )

    Now, on the topic of the more sensitive networks, they are (to the best of my knowledge) typically M$ systems connected onto a *nix server. However, these systems are not (supposed to be) connected to any outside network. Higher-sensitivity systems (I hope) are using a more secure system, but for the most part, we're, um.....not.

    In reference to the sysadmins on .gov and .mil sites, well, I have to agree with you there; the ppl who knew what they are/were doing are few and far between and have primarily left for civilian jobs with a real paycheck and maybe even some benefits.

    I mean, government pay scales suck!

    --Can't argue that one....not at a lil over $1200 a month....

  • We aren't allowed to turn off executable attachments, or even "speed bump" them, because "somebody might need them."

    Sounds like General Motors... :) Of course, we have Lotus Notes, so executable attachments are already "speed bumped".

  • by Xerithane ( 13482 ) <xerithane.nerdfarm@org> on Monday September 11, 2000 @10:45AM (#787531) Homepage Journal
    Back in the good old days of college years, I served as an intern for NASA. Part of my experience there was monitoring security processes for our group. There really weren't any. We were handling classified information, including some military inventions and devices for our project, and some of our trusted boxes (there was RSH used with .rhosts) were out-of-the-box Red Hat 4.2 with no additional security precautions. I changed that as soon as possible, but the night before the last machine was to be worked on, it was broken into... how's that for irony.
    However, my experience with commercial networks has been a lot worse. One company had two separate networks, connected by a machine with two NICs, and it was expected to filter traffic between the two. Rather amusing approach to segregating between a private and public network. Their only problem is the gateway between private and public had an ancient version of sendmail serving mail as well.
    Ahh.. I love the smell of poor management in the morning.

    nerdfarm.org
  • The report said accounts often remained open even after employees or contractors wound up their employment; access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users.''

    Egad! This is horrible...

    They really don't have someone working in the US government who enjoys his job as a systems administrator. On more than one occasion I have taken joy in removing the user's account before they have received notice of termination. We have a very aggressive policy on privileged users... and in fact I have had employees admit to first believing they had been fired when in reality they had encountered authentication problems due to system failure.

    It is a twisted world we live in, and I add a few more turns every day.
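    The two findings quoted in this post, accounts left open after employees or contractors leave and broad privileges handed to very large groups, are exactly what a periodic reconciliation of the account export against the HR roster is meant to catch. The Python below is an added example, not code from any poster or from the GAO report; every record, group name and field name in it is constructed for illustration.

```python
# Added example (not code from any poster or from the GAO report): reconcile an
# account export against an HR roster to catch the two findings quoted above.
# Every record, group name and field name below is constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str               # HR id of the person the account belongs to
    groups: frozenset           # group memberships from the account export
    last_login: Optional[date]  # None = never logged in


@dataclass(frozen=True)
class Person:
    person_id: str
    end_date: Optional[date]    # None = still employed or under contract


# Groups that grant access to sensitive directories or settings (assumed names).
SENSITIVE_GROUPS = frozenset({"sysadmin", "payroll-write"})


def stale_accounts(accounts, roster, today, grace_days=0) -> List[Tuple[str, str]]:
    """(username, reason) for accounts whose owner has left or is unknown to HR.
    grace_days allows a short handover window after end_date before flagging."""
    people = {p.person_id: p for p in roster}
    flagged = []
    for acct in accounts:
        person = people.get(acct.owner_id)
        if person is None:
            flagged.append((acct.username, "owner not in HR roster"))
        elif (person.end_date is not None
              and person.end_date + timedelta(days=grace_days) < today):
            flagged.append((acct.username, f"owner left {person.end_date}"))
    return flagged


def dormant_accounts(accounts, today, max_idle_days=90) -> List[str]:
    """Usernames never used, or unused for more than max_idle_days."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a.username for a in accounts
            if a.last_login is None or a.last_login < cutoff]


def overly_broad_groups(accounts, max_share=0.25) -> Dict[str, int]:
    """Sensitive groups holding more than max_share of all accounts, as
    {group: member_count}. The report's "all 1,100 users" case is share 1.0."""
    counts: Dict[str, int] = {}
    for acct in accounts:
        for group in acct.groups & SENSITIVE_GROUPS:
            counts[group] = counts.get(group, 0) + 1
    total = len(accounts) or 1
    return {g: n for g, n in counts.items() if n / total > max_share}


# Constructed sample data; the export date is the thread's date.
TODAY = date(2000, 9, 11)
ROSTER = [
    Person("E100", None),               # current employee
    Person("E101", date(2000, 6, 30)),  # left in June, account still open
    Person("C200", date(2000, 8, 15)),  # contractor whose contract ended
    Person("E102", None),
]
ACCOUNTS = [
    Account("alice", "E100", frozenset({"staff"}), date(2000, 9, 8)),
    Account("bob", "E101", frozenset({"staff", "sysadmin"}), date(2000, 7, 2)),
    Account("carol", "C200", frozenset({"payroll-write"}), None),
    Account("dave", "E999", frozenset({"staff"}), date(2000, 1, 3)),  # no HR record
    Account("erin", "E102", frozenset({"sysadmin"}), date(2000, 9, 10)),
]


def run_audit(accounts=ACCOUNTS, roster=ROSTER, today=TODAY) -> dict:
    """Bundle the three checks into one report for a reviewer to action."""
    return {
        "stale": stale_accounts(accounts, roster, today),
        "dormant": dormant_accounts(accounts, today),
        "broad": overly_broad_groups(accounts),
    }
```

    Calling run_audit() on the constructed data flags bob and carol as belonging to departed people, dave as having no HR record at all, carol and dave as dormant, and sysadmin as a sensitive group held by too large a share of accounts.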
  • by Luminous ( 192747 ) on Monday September 11, 2000 @10:46AM (#787534) Journal
    Seeing that the State Department, Department of Energy, and Capitol Hill all were lambasted for poor physical security, is it any surprise that the government has poor digital security?

    I'll bet you dimes to doughnuts that the NSA, FBI, and CIA all have pretty tight security with nothing that even has a remote chance of being classified coming near the internet. DoD is slightly surprising, but hints at their arrogance - they believe they are superior and no one would be able to crack them.

    As originally said though, and especially in light of the Western Union attack, this is probably the general state of all computer security.

  • All the problems listed are ones I or my fellow geeks have seen multiple times, and in some cases (open accounts, bad access decisions) are purely human errors and laziness.

    I'm not thrilled to see my government with such shoddy security, but it really isn't unusual when one takes a look at non-governmental computer security.

    The problem today is people aren't using the technology available to them AND they aren't following (or being trained in) procedures to maintain security. Anywhere.
  • If the Department of Defense only gets a D+, that leaves Western Union somewhere along the lines of 'strongly advised to drop the class on the first day', right?
  • by Anonymous Coward on Monday September 11, 2000 @11:02AM (#787542)
    Yeah, those do, but it's the departments you don't care about that have the most "computers". The NSA and the Weather Service and stuff have a few huge machines, but the IRS and DOEdu and DoEnergy have more employees, each of whom has one or more machines.

    But wait, it gets worse: When you study the computers at a location you have two areas: servers and clients. We have like 10 Solaris boxes, all of which are counted together as "the server", then we have desktops for 150+ users, each of which is counted as "a computer." For security purposes, that's 151 "computers" that are counted, only one of which (the server stack) is under the direct day-to-day control of the IS group. Hell, our IS people aren't even in the same building as the majority of desktops. Those who were here before I started will tell you, security was much easier when everyone here ran xterms, but the users push for laptops and crap on their desk that couldn't be made secure if we rewrote it line-by-line. It's all we can do to keep them from saving their password in Eudora, or even getting them to use that instead of Outlook in the first place (that Filipino iluvyou kid sure did me a big favor).

    They have to do it that way because people use their machines in such a varied fashion, so rating security, for us, is really how secure your server is and how effective you are at enforcing network policy, which is much, much harder. Some of us are hoping the switch from 98 to 2k will help, as far as forcing people to save shit where it belongs, but the future doesn't look bright: I told the new accountant he had to cycle a dozen passwords for our grant requests, and he threatened my job!
  • You know, if we conveniently place sensitive terminals next to "molecular digitizing lasers", maybe we can store intruders on a zip disk and upload them to the Game Grid [voyager.net].... for the dumber crackers, we might be able to fit them onto a floppy.

    --
    Spindletop Blackbird, the GNU/Linux Cube.
  • by daniell ( 78495 ) on Monday September 11, 2000 @10:20AM (#787549) Homepage
    but I'd like to see what constitutes the scale. I think some examples of A B C D and F in organizations (possibly outside government if need be) would be helpful too.

    At one unnamed agency, all 1,100 users had been granted access to sensitive system directories and settings, the GAO found.
    As far as this is concerned, I'd like to think that organizations can be secure enough in other ways to not have to have co-workers hiding information from co-workers that are possibly right next to them.

    -Daniel

  • Up until recently I was a contractor for the Gov. More annoying than the fact that their security sucks is that, instead of advertising a contract for the OS for the next 5-10 years, the Gov is already moving to W2k. My particular office was running on Pentium 200s with 64-100 megs of RAM and a 2 gig HD. During my time there I was able to make the system extremely reliable for an NT network. Before leaving I asked all the users, "What functionality are you missing from your desktop that stops you from being able to complete your work?" The answer I got from every user was "NOTHING." So my question becomes: WHY IS THE GOV GOING TO SPEND MILLIONS OF TAX DOLLARS ON W2K AND THEN MILLIONS MORE ON UPGRADING THEIR HARDWARE TO SUPPORT THE OS? Needless to say I asked many of my superiors this question and I was basically told to shut up 'cause that's the way things work. They even had the nerve to tell me that the GOV has input on the way Microsoft writes its OSes. I promptly quit after hearing this. Within the next 6 months at my former job the W2k upgrade will begin. Does anyone else see what hypocrites the gov is being supporting this OS? Just my 2 cents, which in the government only goes as far as .002 cents.
  • You normally have to balance between security and usability. The ultimate in internet security (pull the connection) kind of defeats the purpose, and the ultimate in usability (wide open) is, well, not such a good idea. Things would be much easier if the software was more reliable (eg no buffer overflows) and people (in general) weren't so easy to social engineer. Unfortunately, I don't think the latter is going to change any time soon, but at least the former is slowly improving.

    Bill - aka taniwha
    --

  • by xianzombie ( 123633 ) on Monday September 11, 2000 @10:21AM (#787555)

    I think some examples of A B C D and F

    The school system got rid of the letter 'E' in grading and look what happens to our country's education system.

  • by kgasso ( 60204 ) <kgasso@bl o r t.org> on Monday September 11, 2000 @10:22AM (#787557) Homepage
    The government has never really been too "security-conscious" as far as I'm concerned.. just look at all the break-ins that government agency websites have experienced in the past, and still experience - or the break-ins that were publicized at least.. who knows how many more systems were just cracked into.

    Seems they're thinking with their wallet and not their heads. They don't see a need to hire professionals to secure and monitor their network because they assume it's already secure. Wouldn't also surprise me if they thought the threat of prosecution were enough to keep crackers out. That's just plain stupid.

    How much does it cost to install IDS systems on networks that should be secure (or any network, for that matter)? And a few paid professionals? You're trusting these people with your data. Social Security numbers, tax records, etc. and they have little security at best.
    --
  • No, the proper way is to have all your sensitive data on a non-backed-up Wintel combined with an absolute deadline...

    No way you can get to those data.

  • by SpanishInquisition ( 127269 ) on Monday September 11, 2000 @10:22AM (#787559) Homepage Journal
    Computer turned off, cast into solid titanium,
    dropped somewhere in the Pacific?
  • It might add 0.000023 seconds to my workload and as a Very Busy And Very Important Marketing Droid With Expensive Shoes And A Smart Haircut I don't have *time* to cope with that stuff!

    ... which of course translates to "Hey I want to see them funny attachments everyone is talking about"

    And 0-early-30 Sunday? Hey, that's when they are still in the office surfing pr0n sites...

  • by TJ6581 ( 182825 ) on Monday September 11, 2000 @10:23AM (#787564)
    The report said accounts often remained open even after employees or contractors wound up their employment;
    access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users.''

    Sounds like it's less that the system isn't secure and more like they really need to give their employees a good lesson in security.
    "Freedom of speech has always been the abstract red-headed stepchild of the Constitution"
  • While the management of government computers is performed by government employees, much of the actual hands on admin work is done by contractors. This has been the general trend (contracting out) that is pervasive as the government has reduced their workforce. Additionally, the government is good at training people (sending them to classes, etc...). However, once trained, some ppl then leave to enter the more lucrative private sector.

    An overlooked aspect is the general need in many agencies for the sysadmin to have a security clearance. This cuts down on the available list of potential workers. Then again, once a person does obtain a security clearance, he/she becomes a more highly desirable employee who is then likely to leave to become a contractor.

    So the problem is one of recruitment and retention. And you spelled out some of the problems: lower pay, poor working conditions, and mismanagement. Additionally, cutbacks in funding tend to affect the more junior staff employees. They don't have seniority and are easier to RIF (reduction in force). Unfortunately, the ones affected by cutbacks include admin and support ppl.

    In the section that I work in, I have seen about an 80% reduction in the computer staff. This has forced me to do sysadmin work (6 computers); I'm really supposed to be doing research. However, I do care about computer security and have spent a considerable amount of time working on this. In routine network security audits, none of my computers have turned up a single warning for the past two years. However, having me do computer security is not the proper way to operate.

  • I seem to recall that the going salary for a government employee in an IT position is about 1/3rd what the employee could make in the private sector. Although it's great if you can code 1 and a half lines of COBOL a day.

    And hell, you can barely find an IT worker in the private sector who knows his ass end from his elbows. I believe this means the Government is Doomed.

    On the plus side, those of you who took out a second mortgage to finance that Y2K bunker might still find a use for it. Don't go selling those canned beans and shotgun shells just yet...

  • Name one thing the government does well. Grand prize is a cookie.

    Spend money on useless crap.

    In fact, I think they do that better than anyone else.

    Moderators, feel free to mod this down as Redundant and Troll. After all, we all know the government doesn't spend money uselessly;-).
  • by brad.hill ( 21936 ) on Monday September 11, 2000 @10:51AM (#787576)
    I'm sure that this forum will be filled with flames about MS software, which is admittedly insecure, but a lot of it is just ignorance, and even the best Unix systems can be made very insecure this way.

    A friend of mine worked on a classified project for a DoD contractor, and I was appalled at his stories. He was set in front of a computer, and his boss was called away on business before he could give my buddy a login id. The computer was named "Enterprise". On the bottom of the keyboard was a sticky with the word "Picard" on it. Yes, it was the root password. Similar stickies were to be found on the bottom of nearly every computer in the place.

    Worse still, they would download very sensitive data from satellites using rsh to a root account with a .rhosts file! When he pointed out that this was probably the LEAST secure method they could possibly choose, they told him that this scheme was the recommendation of a DoD security consultant.

    Their entire idea of security seemed to be putting up a bunch of Cold War-era posters with eagles playing poker against vodka-swilling bears and wolves dressed in Arabian garb, warning "Don't tip our hand!"

    Admittedly, these weren't machines connected to the outside net, but it would've been trivial for any visitor or janitor to get access to EVERYTHING.

  • As a term employee with the Forest Circus I was amazed at how little the employees understood about security. Any password that was not username1 or username2 was a pet/spouse/child's name. And root on the servers was just as simple.

    When a temp asks you to restart a printer queue for the second time and you give him the server passwords and door combo, security isn't even a bad joke. Forget about DoD web pages getting "owned". The issue is a vast collection of financial, tax, and research data that's available to any techie who helps fix a federal employee's home computer and asks for a password to "test" the VPN. Until user security is addressed systematically, upgrading the firewalls is a waste of time and resources.

  • by Mr Z ( 6791 ) on Monday September 11, 2000 @11:11AM (#787583) Homepage Journal

    Get it right. It's any kid with an IMSAI Z-80-based CP/M box, a glass TTY, a speech synthesizer box and an acoustic modem! The C-64s speak a much too advanced protocol for Josh^H^H^H^HWOPR to understand.

    --Joe
    --
  • by Life Blood ( 100124 ) on Monday September 11, 2000 @11:13AM (#787586) Homepage

    The problem with articles like these is that you never know what is being reviewed.

    For instance, does this include the many many DoD defense grant and contract holders who have sensitive information? I mean most of those are educational institutions and you know what their security is like. Lord knows anyone could break into my lab with little more than determination and a swift kick.

    The other question is, while the system may be wide open, how important is the data that is available on it? The DoE and DoD like to keep all the nasty secrets behind air walls so there is no chance they are going to get out unless someone physically penetrates the building.

    BTW I have seen people posting things saying that higher government security will lead to a smaller government. These people obviously don't understand how government works. More security means more government to provide this security (additional security personnel) and more government to make up for the inefficiency caused by more stringent security. If you want a drastically smaller government then I suggest you look elsewhere, like privatizing programs for added flexibility.

  • by redelm ( 54142 ) on Monday September 11, 2000 @10:24AM (#787591) Homepage
    Do you really want efficient government?
    Only if you believe they are benevolent. If you believe they are self-absorbed [as I do] or malevolent [as some do], then you want to limit their effectiveness.

    I believe that govt expands to the limits of its incompetence. Since I really don't want more govt, I must limit its effectiveness, and accept the resulting bureaucratic inefficiency.
  • by cowboy junkie ( 35926 ) on Monday September 11, 2000 @10:24AM (#787594) Homepage
    It makes it so much easier to find out where those black helicopters are headed...
  • At my college, "D is for Done"...

    "Evil beware: I'm armed to the teeth and packing a hampster!"
  • Almost all posts are rejected. That is why I think they hate my posts.
    ~~~~~~~~~~~~~~~~~~~~
    I don't want a lot, I just want it all ;-)
    Flame away, I have a hose!
  • by CmdrGordita ( 227448 ) on Monday September 11, 2000 @10:26AM (#787599) Homepage
    Seriously... instead of handing out life sentences the government should seriously consider handing out paychecks. Face it, they need someone with a clue on their side.
  • What is the purpose of secured networks and hacker-proof software when you can't even keep track of laptops (as in the State Department HQ) or removable hard drives (as in Los Alamos National Labs)?

    Lesson: Frequently the most obvious and seemingly straightforward security efforts are the most often overlooked ones.
  • Trade the lousy pay, poor working conditions and lousy management of a government job for good pay, poor working conditions and lousy management in the private sector.
  • by swb ( 14022 ) on Monday September 11, 2000 @12:27PM (#787603)
    And this isn't limited to just governments. Private business, which is supposedly smarter, harder working, etc. than the government is FULL of convenience-minded people for whom security means nothing.

    "Password restrictions? Filtering? Attachments? Get out! It might add 0.000023 seconds to my workload and as a Very Busy And Very Important Marketing Droid With Expensive Shoes And A Smart Haircut I don't have *time* to cope with that stuff!"

    Of course, these are the same people who want you fired when the system is down at 0-early-30 on a Sunday morning for patching.

    You're right that it's insane, it's totally out of control.

    The only thing going for us is that Win95, which all the workstations except mine run, is usually so badly mangled by the end users that I don't think it could do much harm prior to blue screening.

  • The Usenet: The Flaming [sjgames.com] rules.

    Everything in there is pure 100% accurate information. Except this, apparently.

    --------
  • by josepha48 ( 13953 ) on Monday September 11, 2000 @10:26AM (#787612) Journal
    Having worked in a government agency in the past, I'd have to say it is a little of both. Keeping an internet-connected network secure is a difficult job, but government workers are usually not the most motivated. The US government also has a tendency to contract out much of its IT work, so they do not have any internal experts. Sure they say they do, but most of their experts are not people who actually are experts. Think of it this way. In the USPTO it was not till 1997 that they actually outfitted all the patent examiners with computers. Many other agencies are the same way. Most of these people were reluctant at first to even answer their email, let alone use the computer (yes, this is true; there was a big issue over this in the USPTO). They contracted out all the installation and had formal training. This is how you log in, this is how you log out. When the government contracts out they do not always go for the best company. They have a unique system for determining who gets the contract and sometimes who gets it does not deserve it. With no experts and probably not the best company doing the work, how can they be secure? Also with people who generally don't care, this tends to be the norm. I bet if they polled more gov agencies they would find this to be a very common thing.

    On an off topic note, I submitted a story that was rejected. Linux kernel 2.2.17 is out. I saw it at ftp.kernel.org. Yet slashdot hates my news stories so I post here so someone else can submit it.
    ~~~~~~~~~~~~~~~~~~~~
    I don't want a lot, I just want it all ;-)
    Flame away, I have a hose!

  • Where do you get your information? Most of the computers at the unmentioned TLAs (CIA, NSA, FBI) run Solaris for the stability, network control and because they've had it for a while. Or stuff on custom hardware. (Which is really cool, but classified.)

    -----
  • You know, there seems to be a trend in the headlines about alphabet agencies getting hacked. Either they get their Windows NT server running IIS 4.x hacked, or they have their secrets stolen through insecure employees.
    No one solution will fix this, but learning about the problems inherent in the products that they use to keep their "top-secret" information top-secret is a good first step. They seem surprised every time another agency gets hacked, but they are all running the same software. They should get their NSA math guys to look for a pattern.
    Also, teaching their employees to use safe computing seems rather important. I'm sure that they teach them, and give them handouts, but I wonder how many agents' PIN number is still their daughter's birthday, and other such silliness. The rash of laptop thievery is just so mind-blowing that I don't know whether stupidity or spying is the case, and really I don't even want to know. I kind of hope for the latter, as I don't want to think that the people that are entrusted with our "most vital information" are incompetent enough to do things like that.

    I guess I'm done ranting now...

  • by Hairy_Potter ( 219096 ) on Monday September 11, 2000 @10:26AM (#787615) Homepage
    What would it cost to have a fingerprint scanner on each government computer?

    I know when I co-oped for the Feds back in 1987, they took my fingerprints, so it's still probably policy to fingerprint each new employee.

    Stick a little fingerprint reader on each workstation, and security gets a heck of a lot better (spare me the arguments about stealing or forging the fingerprint authentication file, I'm talking security against weak assaults).

    Of course, when you have fingerprints of every person who worked for the Federal government, every criminal, and every welfare recipient, you have fingerprints on a big hunk of the country. All we need then is to fingerprint student loan borrowers. Anyone know if the NSA has massive fingerprint recognition computers?

    And once something has been proved to work for the Federal government, it's a much easier sell to get it into private industry. Who knows, we all may be fingerprinted soon, in the name of better security. Bye bye rights. I think Voltaire said it best, those that would forgo a little freedom for security will soon have neither.
  • by Anonymous Coward on Monday September 11, 2000 @10:26AM (#787616)
    I work for the DoD, in a sensitive but unclassified environment.

    Around here, people continually circumvent routine security restrictions. Everything is run on Windows NT, but patches are not installed regularly. While all the paperwork is done, it often doesn't reflect reality.

    Worst of all, everything runs Outlook, and the various iloveyou kind of viruses spread through here like crazy. Can you imagine such a virus that didn't do anything *but* email all the documents on your computer to Czechoslovakia? But, guess what? We aren't allowed to turn off executable attachments, or even "speed bump" them, because "somebody might need them."

    It's insane.

  • Most cracks in a corporation come from inside. To be secure, you must not EVER trust your users..
