Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
United States

US Government Computer Security Evaluated 205

Logic Bomb writes "Yahoo is carrying a wire story about a report by the House Subcommittee on Government Management, Information and Technology. It gave the US government an overall grade of D- on computer security. That probably isn't a big surprise, but the details of the report are scary -- the Department of Defense got a D+. Isn't that lovely? The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems. My guess is the latter."
This discussion has been archived. No new comments can be posted.

US Government Computer Security Evaluated

Comments Filter:
  • by stubob ( 204064 )
    as long as no one screws up the curve, they're good.

    -----
  • by hiryuu ( 125210 ) on Monday September 11, 2000 @09:28AM (#787414)

    ...people are wary of Carnivore, and don't believe the FBI's assurances of security and propriety. Any system that can be abused will be abused.

    In addition, cracks in the system put huge caches of taxpayer and proprietary business information at risk of inappropriate disclosure, GAO said.

    Perfect examples of why inefficiency/inadequacy are a definite risk.

  • In spelling class D stands for "You Suck"
    ----
  • The computer was named "Enterprise". On the bottom of the keyboard was a sticky with the word "Picard" on it. Yes, it was the root password. Similar stickys were to be found on the bottom of nearly every computer in the place.

    I doubt if you would even need the stickies to get root on the other systems:

    telnet voyager
    login: root
    password: *******


    telnet ds9
    login: root
    password: *****

    ---------

  • Computer security at the Central Intelligence Agency was not rated ``because of the nature of its work'' but the spy agency gave a classified briefing to panel members, subcommittee spokeswoman Bonnie Heald said.

    Well of course... what else would you expect? They would have to report all the hacks/cracks they have had. I'm certain the other departments would have gotten away without public disclosure if they could. What about the FBI, NSA ect..


  • Here at the USPS, that is *exactly* the case. Other than myself, there are about five other people in this entire facility (app 500 people) with a clue.

    The reason being that once people get a clue, they usually decide they want to get paid for having one and go elsewhere, thus this place turns into a training camp.

    Government policies have an extremely hard time keeping up with the 21st century in a lot of ways. To pay people more money takes more political BS than I think most people realize. There are set positions with set salaries, and computer programmers are no exception, even though these salaries are about half of what you can find elsewhere.

    Additionally, you must go through far too much red tape in order to get anything accomplished, even when you know what you're doing.

    Now, the one big benefit of working for the government is the bottomless pit of money. My team (5 people) have our own development environment of a Sun Enterprise 6500 and five 4500s. You don't get that in many other places.

    Aside from that, the quality people that are still here enjoy what they do, and that's about all that's keeping them here.
  • I have a friend, who is a foreign national, working at a DOE lab on ENTIRELY nonclassified, nonsensitive research. All classified activity is separated from the unclassified world by an air gap - totally beyond their reach, as it should be.

    HOWEVER: The network they have to work on was only recently put beyind a firewall. And before that foreigners like them were especially vulnerable because they would not let them use ssh for Export Control reasons!

    So a policy intended to "protect" U.S. interests, actually placed their own networks at risk!

  • From the Post:
    The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems
    A third possibility is that the grades were issued for political reasons, and therefore may bear only a limited relationship to reality. The original report was issued by the General Accounting Office, which has a reputation as being authoritatative and non-partisan, but the GAO did not issue "grades". The "grades" (which are more value-laden, and have more PR appeal) were issued by a House committee, which is controlled by the Republicans. And they are criticizing governmental departments, which are controlled by the Clinton/Gore administration. In particular they are criticizing the technology performance of those departments, supposedly a Gore strong-point.

    Can you say "Election Year Politics"?

  • Actually, the advantage to pressureized pipes is because if somebody cuts in to the pipe to get at the cable, you know just by glancing at a pressure meter. Filling them with nerve gas would be crazy; it would be damn near impossible to service them in a timely manner. And some idiot with a backhoe could wipe out the entire campus.
  • This "grading" , as far as I can tell from the article, was done by, in all likelyhood, a bunch of 75 year old bastards who couldn't f***in' turn on their computer without help from their 18 year old sex to.... I mean assistants. So they are operating on second hand knowledge from people who aren't even listed. And what about this "gained access almost every time" ? How many times did they try and did they friggin have a printout of every employees' password... There are some things missing here from the article that I would like to see before I pass judgement... That's just my two cents though.... -Craka
  • At my original college, F is for fun =)

    ---
  • the general consensus from them seems to be this: most of the good, talented technology people (security, programming, etc.) bail of military/gov't service because of the lousey pay (as compared to the commercial world), poor working conditions, and mis-management. As near as I can tell from talking to these people, the gov't wants security and quality without spending the needed amounts of money and (perhaps more importantly) energy on it.
    I'd call that a fair assessment. I'd caution that there is still a fair amount of talented individuals in Gov't service - mainly because they believe in the mission of their appropriate department. But even these dedicated workers may not be allowed to improve the situation.

    My case...

    The leader of my department's HQ info security team once commented to my center's Asst. Director of IT "You have a lot of really good people working here... too bad none of them work for you." It was a stunning statement - and painfully true. IT is largely farmed out to contracts across the center. If you want an IT job at the center, most likely you'll be a contractor.

    While this brings up questions of trust and conflicts of interest, it also creates a bigger problem - budget. Contracts are awarded to the lowest bidder; even if that bid is ridiculously low. The contract I worked for was reasonably sane, but still very tight. The fact that the company counted on a thrift bonus each quarter only increased the challenge. This lead to bare minimal staffing; more work for fewer workers. We had to be very careful to ensure that we only spent time on things we were going to be credited for. Do what you are paid to do - nothing more. And we weren't paid to do info security.

    I, and a few coworkers, had an interesting exception. We were considered an important part of the info security community at the center and were included by the department. The contract made allowances for this since it brought good visibility. But we still had our "real" jobs to do. More work.

    So while the center was becoming very clueful about infosec, it was not funding it. There had been some talks about improving this situation, but last I heard the talks had taken took a bad turn. When it came to budgets, security had a hard time making the cut.

    The lure of decent pay, and small perks such as a training budget proved too much for me. I left my gov't job for private enterprise. And so did one of my co-workers (actually, the department has taken huge hits as IT workers have left in droves after dealing with worse contracts than mine - I often wonder how they're keeping things going). In fact, my new corporate team has recently recruited talent from a wide sampling of US Gov't organizations.

    That alone is probably pretty telling.

  • Well, it's easy enough to use a SecurID or similar scheme, where you have a little LCD screen that is constantly cycling passwords according to an algorithm. Or better yet, the challenge/response system where it gives you a string of alphanumerics, you key it into your little calculator like thingy, and it spits out the response. If you're using static passwords, social engineering is the least of your worries.
  • Damn,.. only got a TRS80...... shit.

  • It created the Internet.

  • Of course they passed! If they failed, they couldn't play football next semester!

    Jeez people, get with the program... You're forgetting your priorities!

    The REAL jabber has the /. user id: 13196

  • To be honest, I don't personally care if it is election year politics or not. I don't want sensitive information regarding things like SSN, tax information, or any other materiel to be able to be seen, malarkyed with, or erased. If congress is trying to discredit the current administration for problems, well, Al Gore did claim to be the father of the Internet, maybe he deserves a little heat for stupid claims not thoroughly thought out.
  • It says 'system' directories and setting this would would be like users having access to /etc/* (in a unix system) as opposed /home/luser/* This is a problem for two reasons. 1) No you cant trust local users not to break/sabatoge soemthing if they have a chance. 2)When users have incorrect permissions it gives an outside 'crackers' more chances to compromise an account that has right to do real damage in this case 1100 chances. I do agree that an explanation of the grading system would be useful.
  • Or in college: D is for Diploma!

  • by Grasshopper ( 153602 ) on Monday September 11, 2000 @09:29AM (#787432)

    I work for a government agency (USPS), and while my experience with them deals only with internet and intranet applications, it's worth noting that the biggest obstacle we face (and likely the other government agencies as well) is the pride of the people that create insecure applications.

    If you happen to read something on slashdot, such as the IE cookie exploit, then dare report it to a division using cookies for sensitive information, you just get a heated debate.

    It took me no more than thirty minutes to compromise the "secure" cookie of their application, and it contained sensitive information that could compromise the entire application in plain text!

    Fortunately, the right people (suits) got wind of my experiment, and this security hole is actually being dealt with. With all the effort it takes to get people to open their eyes, I can understand why nothing gets done about such issues.

    It's really like testing someone's program, only to have your feedback ignored.

    What's the point?


  • Name one thing the government does well. Grand prize is a cookie.


    Bowie J. Poag
  • Ironic... if the government fairs so poorly for its own security, then wouldn't it be logical that their own tech for monitoring/big brothering the Net sucks? Perhaps there are assumptions that carnivore 'works.' Granted, it would help to see the code to determine this, but wouldn't the odds be strong that carnivore does not work as well as the claims? Do we really have anything to fear?

    Maybe they talk the talk but don't code the code...
  • by Crash Culligan ( 227354 ) on Monday September 11, 2000 @09:31AM (#787435) Journal
    "typical of what you'd find in most Internet-linked systems"??

    Sorry, doesn't wash.

    Many /.ers out there know that the Internet is very hard to secure. But they also know that it can be done with a good deal of practice and knowhow. So I'd say it's not that. I'd say it's more likely poor government performance that we're seeing there.

    Ideally, the government should have the highest security and technological savvy of any entity in the country, in order to protect its citizens from threats from outside the country.

    (Ideally, the government should also be protecting the rights of the citizens too rather than chipping away at them with an espresso spoon whereever any cartel like the MPAA or RIAA tells them to, but that's another rant entirely.)

    So what's wrong? Either:
    a) they don't have the knowhow to maintain system security, or
    b) they have the knowhow, but aren't utilizing it correctly.

    I'd like to see a correlation of government salaries in relation to similar positions in private industries. If they're dissimilar, and the government pays its workers less than the private sector, then I think it'll be safe to say where the talent's gone...
  • LOL, I posted in the wrong thread.
  • The government might just lose its reputation as one of our finest, most efficient, best run organizations.
  • Which web sites got a good grade?

    I mean yeah, the govenment doesn't have the best web masters. They are not always the best people, maybe they just want to get a page or to up to try and stay current with the technology of the time. It's not like the people needed to properly secure a system are cheap. And the government doesn't work FAST so it's not like they can just go and hire these people whenever they need them.

    I guess what I'm really tring to say it that you should take what they are saying with a grain of salt. Some reporters are just tring to make the gov look bad.

    So what kind of internet box is safe? A box behind a router that only lets acceptions in on one randomly chosen port to a SSH connection where the password to log in is determined by a predetermined seed to a Secure ID card? Given enough time and pressure, anything is breakable. The only truely secure information doesn't exist. (They are dumb quotes, I made them up)

  • No! No! No! No! NO!

    "The Norm" is that guy who drank lots of beer on "Cheers"!

  • (sorry for the multiple post, but..)

    I suppose, since the US Military made their bed with the creation of TCP/IP, they now must lay in it! Get real, it's an ivory-tower protocol to begin with. Should the average user be able to traceroute machines; the little packets revealing the IP's of every system they swim past along the way?

    Aren't "system security" websites creating more problems than they solve? Does a hard-working system administrator have as much time to read "rootshell.org" as a mischievous twenty year old college kid? If said college kid finds an exploit, compiles and uses it while you're out of the office, before you're even aware of it, does it mean you're a bad administrator?

    Considering the level of knowledge distribution on the internet, particularly in the areas of networking, OS fuction, and security exploits/patches, can the "good guys" truly *ever* be that much ahead of the "bad guys" ?

    To compound the problem, owners of ISP's don't need to demonstrate any level of competancy to purchase IP's; only supply the necessary funds. So basically any idiot with just enough smarts to get online creates a wonderful opportunity for the hacking elite. Spoof an IP here or there, root the Acme ISP, wipe their log files, and hop out from there - Exploit away!

    Perhaps if the federal government applied the same type of licencing to the purchasing of IP addresses as they do FM & AM radio frequencies, and held the OWNERS of said IP's responsible for the usage of same, AND required some sort of certification process to even QUALIFY, 75% of the "computer security problem" would go away IMMEDIATELY?

  • DoD is slightly surprising, but hints at their arrogance - they believe they are superior and no one would be able to crack them.

    I wonder who this bunch was. I work for a defense contractor, and none of the machines in the building which are on our internal classified network are connected in any way to the outside world. I'm posting this from my unclass PC. :)

  • Hide your harddrives behind the Xerox machine!
  • This is all good (or not good) and whatnot, but what systems did they test? Did they try to hack the NSA computer security systems? Or did they simply peer at thomas.loc.gov?

    I have a little more faith in the DoD protecting information. Hopefully they don't even place top secret data on machines connected.

    hobbz
  • by tdrury ( 49462 ) on Monday September 11, 2000 @10:35AM (#787444) Homepage
    I don't know where those people worked, but where I worked doing DoD research we had pretty severe restrictions. For a while all the computers had to be Tempest approved (for low-emissions). If not, they were used inside "the can" which was a large metal room within another room. Both had massive combination locks on them and motion sensors. Once, we were throwing network cables above the drop-ceiling - we didn't know about the motions sensors - and when they went off we all shit a brick.

    All machines had removable hard-drives that would be locked in safes. After use, the hard drive was removed and the machines power was cycled. None of these machines were networked. The only network was within "the can" and that didn't go external.

    When photocopying classified, you had to run blank sheets through the copier when finished. And you had to have a second person with you to check everything when you were done.

    When classified as to be destroyed (and that isn't easy to get approval) we had an incinerator in the building for it. We all wondered if we could use it to cremate deceased pets....

    We were apart of a University with many foreign nationals. Part of the CS school had facilities in our building where the students would go. When security found out they kicked all foreign nationals out of the building. We lost a couple good grad students because of it.

    Security violations were severe since we could potentially lose all funding if our clearance was revoked. Auditors came around yearly and quizzed randomly on procedures.

    All in all, it wasn't a huge hassle to do all this stuff - it was part of the routine. Of course, I avoided classified work as much as possible...

    -tim
  • by duncan ( 16437 )
    for a group that relies on Microsoft products primarily, this does not surprise me.


  • Could you do me a favor and ask your friend where my company would be able to order a few of those posters? We could really use the security upgrade over here.



    Seth
  • by SEWilco ( 27983 )
    That's the Department of D+efence now.
  • by AntiTuX ( 202333 ) on Monday September 11, 2000 @09:15AM (#787452) Homepage
    Hey man, at least they passed :)
  • "We don't want to hurt your feelings. You're a year older, so we'll pass you on to the next administration. Work harder next year, you bureacracy."
  • I think it's the fear of getting busted by the government is what keeps most attacks at bay for the gov sites. It still doesn't help our national security.
  • by TheDullBlade ( 28998 ) on Monday September 11, 2000 @09:18AM (#787457)
    Haven't any of you watched War Games?

    Any kid with a C-64 can hack the Pentagon and set off a nuclear war.

    Uh, it was a historical recreation, wasn't it?

    --------
  • by TheDullBlade ( 28998 ) on Monday September 11, 2000 @09:32AM (#787459)
    For an A, the computer must be vaporized by a nuclear blast.

    For an A+ the computer must be hurled into a black hole (some information might be gathered from the trajectories of the particles thrown off by the nuclear blast).

    --------
  • you see, the problem with the government is they don't like to fix potential problems. I saw firsthand an example of this. The bandwidth of the new system was going to overpower the network. We knew it, we told them, they said it would be fine. So we switch on, it blows up. So now we've got to rewire this kludged/patched/duct taped network all the while the users are screaming at us for breaking their system. I don't think I can say any more specifics, but this did make the news last fall at the unclassified level.

    As for the famous $500 hammer, that was probably still the lowest bid.

    -----
  • Yes certainly trust is a good thing but would you trust 1100 people even if you worked with them with.
    1) sensitive data
    2) write permission on system executables/conf files.
    3) read or write access to /etc/shadow

    Even the best hiring practices and background checks are likely to miss maybe %1 of the bad apples. So I would be willing to bet that there are at least 2 or 3 people in the organiztion that would be willing to use the info naughtily or use bad permisions to gain root.
  • And in related news, Microsoft has announced today that they will be submitting a proposal to the government that will outline a plan to quote "replace all those nasty, old 20th century *nix systems with state of the art 21st century Windows 2000 servers."

    The company spokesperson went on to say that "organizations can not take full advantage of all the innovations(TM) in Microsoft software until viruses like Linux are purged from the network."

    Linus Torvalds was not available for comment.
  • The intro movie to the first System Shock game.
    I would kill to see some script kiddie wet his pants as his door gets kicked in and laser scopes all situate themselves on his forhead...after using a root kit. Big Brother would have its advantages!

  • I don't usually respond to idiots, but in your case, I'll make an exception.

    Most system administrators in the government are doing it as an additional duty to their regular job. They have a limited amount of time to spend on system administration, which besides security, includes keeping software updated, doing backups, troubleshooting and fixing network and system problems.

    In an ideal world, there would be full-time system administrators and security specialists to keep the systems secure and running smoothly. The reality is that very little money is budgeted for security or anything else that is perceived as not directly contributing to the mission.

  • none of the machines in the building which are on our internal classified network are connected in any way to the outside world

    This is how I assumed most of the government systems were. That was why Wargames seemed so trite was it was based on the idea of a system linked to the system capable of launching nukes being accessed from an outside telephone. The best digital security is simply allow no outside access. A stand alone comp can't be hacked remotely...of course it tends to be less useful than a networked one.

    I would think the DoD would have a clear concept of compartmentalization as a security method.

  • by kabir ( 35200 ) on Monday September 11, 2000 @09:36AM (#787484)
    The main problem with government security is that it must be enacted by government employees. Now, I'm not saying that government employees are inherently stupid, or anything like that. But I have run into a lot of security guys who are ex-gov't or ex-military, and the general consensus from them seems to be this: most of the good, talented technology people (security, programming, etc.) bail of military/gov't service because of the lousey pay (as compared to the commercial world), poor working conditions, and mis-management. As near as I can tell from talking to these people, the gov't wants security and quality without spending the needed amounts of money and (perhaps more importantly) energy on it.

    That pretty much leaves the security in the hands of folks whith little or no experience. Based on that the report isn't surprising at all.

    Of course, this is all second hand information. Perhaps some military/gov't (or ex) security folks here on /. (c'mon, we know you're here) could pipe up and correct me if I'm way off base?
    --

  • by KFury ( 19522 ) on Monday September 11, 2000 @09:39AM (#787488) Homepage
    For an A+ the computer must be hurled into a black hole (some information might be gathered from the trajectories of the particles thrown off by the nuclear blast).

    Heck no. Then it could pop out anywhere! Then there's time machines...

    No, I'm sorry. The only way to get an A+ is to do everything without records in a haphazard fashion, without even knowing why you're doing it yourself.

    Oh, wait a minute...

    Kevin Fox
  • It gave the US government an overall grade of D- on computer security. The Department of Defense got a D+.

    Actually, that's a small typo. The Pentagon was trying out their new structured language, D++, and got it confused with the please-rate-your-network-security form they had to send back to the House Subcommittee.

    --

  • Hmmm, Hawking's not into security?

    I think I'll go do a bit of "tweaking" and have fun playing a real life version of Frogger with a guy in a wheelchair...

  • Anyone feel like coding the SendNerveGas( ) API?
    Make it a COM object and a JavaBean. That way, you can call it from all of your apps, and build in that physical security that can only be guarenteed by DNA-altering, instantly fatal nerve gas.
  • by x-empt ( 127761 ) on Monday September 11, 2000 @11:02AM (#787500) Homepage
    Walkin.

    Find a corner with nobody around.

    grab a cat-5, split wires off into a wireless transmitter.

    hide cable away under a desk.

    park a vehicle in parking lot of building with receiver inside, dumping to a laptop.

    steal social security #s (most are unencrypted networks), personal info, address info, drivers license info, etc.

    Enjoy. Guarenteed to work at your local DMV!
  • by jsm ( 5728 ) <james@jmarshall.com> on Monday September 11, 2000 @09:42AM (#787505) Homepage
    The big question though is whether this is an example of particularly poor government performance or just typical of what you'd find in most Internet-linked systems.

    ... or, more likely, it's a report done by a Republican Congress to discredit a Democratic administration. They've been doing this all year. For example, when Bill Richardson (a Hispanic and therefore politically valuable) was a front-runner for the Democratic VP slot, Congress brought as much media blame as possible on him for apparent security leaks in the Energy Department.

    FYI, Congressional panels and committees are generally controlled by the majority party of that branch of Congress, even when they're called "non-partisan".

    I'm not endorsing Democrats or slamming Republicans here, I'm just pointing out politics as I see them. The same thing might happen if the parties' roles were reversed. I am neither Democratic nor Republican.

  • The government has never really been too "security-conscious" as far as I'm concerned.. just look at all the breakins that government agency websites have experienced in the past, and still experience - or the breakins that were publicized at least.. who knows how many more systems were just cracked into.

    Of course the government is also in something of a double blind. If they actually institute security sufficient to keep all crackers out (presuming that such a thing is actually possible) they get accused of being paranoid and spending too much on security. If they relax to the point that there are breakins, people will be unhappy because they aren't taking security seriously enough. And, of course, for a lot of levels of security they get hit from both sides because their security still isn't good enough to please the security conscious, but their expense and paranoia are too much to please the other side.

    Of course that's not to say that the current situation is a good middle ground. It sounds very much as though they're trying hard to achieve security but still not managing to do so, which is the worst of all possible situations. Still, though, you have to be at least a little bit sympathetic to the fact that the government gets very mixed signals about what people want it to do.

  • by Shoeboy ( 16224 ) on Monday September 11, 2000 @09:44AM (#787509) Homepage
    Tragically, www.fbi.gov has huge security weaknesses. They left port 80 open, allowing us 31337 haxors to connect. Once connected, we can send specailly formed packets known as "|-|77P R3qu3575" to the remote host and retrieve files.
    The government should just pack it in.
    There's no way to protect a system from the likes of me.
    --Shoeboy
  • I was watching this with about 10 other engineers one night in a dank basement aparment on a small crappy TV. We got to the part where WHOPR (or whatever the supercomputer was called) was hacking the launch sequences digit by digit. My friend pipes up,

    "Why doesn't it just check the .launch file?"

  • by Anonymous Coward on Monday September 11, 2000 @09:57AM (#787512)
    I worked with a DoD contractor (software development) for a while. The people taking care of the company web site were former NSA and military. And not long out of the DoD, either.

    In dealing with these people, I have found that while there are some smart people in the military, there aren't many. For example: I sent an e-mail to a software developer in Russia (he had some GPL'd stuff we were using). Two days later, I was called in to the IT department and threatened with termination for "letting the Russians know we have an IP address!". I wish I were kidding you.

    Another example: we needed a new e-mail server for one of the offices-- maybe thirty accounts. I talked with one of the guys, mentioned perhaps using OpenBSD and Sendmail. I asked him about it a few weeks later, and the response was: "No, a lot of our guys attach Microsoft Office documents to their e-mails, we need to make sure the server is compatible." (and this server was NOT supposed to scan documents and attachments for viruses).

    Why does the DoD have such shitty security? They have idiots in charge. Idiots that talk a big talk, but have no fucking clue. They sling buzzwords around, they take credit for the other guys' work, and they get promoted with maximum time and grade. The military doesn't know the difference between a competent soldier and an incompetent soldier. God, it's irritating.
  • by Anonymous Coward on Monday September 11, 2000 @09:44AM (#787513)
    Strangely enough, it came out at the same time as E.T. which basically told the public that extraterrestials are our friends -- which, of course, couldn't be any farther from the truth.
  • Around here, people continually circumvent routine security restrictions.

    When I was in the military we had 3 guys supporting a 400 workstation network with 1100 users. Security! It was hard enough to explain to everyone that pressing the button on the monitor won't turn the computer on. There was no time or resourses for security.

  • Attributed to David A. Guidry:

    network security:

    1. Kill all your users.
    2. Remove all accounts.
    3. Detach network and dialups.
    4. Turn off machine.

    So rather than encasing the computer in titanium and dumping it in the pacific ocean, we do that to the users. After all, computers don't cause computer insecurity -- people do. So securing the computer is peripheral (not to be confused with peripherals).

    Of course, we have to be careful when suggesting things like #1 to the US Government. After all, national security is paramount...

  • on the contrary, most of the non classified networks are on NT domains, which are possibly being converted to 2000 domains later this year. (I'm speaking from experience, but also of only airforce sites). Hence the implimentaion of SMS and the like. (Though I'm still amused that the AF bought L0phtCrack and didn't even spell it right on their lil slide show for me. :P )

    Now, on the topic of the more sensitive networks, they are (to the best of my knowledge) typically M$ systems connected onto a *nix server. However these systems are not (supposed to be) connected to any outside network. Higher Sensivite systems (i hope) are using a more secure system, but for the most part, we're, um.....not.

    In reference of the sysadmins on .gov and mil sites, well, i have to agree with you there, the ppl who knew what they are/were doing are few and far between and primarily have left for civilian jobs with a real paycheck and maybe even some benifits.

    I mean, government pay scales suck!

    --Can't argue that one....not at a lil over $1200 a month....

  • We aren't allowed to turn off exectuable attachments, or even "speed bump" them, because "somebody might need them."

    Sounds like General Motors... :) Of course, we have Lotus Notes, so executable attachments are already "speed bumped".

  • by Xerithane ( 13482 ) <xerithane@@@nerdfarm...org> on Monday September 11, 2000 @09:45AM (#787531) Homepage Journal
    Back in the good old days of college years, I served as an intern for NASA. Part of my experience there was monitoring security processes for our group. There really weren't any. We were handling classified information including some military inventions and devices for our project and some of our trusted boxes (there was RSH used with .rhosts) were out of the box redhat 4.2 with no additional security precautions. I changed that as soon as possible, but the night before the last machine was to be worked on it was broken into.. how's that for irony.
    However, my experience with commercial networks have been a lot worse. One company had two seperate networks, connected by a machine with two NIC's and it was expected to filter traffic between the two. Rather amusing approach to segregating between a private and public network. Their only problem is the gateway between private and public had an ancient version of sendmail serving mail as well.
    Ahh.. I love the smell of poor management in the morning.

    nerdfarm.org
  • The report said accounts often remained open even after employees or contractors wound up their employment access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users

    Egad! This is horrible...

    They really don't have someone working in the US government who enjoys his job as a systems administrator. On more then one occassion I have taken joy in removing the users account before they have recieved notice of termination. We have a very aggressive policy on privledged users...and in fact I have had employees admit to first believing they had been fired when in reality they had encountered authentication problems due to system failure.

    It is a twisted world we live in, and I add a few more turns every day.
  • by Luminous ( 192747 ) on Monday September 11, 2000 @09:46AM (#787534) Journal
    Seeing that the State Department, Department of Energy, and Capital Hill all were lambasted for poor physical security, is it any surprise that the government has poor digital security?

    I'll bet you dimes to doughnuts that the NSA, FBI, and CIA all have pretty tight security with nothing that even has a remote chance of being classified coming near the internet. DoD is slightly surprising, but hints at their arrogance - they believe they are superior and no one would be able to crack them.

    As originally said though, and especially in light of the Western Union attack, this is probably the general state of all computer security.

  • All the problems listed are ones I or my fellow geeks have seen multiple times, and in some cases (open accounts, bad access decision) are purely human errors and laziness.

    I'm not thrilled to see my government with such shoddy security, but it really isn't unusual when one takes a look at non-governmental computer security.

    The problem today is people aren't using the technology available to them AND they aren't following (or being trained in) procedures to maintain security. Anywhere.
  • If the Department of Defense only gets a D+, that leaves Western Union somewhere along the lines of 'strongly advised to drop the class on the first day', right?
  • by Anonymous Coward on Monday September 11, 2000 @10:02AM (#787542)
    Yeah, those do, but it's the departments you don't care about that have the most "computers". The NSA and the Weather Service and stuff have a few huge machines, but the IRS and DOEdu and DoEnergy have more employees, each of whom has one or more machines.

    But wait, it gets worse: When you study the computers at a location you have two areas: servers and clients. We have like 10 solaris boxes, all of which are counted together as "the server", then we have desktops for 150+ users, each of which is counted as "a computer." For security purposes, that's 151 "computers" that are counted, only one of which (the server stack) is under the direct day-to-day control of the IS group. Hell, our IS people aren't even in the same building as the majority of desktops. Those who were here before I started will tell you, security was much easier when everyone here ran xterms, but the users push for laptops and crap on their desk that couldn't be made secure if we rewrote it line-by-line. It's all we can do to keep them from saving their password in Eudora, or even getting them to use that instead of Outlook in the first place (that filipino iluvyou kid sure did me a big favor).

    They have to do it that way because people use their machines in such a varied fashion, so rating security, for us, is really how secure your server is and how effective you are at enforcing network policy, which is much, much harder. Some of us are hoping the switch from 98 to 2k will help, as far as forcing people to save shit where it belongs, but the future doesn't look bright: I told the new accountant he had to cycle a dozen passwords for our grant requests, and he threatened my job!
  • You know, if we conveniently place sensitive terminals next to "molecular digitizing lasers", maybe we can store intruders on a zip disk and upload them to the Game Grid [voyager.net].... for the dumber crackers, we might be able to fit them onto a floppy.




    --
    Spindletop Blackbird, the GNU/Linux Cube.
  • by daniell ( 78495 ) on Monday September 11, 2000 @09:20AM (#787549) Homepage
    but I'd like to see what constitutes the scale. I think some examples of A B C D and F in organizations (possibly outside government if need be) would be helpful too.

    At one unnamed agency, all 1,100 users had been granted access to sensitive system directories and settings, the GAO found.
    As far as this is concerned. I'd like to think that organizations can be secure enough in other ways to not have to have co-workers hiding information from co-workers that are possibly right next to them.

    -Daniel

  • Up until recently I was a contractor for the Gov. More annoying than the fact that there securty sucks is the fact that instead of advertising a contract for the OS for the next 5-10 years is the fact that the Gov is allready moving to W2k. My particular office was running on Pentium 200's with 64-100 megs of ram and a 2gig HD. During my time there I was able to make the system extremley reliable for an NT network. Before leaving I asked all the users "What functionality are you missing from your desktop that stops you from being able to complete your work" The answer I got from every user was "NOTHING" So my question becomes WHY IS THE GOV GOING TO SPEND MILLIONS OF TAX DOLLARS ON W2K AND THEN MILLIONS MORE ON UPGRADING THEIR HARDWARE TO SUPPORT THE OS? Needless to say I asked many of my superiors this question and I was basically told to shut-up cause that's the way things work. They even had the nerve to tell me that the GOV has input on the way Microsoft writes it's OS's. I promptly quit after hearing this. Within the next 6 months at my former job the W2k upgrade will begin. Does anyone else see what hipocrits the gov is being supporting this OS? Just my 2 cents. which in the government only goes as far as .002 cents.
  • You normally have to balance between security and useability. The ultimate in internet security (pull the connection) kindof defeats the purpose and the ultimate in usability (wide open), is, well, not such a good idea. Things would be much easier the software was more reliable (eg no buffer overflows) and people (in general) weren't so easy to social engineer. Unfortunatly, I don't think the latter is going to change any time soon, but at least the former is slowly improving.

    Bill - aka taniwha
    --

  • by xianzombie ( 123633 ) on Monday September 11, 2000 @09:21AM (#787555)

    I think some examples of A B C D and F

    The school system got rid of the letter 'E' in grading and look what happens to our country's education system.

  • by kgasso ( 60204 ) <kgassoNO@SPAMblort.org> on Monday September 11, 2000 @09:22AM (#787557) Homepage
    The government has never really been too "security-conscious" as far as I'm concerned.. just look at all the breakins that government agency websites have experienced in the past, and still experience - or the breakins that were publicized at least.. who knows how many more systems were just cracked into.

    Seems they're thinking with their wallet and not their heads. They don't see a need to hire professionals to secure and monitor their network because they assume it's already secure. Wouldn't also surprise me if they thought the threat of prosecution were enough to keep crackers out. That's just plain stupid.

    How much does it cost to install IDS systems on networks that should be secure (or any network, for that matter?). And a few paid professionals? You're trusting these people with your data. Social security numbers, tax records, etc. and they have little security at best.
    --
  • No the proper way is to have all your sensitive data on a non-backed up Wintel combined with an absolute deadline...

    No way you can get to those data.

  • by SpanishInquisition ( 127269 ) on Monday September 11, 2000 @09:22AM (#787559) Homepage Journal
    Computer turned off, cast into solid titanium,
    dropped somewhere in the Pacific?
  • It might add 0.000023 seconds to my workload and as a Very Busy And Very Important Marketing Droid With Expensive Shoes And A Smart Haircut I don't have *time* to cope with that stuff!

    ... which of course translates to "Hey I want to see them funny attachments everyone is talking about"

    And 0-early-30 Sunday? Hey thats when they are still in the office surfing pr0n sites...

  • by TJ6581 ( 182825 ) on Monday September 11, 2000 @09:23AM (#787564)
    the report said accounts often remained open even after employees or contractors wound up their employment
    access was not promptly cut off nor curtailed to reflect changes in responsibilities. And managers were routinely giving ``overly broad access privileges to very large groups of users

    Sounds like it's less that the system isn't secure and more like they really need to give their employees a good lesson in security.
    "Freedom of speech has always been the abstract red-headed stepchild of the Constitution"
  • While the management of government computers is performed by government employees, much of the actual hands on admin work is done by contractors. This has been the general trend (contracting out) that is pervasive as the government has reduced their workforce. Additionally, the government is good at training people (sending them to classes, etc...). However, once trained, some ppl then leave to enter the more lucrative private sector.

    An overlooked aspect, is the general need in many agencies for the sysadmin to have a security clearance. This cuts down on the available list of potential workers. Then again, once a person does obtain a security clearance, he/she becomes a more highly desirable employee who is then likely to leave to become a contractor.

    So the problem is one of recruitment and retention. And you spelled out some of the problems; lower pay, poor working conditions, and mismanagement. Additionally, cutbacks in funding tend to affect the more junior staff employees. They don't have senority and are easier to RIF (reduction in force). Unfortunately, the ones affected by cutbacks include admin and support ppl.

    In the section that I work in, I have seen about a 80% reduction in the computer staff. This has forced me to do sysadmin work (6 computers); I'm really suppose to be doing research. However, I do care about computer security and have spent a considerable amount of time working on this. In routine network security audits, none of my computers have turned up a single warning for the past two years. However, having me do computer security is not the proper way to operate.

  • I seem to recall that the going salary for a government employee in an IT position is about 1/3rd what the employee could make in the private sector. Although it's great if you can code 1 and a half lines of COBOL a day.

    And hell, you can barely find an IT worker in the private sector who knows his ass end from his elbows. I believe this means the Government is Doomed.

    On the plus side, those of you who took out a second mortgage to finance that Y2K bunker might still find a use for it. Don't go selling those canned beans and shotgun shells just yet...

  • Name one thing the government does well. Grand prize is a cookie.

    Spend money on useless crap.

    In fact, I think they do that better than anyone else.

    Moderators, feel free to mod this down as Redundant and Troll. After all, we all know the government doesn't spend money uselessly;-).
  • by brad.hill ( 21936 ) on Monday September 11, 2000 @09:51AM (#787576)
    I'm sure that this forum will be filled with flames about MS software, which is admittedly insecure, but a lot of it is just ignorance, and even the best Unix systems can be made very insecure this way.

    A friend of mine worked on a classified project for a DoD contractor, and I was appalled at his stories. He was set in front of a computer, and his boss called away on business before he could give my buddy a login id. The computer was named "Enterprise". On the bottom of the keyboard was a sticky with the word "Picard" on it. Yes, it was the root password. Similar stickys were to be found on the bottom of nearly every computer in the place.

    Worse still, they would download very sensitive data from satellites using rsh to a root account with a .rhosts file! When he pointed out that this was probably the LEAST secure method they could possibly choose, they told him that this scheme was the recommendation of a DoD security consultant.

    Their entire idea of security seemed to be putting up a bunch of cold war era posters with eagles playing poker against vodka swilling bears and wolves dressed in arabian garb, warning "Don't tip our hand!"

    Admittedly, these weren't machines connected to the outside net, but it would've been trivial for any visitor or janitor to get access to EVERYTHING.

  • As a term employee with the Forest Circus I was amazed at how little the employees understood about security. Any password that was not username1 or username2 was a pet/spouse/child's name. And root on the servers was just as simple.

    When a temp asks you to restart a printer queue for the second time and you give him the server passwords and door combo, security isn't even a bad joke. Forget about DoD web pages getting "owned". The issue is a vast collection of financial, tax, and research data that's available to any techie who helps fix a federal employee's home computer and asks for a password to "test" the VPN. Until user security is adressed systematically, upgrading the firewalls is a waste of time and resources.

  • by Mr Z ( 6791 ) on Monday September 11, 2000 @10:11AM (#787583) Homepage Journal

    Get it right. It's any kid with an IMSAI Z-80 based CP/M box, a glass TTY, a speech synthesizer box and an accoustic modem! The C-64's speak a much too advanced protocol for Josh^H^H^H^HWOPR to understand.

    --Joe
    --
  • by Life Blood ( 100124 ) on Monday September 11, 2000 @10:13AM (#787586) Homepage

    The problems with articles like these is that you never know what is being reviewed.

    For instance, does this include the many many DoD defense grant and contract holders who have sensitive information? I mean most of those are educational institutions and you know what their security is like. Lord knows anyone could break into my lab with little more than determination and a swift kick.

    The other question is, while the system may be wide open, how important is the data that is available on it? The DoE and DoD like to keep all the nasty secrets behind air walls so there is no chance they are going to get out unless someone physically penetrates the building.

    BTW I have seen people posting thinks saying that higher government security will produce to a smaller government. These people obviously don't understand how government works. More security means more government to provide this security (additional security personnel) and more government to make up for the inefficiency caused by more stringent security. If you want a drastically smaller government then I suggest you look elsewhere, like privatizing programs for added flexibility.

  • by redelm ( 54142 ) on Monday September 11, 2000 @09:24AM (#787591) Homepage
    Do you really want efficient government?
    Only if you believe they are benevolent. If you believe they are self-absorbed [as I do] or malevolent [as some do], then you want to limit their effectiveness.

    I believe that govt expands to the limits of it's incompetence. Since I really don't want more govt, I must limit it's effectiveness, and accept the resulting bureaucratic inefficiency.
  • by cowboy junkie ( 35926 ) on Monday September 11, 2000 @09:24AM (#787594) Homepage
    It makes it so much easier to find out where those black helicopters are headed...
  • At my college, "D is for Done"...

    "Evil beware: I'm armed to the teeth and packing a hampster!"
  • ALL most posts are rejected. That is why I think they hate my posts.
    ~~~~~~~~~~~~~~~~~~~~
    I don't want a lot, I just want it all ;-)
    Flame away, I have a hose!
  • by CmdrGordita ( 227448 ) on Monday September 11, 2000 @09:26AM (#787599) Homepage
    Seriously... instead of handing out life sentences the government should seriously consider handing out paychecks. Face it, they need someone with a clue on their side.
  • What is the purpose of secured networks and hacker-proof software when you can't even keep track of laptops (as in the State Department HQ) or removeable hard drives (as in Los Alamos National Labs).

    Lesson: Frequently the most obvious and seemingly straightforward security efforts are the most often overlooked ones.
  • Trade the Lousy Pay, poor working conditions and lousy management of a Government job for good pay, poor working conditions and lousy management in the Private sector.
  • by swb ( 14022 ) on Monday September 11, 2000 @11:27AM (#787603)
    And this isn't limited to just governments. Private business, which is supposedly smarter, harder working, etc than the government is FULL of convenience-minded people for whom security means nothing.

    "Password restrictions? Filtering? Attachments? Get out! It might add 0.000023 seconds to my workload and as a Very Busy And Very Important Marketing Droid With Expensive Shoes And A Smart Haircut I don't have *time* to cope with that stuff!"

    Of course, these are the same people who want you fired when the system is down at 0-early-30 on a Sunday morning for patching.

    You're right that its insane, its totally out of control.

    The only thing going for us is that Win95, which all the workstations except mine run, is usually so badly mangled by the end users that I don't think it could do much harm prior to blue screening..

  • The Usenet: The Flaming [sjgames.com] rules.

    Everything in there is pure 100% accurate information. Except this, apparently.

    --------
  • by josepha48 ( 13953 ) on Monday September 11, 2000 @09:26AM (#787612) Journal
    Having worked in a goverment agency in the past, I'd have to say it is a little of both. Keeping a internet connected network secure is a difficult job, but goverment workers are usually not the most motivated. The US goverment also has a tendancy to contract out much of its IT work, so they do not have any internel experts. Sure they say they do but most of there experts are not people whom actually are experts. Think of it this way. In the USPTO it was not till 1997 that they actually outfitted all the patent examiners with computers. Many other agencies are the same way. Most of these people were reluctant at first to even answere there email let alone use the computer (yes this is true there was a big issue over this in the USPTO). They contracted out all the installation and had formal training. This is how you log in this is how you log out. When the goverment contracts out they do not always go for the best company. They have a unique system for determining who gets the contract and sometimes who gets it does not deserve it. With no experts and probably not the best company doing the work, how can they be secure. Also with people who generally don't care, this tends to be the norm. I bete if they polled more gov agencies they woudl find this to be a very common thing.

    On an off topic note, I submited a stroy that was rejected. Linux kernel 2.2.17 is out. I saw it at ftp.kernel.org. Yet slashdot hates my news stories so I post here so someone else can submit it.
    ~~~~~~~~~~~~~~~~~~~~
    I don't want a lot, I just want it all ;-)
    Flame away, I have a hose!

  • where do you get your information? most of the computers at the unmentioned tlas (CIA, NSA, FBI) run Solaris for the stability, network control and because they've had it for a while. or stuff on custom hardware. (which is really cool, but classified)

    -----
  • You know, there seems to be a trend in the headlines about Alphabet agencies getting hacked. Either they get their WindowsNT server running IIS 4.x hacked, or they have their secrets stolen through insecure employees.
    No one solution will fix this, but learning about the problems inherent in the products that they use to keep their "top-secret" information top-secret is a good first step. They seem suprised every time another agency gets hacked, but they are all running the same software. They should get their NSA math guys to look for a pattern.
    Also, teaching their employees to use safe computing seems rather important. I'm sure that they teach them, and give them handouts, but I wonder how many agent's PIN number is still their daughet's birthday, and other such sillyness. The rash of laptop theivery is just so mind-blowing that I don't know whether or not stupidity or spying is the case, and really I don't even want to know. I kind of hope for the latter, as I don't want to think that the people that are intrusted with our "most vital information" are incompetent enough to do things like that.

    I guess I'm done ranting now...

  • by Hairy_Potter ( 219096 ) on Monday September 11, 2000 @09:26AM (#787615) Homepage
    What would it cost to have a fingerprint scanner on each goverment computer.

    I know when I co-oped for the Feds back in 1987, they took my fingerprints, so it's still probably policy to fingerprint each new employee.

    Stick a little fingerprint reader on each workstation, and security gets a heck of a lot better (spare me the arguments about stealing or forging the fingerprint authentication file, I'm talking security against weak assualts).

    Of course, when you have fingerprints of every person who worked for the Federal government, every criminal, and every welfare recipient, you have fingerprints on a big hunk of the country. All we need then is to fingerprint student loan borrrowers. Anyone know if the NSA has massive fingerprint recognition computers?

    And once something has been proved to work for the Federal government, it's a much easier sell to get it into private industry. Who knows, we all may fingerprinted soon, in the name of better security. Bye bye rights. I think Voltaire said it best, those that would forgo a little freedom for security will soon have neither.
  • by Anonymous Coward on Monday September 11, 2000 @09:26AM (#787616)
    I work for the DoD, in a sensitive but unclassified environment.

    Around here, people continually circumvent routine security restrictions. Everything is run on Windows NT, but patches are not installed regularly. While all the paperwork is done, it often doesn't reflect reality.

    Worst of all, everything runs outlook, and the various iloveyou kind of viruses spread through here like crazy. Can you imagine such a virus that didn't do anything *but* email all the documents on your computer to Czechloslavakia? But, guess what? We aren't allowed to turn off exectuable attachments, or even "speed bump" them, because "somebody might need them."

    It's insane.

  • Most cracks in a corporation come from inside. To be secure, you must not EVER trust your users..

"The chain which can be yanked is not the eternal chain." -- G. Fitch

Working...