Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
United States The Internet

U.S. Interior Dept. Unplugged... Again 299

IO ERROR writes "The U.S. District Court ordered the Department of Interior to take all its systems offline for the third time, saying that its systems were too insecure to be left open. Among the systems to go offline are those that process payments owed to American Indians and Internet access in schools on Indian reservations. DOI employees cannot use the Web or send or receive e-mail."
This discussion has been archived. No new comments can be posted.

U.S. Interior Dept. Unplugged... Again

Comments Filter:
  • by Ckwop ( 707653 ) * <Simon.Johnson@gmail.com> on Tuesday March 16, 2004 @05:44PM (#8582642) Homepage
    If people can't secure the computer systems i wonder how secure the old paper based systems were?

    I mean, with a physical system u need physical access but I bet those old systems were probably quite easy to subvert :P

    Simon.
    • by millahtime ( 710421 ) on Tuesday March 16, 2004 @05:57PM (#8582815) Homepage Journal
      " I bet those old systems were probably quite easy to subvert"

      I doubt they were easy to subvert. First you have to gain access to the facility, then you have to have access to that area and then you have to have access to the files. It is not that easy to just stroll in there and get a copy of them.

      Secure data would be physically secure. It's not like you can just walk in a building and get that stuff that is locked up. It's pretty tough.
      • by jsprat ( 442568 ) on Tuesday March 16, 2004 @06:09PM (#8582958)
        Unless you're the garbage man...


        You'd be surprised what people will just throw in the trash.

        • Like a 24 port 10Base-T hub with 23 working ports that my friend found dumpster diving at a government building in 1997. Quite a find, at the time. Not sensative material, but still.

          ~Will
        • by Evil Schmoo ( 700378 ) on Tuesday March 16, 2004 @07:19PM (#8583728) Homepage
          Which is why secured government facilities are required to shred all classified documents. And as for Mr. Feynman's legendary escapades, Los Alamos was recently severely upbraided by the DOE for its lax security.

          Most government facilities have the lowest level of classified information ("Secret"). Very few have "Top Secret" or higher. And even with Secret, there are very extensive procedures in place in terms of document storage, personnel access, etc.; you're not going to be able to get in with a penknife, leastways not when the document is in a 2-ton graphite safe with 70-point rotary dial behind an armed guard gate.

          And as for the guy who found a 10-Base T hub? Dude. That's nothing. We throw old junk away all the time. I just threw 5 Betacam SP decks, worth about $6000 each, in the trash last week. Remember, the agencies can't sell equipment; only the GSA sells surplus, and that's at auction. And it's not like the agencies get credit for turning stuff in. So there is no financial incentive for the agencies to save old equipment, and the paperwork is far too much of a hassle to deal with, just to get it transferred off the books to surplus. (You have to verify condition and certify it, blah blah blah.) So we just get it written off as damaged beyond repair, and toss it.

          Believe me, I'd take the stuff home if I could, but then I'd technically be stealing. It has to be officially thrown away first.

          God Bless America.
      • If people can walk into a secure mainframe room and steal mainframes [slashdot.org], a determined person should be able to steal papers. Social engineering can be very powerful, just ask Kevin.
      • by AllenChristopher ( 679129 ) on Tuesday March 16, 2004 @06:29PM (#8583160)
        "Secure data would be physically secure. It's not like you can just walk in a building and get that stuff that is locked up. It's pretty tough."

        You need to read "Surely You're Joking, Mr. Feyman." Feyman raids the safes that contain the plans for the atomic bomb repeatedly, both for entertainment and to get work done faster. He walks through a hole in the fence around Los Alamos repeatedly, always exiting through the gate. The guard doesn't catch on until he's done it many times.

        I was able to get almost anywhere in my university dorms with a penknife, despite locked doors at the end of every hall.

        The problem with locks and guard and secure areas is that they're so visually impressive, it's easy to assume that they will work. With bicycle couriers and janitors moving around all the time, workers get used to unfamiliar faces and forget to check ID.

      • Everything about their facility was insecure.

        they were infiltrated [mail-archive.com] by the judge's appointed special master, a lawyer named Alan Balaran, with only minimal social engineering.

      • Well, I don't know. There was a story on the news this morning that I heard before I left for work. Some dude (or dudette) broke into a major IRS facility, easily bypassing all the "security systems" that were in place. Interestingly, the reports indicate that no confidential tax information or anything else of consequence was stolen, however (and this is remarkable) the pop machines were ripped off. In any event, I'm not sure that your belief that physically secure is all that secure is true. This per
      • First you have to gain access to the facility, then you have to have access to that area and then you have to have access to the files. It is not that easy to just stroll in there and get a copy of them.

        At least in the case of the indian stuff it wasn't an issue of getting copies of the information.

        They "lost" essentially all of the indians' money - and the records were corrupted enough that it was no longer possible to trace who took it.

        The bureaucrats in charge (the likely suspects) then took advantag
      • Apparently you've not read about the millions of dollars stolen from the American Indians by past operators of the BLM->Office of Indian Affairs... an office can only be as secure as the crooks, er, I mean beaurocrats that operate it...

        Genda
    • by wytcld ( 179112 ) on Tuesday March 16, 2004 @07:33PM (#8583859) Homepage
      i wonder how secure the old paper based systems were

      That's the center of the legal case. DOI systematically lost records which - if kept and honored - would have resulted in billions of dollars in lease payments to Indian tribes for natural resources (mining and oil) extracted from their reservations by corporations contracted with DOI. The judge may be less concered with security from outside hackers, than with the likelihood of DOI insiders continuing to corrupt and alter the records by setting up the systems so that they themselves can continue to engage in behaviors which have already resulted in judges holding DOI in contempt of court.

      It's not enough that we took most of the Indians' land; we've been continuing (through our kindly federal government) to steal from under what little land they have left. Even under Clinton DOI wasn't playing straight on this; you can imagine how much better it's been under Bush. The problem is that under any reasonable estimate there are enough billions involved to qualify as a serious budget item. Of course, the Indians have oil and other natural resources, and in the past behaved as "terrorists," so if anything we're consistent....
      • What's amazing to me is how little of this has hit the maintsream press. Wasn't Gale Norton held in contempt byt he court? Imagine if a clinton cabinet secy was held in contempt how the press would pounce on it.

        Billions of dollars were literally stolen and the networks were ordered shut down at least three times and not a peep from the press.

        So much for the "liberal press" theory.
  • by petabyte ( 238821 ) on Tuesday March 16, 2004 @05:46PM (#8582661)
    DOI employees cannot use the Web or send or receive e-mail.

    *thinks about what he does at work*
    So they're letting everybody go home early then? :)
  • by klipsch_gmx ( 737375 ) on Tuesday March 16, 2004 @05:46PM (#8582662)
    ...as reported by internet.com [internet.com]. Interestingly it seems that even the previous time was not really the first?

    "For the second time in less than two years, a federal judge has ordered the Interior Department to disconnect from the Internet in order to protect $1 billion in American Indian money managed by the agency.

    U.S. District Judge Royce Lamberth said Interior's refusal to cooperate with a court-appointed master who wanted to test the security of Interior's systems, prompted the decision. The government claimed it did not cooperate with Security Assurance Group of Annapolis, Md., because they could not agree on the "rules of engagement."
    • by skrysakj ( 32108 ) on Tuesday March 16, 2004 @06:07PM (#8582925) Homepage Journal
      There are no such things as rules of engagement. All bets are off, all techniques are viable, no holds barred.

      Dress up as a tech guy and talk you way in? Go for it.
      Hack through someone's PC, why not?
      Send in a small remote control vehicle to snoop? Definitely.
      Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....

      That's how it's done "for real", so why not train that way? Why not TEST that way?

      What's wrong with "Train like you fight, fight like you train"?

      I'm glad they were shut down if they threw a hissy fit because they couldn't agree on "rules of engagement". Wake up to the real world ladies and gentlemen.
      • Well that's not nessesarily what's meant by ROE, they may mean things like between hours X and Y no tests can be made because critical backups are being done. While no attacker will wait for backups to finish, this is a reasonable request unless the security people feel the need to test the backup software.

        There are a few legitimate rules that you need to set in place before you can do something like this, like a set of IP ranges to be used or something. They can find their way in, but there's no point in
        • by cmowire ( 254489 ) on Tuesday March 16, 2004 @06:41PM (#8583325) Homepage
          If critical backups get messed up because of security testing, that would be a security hole.

          Having the sys admin go spastic is a good thing for them, because that means that there's somebody watching for stuff. If they know the IP addresses, they can just block those addresses if they don't want the results to turn out bad.
          • If critical backups get messed up because of security testing, that would be a security hole.

            Amen. My point in a nutshell.

            This a critical system, this is the real world. No holds barred. Now, abomb threat to clear the building as a "test" is severe, yes. It's costly, causes a panic, and may not be appropriate. But, it needs to be tested for as well (maybe in conversation, such as "What are your procedures for a bomb threat? Do you lock the doors behind you and log out?) or do it on a Saturday. Hell, even
          • but even if it is a hole there should be a specific day that that testing is run so that an additional backup can be made. Just because you are testing the security of your system doesn't mean you shouldn't be able to recover if you find a fatal problem.
      • by Piquan ( 49943 ) on Tuesday March 16, 2004 @06:24PM (#8583104)

        Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....

        ...mug the IT manager for his SecureID, blackmail the tape monkey for backups, assassinate the night guardsman, sure, whatever.

        Less severe? One part of a real attack might involve calling in a bomb threat to get one key employee away from his desk. I suspect that it may be better to simulate that part rather than panic the entire building: have one of the high-ups that you're working with call the employee away from his desk for a half hour. Or something.

        Yes, the real world doesn't play by rules. But if testing causes more harm than it would have prevented, then it shouldn't take place.

      • by Anonymous Coward on Tuesday March 16, 2004 @06:29PM (#8583157)
        Fake some IDs, listen to employee conversations at a nearby bar after work, sleep with employees and get them to tell secrets, go through trash, make phone calls, take photos, plant bugs, rob, steal, cheat, lie.....

        Let me guess, you work for the Interior Department? Nice try.
  • by grub ( 11606 ) <slashdot@grub.net> on Tuesday March 16, 2004 @05:46PM (#8582672) Homepage Journal

    Why would systems with access to funds be connected directly to the net? No system with that level of risk should ever be connected to the net unless there's a damn good reason. Even online banking webservers are throughouly isolated from the core banking systems. This is just sheer stupidity.
    • by ackthpt ( 218170 ) * on Tuesday March 16, 2004 @05:52PM (#8582745) Homepage Journal
      Firstly you can blame the system.

      What about when the people who spam fake PayPal, BofA, Fleet, etc. try their luck spamming for native americans, to con them out of their ID/Pin/Password, whatever to steal their money? At some point good security depends upon the end user.

    • by IO ERROR ( 128968 ) <error.ioerror@us> on Tuesday March 16, 2004 @06:08PM (#8582943) Homepage Journal
      Why would systems with access to funds be connected directly to the net? No system with that level of risk should ever be connected to the net unless there's a damn good reason. Even online banking webservers are throughouly isolated from the core banking systems. This is just sheer stupidity.

      My understanding of the history of this is that DOI has had the least secure computer systems of any U.S. government agency, and have been virtually overrun with cracker activity. It's pretty obvious that someone who knows little about information security, or knowing the government, a LOT of someones, led to this occurring, as I pointed out, for the third time.

      As you said, there's no excuse for sensitive systems such as that to be exposed to the Internet, but it's not the first time and probably won't be the last. In the book At Large [amazon.com], author David Freeman points out that at one point, the controls for the Hoover Dam were accessible from the Internet. That's asking for people to DIE, and that's not cool...

      Excuse me, someone's at the door. He says he's from Homeland Security...

    • by kfg ( 145172 ) on Tuesday March 16, 2004 @06:13PM (#8582988)
      In the old days it used to be hard to get small businesses to expose themselves to the net at all. They were paranoid about running so much as a webserver for simple customer services.

      Nowadays it's getting tough to convince them they need to keep a computer offline to protect sensitive core business data, even if it means a bit of sneaker netting now and again.

      Perhaps times will change again as they swing back to paranoid.

      Real men may upload their data to ftp and let everyone else mirror it. Smart men pull the ethernet cord. If nothing else you don't want the IRS/SEC to be able to pull your data off of someone else's server. You can't wipe what you don't have sole possession of.

      KFG
    • While your respondents sound like jackasses, you're still wrong if you think banks do this stuff perfectly (or even very well). I've had a few too many friends working in IT at banks to be so confident.
  • by Anonymous Coward on Tuesday March 16, 2004 @05:46PM (#8582674)
    There goes my sweet FTP server with the 0 day warez and the fat pipe!
  • by $calar ( 590356 ) on Tuesday March 16, 2004 @05:48PM (#8582693) Journal
    I wonder who the culprit is.
  • by burgburgburg ( 574866 ) <splisken06@email . c om> on Tuesday March 16, 2004 @05:48PM (#8582697)
    Does anyone know what system(s) they are running? What (if anything) are they using as firewall(s)? What types of servers are they using? What database(s)?

    Is their continuing failure to secure their system due to lack of will/lack of money/what they're using or some combo of the three?

    • by andih8u ( 639841 ) on Tuesday March 16, 2004 @05:52PM (#8582741)
      Well, if you've ever contracted for the government, you'd know that trying to get anything done is close to impossible. Any step you take has to be combed through by several beurocrats who have no more interest in anything other than plodding through their days on the way to retirement. Even if you do manage to get all of the systems designed and get ready to roll the upgrades out, someone will just come along and axe the plan while they try to figure out if this move will make them risk their neck in the slightest.

      Trying to work for people who essentially can't be fired is a nightmare.
      • Hmmm, sounds like my job, everything takes a group of like 10 people to decide, then after 1300 man hours implementing it, they decided to throw it away (yes, all of it) and take an entirely different approach.
      • by Chester K ( 145560 ) on Tuesday March 16, 2004 @06:43PM (#8583342) Homepage
        Even if you do manage to get all of the systems designed and get ready to roll the upgrades out, someone will just come along and axe the plan while they try to figure out if this move will make them risk their neck in the slightest. Trying to work for people who essentially can't be fired is a nightmare.

        The above is absolutely true, and during some contracting work with the military, I was even told pretty much exactly what's said above.

        When it comes to Government IT, the only thing that can really get you fired is if you opened a new security vulnerability. The way the admins deal with that is by not allowing any changes to occur under their watch. It's extremely infuriating.
    • Does anyone know what system(s) they are running?

      the last time this happened it was Windows servers. it sounds like they're resistant to change so i wouldn't be surprised if it's still Microsoft Swiss Cheese Server.

    • Does anyone know what system(s) they are running? What (if anything) are they using as firewall(s)? What types of servers are they using? What database(s)?

      I would venture: Yes, yes, and yes. Why do you think they are shut down? :-)

  • by ackthpt ( 218170 ) * on Tuesday March 16, 2004 @05:49PM (#8582701) Homepage Journal
    Dept of Interior can't get outside of itself.

    Seems rather appropriate. What software are they running?

  • by wo1verin3 ( 473094 ) on Tuesday March 16, 2004 @05:49PM (#8582702) Homepage
    In a recent visit with Gale Norton (Secretary of the Interior) the following happened:

    Simpson, whose verbal gaffes are also legendary, pulled another one Sunday visiting the White House, our sources say. The singer was introduced to Interior Secretary Gale Norton and gushed: "You've done a nice job decorating the White House."

    Source: washingtonpost.com [washingtonpost.com]

  • by James McP ( 3700 ) on Tuesday March 16, 2004 @05:51PM (#8582729)
    This is really sad. I first heard of the DOI's incredible mishandling of the Indian trust here on slashdot a few years ago when they were shut down the first time.

    I can understand having problems recompiling literally centuries of data for tens of thousands of people. But c'mon, you can't figure out how to set up firewalls with VPN connections between disparate groups?

    Could you imagine any private organization like a mutual fund or retirement investor leaving SSNs and customer information online on websites? Imagine the smack down from the government! But if it's the gov't itself nada. Thank god (or Great Spirit, whatever) that there's at least one judge willing to do the right thing.
  • Priorities (Score:5, Funny)

    by Rorschach1 ( 174480 ) on Tuesday March 16, 2004 @05:51PM (#8582735) Homepage
    Obviously the Secretary of the Interior needs to spend less time decorating the White House [go.com].

  • The Internet eh? (Score:2, Interesting)

    by goosebane ( 740956 )
    I think part of the problem with a lot of the corporations/departments having many security flaws, or systems open to the net that shouldnt be is the fact that many people still see the internet as an idealistic place for the exchange of ideas and commerce. People are still slow to realize the danger that lies in the internet, and the fact that it can be dangerous. If people knew more about the dangers of technology they might be more apt to work on protecting themselves.
  • by tacokill ( 531275 ) on Tuesday March 16, 2004 @05:53PM (#8582760)
    That's cool. We'll just keep the casino money.

  • by SEWilco ( 27983 ) on Tuesday March 16, 2004 @05:56PM (#8582791) Journal
    Oops.
    I emailed the Department of the Interior, pointing out that they should consider selling any unsolicited copies of software so as to not waste the value of gifts. They shouldn't use gift material as that bypasses the intent of normal acquisition processes.

    Now I know why I got no response...

  • by Anonymous Coward on Tuesday March 16, 2004 @05:57PM (#8582802)
    "its systems were too insecure to be left open"
    Well, I feel sorry for the systems. It is really rough working for the government and having self esteem issues. If I worked for the gov't, I would be a little insecure my self : P
  • by Anonymous Coward on Tuesday March 16, 2004 @05:57PM (#8582806)
    "The Interior Department said the order "is a new frontier in this court's efforts to run the operations of executive branch agencies."

    "We are working closely with the Department of Justice to quickly respond to this order in the appropriate legal venue," the agency said in a faxed statement. //

    It's a political thing. Probably not much of a technical problem here at all. Somebody's making a move for power somewhere and now all of this BS. They are punishing the Interior by taking down links with schools on them rather than just blocking traffic via access lists and firewalls.

    If they really had a problem with some of the services being provided as insecure they could have either firewalled those services or just blocked them at the router. Since, they did not take a rational approach to solving the problem, the problem is likely a political one from one greybearded idiot to another.

    Been a consultant for the government. Seen it. I once went almost 4 months doing nothing but earning good money while waiting for the Chicago Tollway to resolve some political infighting. 4 months of sitting at home, watching TV and basically chilling out on Illinois tax dollars.

    It was lovely.
  • 2001? (Score:5, Informative)

    by klipsch_gmx ( 737375 ) on Tuesday March 16, 2004 @05:58PM (#8582830)
    Looks like the Interior Department has been having computer problems for a long time [wired.com] (December 2001!):

    "Web wanderers looking for information on national parks, government mapping services or geological disasters will need to get their information from non-official websites for a while.

    U.S. District Judge Royce Lamberth issued the order late Wednesday after a report showed that the computer system which handles $500 million annually in royalties from Indian land has major security holes that make it easy to access the system, alter records and possibly divert funds."
  • Arrgh... (Score:3, Informative)

    by ehintz ( 10572 ) on Tuesday March 16, 2004 @06:01PM (#8582870) Homepage
    It's frustrating to be out of work and not getting offers, while knowing I'm considerably more competent than these fools who still seem to have jobs after b0rking it time and time again.
  • and just so everyone knows, the dept of interior is 100% standardized on Microsoft Windows. They do not use any Unix/Linux/BSD anywhere. everything is windows. thats part of the problem of why they are so insecure
  • by SEWilco ( 27983 ) on Tuesday March 16, 2004 @06:09PM (#8582947) Journal
    • The US Department of the Interior [doi.gov] web site is not responding.
    • We Slashdot users are glad to assist in ensuring that DOI web servers can not function for the next 48 hours.
    • The DOI is required to accept gifts from Indian Tribes under several circumstances. Are the DOI mail servers and web servers properly accepting gifts from tribe representatives?

      "(g) No Refusal Gift Acceptance Policy [doi.gov]
      All Department of the Interior employees may accept gifts offered to them by representatives of Indian Tribes, Alaska Native Organizations, Insular and foreign governments when refusal to accept such gifts would be likely to cause offense or embarrassment or otherwise adversely affect relations with the United States."

    • Are DOI machines accepting gifts from Indian Tribe servers which are equipped with generous worm programs?
  • article text (Score:2, Informative)

    by Anonymous Coward
    Interior Dept unplugged from the Net

    Judge orders agency to shut Internet system after concluding security holes are still a problem.
    March 16, 2004: 2:46 PM EST

    WASHINGTON (Reuters) - Wide swaths of the Interior Department were taken off the Internet again Tuesday after a federal judge concluded that the agency still has not fixed security holes that threaten payments owed to American Indians.

    It was the third such shutdown for the Interior Department since 2001, when an investigator found that hackers coul
  • And this is exactly why you should not depend on the government to do anything with any degree of compentency. Every time someone suggests handing over some large project or economic or social program to the federal government, I cringe. Large organizations are inherently inefficent, and the larger they are, the more inefficent they are. Governments are some of the largest organizations out there, and in fact, the U.S. Government is the single largest organizational entity on the planet. [cia.gov]

    Obviously, there a
  • by NaugaHunter ( 639364 ) on Tuesday March 16, 2004 @06:21PM (#8583072)
    ... to worry about security.

    [Jessica] Simpson, whose verbal gaffes are also legendary, pulled another one Sunday visiting the White House, our sources say. The singer was introduced to Interior Secretary Gale Norton and gushed: "You've done a nice job decorating the White House.

    (source [washingtonpost.com], near the bottom, after W. refers to the Ford Theatre as the Lincoln Theatre.)
  • by BubbaFett ( 47115 ) on Tuesday March 16, 2004 @06:22PM (#8583083)
    It looks like the Park Service [nps.gov], USGS [usgs.gov] , and Office of Aircraft Services [oas.gov] are still online. Yet there are some seemingly unrelated divisions offline that probably shouldn't be. I don't see why the National Interagency Fire Center is offline. It seems somewhat important!
  • Why is the court telling the DOI to unplug? Is there a lawsuit I'm missing? The court's job is to rule on lawsuits brought before not define public policy or run about ordering people around. So unless there's a lawsuit about the DOI's systems, the court should stfu.
  • Government computers are insecure and Native Americans get the shaft from the federal government.

    Wow. In what way is this news?
  • Funky People (Score:3, Interesting)

    by Anonymous Coward on Tuesday March 16, 2004 @06:50PM (#8583432)
    I'm posting this AC for obvious reasons.

    A few years back we had a run-in with the DOI. We found very strange things in our web and FTP logs and traced them back to a Denver office of the DOI. Basically what they were doing was spending hours every night (way after office hours) digging and digging and digging to see what they could find. There were tons of 501s because these guys would enumerate when directory listing was turned off.

    My colleage wrote to the DOI in Washington and asked 'what's up'. Because of the evidence we could show, the DOI Washington office decided to put a sniffer on the Denver line. Great, we thought, soon this wil be cleared up. As if.

    A week goes by, and the Washington DOI people contact us. Their sniffer thing didn't work. When they were about to install it, some dork went around the Denver office barking, 'OK EVERYBODY HAS TO GO HOME EARLY TONIGHT WE'RE INSTALLING A SNIFFER ON THE LINE'.

    Now if you believe that story (and that's how they told it) is another matter. We did not - and ever since, at regular intervals, they're back again.

    Funky group. Very funky!
  • by qtp ( 461286 ) on Tuesday March 16, 2004 @07:34PM (#8583878) Journal
    The computers are down for uh... (maintenance? No we cant say that... used it in 1980...)

    uh... (For updating to a new accounting system for this very account? Damn, used that in '92... there's got to be a good excuse here somewhere... I know!..)

    Oh, yeah it's a security issue! That's it, a security issue... can't mess with security now, can we? Not after 9-11!...

    (Good one!)

    Yes, we'll get back to you about that $700,000,000.00 we owe you after all of this is sorted out...

    Oh, sure. As soon as possible...

    Don't worry about it, we've got everything under control. Thanks for being so understanding...

    Oh yeah, I almost forgot, your access is going to be out for a while...

    That's right, no email, no web...

    Yes, there'll be no distance learning at the schools either for the time being...

    Really, that's not fair. Why don't you people just hire more teachers? ..

    What's that? ...

    $700 Million? ...

    It's funny how technical problems always plague the DOI every time this issue [denverpost.com] comes up.

  • by donheff ( 110809 ) <donheffernan.yahoo@com> on Tuesday March 16, 2004 @07:36PM (#8583891)
    I don't know anything about Interior's problems with the Indian accounting systems, but I can assure you that the security scorecards for Federal systems are tough. OMB and the Hill have appropriately set a very high bar to push agencies to the limit. The intent is to make government systems a model for security best practices - they don't get marked "green" unless they jump through a lot of hoops. There are plenty of bright people on /. who could teach the Feds and anyone else a lot about secure systems. But there are also a whole lot of us who, truth be known, are running critical systems that couldn't come close to passing muster against the standards used to rate the Feds on security.

    I also haven't seen any specifics about why the Judge is hammering DOI. I wouldn't be surprised if they are simply battling with the Judge over the oversight processes she wants to impose - granted that might be a dumb battle to fight.

"The chain which can be yanked is not the eternal chain." -- G. Fitch

Working...