Border Security System Left Open 195
7x7 writes "Wired News is running an article on documents they recovered via the Freedom of Information Act and a lawsuit. From the article:"
A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News." It looks like Zotob made it in to the supposedly protected network."
Let me get this straight (Score:5, Funny)
What next, making Ron Jeremy the pornography czar?
Re:Let me get this straight (Score:2)
Those dollars are earmarked. (Score:3, Insightful)
It's amazing someone who was in that position thinks the next Windoze won't have the same problems every other version has had. What a total waste of money.
Re:Those dollars are earmarked. (Score:2, Interesting)
No kidding. Using Windows garbage for any Homeland Security tasks means that every Windows vulnerability (and there are many, many, many of them) becomes a National Security vulnerability. That's a fact, PERIOD. That the clowns responsible for the safety of the citizens of the US think that Windows is suitable for Homeland Security applications shows they are more concerned with protecting Microsoft's profits than protecting our families.
Re:Those dollars are earmarked. (Score:4, Insightful)
Don't believe what they say, watch what they do. They lie constantly, but you can't even depend on that.
Watch your legislator. When they claim to be against something, but they vote for it, you know one of the things they are lying about.
Re:Those dollars are earmarked. (Score:5, Insightful)
This is of course the great counter to the "but FOSS doesn't have any support". "The US Government can't get support for W2K, what makes you think you can?"
Re:Let me get this straight (Score:2)
Re:Let me get this straight (Score:3, Insightful)
Re:Let me get this straight (Score:2)
Warning, offtopic (Score:2)
Re:Warning, offtopic (Score:2)
Re:Warning, offtopic (Score:2)
Re:Let me get this straight (Score:3, Interesting)
Re:Let me get this straight (Score:2, Insightful)
That would actually make a lot more sense than running mission-critical security-sensitive apps on an unpatched Windows installation. If you like porn, that is.
Heck, it would make more sense even if you *didn't* like porn, now that I think about it...
But hey, remember, this is from the administration that brought you Iraq's WMDs and the post-Katrina disaster recovery response. Poor decisions ? Bungling?
I'm shocked, I tell you, SHOCKED!!
Re:Let me get this straight (Score:3, Funny)
How dare you joke about their ineptitude? Don't you realize that every dollar spent on Homeland security is a dollar that otherwise would have gone to some terrorist who snuck through the border and stole a job in preparation to launch a dirty nuclear bomb in the middle of a preschool, for God's sake?
Instea
Thank You! (Score:2)
Thank you for that link.
It seems that every time I travel, when I get to my destination, I have a little note in my luggage from the TSA saying, "We searched your bag." I've been trying to think of something to do next time I travel.
This will be perfect. Thank you very much.
Re:Let me get this straight (Score:3, Informative)
Zotob scanned for systems with port 445 open. In the name of the Flying Spaghetti Monster, why weren't those systems behind a firewall? On a closed network so that someone couldn't just plug in an infected laptop?
Then comes a vulnerability that Microsoft marks as "critical" and a patch that Microsoft says should be installed immediately. A sane patch management policy *might* delay installations but only if some temporary mitigation were i
Re:Let me get this straight (Score:2)
Security Theatre (Score:2)
It doesn't matter - it's just security theatre anyway. There are thousands of ways around the current systems.
Re:Let me get this straight (Score:2)
Re:Let me get this straight (Score:2)
Surely you could find more important things to worry about.
Territorial Pissing (Score:2, Funny)
And illegal immigrants wouldn't be streaming into the US if the dollar wasn't being artificially propped up. Probably would see the reverse if the free market would be allowed to work its course.
I feel safer already! :-) (Score:2, Funny)
In Soviet America, the border opens you!
Borders (Score:2, Interesting)
Re:Borders (Score:5, Interesting)
Re:Borders (Score:2)
Is this right?
Re:Borders (Score:2)
Normal windows operations (Score:5, Insightful)
- an exploit (bug) is discoverd
- the virus is released
- a patch is relesead by microsoft
- the administrators dont trust the patch (cant see what it exactly does) so need to test
- in the mean time the virus is spreading
- there should be a profit line here, but I gues microsoft already made a profit before all of this started.
Re:Normal windows operations (Score:2)
Re:Normal windows operations (Score:2, Redundant)
I hope that doesn't mean you think OS admins should patch away without testing, just because the code is available.
First of all, lots of admins aren't programmers. They might know some code, but for most of them, looking at a patch to some arcane TCP/IP code isn't going to be very easy to interpret. If it's a patch to a bug that got by the original coders, there's not that good of likelihood a typical administrator
Re:Normal windows operations (Score:2)
Some admins can read the patch.
Some admins will analyse the patch.
After there can be a discussion;
Why is there a change to qos when the patch should fix an igmp issue?
Is this because the two are related are is this patching another issue in the same time?
Could this qos change have side-effects, should I include qos in my testing?
When you get a binary patch you should run all you tests, which will probably take way too long. Instead of just testing the relevant parts.
Re:Normal windows operations (Score:2)
Re:Normal windows operations (Score:2)
1. Microsoft knows about but does not fix.
2. Some buyers rent the ho.
3. Profit!
Re:Normal windows operations (Score:5, Insightful)
If they're going to run proprietary software, they might as well have blind faith that everything the vendor does is right, 'cause they have no choice anyway -- they've already chosen to trust it with the existing system. (This is why foreign governments are switching to Free Software, by the way -- they'd have to be run by morons to trust Microsoft.)
Failures are routine apparently (Score:5, Funny)
I guess when you run Windows, failures are routine...
Re:Failures are routine apparently (Score:5, Insightful)
I'm surprised the information wasn't classified as relevant to National Security. Weaknesses in computer security are just as bad as weaknesses in physical security.
Re:Failures are routine apparently (Score:3, Interesting)
Even with the FOIA it took a lawsuit to get hold of these records, and they still have some unjustifiable omissions: "A public Microsoft security bulletin is included, but with the bulletin number (MS05-039) blacked out"
Oh, it get's better. (Score:2)
Yow-ser, yow-ser, it just does that.
Re:Failures are routine apparently (Score:3, Funny)
Beta stuff? (Score:5, Insightful)
Re:Beta stuff? (Score:2)
One born every minute. (Score:3, Insightful)
Because someone lied to him.
How many times M$ can get away with the same lie? "This OS is totally new and improved and does not have the problems our last one did." It's sickening to hear the head of a US government agency buy such stuff while perfectly usable and secure free software is available.
Re:One born every minute. (Score:2, Funny)
Nope, it has a whole new set of problems!
Fine print: it also has all the problems of the last one.
Re:One born every minute. (Score:2)
no... never... /sarcasm_tag = "on" what was the very first security patch for Vista then??? it was for the WMF hole... legacy code dating back to win 3
Re:Beta stuff? (Score:2)
Easy, because he is an average user, not a power user or programmer etc. People think newer is better.
For example I have a friend who insisted I upgrade her computer to XP from win2k. Instead of just doing that I asked her why. The response: "It'll be faster." I querried some more and the general idea for her was, "It's newer so it should run better."
It took me half an hour to explain that it wouldn't be faster, and if th
Re:Beta stuff? (Score:2)
I dunno, he may be on to something. But if next gen betas are good, bleeding edge alphas must be even better! Or better yet, he should build a Linux distro that monitors the source control repositories of all the software on the system and automatically fetches and builds any check-ins, to make sure you stay in the avant garde of security.
Windows? (Score:5, Insightful)
Or how about this: Run a secure operating system that is stable and still maintained. Linux, OpenBSD, FreeBSD, anything other than Windows. No forced upgrade required since many of the old Linux distros are still maintained.
I mean it's Microsoft forcing them to upgrade even though Windows 2000 is still a perfectly fine OS.
Re:Windows? (Score:2)
Not to mention that Windows 2000 will be receiving security updates through 2010 [msdn.com]...
Non-computer Q about US Visit (Score:5, Insightful)
-subject A buys international ticket
-subject B buys domestic ticket
-both pass security
-A checks out at US Visit terminal
-A and B swap tickets
-B gets on international flight
-A gets on domestic flight or leaves the terminal
-B gets off the plane outside the country and uses his or her own passport to pass the border control. IIRC, most countries including the US don't feed back who passes passport controls back to the airlines or country of origination. But even if, B could just take a fake passport to a third world country without scanners or live database hookup instead of Europe, Japan or the like.
Re:Non-computer Q about US Visit (Score:2)
Well, I have the feeling that if the government had simply deployed a bunch of dumb terminals instead of Windows machines, they'd have had a much easier time catching dumb criminals. Sometimes you really don't need a fancy-ass GUI to get the job done.
Re:Non-computer Q about US Visit (Score:2)
-subject A buys international ticket
-subject B buys domestic ticket
-both pass security
-A checks out at US Visit terminal
-A and B swap tickets
-B gets on international flight
-A gets on domestic fligh
Re:Non-computer Q about US Visit (Score:2)
Re:Non-computer Q about US Visit (Score:2)
I can confirm that on every single International flight I've been on since 9/11 (four or five trips annually), my passport was checked and compared against my boarding pass prior to boarding the plane. The procedure has been even more rigorous coming back to the US. We weren't even allowed into the sitting area at the gate without a comparison between boarding pass and passport and answering several questions (for like the umpteenth time)
Re:Non-computer Q about US Visit (Score:2)
http://www.csoonline.com/read/020106/caveat021706
Re:Non-computer Q about US Visit (Score:2)
- subject A buys international ticket
- A photoshops and prints an electronic boarding pass for another flight under a different name.
- A uses the boarding pass to get past security
- A throws the pass in the bin and uses the real ticket to get on the plane
Re:Non-computer Q about US Visit (Score:2, Insightful)
As the people above have suggested, its not about keeping their eye on Americans (of the North sort, not the United States sort), but keeping their eye on Foreigners in general.
When I flew in from London last summer, my flight was routed to go through a "Port of Entry" which is a location where they have installed the US-Visit fingerprint scanners and such. Lucky me, I got to go to Detroit as my first port of call into the US on
42 (Score:2, Funny)
Patch Cycle (Score:2)
The mention the real problem in the article, why is there a connection to this network from the public internet? They are just inviting problems like this. At the very least there should be some perimeter security with an IDS of some kind. Even a $40 linksys router with th
Re:Patch Cycle (Score:2, Insightful)
With a border router nothing stops an infected laptop from attacking on the inside.
Re:Patch Cycle (Score:2)
With a border router nothing stops an infected laptop from attacking on the inside.
True enough but I would think that a laptop would automatically not be a trusted device in that kind of network.
Re:Patch Cycle (Score:2)
Re:Patch Cycle (Score:2)
Re:Patch Cycle (Score:2)
Incompetence would install the most insecure OS available, but surround it with other measures. Apathy just plops down desktops and moves on to the next meeting. What could possibly go wrong?**
**Unofficial motto of the Bush Administration.
Interesting... (Score:5, Insightful)
If you don't trust the patch that software developer provides for its product, then why trust to use the product at all?
It sounds like someone saying, "Our OS has security holes in it, but we don't trust the fixes because they will just open up more holed until we verify for sure.. .. but since 90% of the world use this "hole-y" OS we'll just do what works. Like reporting a planned virus infection. *all hail bill*"
-nawcom
Configuration Control (Score:5, Insightful)
Re:Configuration Control (Score:3, Interesting)
These people don't know what they're doing.
Re:Configuration Control (Score:2)
These people don't know what they're doing.
How do you know that the just-released patch doesn't break something in a way that opens a new vulnerability?
Is the border more or less secure if border officials have to do things 'by hand' because their computer system is brought down by a troublesome patch? Overworked officials are going to be less thorough that usual, and
Re:Interesting... (Score:3, Insightful)
good admins..heck, even half decent admins don't trust any new software, including patches. Not neccessarily because they will introduce holes, but because they might break something. Even if it is not security patches, they still need to be tested to make sure they don't break anything in their particular environment.
I'd wager that at least 90% of admins do not test patches for new securi
Re:Interesting... (Score:2)
The article has it backwards (Score:2, Interesting)
No, the problem here is that these systems are even on the Internet to begin with. Shouldn't such a network exist in an air
This shouldn't come as a surprise (Score:5, Interesting)
The danger comes from the the people in government who control the money who have no technical knowledge. This is positively RAMPANT in government. Many times agencies just go with the cheapest bid and contractors give cheaper bids by hiring fairly inexperienced and not so knowledgable techs.
Many government agencies can get by with using Windows but really important agencies whose security cannot be left to chance should not be using Windows....period. Sadly Homeland Security and NSA are both starting to deploy more Windows units and that's only going to be bad for everyone.
Biggest reason why? Strong security requires techs that actually have technical knowledge and can do more than just set up insecure boxes by pointing and clicking. Big difference between *nix and Windows?
*nix needs techs with a decent amount of computer aptitude.
Windows does not
The person attacking you, or entity, or rogue state will not be using script kiddies. This only gets worse from here. "Homeland Security" is fast becoming an oxymoron.
Re:This shouldn't come as a surprise (Score:3, Insightful)
Big difference between *nix and Windows?
*nix needs techs with a decent amount of computer aptitude.
Well now wait a minute. Windows is OK if it is properly maintained, but those who run Windows are generally less capable of doing so, because they don't have to? That doesn't make any sense.
Rather than trying to figure out which is the chicken and which is the egg in your causality loop there, why don't
Irony with a 60lb mallet (Score:5, Informative)
I'm supposed to be surprised that the department that is there to "protect" us from attack fell to an easily preventable virus?
Not when that same agency appoints Gator (now Claria) executive, D. Reed Freeman, to their Data Privacy and Integrity Advisory Committee or when that very same agency hired its own Chief Privacy Officer from Doubleclick [digitalelite.com].
No, I couldn't muster less shock at the irony if my nutsack depended on it.
Tom Caudron
http://tom.digitalelite.com/politics.html [digitalelite.com]
The real meat of the article (Score:2)
You know, that might be a problem, too
Re:The real meat of the article (Score:2)
Government Insecurity... (Score:2)
After all, it would be much harder to create a virus for a system that fe
Re:Government Insecurity... (Score:2)
It's about test automation, not MS (Score:3, Informative)
Later in the article: "Officials -- not unreasonably, say security experts -- wanted to test the patch before installing it." Well, duh. This is the interesting story. They couldn't get through the tests that they SHOULD do fast enough.
The problem is agility and testability of the systems and deployment. The easiest solution has nothing to do with MS, nothing to do with windows, and everything to do with giving your test group more respect and resources.
This is not a problem inherently Microsoft's making. You can argue up and down that patches should be faster, product more secure etc. In the end, it's plausible that discovery, patch, exploit can come with bad timing in any system. System admins and project managers that don't plan for this are asking for trouble.
Elaboration: I push very hard to ensure that all my products have automated tests. My company's Desktop Engineering department requires automated tests of all its myriad apps (DE is not my department, won't take credit). I force redesign if a product can't be tested cheaply. The benefit is: I need new feature x tomorrow (maybe some suprise regulation) or company needs patch y tomorrow (e.g. Zotob worm). Where we've achieved our test automation goals (haven't in all cases, but our coverage is good enough), we can hit a few buttons, run our tests. Repeat on all 20 configurations / platforms. 90% of the time, we find no problems, and can deploy. If it's critical, you take the risk and deploy. If not, you go on to slower manual testing to complete coverage.
Had this US-VISIT program implemented adequate and automated tests, they could have deployed in a few days, not a few weeks. The methods and tools to do so have nothing to do with Microsoft. They don't even make the type of test automation tool required for this - although I know they have one for internal use.
So that would make this (Score:3, Funny)
I'm confused. Who will clean my Walmart now?
These are kiosks. Why are they running services? (Score:2)
If they insist on running Microsoft software on kiosks, they should be running XP Embedded, where you only configure in the stuff you need, not the kitchen-sink approach Microsoft uses in their desktop distros.
Spellcheckers do not catch all misspellings. (Score:3, Funny)
border
1 : an outer part or edge.
boarder
one that boards.
Virus is busted (Score:2)
They actually were collecting incriminating evidence against the virus.
Should have used dumb terminals. (Score:5, Insightful)
I wouldn't even trust *nix workstations in that environment.
Not to mention the WHY of this. From TFA:Great. 1,000 people. Didn't I see something on the news recently about 11 million illegal aliens in this country?1,000 people at a cost of $400 million.
$400,000 per person caught?
Someone REALLY needs to pitch the LTSP to the government.
Re:Should have used dumb terminals. (Score:2)
Re:Should have used dumb terminals. (Score:3, Insightful)
It does, because it's such a huge waste of money.
Re:Should have used dumb terminals. (Score:2)
actualy I belive the border agents ran somethign like 327 million people at land borders in 2004 alone. This brings the total down to around $1.20 -$1.50 a person screened. I would say that is a very efficent process for a government agency.
Actualy, If 327 million people come into
Re: (Score:2)
Re:Should have used dumb terminals. (Score:2)
Sure if Al Queda was our only concern. There are many threats out there and probably more developing everyday. If we spread it across our top ten threats, it probalby wouldn't amount to much money. I'm sure that there is money going to infiltrating and paying informers. If this little amount is going to make a big difference then we aren't trying enough already. Thats just my opinion though.
Re:Should have used dumb terminals. (Score:3, Insightful)
it is used to scan everyone, so it's cost is perperson scan. People catch criminals.
This'll really piss you off.. (Score:2)
so- in two years, 800,000 per person caught.
see below, FY 05 budget for US-Visit was 340million (for one year) which is 10mill more than the prior year
http://judiciary.senate.gov/testimony.cfm?id=1034& wit_id=2961 [senate.gov]
US-VISIT Budget Requests In FY 2003, CBP processed 412.8 million passengers and pedestrians arriving in the U.S. - 327 million at land borders, 70.8 million at international air
My thoughts too (Score:2)
Mainly though, the dumb fuckwits^h^h^h^h^hskilled operators don't get a chance to load porn/itunes/email/IM and use the box for uncontrolled purposes which cause all kinds of problems (overloaded networks, IT headaches,...).
All up, this could only lead to improved productivity and better security.
Re:My thoughts too (Score:2)
Another good thing is that you can to some degree control all the hourse of playing solitare or WOW at $18 an hour.
Re:Should have used dumb terminals. (Score:3, Funny)
Which is about the entire population of Canada.
Re:should have used unix (Score:3, Insightful)
There was a mention about a network not being secure if
Re:Homeland Security? (Score:2)
Just like the old SS, only incompetent.
Re:Homeland Security? (Score:2)
Never mind Homeland Security: I've got to say, I find the (recent?) introduction of just the term "Homeland" into the political lexicon rather troubling.
All other [mumble]-land places I can think of did not have enlightened and benign regimes: "Motherland" (Russia, during the Soviet Union era), "Fatherland" (Germany during the 3rd Reich). Any more for the list?
T&K.
Re:Great argument as to why *nix is no more secure (Score:2)
Oh, I see, the open source distrubtion is faster, and people accept it more readily
Are you saying that the OpenSource world takes longer than Microsoft to release patches for critical security issues? Because that is patently false.
Re:Great argument as to why *nix is no more secure (Score:2)
When does the security bug become visible in the open source world? Shortly after the discovery. The uSoft bug became only visible after the bug was found, fixed, QAd, built, and posted.
But there are also security bugs that are found, fixed, QAd, built and posted before (non-internal) discovery in the OpenSource world -- same as with closed source. You seem to be implying that bugs in the OpenSource world are only found externally, and then patched. That's not true. Fact is, both 'methodologies' are at le
Re:Great argument as to why *nix is no more secure (Score:2)
Open source by its very nature is meant to operate such that outsiders find the bugs, isn't it true? So how can you argue that open source is better than that?
No, it isn't, I'm not sure where you get that misconception from, the majority of opensource development work is done by core teams that often work full-time on projects --- exactly like closed source. The fact the outsiders can also look for and find bugs is just a "bonus". One can easily argue that open source is "better" by just comparing what ea
The spelling correctors are still here? (Score:2)