State Department Hit With Many More Break-Ins
adjust28 writes to tell us CNN is reporting that the US State Department has been dealing with a number of computer break-ins with regards to their headquarters and offices dealing with China and Korea over the past couple of weeks. From the article: "Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking."
Lack of motivation (Score:5, Interesting)
The government seems to have never placed much importance on computer security. I recently read Cliff Stoll's 1989 chronicle of a hacking, The Cuckoo's Egg [amazon.com]. Back then the government was slow to respond and pretty unmotivated, and it seems like little has changed today. Yet, once they catch someone, they give him a draconian punishment that ruins his life; just look at Mitnick. The government can't seem to decide its priorities. It'll punish you more for cracking than for murder, but at the same time it won't secure its own systems and heed experts.
Re:Lack of motivation (Score:3, Insightful)
sarcasm
Who needs secure systems when you have draconian punishments?
That aside, systems are no more secure or insecure than the people behind them. I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.
B.
Re:Lack of motivation (Score:5, Insightful)
That's because so-called "high security passwords" are nothing of the sort - once you reach a certain level of complexity people will simply write them down.. a password that someone can remember is far more secure than a 'high security' one that has to be written down somewhere.
I suspect they only went that route because they were too cheap to buy securid.
Re:Lack of motivation (Score:3, Informative)
Re:Lack of motivation (Score:1)
For me... creating hard to guess passwords that use a variety of characters but are easy to remember is the one single thing l337 speak is still useful for. Sadly, there aren't enough l337d00ds aroun
Re:Lack of motivation (Score:2)
Re:Lack of motivation (Score:5, Insightful)
Re:Lack of motivation (Score:2)
Maybe he should have been rewarded and/or his bold personal vendetta recognized as a necessary response to seemingly state sponsored hacking of US computer systems (critical infrastructure).
The horse has bolted (Score:5, Interesting)
I don't want to trigger a Windows/Linux debate, but relevant is this quote from a recently slashdotted interview with McKinnon:
Source here [bbc.co.uk]
Even if it is considered right to treat such breakins so seriously: how many times must the horse bolt before the barn door?
Re:The horse has bolted (Score:5, Funny)
Re:The horse has bolted (Score:3, Informative)
Re:The horse has bolted (Score:1, Flamebait)
And then you turn right around and quote somebody saying something about the military using Windows machines. I wasn't aware that the State Department is a branch of the US Military. Am I wrong about that? Or are you using unrelated quotes to flamethrow?
And then the second half of your misapplied quote, "it would probably be an easy hack if they hadn't secured it properly." Now *nix would be an easy hack if not secured properly as well, now wouldn't it?
Re:The horse has bolted (Score:2)
As I said, I didn't want to start a Win/Linux debate. Perhaps I should have emphasized the phrase "if they hadn't secured it properly". The horse is not Windows, the horse is improperly secured systems in many organ
Plug and Play Missile Launchers!!! (Score:2)
Re:The horse has bolted (Score:2)
Is there any OS that doesn't apply to? Isn't every system "an easy hack" if it's not properly secured?
Re:The horse has bolted (Score:2)
And this is bad? (Score:5, Insightful)
I think not. Just remember the whole fuzz about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?
If total security is achieved say goodbye to all those leaks and exposes. You will have a system that makes the KGB look like child's play. Not because they will abuse it but because if they want to they can, without ever being found out. All that would need to happen is for someone to come along who wishes to abuse it. Do you trust any party so much you want to give them complete secrecy?
Democracy and free press are nasty things. They conflict immediately with the need to keep things hidden. Even such a simple thing as the skunk works is a direct violation of the principles of free press and accountable government. How the hell can we judge our government if they can keep what they are doing hidden from us?
The only alternative is to accept a certain level of insecurity and just go after the people that go too far. A very strange state of affairs but better than living in a police state.
Mitnick ain't a victim. He is a stupid criminal and deserves everything he is going to get. He was not a journalist seeking the truth, he was just a cracker messing around with computers that were not his.
If I do not lock my door that does not give you the right to enter my house. Neither do I want to live in a world where the government is behind closed doors.
Re: (Score:2, Informative)
It may not be illegal, but... (Score:5, Insightful)
So yes, they can report whatever they want, but the government can very much make them feel sorry for doing so in financial terms. Thankfully the majority of the papers who have reported it -don't- feel sorry in terms of 'doing the right thing'; as one of the editors said - if they can't report on this, then what's next? Not reporting on Abu Ghraib? Not reporting on 'accidental' bombings of civilians? All in the name of supposed national security.
I can understand - and papers should certainly be wise enough to make this decision for themselves - that papers should -not- publish information regarding specific individuals or programs that would severely compromise those individuals or programs; e.g. operatives abroad who have infiltrated: you don't go publishing their names and photos. Investigations into a terrorist sleeper cell in Hicksville: you don't go publishing that they are under investigation. But for something as broad as "The U.S. government is tracking your international money transfers", there is -no- compromise of the program. If nothing else, sad as it is, most people probably expect that the U.S. government was doing that already, and the U.S. government can happily continue doing so; they can't honestly believe that terrorists will suddenly go "oh dear, I say... they are tracing our money wires.. perhaps we should stop using that.".
Elections must be coming up again soon...
Re:It may not be illegal, but... (Score:4, Interesting)
Actually, I'd guess that in this political climate, it's helping their subscribership quite a bit.
Two things:
1) The Bush administration has failed to realize that the "trust us, we know what we're doing" meme has died. Every time they push it these days their numbers go down.
2) The facts of this particular story were out YEARS before the NYT (and two other papers, btw) put it in the public eye. As those facts come out (and they have been) it will exacerbate #1 above.
Gov: "Releasing this information will kill us all!!"
NYT: "So why did you release it on government websites two years ago?"
Gov: "UUUhhhhhh.... MMmmmmmMMmmm...."
Re:And this is bad? (Score:2)
Re:And this is bad? (Score:2)
That's the difference between the Pentagon Papers and the State Department cracks.
The Papers were leaked by an insider; in the June incident, foreign nationals probably working for a semi-enemy country cracked into government computers.
Re:And this is bad? (Score:2, Insightful)
The Ethics Of Housebreaking (Score:3, Interesting)
I can sympathise with a desire to see the correct terminology used, but in this instance, I'm not sure I can see the harm.
The trouble is that hacking is, in terms of human society, comparatively new. Everyone understands the times when it is right or wrong to enter someone else's house. The same is not clear for remote computer access.
So, it makes sense to look for a situation analogous to unat
Re:The Ethics Of Housebreaking (Score:1)
> and reason from that starting point. A lot of people, myself included, find
> the housebreaking metaphor apt.
>
> Do you think the analogy is unhelpful? Do you have a better starting point?
> I can't see how else to approach the problem.
I think a better metaphor would be coming across an abandoned looking building while out on a hike. You know it must belong to someone, but obviously they don't care to lock it up o
Re:The Ethics Of Housebreaking (Score:2)
FNORD!
--Hagbard
Re:The Ethics Of Housebreaking (Score:2)
Re:The Ethics Of Housebreaking (Score:2)
Security and transparency (Score:5, Insightful)
Actually, yes we do. As long as we have to trust it with our things, we want it to be able to hold onto those things and not let just anybody see them or use them against us. If the government expects to claim that it's protecting us and our personal information, it has to deliver on that protection.
However, you're conflating security with transparency, when in fact they're both important. Security is the ability to keep the secret things secret against prying eyes. Transparency is the ability to unlock and inspect certain documents on demand to make sure that the government is functioning as it should. And ideally, the minimum amount of information should be classified secret: the smaller the pile of sensitive information is and the less it moves around, the less likely it'll get violated.
The role of the free press is to report. It could be said that the role of the free press in a healthy democracy is to act as watchdog, to report when the system's security breaks so people can be warned and take measures for their own security, or to use the transparency to report problems. And it could be further argued that when transparency breaks down and secrets are kept unnecessarily, the best thing a reporter can do is intentionally break that bad kind of security. When the Pentagon Papers were exposed and the illegal acts of the Nixon administration were revealed, that was the free press's finest hour.
Nowadays, government security and government transparency are both oxymorons, and the "free press" provides spin, runs interference, and distracts people with the missing-blond-girl-du-jour (I'm looking at you, Fox "News"). Oh, and a significant portion of the people are okay with that.
My question is, where do we start the triage? Any one we start to fix will give us trouble from the other three.
Re:And this is bad? (Score:3, Insightful)
Is it now?
If your system is counting on access failures for transparency and fail-checking there is something wrong with the system you've designed.
Just as CEO's should be personally responsible
Re:And this is bad? (Score:1)
That is a bad, bad analogy. Instead, imagine you have an idiot savant who keeps your records for you. If you don't tell him not to, he'll happily blurt out the info to anybody who will talk to him. Who is at fault if he answers a request for information you were supposed to keep secret?
"Only tell me this," you'll tell your records keeper, but he's an idi
Re:Lack of motivation (Score:4, Insightful)
While this is generally fairly accurate, in the case of Mitnick they seem to have made him a career, not ruined his life. Before he was nobody; now he's getting all kinds of stuff because of all the publicity the government paid for. I'm really not sure what they thought they were doing.
Re:Lack of motivation (Score:1)
Re:Lack of motivation (Score:2)
The level of security shouldn't have anything to do with the punishment. You don't go to jail longer for breaking into a home with 3 dead-bolts and an alarm vs one with a single lock. It isn't up to the victim to keep the criminal out of trouble.
"It'll punish you more for cracking than for murder"
Last time I checked murder was punishable
Re:Lack of motivation (Score:3, Insightful)
That's not even half the problem. What happens if the hacker is in China and can't be arrested because he is actually in the basement of the People's Army and employed by the Chinese government.
Seriously, if I was a lead intelligence expert in China or Russia, I'd be having a heyday of compromising US military computers and trying to get as much information out of them as possible.
If so
Ask Slashdot: Why do gov't 'puters have net access (Score:4, Insightful)
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:3, Funny)
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:2)
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:4, Informative)
Why shouldn't they? They need to do work and send email to people outside the government like the rest of us. How do you think, for example, all the tax forms show up on IRS.gov? Magic?
Classified computers do not have access to the normal internet, so when you see these break-in stories, no classified information was compromised, unless some dope went out of his way to get info from a class system to an unclass one.
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:4, Informative)
The hard disk in the class machine had a barrel lock on it. At the end of the working day, you powered down your machine, unlocked and removed the hard drive, and locked the drive in your safe. (The safe is less fancy than it sounds: a standard four-drawer file cabinet with two u-flanges welded onto it; you slid a long steel bar through both flanges and padlocked it into place. Cheap, but pretty effective.) The unclass machine's hard disk remained in place, and those machines were rarely turned off.
As the story mentioned, most of the hacks target unclass machines, for the simple reason that they can't reach class machines. Give State some credit; on the hardware side at least, they did the right thing by building two networks.
The problem with this setup is this: say you're writing a report that will include some classified information but that will also have background research perhaps from the internet. In theory, you should write the report on the class machine. You should do the internet research on the unclass machine, write up whatever you want to add to the report, copy it to a floppy or flash drive, and copy it onto the class machine. The document from the class machine should never appear on the floppy or the flash drive, much less the unclass machine. In practice, as you can imagine, people often put the file on the portable medium so that they can avoid wrangling with version control (most foreign-service officers don't know what version control is, but they know they don't like to wrangle with it). Once you start doing that, it's only a matter of time before classified information ends up on an unclassified machine.
Just for the record, a lot of classified information is, frankly, uninteresting. If an embassy staffer covers a rally in the foreign capital and writes a cable that has six paragraphs of description of the rally and one paragraph of commentary on the rally, he'll often mark his comments confidential; this in turn makes the cable classified. This tendency to classify TOO MANY THINGS only adds to the report-writing problem I mentioned above, since often the necessary reference material is unclassified description within a classified cable.
Frankly, if you can come up with a way to sort out this state of affairs, I think the State Department would be pretty willing to listen to it. At least, based on watching diplomatic security officers tear their hair out at the potential security breaches that their own employees commit, I think they would be.
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:3, Interesting)
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:2)
Without direct access to microsoft servers the OS can't automatically update itself. Does this mean that airgapped systems are less secure?
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:2)
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:2)
I had to ask because I am not a windows person myself. The windows admins where I work have a fairly kludgy tool which they run to remotely install stuff on the windows boxen. It occasionally raises dialogs on our screens asking questions like "do you want to continue?", etc. I wondered if the update mechanism could be used to cleanly feed config and binary changes to the workstations and based on your reply this seems to be the case. It's a pity it doesn't get used.
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:2)
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:4, Informative)
B.
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:2)
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:2)
"With respect to information dissemination, the Director shall develop and oversee the implementation of policies, principles, standards, and guidelines to--
apply to Federal agency dissemination of public information, regardless of the form or format in which such information is disseminated; and
promote public access to public information and fulfill the purposes of this chapter, including through the effective use of information technology."
B.
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:5, Funny)
For a bunker shot, they'd use a sand wedge.
Re:Ask Slashdot: Why do gov't 'puters have net acc (Score:1)
Hacking: an offensive weapon (Score:3, Funny)
Of course, that's what the bayonet is for!
What about MySpace? (Score:5, Funny)
Homeland security is a joke (Score:5, Interesting)
It was a long process to penetrate all his defenses. Finally, I ended up chatting with the cracker a la Yahoo Chat, including video. He was from Romania, and liked diet 7-up.
So, I get all the sources together with which he compromised the server. I had everything, down to IP addresses. I called the FBI and they referred me to some web page that didn't even allow enough upload to report everything I had found.
I submitted what I could. I didn't even get a "thank you" email. I would have been happy with a "thank you" message. But I got nothing.
My opinion of the dept of Homeland Security as well as the FBI sank immeasurably as a result.
Re:Homeland security is a joke (Score:4, Insightful)
Unfortunately, the government just doesn't have the resources to investigate every single incident of computer trespassing. It would be nice if they could, but until then I can understand why an intrusion of an ISP mail server would not be very high on their priority list. As many incidents as there are like this that occur every day, it simply isn't possible to follow up on every one. Although, if what you say is true, it seems like you did most of the work for them. Hopefully they would at least file the information away for a rainy day, but my guess is they didn't.
However, if this incident caused your opinion of the FBI and DHS to sink that much, I think you may have been overly generous with your opinion of the two agencies to begin with :)
Re:Homeland security is a joke (Score:1)
Why the hell not????
Re:Homeland security is a joke (Score:2)
That is "hard work". (as someone in the administration has a tendency to say)
Re:Homeland security is a joke (Score:2)
Dept. of Homeland and FBI security priorities. (Score:5, Funny)
My opinion of the dept of Homeland Security as well as the FBI sank immeasurably as a result.
Your error was that you failed to realize what the priorities of these agencies are. Report the incident again only this time put the words 'terrorist' and 'activity' in the subject line. Wait an hour and then turn on the TV, switch to a news channel and you should hear reports of massive USAF airstrikes somewhere in Romania. For shorter response times try adding the word 'Osama' to the subject line. Just be careful when using the words 'bin' and 'Laden' since combining those with the other three in one subject line might lead to a tactical nuclear strike.
Re:Dept. of Homeland and FBI security priorities. (Score:2)
Re:Homeland security is a joke (Score:1, Flamebait)
Re:Homeland security is a joke (Score:2)
You do know that FBI is part of the DOJ, not the DHS, right? Surely you also realize that some dork in Romania compromising an ISP mail server is not a cri
Re:Homeland security is a joke (Score:2)
Freudian slip?
Outsourcing (Score:3, Funny)
Just what we need (Score:3, Funny)
Reality check... (Score:2, Insightful)
(2) Every time I read a headline like this, I remember playing Uplink, and chuckling over the poor bastards when what I did hit the headlines. Somewhere in Korea, someone is chuckling hard.
Re:Reality check... (Score:4, Insightful)
you can end up with information that would be classified: see (1)
*limited official use (now sensitive but unclassified), controlled, for official use only, internal use only, variations on sensitive, etc etc etc.
Re:Reality check... (Score:2)
Oh...
So that's why the VA lets people carry around laptops with millions of Social Security Numbers. Because they aren't allowed to connect to a network (via the internet).
Re:Reality check... (Score:2)
Airgaps are very good security when they are followed religiously. In practice, this is rare because of the requirements for support.
Mental note . . . (Score:4, Funny)
The root password is now "god" instead of "sex"
Don't be Silly... (Score:2)
Geek trivia for 10 thanks... (Score:5, Funny)
If you don't get this you're not geek enough, hang your head in shame.
Re:Geek trivia for 10 thanks... (Score:1)
Re:Geek trivia for 10 thanks... (Score:1)
Thanks. (Score:2)
Re:Geek trivia for 10 thanks... (Score:2, Funny)
Re:Geek trivia for 10 thanks... (Score:1)
Will someone please arrest/sue Matthew Broderick's co-stars. They were the ones that told us all about the "back doors". An obvious national security breach.
Re:Geek trivia for 10 thanks... (Score:1)
One of my questions was: "What is your favorite question?"
My response had to be: "Shall we play a game?"
Another question I had was "What is your favorite color?"
My response had to be "Red, no blue!"
Most of 'em didn't ge
Re:Geek trivia for 10 thanks... (Score:2)
I just hope they changed the password from "pencil".
Must I say it again? (Score:1)
pass the salt please (Score:5, Insightful)
If they really experienced that many security breaches I doubt CNN would be allowed to publicize this.
OTOH, TFA mentions a lot of scary evil things like North-Korean missiles and Chinese Hackers.
I'm not sure whether I prefer this article to be for real or propaganda, both possibilities imply information warfare on the US people.
Re:pass the salt please (Score:2)
Re:pass the salt please (Score:1)
Remember that power brings out the worst in people. Show me someone who wants to get on top of the pile and I'll show you someone who will go over corpses to achieve his goal. (If enough is at stake, literally.)
This may be hyperbolic, but that's the way human society works. The egotistical/powerhungry maniacs that are smart enough to tell the right lies to woo everybody into believing they *need* them (eg. through fear for an external enemy --> "
Re:pass the salt please (Score:4, Insightful)
Wholesale monitoring of communications is as useful as trying to read all the content on the internet, for every useful bit of information you read, you get a 1000 useless bits. So training people to understand the subtleties of "the enemy" would seem a more sensible solution.
Re:pass the salt please (Score:2)
Re:pass the salt please (Score:2)
Look, if a government is going to be respected by the people and/or the press, they either have to be well organized and competent or they have to use a lot of guns. For the moment, they seem to be using the guns approach as they are arming themselves with laws that are abused on a pretty frequent basis giving law enforcement and the executive unprecedented power
ignorant comment (Score:3, Funny)
Why bother? (Score:4, Insightful)
U.S. Hacking Officials? (Score:2, Funny)
When did they hire anyone like that? I call their bluff!
Perhaps they hired some first-rate plumbers - they know how to "hack" into tubes.
Re:U.S. Hacking Officials? (Score:4, Funny)
Didn't work out so well for Nixon.
Disabling security (Score:3, Interesting)
Wait a minute, they actually disabled their security after they got hit with an attack??!? Someone tell me if I'm wrong about secure sockets layer being a security measure of sorts.
Re:Disabling security (Score:2)
I suspect that was poorly worded. What it probably meant to say was they disabled transfer of encrypted information over the internet, instead opting to just not transfer the information at all.
Re:Disabling security (Score:2, Interesting)
I believe their target was the incoming SSL connexions.
stupid security (Score:3, Insightful)
Re:stupid security (Score:2)
The department may well deserve a drubbing, but said drubbing probably shouldn't consist of their computers which I bought and paid for, being run as part of a botnet by Joe Pyongyang.
Cracking vs. Hacking (Score:2, Insightful)
This is a clear case of cracking, not hacking. Please tag this article as such, as if IT experts use the correct terms for activities, maybe the word "hacking" can be saved?
RMS or such other famous nerd: I'm a hacker
Justice, influenced by Fox: Off to Gitmo for you then, hacker means computer terrorist.
Re:Cracking vs. Hacking (Score:4, Informative)
Politics 101 (Score:2)
2.) Request new budget to deal with problem
3.) Call architect about new weekend home in the mountains...
I don't care if it is the local Highway Patrol or Congress, you can bet the only 'problem' these wonks always have is figuring a way to line their pockets.
This is why.... (Score:2, Insightful)
Real break-ins or just 'common' trojans? (Score:2)
Someone ... (Score:2)
a machine that was online.