If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(Some unsecured source)   Step 1: Leave random USB thumb drives and CDs lying around the parking lot of a government facility working with classified materials and secured computers. Step 2: ??? Step 3: Facepalm   (strategypage.com) divider line 148
    More: Fail, flash drives, security clearance, USB  
•       •       •

15372 clicks; posted to Main » on 06 Jul 2011 at 10:09 AM (3 years ago)   |  Favorite    |   share:  Share on Twitter share via Email Share on Facebook   more»



148 Comments   (+0 »)
   

Archived thread

First | « | 1 | 2 | 3 | » | Last | Show all
 
2011-07-06 09:54:26 AM
got root?
 
2011-07-06 09:59:08 AM
It may have something to do with the fact that they required just about every schlob to fill out a form 95 now and they reclassified a bunch of unimportant information/systems. Not that people shouldn't secure their systems and what they found probably should have been secured better, but they make it sound like some highly classified network was vulnerable. The classified systems I worked on had "gummed" USB ports and no working CD drives. If you wanted data off a CD, you have to go to a central point and have it done and sign for it. The areas are quite secure. I once had a solar calculator confiscated on the way out of the area (one of those cheap POS things that is built into a notebook). And most government sites run blackhats constantly
 
2011-07-06 10:10:17 AM

UberDave: It may have something to do with the fact that they required just about every schlob to fill out a form 95 now and they reclassified a bunch of unimportant information/systems. Not that people shouldn't secure their systems and what they found probably should have been secured better, but they make it sound like some highly classified network was vulnerable. The classified systems I worked on had "gummed" USB ports and no working CD drives. If you wanted data off a CD, you have to go to a central point and have it done and sign for it. The areas are quite secure. I once had a solar calculator confiscated on the way out of the area (one of those cheap POS things that is built into a notebook). And most government sites run blackhats constantly


I work with DOD guys all the time... it's hell and a half getting a screen shot out of a building even on a non-classified project.

"If you download the latest version of the software, you should be able to..."
"No, can't do that. Ever."
"But... I can't... the bug has been fixed in... I can't support it on that version."
"Well, you have to."
"...There isn't someone you can talk to about getting it..."
"No."
 
2011-07-06 10:13:30 AM
"Just thought you might be concerned.... about the security... of your shiat"
 
2011-07-06 10:14:29 AM
wanted for questioning

cdn.buzznet.com
 
2011-07-06 10:15:25 AM
The author of this article is a fool.
 
2011-07-06 10:15:31 AM
Did I read that right? If you work at an information-sensitive job, find random CDs & USB drives lying around the parking lot, and decide to use your work computer to see what's on them, it's NOT your fault if a virus was on them? It's the fault of the company for allowing the system to be compromised like that? What kind of BS is that? What moron doesn't know not to plug an unknown storage device into a work computer? My job's hardly a matter of national security but if one of my guys did that, I'd fire him!
 
2011-07-06 10:16:37 AM
virtulization is your friend
 
2011-07-06 10:18:16 AM
Government IT /security workers are jerks. Every practive they put into place is user hostile, and negatively impacts the ability tot get the job done..then the morons dare act all surproised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we cant share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is a annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only suceed in harming users ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.
 
2011-07-06 10:19:19 AM
Subby and Story are equally silly.
 
2011-07-06 10:19:46 AM
This has been long known to be one of the best ways to get code into a poorly designed network.

That being said, IT security is pretty good these days*, but human security still sucks. Spies still get their jobs done by simply talking to lots of people and waiting for them to volunteer classified information.

*When people are willing to spend the time/money
 
2011-07-06 10:20:25 AM

kingoomieiii: UberDave: It may have something to do with the fact that they required just about every schlob to fill out a form 95 now and they reclassified a bunch of unimportant information/systems. Not that people shouldn't secure their systems and what they found probably should have been secured better, but they make it sound like some highly classified network was vulnerable. The classified systems I worked on had "gummed" USB ports and no working CD drives. If you wanted data off a CD, you have to go to a central point and have it done and sign for it. The areas are quite secure. I once had a solar calculator confiscated on the way out of the area (one of those cheap POS things that is built into a notebook). And most government sites run blackhats constantly

I work with DOD guys all the time... it's hell and a half getting a screen shot out of a building even on a non-classified project.

"If you download the latest version of the software, you should be able to..."
"No, can't do that. Ever."
"But... I can't... the bug has been fixed in... I can't support it on that version."
"Well, you have to."
"...There isn't someone you can talk to about getting it..."
"No."


As well as thumb drives are not used for any DoD information, unless with extremely rare and special permision.

/Good luck geting in without badges and certs.
 
2011-07-06 10:20:29 AM
"Your PC is now Stoned"
 
2011-07-06 10:20:41 AM
I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out before this stuff gets compromised."
 
2011-07-06 10:21:15 AM

WayToBlue: The author of this article is a fool.


The author of this article is 100% right. If anyone walking in off the street with a USB flash drive can crash or expose their system, then the security people running that system have failed.
 
2011-07-06 10:21:21 AM
Wow, I don't think I've ever seen someone turn an article about national security into a thinly veiled advertisement for Apple, kudos you kook.
 
2011-07-06 10:23:01 AM

kingoomieiii: I work with DOD guys all the time... it's hell and a half getting a screen shot out of a building even on a non-classified project.


Don't blame the DoD guys. It's been years since I did work for them but the policies and procedures for even the most standard of operations were ridiculous back then. The Lt. Col. running the project we were on couldn't even figure out the org chart where the directions were coming from, it was so convoluted. I can only imagine what's it's like now in a PATRIOT Act world.
 
2011-07-06 10:24:29 AM

incrdbil: Government IT /security workers are jerks. Every practive they put into place is user hostile, and negatively impacts the ability tot get the job done..then the morons dare act all surproised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we cant share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is a annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only suceed in harming users ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


Really, no USB drives. How astonishing!

And a physical fob to login is still a great idea. At some point, every possible security measure involves a digital signal - and as such, is vulnerable on some level - but the more varied the means, the better the security.

People still move files around on CDs because you can use the same systems for moving files around that you use for hardcopy classified documents.
 
2011-07-06 10:25:45 AM

thunderbird8804: Wow, I don't think I've ever seen someone turn an article about national security into a thinly veiled advertisement for Apple, kudos you kook.


That Apple stuff was inserted by code on a thumb drive the author found on his front porch.
 
2011-07-06 10:25:49 AM

special20: "Your PC is now Stoned"


Heh, the one and only virus I ever got.
 
2011-07-06 10:26:15 AM

brigid_fitch: Did I read that right? If you work at an information-sensitive job, find random CDs & USB drives lying around the parking lot, and decide to use your work computer to see what's on them, it's NOT your fault if a virus was on them? It's the fault of the company for allowing the system to be compromised like that? What kind of BS is that? What moron doesn't know not to plug an unknown storage device into a work computer? My job's hardly a matter of national security but if one of my guys did that, I'd fire him!


It still amazes me how unaware the average person is of basic computer security practices. My boss recently asked a group of us to put all our personal contact information in a spread sheet on a public drive accessable to hundreds of people. Phone numbers, home address, work schedule, etc. I wrote mine down and handed it to him in person.
 
2011-07-06 10:28:50 AM
Our machines at work have autorun disabled for all peripherals. This in itself bypasses most of the problems in TFA.
 
2011-07-06 10:29:32 AM

Izunbacol: I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out before this stuff gets compromised."


Good thought, but I'd bet a large sum of money that just about all of the people tossing these things in to their system all willynilly is just curious what's on it, and a security breach is the last thing on their minds
 
2011-07-06 10:30:12 AM
FTA: The creators of complex gear seem to miss the point that one point of designing such a product is to make it easy to use. Apple has long recognized this, and one of their catch phrases is that "it just works." Apple has grown prosperous by not thinking of their customers as clueless users, but as valuable customers who deserve products that are easy to use and just work.

Are you kidding me? That's exactly what Apple thinks of it users. A clueful person wouldn't spend thousands of dollars on a computer that "just works", they would spend a couple of hours on Google securing their PC and save themselves the money.

A more accurate assessment is that Apple thinks of its userbase as a cash cow that buys their products despite only being able to run applications that are approved by Apple's Morality Police (a game where you punch Jesus or shake a baby? Nope, this manufacturer thinks that you shouldn't be able to play those). If Apple values and respects their customers, why not install a $10 SD card slot into the iPod/iPad devices so your intelligent customers can buy a 64GB SD card for $25 instead of gouging them out of $200 for an extra 48GB?

I don't know what's worse - a company that thinks it's okay to charge $200 for an extra 48GB or the people who continue to give them their business and undying fanboyism. Yeah, they definitely respect their users.
 
2011-07-06 10:30:43 AM
incrdbil: Government IT /security workers are jerks. Every practive they put into place is user hostile, and negatively impacts the ability tot get the job done..then the morons dare act all surproised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we cant share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is a annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only suceed in harming users ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


I work in Information Assurance for the DoD, so I'm getting a kick out of the whining.

Users are stupid.

Less is more.

Especially in DoD.
 
2011-07-06 10:30:46 AM

incrdbil: Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we cant share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.


Maybe you can't have USB drives because you're too farking stupid not to plug in shiat you find the the parking lot.
 
2011-07-06 10:30:54 AM
vartian

WayToBlue: The author of this article is a fool.

The author of this article is 100% right. If anyone walking in off the street with a USB flash drive can crash or expose their system, then the security people running that system have failed.


It is not possible to build a completely foolproof system that still needs to be reasonably functional. Your best bet is to hire fewer fools.

And no, it is not "anyone walking in off the street," these are security cleared personnel who have been trained specifically not to do this.
 
2011-07-06 10:33:12 AM

UberDave: "gummed" USB ports


Savages in this town.
 
2011-07-06 10:35:09 AM
With the secure cloud computing systems out there, coupled with high-bandwidth internet access and VPN tunneling, most corporate/govt computer workstations should not be able to read/write to ANY removable media.

Oh, and the IT department should "on the ball" be quickly vetting all server access, s/w apps and updates and only push them out to the workstations on an "as-needed" basis. The only problem is that IT guys tend to be slow as molasses which only encourages their users to seek their own solutions and ends up compromising security.

When the IT dept of one place I worked for implemented a workstation "lock-down" policy, the IT workload from re-imaging to clean out virus/spyware from workstations dropped from about 25/week to zero. Ideally, this should have freed up resources to quickly vet the software apps and updates, but they just laid off the staff, resulting in slowing down the process and motivating some of the more savvy users to figure out their own work-arounds that compromised the system. It's amazing what "system beaters" you can find out there on the various windows forums

Stupid bean counters and their shareholder masters. Ruin it for everyone
 
2011-07-06 10:39:24 AM
Security in computers is always a tradeoff... Security vs. Access. Too much of one is a problem. The most secure system in the world will be unusable. Secure the systems to a good point, and focus on the bigger problem. The one sitting on the chair. That will ALWAYS be the weakest link in network security.
 
2011-07-06 10:39:40 AM

WayToBlue:
It is not possible to build a completely foolproof system that still needs to be reasonably functional. Your best bet is to hire fewer fools.

And no, it is not "anyone walking in off the street," these are security cleared personnel who have been trained specifically not to do this.


Low level people. People that would work in any government building. Again, if I can disable your system with a USB flash drive, you haven't done your job.
 
GBB
2011-07-06 10:39:48 AM
Step 2: Stick it in the slot.

/duh
 
2011-07-06 10:39:58 AM
I thought the USB ports on classified computers were either disabled in BIOS or were filled with epoxy?
 
2011-07-06 10:40:37 AM

incrdbil: Government IT /security workers are jerks. Every practive they put into place is user hostile, and negatively impacts the ability tot get the job done..then the morons dare act all surproised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we cant share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is a annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only suceed in harming users ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


This attitude is the perfect example of why even the most secure system can still be vulnerable. The attitude of "rules are stupid and inconvenient." I get to deal with this one a daily basis and typically these are the users who end up causing some kind of security violation/breach.

I'd buy that in the average private sector company that the users can't/shouldn't be relied on to practice basic security measures but people who have clearances have a more serious obligation to know what's going on around them. If they can't follow simple rules like don't bring CDs/thumbdrives into the buildings and certainly don't plug them into your computer, they don't need a clearance.
 
2011-07-06 10:41:37 AM
Day_Old_Dutchie

With the secure cloud computing systems out there, coupled with high-bandwidth internet access and VPN tunneling, most corporate/govt computer workstations should not be able to read/write to ANY removable media.

The words "secure" and "cloud" are diametrically opposed to each other.
 
2011-07-06 10:44:29 AM

tricycleracer: Savages in this town.


I bet the guy who did this wasn't even supposed to be there that day.
 
2011-07-06 10:44:59 AM
GIVE ME A COOKIE

upandrunning.bplans.com
 
2011-07-06 10:45:11 AM
Any security policy that is so restrictive as to guarantee users will be forced to end run it just to get their basic work functiosn done is not a viable security policy. The number of personal computers used for government work, attempts to use Gmail, shared physical access cards and other numerous violations that come to our office for review on a daily basis highlight this. If there are constant violations of security policy, the blame is largely to be placed on those creating policies that fail despite multiple revisions.
 
2011-07-06 10:46:14 AM
My company still moves some classified stuff on floppy.

/just sayin
 
2011-07-06 10:46:33 AM

ForgotMyTowel: incrdbil: Government IT /security workers are jerks. Every practive they put into place is user hostile, and negatively impacts the ability tot get the job done..then the morons dare act all surproised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we cant share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is a annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only suceed in harming users ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.

This attitude is the perfect example of why even the most secure system can still be vulnerable. The attitude of "rules are stupid and inconvenient." I get to deal with this one a daily basis and typically these are the users who end up causing some kind of security violation/breach.

I'd buy that in the average private sector company that the users can't/shouldn't be relied on to practice basic security measures but people who have clearances have a more serious obligation to know what's going on around them. If they can't follow simple rules like don't bring CDs/thumbdrives into the buildings and certainly don't plug them into your computer, they don't need a clearance.


Agreed, but they'll give anyone a clearance these days.

And groooooooowing (new window)

The problem remains that people are people...clearance or not.
 
2011-07-06 10:48:35 AM
Rincewind:

Users are stupid.

Less is more.

Especially in DoD.


Victory is life!
 
2011-07-06 10:51:59 AM

incrdbil: Government IT /security workers are jerks. Every practive they put into place is user hostile, and negatively impacts the ability tot get the job done..then the morons dare act all surproised when users short circuit security.
(blah)
My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only suceed in harming users ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


Troll or not, your rant matches the ones who cause all this "inconvenient security" to exist in the first place. You also sound like the chick I pissed off who swore it was her "right" to play Farmville on company time and install Skype on company hardware.

Move along and remember your function, drone.
 
2011-07-06 10:52:45 AM

PanicMan: It still amazes me how unaware the average person is of basic computer security practices. My boss recently asked a group of us to put all our personal contact information in a spread sheet on a public drive accessable to hundreds of people. Phone numbers, home address, work schedule, etc. I wrote mine down and handed it to him in person.


Who promptly handed it to his secretary to enter into the unsecured spreadsheet.

ForgotMyTowel: If they can't follow simple rules like don't bring CDs/thumbdrives into the buildings and certainly don't plug them into your computer, they don't need a clearance.


Because their security clearance was probably based solely on their computer savvy and not, you know, the service or expertise for which they use that clearance.
 
2011-07-06 10:53:42 AM
FTFA
"In any manufacturing industry, there is often a bad attitude towards "dumb users." The creators of complex gear seem to miss the point that one point of designing such a product is to make it easy to use. Apple has long recognized this, and one of their catch phrases is that "it just works." Apple has grown prosperous by not thinking of their customers as clueless users, but as valuable customers who deserve products that are easy to use and just work."

Step 1: Don't be a moron and learn something about the equipment you use daily. This also goes for people who don't know the basics of car maintenance. You don't have to be a computer geek or grease monkey to troubleshoot the damn thing and fix common problems.
 
2011-07-06 10:54:46 AM

WayToBlue: The words "secure" and "cloud" are diametrically opposed to each other.


True. But there has been secure VPN file sharing around for a while.
 
2011-07-06 10:55:44 AM
Just got done getting a room of computers ready for a secret classification. I have the USB drives disabled in group policy. This is required per the specs from DOD. Sounds like the place in the article either isn't handling classified information, or is doing something terribly wrong.
 
2011-07-06 10:57:20 AM

Rincewind: Agreed, but they'll give anyone a clearance these days.


A security clearance isn't designed to test for intelligence. A security clearance identifies the person holding it as being an acceptable risk to the employer, i.e. based on their history, criminal record, finances and ideology they are less likely to compromise (or be coerced to compromise) security than an uncleared person.

Having a security clearance doesn't mean you know any more about information security or proper procedures than someone off the street. The HR department should be responsible for weeding out candidates who are too dumb to follow basic rules. After that, making a security breach an fire-able offence might make people think twice before plugging in an unknown USB key into their PC's slot.
 
2011-07-06 10:58:05 AM

Izunbacol: I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out before this stuff gets compromised."


Good point but there should be an SOP for that. If something is found bring to a central location to verify
 
2011-07-06 10:59:57 AM
People are missing the point of the DoD worrying about USB drives, it isn't so much worrying about the information leaving the site on the USB drives, it's the data that could find its way into the site via the USB drives (viruses, rootkits, what have you).

After all if a employee with clearance was going to steal data wouldn't it just be easier to wear some glasses with one of those little cameras? Not even the video cameras but the little digital cameras you can take a picture with whenever you "adjust" your glasses. Google them you can get them anywhere online.
 
2011-07-06 11:01:50 AM
failures are not the fault of users...but the security people, whose sole job is preserving secrets.

Safety is not a thing someone else worries about while you blithely plug every virus-ridden piece of trash you find out in the parking lot into your box. Pay attention to what you're doing or you're going to get infected.
 
Displayed 50 of 148 comments

First | « | 1 | 2 | 3 | » | Last | Show all



This thread is archived, and closed to new comments.

Continue Farking
Submit a Link »






Report