
(Some unsecured source) Step 1: Leave random USB thumb drives and CDs lying around the parking lot of a government facility working with classified materials and secured computers. Step 2: ??? Step 3: Facepalm (strategypage.com)
More: Fail, flash drives, security clearance, USB

15372 clicks; posted to Main on 06 Jul 2011 at 10:09 AM



148 Comments
Archived thread
 
2011-07-06 09:54:26 AM
got root?
 
2011-07-06 09:59:08 AM
It may have something to do with the fact that they required just about every schlob to fill out a form 95 now and they reclassified a bunch of unimportant information/systems. Not that people shouldn't secure their systems and what they found probably should have been secured better, but they make it sound like some highly classified network was vulnerable. The classified systems I worked on had "gummed" USB ports and no working CD drives. If you wanted data off a CD, you had to go to a central point and have it done and sign for it. The areas are quite secure. I once had a solar calculator confiscated on the way out of the area (one of those cheap POS things that is built into a notebook). And most government sites run blackhats constantly.
 
2011-07-06 10:10:17 AM

UberDave: It may have something to do with the fact that they required just about every schlob to fill out a form 95 now and they reclassified a bunch of unimportant information/systems. Not that people shouldn't secure their systems and what they found probably should have been secured better, but they make it sound like some highly classified network was vulnerable. The classified systems I worked on had "gummed" USB ports and no working CD drives. If you wanted data off a CD, you had to go to a central point and have it done and sign for it. The areas are quite secure. I once had a solar calculator confiscated on the way out of the area (one of those cheap POS things that is built into a notebook). And most government sites run blackhats constantly.


I work with DOD guys all the time... it's hell and a half getting a screen shot out of a building even on a non-classified project.

"If you download the latest version of the software, you should be able to..."
"No, can't do that. Ever."
"But... I can't... the bug has been fixed in... I can't support it on that version."
"Well, you have to."
"...There isn't someone you can talk to about getting it..."
"No."
 
2011-07-06 10:13:30 AM
"Just thought you might be concerned.... about the security... of your shiat"
 
2011-07-06 10:14:29 AM
wanted for questioning

 
2011-07-06 10:15:25 AM
The author of this article is a fool.
 
2011-07-06 10:15:31 AM
Did I read that right? If you work at an information-sensitive job, find random CDs & USB drives lying around the parking lot, and decide to use your work computer to see what's on them, it's NOT your fault if a virus was on them? It's the fault of the company for allowing the system to be compromised like that? What kind of BS is that? What moron doesn't know not to plug an unknown storage device into a work computer? My job's hardly a matter of national security but if one of my guys did that, I'd fire him!
 
2011-07-06 10:16:37 AM
Virtualization is your friend.
 
2011-07-06 10:18:16 AM
Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done... then the morons dare act all surprised when users short circuit security.

Seriously... the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full... because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.
 
2011-07-06 10:19:19 AM
Subby and Story are equally silly.
 
2011-07-06 10:19:46 AM
This has been long known to be one of the best ways to get code into a poorly designed network.

That being said, IT security is pretty good these days*, but human security still sucks. Spies still get their jobs done by simply talking to lots of people and waiting for them to volunteer classified information.

*When people are willing to spend the time/money
 
2011-07-06 10:20:25 AM

kingoomieiii: UberDave: It may have something to do with the fact that they required just about every schlob to fill out a form 95 now and they reclassified a bunch of unimportant information/systems. Not that people shouldn't secure their systems and what they found probably should have been secured better, but they make it sound like some highly classified network was vulnerable. The classified systems I worked on had "gummed" USB ports and no working CD drives. If you wanted data off a CD, you had to go to a central point and have it done and sign for it. The areas are quite secure. I once had a solar calculator confiscated on the way out of the area (one of those cheap POS things that is built into a notebook). And most government sites run blackhats constantly.

I work with DOD guys all the time... it's hell and a half getting a screen shot out of a building even on a non-classified project.

"If you download the latest version of the software, you should be able to..."
"No, can't do that. Ever."
"But... I can't... the bug has been fixed in... I can't support it on that version."
"Well, you have to."
"...There isn't someone you can talk to about getting it..."
"No."


As well as thumb drives are not used for any DoD information, unless with extremely rare and special permission.

/Good luck getting in without badges and certs.
 
2011-07-06 10:20:29 AM
"Your PC is now Stoned"
 
2011-07-06 10:20:41 AM
I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out before this stuff gets compromised."
 
2011-07-06 10:21:15 AM

WayToBlue: The author of this article is a fool.


The author of this article is 100% right. If anyone walking in off the street with a USB flash drive can crash or expose their system, then the security people running that system have failed.
 
2011-07-06 10:21:21 AM
Wow, I don't think I've ever seen someone turn an article about national security into a thinly veiled advertisement for Apple, kudos you kook.
 
2011-07-06 10:23:01 AM

kingoomieiii: I work with DOD guys all the time... it's hell and a half getting a screen shot out of a building even on a non-classified project.


Don't blame the DoD guys. It's been years since I did work for them but the policies and procedures for even the most standard of operations were ridiculous back then. The Lt. Col. running the project we were on couldn't even figure out the org chart where the directions were coming from, it was so convoluted. I can only imagine what it's like now in a PATRIOT Act world.
 
2011-07-06 10:24:29 AM

incrdbil: Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done... then the morons dare act all surprised when users short circuit security.

Seriously... the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full... because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


Really, no USB drives. How astonishing!

And a physical fob to login is still a great idea. At some point, every possible security measure involves a digital signal - and as such, is vulnerable on some level - but the more varied the means, the better the security.

People still move files around on CDs because you can use the same systems for moving files around that you use for hardcopy classified documents.
 
2011-07-06 10:25:45 AM

thunderbird8804: Wow, I don't think I've ever seen someone turn an article about national security into a thinly veiled advertisement for Apple, kudos you kook.


That Apple stuff was inserted by code on a thumb drive the author found on his front porch.
 
2011-07-06 10:25:49 AM

special20: "Your PC is now Stoned"


Heh, the one and only virus I ever got.
 
2011-07-06 10:26:15 AM

brigid_fitch: Did I read that right? If you work at an information-sensitive job, find random CDs & USB drives lying around the parking lot, and decide to use your work computer to see what's on them, it's NOT your fault if a virus was on them? It's the fault of the company for allowing the system to be compromised like that? What kind of BS is that? What moron doesn't know not to plug an unknown storage device into a work computer? My job's hardly a matter of national security but if one of my guys did that, I'd fire him!


It still amazes me how unaware the average person is of basic computer security practices. My boss recently asked a group of us to put all our personal contact information in a spreadsheet on a public drive accessible to hundreds of people. Phone numbers, home address, work schedule, etc. I wrote mine down and handed it to him in person.
 
2011-07-06 10:28:50 AM
Our machines at work have autorun disabled for all peripherals. This in itself bypasses most of the problems in TFA.
 
2011-07-06 10:29:32 AM

Izunbacol: I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out before this stuff gets compromised."


Good thought, but I'd bet a large sum of money that just about all of the people tossing these things into their system all willy-nilly are just curious what's on it, and a security breach is the last thing on their minds.
 
2011-07-06 10:30:12 AM
FTA: The creators of complex gear seem to miss the point that one point of designing such a product is to make it easy to use. Apple has long recognized this, and one of their catch phrases is that "it just works." Apple has grown prosperous by not thinking of their customers as clueless users, but as valuable customers who deserve products that are easy to use and just work.

Are you kidding me? That's exactly what Apple thinks of its users. A clueful person wouldn't spend thousands of dollars on a computer that "just works", they would spend a couple of hours on Google securing their PC and save themselves the money.

A more accurate assessment is that Apple thinks of its userbase as a cash cow that buys their products despite only being able to run applications that are approved by Apple's Morality Police (a game where you punch Jesus or shake a baby? Nope, this manufacturer thinks that you shouldn't be able to play those). If Apple values and respects their customers, why not install a $10 SD card slot into the iPod/iPad devices so your intelligent customers can buy a 64GB SD card for $25 instead of gouging them out of $200 for an extra 48GB?

I don't know what's worse - a company that thinks it's okay to charge $200 for an extra 48GB or the people who continue to give them their business and undying fanboyism. Yeah, they definitely respect their users.
 
2011-07-06 10:30:43 AM
incrdbil: Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done... then the morons dare act all surprised when users short circuit security.

Seriously... the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full... because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


I work in Information Assurance for the DoD, so I'm getting a kick out of the whining.

Users are stupid.

Less is more.

Especially in DoD.
 
2011-07-06 10:30:46 AM

incrdbil: Seriously... the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full... because they allocated less than 100G to a large office with intense document sharing needs.


Maybe you can't have USB drives because you're too farking stupid not to plug in shiat you find in the parking lot.
 
2011-07-06 10:30:54 AM
vartian

WayToBlue: The author of this article is a fool.

The author of this article is 100% right. If anyone walking in off the street with a USB flash drive can crash or expose their system, then the security people running that system have failed.


It is not possible to build a completely foolproof system that still needs to be reasonably functional. Your best bet is to hire fewer fools.

And no, it is not "anyone walking in off the street," these are security cleared personnel who have been trained specifically not to do this.
 
2011-07-06 10:33:12 AM

UberDave: "gummed" USB ports


Savages in this town.
 
2011-07-06 10:35:09 AM
With the secure cloud computing systems out there, coupled with high-bandwidth internet access and VPN tunneling, most corporate/govt computer workstations should not be able to read/write to ANY removable media.

Oh, and the IT department should be "on the ball", quickly vetting all server access, s/w apps and updates and only pushing them out to the workstations on an "as-needed" basis. The only problem is that IT guys tend to be slow as molasses which only encourages their users to seek their own solutions and ends up compromising security.

When the IT dept of one place I worked for implemented a workstation "lock-down" policy, the IT workload from re-imaging to clean out virus/spyware from workstations dropped from about 25/week to zero. Ideally, this should have freed up resources to quickly vet the software apps and updates, but they just laid off the staff, resulting in slowing down the process and motivating some of the more savvy users to figure out their own work-arounds that compromised the system. It's amazing what "system beaters" you can find out there on the various Windows forums.

Stupid bean counters and their shareholder masters. Ruin it for everyone.
 
2011-07-06 10:39:24 AM
Security in computers is always a tradeoff... Security vs. Access. Too much of one is a problem. The most secure system in the world will be unusable. Secure the systems to a good point, and focus on the bigger problem. The one sitting on the chair. That will ALWAYS be the weakest link in network security.
 
2011-07-06 10:39:40 AM

WayToBlue:
It is not possible to build a completely foolproof system that still needs to be reasonably functional. Your best bet is to hire fewer fools.

And no, it is not "anyone walking in off the street," these are security cleared personnel who have been trained specifically not to do this.


Low level people. People that would work in any government building. Again, if I can disable your system with a USB flash drive, you haven't done your job.
 
GBB
2011-07-06 10:39:48 AM
Step 2: Stick it in the slot.

/duh
 
2011-07-06 10:39:58 AM
I thought the USB ports on classified computers were either disabled in BIOS or were filled with epoxy?
 
2011-07-06 10:40:37 AM

incrdbil: Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done... then the morons dare act all surprised when users short circuit security.

Seriously... the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full... because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


This attitude is the perfect example of why even the most secure system can still be vulnerable. The attitude of "rules are stupid and inconvenient." I get to deal with this on a daily basis and typically these are the users who end up causing some kind of security violation/breach.

I'd buy that in the average private sector company that the users can't/shouldn't be relied on to practice basic security measures but people who have clearances have a more serious obligation to know what's going on around them. If they can't follow simple rules like don't bring CDs/thumbdrives into the buildings and certainly don't plug them into your computer, they don't need a clearance.
 
2011-07-06 10:41:37 AM
Day_Old_Dutchie

With the secure cloud computing systems out there, coupled with high-bandwidth internet access and VPN tunneling, most corporate/govt computer workstations should not be able to read/write to ANY removable media.

The words "secure" and "cloud" are diametrically opposed to each other.
 
2011-07-06 10:44:29 AM

tricycleracer: Savages in this town.


I bet the guy who did this wasn't even supposed to be there that day.
 
2011-07-06 10:44:59 AM
GIVE ME A COOKIE

 
2011-07-06 10:45:11 AM
Any security policy that is so restrictive as to guarantee users will be forced to end run it just to get their basic work functions done is not a viable security policy. The number of personal computers used for government work, attempts to use Gmail, shared physical access cards and other numerous violations that come to our office for review on a daily basis highlight this. If there are constant violations of security policy, the blame is largely to be placed on those creating policies that fail despite multiple revisions.
 
2011-07-06 10:46:14 AM
My company still moves some classified stuff on floppy.

/just sayin
 
2011-07-06 10:46:33 AM

ForgotMyTowel: incrdbil: Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done... then the morons dare act all surprised when users short circuit security.

Seriously... the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full... because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.

This attitude is the perfect example of why even the most secure system can still be vulnerable. The attitude of "rules are stupid and inconvenient." I get to deal with this on a daily basis and typically these are the users who end up causing some kind of security violation/breach.

I'd buy that in the average private sector company that the users can't/shouldn't be relied on to practice basic security measures but people who have clearances have a more serious obligation to know what's going on around them. If they can't follow simple rules like don't bring CDs/thumbdrives into the buildings and certainly don't plug them into your computer, they don't need a clearance.


Agreed, but they'll give anyone a clearance these days.

And groooooooowing

The problem remains that people are people...clearance or not.
 
2011-07-06 10:48:35 AM
Rincewind:

Users are stupid.

Less is more.

Especially in DoD.


Victory is life!
 
2011-07-06 10:51:59 AM

incrdbil: Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done... then the morons dare act all surprised when users short circuit security.
(blah)
My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


Troll or not, your rant matches the ones who cause all this "inconvenient security" to exist in the first place. You also sound like the chick I pissed off who swore it was her "right" to play Farmville on company time and install Skype on company hardware.

Move along and remember your function, drone.
 
2011-07-06 10:52:45 AM

PanicMan: It still amazes me how unaware the average person is of basic computer security practices. My boss recently asked a group of us to put all our personal contact information in a spreadsheet on a public drive accessible to hundreds of people. Phone numbers, home address, work schedule, etc. I wrote mine down and handed it to him in person.


Who promptly handed it to his secretary to enter into the unsecured spreadsheet.

ForgotMyTowel: If they can't follow simple rules like don't bring CDs/thumbdrives into the buildings and certainly don't plug them into your computer, they don't need a clearance.


Because their security clearance was probably based solely on their computer savvy and not, you know, the service or expertise for which they use that clearance.
 
2011-07-06 10:53:42 AM
FTFA
"In any manufacturing industry, there is often a bad attitude towards "dumb users." The creators of complex gear seem to miss the point that one point of designing such a product is to make it easy to use. Apple has long recognized this, and one of their catch phrases is that "it just works." Apple has grown prosperous by not thinking of their customers as clueless users, but as valuable customers who deserve products that are easy to use and just work."

Step 1: Don't be a moron and learn something about the equipment you use daily. This also goes for people who don't know the basics of car maintenance. You don't have to be a computer geek or grease monkey to troubleshoot the damn thing and fix common problems.
 
2011-07-06 10:54:46 AM

WayToBlue: The words "secure" and "cloud" are diametrically opposed to each other.


True. But there has been secure VPN file sharing around for a while.
 
2011-07-06 10:55:44 AM
Just got done getting a room of computers ready for a secret classification. I have the USB drives disabled in group policy. This is required per the specs from DOD. Sounds like the place in the article either isn't handling classified information, or is doing something terribly wrong.
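The two host-level controls mentioned in this thread (USB mass storage disabled via Group Policy, and AutoRun disabled for all peripherals) can be audited with a short read-only script. This is an added example, not code from the thread or from any DoD specification; it assumes the standard registry locations that those Group Policy settings write to, and that it is run in an elevated PowerShell session on the workstation being checked.

```powershell
# Added example: audit a Windows workstation for removable-media hardening.
# Read-only; it changes nothing. Assumes the standard policy registry paths.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. USBSTOR driver service: Start=4 means "disabled", so USB disks never mount.
$usbstorStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
$findings += [pscustomobject]@{
    Control = 'USBSTOR driver disabled (Start=4)'
    Value   = $usbstorStart
    Pass    = ($usbstorStart -eq 4)
}

# 2. Group Policy "Removable Storage Access": Deny_All=1 under the
#    RemovableStorageDevices key denies access to every removable storage class.
$denyAll = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
$findings += [pscustomobject]@{
    Control = 'All Removable Storage classes: Deny all access (Deny_All=1)'
    Value   = $denyAll
    Pass    = ($denyAll -eq 1)
}

# 3. AutoRun: the machine-wide "Turn off AutoPlay" policy sets
#    NoDriveTypeAutoRun=0xFF (255), disabling AutoRun for every drive type.
$noAutoRun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
$findings += [pscustomobject]@{
    Control = 'AutoRun off for all drive types (NoDriveTypeAutoRun=0xFF)'
    Value   = $noAutoRun
    Pass    = ($noAutoRun -eq 255)
}

$findings | Format-Table -AutoSize

# Exit 1 when any control is missing so the script can feed a compliance job
# (assumption: the caller treats a non-zero exit code as a failed check).
if ($findings | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

A workstation that passes only the AutoRun check still mounts USB drives, which is the gap the thread's "autorun disabled" comment leaves open; the USBSTOR or Deny_All control is what actually keeps found media from being read.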
 
2011-07-06 10:57:20 AM

Rincewind: Agreed, but they'll give anyone a clearance these days.


A security clearance isn't designed to test for intelligence. A security clearance identifies the person holding it as being an acceptable risk to the employer, i.e. based on their history, criminal record, finances and ideology they are less likely to compromise (or be coerced to compromise) security than an uncleared person.

Having a security clearance doesn't mean you know any more about information security or proper procedures than someone off the street. The HR department should be responsible for weeding out candidates who are too dumb to follow basic rules. After that, making a security breach a fireable offence might make people think twice before plugging an unknown USB key into their PC's slot.
 
2011-07-06 10:58:05 AM

Izunbacol: I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out before this stuff gets compromised."


Good point but there should be an SOP for that. If something is found bring to a central location to verify
 
2011-07-06 10:59:57 AM
People are missing the point of the DoD worrying about USB drives, it isn't so much worrying about the information leaving the site on the USB drives, it's the data that could find its way into the site via the USB drives (viruses, rootkits, what have you).

After all, if an employee with clearance was going to steal data wouldn't it just be easier to wear some glasses with one of those little cameras? Not even the video cameras but the little digital cameras you can take a picture with whenever you "adjust" your glasses. Google them, you can get them anywhere online.
 
2011-07-06 11:01:50 AM
failures are not the fault of users...but the security people, whose sole job is preserving secrets.

Safety is not a thing someone else worries about while you blithely plug every virus-ridden piece of trash you find out in the parking lot into your box. Pay attention to what you're doing or you're going to get infected.
 
2011-07-06 11:07:29 AM

veryunoriginal: Rincewind: Agreed, but they'll give anyone a clearance these days.

A security clearance isn't designed to test for intelligence. A security clearance identifies the person holding it as being an acceptable risk to the employer, i.e. based on their history, criminal record, finances and ideology they are less likely to compromise (or be coerced to compromise) security than an uncleared person.

Having a security clearance doesn't mean you know any more about information security or proper procedures than someone off the street. The HR department should be responsible for weeding out candidates who are too dumb to follow basic rules. After that, making a security breach a fireable offence might make people think twice before plugging an unknown USB key into their PC's slot.


Yep. You're right, but so much money is spent on clearance investigations that they're reluctant to either fire anyone or revoke a clearance. I've seen this in action.

Most day-to-day security violations or spillages come from high level employees or General Officers. They're not going anywhere and it's a slap on the wrist when they do get caught.

IA is a losing game. You spend the money, make the policies and wait for it to happen. It will sooner rather than later. Best to have a good clean up plan in place.
 
2011-07-06 11:08:51 AM

Unoriginal_Username: Izunbacol: I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out before this stuff gets compromised."

Good point but there should be an SOP for that. If something is found bring to a central location to verify


There is. "Report and deliver it to your IASO." And yes, our annual IA training covers this. Some people just can't be trained. Fortunately, most of those will be retiring in the next few years.
 
2011-07-06 11:11:13 AM

fang06554: Sounds like the place in the article either isn't handling classified information, or is doing something terribly wrong.


Yea. It's hiring and clearing morons who pick up random debris in the parking lot and then jam it into their work computers.

At some point, if a user has any access to anything at all, they have to take some responsibility. If you have any access at all to anything then that thing is, on some level, exposed in a way that only you can protect it from misuse. I can certainly protect every bit of data from every idiot in the place, but you're not going to like it when I just walk downstairs and rip all the cables out of all the patch panels, because that's the only way I can protect the place in absolute terms from stupid people: give them no access to anything.

Great, you disabled removable mass storage. What are you going to do when some idiot prints out classified documents, drops them on a conference table somewhere and forgets them, they get into the hands of someone without clearance and then that person runs off with them and plops them on Wikileaks? Is it your fault you didn't disable their access to printers?

Computers are tools that help people do their jobs. When the tools were simpler, just pencils and paper, we trusted the users not to jab out their own eyes. Now the tools are more complex, but they're still just tools, and there still needs to be responsibility and accountability for using those tools. At some point we need to stop making excuses for lazy idiots and start expecting people to have a basic understanding of common, everyday tools they've been using for years or even decades to do their jobs. And if you cannot use those tools properly, you should be fired just as you would be if you were unable to perform any other basic function of your job.
 
2011-07-06 11:14:51 AM

brigid_fitch: kingoomieiii: I work with DOD guys all the time... it's hell and a half getting a screen shot out of a building even on a non-classified project.

Don't blame the DoD guys.


Oh, no, I don't. They all hate it.
 
2011-07-06 11:14:58 AM

Splinshints: Computers are tools that help people do their jobs. When the tools were simpler, just pencils and paper, we trusted the users not to jab out their own eyes. Now the tools are more complex, but they're still just tools, and there still needs to be responsibility and accountability for using those tools. At some point we need to stop making excuses for lazy idiots and start expecting people to have a basic understanding of common, everyday tools they've been using for years or even decades to do their jobs. And if you cannot use those tools properly, you should be fired just as you would be if you were unable to perform any other basic function of your job.


This, so much.
 
2011-07-06 11:18:40 AM

vartian: Again, if I can disable your system with a USB flash drive, you haven't done your job.


You've got that all wrong. It should be "If you've given a top-secret clearance to someone who has no common sense, you haven't done your job."
 
2011-07-06 11:20:53 AM

Splinshints: And if you cannot use those tools properly, you should be fired just as you would be if you were unable to perform any other basic function of your job.


The general poor quality of government managers, coupled with the protections of civil service, makes it damned hard to fire all but the most blatant violators. Government managers face challenges in evaluating and counselling employees, due to the lack of obvious metrics for many positions, but this is compounded by the sheer lack of real management skills by most supervisors, and their inability to understand the basics of what they need to do to get an employee fired.
 
2011-07-06 11:22:14 AM

PanicMan: brigid_fitch: Did I read that right? If you work at an information-sensitive job, find random CDs & USB drives lying around the parking lot, and decide to use your work computer to see what's on them, it's NOT your fault if a virus was on them? It's the fault of the company for allowing the system to be compromised like that? What kind of BS is that? What moron doesn't know not to plug an unknown storage device into a work computer? My job's hardly a matter of national security but if one of my guys did that, I'd fire him!

It still amazes me how unaware the average person is of basic computer security practices. My boss recently asked a group of us to put all our personal contact information in a spreadsheet on a public drive accessible to hundreds of people. Phone numbers, home address, work schedule, etc. I wrote mine down and handed it to him in person.


I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?

/Understand what you're saying about personal data, though.
//No, you don't need my SSN to issue me a parking pass.
 
2011-07-06 11:22:46 AM

Accolade: Who promptly handed it to his secretary to enter into the unsecured spreadsheet.


Probably. It's like I'm speaking a foreign language here. It's incredibly frustrating. It doesn't help that there are a few people below 30, but the majority are in their 40s and 50s or older.
 
2011-07-06 11:27:02 AM

incrdbil: Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done..then the morons dare act all surprised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever-evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.


You fail in understanding that every time an assclown like you can't follow rules because waaaaaa it's easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.
 
2011-07-06 11:29:26 AM
I'm really curious as to the reputable source for this. If anyone has a different link that doesn't wax ecstatic about the brilliance of Apple in a DoD noncompliance article, that would be awesome to the max.

Step 1) Protocol in a facility that handles any level of classified information is to submit to the proper media custodian any media that is not properly labeled for destruction. This is the same when it's Unclassified.

Step 2) there is no step 2. it's just that simple.

There's absolutely nothing to gain from "finding out what classified stuff might be on it."
 
2011-07-06 11:33:55 AM
Apple has grown prosperous by not thinking of their customers as clueless users

Now THAT is FUNNY.
 
2011-07-06 11:37:23 AM

An-Unnecessarily-Long-Name: incrdbil: Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done..then the morons dare act all surprised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever-evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.

You fail in understanding that every time an assclown like you can't follow rules because waaaaaa it's easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.


IT guys are the worst. I'm not sure if it's because they all have assburger's or if it's because they realize that they're a dime a dozen.

If I were so negligent in my job that people were able to injure themselves or the company I'd be fired. That's why I restrict access to dangerous areas. The IA department should be required to do the same thing.
 
2011-07-06 11:38:17 AM

THE_JESUS_PANTS: I'm really curious as to the reputable source for this. If anyone has a different link that doesn't wax ecstatic about the brilliance of Apple in a DoD noncompliance article, that would be awesome to the max.

Step 1) Protocol in a facility that handles any level of classified information is to submit to the proper media custodian any media that is not properly labeled for destruction. This is the same when it's Unclassified.

Step 2) there is no step 2. it's just that simple.

There's absolutely nothing to gain from "finding out what classified stuff might be on it."


Bloomberg Article (supposedly more reliable)
 
2011-07-06 11:40:12 AM

tricycleracer: UberDave: "gummed" USB ports

Savages in this town.


I read that in Hunter S. Thompson's voice...
 
2011-07-06 11:46:43 AM

THE_JESUS_PANTS:
There's absolutely nothing to gain from "finding out what classified stuff might be on it."


Except for the whole finding out who/how is copying classified information onto portable storage then carelessly losing it in the parking lot thing.
 
2011-07-06 11:47:18 AM

32oz High Life: I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?


That's an unreasonably large demand to put on your IT staff, particularly because for a lot of people they have the opportunity to be careless as soon as they sit down at a computer.

Security is always a trade off between usability and protection. Strong security causes people to jump through hoops for the sake of security, and they don't like it. What really needs to happen is a management decision detailing how they deal with this trade off and what their acceptable level of risk is, rather than pushing IT to simultaneously have perfect security and perfect usability.

You can lock your door, but then you need a key to get in. You, the user of the door, need to be an active participant in the security process for that to work out. There are no door solutions that will allow you and only you through the door but not require a key or other identifying component.
 
2011-07-06 11:49:34 AM

shogun: THE_JESUS_PANTS:
There's absolutely nothing to gain from "finding out what classified stuff might be on it."

Except for the whole finding out who/how is copying classified information onto portable storage then carelessly losing it in the parking lot thing.


Yeah, but unless that's your job description you're just being a gossip. Secure installations always have someone in charge of "crap left lying around". It's his job to figure out what to do with it, not yours.
 
2011-07-06 11:56:47 AM

Fubini: 32oz High Life: I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?

That's an unreasonably large demand to put on your IT staff, particularly because for a lot of people they have the opportunity to be careless as soon as they sit down at a computer.

Security is always a trade off between usability and protection. Strong security causes people to jump through hoops for the sake of security, and they don't like it. What really needs to happen is a management decision detailing how they deal with this trade off and what their acceptable level of risk is, rather than pushing IT to simultaneously have perfect security and perfect usability.

You can lock your door, but then you need a key to get in. You, the user of the door, need to be an active participant in the security process for that to work out. There are no door solutions that will allow you and only you through the door but not require a key or other identifying component.


That's a good point -- the door tends to be enough to keep people out, but I have no real way of preventing someone from opening the door for someone else.

The fear of death or disfigurement is usually enough to keep people out. Maybe the IT guy could figure out a way to attach a capsule that would release a small amount of poisonous gas anytime someone inserted a non-secure USB drive.
 
2011-07-06 11:59:40 AM

32oz High Life: If I were so negligent in my job that people were able to injure themselves or the company I'd be fired. That's why I restrict access to dangerous areas. The IA department should be required to do the same thing.


Sometimes people need access to dangerous areas to do their job.

When you're a safety engineer you can tell your co-workers "do this or you'll suffer grievous bodily harm or death" and they'll sit up and listen because no one wants to suffer horrific industrial accidents. The people who get hurt from not following safety procedures are either them or people in their immediate area.

When you're in IT you tell your co-workers "do this or we open ourselves to potential security breaches". People get tired of the regulations because they seem arbitrary and there's no immediate consequence for when they violate the regulation. The other problem (though this is common to safety engineers too) is that sometimes people think they're above the rules, e.g. "I don't have to listen to the regulations about removable media because I'm not stupid enough to forget that CD someplace".

The management at these installations need to clearly define the expectation of security and the penalties for breaches of that security. Some places people can be fired on the spot for risky computer behavior, while other places people laugh it off and treat it like a slap on the wrist. Unsurprisingly, that attitude affects the overall security of the installation.
 
2011-07-06 12:00:24 PM

An-Unnecessarily-Long-Name:
You fail in understanding that every time an assclown like you cant follow rules because waaaaaa its easier not too, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.


Typical IA stupidity. "They won't follow our rules..we'll make the rules even more annoying, that should make them compliant!"

Most workers want to follow the rules, but at the end of the day, when your boss says "Do this"..Joe Worker is going to do it, and tell IA to go blow themselves. Sure, some users are violating security because they are lazy and morons, but others are doing it because the person who evaluates them, their boss, is telling them to do so. This is a direct consequence of lazy thinking when it comes to devising policies and the general arrogant mindset of Government IA workers, who view users as contemptible peasants..and not the people they should be concerned about. Work with users, you'll get more compliance. Keep the typical IA attitude, and you'll keep having security violations.

Of course, the easiest way for the managers of IA departments to justify more money for their departments is tied to the perception of dire security issues. hmm.....

Oh, off topic here: I think I'm justified in saying someone's PST has grown a tad excessive when I have to break it down and spread it over 8 DVDs. If only there were some form of portable mass storage device that could handle the entire file. Maybe it'll be done by this afternoon
 
2011-07-06 12:00:33 PM

32oz High Life: Fubini: 32oz High Life: I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?

That's an unreasonably large demand to put on your IT staff, particularly because for a lot of people they have the opportunity to be careless as soon as they sit down at a computer.

Security is always a trade off between usability and protection. Strong security causes people to jump through hoops for the sake of security, and they don't like it. What really needs to happen is a management decision detailing how they deal with this trade off and what their acceptable level of risk is, rather than pushing IT to simultaneously have perfect security and perfect usability.

You can lock your door, but then you need a key to get in. You, the user of the door, need to be an active participant in the security process for that to work out. There are no door solutions that will allow you and only you through the door but not require a key or other identifying component.

That's a good point -- the door tends to be enough to keep people out, but I have no real way of preventing someone from opening the door for someone else.

The fear of death or disfigurement is usually enough to keep people out. Maybe the IT guy could figure out a way to attach a capsule that would release a small amount of poisonous gas anytime someone inserted a non-secure USB drive.


Or maybe an ink-bomb. Public shame really puts people in line.
 
2011-07-06 12:01:19 PM

Fubini: 32oz High Life: I'll come at it from the other side (and I guess pretty much restate the main point of this article). I work with defense-related data all the time, but I'm one of the guys who's actually producing the data. I don't have advanced training in protecting it, just as the IT guy doesn't have advanced training in not touching or breathing in the fumes of the stuff I'm making. Instead, we keep the door locked and don't let him in. Problem solved. If I can do something detrimental by being careless, why doesn't the IT guy just prevent me from having the opportunity to be careless in the first place?

That's an unreasonably large demand to put on your IT staff, particularly because for a lot of people they have the opportunity to be careless as soon as they sit down at a computer.

Security is always a trade off between usability and protection. Strong security causes people to jump through hoops for the sake of security, and they don't like it. What really needs to happen is a management decision detailing how they deal with this trade off and what their acceptable level of risk is, rather than pushing IT to simultaneously have perfect security and perfect usability.

You can lock your door, but then you need a key to get in. You, the user of the door, need to be an active participant in the security process for that to work out. There are no door solutions that will allow you and only you through the door but not require a key or other identifying component.


Actually, we ran into that exact situation a few years back. Had a locked door, employees had a key card. After ten too many weekend "hey VP I left my card at home come open this so I can work", we put in fingerprint readers. I'm sure someone will lose a finger on the way in to work one day.
 
2011-07-06 12:01:51 PM
Disable auto-run via GPO
Disable thumb drive access in the OS
Disable CD access

Problem solved?

In a large enterprise Auto-run should be off no matter what. In a government facility with classified data, thumb drives should be heavily restricted anyway along with CD access.

Anything that needs to be installed via CD should be ripped from the master and put into whatever package/software delivery solution your company uses. No real need for either.

Thin clients help a little bit too.
 
2011-07-06 12:10:23 PM

incrdbil: An-Unnecessarily-Long-Name:
You fail in understanding that every time an assclown like you cant follow rules because waaaaaa its easier not too, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.

Typical IA stupidity. "They won't follow our rules..we'll make the rules even more annoying, that should make them compliant!"

Most workers want to follow the rules, but at the end of the day, when your boss says "Do this"..Joe Worker is going to do it, and tell IA to go blow themselves. Sure, some users are violating security because they are lazy and morons, but others are doing it because the person who evaluates them, their boss, is telling them to do so. This is a direct consequence of lazy thinking when it comes to devising policies and the general arrogant mindset of Government IA workers, who view users as contemptible peasants..and not the people they should be concerned about. Work with users, you'll get more compliance. Keep the typical IA attitude, and you'll keep having security violations.

Of course, the easiest way for the managers of IA departments to justify more money for their departments is tied to the perception of dire security issues. hmm.....

Oh, off topic here: I think I'm justified in saying someone's PST has grown a tad excessive when I have to break it down and spread it over 8 DVDs. If only there were some form of portable mass storage device that could handle the entire file. Maybe it'll be done by this afternoon


Again, the typical attitude of "work" before security. IA depts are massively underfunded, overworked and underappreciated. I hope when you get your identity stolen or you compromise a classified program because you violated a simple rule you think about that from the unemployment line.

Large PST is really your best argument? You simply have no idea what goes into attempting to keep a network secure and usable when your biggest security flaw is lazy employees.
 
2011-07-06 12:13:00 PM

Geeves00: Disable auto-run via GPO
Disable thumb drive access in the OS
Disable CD access

Problem solved?

In a large enterprise Auto-run should be off no matter what. In a government facility with classified data, thumb drives should be heavily restricted anyway along with CD access.
.


Those restrictions on USB storage devices apply to non-classified systems, at least here.
No one should have an issue with USB restrictions on a classified system.
 
2011-07-06 12:13:13 PM

GBB: Step 2: Stick it in the slot.

/duh


...and that's the way you dooooo it!
 
2011-07-06 12:14:24 PM
"It just works" = "Apple users are stupid."
 
2011-07-06 12:14:55 PM
Anybody who picks up a found USB thumb drive and puts it in their computer is asking for it.

/I wonder how much flash powder can fit in a USB thumb drive?
 
2011-07-06 12:16:48 PM

Credy:
Step 1: Don't be a moron and learn something about the equipment you use daily. This also goes for people who don't know the basics of car maintenance. You don't have to be a computer geek or grease monkey to troubleshoot the damn thing and fix common problems.


I've gotten the argument that I need to remember that not everyone is as good with computers as me, and I need to be more understanding and sensitive about that.

I tell them if their job required use of a car and they didn't know how to fill the tank or notice that a tire is flat, they can't whine and say "I'm not a mechanic".

The job has requirements, and most jobs these days require computers or other electronic devices. This is not new news. Viruses, social engineering are topics that often hit mainstream media.

Really? You didn't know you shouldn't fark around on your work computer because you're not a CCNP? This is the answer you're giving me?

Also, (not) plugging in a USB stick is not a question of technical competency. It's a matter of basic listening skills, using your brain, and following directions. The reason you shouldn't plug in an unknown device into your machine isn't because "computers are scary and I don't know how to write a shell script". It's because your boss, HR, and the IT department all said "for God's sake, don't plug outside crap into your computer!"

It's the requirements of the job, people. Learn 'em, and take responsibility.
 
2011-07-06 12:17:34 PM
In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB
 
2011-07-06 12:26:11 PM

WayToBlue: Day_Old_Dutchie

With the secure cloud computing systems out there, coupled with high-bandwidth internet access and VPN tunneling, most corporate/govt computer workstations should not be able to read/write to ANY removable media.

The words "secure" and "cloud" are diametrically opposed to each other.


You aren't too bright, are you.
 
2011-07-06 12:26:54 PM

Carth: In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB


Where did you learn that trick from? That's been around since the days of the floppy drives.
 
2011-07-06 12:31:08 PM

An-Unnecessarily-Long-Name: .

Large PST is really your best argument? You simply have no idea what goes into attempting to keep a network secure and useable when your biggest security flaw is lazy employees.


Not really an argument..more of a complaint; someone so OCD they want to keep that much old email. Would be nice if they had a useful data backup source though, other than the DVD option.

Our biggest security flaw is poor IA policies that encourage users to violate them. No policy can eliminate all security violators, but current IA policies push users to do that who would prefer not to do so.
 
2011-07-06 12:34:41 PM

32oz High Life: An-Unnecessarily-Long-Name: incrdbil: Government IT/security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done..then the morons dare act all surprised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever-evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.

You fail in understanding that every time an assclown like you can't follow rules because waaaaaa it's easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.

IT guys are the worst. I'm not sure if it's because they all have assburger's or if it's because they realize that they're a dime a dozen.

If I were so negligent in my job that people were able to injure themselves or the company I'd be fired. That's why I restrict access to dangerous areas. The IA department should be required to do the same thing.


I work for a major fitness company in their IT dept. While it's not chemical weapons manufacturing or anything like that, one of our perks is the ability to fire users that cause network problems. No going to management. We can do it from here.

Granted, we are kind and just in our use of this power, but if a user completely screws the pooch, we can shiatcan them.
 
2011-07-06 12:36:32 PM

Geeves00: Problem solved?


If you really believe that, you have absolutely no business being near anything that requires any knowledge of information and operational security at all.

You can "fix" stupid people doing things like this that way, but they're still stupid, they still lack even a basic awareness of the nature of their own tools, and they still have, apparently, virtually no respect for the sensitivity of the information they've been granted access to. That's the underlying problem, and there is no technical fix for it short of completely removing their access to everything they need to do their job.

You cannot write a fix for any of that into group policy. I cannot fix management and hiring problems no matter how much computing power we buy. At some point somebody needs to be accountable for hiring morons who don't know how to use the basic tools required to do their jobs or it's inevitable that some moron will misuse their access to expose something that shouldn't be exposed. You cannot simultaneously give people access to sensitive systems required to do their jobs and completely absolve them of the responsibility of protecting those systems. It's not possible. If an idiot has been hired, that idiot becomes the security problem and you can't program a patch for every possible bit of stupidity they'll undertake no matter how hard you try.

If you lay out thumb drives in the parking lot of a secure organization, every last person who picks one up and does anything short of turning it over to the appropriate technical authority should be immediately terminated because there is no fix out there, short of genetic engineering, for their profound lack of ability to perform their job correctly.
 
2011-07-06 12:37:05 PM

incrdbil: An-Unnecessarily-Long-Name: .

Large PST is really your best argument? You simply have no idea what goes into attempting to keep a network secure and useable when your biggest security flaw is lazy employees.

Not really an argument..more of a complaint; someone so OCD they want to keep that much old email. Would be nice if they had a useful data backup source though, other than the DVD option.

Our biggest security flaw is poor IA policies that encourage users to violate them. No policy can eliminate all security violators, but current IA policies push users to do that who would prefer not to do so.


Problem is that poor (all) IA policies come from management. I, as an IA guy, have no ability to dictate those policies. I just have to try to educate users who could give a damn less and put out fires from those same lazy slobs.
 
2011-07-06 12:39:28 PM

Izunbacol: I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out give it to security before this stuff gets compromised."

 
2011-07-06 01:01:41 PM

An-Unnecessarily-Long-Name: Carth: In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB

Where did you learn that trick from? Thats been around since the days of the floppy drives.


AOL perfected it.
 
2011-07-06 01:03:01 PM

olapbill: virtulization is your friend


Exactly what I came in to say.

Step 1 Virtualize your desktops
Step 2 Install zero clients
Step 3 GPO and lock down Zero client to turn off USB devices except keyboards and mice
Step 4 Sit back and watch episodes of the IT Crowd

If anyone needs help virtualizing, I work for a great company! Virtuon-inc.com

/Sr. Sys Admin
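Both Geeves00's three-line checklist (AutoRun off via GPO, thumb drives off, CD access off) and the zero-client post above come down to the same handful of Windows settings. The script below is an added example written for this page, not code from either poster or from any vendor named in the thread: it applies those settings to a single host, or with -Audit only reports drift. It assumes a Windows host where the script runs elevated; the registry paths are the ones the corresponding Group Policy settings write, and the two class GUIDs are the documented device-interface classes for removable disks and CD/DVD. On a domain you would push the values through the GPO itself and keep this only as the audit.

```powershell
# Added example, not from any poster in this thread: enforce and verify, on one
# Windows host, the lockdown steps the posts above describe (AutoRun off,
# removable disks and CD/DVD denied, USB mass-storage driver disabled).
# The registry values are the ones the matching GPO settings write; on a domain
# set them through the GPO and use this script only to audit.
# Run from an elevated PowerShell prompt. -Audit reports without changing anything.

[CmdletBinding()]
param(
    [switch]$Audit
)

# Device-interface class GUIDs that the "Removable Storage Access" policies key on:
# removable disks and CD/DVD respectively.
$RemovableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$CdRomClass         = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
$StoragePolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$ExplorerPolicy     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Desired state, one entry per registry value.
$Desired = @(
    # "Turn off AutoPlay: All drives" -> bitmask with every drive type set
    @{ Path = $ExplorerPolicy; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
    # "Default behavior for AutoRun: Do not execute any autorun commands"
    @{ Path = $ExplorerPolicy; Name = 'NoAutorun'; Value = 1 }
    # "Removable Disks: Deny all access" and "CD and DVD: Deny all access"
    @{ Path = "$StoragePolicyRoot\$RemovableDiskClass"; Name = 'Deny_All'; Value = 1 }
    @{ Path = "$StoragePolicyRoot\$CdRomClass";         Name = 'Deny_All'; Value = 1 }
    # USB mass-storage class driver set to Disabled (Start = 4): a thumb drive
    # never enumerates as a disk at all, so there is nothing for AutoRun to read
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name = 'Start'; Value = 4 }
)

function Get-SettingState($Setting) {
    # Read the current value (null if the key or the value is missing) and compare.
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($Setting.Name) } else { $null }
    [pscustomobject]@{
        Path      = $Setting.Path
        Name      = $Setting.Name
        Expected  = $Setting.Value
        Current   = $current
        Compliant = ($current -eq $Setting.Value)
    }
}

function Set-SettingState($Setting) {
    # Policy subkeys usually do not exist until some policy has been applied.
    if (-not (Test-Path $Setting.Path)) { New-Item -Path $Setting.Path -Force | Out-Null }
    Set-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Value -Type DWord
}

$Report = foreach ($s in $Desired) {
    $state = Get-SettingState $s
    if (-not $state.Compliant -and -not $Audit) {
        Set-SettingState $s
        $state = Get-SettingState $s   # re-read so the report shows what actually landed
    }
    $state
}

$Report | Format-Table Name, Expected, Current, Compliant -AutoSize
# Non-zero exit code so the script can be wired into a compliance check.
if ($Report.Compliant -contains $false) { exit 1 }
```

Two caveats worth knowing before calling the problem solved. The Deny_All and USBSTOR changes apply to devices plugged in from now on; a drive that was already mounted may stay usable until it is removed or the machine reboots. And all of this only covers devices that present themselves as storage: a stick that enumerates as a keyboard walks straight through the "except keyboards and mice" exception in the zero-client recipe, and a user with local admin rights can flip every one of these values back, which is why the posts pairing this with no admin rights and a locked-down thin client have the stronger position.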
 
2011-07-06 01:04:01 PM

An-Unnecessarily-Long-Name: Carth: In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB

Where did you learn that trick from? Thats been around since the days of the floppy drives.


Floppy drives? you young kids. You know how hard it was to code bots on punch cards?
 
2011-07-06 01:05:18 PM

brigid_fitch: PATRIO


I worked at "Secured information government facility". It wasn't that bad.

The obvious:
no internet access on classified computers
no CD or USB read/write privileges
in fact USB drives and CDs were strictly controlled
no personal business (resume, your next novel) on a classified computer

Less obvious:
list of cleared .exe's, a Stuxnet type exe would not have installation authority
and I'm pretty sure they grab the OS from a read only image every time you boot.
All work files were saved in networked areas.
All programs were remote installed.
Patches were rolled out quickly, I don't know how we managed but usually the vendors ended up just giving us the source code and we would fix the problems ourselves.
 
2011-07-06 01:08:27 PM

Splinshints: Geeves00: Problem solved?

If you really believe that, you have absolutely no business being near anything that requires any knowledge of information and operational security at all.


It was meant to be a slightly sarcastic way of preventing the average idiot from falling to this type of ploy. Remove their access for these devices within the OS/GPO and it can go a long way with keeping systems safe. Fool proof? Of course not. But it can help weed out those that aren't too determined.

As you said, there's no fix for stupid.
 
2011-07-06 01:19:39 PM

dapsychous: 32oz High Life: An-Unnecessarily-Long-Name: incrdbil: Government IT /security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done..then the morons dare act all surprised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time, and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.

You fail in understanding that every time an assclown like you can't follow rules because waaaaaa its easier not to, we in IA have to put in place harder rules. I should be allowed to fire someone as lazy as you.

IT guys are the worst. I'm not sure if it's because they all have assburger's or if it's because they realize that they're a dime a dozen.

If I were so negligent in my job that people were able to injure themselves or the company I'd be fired. That's why I restrict access to dangerous areas. The IA department should be required to do the same thing.

I work for a major fitness company in their IT dept. While it's not chemical weapons manufacturing or anything like that, one of our perks is the ability to fire users that cause network problems. No going to management. We can do it from here.

Granted, we are kind and just in our use of this power, but if a user completely screws the pooch, we can shiatcan them.



That just seems so odd to me (and it's similar to other arguments other farkers are making.) The point of IA should be preventing bad things from happening in the first place, not handing out blame after bad things have already happened. Why not just restrict access from the get go?

Granted, I'm just a simple physicist, but is it really that hard to prevent users from accessing files they shouldn't? Isn't there some kind of firewall doohickey that can keep a user's disk isolated from the rest of the network and only let files that are known to be safe through? In my case, I can put as many warning labels and have as many safety seminars as I please about chemical safety, but I know if I leave a can of toxic material in the lunchroom some doofus is eventually going to open it. I doubt the boss would accept a defense of "but I told them not to."

Aside from nuking from orbit, restricting access is the only way to be sure. If the user disables the safeties to cause problems then fire him/her because it was clearly malicious or utterly moronic.
 
2011-07-06 01:24:31 PM

incrdbil: An-Unnecessarily-Long-Name: .

Large PST is really your best argument? You simply have no idea what goes into attempting to keep a network secure and useable when your biggest security flaw is lazy employees.

Not really an argument..more of a complaint..someone so OCD they want to keep that much old email. Would be nice if they had a useful data back up source though, other than the DVD option.

Our biggest security flaw is poor IA policies that encourage users to violate them. No policy can eliminate all security violators, but current IA policies push users to do that who would prefer not to do so.


It's certainly possible to make secure access easier for users, and IT departments love to make the user experience more streamlined and intuitive. But, if you have users violating security policies then those users have zero respect for the sensitivity of their data and shouldn't be working with it anyway.

These rules aren't arbitrary. If you're not willing to do what it takes to use your access responsibly then you should not have access, period. The hallmark of a professional is that they do what it takes to get the job done right, each and every time. If you're going to half-ass your security procedures then you're not a professional and you don't deserve that access.

A few years ago I got my CDL so I could drive a school bus in the course of my duties as a teacher at an after school program. The school district had their own bus barn and team of mechanics taking care of the fleet, but each and every driver (including myself) was required to know the ins and outs of all the hardware on the bus in order to drive them. Let me repeat myself: to drive a school bus you're expected to know and monitor hundreds of pieces of bus equipment, including the visible parts of the engine, transmission, and drive train. It's not rocket science, and it isn't asking too much for an office drone to know the bare-basics of computer security when they're working with sensitive data.

You can either be professional, or you can half-ass it. The choice is yours.
 
2011-07-06 01:25:04 PM

TheyCallThisWork: vartian: Again, if I can disable your system with a USB flash drive, you haven't done your job.

You've got that all wrong. It should be "If you've given a top-secret clearance to someone who has no common sense, you haven't done your job."


And, again, those people will always exist. If you have designed your security system with the assumption that everyone using it is responsible and competent, then you have failed miserably at your job.
 
2011-07-06 01:32:28 PM

32oz High Life: Granted, I'm just a simple physicist, but is it really that hard to prevent users from accessing files they shouldn't? Isn't there some kind of firewall doohickey that can keep a user's disk isolated from the rest of the network and only let files that are known to be safe through? In my case, I can put as many warning labels and have as many safety seminars as I please about chemical safety, but I know if I leave a can of toxic material in the lunchroom some doofus is eventually going to open it. I doubt the boss would accept a defense of "but I told them not to."


The main problem isn't preventing access to unauthorized users... that's actually pretty easy. The hard part is preventing the authorized users from doing something dangerous. The bulk of the problems in this thread are of the second variety.

Giving a user access inherently makes them a security risk.
 
2011-07-06 01:33:32 PM

THE_JESUS_PANTS: Step 1) Protocol in a facility that handles any level of classified information is to submit to the proper media custodian any media that is not properly labeled for destruction. This is the same when it's Unclassified.

Step 2) there is no step 2. it's just that simple.

There's absolutely nothing to gain from "finding out what classified stuff might be on it."


Out of curiosity, I have a sandboxed, non-networked system for checking that kind of thing. And I have a copy of its OS on an unmounted drive in the same system, so if shiat hits the fan, I can reboot in recovery and ghost the good copy back on.
 
2011-07-06 01:36:43 PM

An-Unnecessarily-Long-Name: Carth: In graduate school a few years ago we were tasked with doing a red team analysis of the easiest way to gain unauthorized access to government computers. My report said drop a bunch of infected USB drives on keychains with random keys around the parking lot and local lunch spots. My teacher, who worked for DHS, said it was just simple enough to work. Glad to see I was right.

/CSB

Where did you learn that trick from? That's been around since the days of the floppy drives.


The fact it wasn't a trick was my point. It is a well known, easy and inexpensive attack that the government was doing almost nothing to prevent.
 
2011-07-06 01:42:56 PM

Fubini: 32oz High Life: Granted, I'm just a simple physicist, but is it really that hard to prevent users from accessing files they shouldn't? Isn't there some kind of firewall doohickey that can keep a user's disk isolated from the rest of the network and only let files that are known to be safe through? In my case, I can put as many warning labels and have as many safety seminars as I please about chemical safety, but I know if I leave a can of toxic material in the lunchroom some doofus is eventually going to open it. I doubt the boss would accept a defense of "but I told them not to."

The main problem isn't preventing access to unauthorized users... that's actually pretty easy. The hard part is preventing the authorized users from doing something dangerous. The bulk of the problems in this thread are of the second variety.

Giving a user access inherently makes them a security risk.


I think vartian summed up my feelings pretty well: If you have designed your security system with the assumption that everyone using it is responsible and competent, then you have failed miserably at your job. Joe Officeworker shouldn't be able to harm your network by plugging in a hard drive he found in the parking lot. Yes, he should know not to do it in the first place, but we both know he will eventually.
 
2011-07-06 02:00:13 PM
1. Train your people to understand what NOT to do when encountering lost discs and/or hardware.
2. Fire anyone who fails to comply
 
2011-07-06 02:03:24 PM

Cinaed: 1. Train your people to understand what NOT to do when encountering lost discs and/or hardware.
2. Fire anyone who fails to comply

3. Watch your sensitive data get stolen or corrupted because it's too late to prevent.
 
2011-07-06 02:06:10 PM
Any operating system that allows you to connect a foreign file system and run code from it by default is defective by design.
 
2011-07-06 02:24:49 PM
goddammit so much
/Manning should be freed based solely on this escapade
 
2011-07-06 02:25:36 PM

32oz High Life: I think vartian summed up my feelings pretty well: If you have designed your security system with the assumption that everyone using it is responsible and competent, then you have failed miserably at your job. Joe Officeworker shouldn't be able to harm your network by plugging in a hard drive he found in the parking lot. Yes, he should know not to do it in the first place, but we both know he will eventually.


You can't have it both ways: you can't simultaneously claim that people working with highly sensitive computer systems should be allowed to be computer morons. Like I said before, if a bus/truck driver (requirement: 8th grade reading and math) can be arsed to learn how a diesel engine works to get his license then there's no reason why workers in secure facilities with classified computer systems can't learn and respect the security procedures.

I said it before, I'll say it again: you can be professional about your job or you can half-ass it. When you design your system for the lowest-common-denominator you end up hamstringing the responsible computer users who would like the discretion to step out of the box sometimes.

There's nothing inherently wrong with USB drives... I've been to places where they depend on autorun features to streamline their workflow and make it easier for workers to do their job. They recognize that it's a security hole, but they're also mature and professional about managing that risk (and this is a group of English professors at a university, BTW, so they're not super IT people).
 
2011-07-06 02:28:17 PM

UberDave: It may have something to do with the fact that they required just about every schlob to fill out a form 95 now and they reclassified a bunch of unimportant information/systems. Not that people shouldn't secure their systems and what they found probably should have been secured better, but they make it sound like some highly classified network was vulnerable. The classified systems I worked on had "gummed" USB ports and no working CD drives. If you wanted data off a CD, you have to go to a central point and have it done and sign for it. The areas are quite secure. I once had a solar calculator confiscated on the way out of the area (one of those cheap POS things that is built into a notebook). And most government sites run blackhats constantly


I know someone that held everyone up at Raytheon at the end of the shift. He had brought in a newspaper or magazine from the newsstands that day that described one of their projects. On the way out security noticed it. No one else was allowed through the security line until he was thoroughly searched, and everyone else after him got a fine going over before they could leave.
 
2011-07-06 02:38:52 PM
incrdbil is a whiner and troll. These are the people I listen to EVERY day......... DoD sets policy - not the IT person helping you....

grrrrrrr
 
2011-07-06 02:50:36 PM

veryunoriginal: your intelligent customers can buy a 64GB SD card for $25


/64GB SD card for $25
//that auction is already up to $40 (but at least the shipping is free)
///and it's a no-brand card from "Japan", so it was probably simply packaged in Japan and manufactured by a Japanese-owned company in Taiwan using Chinese materials
\can still get 16GB SanDisk for about $30 at a brick-and-mortar
\\I got 2 32GB (1 Kingston, 1 SanDisk) off eBay for FREE because they didn't arrive until WELL after I had already filed a PayPal dispute for non-receipt and they didn't show up until weeks later when I had already found other places to try to get them
\\\doesn't matter much; my phone will see a 32GB but won't keep the directory tree after accessing files from the phone OS even though you can see them when you sync or are attached as a USB mass storage device - so the 16GB was what I needed
 
2011-07-06 02:52:06 PM

Fubini: 32oz High Life: I think vartian summed up my feelings pretty well: If you have designed your security system with the assumption that everyone using it is responsible and competent, then you have failed miserably at your job. Joe Officeworker shouldn't be able to harm your network by plugging in a hard drive he found in the parking lot. Yes, he should know not to do it in the first place, but we both know he will eventually.

You can't have it both ways: you can't simultaneously claim that people working with highly sensitive computer systems should be allowed to be computer morons. Like I said before, if a bus/truck driver (requirement: 8th grade reading and math) can be arsed to learn how a diesel engine works to get his license then there's no reason why workers in secure facilities with classified computer systems can't learn and respect the security procedures.

I said it before, I'll say it again: you can be professional about your job or you can half-ass it. When you design your system for the lowest-common-denominator you end up hamstringing the responsible computer users who would like the discretion to step out of the box sometimes.

There's nothing inherently wrong with USB drives... I've been to places where they depend on autorun features to streamline their workflow and make it easier for workers to do their job. They recognize that it's a security hole, but they're also mature and professional about managing that risk (and this is a group of English professors at a university, BTW, so they're not super IT people).


I still say it's stupid to rely on users to remember to prevent security breaches when you could just make it impossible for them to inadvertently breach security. If the data is valuable, it should be properly protected. If I can breach security just by plugging in a USB drive the data clearly is not properly protected.

As far as the bus goes how about this: If it was possible to make an uncrashable bus, would the bus manufacturer be half-assing their job if they decided to just leave not crashing up to the operator? I'd say yes.

I think we're just talking about two different work environments. My computer has data that's much more valuable than a few students' English composition papers.
 
2011-07-06 03:09:42 PM

32oz High Life: I still say it's stupid to rely on users to remember to prevent security breaches when you could just make it impossible for them to inadvertently breach security.


The only way to make it impossible for someone to inadvertently breach security is to not give them access to anything they could divulge. And if you do that they, presumably, can no longer do their jobs.

It's a tool. A computer is a tool. You know not to hit yourself with a hammer. You know not to put a running power drill in your belt. You know not to put metal in the microwave.

Asking you to know the basics of what not to do with your computer is not unreasonable and people who continue to insist that those responsibilities be forced onto the "tech guys" are causing serious harm. You cannot possibly predict every stupid thing a person will do with any tool and a computer is no different. Eventually, given enough time, the data WILL be breached in a way nobody has ever planned for. What are you going to do if the moron in question accesses the data in a read-only format, then someone uses the phone and a fake name and convinces them to just read the information to them verbatim? Is it your fault that you didn't predict that somebody would be dumb enough to read a stranger classified information over the phone? You could have taken the phone away. You could have pre-screened all the calls. Maybe the problem is that their requests for information need to be pre-screened?

Stop trying to do other people's jobs for them. Computers are common tools in the workplace. Have been for a very long time. It's long past time to start holding people accountable when they come on the job claiming to know how to use them when clearly they don't.

32oz High Life: If I can breach security just by plugging in a USB drive the data clearly is not properly protected.


And I'd like to point out that this is not what the article said happened. It's entirely possible, or even likely, that the systems in question are already locked down against removable mass storage. However, by watching dumbasses pick those things up and jam them into their machines, they've identified the fact that the people who did those things are morons and potential liabilities that could expose information in other ways through their foolishness.
 
2011-07-06 03:34:59 PM
MetaRinka

I worked at "Secured information government facility". It wasn't that bad.

If it was really secure, you wouldn't have been allowed to take a USB drive into the building at all.
 
2011-07-06 03:40:59 PM

32oz High Life: As far as the bus goes how about this: If it was possible to make an uncrashable bus, would the bus manufacturer be half-assing their job if they decided to just leave not crashing up to the operator? I'd say yes.


The flaw in your argument is that it's impossible to make a perfect computer system. Your argument sounds as though you think the IT guys could have some amazing system that lets everyone be perfectly productive and perfectly secure, but they don't for unfathomable reasons. There are always policy decisions that affect how the system works and the IT staff has to work within time and budget constraints to get the job done.

If nothing else, you can give someone access to sensitive data and they can take pictures of the screen with a camera. You can sneak in a hacksaw and steal hard drives. You can install rogue software. ANY level of access represents a security risk.

You're essentially saying that IT systems don't work well because the people in charge of those systems are negligent. You're also ignoring the fact that often the security policy is set way above the people who build and implement the actual systems, often involving people who aren't actually computer people to begin with. I'm sure your IT staff loves you.

Like I said before, security is an active process that involves everyone in an organization from guards and IT staff up to upper level management. There is no perfect security system that gives you a rubber room where you can't ever do anything bad.
 
2011-07-06 03:42:02 PM

studebaker hoch: MetaRinka

I worked at "Secured information government facility". It wasn't that bad.

If it was really secure, you wouldn't have been allowed to take a USB drive into the building at all.


One day my father in law took his music collection into work in a fit of absent mindedness. Now he can never take it from the premises.
 
2011-07-06 03:45:13 PM
If your security relies on the human factor then you are screwed from the get go. If people walking compromised data onto your network is an issue then you should remove the ability for it to happen. Article is 100% right.

I worked for a police department and the security manager got paid huge money to say no all day.

"Can I download this driver?"
"No"
"Can I get a thumb drive to hold drivers?"
"No"
"Can I check webmail?"
"No"
"Can we use a remote tool to fix computers in the building?"
"No"

Easiest job in the world.
 
2011-07-06 03:54:46 PM

Splinshints: 32oz High Life: If I can breach security just by plugging in a USB drive the data clearly is not properly protected.

And I'd like to point out that this is not what the article said happened.


I'm just going by this from the article: "The test consisted of leaving data CDs and thumb (USB) drives on the ground in their parking lots. About 60 percent of these items were taken inside, and office computers were used to see what was on the CDs and thumb drives."

Obviously there are a million ways to breach security (your example of just writing the info down from the screen is a great one). However, this one has just been demonstrated to occur. Why not fix the problem?

Here's an analogous way to view the situation. Say I'm a janitor at some school and there's a bunch of broken glass on the floor. I don't bother to clean it up because the kids are required to wear shoes at school and also not walking on broken glass is pretty much common sense. Some kid walks in barefoot for whatever reason and cuts his foot. So it's not my fault, right?

There are plenty of other similar examples. The point is, the kid still cut his foot and security has still been breached because of a preventable situation.

Yes, there will always be idiot office workers, but they should at least have to try to harm the network and not be able to do it with a piece of trash they find in the parking lot.

Here's something else from the article that I think you (and a lot of others in this thread) also missed: "This is a common problem. In any manufacturing industry, there is often a bad attitude towards "dumb users." The creators of complex gear seem to miss the point that one point of designing such a product is to make it easy to use."

A significant portion of the IT guys I know strike me as spoiled and whiny. I'm an engineer and if a product that I design ends up failing it is unacceptable for me to say "Stupid end-user should have known not to do that." I'm paid to make a good product, not a product that fails the first time somebody exceeds the design. If someone is going to call themselves a "Systems Engineer" or a "Network Engineer" they need to suck it up and act like an engineer.

 
2011-07-06 03:58:13 PM

studebaker hoch: MetaRinka

I worked at "Secured information government facility". It wasn't that bad.

If it was really secure, you wouldn't have been allowed to take a USB drive into the building at all.


true, but they can be hard to spot. Here's one of mine
 
2011-07-06 04:01:33 PM
Fubini: The flaw in your argument is that it's impossible to make a perfect computer system.

See MK-Ultra71's comment.

I'm sure your IT staff loves you.

Yes, but only because I don't plug USB drives I find in the parking lot into my computer.
 
2011-07-06 04:01:44 PM

incrdbil: Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.


It's nuts. I worked in a company that were so strict about file shares (you had to get forms signed in triplicate, through change control, all that bullshiat) that people just took to using USB drives.

And what no-one sees is people doing this stuff, the risk, the wasted time.
 
2011-07-06 04:50:15 PM

32oz High Life: See MK-Ultra71's comment.


It's easy to say, "We should remove the ability for compromised data to affect the network." But a lot harder to achieve in practice when you consider the fact that most people need the ability to read/write/execute files on their computers to carry out their work functions. It doesn't help that IT departments are chronically underfunded because they're not a money making department.

You say you're an engineer, so you know that any system needs to be designed and built within the constraints of what is feasible. I can say that I want a car that goes from 0-60 in 3 seconds, gets 50 miles per gallon fuel efficiency, and has a 5 star crash rating but that car is going to cost an arm and a leg to produce. If you add a constraint like the total cost has to be less than $20,000 you're quickly running into the realm of infeasibility.

When you say you want impervious security you're asking for a lot. You're asking for a car that's safe regardless of the intelligence of the user and the other drivers on the road. You're asking for a car that can convey its passengers into a brick wall at 60 miles per hour and bring them out without a scratch. Most professional equipment isn't designed for the lowest common denominator because there's a baseline assumption about the competency of the user. I don't see why computer networks should be any different. There are a ton of cars out there that are safe the vast majority of the time yet fail miserably when you try to run them into walls at 60mph.
 
2011-07-06 04:57:58 PM
Fubini:

Don't give up so easily.
 
2011-07-06 05:12:57 PM

32oz High Life: Fubini:

Don't give up so easily.


You's trollin.
 
2011-07-06 05:22:32 PM

Fubini: 32oz High Life: Fubini:

Don't give up so easily.

You's trollin.


I'm not. I promise. Just running out of time to spend on this discussion.

BTW, you seem pretty level headed for a farker. I wish you well.
 
2011-07-06 05:25:14 PM
No mention of The Recruit? For Shame!

/Am I a scary judge of Talent!
 
2011-07-06 05:34:29 PM
IT Guys: let me tell you when your users start to ignore you. On day one, we get the little IT security intro which includes things like "don't write your password down". Now, the computer savvy among us all laugh and nod at that one. Then, on day two, we start accessing the various systems we need to do our jobs. From the serious ones to the personnel document websites to the UPS account for shipping stuff. Soon, we realize that we've got 20 or 25 different systems/servers/internal websites that we have to use. And we realize that the majority of them require different usernames and passwords. The password rules are different and they all demand that we change the passwords at varying intervals. Now, I'm a bright guy, but there is no way in hell that I can remember all of that. I can't ever remember all of my usernames, let alone the passwords.

Now, Mr ITSec guy, what's your suggestion? Can't write them down. Can't put them in a protected document. Can't use KeePass. You see why we don't much take you seriously? No offense, I know that you didn't do this on purpose. I know that you don't have the funds to fix it. But it undermines your credibility just a little bit.

/Has a secure USB drive
 
2011-07-06 05:46:59 PM

studebaker hoch: MetaRinka

I worked at "Secured information government facility". It wasn't that bad.

If it was really secure, you wouldn't have been allowed to take a USB drive into the building at all.


It was, it was a top secret facility. I mean you could physically sneak in a USB key, but besides the lack of PnP drivers and all that I'm sure 10 alarms would sound if you somehow managed to upload files to a mass storage device.
 
2011-07-06 05:48:55 PM

ChubbyTiger: IT Guys: let me tell you when your users start to ignore you. On day one, we get the little IT security intro which includes things like "don't write your password down". Now, the computer savvy among us all laugh and nod at that one. Then, on day two, we start accessing the various systems we need to do our jobs. From the serious ones to the personnel document websites to the UPS account for shipping stuff. Soon, we realize that we've got 20 or 25 different systems/servers/internal websites that we have to use. And we realize that the majority of them require different usernames and passwords. The password rules are different and they all demand that we change the passwords at varying intervals. Now, I'm a bright guy, but there is no way in hell that I can remember all of that. I can't ever remember all of my usernames, let alone the passwords.

Now, Mr ITSec guy, what's your suggestion? Can't write them down. Can't put them in a protected document. Can't use KeePass. You see why we don't much take you seriously? No offense, I know that you didn't do this on purpose. I know that you don't have the funds to fix it. But it undermines your credibility just a little bit.

/Has a secure USB drive


We used a unified login for all the different systems. However, we didn't have web applications like FedEx that have their own separate system. The other thing we did was store passwords in physical file cabinets that had to be locked unless in use.
 
2011-07-06 05:52:05 PM

Izunbacol: I can almost see the rationale - find CDRs and flash memory devices in the parking lot, wonder "Why are these here? Is there classified info on here? I should get it inside and check it out before this stuff gets compromised."


More like, "Whose fault is this? Can't wait to tell the boss. I hope it's that jerk, Steve." And/or " I wonder if the idiot who lost this will pay me not to mention it?"
 
2011-07-06 05:53:44 PM

ChubbyTiger: IT Guys: let me tell you when your users start to ignore you. On day one, we get the little IT security intro which includes things like "don't write your password down". Now, the computer savvy among us all laugh and nod at that one. Then, on day two, we start accessing the various systems we need to do our jobs. From the serious ones to the personnel document websites to the UPS account for shipping stuff. Soon, we realize that we've got 20 or 25 different systems/servers/internal websites that we have to use. And we realize that the majority of them require different usernames and passwords. The password rules are different and they all demand that we change the passwords at varying intervals. Now, I'm a bright guy, but there is no way in hell that I can remember all of that. I can't ever remember all of my usernames, let alone the passwords.

Now, Mr ITSec guy, what's your suggestion? Can't write them down. Can't put them in a protected document. Can't use KeePass. You see why we don't much take you seriously? No offense, I know that you didn't do this on purpose. I know that you don't have the funds to fix it. But it undermines your credibility just a little bit.

/Has a secure USB drive


Use an algorithm to generate your passwords/passphrases. Preferably something easy to remember that can be altered slightly for each account. For example, "This1ismy'computer'password" can be easily changed to "This1ismy'bank'password" or "This1ismy'fark'password." If required to change the password on a regular basis, add a counter at the end, and increment it as needed.

/my 0.02
 
2011-07-06 06:08:01 PM

Fubini: 32oz High Life: See MK-Ultra71's comment.

It's easy to say, "We should remove the ability for compromised data to affect the network." But it's a lot harder to achieve in practice when you consider the fact that most people need the ability to read/write/execute files on their computers to carry out their work functions. It doesn't help that IT departments are chronically underfunded because they're not a money-making department.

You say you're an engineer, so you know that any system needs to be designed and built within the constraints of what is feasible. I can say that I want a car that goes from 0-60 in 3 seconds, gets 50 miles per gallon fuel efficiency, and has a 5 star crash rating but that car is going to cost an arm and a leg to produce. If you add a constraint like the total cost has to be less than $20,000 you're quickly running into the realm of infeasibility.

When you say you want impervious security you're asking for a lot. You're asking for a car that's safe regardless of the intelligence of the user and the other drivers on the road. You're asking for a car that can convey its passengers into a brick wall at 60 miles per hour and bring them out without a scratch. Most professional equipment isn't designed for the lowest common denominator because there's a baseline assumption about the competency of the user. I don't see why computer networks should be any different. There are a ton of cars out there that are safe the vast majority of the time yet fail miserably when you try to run them into walls at 60mph.


As an engineer I would agree for the most part. As I mentioned in my posts, I worked in a top secret facility and I thought the IT department was fantastic, all the obvious stuff: Universal Plug and Play disabled, writing to any storage device besides the approved network drive disabled. The computers would boot from a read-only image of the OS on every restart. Approved exe's only, remote install/front for install only, etc. etc. etc. There are still things like sidechain attacks and man-in-the-middle attacks to try to get credentials. I'm sure there were plenty of things not visible to the user that would kick in.

We also had the resources and the acknowledgement that we needed a secure system that works; most of the things we had in place would be too big of a burden for "lesser" secrets or commercial offices. For example, having no internet is a big one: not "extremely locked down / disabled internet", but the kind where there was no physical connection from our network to the outside world. Therefore if you wanted to do something legit like check out a vendor spec it was a lengthy process. Everyone reverted back to the old-fashioned days and used catalogs, magazines and the phone to get work done. We could get outside information in, but the occasion had to call for it.
 
2011-07-06 06:57:03 PM

special20: "Your PC is now Stoned"


It's about time my computer caught up with me.
 
2011-07-06 07:37:13 PM

tollbooth_willy: ChubbyTiger: IT Guys: let me tell you when your users start to ignore you. On day one, we get the little IT security intro which includes things like "don't write your password down". Now, the computer savvy among us all laugh and nod at that one. Then, on day two, we start accessing the various systems we need to do our jobs. From the serious ones to the personnel document websites to the UPS account for shipping stuff. Soon, we realize that we've got 20 or 25 different systems/servers/internal websites that we have to use. And we realize that the majority of them require different usernames and passwords. The password rules are different and they all demand that we change the passwords at varying intervals. Now, I'm a bright guy, but there is no way in hell that I can remember all of that. I can't ever remember all of my usernames, let alone the passwords.

Now, Mr ITSec guy, what's your suggestion? Can't write them down. Can't put them in a protected document. Can't use KeePass. You see why we don't much take you seriously? No offense, I know that you didn't do this on purpose. I know that you don't have the funds to fix it. But it undermines your credibility just a little bit.

/Has a secure USB drive

Use an algorithm to generate your passwords/passphrases. Preferably something easy to remember that can be altered slightly for each account. For example, "This1ismy'computer'password" can be easily changed to "This1ismy'bank'password" or "This1ismy'fark'password." If required to change the password on a regular basis, add a counter at the end, and increment it as needed.

/my 0.02


I do the algorithm thing. It's not enough. You also have to remember:

- what the username is. Some sites make it easy and say "email address" in the login form, so at least you probably know that one. If you always use the same username on other kinds of sites, ok, that's good too. But some sites say "username or email address", or use even more ambiguous nomenclature. Game and forum sites, for example, often let you pick a visible name which is different from your username. Work-related accounts exist which don't even use YOUR username (or password), but something meant to be shared by the company.

- what the allowed character set is, vs. the required character set. Some sites require capitals, digits, and symbols. (My bank, for example.) Other sites require that you NOT use special symbols. The majority permit you to use some kind of symbol, but the allowed symbols are different from site to site, such that, no matter what password your algorithm spits out for any particular site, you will NOT be able to use the same password pattern on every other site in your list.

- how often you have to change the password. If you have any site in your list that requires frequent password changes, then, effectively, ALL the sites in your list require frequent password changes, because your algorithm requires you to keep your passwords in sync.

- how did you abbreviate that site? Even if you go by the strict domain name (and what if it's a password that isn't associated with any particular website?) we now increasingly get password syndication schemes, where one site handles security for a number of others. Did you use the end-client site, or the partner site? Lots of sites also have internal divisions with different domains. Which one of those domains was it when you signed up? Do they even share user lists at all?

- who else has this password? If I have a password to an account that's shared with other people, I can't use my algorithm, because that would be equivalent to giving all my passwords to someone else. (Although that's very handy with the wife's accounts.. I got her to do the algorithm trick, and it does save us some time :)

- other random bullshiat. Sites are always coming up with innovative ways to make login forms more "user-friendly" which, without fail, means I have to remember more stupid crap about logging in. Cookies, images, captchas, IP address checks, security questions, URLs (thanks openid!), lots of other examples.

So, I end up with three different tools to keep my sanity.

1- for passwords that belong only to me, use the algorithm, and
2- record the username and URL in a plain text file that I keep in Dropbox. Neither the passwords nor the algorithm are in that file, but it does contain hints when there are special character requirements. My file currently contains 104 entries. Every so often I go through ALL of these and update passwords... it can take a few hours.
3- Use KeePass for all other (shared) usernames & passwords. It helps to insist that anyone else sharing these passwords should also be using KeePass themselves, otherwise I run the risk that they do a "forgot password" maneuver (and, most likely, forget to tell me) thus invalidating my saved credentials.

 
2011-07-06 08:26:25 PM
MetaRinka

It was, it was a top secret facility. I mean you could physically sneak in a USB key, but besides the lack of PnP drivers and all that I'm sure 10 alarms would sound if you somehow managed to upload files to a mass storage device.

If you really have a top secret clearance, which I doubt, you shouldn't say another word. Just stop now.
 
2011-07-06 08:34:46 PM

thunderbird8804: Wow, I don't think I've ever seen someone turn an article about national security into a thinly veiled advertisement for Apple, kudos you kook.


I came here to say this. It frightens me that people have become so brain-dead that they cannot recognize paid advertisement when they see it.

What bothers me even more is when "real" news channels show ads as if they were real news stories.
 
2011-07-06 08:51:10 PM

incrdbil: IT /security workers are jerks. Every practice they put into place is user hostile


Because you lusers are too farking dumb.
 
2011-07-06 09:07:09 PM

tollbooth_willy: Use an algorithm to generate your passwords/passphrases. Preferably something easy to remember that can be altered slightly for each account. For example, "This1ismy'computer'password" can be easily changed to "This1ismy'bank'password" or "This1ismy'fark'password." If required to change the password on a regular basis, add a counter at the end, and increment it as needed.

/my 0.02


This works for each individual password. The problem, as xant mentioned, is that each password has different requirements. Eight characters, six characters, more than eight characters, caps, no caps, special characters, no special characters, etc. It's just stupid.
 
2011-07-06 09:43:38 PM
32oz High Life: Why not fix the problem?

Because you can only take away so many features of the machine before the machine stops being useful in any way, shape or form. Most of my users can't use mass storage devices either, but I can't take away everything or else they can't do their job, and the things I can't take away give them access to things they should protect. And if somebody can access those things, it opens up the potential for anybody to access those things in the right circumstances.

Hence, the whole thing about relying on them not to be morons.

I'm an engineer and if a product that I design ends up failing it is unacceptable for me to say "Stupid end-user should have known not to do that."

This is more like you engineered a hammer and your end user hit himself in the face with it then blamed you for breaking his nose, not you engineering a defective hammer. You'd realize that if our fields were related in anything more than superficial ways.

I'm not terribly worried about external attackers. I'm worried about internal boneheads. They're always going to be, by far, the biggest threat to security in virtually any organization.
 
2011-07-06 11:04:00 PM

ChubbyTiger: tollbooth_willy: Use an algorithm to generate your passwords/passphrases. Preferably something easy to remember that can be altered slightly for each account. For example, "This1ismy'computer'password" can be easily changed to "This1ismy'bank'password" or "This1ismy'fark'password." If required to change the password on a regular basis, add a counter at the end, and increment it as needed.

/my 0.02

This works for each individual password. The problem, as xant mentioned, is that each password has different requirements. Eight characters, six characters, more than eight characters, caps, no caps, special characters, no special characters, etc. It's just stupid.


I completely agree. There should be some sort of standardization with password requirements and allowances. What I wound up doing was going with 3 separate base passwords, depending on site requirements. It's a bit more of a stretch to remember, but it's do-able. Don't ask me to remember all my usernames though...

But my comment wasn't meant to be a total solution. Just a starting point. Oh... I'm also not really an IT guy. I just fix the hardware.
 
2011-07-06 11:09:43 PM

studebaker hoch: MetaRinka

It was, it was a top secret facility. I mean you could physically sneak in a USB key, but besides the lack of PnP drivers and all that I'm sure 10 alarms would sound if you somehow managed to upload files to a mass storage device.

If you really have a top secret clearance, which I doubt, you shouldn't say another word. Just stop now.


If you know my posting history, you'll understand that it has been very, very difficult for me to not post in this thread.

/gahhhhhhh!
 
2011-07-06 11:51:01 PM
Step 1: Disable autorun.
Step 2: Don't give admin rights to idiots.
Step 3: There is NO step 3.
 
2011-07-07 12:07:26 AM

Rincewind: incrdbil: Government IT /security workers are jerks. Every practice they put into place is user hostile, and negatively impacts the ability to get the job done..then the morons dare act all surprised when users short circuit security.

Seriously..the only way we can move files about our office now is burning to CD. We can't have USB drives, and the one shared network drive we are allowed to have access to (we can't share anything on our computer) is full..because they allocated less than 100G to a large office with intense document sharing needs.

The card we have to use to log into our computers is an annoying pain; our ever-evolving more secure email is less and less useful with every version.

My deepest scorn and disrespect to every individual who works in Information Assurance and security within the Department of Defense; you fail at security, and only succeed in harming users' ability to get their job done. You suck in every way government work can suck. You waste time and money with procedures that don't work, and are obviously inferior to the practices carried out by private firms.

I work in Information Assurance for the DoD, so I'm getting a kick out of the whining.

Users are stupid.

Less is more.

Especially in DoD.


The group that mandates encryption on all of our laptops and removable devices to keep data secure taped the encryption passwords on all of their PCs. They got really huffy when I told them this defeated the whole purpose of the encryption. Their director went straight to the CIO to have me reprimanded. The CIO took my documentation and directive on encryption passwords and gave it to this department head. I got to re-do all of their encryption with much better keys. heh.
 
2011-07-07 12:42:58 AM
Transferring hundreds of gigabytes of raw data can get quite tedious on 3.5" floppies.
 
2011-07-07 12:44:57 AM
Users are flippin' clueless retards and there's absolutely nothing we can do about it because the big exec is one of them. Encryption, way too much hassle. Flash drives, oh but we need those to work at home. Complex and multiple passwords, oh we can't remember those.

Someday our fail-boat will sink badly. Of course IT will get blamed for these. All I can do is lock them down the best I can and document all of my received denials for better security.

Your tax dollars at work, priceless.
 
2011-07-07 01:00:22 PM

32oz High Life: That just seems so odd to me (and it's similar to other arguments other farkers are making.) The point of IA should be preventing bad things from happening in the first place, not handing out blame after bad things have already happened. Why not just restrict access from the get go?

Granted, I'm just a simple physicist, but is it really that hard to prevent users from accessing files they shouldn't? Isn't there some kind of firewall doohickey that can keep a user's disk isolated from the rest of the network and only let files that are known to be safe through? In my case, I can put as many warning labels and have as many safety seminars as I please about chemical safety, but I know if I leave a can of toxic material in the lunchroom some doofus is eventually going to open it. I doubt the boss would accept a defense of "but I told them not to."

The analogy works to a point, but the difference is that (I assume) you don't leave containers of neurotoxin lying around with the label "Tasty Maple Syrup" or something similar.

Picture it this way: Every single container in your lab looks exactly the same. There are absolutely NO unique properties of any can. The only way to tell what's in the can is by what's written in Sharpie on the label. 10% of your cans have toxic substances in them. The rest are whipped cream. You can have all kinds of procedures and protections in place to prevent the wrong thing being written on the label, and all kinds of policies on where the cans with "Sarin Gas" written on the labels can go, but it all boils down to how the cans are labeled.

Now, let's go a step further. The cans come pre-labeled in Sharpie from the same supplier. Without opening the cans there's no way to tell the difference without relying on the label.

In IT, we do what we can to prevent people from doing retarded things, but the universe has a way of making better retards for us to protect from themselves. There comes a point where some personal accountability takes over. The only reason those cans are labeled as they are is because someone labeled them that way. Whether they labeled them properly or not is a different question. Suppose there's a saboteur from China at the packing plant, and he switches some labels around. Now, your tasty whipped cream is Sarin gas, and people are dropping dead in the lunch room, regardless of all your policies and procedures.

There's no way to perfectly protect anything from anything else. Some accountability has to be placed on the people using the system. Picture it this way: If cans of Sarin gas were a basic communication method in your company, and the cans HAD to be moved from office to office, and everyone at the company had a few dozen lying around, would you have some policies regarding what they can do with those cans? Would you fire people who didn't follow those policies? I know it's a ridiculous analogy, but it makes the point.

tl;dr: no. Security hardware only goes so far.

 
2011-07-07 07:06:57 PM

32oz High Life: Splinshints: 32oz High Life: If I can breach security just by plugging in a USB drive the data clearly is not properly protected.

And I'd like to point out that this is not what the article said happened.

I'm just going by this from the article: "The test consisted of leaving data CDs and thumb (USB) drives on the ground in their parking lots. About 60 percent of these items were taken inside, and office computers were used to see what was on the CDs and thumb drives."

Obviously there are a million ways to breach security (your example of just writing the info down from the screen is a great one). However, this one has just been demonstrated to occur. Why not fix the problem?

Here's an analogous way to view the situation. Say I'm a janitor at some school and there's a bunch of broken glass on the floor. I don't bother to clean it up because the kids are required to wear shoes at school and also not walking on broken glass is pretty much common sense. Some kid walks in barefoot for whatever reason and cuts his foot. So it's not my fault, right?

There are plenty of other similar examples. The point is, the kid still cut his foot and security has still been breached because of a preventable situation.

Yes, there will always be idiot office workers, but they should at least have to try to harm the network and not be able to do it with a piece of trash they find in the parking lot.

Here's something else from the article that I think you (and a lot of others in this thread) also missed: "This is a common problem. In any manufacturing industry, there is often a bad attitude towards "dumb users." The creators of complex gear seem to miss the point that one point of designing such a product is to make it easy to use."

A significant portion of the IT guys I know strike me as spoiled and whiny. I'm an engineer and if a product that I design ends up failing it is unacceptable for me to say "Stupid end-user should have known not to do that." I'm paid to make a good product, not a product that fails the first time somebody exceeds the design. If someone is going to call themselves a "Systems Engineer" or a "Network Engineer" they need to suck it up and act like an engineer.



My internet was farked for a week because the guy I live with bought the router from a retail store (even though in the end he waited for an install tech to come in and crimp a new wire instead of having me do it and us having internet the same day as we called) and Comcast allowed 3rd party vendors to push firmware through their network, so on my end it looked like the DHCP server wasn't assigning us a WAN address while the Customer Service monkeys (I applied there once for an entry level position: they had me take an IQ test and rejected me) kept telling me to unplug my router, turn off my computer, restart my computer, run ipconfig /release, ipconfig /renew, and netsh winsock reset, turn off my computer again, plug the router back in and restart my computer... after I told them I was using Debian testing base. I pulled out my 1.2GHz, 768MB WinXPPro laptop and humored them. No one ever mentioned that there was a firmware update, yet at least the IT department was aware of it. I even asked to speak with IT and was denied, and I never got a call back like the supervisor said; I had to call in again after we fixed it. We now have the router officially supported by Comcast - we are renting it. I think that's their scheme all along.
 
2011-07-07 07:11:43 PM

olapbill: studebaker hoch: MetaRinka

I worked at "Secured information government facility". It wasn't that bad.

If it was really secure, you wouldn't have been allowed to take a USB drive into the building at all.

True, but they can be hard to spot. Here's one of mine:
[s3.postimage.org image 640x480]


Really? Most people have one that looks something like this:
[www.geeky-gadgets.com image 600x400]
 
2011-07-07 07:16:14 PM

ChubbyTiger: IT Guys: let me tell you when your users start to ignore you. On day one, we get the little IT security intro which includes things like "don't write your password down". Now, the computer savvy among us all laugh and nod at that one. Then, on day two, we start accessing the various systems we need to do our jobs. From the serious ones to the personnel document websites to the UPS account for shipping stuff. Soon, we realize that we've got 20 or 25 different systems/servers/internal websites that we have to use. And we realize that the majority of them require different usernames and passwords. The password rules are different and they all demand that we change the passwords at varying intervals. Now, I'm a bright guy, but there is no way in hell that I can remember all of that. I can't ever remember all of my usernames, let alone the passwords.

Now, Mr ITSec guy, what's your suggestion? Can't write them down. Can't put them in a protected document. Can't use KeePass. You see why we don't much take you seriously? No offense, I know that you didn't do this on purpose. I know that you don't have the funds to fix it. But it undermines your credibility just a little bit.

/Has a secure USB drive


I keep mine in a safe. On a floppy disk. And when I forget or change one I pull out my 1.2GHz, 768MB WinXPPro laptop to edit the text file.

/WiFi password and root admin password for the router are taped right on it.
 
2011-07-08 01:54:03 PM

thelordofcheese: olapbill: studebaker hoch: MetaRinka

I worked at "Secured information government facility". It wasn't that bad.

If it was really secure, you wouldn't have been allowed to take a USB drive into the building at all.

True, but they can be hard to spot. Here's one of mine:
[s3.postimage.org image 640x480]

Really? Most people have one that looks something like this:
[www.geeky-gadgets.com image 600x400]


Valid point. Except at a secure facility your phone is locked in a drop box at the first checkpoint and you don't get it back until you are leaving the building. Mine, on the other hand, can go on a key ring and nobody would look twice.
 
2011-07-09 03:05:51 AM

olapbill: thelordofcheese: olapbill: studebaker hoch: MetaRinka

I worked at "Secured information government facility". It wasn't that bad.

If it was really secure, you wouldn't have been allowed to take a USB drive into the building at all.

True, but they can be hard to spot. Here's one of mine:
[s3.postimage.org image 640x480]

Really? Most people have one that looks something like this:
[www.geeky-gadgets.com image 600x400]

Valid point. Except at a secure facility your phone is locked in a drop box at the first checkpoint and you don't get it back until you are leaving the building. Mine, on the other hand, can go on a key ring and nobody would look twice.


I actually have one that is just a nub. Really. It's only slightly longer than the internal slot of a USB port. I could hide it almost anywhere. I'd take a pic if it wasn't almost 3AM and I cared more.
 
Displayed 148 of 148 comments
This thread is archived, and closed to new comments.