
(Washington Post)   Federal agencies including DHS have so utterly failed at network security that their networks get compromised because of uninstalled firewalls and default passwords that never get changed. That Obamacare website is safe, though, you can trust them   (washingtonpost.com)
    More: Fail, DHS, default password, Senate, Senate Homeland Security, security patches, governmental affairs committee, federal system, anti-virus software  

4009 clicks; posted to Main » on 04 Feb 2014 at 11:56 AM (31 weeks ago)



184 Comments
 
vpb [TotalFark]
2014-02-04 10:36:33 AM
We should contract web security out to Target because private industry is so much better.
 
2014-02-04 10:47:29 AM

vpb: We should contract web security out to Target because private industry is so much better.


Who do you think DHS has been using?
 
2014-02-04 11:10:42 AM
Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.
 
2014-02-04 11:58:20 AM
I was told the Post Office is running Obamacare.
 
2014-02-04 11:59:02 AM
It's everything we've come to expect from YEARS of government oversight.  ;)
 
2014-02-04 11:59:09 AM
admin
admin

*click*


Welcome Dr. Falken

[ilk.uvt.nl image 591x327]
 
2014-02-04 12:03:54 PM
You mean you have to connect the firewall??  Well that changes everything.
 
2014-02-04 12:04:44 PM
IMO, the feds are doing better than states. I haven't changed my network password in years, and it isn't a strong password. I'm sure there is a policy somewhere that "requires" me to change it quarterly, and use a stronger pw, but unless/until IT forces it, no one will comply.

When there is a problem at work, someone writes a new policy. Our workplace campus is now "smoke free" even though people smoke outside wherever they want. Smoke free policy; you can't argue with that. Just an example, but people here think that writing a policy actually influences behavior, without needing to enforce said policy.
 
2014-02-04 12:05:03 PM

vpb: We should contract web security out to Target because private industry is so much better.


You never have to enter a Target in your life if you don't want to. It's a little different than DHS.

I'm surprised that the story about part of Healthcare.gov being written in Belarus hasn't shown up yet.
 
2014-02-04 12:05:53 PM
Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.
 
2014-02-04 12:06:09 PM

Anayalator: admin
admin

*click*


Welcome Dr. Falken

[ilk.uvt.nl image 591x327]



A system installed at my job recently had the default PW as Joshua

/csb
 
2014-02-04 12:06:16 PM
Well then, maybe; just MAYBE we should put more money and effort into protecting our cyber security than say:

1 - Building Tanks the Army doesn't need.

2 - Cargo planes the Air Force doesn't need.

3 - 10+ billion dollars a pop on new Aircraft Carriers.

4 - "Super; next-gen" jet-fighters that have yet to live up to their promise. (400 billion and counting)
 
2014-02-04 12:06:20 PM

Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.


Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.
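As an added example (not from the thread or from any product mentioned in it), here is the kind of change-time check the app above lacked: it compares the new password's "core" (leading/trailing digits and symbols dropped, leet substitutions undone) against the old one, rejects near-identical edits, and checks a hash history for exact reuse. The `DEMO_SALT` and the PBKDF2 stand-in for the real password hash are constructed for the demo.

```python
"""Reject a 'rotated' password that is just the old one with the counter
bumped, e.g. 1Passw0rd! -> 2Passw0rd@ (the pattern described above)."""
import hashlib
import hmac
import re

# Common letter/symbol substitutions, undone before comparing cores.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed demo salt; a real system uses a per-user random salt.
DEMO_SALT = b"constructed-demo-salt"


def password_core(pw: str) -> str:
    """Normalize a password to the part the user actually remembers:
    drop leading/trailing digits and symbols, undo leet, lowercase."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    core = stripped.translate(_LEET).lower()
    return core or pw.lower()  # all-digit/symbol passwords keep their text


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean a trivial 'rotation'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def history_hash(pw: str, salt: bytes = DEMO_SALT) -> bytes:
    # Stand-in for the real password hash (use argon2/bcrypt in production).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def check_rotation(old_pw: str, new_pw: str, history: list,
                   salt: bytes = DEMO_SALT, min_distance: int = 3):
    """Return (ok, reason). `history` holds hashes of earlier passwords;
    the current password is available in plaintext because a change form
    asks for it, which is what makes the similarity checks possible."""
    if new_pw == old_pw:
        return False, "new password equals current password"
    if password_core(new_pw) == password_core(old_pw):
        return False, "new password is the old one with digits/symbols changed"
    if levenshtein(old_pw, new_pw) < min_distance:
        return False, f"new password differs from old by fewer than {min_distance} edits"
    new_hash = history_hash(new_pw, salt)
    if any(hmac.compare_digest(new_hash, h) for h in history):
        return False, "new password was used before"
    return True, "ok"


if __name__ == "__main__":
    hist = [history_hash("1Passw0rd!")]
    for cand in ("2Passw0rd@", "1Passw0rk!", "1Passw0rd!", "correct horse battery"):
        print(cand, "->", check_rotation("1Passw0rd!", cand, hist))
```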
 
2014-02-04 12:07:57 PM
Why does this not surprise me?  Thank God I have private insurance.

It seems "they're" doing everything within their power to downgrade the quality of life for the average Joe.

/USA!  USA! USA!
 
2014-02-04 12:11:25 PM
[imgs.xkcd.com image]

/oblig
 
2014-02-04 12:11:42 PM
Or, they could follow the goddamn FIPS requirements and have admins that CAN actually be arsed to do their jobs...
 
2014-02-04 12:12:38 PM

Malacon: A system installed at my job recently had the default PW as Joshua

/csb


I sure hope the hell they changed it...
 
2014-02-04 12:14:33 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.
 
2014-02-04 12:14:48 PM
Less of an argument against ACA and more of one for ACTUAL TECHIES RUNNING THINGS.

Best practices don't exist just so that you can say you read them. You've gotta actually press all them little buttons, and in the right order, and make sure the result is/acts as it should, and monitor it, and keep ahead of the major threat vectors.

Governmenting's hard, yo.
 
2014-02-04 12:16:33 PM
Meanwhile, your doctor's office and local pharmacy are totally secure.
 
2014-02-04 12:17:31 PM

mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.


I think that's his point, not so much that Obama or Democrats can't be trusted as that the government should have limited powers because it cannot be trusted regardless of who's in charge.
 
2014-02-04 12:18:15 PM

Malacon: Anayalator: admin
admin

*click*


Welcome Dr. Falken

[ilk.uvt.nl image 591x327]


A system installed at my job recently had the default PW as Joshua

/csb


The admin of the campus when I was in college claimed "Joshua" was always in the top ten of passwords. This was the mid-late 90's so this was the generation that grew up with Wargames.
 
2014-02-04 12:19:04 PM

redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.


Sounds similar to mine for work.  But I do work with very secure customer data sometimes.  I've considered getting one of those online password safe thingies, but I'm sure that's not allowed for work passwords.
 
2014-02-04 12:19:49 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Just FYI, most of the "security" problems on government computers are due to lack of funding of IT departments.  No one wants to pay for IT until there's a problem.  When you have one or two people trying to manage 500 computers, there are bound to be times when they miss a few things.  So if you want IT security to improve, tell congress to get off of their duffs and increase funding for IT and security efforts.

Of course congress won't increase funding for anything because it will just go to waste in their opinion.  So you get situations like these where agencies have been cutting corners for years to ensure that their core functions are running while the fringe functions (system administration, hardware and software upgrades, etc) get ignored.
 
2014-02-04 12:20:09 PM

jntaylor63: Well then, maybe; just MAYBE we should put more money and effort into protecting our cyber security than say:

1 - Building Tanks the Army doesn't need.

2 - Cargo planes the Air Force doesn't need.

3 - 10+ billion dollars a pop on new Aircraft Carriers.

4 - "Super; next-gen" jet-fighters that have yet to live up to their promise. (400 billion and counting)


so very much this
 
2014-02-04 12:21:27 PM

mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.


I was contracting to DoD during the Y2K certification.  They were running out of time to certify the missile systems.  Solution?  Waive the certification requirements.  That made me feel all warm and comfy and secure.

Good thing Obama uses a complex password for his time machine.
 
ecl
2014-02-04 12:21:30 PM
So DHS security is lax or not even in place and the Republicans are worried about the healthcare website?  Derangement.
 
2014-02-04 12:22:17 PM
My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.
 
2014-02-04 12:24:28 PM

the_celt: My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.


Not that it's an excuse, but because we work in IT we have to remember a ton of passwords.  But yes, even still you'd think he'd know better.
 
2014-02-04 12:27:15 PM
Remember .. you voted this assembly of asshats
 
2014-02-04 12:27:47 PM
FTA: "A common password on federal systems, the report found, is "password.""

[www.hotflick.net image]

You better think again.

/love, sex, secret and god

Also:

[4.bp.blogspot.com image]

/yes, please
//everything about this is hot
///well, except for Fisher Stevens
 
2014-02-04 12:28:15 PM

vpb: We should contract web security out to Target because private industry is so much better.


Herr Goebbels omits the fact that there is no federal mandate to shop at Target.
 
2014-02-04 12:28:35 PM
Is the politics tab full, and we're having to shunt the excess dreck to the Main Page?
 
2014-02-04 12:28:39 PM

degenerate-afro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

Just FYI, most of the "security" problems on government computers are due to lack of funding of IT departments.  No one wants to pay for IT until there's a problem.  When you have one or two people trying to manage 500 computers, there are bound to be times when they miss a few things.  So if you want IT security to improve, tell congress to get off of their duffs and increase funding for IT and security efforts.

Of course congress won't increase funding for anything because it will just go to waste in their opinion.  So you get situations like these where agencies have been cutting corners for years to ensure that their core functions are running while the fringe functions (system administration, hardware and software upgrades, etc) get ignored.


Funding isn't our problem. It's that IT/management don't actually "require" people to do anything. More funding won't solve the lack of accountability that is rampant in govt.
 
2014-02-04 12:28:42 PM

YixilTesiphon: mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.

I think that's his point, not so much that Obama or Democrats can't be trusted as that the government should have limited powers because it cannot be trusted regardless of who's in charge.


This happens when you have a large bureaucracy, even in private companies. The people who actually know something about security and make suggestions to improve it are at the bottom of the hill, and the people at the top, or as it is in most cases, people who think they are at the top and are important, don't like to be bothered by security and think it is a burden, so many procedures don't get initiated or are ignored because people complain about them.
 
2014-02-04 12:29:59 PM
csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.
 
2014-02-04 12:31:09 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


We are in our secret bunker underneath Soros World Domination HQ reading your posts, rolling our eyes and making rude noises.
 
2014-02-04 12:32:17 PM
What about 12345? That's the combination I use on my luggage.
 
2014-02-04 12:35:00 PM
Would you like some freedom fries with that?

The Belarusian Connection

U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised.
 
2014-02-04 12:35:03 PM
In other words, they're up to par with the public sector.
 
2014-02-04 12:36:26 PM

Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.


First off, writing down your password isn't necessarily bad. Depends on what risk you're trying to mitigate. Logging into your workstation? Yeah, don't write that down on your desk because that defeats the purpose of identifying you as the person on your workstation. Logging into your tax data? Why not have it written down? You have your damn tax data written down, but the way to access that same data online can't be in the same place? That's stupid.

Back when I worked tech support I had this laughable old man call in complaining about password complexity requirements. He kept saying "What next, you're going to require that the third character be a number?" and I would just say "No, that would decrease the randomness of the password." Basically just a rambling old fool whose childish understanding of password security served to illustrate how out of touch with reality he was. Husks of men still pretending to be capable of existing in modern society were funny calls.

Frankly I would do away with all password requirements, even for banks. Say "fine, you can use any password you want, with any characters you want, up to the size that can be hashed efficiently in our system, 128 characters or so." I would also combine that with "if your account gets broken into because your password is pathetic, we don't care. Your fault, your problem, try and be more responsible in the future, stupid." Zero liability for website users screwing up.

Now time for the actual solution: password keepers are awesome. I just have to remember one random string of characters. All my passwords are whatever the max complexity allowed for the site is, and they are different for every site. Need to change? No problem, generate a new one, save, done. I haven't the slightest idea what any of my passwords are except the master.
 
2014-02-04 12:36:26 PM

stewbert: Funding isn't our problem. It's that IT/management don't actually "require" people to do anything. More funding won't solve the lack of accountability that is rampant in govt.


You do realize that enforcement requires manpower.  Manpower requires funding.  If you don't have funding, you don't have the people.  Again, one of the first places where the government cuts corners is with IT funding.  They don't fund for enforcement.  It's easier and cheaper to get someone to write documentation than to get someone who knows how to implement a solution.  Automated solutions either cost development time or money to buy a third party solution.  Most third party solutions for enforcement require yearly funding for operation and also training on how to use it.

If you don't have the people, don't want to pay for the training, don't want to pay for the development for an alternate solution, things aren't going to get done.
 
2014-02-04 12:36:45 PM

Wodan11: csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.


The whole secret question/answer thing should be scrapped because of the rise of social media.
 
2014-02-04 12:36:48 PM

xanadian: Or, they could follow the goddamn FIPS requirements and have admins that CAN actually be arsed to do their jobs...


Phipps?

[memoryglands.com image]

/hot like the chips aren't
 
2014-02-04 12:38:55 PM
taxandspend:
That's basically what it says at the bottom of the article: "Still, Washington has been slow to act. A 2000 law to improve government cybersecurity did not mandate consequences for agency lapses. In recent years, numerous bills calling for better computer and network security have languished in Congress. The White House, meanwhile, is pushing to give the Department of Homeland Security more authority to enforce cybersecurity rules across government."

I do like the guy who has to preface that he is a taxpayer as if his outrage over security lapses would be unjustified if he wasn't.


That is the main problem.  Originally, there was the threat that if an agency didn't pass an IT security audit, its budget would be impacted.  Large agencies like DHS, FBI, IRS, etc. called that bluff - a media piece about how DHS can't protect you against terrorists because some IT weenie didn't like their password policy was all that would be needed.  And no, the current admin will not make significant changes in that mentality unless it means dealing with insider threats.  That will be addressed.
 
2014-02-04 12:39:50 PM
As someone who was InfoSec for years, in a corporation that made the news for a breach a while back, I can tell you this:  Nobody gives a shiat about system security.

It's difficult, a pain in the neck, inconvenient, and often not built in to projects from the start as it should be.  You can work your ass off to lock things down but all it takes is a whiny ass developer combined with a clueless manager and they tell their VP "Security is keeping us from doing our jobs."  Then there's a VP fight and it always trickles down to "give them access, the big boss is wondering what the problem is."

Then you get a breach.  An "in the news" breach where published stories full of "facts" are rarely even remotely accurate and EVERYBODY JUMPS ON THE SECURITY BANDWAGON.  The same clueless people start implementing utterly worthless security policies and procedures for a few months then go back to their usual ways.

Example of a worthless new security policy:

When a customer wants all of their account's passwords changed, they will fax in a list of user IDs and new passwords.  Someone will pick up the fax (literally, someone.  Employee, contractor, temp) and put it in a bin.  From there an employee will pick it up and change the passwords.  They will then make a copy of the list and put one copy in the account file (that almost anyone could grab) and the other copy in the "password changes file."  Again, most anyone could grab that file.  No logging, no direct responsibility.  Oh, and users were not forced to change their password upon logging in.  People met for two months to create that policy/procedure and didn't invite InfoSec to a single meeting.  We found out the day before implementation when one of the clods called us to get help with some InfoSec wording.  We were like "You're doing what?  That's funny, what do you really want?  Wait, you're serious?  No, hell no, you can't do that."

That was 10 years ago, thankfully things are a lot better from a security perspective.

I no longer am a member of InfoSec but suffer through their "implementation of a new product/client/monitoring app without any operational responsibility" from the current guys.
 
2014-02-04 12:40:59 PM

1derful: vpb: We should contract web security out to Target because private industry is so much better.

Herr Goebbels omits the fact that there is no federal mandate to shop at Target.


1derfulNazi omits the fact that it is a private contractor building the ACA website.
 
2014-02-04 12:41:51 PM
Take the bogus zombie alert, which was carried by television stations in Michigan, Montana and New Mexico. It highlighted flaws in the oversight of the Emergency Alert System, which is mandated by the Federal Communications Commission and managed by the Federal Emergency Management Agency.

Hackers discovered that some television stations had connected their alert-system equipment to the Internet without installing a firewall or changing the default password, as the company's guide instructed, said Ed Czarnecki, an official with Monroe Electronics, which manufactured the equipment that was breached. He said those mistakes in elementary network security might have been prevented with more instruction from the government.
"Neither the FCC nor FEMA had issued clear guidelines on how to secure this gear," Czarnecki said.


So a private company is trying to shift the blame for security problems with the installation of their hardware (by other private companies), on the government NOT TELLING THEM WHAT TO DO?

And this is in a report by Congressional Republicans? Would they have rather had additional government regulations on how each company was supposed to secure their network? Then we'd be hearing about the unjust cost burden on small, family owned television stations that can't afford the firewalls!
 
2014-02-04 12:42:05 PM

YixilTesiphon: mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.

I think that's his point, not so much that Obama or Democrats can't be trusted as that the government should have limited powers because it cannot be trusted regardless of who's in charge.


NO, the gov't is here to help! Never, ever say anything bad about them...they listen to all the things.
 
2014-02-04 12:42:11 PM
as a rule, sycophants are not good engineers...

/  not good at anything really...  except for kissing up and kicking down
 
Displayed 50 of 184 comments
