(Washington Post) Federal agencies including DHS have so utterly failed at network security that their networks get compromised because of uninstalled firewalls and default passwords that never get changed. That Obamacare website is safe, though, you can trust them (washingtonpost.com)
More: Fail, DHS, default password, Senate, Senate Homeland Security, security patches, governmental affairs committee, federal system, anti-virus software

4009 clicks; posted to Main on 04 Feb 2014 at 11:56 AM



vpb [TotalFark]
2014-02-04 10:36:33 AM
We should contract web security out to Target because private industry is so much better.
 
2014-02-04 10:47:29 AM

vpb: We should contract web security out to Target because private industry is so much better.


Who do you think DHS has been using?
 
2014-02-04 11:10:42 AM
Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.
 
2014-02-04 11:58:20 AM
I was told the Post Office is running Obamacare.
 
2014-02-04 11:59:02 AM
It's everything we've come to expect from YEARS of government oversight.  ;)
 
2014-02-04 11:59:09 AM
admin
admin

*click*


Welcome Dr. Falken

[ilk.uvt.nl image 591x327]
 
2014-02-04 12:03:54 PM
You mean you have to connect the firewall??  Well that changes everything.
 
2014-02-04 12:04:44 PM
IMO, the feds are doing better than states. I haven't changed my network password in years, and it isn't a strong password. I'm sure there is a policy somewhere that "requires" me to change it quarterly, and use a stronger pw, but unless/until IT forces it, no one will comply.

When there is a problem at work, someone writes a new policy. Our workplace campus is now "smoke free" even though people smoke outside wherever they want. Smoke free policy; you can't argue with that. Just an example, but people here think that writing a policy actually influences behavior, without needing to enforce said policy.
 
2014-02-04 12:05:03 PM

vpb: We should contract web security out to Target because private industry is so much better.


You never have to enter a Target in your life if you don't want to. It's a little different than DHS.

I'm surprised that the story about part of Healthcare.gov being written in Belarus hasn't shown up yet.
 
2014-02-04 12:05:53 PM
Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.
 
2014-02-04 12:06:09 PM

Anayalator: admin
admin

*click*


Welcome Dr. Falken

[ilk.uvt.nl image 591x327]



A system installed at my job recently had the default PW as Joshua

/csb
 
2014-02-04 12:06:16 PM
Well then, maybe; just MAYBE we should put more money and effort into protecting our cyber security than say:

1 - Building Tanks the Army doesn't need.

2 - Cargo planes the Air Force doesn't need.

3 - 10+ billion dollars a pop on new Aircraft Carriers.

4 - "Super; next-gen" jet-fighters that have yet to live up to their promise. (400 billion and counting)
 
2014-02-04 12:06:20 PM

Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.


Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.
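
The gap described in the comment above (rotation with no comparison against the previous password) can be closed at change time, when the user has just typed the current password. This is an added Python example, not code from the thread or from the app mentioned; the helper names, the substitution map, the PBKDF2 iteration count and the distance threshold are all assumptions.

```python
import hashlib
import hmac
import os
import re

# Common character substitutions folded back to letters (assumed, not exhaustive).
LEET = str.maketrans("01345@$", "oieasas")
PBKDF2_ITERATIONS = 100_000  # demo value; tune for production hardware


def skeleton(password):
    """Reduce a password to its base word: drop leading/trailing digits and
    symbols, lowercase, and undo simple letter substitutions."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    if not core:  # no letters at all: nothing to reduce
        return password
    return core.lower().translate(LEET)


def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password):
    """Build a (salt, digest) history entry; only hashes are ever stored."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def check_password_change(current, new, history, min_distance=4):
    """Vet a new password against the current one and the stored history.

    `current` is the plaintext the user supplied on the change form, so
    similarity can be checked without storing anything reversible.
    `history` is a list of (salt, digest) records of older passwords, which
    can only be checked for exact reuse.
    Returns (accepted, reason).
    """
    if skeleton(new) == skeleton(current):
        return False, "same base word as current password"
    if edit_distance(new.lower(), current.lower()) < min_distance:
        return False, "too close to current password"
    for salt, digest in history:
        if hmac.compare_digest(hash_password(new, salt), digest):
            return False, "matches a previously used password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: one older password in the history.
    history = [make_record("Winter2013#")]
    for candidate in ("2Passw0rd@", "1Passw0rd!x", "Winter2013#",
                      "correct horse battery staple"):
        print(candidate, "->", check_password_change("1Passw0rd!", candidate, history))
```
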
 
2014-02-04 12:07:57 PM
Why does this not surprise me?  Thank God I have private insurance.

It seems "they're" doing everything within their power to downgrade the quality of life for the average Joe.

/USA!  USA! USA!
 
2014-02-04 12:11:25 PM
[imgs.xkcd.com image]

/oblig
 
2014-02-04 12:11:42 PM
Or, they could follow the goddamn FIPS requirements and have admins that CAN actually be arsed to do their jobs...
 
2014-02-04 12:12:38 PM

Malacon: A system installed at my job recently had the default PW as Joshua

/csb


I sure hope the hell they changed it...
 
2014-02-04 12:14:33 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.
 
2014-02-04 12:14:48 PM
Less of an argument against ACA and more of one for ACTUAL TECHIES RUNNING THINGS.

Best practices don't exist just so that you can say you read them. You've gotta actually press all them little buttons, and in the right order, and make sure the results is/acts as it should, and monitor it, and keep ahead of the major threat vectors.

Governmenting's hard, yo.
 
2014-02-04 12:16:33 PM
Meanwhile, your doctor's office and local pharmacy are totally secure.
 
2014-02-04 12:17:31 PM

mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.


I think that's his point, not so much that Obama or Democrats can't be trusted as that the government should have limited powers because it cannot be trusted regardless of who's in charge.
 
2014-02-04 12:18:15 PM

Malacon: Anayalator: admin
admin

*click*


Welcome Dr. Falken

[ilk.uvt.nl image 591x327]


A system installed at my job recently had the default PW as Joshua

/csb


The admin of the campus when I was in college claimed "Joshua" was always in the top ten of passwords. This was the mid-late 90's so this was the generation that grew up with Wargames.
 
2014-02-04 12:19:04 PM

redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.


Sounds similar to mine for work.  But I do work with very secure customer data sometimes.  I've considered getting one of those online password safe thingies, but I'm sure that's not allowed for work passwords.
 
2014-02-04 12:19:49 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Just FYI, most of the "security" problems on government computers are due to lack of funding of IT departments.  No one wants to pay for IT until there's a problem.  When you have one or two people trying to manage 500 computers, there are bound to be times when they miss a few things.  So if you want IT security to improve, tell congress to get off of their duffs and increase funding for IT and security efforts.

Of course congress won't increase funding for anything because it will just go to waste in their opinion.  So you get situations like these where agencies have been cutting corners for years to ensure that their core functions are running while the fringe functions (system administration, hardware and software upgrades, etc) get ignored.
 
2014-02-04 12:20:09 PM

jntaylor63: Well then, maybe; just MAYBE we should put more money and effort into protecting our cyber security than say:

1 - Building Tanks the Army doesn't need.

2 - Cargo planes the Air Force doesn't need.

3 - 10+ billion dollars a pop on new Aircraft Carriers.

4 - "Super; next-gen" jet-fighters that have yet to live up to their promise. (400 billion and counting)


so very much this
 
2014-02-04 12:21:27 PM

mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.


I was contracting to DoD during the Y2K certification.  They were running out of time to certify the missile systems.  Solution?  Waive the certification requirements.  That made me feel all warm and comfy and secure.

Good thing Obama uses a complex password for his time machine.
 
ecl
2014-02-04 12:21:30 PM
So DHS security is lax or not even in place and the Republicans are worried about the healthcare website?  Derangement,
 
2014-02-04 12:22:17 PM
My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.
 
2014-02-04 12:24:28 PM

the_celt: My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.


Not that it's an excuse, but because we work in IT we have to remember a ton of passwords.  But yes, even still you'd think he'd know better.
 
2014-02-04 12:27:15 PM
Remember .. you voted this assembly of asshats
 
2014-02-04 12:27:47 PM
FTA: "A common password on federal systems, the report found, is "password.""

[www.hotflick.net image]

You better think again.

/love, sex, secret and god

Also:

[4.bp.blogspot.com image]

/yes, please
//everything about this is hot
///well, except for Fisher Stevens
 
2014-02-04 12:28:15 PM

vpb: We should contract web security out to Target because private industry is so much better.


Herr Goebbels omits the fact that there is no federal mandate to shop at Target.
 
2014-02-04 12:28:35 PM
Is the politics tab full, and we're having to shunt the excess dreck to the Main Page?
 
2014-02-04 12:28:39 PM

degenerate-afro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

Just FYI, most of the "security" problems on government computers are due to lack of funding of IT departments.  No one wants to pay for IT until there's a problem.  When you have one or two people trying to manage 500 computers, there are bound to be times when they miss a few things.  So if you want IT security to improve, tell congress to get off of their duffs and increase funding for IT and security efforts.

Of course congress won't increase funding for anything because it will just go to waste in their opinion.  So you get situations like these where agencies have been cutting corners for years to ensure that their core functions are running while the fringe functions (system administration, hardware and software upgrades, etc) get ignored.


Funding isn't our problem. It's that IT/management don't actually "require" people to do anything. More funding won't solve the lack of accountability that is rampant in govt.
 
2014-02-04 12:28:42 PM

YixilTesiphon: mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.

I think that's his point, not so much that Obama or Democrats can't be trusted as that the government should have limited powers because it cannot be trusted regardless of who's in charge.


This happens when you have a large bureaucracy, even in private companies. The people who actually know something about security and make suggestions to improve it are at the bottom of the hill, and the people at the top, or as it is in most cases, people who think they are at the top and are important, don't like to be bothered by security and think it is a burden, so many procedures don't get initiated or are ignored because people complain about them.
 
2014-02-04 12:29:59 PM
csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.
 
2014-02-04 12:31:09 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


We are in our secret bunker underneath Soros World Domination HQ reading your posts, rolling our eyes and making rude noises.
 
2014-02-04 12:32:17 PM
What about 12345? That's the combination I use on my luggage.
 
2014-02-04 12:35:00 PM
Would you like some freedom fries with that?

The Belarusian Connection

U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised.
 
2014-02-04 12:35:03 PM
In other words, they're up to par with the public sector.
 
2014-02-04 12:36:26 PM

Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.


First off, writing down your password isn't necessarily bad. Depends on what risk you're trying to mitigate. Logging into your workstation? Yeah, don't write that down on your desk because that defeats the purpose of identifying you as the person on your workstation. Logging into your tax data? Why not have it written down? You have your damn tax data written down, but the way to access that same data online can't be in the same place? That's stupid.

Back when I worked tech support I had this laughable old man call in complaining about password complexity requirements. He kept saying "What next, you're going to require that the third character be a number?" and I would just say "No, that would decrease the randomness of the password." Basically just a rambling old fool whose childish understanding of password security served to illustrate how out of touch with reality he was. Husks of men still pretending to be capable of existing in modern society were funny calls.

Frankly I would do away with all password requirements, even for banks. Say "fine, you can use any password you want, with any characters you want, up to the size that can be hashed efficiently in our system, 128 characters or so." I would also combine that with "if your account gets broken into because your password is pathetic, we don't care. Your fault, your problem, try and be more responsible in the future, stupid." Zero liability for website users screwing up.

Now time for the actual solution: password keepers are awesome. I just have to remember one random string of characters. All my passwords are whatever the max complexity allowed for the site is, and they are different for every site. Need to change? No problem, generate a new one, save, done. I haven't the slightest idea what any of my passwords are except the master.
 
2014-02-04 12:36:26 PM

stewbert: Funding isn't our problem. It's that IT/management don't actually "require" people to do anything. More funding won't solve the lack of accountability that is rampant in govt.


You do realize that enforcement requires manpower.  Manpower requires funding.  If you don't have funding, you don't have the people.  Again, one of the first places where the government cuts corners is with IT funding.  They don't fund for enforcement.  It's easier and cheaper to get someone to write documentation than to get someone who knows how to implement a solution.  Automated solutions either cost development time or money to buy a third party solution.  Most third party solutions for enforcement require yearly funding for operation and also training on how to use it.

If you don't have the people, don't want to pay for the training, don't want to pay for the development for an alternate solution, things aren't going to get done.
 
2014-02-04 12:36:45 PM

Wodan11: csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.


The whole secret question/answer thing should be scrapped because of the rise of social media.
 
2014-02-04 12:36:48 PM

xanadian: Or, they could follow the goddamn FIPS requirements and have admins that CAN actually be arsed to do their jobs...


Phipps?

[memoryglands.com image]

/hot like the chips aren't
 
2014-02-04 12:38:55 PM
taxandspend:
That's basically what it says at the bottom of the article: "Still, Washington has been slow to act. A 2000 law to improve government cybersecurity did not mandate consequences for agency lapses. In recent years, numerous bills calling for better computer and network security have languished in Congress. The White House, meanwhile, is pushing to give the Department of Homeland Security more authority to enforce cybersecurity rules across government."

I do like the guy who has to preface that he is a taxpayer as if his outrage over security lapses would be unjustified if he wasn't.


That is the main problem.  Originally, there was the threat that if an agency didn't pass an IT security audit, its budget would be impacted.  Large agencies like DHS, FBI, IRS, etc. called that bluff - a media piece about how DHS can't protect you against terrorists because some IT weenie didn't like their password policy was all that would be needed.  And no, the current admin will not make significant changes in that mentality unless it means dealing with insider threats.  That will be addressed.
 
2014-02-04 12:39:50 PM
As someone who was InfoSec for years, in a corporation that made the news for a breach a while back, I can tell you this:  Nobody gives a shiat about system security.

It's difficult, a pain in the neck, inconvenient, and often not built in to projects from the start as it should be.  You can work your ass off to lock things down but all it takes is a whiny ass developer combined with a clueless manager and they tell their VP "Security is keeping us from doing our jobs."  Then there's a VP fight and it always trickles down to "give them access, the big boss is wondering what the problem is."

Then you get a breach.  An "in the news" breach where published stories full of "facts" are rarely even remotely accurate and EVERYBODY JUMPS ON THE SECURITY BANDWAGON.  The same clueless people start implementing utterly worthless security policies and procedures for a few months then go back to their usual ways.

Example of a worthless new security policy:

When a customer wants all of their account's passwords changed, they will fax in a list of user IDs and new passwords.  Someone will pick up the fax (literally, someone.  Employee, contractor, temp) and put it in a bin.  From there an employee will pick it up and change the passwords.  They will then make a copy of the list and put one copy in the account file (that almost anyone could grab) and the other copy in the "password changes file."  Again, most anyone could grab that file.  No logging, no direct responsibility.  Oh, and users were not forced to change their password upon logging in.  People met for two months to create that policy/procedure and didn't invite InfoSec to a single meeting.  We found out the day before implementation when one of the clods called us to get help with some InfoSec wording.  We were like "You're doing what?  That's funny, what do you really want?  Wait, you're serious?  No, hell no, you can't do that."

That was 10 years ago, thankfully things are a lot better from a security perspective.

I no longer am a member of InfoSec but suffer through their "implementation of a new product/client/monitoring app without any operational responsibility" from the current guys.
 
2014-02-04 12:40:59 PM

1derful: vpb: We should contract web security out to Target because private industry is so much better.

Herr Goebbels omits the fact that there is no federal mandate to shop at Target.


1derfulNazi omits the fact that it is a private contractor building the ACA website.
 
2014-02-04 12:41:51 PM
Take the bogus zombie alert, which was carried by television stations in Michigan, Montana and New Mexico. It highlighted flaws in the oversight of the Emergency Alert System, which is mandated by the Federal Communications Commission and managed by the Federal Emergency Management Agency.

Hackers discovered that some television stations had connected their alert-system equipment to the Internet without installing a firewall or changing the default password, as the company's guide instructed, said Ed Czarnecki, an official with Monroe Electronics, which manufactured the equipment that was breached. He said those mistakes in elementary network security might have been prevented with more instruction from the government.
"Neither the FCC nor FEMA had issued clear guidelines on how to secure this gear," Czarnecki said.


So a private company is trying to shift the blame for security problems with the installation of their hardware (by other private companies), on the government NOT TELLING THEM WHAT TO DO?

And this is in a report by Congressional Republicans? Would they have rather had additional government regulations on how each company was supposed to secure their network? Then we'd be hearing about the unjust cost burden on small, family owned television stations that can't afford the firewalls!
 
2014-02-04 12:42:05 PM

YixilTesiphon: mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.

I think that's his point, not so much that Obama or Democrats can't be trusted as that the government should have limited powers because it cannot be trusted regardless of who's in charge.


NO, the gov't is here to help! Never, ever say anything bad about them...they listen to all the things.
 
2014-02-04 12:42:11 PM
as a rule, sycophants are not good engineers...

/  not good at anything really...  except for kissing up and kicking down
 
2014-02-04 12:44:13 PM
Didn't RTFA but I see some sort of lib/con angle so fark whatever the story is and:

a) ha ha! stupid obama!
b) oh yeah? snarky snark snark neocon idiots!
 
2014-02-04 12:44:37 PM
ongbok:
This happens when you have a large bureaucracy, even in private companies. The people who actually know something about security and make suggestions to improve it are at the bottom of the hill, and the people at the top, or as it is in most cases, people who think they are at the top and are important, don't like to be bothered by security and think it is a burden, so many procedures don't get initiated or are ignored because people complain about them.

This so very much. Where I work, it's nearly impossible to patch servers or do any preventive maintenance because the do nothings have created a half dozen committees that need to have their say in any change. Inevitably someone will halt the work because someone, somewhere might be affected.
Eventually, you just give up and watch it all burn. Keeping the stack of emails showing all the times work has been denied of course.
 
2014-02-04 12:45:14 PM

Cold_Sassy: Why does this not surprise me?  Thank God I have private insurance.



Governments let your info slip for free, private companies sell it to the highest bidder.

poo-tay-toe, po-tat-oh
 
2014-02-04 12:46:41 PM

Witty_Retort: 1derful: vpb: We should contract web security out to Target because private industry is so much better.

Herr Goebbels omits the fact that there is no federal mandate to shop at Target.

1derfulNazi omits the fact that it is a private contractor building the ACA website.


Right, and there is a federal mandate to use that, which is the difference.
 
2014-02-04 12:46:55 PM

redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.


Correct Horse Battery Staple
 
2014-02-04 12:46:55 PM

Glendale: Wodan11: csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.

The whole secret question/answer thing should be scrapped because of the rise of social media.


Seriously, that sort of thing is one of the easiest attack vectors. When I was taking a computer security course in college, one of the first things the professor told us was to avoid using these if at all possible; he would literally type gibberish in for the answers if he was required to use them. Sure, he can't recover his password if he forgets it, but no one else can recover it either, and that's the far more important consideration.
 
2014-02-04 12:47:40 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Yep, and people who can't spell criticizing and call the President a "messiah" are just so much better than everyone else that they don't need to hide their awesome powers of intellect from the interwebs!
 
2014-02-04 12:49:43 PM

YixilTesiphon: Witty_Retort: 1derful: vpb: We should contract web security out to Target because private industry is so much better.

Herr Goebbels omits the fact that there is no federal mandate to shop at Target.

1derfulNazi omits the fact that it is a private contractor building the ACA website.

Right, and there is a federal mandate to use that, which is the difference.


You always have the option of just paying the fine.

Which is better than the alternative you have to not going to the hospital when you're sick, and I  guarantee there are a ton of major hospitals with similarly lax IT security.
 
2014-02-04 12:51:50 PM

Devil's Playground: redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.

Correct Horse Battery Staple


Honestly you don't even need to follow the xkcd example. Just think of a random sentence. I used to use long movie titles. I'm sure there are rainbow tables out there that might take those into account, but the odds of them being used against one of my passwords is probably less than someone breaking into my house to steal the data off my computer.
 
2014-02-04 12:52:22 PM

stewbert: IMO, the feds are doing better than states. I haven't changed my network password in years, and it isn't a strong password. I'm sure there is a policy somewhere that "requires" me to change it quarterly, and use a stronger pw, but unless/until IT forces it, no one will comply.


Forcing people to change their passwords every 90 days makes security worse because it encourages bad password habits.
 
2014-02-04 12:54:09 PM
"DHS has taken significant measures to improve and strengthen our capabilities to address the cyber risks associated with our critical information networks and systems," S.Y. Lee, a department spokesman, said in an e-mailed statement.

This statement has no substance, why did he even bother replying to the reporter's email if he was just going to say "nope, fixed it!"

/accountability?
 
2014-02-04 12:55:53 PM
What does "DHS" stand for again? I forget.
 
2014-02-04 12:57:19 PM

Mithiwithi: You always have the option of just paying the fine.


And if I don't pay the fine?
 
2014-02-04 01:00:11 PM
Do I have to remind everyone again?  Prime Directive:  Do NOT respond to anyone who refers to Obama as the "messiah" of the left.

0/10
lazy troll
 
2014-02-04 01:01:00 PM

Glendale: What about 12345? That's the combination I use on my luggage.


Only a fool would use a password like that!  That and "password" or "guest" or...
 
2014-02-04 01:02:20 PM
my password was a randomly created password given to me with my first college email account.  i just never changed it from the random gibberish.

now, it has taken on special characters and caps and a few variables (characters I switch out).  i use code words to identify which iteration of the password to use.

but, i still can't ever remember my farking user name.
 
2014-02-04 01:02:31 PM
degenerate-afro: Of course congress won't increase funding for anything because it will just go to waste in their opinion.  0bama.

FTFY
 
2014-02-04 01:02:40 PM

Devil's Playground: redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.

Correct Horse Battery Staple


Yeah, and then some policy-driven noob will want complex characters and it turns into C0rr3ct!h0R53*&B$TT3r7?5TaPl3@ and then the end user will use P@ssword1 because it meets the minimum policy requirements.
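The rotation pattern these comments describe (1Passw0rd! becoming 2Passw0rd@, and P@ssword1 meeting the minimum policy), as an added example that is not part of the original thread: a complexity-only check accepts every step of the rotation and rejects a long passphrase, while a check that compares the new password with the one being replaced and undoes common substitutions does the opposite. The function names, thresholds, word list and sample passwords are all constructed for illustration.

```python
"""Added example: complexity-only password rules vs. a rotation-aware check."""
import re

# Constructed sample data (not taken from any real system).
ROTATION = ["1Passw0rd!", "2Passw0rd@", "3Passw0rd#"]
PASSPHRASE = "violet kettle orbits saturn"
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Common character substitutions, undone before the word check.
DELEET = str.maketrans("01345@$!7", "oieasasit")

TOO_SHORT = "too short"
COMMON = "contains a common word"
SIMILAR = "too similar to previous password"


def meets_complexity(pw, min_len=8):
    """Complexity-only policy: upper, lower, digit, special, minimum length."""
    patterns = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(p, pw) for p in patterns)


def contains_common_word(pw, words=COMMON_WORDS):
    """True if a denylisted word appears once substitutions are undone."""
    plain = pw.lower().translate(DELEET)
    return any(w in plain for w in words)


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def changed_fraction(old, new):
    """Share of the longer password that actually changed (case-insensitive)."""
    longest = max(len(old), len(new), 1)
    return edit_distance(old.lower(), new.lower()) / longest


def check_change(old, new, min_len=12, min_changed=0.5):
    """Return the reasons a password change is rejected (empty list = accepted).

    Assumption: this runs at change time, when the user has just typed the
    current password, so the comparison needs no stored plaintext history.
    """
    reasons = []
    if len(new) < min_len:
        reasons.append(TOO_SHORT)
    if contains_common_word(new):
        reasons.append(COMMON)
    if changed_fraction(old, new) < min_changed:
        reasons.append(SIMILAR)
    return reasons


if __name__ == "__main__":
    for old, new in zip(ROTATION, ROTATION[1:]):
        print(f"{old} -> {new}: complexity ok={meets_complexity(new)}, "
              f"rejected for {check_change(old, new)}")
    print(f"passphrase: complexity ok={meets_complexity(PASSPHRASE)}, "
          f"rejected for {check_change(ROTATION[-1], PASSPHRASE)}")
```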
 
2014-02-04 01:02:46 PM

YixilTesiphon: Mithiwithi: You always have the option of just paying the fine.

And if I don't pay the fine?


Nothing really.

However, the IRS is limited in the ways it can collect the fine. The Affordable Care Act stipulates that taxpayers are not subject to criminal prosecution or penalty for refusing to pay. The IRS cannot place a lien on property, either, as it can when collecting back taxes.

The only way the IRS can collect the mandate fine is by taking it out of withholding or deducting it from tax refunds of those who receive one.
The IRS has no way to collect the fine from people who do not participate in withholding - however, making it more likely they will receive a return.
 
2014-02-04 01:04:29 PM

YixilTesiphon: Mithiwithi: You always have the option of just paying the fine.

And if I don't pay the fine?


It's not like you'll have a choice - it's a "tax penalty", applied by the IRS when you file your taxes. You can either skip filing your taxes or try to take the IRS to court over it, but it's not like you can say, "well, I'm just not paying it."
 
gja [TotalFark]
2014-02-04 01:04:29 PM

Anayalator: admin
admin

*click*


Welcome Dr. Falken

[ilk.uvt.nl image 591x327]


Now I'm hungry.
 
2014-02-04 01:06:39 PM

the_celt: My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.


Maybe he doesn't care.  If you aren't file sharing or have computers on all the time then who cares?  My home internet is used for Netflix, Xbox, and basic internet every few days on the laptop.  If you aren't file sharing I don't see much of a reason to care since most people aren't doing sophisticated attacks to steal your CC info they just want free internet.
 
2014-02-04 01:10:38 PM

tricycleracer: YixilTesiphon: Mithiwithi: You always have the option of just paying the fine.

And if I don't pay the fine?

Nothing really.

However, the IRS is limited in the ways it can collect the fine. The Affordable Care Act stipulates that taxpayers are not subject to criminal prosecution or penalty for refusing to pay. The IRS cannot place a lien on property, either, as it can when collecting back taxes.

The only way the IRS can collect the mandate fine is by taking it out of withholding or deducting it from tax refunds of those who receive one. The IRS has no way to collect the fine from people who do not participate in withholding - however, making it more likely they will receive a return.


In other words, if you participate in withholding, or if you expect a refund, ever, from the IRS, you'll automatically pay that fine and there's nothing you can do about it. The only way to "refuse to pay" is to:
- file your taxes, but not participate in withholding;
- file your taxes, but be poor enough to not get anything back, or;
- not file your taxes, and hope that they don't catch you.

The IRS doesn't need to chase you down - they're patient, and they keep records. The penalties are cumulative, and the penalty for 2014 is a slap on the hand compared to the penalty for 2016, so, sure, feel free to try and stick it to The Man for three years. It'll be a hoot.
 
gja [TotalFark]
2014-02-04 01:13:41 PM

beakgeek: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

Yep, and people who can't spell criticizing and call the President a "messiah" are just so much better than everyone else that they don't need to hide their awesome powers of intellect from the interwebs!


Hey Mr. Grammar/spelling nazi, not everyone lives here in the USA. In the UK that spelling is completely valid.
 
2014-02-04 01:15:02 PM
Everyone knows that private industry never has security problems.
 
2014-02-04 01:15:03 PM

FormlessOne: The IRS doesn't need to chase you down - they're patient, and they keep records. The penalties are cumulative, and the penalty for 2014 is a slap on the hand compared to the penalty for 2016, so, sure, feel free to try and stick it to The Man for three years. It'll be a hoot.


I think the IRS likes to wait as long as possible to make sure you've dug a sufficiently deep hole with no hope of escape.
 
2014-02-04 01:16:24 PM
Obamacare website doesn't really have any special information it needs to keep secure.
 
2014-02-04 01:17:51 PM

Mithiwithi: YixilTesiphon: Witty_Retort: 1derful: vpb: We should contract web security out to Target because private industry is so much better.

Herr Goebbels omits the fact that there is no federal mandate to shop at Target.

1derfulNazi omits the fact that it is a private contractor building the ACA website.

Right, and there is a federal mandate to use that, which is the difference.

You always have the option of just paying the fine.

Which is better than the alternative you have to not going to the hospital when you're sick, and I  guarantee there are a ton of major hospitals with similarly lax IT security.


Not here!  oh wait.

That having been said:  management drives the security posture of an organization, not IT.  Management proposes, and IT disposes.  I can tell my bosses all the wonderful things we can be doing to secure data/systems/people, and if they don't want to do it, guess what.

Fortunately, the management here has listened to MOST of my suggestions.  At some point, though, you have to accept certain risks to maintain a level of availability your clients/customers/etc are used to.

/my biggest pet peeve?  Security perimeters.  The door to the admin wing is wide open so people can just march in.  Will it cause problems?  Probably not.  Hence, it's a risk that's accepted.
//I also wouldn't mind an independent audit, tbh...
 
2014-02-04 01:19:39 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Right, and of course government only ceased to do anything right after your team was out of power.

BOOOOOOORRRRRIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIINNNNGGG.
 
2014-02-04 01:19:47 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


We don't hide, we also criticize the administration.  In those threads, we get incorrectly called "Republican" and/or "Conservative."

You're shiatting on the wrong people.  Biatch about the Democrats, not the liberals.  Liberals have plenty of beefs with this Administration.
 
2014-02-04 01:20:50 PM
Surprised that no one's pointed out that by design, HealthCare.gov doesn't store much PII beyond the minimum to set up an account. All the really sensitive stuff is stored locally on the machine and then sent directly to the insurance company.

Sure, if the machine was completely compromised, you could intercept traffic going forward. However, there isn't some central database of everyone's SSN, income, birthdates, etc for a hacker to steal or incompetent admin to leave on an unsecured thumb drive.
 
2014-02-04 01:24:08 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


You need to highlight people who you think are Fark Libs in a certain color, this way, you'd see that they are indeed here, and you would have avoided making a stupid comment.
 
2014-02-04 01:24:11 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Maybe those same liberals are agreeing with the article, but you can't believe that's possible, so you assume we're keeping silent. Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.
 
2014-02-04 01:25:23 PM

vpb: We should contract web security out to Target because private industry is so much better.


sadly, it still is.  By a lot.
 
2014-02-04 01:26:42 PM
Take it from someone on the inside, this is what happens when you slash IT budgets (along with most others) and go lowest bidder on IT support contracts.  You get what you pay for.  Politicians will respond with more of...."We'll keep slashing your budget until you improve!"
 
2014-02-04 01:27:28 PM

vpb: We should contract web security out to Target because private industry is so much better.


WOW. FIRST MOTHER FARKING EVER LOVING POST! (Am I gonna gets a boobies for that?) My first thought at the headline was which NSA-Stazi apologist is gonna tell us privacy/data security/govt accountability/ corp accountability/ human decency/judicial oversight/the 4th amendment / a modicum of govt transparency/myopia for the horrific outcome of every similar program of the past etc etc etc are all passé BULLSHIAT because REASONS.

AND IT WAS DONE IN FARKING ONE!!! Congrats shiatizen. You are a credit to the cowardice we are being conditioned to accept as the new norm.
 
2014-02-04 01:27:52 PM

a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.


So all liberals see the world in shades of gray and all conservatives see it in black and white?
 
2014-02-04 01:29:34 PM

andersoncouncil42: In other words, they're up to par with the public sector.


So we can sue DHS if there is a release of personally identifiable information?
 
2014-02-04 01:29:52 PM
They keep telling us privacy is dead I guess this is Anon's way of agreeing with them.

Anonymous Slovenia Claims FBI Hacked

The information, posted by user Black-Shadow of the Slovenian branch of the hacktivist group, purportedly contains FBI domain email addresses and passwords for 68 agents, although the user claims in his post that the collected log-in details are "not all ours".

The post also includes a short profile on FBI director James Brien Comey Jr, including sensitive information such as his date of birth, his wife's name, the date they got married, his educational history and even the geographical coordinates of his residence.

Anonymous Slovenia posted the Pastebin link on its Facebook Page, along with the comment "Laughing at your security".
 
2014-02-04 01:31:13 PM

Molavian: So all liberals see the world in shades of gray and all conservatives see it in shades of rape?


FIFM

50 shades of rape
 
2014-02-04 01:35:11 PM

a particular individual: liberals' love of nuance


Oh, wow. That's art, right there.
 
2014-02-04 01:38:13 PM
As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.
 
2014-02-04 01:39:02 PM
Your insurance company website is probably way better, so don't worry about them. Or the cable company. Or your bank. Or Apple. Or Microsoft. Or Amazon. Or Google.

None of them have ever been compromised. Ever.
 
gja [TotalFark]
2014-02-04 01:39:07 PM

lennavan: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

We don't hide, we also criticize the administration.  In those threads, we get incorrectly called "Republican" and/or "Conservative."

You're shiatting on the wrong people.  Biatch about the Democrats, not the liberals.  Liberals have plenty of beefs with this Administration.


I also eschew all the trappings and failings of identifying along party lines.
In my opinion if you choose to vote or agree to line up based on party affiliation you have already subjugated yourself and adopted a submissive and subservient posture. And that is just plain lame.

I would like to see all elections allow picking and choosing whomever you wish from whatever party and make it so that if they get elected and we end up with representatives from all over the party-line chart they have to serve together and learn to work together.

That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date.
 
2014-02-04 01:39:50 PM
My work passwords give the IT people problems. My home passwords are just as odd and here is why:
I have an old map of Wales that was printed before WWI. It has some very, very interesting spellings and some of the towns don't exist anymore. Spelling out some of the names to the IT people usually involves quite a bit more time than most seem to be willing to spend on such issues!
 
2014-02-04 01:42:09 PM
Computer, "Destruct sequence 1, code 1-1 A."
 
2014-02-04 01:43:54 PM

Shryke: a particular individual: liberals' love of nuance

Oh, wow. That's art, right there.


Yup, I thought this one was a little over the top.

And I'm a libby lib.
 
2014-02-04 01:44:39 PM

gja: That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date


Private entities hate it for those reasons also. This government/private sector debate is a strawman. IT security is hard, expensive, and mostly reactive. That last part is why it so often fails, the first two are why it's so poorly practiced.

It really comes down to how important is privacy and personal freedom, and until people are willing to have that debate, nothing will change.
 
2014-02-04 01:46:12 PM

swaxhog: ongbok:
This happens when you have a large bureaucracy, even in private companies. The people who actually know something about security and make suggestions to improve it are at the bottom of the hill, and the people at the top, or as it is in most cases, people who think they are at the top and are important, don't like to be bothered by security and think it is a burden, so many procedures don't get initiated or are ignored because people complain about them.

This so very much. Where I work, it's nearly impossible to patch servers or do any preventive maintenance because the do nothings have created a half dozen committees that need to have their say in any change. Inevitably someone will halt the work because someone, somewhere might be affected.
Eventually, you just give up and watch it all burn. Keeping the stack of emails showing all the times work has been denied of course.


Yup.

I used to work for a large hotel company that had all of its services worldwide centralized out of NYC.

Hotels are a little different, as they never close, and maintenance CAN inflict issues on operations, but trying to come up with a maintenance window that everyone could agree on was a disaster.  What truly made it a disaster was allowing each property's front office to have a say in it.

I finally went all authoritarian, and decided the schedule and told them that was it.

\csb
 
2014-02-04 01:46:22 PM
Good thing they have a firewall in case some lunatic fire bombs the building.
 
2014-02-04 01:48:45 PM

jntaylor63: Well then, maybe; just MAYBE we should put more money and effort into protecting our cyber security than say:

1 - Building Tanks the Army doesn't need.

2 - Cargo planes the Air Force doesn't need.

3 - 10+ billion dollars a pop on new Aircraft Carriers.

4 - "Super; next-gen" jet-fighters that have yet to live up to their promise. (400 billion and counting)


You should read this. Then you might rethink your "we don't need". It's never a need until you needed it and didn't have it. Do we need to cut back on some spending..yep..but I'd rather have defense stuff just in case than not have it.

http://www.dailymail.co.uk/news/article-1386978/The-Japanese-mayor-laughed-building-huge-sea-wall--village-left-untouched-tsunami.html
 
2014-02-04 01:49:09 PM

Molavian: a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.

So all liberals see the world in shades of gray and all conservatives see it in black and white?


Most liberals see the world in shades of gray and most conservatives see it in black and white.
 
2014-02-04 01:52:45 PM

Lost Thought 00: Obamacare website doesn't really have any special information it needs to keep secure.


I was wondering about this. What information does the ACA site actually have? I would think anything really sensitive could wait until you're talking to the insurance company.
 
2014-02-04 01:53:54 PM

gja: That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date.


I hate your politics, but your IT-philosophy chops are more than up to snuff.

Were we geographically close, I would offer to buy you a beer.
 
2014-02-04 01:55:25 PM

I AM THE GOAT: As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.


Password requirements are 12 characters, three of four ($ymbol, CAPITAL, lowercase, Number#).  Passwords change every 45~90 days.

Of course that's only enforced by systems that are using AD / LDAP.  If a system isn't on a domain (most linux systems) or aren't online, the password policy can't be enforced.
 
2014-02-04 01:56:12 PM

degenerate-afro: stewbert: Funding isn't our problem. It's that IT/management don't actually "require" people to do anything. More funding won't solve the lack of accountability that is rampant in govt.

You do realize that enforcement requires manpower.  Manpower requires funding.  If you don't have funding, you don't have the people.  Again, one of the first places where the government cuts corners is with IT funding.  They don't fund for enforcement.  It's easier and cheaper to get someone to write documentation than to get someone who knows how to implement a solution.  Automated solutions either cost development time or money to buy a third party solution.  Most third party solutions for enforcement require yearly funding for operation and also training on how to use it.

If you don't have the people, don't want to pay for the training, don't want to pay for the development for an alternate solution, things aren't going to get done.


Enforcement also requires intestinal fortitude. That was eliminated long before IT funding was cut around here. Money just isn't the root cause of the problems in my agency. Not sure about yours. Lack of accountability goes much farther than the IT department.
 
2014-02-04 01:56:33 PM
It's pretty wild that anyone's security is really that lax.

Pretty much every company I've ever worked for, of at least large size, had some pretty good security measures for their network.  The least of which are, complicated passwords, requirement to change every 3 months or so, and VPN for any connection outside the office.

It seems absurd that the gov't doesn't adhere to these simple things.
 
2014-02-04 01:58:07 PM

durbnpoisn: It seems absurd that the gov't doesn't adhere to these simple things.


In my time with the government, we adhered to all three of those.
 
2014-02-04 01:59:08 PM

Wodan11: csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.


That's why I always answer What color is your car with something like "Tr0uba4dor#m3"
 
2014-02-04 01:59:44 PM

gingerjet: stewbert: IMO, the feds are doing better than states. I haven't changed my network password in years, and it isn't a strong password. I'm sure there is a policy somewhere that "requires" me to change it quarterly, and use a stronger pw, but unless/until IT forces it, no one will comply.

Forcing people to change their passwords every 90 days makes security worse because it encourages bad password habits.


Ok, honest question: Is that worse than me keeping the same pw for 5 years?
 
2014-02-04 01:59:57 PM

verbaltoxin: This government/private sector debate is a strawman. IT security is hard, expensive, and mostly reactive. That last part is why it so often fails, the first two are why it's so poorly practiced.


You know who IS pretty good at it? The DoD.

Granted, some of their older legacy systems are mainframes and some other software was designed for IE6, but as far as policy goes (and my experience working on a DoD project involving health records run by people who knew IT. My former-Navy former boss chewed out a full-bird Colonel for trying to fark up her carefully-laid plans), they're largely on top of things.

// TBF, they've been securing computer systems since before "rap" was a thing, so they damn well better be excellent at it
 
2014-02-04 02:01:36 PM

andersoncouncil42: In other words, they're up to par with the public sector.


This, so farking much this.

This isn't a government problem, it's system wide.  Some organizations pay to have a decent sysadmin, most do not. The corruption, nepotism and general incompetence that the government is prone to, is no worse than what you find in any large company.
 
2014-02-04 02:02:44 PM

Molavian: a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.

So all liberals see the world in shades of gray and all conservatives see it in black and white?


Maybe.
 
2014-02-04 02:03:28 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


I'll bite. 1. If you use the word 'messiah' to describe the perception of Obama by anything more than maybe .^A% of his supporters, you are deluded beyond belief and should seek professional psychological help ASAP.
2. There's pretty rampant pissed off-ness on a lot of things under O that his biggest supporters are open about: drone policy, gitmo, NSA BS, lack of curb stomping bankers, continued lobbyist crap, wtf ACA website. BUT the perpetual conservavictim crowd ignores the real shiat and derps out on Benghazi!, arugula!, golf!, Bo!, birf certificate!, secret muslim socialist atheist!, shock that Air Force one costs money!, flag pins!, not saluting right!. And, of course "our number one priority is to make him a one term president". Ie. fark jobs and the people we represent! Petty political bs is job 1!!!!!

You jack holes squandered every ounce of legit political capital you had over, what I can only explain as mostly racist and at best hysterical garbage.

So fark your messiah BULLSHIAT. You've made fools of yourselves, damaged the nation, and squandered every opportunity to make things better. He's not our messiah. He's your antichrist. And you've acted the ass for that decision. Don't deflect it on to us.
 
2014-02-04 02:04:32 PM

thurstonxhowell: durbnpoisn: It seems absurd that the gov't doesn't adhere to these simple things.

In my time with the government, we adhered to all three of those.


Upon further thought, there is no indication that adhering to those three rules would have stopped any of the events mentioned in the article.
 
2014-02-04 02:04:48 PM

kalvyn: [imgs.xkcd.com image 740x601]

/oblig


I actually use a printed version of this comic to explain to customers of mine about passwords and what is good and what isn't.  I also don't have "must include numerals and punctuation and at least one capital letter" restrictions on the passwords they can use on our systems.

I do encourage them to make up something complicated, but easy to remember.  Quotations from favorite book passages are popular these days.
 
2014-02-04 02:07:24 PM

The underlying problem, said Coburn and several outside experts, is the failure of federal agencies to hire top-notch information technology workers, pay them enough and give them enough clout to enforce routine security practices.

"It's a low-status, often low-paid, high-stress position because people only notice systems administrators when something breaks," said Steven Bellovin, a Columbia University computer science professor and former Federal Trade Commission technologist. "It becomes a very easy position to neglect."


As someone who has worked as a DoD contractor before, I would agree with this. The government contractor model for hiring IT staff creates a race to the bottom. Companies win contracts by underbidding their competitor. This puts pressure on these companies to lower their payroll expenses to protect their profit margin.

On the contract I worked on, good employees would come on to the project, and work for a while until something better opened up or they got sick of the B.S. office politics. The pay was under market for some, about right for some and outrageously high for others. But, ultimately, either because of pay or work environment, the good workers would leave and the shiatty would stick around. It's no surprise when the quality of work goes to shiat in this setup.

The govt contractor system is a huge waste of money. The workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. The Gov't actually pays the contracting company well above market rate for each position they hire. The company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.
 
2014-02-04 02:09:57 PM

manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.


Gotta keep the number of government employees low. Sure, it may cost $100,000 to hire a guy who costs his contracting agency $70,000, but that's one less government employee you need. Fewer government employees = more freedom.
 
gja [TotalFark]
2014-02-04 02:10:27 PM

verbaltoxin: gja: That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date

Private entities hate it for those reasons also. This government/private sector debate is a strawman. IT security is hard, expensive, and mostly reactive. That last part is why it so often fails, the first two are why it's so poorly practiced.

It really comes down to how important is privacy and personal freedom, and until people are willing to have that debate, nothing will change.


You can't see me so I will write I am nodding my head so very much in agreement. There should be NO difference between gov/priv.
Security and privacy is due all.
 
2014-02-04 02:18:20 PM

jgilb: Molavian: a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.

So all liberals see the world in shades of gray and all conservatives see it in black and white?

Most liberals see the world in shades of gray and most conservatives see it in black and white.


I'm just surprised no one has bragged that they can also see colors.

/I can also see colors.
 
gja [TotalFark]
2014-02-04 02:18:31 PM

What_do_you_want_now: gja: That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date.

I hate your politics, but your IT-philosophy chops are more than up to snuff.

Were we geographically close, I would offer to buy you a beer.


LOL. That's cool. I am a shiat-stirrer, that is certain. I want to rock the boat til we all get a bath. Way overdue in my opinion.
I make my living in I.T. and have for decades.

My politics are not solidified, I give no allegiance and expect those in office to understand they owe us an honest day's work for their pay. We rarely get that out of them, so I like to remind everyone most pol's suck as far as ROI goes.
 
gja [TotalFark]
2014-02-04 02:21:18 PM

HindiDiscoMonster: gja: beakgeek: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

Yep, and people who can't spell criticizing and call the President a "messiah" are just so much better than everyone else that they don't need to hide their awesome powers of intellect from the interwebs!

Hey Mr. Grammar/spelling nazi, not everyone lives here in the USA. In the UK that spelling is completely valid.

maybe for a Limey like you...

/jk :P


Why you bloody li'il wanker!

/i keed, i keed
Also, born and bred NYer, lifetime at that. Do love the UK, have spent plenty of time there. Ah, the stories. Uh, on second thought let's not share those, not sure of statute of limitations on......errr....things.
 
2014-02-04 02:27:17 PM

That Guy Jeff: Frankly I would do away with all password requirements, even for banks. Say "fine, you can use any password you want, with any characters you want, up to the size that can be hashed efficiently in our system, 128 characters or so." I would also combine that with "if your account gets broken into because your password is pathetic, we don't care. Your fault, your problem, try and be more responsible in the future, stupid." Zero liability for website users screwing up.


Why not have a system that locks you (or whomever is trying to guess your password) out for an hour after each 10 tries (something my company already does)? Or requires 10 seconds in between each try? Either way, your password can be a lot less secure and still keep hackers out.

The other problem is when hacking into a system with user X's password allows the hacker easier access to other parts of the system, of course.

Now time for the actual solution: password keepers are awesome. I just have to remember one random string of characters. All my passwords are whatever the max complexity allowed for the site is, and they are different for every site. Need to change? No problem, generate a new one, save, done. I haven't the slightest idea what any of my passwords are except the master.

I'm resisting getting a password keeper. I believe they fall into two types:

Open source: everyone can see the code. If you see a way to crack it, you can either A) fix it for no money, or B) sell it for lots of money.

Proprietary: the company has every financial motivation to conceal breaches, and none to let you know that their system has been hacked.

I have a strong belief in the role of money as a motivating force.
 
2014-02-04 02:31:09 PM
HindiDiscoMonster:  If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?

Disclaimer - I'm not in IT.

Supposedly, by far the most likely way your password will be stolen is by someone not actually sitting at your terminal.  So you're safer to use a ridiculously safe password and have it on a sticky on your computer screen than you are to use a really easy to guess password that you memorize.  I imagine the smartest thing to do is write down your cryptic password and keep it in your wallet or something.
 
2014-02-04 02:32:36 PM

draypresct: Why not have a system that locks you (or whomever is trying to guess your password) out for an hour after each 10 tries (something my company already does)? Or requires 10 seconds in between each try? Either way, your password can be a lot less secure and still keep hackers out.


I might be wrong and it doesn't work the same with online access but when I was testing wifi attacks what happens is it only asks the router once if the password it's trying is good or not.  When it returns the nope not good it then attacks the reply until the reply says hey you found me and it sends it to the router to be let in.  Now again that was a very basic description of how it works but you probably get the point.
 
2014-02-04 02:33:43 PM
By the way, does anyone else hate passwords that only allow SOME !@#$% characters as much as I do?

My health insurance company won't allow "!". Thanks assholes... WTF is that crap?
 
2014-02-04 02:35:38 PM

manbart: The underlying problem, said Coburn and several outside experts, is the failure of federal agencies to hire top-notch information technology workers, pay them enough and give them enough clout to enforce routine security practices.

"It's a low-status, often low-paid, high-stress position because people only notice systems administrators when something breaks," said Steven Bellovin, a Columbia University computer science professor and former Federal Trade Commission technologist. "It becomes a very easy position to neglect."


As someone who has worked as a DoD contractor before, I would agree with this. The government contractor model for hiring IT staff creates a race to the bottom. Companies win contracts by underbidding their competitor. This puts pressure on these companies to lower their payroll expenses to protect their profit margin.

On the contract I worked on, good employees would come on to the project, and work for a while until something better opened up or they got sick of the B.S. office politics. The pay was under market for some, about right for some and outrageously high for others. But, ultimately, either because of pay or work environment, the good workers would leave and the shiatty would stick around. It's no surprise when the quality of work goes to shiat in this setup.

The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.


Not only that, you add subcontractors into the mix and it gets even worse.  The DoD ends up paying $250K to company A for a position on a contract.  A then hires company B to fill it.  After all is said and done, the advertised position is lucky to be paying $50K.

Navy contractor who works in cyber security...glad I don't deal in complex passwords anymore now that almost everything has moved to 2-factor authentication.  All I need is my CAC and my PIN, though I'm assed out if I ever leave my CAC at home.
 
2014-02-04 02:38:18 PM
It's an interesting theory. If you don't pay for good infrastructure then it will come crashing down around your ears.

 
2014-02-04 02:38:27 PM

That Guy Jeff: Frankly I would do away with all password requirements, even for banks. Say "fine, you can use any password you want, with any characters you want, up to the size that can be hashed efficiently in our system, 128 characters or so." I would also combine that with "if your account gets broken into because your password is pathetic, we don't care. Your fault, your problem, try and be more responsible in the future, stupid." Zero liability for website users screwing up.


You do know what will happen when a hacker makes off with all of that bank's money without needing a single password, right? Yup, it's the customers' fault; no refund for you.
 
2014-02-04 02:38:35 PM

draypresct: That Guy Jeff: Frankly I would do away with all password requirements, even for banks. Say "fine, you can use any password you want, with any characters you want, up to the size that can be hashed efficiently in our system, 128 characters or so." I would also combine that with "if your account gets broken into because your password is pathetic, we don't care. Your fault, your problem, try and be more responsible in the future, stupid." Zero liability for website users screwing up.

Why not have a system that locks you (or whomever is trying to guess your password) out for an hour after each 10 tries (something my company already does)? Or requires 10 seconds in between each try? Either way, your password can be a lot less secure and still keep hackers out.

The other problem is when hacking into a system with user X's password allows the hacker easier access to other parts of the system, of course.

Now time for the actual solution: password keepers are awesome. I just have to remember one random string of characters. All my passwords are whatever the max complexity allowed for the site is, and they are different for every site. Need to change? No problem, generate a new one, save, done. I haven't the slightest idea what any of my passwords are except the master.

I'm resisting getting a password keeper. I believe they fall into two types:

Open source: everyone can see the code. If you see a way to crack it, you can either A) fix it for no money, or B) sell it for lots of money.

Proprietary: the company has every financial motivation to conceal breaches, and none to let you know that their system has been hacked.

I have a strong belief in the role of money as a motivating force.


Open source is the way to go. They use crypto libraries that are well checked and used in many more applications. If there's a flaw in those libraries the world's got much bigger problems than just your passwords. The whole "people can see the code" worry is a non-issue.

HindiDiscoMonster:

If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?

Depends on the application. If that password is a PIN and it's in your wallet with your ATM card, then it's crazy insecure. If it's the password to your online banking account that just shows you your transactions and you keep it on top of the stack of bank statements that show the same thing, it's every bit as secure as it needs to be.

Also depends on who your adversary is. The Syrian Electronic Army isn't going to steal your twitter account by breaking into your house. The government, however, will tear your house apart trying to find the password for your full disk encryption.
 
2014-02-04 02:38:42 PM

lennavan: HindiDiscoMonster:  If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?

Disclaimer - I'm not in IT.

Supposedly, by far the most likely way your password will be stolen is by someone not actually sitting at your terminal.  So you're safer to use a ridiculously safe password and have it on a sticky on your computer screen than you are to use a really easy to guess password that you memorize.  I imagine the smartest thing to do is write down your cryptic password and keep it in your wallet or something.


The most likely way somebody is going to steal your password is by sending you an email claiming that they are the systems admin and that they need your username and password. Either that way or through some other social engineering technique. The actual guessing of passwords and using rainbow tables and other attacks are fast becoming surpassed by social engineering.
 
2014-02-04 02:40:30 PM

HindiDiscoMonster: degenerate-afro: I AM THE GOAT: As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.

Password requirements are 12 characters, three of four ($ymbol, CAPITAL, lowercase, Number#).  Passwords change every 45~90 days.

Of course that's only enforced by systems that are using AD / LDAP.  If a system isn't on a domain (most linux systems) or aren't online, the password policy can't be enforced.

If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?


An example of a password that meets the 12 3/4 requirement:
Webster'sNew-CollegeDictionary
Babys1st.SippyCup

It's your fault if you want to make a password so complex that you can't remember it.

The other problem is because of how frequent they require the password to change.  Places that require a 45 day password change get people using the same password and just changing three or four things at the beginning or end to make it compliant.

For example if someone has a base password of "HappyNewYear", They'll change their password every 90 days to be:
Aug13HappyNewYear
Oct11HappyNewYear
Jan2HappyNewYear

and so on.  Active Directory doesn't check for repetition in that manner which allows people to cheat on their passwords.  Then there are the people who make complex passwords, but can't remember them so they wind up writing them down.

Then you have what I call the IT favorite passwords:

1qaz@WSX3edc
or
QWE!@#asd123

or some variation of the above.  I absolutely HATE seeing people who abuse the QWERTY keyboard to make their password by running their fingers up and down the keys.  It's not secure, it's stupid and the worst part is it's mostly IT guys who do this.
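The pattern this comment describes (passwords that satisfy "12 characters, three of four classes" while being keyboard walks or a rotated prefix on an unchanged base) can be caught at change time. The following is an added example, not part of the original comment and not a feature of any product named in the thread; the function names and both thresholds are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher

# US QWERTY rows. Shifted symbols are folded onto their unshifted key so that
# "!@#" is treated as the same three keys as "123".
_ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_UNSHIFT = str.maketrans('!@#$%^&*()_+{}|:"<>?', "1234567890-=[]\\;',./")
_KEY_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}

MIN_LENGTH = 12        # policy quoted in the thread
MIN_CLASSES = 3        # "three of four"
WALK_THRESHOLD = 0.6   # assumption: share of keystroke pairs on neighbouring keys
REUSE_FRACTION = 0.5   # assumption: shared run vs. length of the shorter password


def meets_complexity(pw):
    """The length / character-class rule on its own."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES


def keyboard_walk_ratio(pw):
    """Fraction of consecutive characters typed on the same or a neighbouring key."""
    keys = pw.translate(_UNSHIFT).lower()
    if len(keys) < 2:
        return 0.0
    adjacent = 0
    for a, b in zip(keys, keys[1:]):
        pa, pb = _KEY_POS.get(a), _KEY_POS.get(b)
        if pa is None or pb is None:
            continue
        if abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1:
            adjacent += 1
    return adjacent / (len(keys) - 1)


def reused_base(old, new):
    """Return the long substring shared by old and new password, or None.

    Assumption: the user types the current password when changing it, so the
    comparison happens in memory at change time and nothing is stored in clear.
    """
    a, b = old.lower(), new.lower()
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b))
    if m.size > 0 and m.size >= REUSE_FRACTION * min(len(a), len(b)):
        return a[m.a:m.a + m.size]
    return None


def review_change(old, new):
    """Findings for a proposed password; an empty list means no objection."""
    findings = []
    if not meets_complexity(new):
        findings.append("too_short_or_simple")
    if keyboard_walk_ratio(new) >= WALK_THRESHOLD:
        findings.append("keyboard_walk")
    if old is not None and reused_base(old, new):
        findings.append("reuses_old_base")
    return findings


if __name__ == "__main__":
    # Sample passwords are the ones quoted in the comment above.
    history = ["Aug13HappyNewYear", "Oct11HappyNewYear", "Jan2HappyNewYear"]
    for old, new in zip(history, history[1:]):
        print(new, meets_complexity(new), review_change(old, new))
    for pw in ("1qaz@WSX3edc", "QWE!@#asd123", "Babys1st.SippyCup"):
        print(pw, meets_complexity(pw), review_change(None, pw))
```

Every password quoted in the comment passes `meets_complexity`; only the two extra checks separate the keyboard walks and the rotated `HappyNewYear` variants from `Babys1st.SippyCup`.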
 
2014-02-04 02:41:01 PM

Gone to Plaid: Not only that, you add subcontractors into the mix and it gets even worse. The DoD ends up paying $250K to company A for a position on a contract. A then hires company B to fill it. After all is said and done, the advertised position is lucky to be paying $50K.

Navy contractor who works in cyber security...glad I don't deal in complex passwords anymore now that almost everything has moved to 2-factor authentication. All I need is my CAC and my PIN, though I'm assed out if I ever leave my CAC at home.


You have a detachable penis? Never had that problem.
 
2014-02-04 02:46:55 PM
manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.
 
2014-02-04 02:47:49 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


0/10
Very poor.
 
2014-02-04 02:49:20 PM

ongbok: Gone to Plaid: Not only that, you add subcontractors into the mix and it gets even worse. The DoD ends up paying $250K to company A for a position on a contract. A then hires company B to fill it. After all is said and done, the advertised position is lucky to be paying $50K.

Navy contractor who works in cyber security...glad I don't deal in complex passwords anymore now that almost everything has moved to 2-factor authentication. All I need is my CAC and my PIN, though I'm assed out if I ever leave my CAC at home.

You have a detachable penis? Never had that problem.


I almost busted out laughing during my introductory security seminar for working on the base. Hearing a former military (federal civilian employee) security officer sternly say  "insert the CAC into the slot to gain access!" was too much. That could have been awkward, but I contained myself. Many jokes were made among the IT staff about inserting or displaying the CAC.
 
2014-02-04 02:50:43 PM

irate vegetable: manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.


Where do I apply?
 
2014-02-04 02:51:28 PM

degenerate-afro: HindiDiscoMonster: degenerate-afro: I AM THE GOAT: As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.

Password requirements are 12 characters, three of four ($ymbol, CAPITAL, lowercase, Number#).  Passwords change every 45~90 days.

Of course that's only enforced by systems that are using AD / LDAP.  If a system isn't on a domain (most linux systems) or aren't online, the password policy can't be enforced.

If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?

An example of a password that meets the 12 3/4 requirement:
Webster'sNew-CollegeDictionary
Babys1st.SippyCup

It's your fault if you want to make a password so complex that you can't remember it.

The other problem is because of how frequent they require the password to change.  Places that require a 45 day password change get people using the same password and just changing three or four things at the beginning or end to make it compliant.

For example if someone has a base password of "HappyNewYear", They'll change their password every 90 days to be:
Aug13HappyNewYear
Oct11HappyNewYear
Jan2HappyNewYear

and so on.  Active Directory doesn't check for repetition in that manner which allows people to cheat on their passwords.  Then there are the people who make complex passwords, but can't remember them so they wind up writing them down.

Then you have what I call the IT favorite passwords:

1qaz@WSX3edc
or
QWE!@#asd123

or some variation of the above.  I absolutely HATE seeing people who abuse the QWERTY keyboard to make their password by running their fingers up and down the keys.  It's not secure, it's stupid and the worst part is it's mostly IT guys who do this.


Gotta admit, I was guilty as all hell of doing this when I was a server admin.  Not so much when shifting to information assurance.  I don't think anyone mentioned it, but the DoD policy is 15 character minimum, 2 upper, 2 lower, 2 special, 2 numbers.  Max password attempt is 3 within an hour.  If you exceed that then your account is locked out for good and you have to call the help desk to get it unlocked.
 
2014-02-04 02:56:04 PM

irate vegetable: manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.


Some of the govies were okay at performing technical tasks (from what I saw anyway, we weren't allowed to work directly with them). Some of their work looked sloppy, but that is true at any organization.

They stick around forever though. Turnover was very high among contractors, but all of the government employees I worked with had been at the base forever. That was an asset at times though, institutional knowledge and all (i.e. where to find some documentation about existing infrastructure if it exists, and what may be important to know that doesn't show up in the available documentation)
 
2014-02-04 02:59:15 PM

ongbok: Gone to Plaid: Not only that, you add subcontractors into the mix and it gets even worse. The DoD ends up paying $250K to company A for a position on a contract. A then hires company B to fill it. After all is said and done, the advertised position is lucky to be paying $50K.

Navy contractor who works in cyber security...glad I don't deal in complex passwords anymore now that almost everything has moved to 2-factor authentication. All I need is my CAC and my PIN, though I'm assed out if I ever leave my CAC at home.

You have a detachable penis? Never had that problem.


CAC/cock-based humor is as common in government offices as required postings informing us that today is National Check Your Leave Balance Day.
 
2014-02-04 03:00:43 PM

irate vegetable: manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.


It's definitely a mixed bag and all depends on what agency/branch of military you work for and if you are CONUS or overseas.  I've seen contractors that are glorified seat warmers riding out a contract, and I've seen them with more expertise on a subject than all of the gov't civilians combined.
 
2014-02-04 03:18:12 PM

SlothB77: vpb: We should contract web security out to Target because private industry is so much better.

sadly, it still is.  By a lot.


Good thing it is a private industry handling healthcare.gov.
 
2014-02-04 03:20:14 PM

manbart: irate vegetable: manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.

Some of the govies were okay at performing technical tasks (from what I saw anyway, we weren't allowed to work directly with them). Some of their work looked sloppy, but that is true at any organization.

They stick around forever though. Turnover was very high among contractors, but all of the government employees I worked with had been at the base forever. That was an asset at times though, institutional knowledge and all (i.e. where to find some documentation about existing infrastructure if it exists, and what may be important to know that doesn't show up in the available documentation)


As far as I've experienced, contractors tend to have a pretty high turnover rate for just about any field. I've been doing contract work for the last year or so, and I'm paid way more than my corporate/govt counterpart would make, even including benefits. They brought me in to start and complete a project (and sometimes train a replacement) within a short time span. It's nothing compared to what my last company charged per hour for my work (3x what I make now).
 
2014-02-04 03:20:39 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


HAhahahahaha! Oh, wait. You're serious? Let me laugh even HARDER

BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH!HA-HAH!
 
2014-02-04 03:21:14 PM

Serious Post on Serious Thread: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

I'll bite. 1. If you use the word 'messiah' to describe the perception of Obama by anything more than maybe .^A% of his supporters, you are deluded beyond belief and should seek professional psychological help ASAP.
2. There's pretty rampant pissed off-ness on a lot of things under O that his biggest supporters are open about: drone policy, gitmo, NSA BS, lack of curb stomping bankers, continued lobbyist crap, wtf ACA website. BUT the perpetual conservavictim crowd ignores the real shiat and derps out on Benghazi!, arugula!, golf!, Bo!, birf certificate!, secret muslim socialist atheist!, shock that Air Force one costs money!, flag pins!, not saluting right!. And, of course "our number one priority is to make him a one term president". Ie. fark jobs and the people we represent! Petty political bs is job 1!!!!!

You jack holes squandered every ounce of legit political capital you had over, what I can only explain as mostly racist and at best hysterical garbage.

So fark your messiah BULLSHIAT. You've made fools of yourselves, damaged the nation, and squandered every opportunity to make things better. He's not our messiah. He's your antichrist. And you've acted the ass for that decision. Don't deflect it on to us.


Your newsletter...how do I subscribe?
 
2014-02-04 03:22:46 PM

FormlessOne: YixilTesiphon: Mithiwithi: You always have the option of just paying the fine.

And if I don't pay the fine?

It's not like you'll have a choice - it's a "tax penalty", applied by the IRS when you file your taxes. You can either skip filing your taxes or try to take the IRS to court over it, but it's not like you can say, "well, I'm just not paying it."


Even if the IRS could take collection actions on the ACA penalty - and I have no doubt they will be given that power eventually - you will still have the choice of not paying it, at which point the IRS will attach tax liens and all the other things the IRS does about uncollected taxes.

But, and this is my point, that is still an available  choice.  And still a better result for you than the alternative to going to the hospital when you're sick, which is to stay at home and die.  (Let's recall, this is a hypothetical hospital with shiatty IT policies that leaks your personal data like a sieve due to poor password policies.  And it may be the only hospital in town.)
 
2014-02-04 03:23:10 PM
The_Celt


Maybe he's a really good IT guy, and he honeypotted you and is now using you as a proxy for his porn ring and stolen credit card numbers....?
 
2014-02-04 03:27:46 PM

Clemkadidlefark: Remember .. you voted this assembly of asshats


Did we? I remember dead people voting, and corporations voting with their dollars, and politicians voting for each other with ballot box stuffing... OH! and Electronic machines changing our votes for us to help us out, but really, I'm not sure we, the people, voted for anyone at all...
 
2014-02-04 03:34:28 PM

tlars699: Clemkadidlefark: Remember .. you voted this assembly of asshats

Did we? I remember dead people voting, and corporations voting with their dollars, and politicians voting for each other with ballot box stuffing... OH! and Electronic machines changing our votes for us to help us out, but really, I'm not sure we, the people, voted for anyone at all...


Are you sure you remember all of that and didn't just make it up?
 
2014-02-04 04:04:21 PM

tripleseven: Serious Post on Serious Thread: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

I'll bite. 1. If you use the word 'messiah' to describe the perception of Obama by anything more than maybe .^A% of his supporters, you are deluded beyond belief and should seek professional psychological help ASAP.
2. There's pretty rampant pissed off-ness on a lot of things under O that his biggest supporters are open about: drone policy, gitmo, NSA BS, lack of curb stomping bankers, continued lobbyist crap, wtf ACA website. BUT the perpetual conservavictim crowd ignores the real shiat and derps out on Benghazi!, arugula!, golf!, Bo!, birf certificate!, secret muslim socialist atheist!, shock that Air Force one costs money!, flag pins!, not saluting right!. And, of course "our number one priority is to make him a one term president". Ie. fark jobs and the people we represent! Petty political bs is job 1!!!!!

You jack holes squandered every ounce of legit political capital you had over, what I can only explain as mostly racist and at best hysterical garbage.

So fark your messiah BULLSHIAT. You've made fools of yourselves, damaged the nation, and squandered every opportunity to make things better. He's not our messiah. He's your antichrist. And you've acted the ass for that decision. Don't deflect it on to us.

Your newsletter...how do I subscribe?


I don't know man. I'm ranty about this yes, but I don't think I'm tin foil hatty.

I'm all libby and shiat, but I'm pretty neutral that O is a mixed bag for the farther left progressives. So when I hear the 'messiah/Birther/secret muslim' crazy from the delusional right, I gotta think they're just batshiat with either racist or at least psychotic undertones. Which saddens me cause a legit critique on the opposition is useful. But weapons grade derp is just a sad distraction.

Oh, and what's a 'newsletter'? Is it like an old timey blog or something?
 
2014-02-04 04:08:35 PM

irate vegetable: manbart:The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.


These people infuriate me. They should have it operate the same as politicians.
You have this job for X years.
You will be given a 1 year warning that you will be replaced so as to make plans for getting a different job. You are not allowed to apply for this position until 2*X years from now.
Special circumstances: Your boss,(optional: and their boss) can write a recommendation to keep you in said position. This recommendation will be due 9 months prior to your termination, and must provide examples of your exemplary work.
If this recommendation meets approval of HR Board, you will qualify for contract extension/re-negotiation*.

* This will allow for those who give a glowing review but no actual example data, to negotiate for a lower salary to said person. It also allows raises if said employee is particularly awesome
 
2014-02-04 04:14:55 PM

gja: beakgeek: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

Yep, and people who can't spell criticizing and call the President a "messiah" are just so much better than everyone else that they don't need to hide their awesome powers of intellect from the interwebs!

Hey Mr. Grammar/spelling nazi, not everyone lives here in the USA. In the UK that spelling is completely valid.


gja - this MERICA  fark Yeah!  He is not from the UK since he said "our government", but thanks for the comment Mr. We Spell it like this in the UK ;-)
 
2014-02-04 04:16:24 PM

thurstonxhowell: tlars699: Clemkadidlefark: Remember .. you voted this assembly of asshats

Did we? I remember dead people voting, and corporations voting with their dollars, and politicians voting for each other with ballot box stuffing... OH! and Electronic machines changing our votes for us to help us out, but really, I'm not sure we, the people, voted for anyone at all...

Are you sure you remember all of that and didn't just make it up?


1. Chicago mayoral/ senate position voting
2. Lobbying/Money=Free Speech
3. Milwaukee: Scott Walker becoming the Governor, AND during the recall. The same county in the Milwaukee area turned in their vote tally LATE and had to recount it, because they "Missed 3 bags of votes" TWICE. Riiiiiiiiiight. The person responsible? A Republican that had to be voted into office for the counting votes, and was previously hired as a campaign assistant for Scott Walker becoming Mayor.
4. Florida GW Bush Presidential election. Machines would change votes so the dot filled the spot wished for, and made the ballot nigh impossible to interpret to begin with.

Given these have previously happened, what makes you think that any of these have or will stop?
 
2014-02-04 04:26:34 PM

tlars699: irate vegetable: manbart:The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.

These people infuriate me. They should have it operate the same as politicians.
You have this job for X years.
You will be given a 1 year warning that you will be replaced so as to make plans for getting a different job. You are not allowed to apply for this position until 2*X years from now.
Special circumstances: Your boss,(optional: and their boss) can write a recommendation to keep you in said position. This recommendation will be due 9 months prior to your termination, and must provide examples of your exemplary work.
If this recommendation meets approval of HR Board, you will qualify for contract extension/re-negotiation*.

* This will allow for those who give a glowing review but no actual example data, to negotiate for a lower salary to said person. It also allows raises if said employee is particularly awesome


A much simpler solution would be to have actual accountability for govt workers. From where I sit, anything good that govt does is mostly by accident or the hard work of someone who hasn't burned out and become cynical yet.
 
2014-02-04 04:48:13 PM
Passwords for my bank, work, retirement fund, fark account

nttawwt
ianalymmv
rofloldiaf
eabodbbq
 
ecl
2014-02-04 04:51:00 PM

trappedspirit: Passwords for my bank, work, retirement fund, fark account

nttawwt
ianalymmv
rofloldiaf
eabodbbq


I usually stick to DVDA.
 
2014-02-04 04:55:34 PM

Serious Post on Serious Thread: tripleseven: Serious Post on Serious Thread: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

I'll bite. 1. If you use the word 'messiah' to describe the perception of Obama by anything more than maybe .^A% of his supporters, you are deluded beyond belief and should seek professional psychological help ASAP.
2. There's pretty rampant pissed off-ness on a lot of things under O that his biggest supporters are open about: drone policy, gitmo, NSA BS, lack of curb stomping bankers, continued lobbyist crap, wtf ACA website. BUT the perpetual conservavictim crowd ignores the real shiat and derps out on Benghazi!, arugula!, golf!, Bo!, birf certificate!, secret muslim socialist atheist!, shock that Air Force one costs money!, flag pins!, not saluting right!. And, of course "our number one priority is to make him a one term president". Ie. fark jobs and the people we represent! Petty political bs is job 1!!!!!

You jack holes squandered every ounce of legit political capital you had over, what I can only explain as mostly racist and at best hysterical garbage.

So fark your messiah BULLSHIAT. You've made fools of yourselves, damaged the nation, and squandered every opportunity to make things better. He's not our messiah. He's your antichrist. And you've acted the ass for that decision. Don't deflect it on to us.

Your newsletter...how do I subscribe?

I don't know man. I'm ranty about this yes, but I don't think I'm tin foil hatty.

I'm all libby and shiat, but I'm pretty neutral that O is a mixed bag for the farther left progressives. So when I hear the 'messiah/Birther/secret muslim' crazy from the delusional right, I gotta think they're just batshiat with either racist or at least psychotic undertones. Which saddens me cause a legit critique on the opposition is useful. But weapons grade derp is just a sad distraction.

Oh, and what's a 'newsletter'? Is it like an old timey blog or something?


I was replying as a compliment.


Maybe I misused the term
 
2014-02-04 05:00:16 PM
I'm sure this has already been covered, but I've found that vendors are the biggest threat.  One place I worked for did web portals for a lot of major companies, with all of the user creds going through one database.  They made users sign up using their personal email addresses, and ALL of their passwords were in plaintext in the database (that anyone working there could access). So they had your email/plaintext passwords.  I've done pen-testing for some other vendors who are even worse. Something else I've noticed is that people don't care if you can grab a copy of their database, but if you can log in to their Facebook account, that's when they take security seriously.
 
2014-02-04 05:04:49 PM

Serious Post on Serious Thread: I'm all libby and shiat, but I'm pretty neutral that O is a mixed bag for the farther left progressives. So when I hear the 'messiah/Birther/secret muslim' crazy from the delusional right, I gotta think they're just batshiat with either racist or at least psychotic undertones. Which saddens me cause a legit critique on the opposition is useful. But weapons grade derp is just a sad distraction.


Old adage is that Republicans accuse the Democrats of doing what the Rs are actually doing.
They yell about voter fraud 'cause they commit it.
They yell about Obama messiah because they worship Reagan.

/my 2 cents
 
2014-02-04 05:06:27 PM
This doesn't surprise me in the least.

I do a bit of work in governmental IT security. It's laughable sometimes. The best things are issues like only being allowed CESG approved software/firmware versions of firewalls, but because the certification takes so long, by the time a particular version is approved, not only has it been superseded, sometimes it actually has security issues, but you can't upgrade because the version that fixes the issue isn't CESG approved yet.

So you either follow the rules and use an approved version which has issues, or you have to break policy in order to secure a system properly.

Don't even get me started on the bureaucrats who apparently know better than the consultant they hired in security matters simply because they read a basic pen test report.

"this device is open to the entire Internet on ports 80 and 443, fix it"

What? You mean your webserver/load balancer/reverse proxy? How exactly should I go about fixing this situation?

"You're the expert, you fix it"

*sigh*

/also management of devices over telnet
//so much telnet :-(
 
2014-02-04 05:16:36 PM
You mean to tell me that a government IT office is stuck in 1990?! SAY IT AIN'T SO!

/faints
 
2014-02-04 05:27:57 PM
One of the strangest password rules was that angry or four-letter passwords were not allowed on a subsystem of a corporate network.  It would tell you in a strange way to use a more respectful password.

I never understood that.
 
2014-02-04 05:39:55 PM

Pinko_Commie: "this device is open to the entire Internet on ports 80 and 443, fix it"

What? You mean your webserver/load balancer/reverse proxy? How exactly should I go about fixing this situation?

"You're the expert, you fix it"


This happened to me once.  I told them to send it to me in writing.  They did, so I "fixed" it as requested.  When the complaints started rolling in, all I did was show the letter requesting that we close off port 80 and 443 and went back to doing my work.

/They actually had to write up a POA&M before reopening it
//CSB
 
2014-02-04 05:53:01 PM
Was it "Guest"?

/In my world, Archer is a documentary
 
2014-02-04 06:11:52 PM

tripleseven: I was replying as a compliment.


Maybe I misused the term


No, I think your usage was correct.
 
2014-02-04 06:24:17 PM

tripleseven: Serious Post on Serious Thread: tripleseven: Serious Post on Serious Thread: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

I'll bite. 1. If you use the word 'messiah' to describe the perception of Obama by anything more than maybe .^A% of his supporters, you are deluded beyond belief and should seek professional psychological help ASAP.
2. There's pretty rampant pissed off-ness on a lot of things under O that his biggest supporters are open about: drone policy, gitmo, NSA BS, lack of curb stomping bankers, continued lobbyist crap, wtf ACA website. BUT the perpetual conservavictim crowd ignores the real shiat and derps out on Benghazi!, arugula!, golf!, Bo!, birf certificate!, secret muslim socialist atheist!, shock that Air Force one costs money!, flag pins!, not saluting right!. And, of course "our number one priority is to make him a one term president". Ie. fark jobs and the people we represent! Petty political bs is job 1!!!!!

You jack holes squandered every ounce of legit political capital you had over, what I can only explain as mostly racist and at best hysterical garbage.

So fark your messiah BULLSHIAT. You've made fools of yourselves, damaged the nation, and squandered every opportunity to make things better. He's not our messiah. He's your antichrist. And you've acted the ass for that decision. Don't deflect it on to us.

Your newsletter...how do I subscribe?

I don't know man. I'm ranty about this yes, but I don't think I'm tin foil hatty.

I'm all libby and shiat, but I'm pretty neutral that O is a mixed bag for the farther left progressives. So when I hear the 'messiah/Birther/secret muslim' crazy from the delusional right, I gotta think they're just batshiat with either racist or at least psychotic undertones. Which saddens me cause a legit critique on the opposition is useful. But weapons grade derp is just a sad distraction.

Oh, and what's a 'newsletter'? Is it like an old timey blog or something?

I was replying as a compliment.


Maybe I misused the term


Heh. Well thanks then. I usually associate the 'newsletter' thing to a crazy ranty guy reference whom you're making fun of, but I suppose it can also be a humorous compliment. This being fark I generally assume the former. :)
 
2014-02-04 06:53:37 PM
Here's  an idea.
Stop collecting mass amounts of data on American citizens, assholes.
 
2014-02-04 07:46:37 PM

syberpud: And no, the current admin will not make significant changes in that mentality unless it means dealing with insider threats. That will be addressed.


I think the Robert Hanssen and Aldrich Ames cases show pretty clearly that the US intelligence community isn't interested in dealing with insider threats, at least not quickly.
 
2014-02-04 08:16:48 PM

jntaylor63: Well then, maybe; just MAYBE we should put more money and effort into protecting our cyber security than say:

1 - Building Tanks the Army doesn't need.

2 - Cargo planes the Air Force doesn't need.

3 - 10+ billion dollars a pop on new Aircraft Carriers.

4 - "Super; next-gen" jet-fighters that have yet to live up to their promise. (400 billion and counting)


Except they've hired admins. They aren't doing their jobs. Probably affirmative action hires or unionized.
 
2014-02-04 08:39:22 PM

Diogenes: the_celt: My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.

Not that it's an excuse, but because we work in IT we have to remember a ton of passwords.  But yes, even still you'd think he'd know better.


the
Neighborhood honeypot
 
2014-02-04 09:36:21 PM

Gone to Plaid: degenerate-afro: HindiDiscoMonster: degenerate-afro: I AM THE GOAT: As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.

Password requirements are 12 characters, three of four ($ymbol, CAPITAL, lowercase, Number#).  Passwords change every 45~90 days.

Of course that's only enforced by systems that are using AD / LDAP.  If a system isn't on a domain (most linux systems) or aren't online, the password policy can't be enforced.

If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?

An example of a password that meets the 12 3/4 requirement:
Webster'sNew-CollegeDictionary
Babys1st.SippyCup

It's your fault if you want to make a password so complex that you can't remember it.

The other problem is because of how frequent they require the password to change.  Places that require a 45 day password change get people using the same password and just changing three or four things at the beginning or end to make it compliant.

For example if someone has a base password of "HappyNewYear", They'll change their password every 90 days to be:
Aug13HappyNewYear
Oct11HappyNewYear
Jan2HappyNewYear

and so on.  Active Directory doesn't check for repetition in that manner which allows people to cheat on their passwords.  Then there are the people who make complex passwords, but can't remember them so they wind up writing them down.

Then you have what I call the IT favorite passwords:

1qaz@WSX3edc
or
QWE!@#asd123

or some variation of the above.  I absolutely HATE seeing people who abuse the QWERTY keyboard to make their password by running their fingers up and down the keys.  It's not secure, it's stupid and the worst part is it's mostly IT guys who do this.

Gotta admit, I was guilty as all hell of doing this when I was a server admin.  Not so much when shifting to information assurance.  I don't think anyone mentioned it, but the DoD policy is 15 character minimum, 2 upper, 2 lower, 2 special, 2 numbers.  Max password attempt is 3 within an hour.  If you exceed that then your account is locked out for good and you have to call the help desk to get it unlocked.


Account lockouts are not likely to help much. Most breaches seem to be either social engineering or cracking the password hashes offline. In the first case, you've got one username password combo outright, and in the second you're breaking all (some/many/whatever) of the passwords directly from a stolen file with no interaction with the agency at all. If the passwords are weak, or the hashing algorithm poor, you're farked.
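
The two habits described in the comment above (a fixed base password with a rotating prefix, and keyboard-walk passwords), as an added example that is not part of the thread: a Python screening check run at password-change time. It assumes the change form supplies the old password in plaintext for comparison; the function names and thresholds are illustrative.

```python
from difflib import SequenceMatcher

# US QWERTY layout as a grid; row stagger is ignored, so "1qaz" is one column.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

# Map shifted symbols back to the physical key they sit on ("@" -> "2").
UNSHIFT = str.maketrans("!@#$%^&*():<>?", "1234567890;,./")


def normalize(password):
    """Reduce a password to the sequence of physical keys pressed."""
    return password.translate(UNSHIFT).lower()


def walk_fraction(password):
    """Fraction of consecutive key presses that land on the same or a
    neighbouring key. Keyboard walks score high; words score low."""
    keys = normalize(password)
    if len(keys) < 2:
        return 0.0
    adjacent = 0
    for a, b in zip(keys, keys[1:]):
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            if max(abs(r1 - r2), abs(c1 - c2)) <= 1:
                adjacent += 1
    return adjacent / (len(keys) - 1)


def shared_base_ratio(old, new):
    """Length of the longest run of characters the new password shares with
    the old one, as a fraction of the new password's length."""
    a, b = old.lower(), new.lower()
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    match = matcher.find_longest_match(0, len(a), 0, len(b))
    return match.size / max(len(b), 1)


def screen_password_change(old, new, walk_limit=0.6, reuse_limit=0.5):
    """Return the reasons a new password should be rejected (empty if none).
    Thresholds are illustrative assumptions, not taken from any policy."""
    reasons = []
    if walk_fraction(new) >= walk_limit:
        reasons.append("keyboard-walk")
    if shared_base_ratio(old, new) >= reuse_limit:
        reasons.append("rotated-base")
    return reasons


if __name__ == "__main__":
    # Sample passwords are the ones quoted in the thread.
    changes = [
        ("Aug13HappyNewYear", "Oct11HappyNewYear"),
        ("Oct11HappyNewYear", "1qaz@WSX3edc"),
        ("1qaz@WSX3edc", "QWE!@#asd123"),
        ("QWE!@#asd123", "Babys1st.SippyCup"),
    ]
    for old, new in changes:
        print(f"{new!r}: {screen_password_change(old, new) or 'accepted'}")
```

A check like this only covers the online change path; it does nothing for the offline hash-cracking case the comment raises, which depends on how the stored hashes are computed.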
 
2014-02-04 10:52:38 PM

a particular individual: Molavian: a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the worlds in shades of gray instead of black and white as conservatives do.

So all liberals see the world in shades of gray and all conservatives see it in black and white?

Maybe.


lol
 
2014-02-04 11:24:11 PM
The entire Department of Homeland Security is a spaghetti western set facade created to vacuum up government pork. You guys get that, right?
 
2014-02-05 02:04:57 AM
They should call the NSA for help.
 
2014-02-05 02:51:07 AM
ACA is a mess that is increasing premiums without any gain in value.
 
2014-02-05 09:53:16 AM

soakitincider: ACA is a mess that is increasing premiums without any gain in value.


[citation needed]
 
2014-02-05 10:48:54 AM
Bullseyed:
Except they've hired admins. They aren't doing their jobs. Probably affirmative action hires or unionized.

Chucklehead GS employees that are mostly retired military and unfireable without an act of congress, led by political appointees protected from above due to their deep pockets for campaign donations task a publicly traded gov't contractor to staff a security operation. Said corporation hires kids fresh out of college and pays them 70k to sit in chairs they're charging the gov't upward of double that to fill. And that's just the problems out of the starting gate.
 
ecl
2014-02-05 05:52:17 PM

Witty_Retort: soakitincider: ACA is a mess that is increasing premiums without any gain in value.

[citation needed]


You shut up!
 
2014-02-05 09:20:24 PM
The company I work for (huge bank) has character limits on passwords.  Cannot exceed 8 char for system passwords.  And expire within 20 days.  So most people just write it down on a sticky note somewhere in their cubicle.
 
2014-02-05 11:53:33 PM

Frederick: The company I work for (huge bank) has character limits on passwords.  Cannot exceed 8 char for system passwords.  And expire within 20 days.  So most people just write it down on a sticky note somewhere in their cubicle.


Can you give us a hint as to which bank that is?  Just curious.
 