
(Washington Post) Federal agencies including DHS have so utterly failed at network security that their networks get compromised because of uninstalled firewalls and default passwords that never get changed. That Obamacare website is safe, though, you can trust them (washingtonpost.com)
More: Fail, DHS, default password, Senate, Senate Homeland Security, security patches, governmental affairs committee, federal system, anti-virus software

4008 clicks; posted to Main » on 04 Feb 2014 at 11:56 AM (24 weeks ago)



 
2014-02-04 12:44:13 PM
Didn't RTFA but I see some sort of lib/con angle so fark whatever the story is and:

a) ha ha! stupid obama!
b) oh yeah? snarky snark snark neocon idiots!
 
2014-02-04 12:44:37 PM
ongbok:
This happens when you have a large bureaucracy, even in private companies. The people who actually know something about security and make suggestions to improve it are at the bottom of the hill, and the people at the top, or as it is in most cases, people who think they are at the top and are important, don't like to be bothered by security and think it is a burden, so many procedures don't get initiated or are ignored because people complain about them.

This so very much. Where I work, it's nearly impossible to patch servers or do any preventive maintenance because the do-nothings have created a half dozen committees that need to have their say in any change. Inevitably someone will halt the work because someone, somewhere might be affected.
Eventually, you just give up and watch it all burn. Keeping the stack of emails showing all the times work has been denied of course.
 
2014-02-04 12:45:14 PM

Cold_Sassy: Why does this not surprise me?  Thank God I have private insurance.



Governments let your info slip for free, private companies sell it to the highest bidder.

poo-tay-toe, po-tat-oh
 
2014-02-04 12:46:41 PM

Witty_Retort: 1derful: vpb: We should contract web security out to Target because private industry is so much better.

Herr Goebbels omits the fact that there is no federal mandate to shop at Target.

1derfulNazi omits the fact that it is a private contractor building the ACA website.


Right, and there is a federal mandate to use that, which is the difference.
 
2014-02-04 12:46:55 PM

redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity, guys.


Correct Horse Battery Staple
 
2014-02-04 12:46:55 PM

Glendale: Wodan11: csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.

The whole secret question/answer thing should be scrapped because of the rise of social media.


Seriously, that sort of thing is one of the easiest attack vectors. When I was taking a computer security course in college, one of the first things the professor told us was to avoid using these if at all possible; he would literally type gibberish in for the answers if he was required to use them. Sure, he can't recover his password if he forgets it, but no one else can recover it either, and that's the far more important consideration.
 
2014-02-04 12:47:40 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Yep, and people who can't spell criticizing and call the President a "messiah" are just so much better than everyone else that they don't need to hide their awesome powers of intellect from the interwebs!
 
2014-02-04 12:49:43 PM

YixilTesiphon: Witty_Retort: 1derful: vpb: We should contract web security out to Target because private industry is so much better.

Herr Goebbels omits the fact that there is no federal mandate to shop at Target.

1derfulNazi omits the fact that it is a private contractor building the ACA website.

Right, and there is a federal mandate to use that, which is the difference.


You always have the option of just paying the fine.

Which is better than the alternative you have of not going to the hospital when you're sick, and I guarantee there are a ton of major hospitals with similarly lax IT security.
 
2014-02-04 12:51:50 PM

Devil's Playground: redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity, guys.

Correct Horse Battery Staple


Honestly you don't even need to follow the xkcd example. Just think of a random sentence. I used to use long movie titles. I'm sure there are rainbow tables out there that might take those into account, but the odds of them being used against one of my passwords is probably less than someone breaking into my house to steal the data off my computer.
 
2014-02-04 12:52:22 PM

stewbert: IMO, the feds are doing better than states. I haven't changed my network password in years, and it isn't a strong password. I'm sure there is a policy somewhere that "requires" me to change it quarterly, and use a stronger pw, but unless/until IT forces it, no one will comply.


Forcing people to change their passwords every 90 days makes security worse because it encourages bad password habits.
 
2014-02-04 12:54:09 PM
"DHS has taken significant measures to improve and strengthen our capabilities to address the cyber risks associated with our critical information networks and systems," S.Y. Lee, a department spokesman, said in an e-mailed statement.

This statement has no substance, why did he even bother replying to the reporter's email if he was just going to say "nope, fixed it!"

/accountability?
 
2014-02-04 12:55:53 PM
What does "DHS" stand for again? I forget.
 
2014-02-04 12:57:19 PM

Mithiwithi: You always have the option of just paying the fine.


And if I don't pay the fine?
 
2014-02-04 01:00:11 PM
Do I have to remind everyone again?  Prime Directive:  Do NOT respond to anyone who refers to Obama as the "messiah" of the left.

0/10
lazy troll
 
2014-02-04 01:01:00 PM

Glendale: What about 12345? That's the combination I use on my luggage.


Only a fool would use a password like that!  That and "password" or "guest" or...
 
2014-02-04 01:02:20 PM
my password was a randomly created password given to me with my first college email account.  i just never changed it from the random gibberish.

now, it has taken on special characters and caps and a few variables (characters I switch out).  i use code words to identify which iteration of the password to use.

but, i still can't ever remember my farking user name.
 
2014-02-04 01:02:31 PM
degenerate-afro: Of course congress won't increase funding for anything because it will just go to waste in their opinion.  0bama.

FTFY
 
2014-02-04 01:02:40 PM

Devil's Playground: redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity, guys.

Correct Horse Battery Staple


Yeah, and then some policy-driven noob will want complex characters and it turns into C0rr3ct!h0R53*&B$TT3r7?5TaPl3@ and then the end user will use P@ssword1 because it meets the minimum policy requirements.
 
2014-02-04 01:02:46 PM

YixilTesiphon: Mithiwithi: You always have the option of just paying the fine.

And if I don't pay the fine?


Nothing really.

However, the IRS is limited in the ways it can collect the fine. The Affordable Care Act stipulates that taxpayers are not subject to criminal prosecution or penalty for refusing to pay. The IRS cannot place a lien on property, either, as it can when collecting back taxes.

The only way the IRS can collect the mandate fine is by taking it out of withholding or deducting it from tax refunds of those who receive one.
The IRS has no way to collect the fine from people who do not participate in withholding - however, making it more likely they will receive a return.
 
2014-02-04 01:04:29 PM

YixilTesiphon: Mithiwithi: You always have the option of just paying the fine.

And if I don't pay the fine?


It's not like you'll have a choice - it's a "tax penalty", applied by the IRS when you file your taxes. You can either skip filing your taxes or try to take the IRS to court over it, but it's not like you can say, "well, I'm just not paying it."
 
gja [TotalFark]
2014-02-04 01:04:29 PM

Anayalator: admin
admin

*click*


Welcome Dr. Falken



Now I'm hungry.
 
2014-02-04 01:06:39 PM

the_celt: My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.


Maybe he doesn't care.  If you aren't file sharing or have computers on all the time then who cares?  My home internet is used for Netflix, Xbox, and basic internet every few days on the laptop.  If you aren't file sharing I don't see much of a reason to care, since most people aren't doing sophisticated attacks to steal your CC info; they just want free internet.
 
2014-02-04 01:10:38 PM

tricycleracer: YixilTesiphon: Mithiwithi: You always have the option of just paying the fine.

And if I don't pay the fine?

Nothing really.

However, the IRS is limited in the ways it can collect the fine. The Affordable Care Act stipulates that taxpayers are not subject to criminal prosecution or penalty for refusing to pay. The IRS cannot place a lien on property, either, as it can when collecting back taxes.

The only way the IRS can collect the mandate fine is by taking it out of withholding or deducting it from tax refunds of those who receive one. The IRS has no way to collect the fine from people who do not participate in withholding - however, making it more likely they will receive a return.


In other words, if you participate in withholding, or if you expect a refund, ever, from the IRS, you'll automatically pay that fine and there's nothing you can do about it. The only way to "refuse to pay" is to:
- file your taxes, but not participate in withholding;
- file your taxes, but be poor enough to not get anything back, or;
- not file your taxes, and hope that they don't catch you.

The IRS doesn't need to chase you down - they're patient, and they keep records. The penalties are cumulative, and the penalty for 2014 is a slap on the hand compared to the penalty for 2016, so, sure, feel free to try and stick it to The Man for three years. It'll be a hoot.
 
gja [TotalFark]
2014-02-04 01:13:41 PM

beakgeek: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

Yep, and people who can't spell criticizing and call the President a "messiah" are just so much better than everyone else that they don't need to hide their awesome powers of intellect from the interwebs!


Hey Mr. Grammar/spelling nazi, not everyone lives here in the USA. In the UK that spelling is completely valid.
 
2014-02-04 01:15:02 PM
Everyone knows that private industry never has security problems.
 
2014-02-04 01:15:03 PM

FormlessOne: The IRS doesn't need to chase you down - they're patient, and they keep records. The penalties are cumulative, and the penalty for 2014 is a slap on the hand compared to the penalty for 2016, so, sure, feel free to try and stick it to The Man for three years. It'll be a hoot.


I think the IRS likes to wait as long as possible to make sure you've dug a sufficiently deep hole with no hope of escape.
 
2014-02-04 01:16:24 PM
Obamacare website doesn't really have any special information it needs to keep secure.
 
2014-02-04 01:17:51 PM

Mithiwithi: YixilTesiphon: Witty_Retort: 1derful: vpb: We should contract web security out to Target because private industry is so much better.

Herr Goebbels omits the fact that there is no federal mandate to shop at Target.

1derfulNazi omits the fact that it is a private contractor building the ACA website.

Right, and there is a federal mandate to use that, which is the difference.

You always have the option of just paying the fine.

Which is better than the alternative you have of not going to the hospital when you're sick, and I guarantee there are a ton of major hospitals with similarly lax IT security.


Not here!  oh wait.

That having been said:  management drives the security posture of an organization, not IT.  Management proposes, and IT disposes.  I can tell my bosses all the wonderful things we can be doing to secure data/systems/people, and if they don't want to do it, guess what.

Fortunately, the management here has listened to MOST of my suggestions.  At some point, though, you have to accept certain risks to maintain a level of availability your clients/customers/etc are used to.

/my biggest pet peeve?  Security perimeters.  The door to the admin wing is wide open so people can just march in.  Will it cause problems?  Probably not.  Hence, it's a risk that's accepted.
//I also wouldn't mind an independent audit, tbh...
 
2014-02-04 01:19:39 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Right, and of course government only ceased to do anything right after your team was out of power.

BOOOOOOORRRRRIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIINNNNGGG.
 
2014-02-04 01:19:47 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


We don't hide, we also criticize the administration.  In those threads, we get incorrectly called "Republican" and/or "Conservative."

You're shiatting on the wrong people.  Biatch about the Democrats, not the liberals.  Liberals have plenty of beefs with this Administration.
 
2014-02-04 01:20:50 PM
Surprised that no one's pointed out that by design, HealthCare.gov doesn't store much PII beyond the minimum to set up an account. All the really sensitive stuff is stored locally on the machine and then sent directly to the insurance company.

Sure, if the machine was completely compromised, you could intercept traffic going forward. However, there isn't some central database of everyone's SSN, income, birthdates, etc. for a hacker to steal or an incompetent admin to leave on an unsecured thumb drive.
 
2014-02-04 01:24:08 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


You need to highlight people who you think are Fark Libs in a certain color, this way, you'd see that they are indeed here, and you would have avoided making a stupid comment.
 
2014-02-04 01:24:11 PM

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Maybe those same liberals are agreeing with the article, but you can't believe that's possible, so you assume we're keeping silent. Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.
 
2014-02-04 01:25:23 PM

vpb: We should contract web security out to Target because private industry is so much better.


sadly, it still is.  By a lot.
 
2014-02-04 01:26:42 PM
Take it from someone on the inside, this is what happens when you slash IT budgets (along with most others) and go lowest bidder on IT support contracts.  You get what you pay for.  Politicians will respond with more of...."We'll keep slashing your budget until you improve!"
 
2014-02-04 01:27:28 PM

vpb: We should contract web security out to Target because private industry is so much better.


WOW. FIRST MOTHER FARKING EVER LOVING POST! (Am I gonna gets a boobies for that?) My first thought at the headline was which NSA-Stasi apologist is gonna tell us privacy/data security/govt accountability/corp accountability/human decency/judicial oversight/the 4th amendment/a modicum of govt transparency/myopia for the horrific outcome of every similar program of the past etc etc etc are all passé BULLSHIAT because REASONS.

AND IT WAS DONE IN FARKING ONE!!! Congrats shiatizen. You are a credit to the cowardice we are being conditioned to accept as the new norm.
 
2014-02-04 01:27:52 PM

a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.


So all liberals see the world in shades of gray and all conservatives see it in black and white?
 
2014-02-04 01:29:34 PM

andersoncouncil42: In other words, they're up to par with the public sector.


So we can sue DHS if there is a release of personally identifiable information?
 
2014-02-04 01:29:52 PM
They keep telling us privacy is dead; I guess this is Anon's way of agreeing with them.

Anonymous Slovenia Claims FBI Hacked

The information, posted by user Black-Shadow of the Slovenian branch of the hacktivist group, purportedly contains FBI domain email addresses and passwords for 68 agents, although the user claims in his post that the collected log-in details are "not all ours".

The post also includes a short profile on FBI director James Brien Comey Jr, including sensitive information such as his date of birth, his wife's name, the date they got married, his educational history and even the geographical coordinates of his residence.

Anonymous Slovenia posted the Pastebin link on its Facebook Page, along with the comment "Laughing at your security".
 
2014-02-04 01:31:13 PM

Molavian: So all liberals see the world in shades of gray and all conservatives see it in shades of rape?


FIFM

50 shades of rape
 
2014-02-04 01:35:11 PM

a particular individual: liberals' love of nuance


Oh, wow. That's art, right there.
 
2014-02-04 01:38:13 PM
As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.
 
2014-02-04 01:39:02 PM
Your insurance company website is probably way better, so don't worry about them. Or the cable company. Or your bank. Or Apple. Or Microsoft. Or Amazon. Or Google.

None of them have ever been compromised. Ever.
 
gja [TotalFark]
2014-02-04 01:39:07 PM

lennavan: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

We don't hide, we also criticize the administration.  In those threads, we get incorrectly called "Republican" and/or "Conservative."

You're shiatting on the wrong people.  Biatch about the Democrats, not the liberals.  Liberals have plenty of beefs with this Administration.


I also eschew all the trappings and failings of identifying along party lines.
In my opinion if you choose to vote or agree to line up based on party affiliation you have already subjugated yourself and adopted a submissive and subservient posture. And that is just plain lame.

I would like to see all elections allow picking and choosing whomever you wish from whatever party and make it so that if they get elected and we end up with representatives from all over the party-line chart they have to serve together and learn to work together.

That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date.
 
2014-02-04 01:39:50 PM
My work passwords give the IT people problems. My home passwords are just as odd and here is why:
I have an old map of Wales that was printed before WWI. It has some very, very interesting spellings and some of the towns don't exist anymore. Spelling out some of the names to the IT people usually involves quite a bit more time than most seem to be willing to spend on such issues!
 
2014-02-04 01:42:09 PM
Computer, "Destruct sequence 1, code 1-1 A."
 
2014-02-04 01:43:54 PM

Shryke: a particular individual: liberals' love of nuance

Oh, wow. That's art, right there.


Yup, I thought this one was a little over the top.

And I'm a libby lib.
 
2014-02-04 01:44:39 PM

gja: That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date


Private entities hate it for those reasons also. This government/private sector debate is a strawman. IT security is hard, expensive, and mostly reactive. That last part is why it so often fails; the first two are why it's so poorly practiced.

It really comes down to how important is privacy and personal freedom, and until people are willing to have that debate, nothing will change.
 
2014-02-04 01:46:12 PM

swaxhog: ongbok:
This happens when you have a large bureaucracy, even in private companies. The people who actually know something about security and make suggestions to improve it are at the bottom of the hill, and the people at the top, or as it is in most cases, people who think they are at the top and are important, don't like to be bothered by security and think it is a burden, so many procedures don't get initiated or are ignored because people complain about them.

This so very much. Where I work, it's nearly impossible to patch servers or do any preventive maintenance because the do-nothings have created a half dozen committees that need to have their say in any change. Inevitably someone will halt the work because someone, somewhere might be affected.
Eventually, you just give up and watch it all burn. Keeping the stack of emails showing all the times work has been denied of course.


Yup.

I used to work for a large hotel company that had all of its services worldwide centralized out of NYC.

Hotels are a little different, as they never close, and maintenance CAN inflict issues on operations, but trying to come up with a maintenance window that everyone could agree on was a disaster.  What truly made it a disaster was allowing each property's front office to have a say in it.

I finally went all authoritarian, and decided the schedule and told them that was it.

/csb
 
2014-02-04 01:46:22 PM
Good thing they have a firewall in case some lunatic fire bombs the building.
 
Displayed 50 of 184 comments
