
(Washington Post)   Federal agencies including DHS have so utterly failed at network security that their networks get compromised because of uninstalled firewalls and default passwords that never get changed. That Obamacare website is safe, though, you can trust them   (washingtonpost.com)
    More: Fail, DHS, default password, Senate, Senate Homeland Security, security patches, governmental affairs committee, federal system, anti-virus software

4051 clicks; posted to Main on 04 Feb 2014 at 11:56 AM (1 year ago)



 
2014-02-04 01:48:45 PM  

jntaylor63: Well then, maybe; just MAYBE we should put more money and effort into protecting our cyber security than say:

1 - Building Tanks the Army doesn't need.

2 - Cargo planes the Air Force doesn't need.

3 - 10+ billion dollars a pop on new Aircraft Carriers.

4 - "Super; next-gen" jet-fighters that have yet to live up to their promise. (400 billion and counting)


You should read this. Then you might rethink your "we don't need". It's never a need until you needed it and didn't have it. Do we need to cut back on some spending..yep..but I'd rather have defense stuff just in case than not have it.

http://www.dailymail.co.uk/news/article-1386978/The-Japanese-mayor-laughed-building-huge-sea-wall--village-left-untouched-tsunami.html
 
2014-02-04 01:49:09 PM  

Molavian: a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.

So all liberals see the world in shades of gray and all conservatives see it in black and white?


Most liberals see the world in shades of gray and most conservatives see it in black and white.
 
2014-02-04 01:52:45 PM  

Lost Thought 00: Obamacare website doesn't really have any special information it needs to keep secure.


I was wondering about this. What information does the ACA site actually have? I would think anything really sensitive could wait until you're talking to the insurance company.
 
2014-02-04 01:53:54 PM  

gja: That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date.


I hate your politics, but your IT-philosophy chops are more than up to snuff.

Were we geographically close, I would offer to buy you a beer.
 
2014-02-04 01:55:25 PM  

I AM THE GOAT: As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.


Password requirements are 12 characters, three of four ($ymbol, CAPITAL, lowercase, Number#).  Passwords change every 45~90 days.

Of course that's only enforced by systems that are using AD / LDAP.  If a system isn't on a domain (most linux systems) or isn't online, the password policy can't be enforced.
 
2014-02-04 01:56:12 PM  

degenerate-afro: stewbert: Funding isn't our problem. It's that IT/management don't actually "require" people to do anything. More funding won't solve the lack of accountability that is rampant in govt.

You do realize that enforcement requires manpower.  Manpower requires funding.  If you don't have funding, you don't have the people.  Again, one of the first places where the government cuts corners is with IT funding.  They don't fund for enforcement.  It's easier and cheaper to get someone to write documentation than to get someone who knows how to implement a solution.  Automated solutions either cost development time or money to buy a third party solution.  Most third party solutions for enforcement require yearly funding for operation and also training on how to use it.

If you don't have the people, don't want to pay for the training, don't want to pay for the development for an alternate solution, things aren't going to get done.


Enforcement also requires intestinal fortitude. That was eliminated long before IT funding was cut around here. Money just isn't the root cause of the problems in my agency. Not sure about yours. Lack of accountability goes much farther than the IT department.
 
2014-02-04 01:56:33 PM  
It's pretty wild that anyone's security is really that lax.

Pretty much every company I've ever worked for, of at least large size, had some pretty good security measures for their network.  The least of which are, complicated passwords, requirement to change every 3 months or so, and VPN for any connection outside the office.

It seems absurd that the gov't doesn't adhere to these simple things.
 
2014-02-04 01:58:07 PM  

durbnpoisn: It seems absurd that the gov't doesn't adhere to these simple things.


In my time with the government, we adhered to all three of those.
 
2014-02-04 01:59:08 PM  

Wodan11: csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.


That's why I always answer What color is your car with something like  "Tr0uba4dor#m3"
 
2014-02-04 01:59:44 PM  

gingerjet: stewbert: IMO, the feds are doing better than states. I haven't changed my network password in years, and it isn't a strong password. I'm sure there is a policy somewhere that "requires" me to change it quarterly, and use a stronger pw, but unless/until IT forces it, no one will comply.

Forcing people to change their passwords every 90 days makes security worse because it encourages bad password habits.


Ok, honest question: Is that worse than me keeping the same pw for 5 years?
 
2014-02-04 01:59:57 PM  

verbaltoxin: This government/private sector debate is a strawman. IT security is hard, expensive, and mostly reactive. That last part is why it so often fails, the first two are why it's so poorly practiced.


You know who IS pretty good at it? The DoD.

Granted, some of their older legacy systems are mainframes and some other software was designed for IE6, but as far as policy goes (and my experience working on a DoD project involving health records run by people who knew IT. My former-Navy former boss chewed out a full-bird Colonel for trying to fark up her carefully-laid plans), they're largely on top of things.

// TBF, they've been securing computer systems since before "rap" was a thing, so they damn well better be excellent at it
 
2014-02-04 02:01:36 PM  

andersoncouncil42: In other words, they're up to par with the public sector.


This, so farking much this.

This isn't a government problem, it's system wide.  Some organizations pay to have a decent sysadmin, most do not. The corruption, nepotism and general incompetence that the government is prone to, is no worse than what you find in any large company.
 
2014-02-04 02:02:44 PM  

Molavian: a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.

So all liberals see the world in shades of gray and all conservatives see it in black and white?


Maybe.
 
2014-02-04 02:03:28 PM  

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


I'll bite. 1. If you use the word 'messiah' to describe the perception of Obama by anything more than maybe .^A% of his supporters, you are deluded beyond belief and should seek professional psychological help ASAP.
2. There's pretty rampant pissed off-ness on a lot of things under O that his biggest supporters are open about: drone policy, gitmo, NSA BS, lack of curb stomping bankers, continued lobbyist crap, wtf ACA website. BUT the perpetual conservavictim crowd ignores the real shiat and derps out on Benghazi!, arugula!, golf!, Bo!, birf certificate!, secret muslim socialist atheist!, shock that Air Force one costs money!, flag pins!, not saluting right!. And, of course "our number one priority is to make him a one term president". Ie. fark jobs and the people we represent! Petty political bs is job 1!!!!!

You jack holes squandered every ounce of legit political capital you had over, what I can only explain as mostly racist and at best hysterical garbage.

So fark your messiah BULLSHIAT. You've made fools of yourselves, damaged the nation, and squandered every opportunity to make things better. He's not our messiah. He's your antichrist. And you've acted the ass for that decision. Don't deflect it on to us.
 
2014-02-04 02:04:32 PM  

thurstonxhowell: durbnpoisn: It seems absurd that the gov't doesn't adhere to these simple things.

In my time with the government, we adhered to all three of those.


Upon further thought, there is no indication that adhering to those three rules would have stopped any of the events mentioned in the article.
 
2014-02-04 02:04:48 PM  

kalvyn: [imgs.xkcd.com image 740x601]

/oblig


I actually use a printed version of this comic to explain to customers of mine about passwords and what is good and what isn't.  I also don't have "must include numerals and punctuation and at least one capital letter" restrictions on the passwords they can use on our systems.

I do encourage them to make up something complicated, but easy to remember.  Quotations from favorite book passages are popular these days.
 
2014-02-04 02:07:24 PM  

The underlying problem, said Coburn and several outside experts, is the failure of federal agencies to hire top-notch information technology workers, pay them enough and give them enough clout to enforce routine security practices.

"It's a low-status, often low-paid, high-stress position because people only notice systems administrators when something breaks," said Steven Bellovin, a Columbia University computer science professor and former Federal Trade Commission technologist. "It becomes a very easy position to neglect."


As someone who has worked as a DoD contractor before, I would agree with this. The government contractor model for hiring IT staff creates a race to the bottom. Companies win contracts by underbidding their competitor. This puts pressure on these companies to lower their payroll expenses to protect their profit margin.

On the contract I worked on, good employees would come on to the project, and work for a while until something better opened up or they got sick of the B.S. office politics. The pay was under market for some, about right for some and outrageously high for others. But, ultimately, either because of pay or work environment, the good workers would leave and the shiatty would stick around. It's no surprise when the quality of work goes to shiat in this setup.

The govt contractor system is a huge waste of money. The workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. The Gov't actually pays the contracting company well above market rate for each position they hire. The company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.
 
2014-02-04 02:09:57 PM  

manbart: The govt contractor system is a huge waste of money. The workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. The Gov't actually pays the contracting company well above market rate for each position they hire. The company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.


Gotta keep the number of government employees low. Sure, it may cost $100,000 to hire a guy who costs his contracting agency $70,000, but that's one less government employee you need. Fewer government employees = more freedom.
 
gja
2014-02-04 02:10:27 PM  

verbaltoxin: gja: That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date

Private entities hate it for those reasons also. This government/private sector debate is a strawman. IT security is hard, expensive, and mostly reactive. That last part is why it so often fails, the first two are why it's so poorly practiced.

It really comes down to how important is privacy and personal freedom, and until people are willing to have that debate, nothing will change.


You can't see me so I will write I am nodding my head so very much in agreement. There should be NO difference between gov/priv.
Security and privacy is due all.
 
2014-02-04 02:18:20 PM  

jgilb: Molavian: a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the world in shades of gray instead of black and white as conservatives do.

So all liberals see the world in shades of gray and all conservatives see it in black and white?

Most liberals see the world in shades of gray and most conservatives see it in black and white.


I'm just surprised no one has bragged that they can also see colors.

/I can also see colors.
 
gja
2014-02-04 02:18:31 PM  

What_do_you_want_now: gja: That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date.

I hate your politics, but your IT-philosophy chops are more than up to snuff.

Were we geographically close, I would offer to buy you a beer.


LOL. That's cool. I am a shiat-stirrer, that is certain. I want to rock the boat til we all get a bath. Way overdue in my opinion.
I make my living in I.T. and have for decades.

My politics are not solidified, I give no allegiance and expect those in office to understand they owe us an honest day's work for their pay. We rarely get that out of them, so I like to remind everyone most pol's suck as far as ROI goes.
 
gja
2014-02-04 02:21:18 PM  

HindiDiscoMonster: gja: beakgeek: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

Yep, and people who can't spell criticizing and call the President a "messiah" are just so much better than everyone else that they don't need to hide their awesome powers of intellect from the interwebs!

Hey Mr. Grammar/spelling nazi, not everyone lives here in the USA. In the UK that spelling is completely valid.

maybe for a Limey like you...

/jk :P


Why you bloody li'il wanker!

/i keed, i keed
Also, born and bred NYer, lifetime at that. Do love the UK, have spent plenty of time there. Ah, the stories. Uh, on second thought let's not share those, not sure of statute of limitations on......errr....things.
 
2014-02-04 02:27:17 PM  

That Guy Jeff: Frankly I would do away with all password requirements, even for banks. Say "fine, you can use any password you want, with any characters you want, up to the size that can be hashed efficiently in our system, 128 characters or so." I would also combine that with "if your account gets broken into because your password is pathetic, we don't care. Your fault, your problem, try and be more responsible in the future, stupid." Zero liability for website users screwing up.


Why not have a system that locks you (or whomever is trying to guess your password) out for an hour after each 10 tries (something my company already does)? Or requires 10 seconds in between each try? Either way, your password can be a lot less secure and still keep hackers out.

The other problem is when hacking into a system with user X's password allows the hacker easier access to other parts of the system, of course.

Now time for the actual solution: password keepers are awesome. I just have to remember one random string of characters. All my passwords are whatever the max complexity allowed for the site is, and they are different for every site. Need to change? No problem, generate a new one, save, done. I haven't the slightest idea what any of my passwords are except the master.

I'm resisting getting a password keeper. I believe they fall into two types:

Open source: everyone can see the code. If you see a way to crack it, you can either A) fix it for no money, or B) sell it for lots of money.

Proprietary: the company has every financial motivation to conceal breaches, and none to let you know that their system has been hacked.

I have a strong belief in the role of money as a motivating force.
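The two throttling rules proposed in the post above (an hour's lockout after 10 tries, or 10 seconds between tries), as an added example that is not part of the thread. The class name, the one-attempt-per-second attacker and the account name are assumptions, and it models online guessing against the login service only.

```python
"""Per-account login throttle with the two rules from the post:
lock for an hour after 10 failed tries, and/or require 10 s between tries."""


class LoginThrottle:
    def __init__(self, max_failures=None, lockout_seconds=3600, min_interval=0):
        self.max_failures = max_failures        # None disables the lockout rule
        self.lockout_seconds = lockout_seconds
        self.min_interval = min_interval        # 0 disables the spacing rule
        self._failures = {}       # account -> consecutive failed attempts
        self._locked_until = {}   # account -> time the lockout ends
        self._last_attempt = {}   # account -> time of last accepted attempt

    def allowed(self, account, now):
        """May this account's password be checked at time `now` (seconds)?"""
        if now < self._locked_until.get(account, 0):
            return False
        last = self._last_attempt.get(account)
        if last is not None and now - last < self.min_interval:
            return False
        return True

    def record(self, account, now, success):
        """Record the outcome of an attempt that `allowed` let through."""
        self._last_attempt[account] = now
        if success:
            self._failures.pop(account, None)   # a good login clears the count
            return
        count = self._failures.get(account, 0) + 1
        if self.max_failures is not None and count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            count = 0                           # fresh budget after the lockout
        self._failures[account] = count


def guesses_per_window(throttle, window_seconds=86400, account="alice"):
    """Count wrong guesses that reach the password check in one window,
    assuming a client that tries once per second (constructed scenario)."""
    guesses = 0
    for now in range(window_seconds):
        if throttle.allowed(account, now):
            throttle.record(account, now, success=False)
            guesses += 1
    return guesses


def survives_typos(throttle, account="bob"):
    """A user who mistypes 9 times, logs in, then mistypes 9 more times
    must not be locked out, because the success resets the counter."""
    now = 0
    for _ in range(9):
        throttle.record(account, now, success=False)
        now += 1
    throttle.record(account, now, success=True)
    for _ in range(9):
        now += 1
        throttle.record(account, now, success=False)
    return throttle.allowed(account, now + 1)


if __name__ == "__main__":
    lockout = LoginThrottle(max_failures=10, lockout_seconds=3600)
    spacing = LoginThrottle(min_interval=10)
    print("lockout rule, guesses per day:", guesses_per_window(lockout))
    print("spacing rule, guesses per day:", guesses_per_window(spacing))
```

Under these assumptions the lockout rule caps a single account at 240 checked guesses a day and the 10-second rule at 8,640, which is the budget a weak password has to survive.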
 
2014-02-04 02:31:09 PM  
HindiDiscoMonster:  If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?

Disclaimer - I'm not in IT.

Supposedly, by far the most likely way your password will be stolen is by someone not actually sitting at your terminal.  So you're safer to use a ridiculously safe password and have it on a sticky on your computer screen than you are to use a really easy to guess password that you memorize.  I imagine the smartest thing to do is write down your cryptic password and keep it in your wallet or something.
 
2014-02-04 02:32:36 PM  

draypresct: Why not have a system that locks you (or whomever is trying to guess your password) out for an hour after each 10 tries (something my company already does)? Or requires 10 seconds in between each try? Either way, your password can be a lot less secure and still keep hackers out.


I might be wrong and it doesn't work the same with online access but when I was testing wifi attacks what happens is it only asks the router once if the password it's trying is good or not.  When it returns the nope not good it then attacks the reply until the reply says hey you found me and it sends it to the router to be let in.  Now again that was very basic description on how it works but you probably get the point.
 
2014-02-04 02:33:43 PM  
By the way, does anyone else hate passwords that only allow SOME !@#$% characters as much as I do?

My health insurance company won't allow "!". Thanks assholes... WTF is that crap?
 
2014-02-04 02:35:38 PM  

manbart: The underlying problem, said Coburn and several outside experts, is the failure of federal agencies to hire top-notch information technology workers, pay them enough and give them enough clout to enforce routine security practices.

"It's a low-status, often low-paid, high-stress position because people only notice systems administrators when something breaks," said Steven Bellovin, a Columbia University computer science professor and former Federal Trade Commission technologist. "It becomes a very easy position to neglect."


As someone who has worked as a DoD contractor before, I would agree with this. The government contractor model for hiring IT staff creates a race to the bottom. Companies win contracts by underbidding their competitor. This puts pressure on these companies to lower their payroll expenses to protect their profit margin.

On the contract I worked on, good employees would come on to the project, and work for a while until something better opened up or they got sick of the B.S. office politics. The pay was under market for some, about right for some and outrageously high for others. But, ultimately, either because of pay or work environment, the good workers would leave and the shiatty would stick around. It's no surprise when the quality of work goes to shiat in this setup.

The govt contractor system is a huge waste of money. The workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. The Gov't actually pays the contracting company well above market rate for each position they hire. The company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.


Not only that, you add subcontractors into the mix and it gets even worse.  The DoD ends up paying $250K to company A for a position on a contract.  A then hires company B to fill it.  After all is said and done, the advertised position is lucky to be paying $50K.

Navy contractor who works in cyber security...glad I don't deal in complex passwords anymore now that almost everything has moved to 2-factor authentication.  All I need is my CAC and my PIN, though I'm assed out if I ever leave my CAC at home.
 
2014-02-04 02:38:18 PM  
It's an interesting theory. If you don't pay for good infrastructure then it will come crashing down around your ears.

 
2014-02-04 02:38:27 PM  

That Guy Jeff: Frankly I would do away with all password requirements, even for banks. Say "fine, you can use any password you want, with any characters you want, up to the size that can be hashed efficiently in our system, 128 characters or so." I would also combine that with "if your account gets broken into because your password is pathetic, we don't care. Your fault, your problem, try and be more responsible in the future, stupid." Zero liability for website users screwing up.


You do know what will happen when a hacker makes off with all of that bank's money without needing a single password, right? Yup, it's the customers' fault; no refund for you.
 
2014-02-04 02:38:35 PM  

draypresct: That Guy Jeff: Frankly I would do away with all password requirements, even for banks. Say "fine, you can use any password you want, with any characters you want, up to the size that can be hashed efficiently in our system, 128 characters or so." I would also combine that with "if your account gets broken into because your password is pathetic, we don't care. Your fault, your problem, try and be more responsible in the future, stupid." Zero liability for website users screwing up.

Why not have a system that locks you (or whomever is trying to guess your password) out for an hour after each 10 tries (something my company already does)? Or requires 10 seconds in between each try? Either way, your password can be a lot less secure and still keep hackers out.

The other problem is when hacking into a system with user X's password allows the hacker easier access to other parts of the system, of course.

Now time for the actual solution: password keepers are awesome. I just have to remember one random string of characters. All my passwords are whatever the max complexity allowed for the site is, and they are different for every site. Need to change? No problem, generate a new one, save, done. I haven't the slightest idea what any of my passwords are except the master.

I'm resisting getting a password keeper. I believe they fall into two types:

Open source: everyone can see the code. If you see a way to crack it, you can either A) fix it for no money, or B) sell it for lots of money.

Proprietary: the company has every financial motivation to conceal breaches, and none to let you know that their system has been hacked.

I have a strong belief in the role of money as a motivating force.


Open source is the way to go. They use crypto libraries that are well checked and used in many more applications. If there's a flaw in those libraries the world's got much bigger problems than just your passwords. The whole "people can see the code" worry is a non-issue.

HindiDiscoMonster:

If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?

Depends on the application. If that password is a PIN and it's in your wallet with your ATM card, then it's crazy insecure. If it's the password to your online banking account that just shows you your transactions and you keep it on top of the stack of bank statements that show the same thing, it's every bit as secure as it needs to be.

Also depends on who your adversary is. The Syrian Electronic Army isn't going to steal your twitter account by breaking into your house. The government, however, will tear your house apart trying to find the password for your full disk encryption.
 
2014-02-04 02:38:42 PM  

lennavan: HindiDiscoMonster:  If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?

Disclaimer - I'm not in IT.

Supposedly, by far the most likely way your password will be stolen is by someone not actually sitting at your terminal.  So you're safer to use a ridiculously safe password and have it on a sticky on your computer screen than you are to use a really easy to guess password that you memorize.  I imagine the smartest thing to do is write down your cryptic password and keep it in your wallet or something.


The most likely way somebody is going to steal your password is by sending you an email claiming that they are the systems admin and that they need your username and password. Either that way or through some other social engineering technique. The actual guessing of passwords and using rainbow tables and other attacks are fast becoming surpassed by social engineering.
 
2014-02-04 02:40:30 PM  

HindiDiscoMonster: degenerate-afro: I AM THE GOAT: As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.

Password requirements are 12 characters, three of four ($ymbol, CAPITAL, lowercase, Number#).  Passwords change every 45~90 days.

Of course that's only enforced by systems that are using AD / LDAP.  If a system isn't on a domain (most linux systems) or isn't online, the password policy can't be enforced.

If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?


An example of a password that meets the 12 3/4 requirement:
Webster'sNew-CollegeDictionary
Babys1st.SippyCup

It's your fault if you want to make a password so complex that you can't remember it.

The other problem is because of how frequently they require the password to change.  Places that require a 45 day password change get people using the same password and just changing three or four things at the beginning or end to make it compliant.

For example if someone has a base password of "HappyNewYear", they'll change their password every 90 days to be:
Aug13HappyNewYear
Oct11HappyNewYear
Jan2HappyNewYear

and so on.  Active Directory doesn't check for repetition in that manner which allows people to cheat on their passwords.  Then there are the people who make complex passwords, but can't remember them so they wind up writing them down.

Then you have what I call the IT favorite passwords:

1qaz@WSX3edc
or
QWE!@#asd123

or some variation of the above.  I absolutely HATE seeing people who abuse the QWERTY keyboard to make their password by running their fingers up and down the keys.  It's not secure, it's stupid and the worst part is it's mostly IT guys who do this.
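The 12-character, three-of-four rule from the post above, extended to catch the two evasions it describes (date-stamped variants of one base password, and keyboard walks), as an added example that is not code from the thread or from Active Directory. The thresholds, the US QWERTY layout and all names are assumptions, and the reuse check assumes the old password is supplied in plaintext during the change, as in a normal change-password form.

```python
"""Password policy check: 12 characters, three of four classes, plus two
checks for the habits described in the post (assumed thresholds)."""
from difflib import SequenceMatcher

MIN_LENGTH = 12           # from the post
MIN_CLASSES = 3           # from the post: three of four character classes
WALK_MIN_RUN = 3          # assumption: 3+ neighbouring keys form a walk
WALK_MAX_FRACTION = 0.5   # assumption: reject if half the password is walks

# US QWERTY (assumption). The index within a row doubles as the column,
# which matches the slanted key columns 1-q-a-z, 2-w-s-x, 3-e-d-c.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}
_SHIFTED = dict(zip("!@#$%^&*()", "1234567890"))  # shifted digit row


def character_classes(password):
    """Number of classes present: lowercase, uppercase, digit, symbol."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def _adjacent(a, b):
    """True if two key positions are direct row or column neighbours."""
    if a is None or b is None:
        return False
    return abs(a[0] - b[0]) + abs(a[1] - b[1]) == 1


def keyboard_walk_fraction(password):
    """Fraction of characters that sit inside runs of neighbouring keys.
    Shift is ignored, so '@WSX' is treated like '2wsx'."""
    keys = [_POS.get(_SHIFTED.get(ch, ch.lower())) for ch in password]
    covered, run = 0, 1
    for i in range(1, len(keys) + 1):
        if i < len(keys) and _adjacent(keys[i - 1], keys[i]):
            run += 1
            continue
        if run >= WALK_MIN_RUN:
            covered += run
        run = 1
    return covered / len(password) if password else 0.0


def shared_base_length(new, previous):
    """Length of the longest substring common to both, ignoring case."""
    a, b = new.lower(), previous.lower()
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    return matcher.find_longest_match(0, len(a), 0, len(b)).size


def check_password(new, previous=None):
    """Return a list of violation codes; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if character_classes(new) < MIN_CLASSES:
        problems.append("too_few_classes")
    if keyboard_walk_fraction(new) >= WALK_MAX_FRACTION:
        problems.append("keyboard_walk")
    if previous:
        shared = shared_base_length(new, previous)
        # Same base with a changed prefix or suffix: more than half of the
        # shorter password is carried over unchanged.
        if shared * 2 >= min(len(new), len(previous)):
            problems.append("reuses_previous")
    return problems


if __name__ == "__main__":
    # Passwords quoted in the post, used here as sample input.
    samples = [
        ("Babys1st.SippyCup", None),
        ("Oct11HappyNewYear", "Aug13HappyNewYear"),
        ("1qaz@WSX3edc", None),
        ("QWE!@#asd123", None),
    ]
    for new, old in samples:
        print(new, "->", check_password(new, old) or "accepted")
```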
 
2014-02-04 02:41:01 PM  

Gone to Plaid: Not only that, you add subcontractors into the mix and it gets even worse. The DoD ends up paying $250K to company A for a position on a contract. A then hires company B to fill it. After all is said and done, the advertised position is lucky to be paying $50K.

Navy contractor who works in cyber security...glad I don't deal in complex passwords anymore now that almost everything has moved to 2-factor authentication. All I need is my CAC and my PIN, though I'm assed out if I ever leave my CAC at home.


You have a detachable penis? Never had that problem.
 
2014-02-04 02:46:55 PM  
manbart: The govt contractor system is a huge waste of money. The workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. The Gov't actually pays the contracting company well above market rate for each position they hire. The company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.
 
2014-02-04 02:47:49 PM  

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


0/10
Very poor.
 
2014-02-04 02:49:20 PM  

ongbok: Gone to Plaid: Not only that, you add subcontractors into the mix and it gets even worse. The DoD ends up paying $250K to company A for a position on a contract. A then hires company B to fill it. After all is said and done, the advertised position is lucky to be paying $50K.

Navy contractor who works in cyber security...glad I don't deal in complex passwords anymore now that almost everything has moved to 2-factor authentication. All I need is my CAC and my PIN, though I'm assed out if I ever leave my CAC at home.

You have a detachable penis? Never had that problem.


I almost busted out laughing during my introductory security seminar for working on the base. Hearing a former military (federal civilian employee) security officer sternly say  "insert the CAC into the slot to gain access!" was too much. That could have been awkward, but I contained myself. Many jokes were made among the IT staff about inserting or displaying the CAC.
 
2014-02-04 02:50:43 PM  

irate vegetable: manbart: The govt contractor system is a huge waste of money. The workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. The Gov't actually pays the contracting company well above market rate for each position they hire. The company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.


Where do I apply?
 
2014-02-04 02:51:28 PM  

degenerate-afro: HindiDiscoMonster: degenerate-afro: I AM THE GOAT: As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.

Password requirements are 12 characters, three of four ($ymbol, CAPITAL, lowercase, Number#).  Passwords change every 45~90 days.

Of course that's only enforced by systems that are using AD / LDAP.  If a system isn't on a domain (most Linux systems) or isn't online, the password policy can't be enforced.

If a password is so cryptic that it must be written down to be remembered (remember, not everyone has eidetic memory like you), then how secure is that password?

An example of a password that meets the 12 3/4 requirement:
Webster'sNew-CollegeDictionary
Babys1st.SippyCup

It's your fault if you want to make a password so complex that you can't remember it.

The other problem is because of how frequently they require the password to change.  Places that require a 45 day password change get people using the same password and just changing three or four things at the beginning or end to make it compliant.

For example if someone has a base password of "HappyNewYear", they'll change their password every 90 days to be:
Aug13HappyNewYear
Oct11HappyNewYear
Jan2HappyNewYear

and so on.  Active Directory doesn't check for repetition in that manner which allows people to cheat on their passwords.  Then there are the people who make complex passwords, but can't remember them so they wind up writing them down.

Then you have what I call the IT favorite passwords:

1qaz@WSX3edc
or
QWE!@#asd123

or some variation of the above.  I absolutely HATE seeing people who abuse the QWERTY keyboard to make their password by running their fingers up and down the keys.  It's not secure, it's stupid and the worst part is it's mostly IT guys who do this.


Gotta admit, I was guilty as all hell of doing this when I was a server admin.  Not so much when shifting to information assurance.  I don't think anyone mentioned it, but the DoD policy is 15 character minimum, 2 upper, 2 lower, 2 special, 2 numbers.  Max password attempt is 3 within an hour.  If you exceed that then your account is locked out for good and you have to call the help desk to get it unlocked.
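The two weaknesses described in the comment above (a rotated prefix on an unchanged base word, and keyboard-walk passwords that still satisfy the "12 characters, three of four classes" rule) can both be caught at password-change time. The following is an added example, not part of any post in this thread: the function names and the two thresholds are assumptions, and the old/new comparison assumes the change form collects the current password in plaintext, since stored hashes cannot be compared for similarity.

```python
import string
from difflib import SequenceMatcher

# Policy numbers as quoted in the comment above: 12 characters, 3 of 4 classes.
MIN_LENGTH, MIN_CLASSES = 12, 3
# Assumed thresholds for this example, not taken from any real policy.
MAX_SHARED_RUN, MAX_WALK_FRACTION = 6, 0.5

# US QWERTY rows and columns; shifted digits are folded back to digits.
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")
LINES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
         "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol"]
WALKS = {s[i:i + 3] for line in LINES for s in (line, line[::-1])
         for i in range(len(s) - 2)}

def class_count(pw):
    """Number of character classes (lower, upper, digit, symbol) present."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)

def walk_fraction(pw):
    """Fraction of characters that sit inside a 3-key row or column walk."""
    norm = pw.translate(UNSHIFT).lower()
    covered = set()
    for i in range(len(norm) - 2):
        if norm[i:i + 3] in WALKS:
            covered.update(range(i, i + 3))
    return len(covered) / len(norm) if norm else 0.0

def shared_run(old, new):
    """Length of the longest substring the two passwords share (case-folded)."""
    a, b = old.lower(), new.lower()
    return SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b)).size

def check_change(old, new):
    """Return the reasons a password change should be rejected (empty = accept)."""
    reasons = []
    if len(new) < MIN_LENGTH or class_count(new) < MIN_CLASSES:
        reasons.append("policy")
    if walk_fraction(new) > MAX_WALK_FRACTION:
        reasons.append("keyboard-walk")
    if shared_run(old, new) > MAX_SHARED_RUN:
        reasons.append("reuses-old-base")
    return reasons
```

Every sample password from the comment passes the length and class rule on its own; only the walk and shared-base checks separate the weak ones from the dictionary-phrase examples.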
 
2014-02-04 02:56:04 PM  

irate vegetable: manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.


Some of the govies were okay at performing technical tasks (from what I saw anyway, we weren't allowed to work directly with them). Some of their work looked sloppy, but that is true at any organization.

They stick around forever though. Turnover was very high among contractors, but all of the government employees I worked with had been at the base forever. That was an asset at times though, institutional knowledge and all (i.e. where to find some documentation about existing infrastructure if it exists, and what may be important to know that doesn't show up in the available documentation)
 
2014-02-04 02:59:15 PM  

ongbok: Gone to Plaid: Not only that, you add subcontractors into the mix and it gets even worse. The DoD ends up paying $250K to company A for a position on a contract. A then hires company B to fill it. After all is said and done, the advertised position is lucky to be paying $50K.

Navy contractor who works in cyber security...glad I don't deal in complex passwords anymore now that almost everything has moved to 2-factor authentication. All I need is my CAC and my PIN, though I'm assed out if I ever leave my CAC at home.

You have a detachable penis? Never had that problem.


CAC/cock-based humor is as common in government offices as required postings informing us that today is National Check Your Leave Balance Day.
 
2014-02-04 03:00:43 PM  

irate vegetable: manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.


It's definitely a mixed bag and all depends on what agency/branch of military you work for and if you are CONUS or over seas.  I've seen contractors that are glorified seat warmers riding out a contract, and I've seen them with more expertise on a subject than all of the gov't civilians combined.
 
2014-02-04 03:18:12 PM  

SlothB77: vpb: We should contract web security out to Target because private industry is so much better.

sadly, it still is.  By a lot.


Good thing it is a private industry handling healthcare.gov.
 
2014-02-04 03:20:14 PM  

manbart: irate vegetable: manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years experience) can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.

Some of the govies were okay at performing technical tasks (from what I saw anyway, we weren't allowed to work directly with them). Some of their work looked sloppy, but that is true at any organization.

They stick around forever though. Turnover was very high among contractors, but all of the government employees I worked with had been at the base forever. That was an asset at times though, institutional knowledge and all (i.e. where to find some documentation about existing infrastructure if it exists, and what may be important to know that doesn't show up in the available documentation)


As far as I've experienced, contractors tend to have a pretty high turnover rate for just about any field. I've been doing contract work for the last year or so, and I'm paid way more than my corporate/govt counterpart would make, even including benefits. They brought me in to start and complete a project (and sometimes train a replacement) within a short time span. It's nothing compared to what my last company charged per hour for my work (3x what I make now).
 
2014-02-04 03:20:39 PM  

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


HAhahahahaha! Oh, wait. You're serious? Let me laugh even HARDER

BWAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH!HA-HAH!
 
2014-02-04 03:21:14 PM  

Serious Post on Serious Thread: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

I'll bite. 1. If you use the word 'messiah' to describe the perception of Obama by anything more than maybe .^A% of his supporters, you are deluded beyond belief and should seek professional psychological help ASAP.
2. There's pretty rampant pissed off-ness on a lot of things under O that his biggest supporters are open about: drone policy, gitmo, NSA BS, lack of curb stomping bankers, continued lobbyist crap, wtf ACA website. BUT the perpetual conservavictim crowd ignores the real shiat and derps out on Benghazi!, arugula!, golf!, Bo!, birf certificate!, secret muslim socialist atheist!, shock that Air Force one costs money!, flag pins!, not saluting right!. And, of course "our number one priority is to make him a one term president". Ie. fark jobs and the people we represent! Petty political bs is job 1!!!!!

You jack holes squandered every ounce of legit political capital you had over, what I can only explain as mostly racist and at best hysterical garbage.

So fark your messiah BULLSHIAT. You've made fools of yourselves, damaged the nation, and squandered every opportunity to make things better. He's not our messiah. He's your antichrist. And you've acted the ass for that decision. Don't deflect it on to us.


Your newsletter...how do I subscribe?
 
2014-02-04 03:22:46 PM  

FormlessOne: YixilTesiphon: Mithiwithi: You always have the option of just paying the fine.

And if I don't pay the fine?

It's not like you'll have a choice - it's a "tax penalty", applied by the IRS when you file your taxes. You can either skip filing your taxes or try to take the IRS to court over it, but it's not like you can say, "well, I'm just not paying it."


Even if the IRS could take collection actions on the ACA penalty - and I have no doubt they will be given that power eventually - you will still have the choice of not paying it, at which point the IRS will attach tax liens and all the other things the IRS does about uncollected taxes.

But, and this is my point, that is still an available  choice.  And still a better result for you than the alternative to going to the hospital when you're sick, which is to stay at home and die.  (Let's recall, this is a hypothetical hospital with shiatty IT policies that leaks your personal data like a sieve due to poor password policies.  And it may be the only hospital in town.)
 
2014-02-04 03:23:10 PM  
The_Celt


Maybe he's a really good IT guy, and he honeypotted you and is now using you as a proxy for his porn ring and stolen credit card numbers....?
 
2014-02-04 03:27:46 PM  

Clemkadidlefark: Remember .. you voted this assembly of asshats


Did we? I remember dead people voting, and corporations voting with their dollars, and politicians voting for each other with ballot box stuffing... OH! and Electronic machines changing our votes for us to help us out, but really, I'm not sure we, the people, voted for anyone at all...
 
2014-02-04 03:34:28 PM  

tlars699: Clemkadidlefark: Remember .. you voted this assembly of asshats

Did we? I remember dead people voting, and corporations voting with their dollars, and politicians voting for each other with ballot box stuffing... OH! and Electronic machines changing our votes for us to help us out, but really, I'm not sure we, the people, voted for anyone at all...


Are you sure you remember all of that and didn't just make it up?
 
2014-02-04 04:04:21 PM  

tripleseven: Serious Post on Serious Thread: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

I'll bite. 1. If you use the word 'messiah' to describe the perception of Obama by anything more than maybe .^A% of his supporters, you are deluded beyond belief and should seek professional psychological help ASAP.
2. There's pretty rampant pissed off-ness on a lot of things under O that his biggest supporters are open about: drone policy, gitmo, NSA BS, lack of curb stomping bankers, continued lobbyist crap, wtf ACA website. BUT the perpetual conservavictim crowd ignores the real shiat and derps out on Benghazi!, arugula!, golf!, Bo!, birf certificate!, secret muslim socialist atheist!, shock that Air Force one costs money!, flag pins!, not saluting right!. And, of course "our number one priority is to make him a one term president". Ie. fark jobs and the people we represent! Petty political bs is job 1!!!!!

You jack holes squandered every ounce of legit political capital you had over, what I can only explain as mostly racist and at best hysterical garbage.

So fark your messiah BULLSHIAT. You've made fools of yourselves, damaged the nation, and squandered every opportunity to make things better. He's not our messiah. He's your antichrist. And you've acted the ass for that decision. Don't deflect it on to us.

Your newsletter...how do I subscribe?


I don't know man. I'm ranty about this yes, but I don't think I'm tin foil hatty.

I'm all libby and shiat, but I'm pretty neutral that O is a mixed bag for the farther left progressives. So when I hear the 'messiah/Birther/secret muslim' crazy from the delusional right, I gotta think they're just batshiat with either racist or at least psychotic undertones. Which saddens me cause a legit critique on the opposition is useful. But weapons grade derp is just a sad distraction.

Oh, and what's a 'newsletter'? Is it like an old timey blog or something?
 


This thread is archived, and closed to new comments.
