
(Washington Post) Federal agencies including DHS have so utterly failed at network security that their networks get compromised because of uninstalled firewalls and default passwords that never get changed. That Obamacare website is safe, though, you can trust them (washingtonpost.com)

4009 clicks; posted to Main » on 04 Feb 2014 at 11:56 AM (32 weeks ago)



Voting Results (Smartest)

vpb [TotalFark]
2014-02-04 10:36:33 AM
12 votes:
We should contract web security out to Target because private industry is so much better.
2014-02-04 12:06:16 PM
6 votes:
Well then, maybe; just MAYBE we should put more money and effort into protecting our cyber security than say:

1 - Building Tanks the Army doesn't need.

2 - Cargo planes the Air Force doesn't need.

3 - 10+ billion dollars a pop on new Aircraft Carriers.

4 - "Super; next-gen" jet-fighters that have yet to live up to their promise. (400 billion and counting)
2014-02-04 12:11:25 PM
4 votes:
imgs.xkcd.com

/oblig
2014-02-04 12:19:49 PM
3 votes:

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Just FYI, most of the "security" problems on government computers are due to lack of funding of IT departments.  No one wants to pay for IT until there's a problem.  When you have one or two people trying to manage 500 computers, there are bound to be times when they miss a few things.  So if you want IT security to improve, tell congress to get off of their duffs and increase funding for IT and security efforts.

Of course congress won't increase funding for anything because it will just go to waste in their opinion.  So you get situations like these where agencies have been cutting corners for years to ensure that their core functions are running while the fringe functions (system administration, hardware and software upgrades, etc) get ignored.
2014-02-04 01:59:57 PM
2 votes:

verbaltoxin: This government/private sector debate is a strawman. IT security is hard, expensive, and mostly reactive. That last part is why it so often fails, the first two are why it's so poorly practiced.


You know who IS pretty good at it? The DoD.

Granted, some of their older legacy systems are mainframes and some other software was designed for IE6, but as far as policy goes (and my experience working on a DoD project involving health records run by people who knew IT. My former-Navy former boss chewed out a full-bird Colonel for trying to fark up her carefully-laid plans), they're largely on top of things.

// TBF, they've been securing computer systems since before "rap" was a thing, so they damn well better be excellent at it
2014-02-04 01:46:12 PM
2 votes:

swaxhog: ongbok:
This happens when you have a large bureaucracy, even in private companies. The people who actually know something about security and make suggestions to improve it are at the bottom of the hill, and the people at the top, or as it is in most cases, people who think they are at the top and are important, don't like to be bothered by security and think it is a burden, so many procedures don't get initiated or are ignored because people complain about them.

This so very much. Where I work, it's nearly impossible to patch servers or do any preventive maintenance because the do-nothings have created a half dozen committees that need to have their say in any change. Inevitably someone will halt the work because someone, somewhere might be affected.
Eventually, you just give up and watch it all burn. Keeping the stack of emails showing all the times work has been denied of course.


Yup.

I used to work for a large hotel company that had all of its services worldwide centralized out of NYC.

Hotels are a little different, as they never close, and maintenance CAN inflict issues on operations, but trying to come up with a maintenance window that everyone could agree on was a disaster.  What truly made it a disaster was allowing each property's front office to have a say in it.

I finally went all authoritarian, and decided the schedule and told them that was it.

\csb
2014-02-04 01:19:47 PM
2 votes:

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


We don't hide, we also criticize the administration.  In those threads, we get incorrectly called "Republican" and/or "Conservative."

You're shiatting on the wrong people.  Biatch about the Democrats, not the liberals.  Liberals have plenty of beefs with this Administration.
2014-02-04 12:44:37 PM
2 votes:
ongbok:
This happens when you have a large bureaucracy, even in private companies. The people who actually know something about security and make suggestions to improve it are at the bottom of the hill, and the people at the top, or as it is in most cases, people who think they are at the top and are important, don't like to be bothered by security and think it is a burden, so many procedures don't get initiated or are ignored because people complain about them.

This so very much. Where I work, it's nearly impossible to patch servers or do any preventive maintenance because the do-nothings have created a half dozen committees that need to have their say in any change. Inevitably someone will halt the work because someone, somewhere might be affected.
Eventually, you just give up and watch it all burn. Keeping the stack of emails showing all the times work has been denied of course.
2014-02-04 12:36:45 PM
2 votes:

Wodan11: csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.


The whole secret question/answer thing should be scrapped because of the rise of social media.
2014-02-04 12:29:59 PM
2 votes:
csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.
2014-02-04 12:28:42 PM
2 votes:

YixilTesiphon: mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.

I think that's his point, not so much that Obama or Democrats can't be trusted as that the government should have limited powers because it cannot be trusted regardless of who's in charge.


This happens when you have a large bureaucracy, even in private companies. The people who actually know something about security and make suggestions to improve it are at the bottom of the hill, and the people at the top, or as it is in most cases, people who think they are at the top and are important, don't like to be bothered by security and think it is a burden, so many procedures don't get initiated or are ignored because people complain about them.
2014-02-04 12:28:35 PM
2 votes:
Is the politics tab full, and we're having to shunt the excess dreck to the Main Page?
2014-02-04 12:24:28 PM
2 votes:

the_celt: My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.


Not that it's an excuse, but because we work in IT we have to remember a ton of passwords.  But yes, even still you'd think he'd know better.
2014-02-04 12:17:31 PM
2 votes:

mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.


I think that's his point, not so much that Obama or Democrats can't be trusted as that the government should have limited powers because it cannot be trusted regardless of who's in charge.
2014-02-04 12:05:03 PM
2 votes:

vpb: We should contract web security out to Target because private industry is so much better.


You never have to enter a Target in your life if you don't want to. It's a little different than DHS.

I'm surprised that the story about part of Healthcare.gov being written in Belarus hasn't shown up yet.
2014-02-04 11:10:42 AM
2 votes:
Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.
2014-02-04 10:47:29 AM
2 votes:

vpb: We should contract web security out to Target because private industry is so much better.


Who do you think DHS has been using?
2014-02-04 05:06:27 PM
1 votes:
This doesn't surprise me in the least.

I do a bit of work in governmental IT security. It's laughable sometimes. The best things are issues like only being allowed CESG approved software/firmware versions of firewalls, but because the certification takes so long, by the time a particular version is approved, not only has it been superseded, sometimes it actually has security issues, but you can't upgrade because the version that fixes the issue isn't CESG approved yet.

So you either follow the rules and use an approved version which has issues, or you have to break policy in order to secure a system properly.

Don't even get me started on the bureaucrats who apparently know better than the consultant they hired in security matters simply because they read a basic pen test report.

"this device is open to the entire Internet on ports 80 and 443, fix it"

What? You mean your webserver/load balancer/reverse proxy? How exactly should I go about fixing this situation?

"You're the expert, you fix it"

*sigh*

/also management of devices over telnet
//so much telnet :-(
2014-02-04 05:00:16 PM
1 votes:
I'm sure this has already been covered, but I've found that vendors are the biggest threat.  One place I worked for did web portals for a lot of major companies, with all of the user creds going through one database.  They made users sign up using their personal email addresses, and ALL of their passwords were in plaintext in the database (that anyone working there could access). So they had your email/plaintext passwords.  I've done pen-testing for some other vendors who are even worse. Something else I've noticed is that people don't care if you can grab a copy of their database, but if you can login to their Facebook account, that's when they take security seriously.
2014-02-04 03:00:43 PM
1 votes:

irate vegetable: manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years' experience), can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.


It's definitely a mixed bag and all depends on what agency/branch of military you work for and if you are CONUS or overseas.  I've seen contractors that are glorified seat warmers riding out a contract, and I've seen them with more expertise on a subject than all of the gov't civilians combined.
2014-02-04 02:46:55 PM
1 votes:
manbart: The govt contractor system is a huge waste of money. the workers are underpaid, the quality of work is poor and useless contracting companies exist as a parasite sucking taxpayer funds off the top of all this as their profit margin. the Gov't actually pays the contracting company well above market rate for each position they hire. the company then hires employees for less and keeps the difference. And this is how the system is supposed to work! It baffles my mind that people favor this arrangement.

As someone who currently works as a DoD contractor, it depends.  Our government civilians are actually terrible, can't do their entry level jobs (despite between 5 to 15 years' experience), can't follow simple instructions, and can't be fired for things that would have a contractor shown the door.
2014-02-04 02:38:27 PM
1 votes:

That Guy Jeff: Frankly I would do away with all password requirements, even for banks. Say "fine, you can use any password you want, with any characters you want, up to the size that can be hashed efficiently in our system, 128 characters or so." I would also combine that with "if your account gets broken into because your password is pathetic, we don't care. Your fault, your problem, try and be more responsible in the future, stupid." Zero liability for website users screwing up.


You do know what will happen when a hacker makes off with all of that bank's money without needing a single password, right? Yup, it's the customers' fault; no refund for you.
2014-02-04 02:04:48 PM
1 votes:

kalvyn: [imgs.xkcd.com image 740x601]

/oblig


I actually use a printed version of this comic to explain to customers of mine about passwords and what is good and what isn't.  I also don't have "must include numerals and punctuation and at least one capital letter" restrictions on the passwords they can use on our systems.

I do encourage them to make up something complicated, but easy to remember.  Quotations from favorite book passages are popular these days.
2014-02-04 02:03:28 PM
1 votes:

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


I'll bite. 1. If you use the word 'messiah' to describe the perception of Obama by anything more than maybe .^A% of his supporters, you are deluded beyond belief and should seek professional psychological help ASAP.
2. There's pretty rampant pissed off-ness on a lot of things under O that his biggest supporters are open about: drone policy, gitmo, NSA BS, lack of curb stomping bankers, continued lobbyist crap, wtf ACA website. BUT the perpetual conservavictim crowd ignores the real shiat and derps out on Benghazi!, arugula!, golf!, Bo!, birf certificate!, secret muslim socialist atheist!, shock that Air Force One costs money!, flag pins!, not saluting right!. And, of course "our number one priority is to make him a one term president". I.e. fark jobs and the people we represent! Petty political bs is job 1!!!!!

You jack holes squandered every ounce of legit political capital you had over, what I can only explain as mostly racist and at best hysterical garbage.

So fark your messiah BULLSHIAT. You've made fools of yourselves, damaged the nation, and squandered every opportunity to make things better. He's not our messiah. He's your antichrist. And you've acted the ass for that decision. Don't deflect it on to us.
2014-02-04 02:01:36 PM
1 votes:

andersoncouncil42: In other words, they're up to par with the public sector.


This, so farking much this.

This isn't a government problem, it's system wide.  Some organizations pay to have a decent sysadmin, most do not. The corruption, nepotism and general incompetence that the government is prone to, is no worse than what you find in any large company.
2014-02-04 01:59:08 PM
1 votes:

Wodan11: csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.


That's why I always answer "What color is your car" with something like "Tr0uba4dor#m3"
2014-02-04 01:49:09 PM
1 votes:

Molavian: a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the worlds in shades of gray instead of black and white as conservatives do.

So all liberals see the world in shades of gray and all conservatives see it in black and white?


Most liberals see the world in shades of gray and most conservatives see it in black and white.
2014-02-04 01:39:50 PM
1 votes:
My work passwords give the IT people problems. My home passwords are just as odd and here is why:
I have an old map of Wales that was printed before WWI. It has some very, very interesting spellings and some of the towns don't exist anymore. Spelling out some of the names to the IT people usually involves quite a bit more time than most seem to be willing to spend on such issues!
gja [TotalFark]
2014-02-04 01:39:07 PM
1 votes:

lennavan: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

We don't hide, we also criticize the administration.  In those threads, we get incorrectly called "Republican" and/or "Conservative."

You're shiatting on the wrong people.  Biatch about the Democrats, not the liberals.  Liberals have plenty of beefs with this Administration.


I also eschew all the trappings and failings of identifying along party lines.
In my opinion if you choose to vote or agree to line up based on party affiliation you have already subjugated yourself and adopted a submissive and subservient posture. And that is just plain lame.

I would like to see all elections allow picking and choosing whomever you wish from whatever party and make it so that if they get elected and we end up with representatives from all over the party-line chart they have to serve together and learn to work together.

That said, I.T. wise, security is never a goal nor is it a task to be completed. It is a methodology and discipline.
And that requires a constant relearning and redoing of things. Exactly the type of work government does not like because of the ongoing costs and not having a neat and tidy end date.
2014-02-04 01:38:13 PM
1 votes:
As someone who works on gov computer systems, I'm not even sure how they allow 'password' to work.  My passwords have to be so damn cryptic I seem to forget them at least a couple times a year.
2014-02-04 01:31:13 PM
1 votes:

Molavian: So all liberals see the world in shades of gray and all conservatives see it in shades of rape?


FIFM

50 shades of rape
2014-02-04 01:29:52 PM
1 votes:
They keep telling us privacy is dead. I guess this is Anon's way of agreeing with them.

Anonymous Slovenia Claims FBI Hacked

The information, posted by user Black-Shadow of the Slovenian branch of the hacktivist group, purportedly contains FBI domain email addresses and passwords for 68 agents, although the user claims in his post that the collected log-in details are "not all ours".

The post also includes a short profile on FBI director James Brien Comey Jr, including sensitive information such as his date of birth, his wife's name, the date they got married, his educational history and even the geographical coordinates of his residence.

Anonymous Slovenia posted the Pastebin link on its Facebook Page, along with the comment "Laughing at your security".
2014-02-04 01:27:52 PM
1 votes:

a particular individual: Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the worlds in shades of gray instead of black and white as conservatives do.


So all liberals see the world in shades of gray and all conservatives see it in black and white?
2014-02-04 01:27:28 PM
1 votes:

vpb: We should contract web security out to Target because private industry is so much better.


WOW. FIRST MOTHER FARKING EVER LOVING POST! (Am I gonna gets a boobies for that?) My first thought at the headline was which NSA-Stazi apologist is gonna tell us privacy/data security/govt accountability/ corp accountability/ human decency/judicial oversight/the 4th amendment / a modicum of govt transparency/myopia for the horrific outcome of every similar program of the past etc etc etc are all passé BULLSHIAT because REASONS.

AND IT WAS DONE IN FARKING ONE!!! Congrats shiatizen. You are a credit to the cowardice we are being conditioned to accept as the new norm.
2014-02-04 01:26:42 PM
1 votes:
Take it from someone on the inside, this is what happens when you slash IT budgets (along with most others) and go lowest bidder on IT support contracts.  You get what you pay for.  Politicians will respond with more of...."We'll keep slashing your budget until you improve!"
2014-02-04 01:24:11 PM
1 votes:

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


Maybe those same liberals are agreeing with the article, but you can't believe that's possible, so you assume we're keeping silent. Anyone who really believes liberals revere Obama as the Messiah is incapable of handling the reality of liberals' love of nuance and our ability to see the worlds in shades of gray instead of black and white as conservatives do.
2014-02-04 01:24:08 PM
1 votes:

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


You need to highlight people who you think are Fark Libs in a certain color, this way, you'd see that they are indeed here, and you would have avoided making a stupid comment.
2014-02-04 01:20:50 PM
1 votes:
Surprised that no one's pointed out that by design, HealthCare.gov doesn't store much PII beyond the minimum to set up an account. All the really sensitive stuff is stored locally on the machine and then sent directly to the insurance company.

Sure, if the machine was completely compromised, you could intercept traffic going forward. However, there isn't some central database of everyone's SSN, income, birthdates, etc for a hacker to steal or incompetent admin to leave on an unsecured thumb drive.
2014-02-04 01:16:24 PM
1 votes:
Obamacare website doesn't really have any special information it needs to keep secure.
2014-02-04 01:15:03 PM
1 votes:

FormlessOne: The IRS doesn't need to chase you down - they're patient, and they keep records. The penalties are cumulative, and the penalty for 2014 is a slap on the hand compared to the penalty for 2016, so, sure, feel free to try and stick it to The Man for three years. It'll be a hoot.


I think the IRS likes to wait as long as possible to make sure you've dug a sufficiently deep hole with no hope of escape.
2014-02-04 01:06:39 PM
1 votes:

the_celt: My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.


Maybe he doesn't care.  If you aren't file sharing or have computers on all the time then who cares?  My home internet is used for Netflix, Xbox, and basic internet every few days on the laptop.  If you aren't file sharing I don't see much of a reason to care since most people aren't doing sophisticated attacks to steal your CC info, they just want free internet.
2014-02-04 01:02:40 PM
1 votes:

Devil's Playground: redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.

Correct Horse Battery Staple


Yeah, and then some policy-driven noob will want complex characters and it turns into C0rr3ct!h0R53*&B$TT3r7?5TaPl3@ and then the end user will use P@ssword1 because it meets the minimum policy requirements.
2014-02-04 01:00:11 PM
1 votes:
Do I have to remind everyone again?  Prime Directive:  Do NOT respond to anyone who refers to Obama as the "messiah" of the left.

0/10
lazy troll
2014-02-04 12:52:22 PM
1 votes:

stewbert: IMO, the feds are doing better than states. I haven't changed my network password in years, and it isn't a strong password. I'm sure there is a policy somewhere that "requires" me to change it quarterly, and use a stronger pw, but unless/until IT forces it, no one will comply.


Forcing people to change their passwords every 90 days makes security worse because it encourages bad password habits.
2014-02-04 12:46:55 PM
1 votes:

Glendale: Wodan11: csb: I have an account on a site designed and run by one of the largest gov't contractors, for the purpose of doing government work.  It has a pw policy that it enforces, which is pretty good.

HOWEVER, click the "forgot password" link and you get your choice of 1 of 3 questions.  For example: What's the name of your pet? What color is your car? etc.  Stuff that you can easily find out on someone's social media pages.

The whole secret question/answer thing should be scrapped because of the rise of social media.


Seriously, that sort of thing is one of the easiest attack vectors. When I was taking a computer security course in college, one of the first things the professor told us was to avoid using these if at all possible; he would literally type gibberish in for the answers if he was required to use them. Sure, he can't recover his password if he forgets it, but no one else can recover it either, and that's the far more important consideration.
2014-02-04 12:46:55 PM
1 votes:

redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed to be changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.


Correct Horse Battery Staple
2014-02-04 12:45:14 PM
1 votes:

Cold_Sassy: Why does this not surprise me?  Thank God I have private insurance.



Governments let your info slip for free, private companies sell it to the highest bidder.

poo-tay-toe, po-tat-oh
2014-02-04 12:39:50 PM
1 votes:
As someone who was InfoSec for years, in a corporation that made the news for a breach a while back, I can tell you this:  Nobody gives a shiat about system security.

It's difficult, a pain in the neck, inconvenient, and often not built in to projects from the start as it should be.  You can work your ass off to lock things down but all it takes is a whiny ass developer combined with a clueless manager and they tell their VP "Security is keeping us from doing our jobs."  Then there's a VP fight and it always trickles down to "give them access, the big boss is wondering what the problem is."

Then you get a breach.  An "in the news" breach where published stories full of "facts" are rarely even remotely accurate and EVERYBODY JUMPS ON THE SECURITY BANDWAGON.  The same clueless people start implementing utterly worthless security policies and procedures for a few months then go back to their usual ways.

Example of a worthless new security policy:

When a customer wants all of their account's passwords changed, they will fax in a list of user IDs and new passwords.  Someone will pick up the fax (literally, someone.  Employee, contractor, temp) and put it in a bin.  From there an employee will pick it up and change the passwords.  They will then make a copy of the list and put one copy in the account file (that almost anyone could grab) and the other copy in the "password changes file."  Again, most anyone could grab that file.  No logging, no direct responsibility.  Oh, and users were not forced to change their password upon logging in.  People met for two months to create that policy/procedure and didn't invite InfoSec to a single meeting.  We found out the day before implementation when one of the clods called us to get help with some InfoSec wording.  We were like "You're doing what?  That's funny, what do you really want?  Wait, you're serious?  No, hell no, you can't do that."

That was 10 years ago, thankfully things are a lot better from a security perspective.

I no longer am a member of InfoSec but suffer through their "implementation of a new product/client/monitoring app without any operational responsibility" from the current guys.
2014-02-04 12:38:55 PM
1 votes:
taxandspend:
That's basically what it says at the bottom of the article: "Still, Washington has been slow to act. A 2000 law to improve government cybersecurity did not mandate consequences for agency lapses. In recent years, numerous bills calling for better computer and network security have languished in Congress. The White House, meanwhile, is pushing to give the Department of Homeland Security more authority to enforce cybersecurity rules across government."

I do like the guy who has to preface that he is a taxpayer as if his outrage over security lapses would be unjustified if he wasn't.


That is the main problem.  Originally, there was the threat that if an agency didn't pass an IT security audit, its budget would be impacted.  Large agencies like DHS, FBI, IRS, etc. called that bluff - a media piece about how DHS can't protect you against terrorists because some IT weenie didn't like their password policy was all that would be needed.  And no, the current admin will not make significant changes in that mentality unless it means dealing with insider threats.  That will be addressed.
2014-02-04 12:36:26 PM
1 votes:

stewbert: Funding isn't our problem. It's that IT/management don't actually "require" people to do anything. More funding won't solve the lack of accountability that is rampant in govt.


You do realize that enforcement requires manpower.  Manpower requires funding.  If you don't have funding, you don't have the people.  Again, one of the first places where the government cuts corners is with IT funding.  They don't fund for enforcement.  It's easier and cheaper to get someone to write documentation than to get someone who knows how to implement a solution.  Automated solutions either cost development time or money to buy a third party solution.  Most third party solutions for enforcement require yearly funding for operation and also training on how to use it.

If you don't have the people, don't want to pay for the training, don't want to pay for the development for an alternate solution, things aren't going to get done.
2014-02-04 12:35:03 PM
1 votes:
In other words, they're up to par with the public sector.
2014-02-04 12:35:00 PM
1 votes:
Would you like some freedom fries with that?

The Belarusian Connection

U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised.
2014-02-04 12:31:09 PM
1 votes:

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


We are in our secret bunker underneath Soros World Domination HQ reading your posts, rolling our eyes and making rude noises.
2014-02-04 12:28:15 PM
1 votes:

vpb: We should contract web security out to Target because private industry is so much better.


Herr Goebbels omits the fact that there is no federal mandate to shop at Target.
2014-02-04 12:22:17 PM
1 votes:
My neighbor is an IT guy and apparently not a very good one. I can see his network and just for fun I tried a few simple passwords trying to access his home network. Protip farkers, don't use your wife and children's names as your wireless password.
csb
My point is, apparently IT people can be just as lazy as the next person.
ecl
2014-02-04 12:21:30 PM
1 votes:
So DHS security is lax or not even in place and the Republicans are worried about the healthcare website?  Derangement.
2014-02-04 12:21:27 PM
1 votes:

mokinokaro: duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.

You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.


I was contracting to DoD during the Y2K certification.  They were running out of time to certify the missile systems.  Solution?  Waive the certification requirements.  That made me feel all warm and comfy and secure.

Good thing Obama uses a complex password for his time machine.
2014-02-04 12:19:04 PM
1 votes:

redmid17: Diogenes: Yeah.  ADP "accidentally" gave away my 2012 W-2 info last year, but made it nearly impossible for me to download the 2013 copy this year.  Apparently everyone's entitled to my data but me.

And a coworker who's retired military said the password complexity requirements for his taxing info are insane.  16 character passwords that require changing every two months.  That kind of forces you to write it down.  Point of diminishing security returns IMHO.

And it's all moot if the networks and databases can be hacked.

Honestly I prefer passphrases to complex passwords. We had an app that required uppercase, lowercase, special character, number, and no dictionary words and needed be to changed every thirty days, but it never vetted your password against your last one.

1Passw0rd! would work for thirty days. Then the person would change it to 2Passw0rd@ and so on for each month. Kind of defeats the purpose of all that complexity guys.


Sounds similar to mine for work.  But I do work with very secure customer data sometimes.  I've considered getting one of those online password safe thingies, but I'm sure that's not allowed for work passwords.
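The rotation problem in the quoted exchange (1Passw0rd! becoming 2Passw0rd@ every thirty days) is what a password-change check should catch. The following is an added example, not code from any poster or from the app they describe; it assumes the server knows the current password in plaintext at change time (the user has just typed it) and keeps only salted hashes of older ones, so older entries are checked for exact reuse while the current one is also checked for near-duplicates. The thresholds and the per-user salt are constructed for the demo.

```python
import hashlib
import re
from difflib import SequenceMatcher

MIN_LENGTH = 12          # assumption: pick the value your policy requires
SIMILARITY_LIMIT = 0.6   # assumption: ratio above which a change is "cosmetic"
CHAR_CLASSES = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")


def _stem(pw: str) -> str:
    """Drop the tokens people rotate (digits, punctuation) and fold case,
    so 1Passw0rd! and 2Passw0rd@ collapse to the same core string."""
    return re.sub(r"[^a-z]", "", pw.lower())


def hash_password(pw: str, salt: bytes) -> bytes:
    # PBKDF2 is used only because it is in the standard library; a real
    # deployment would store argon2 or bcrypt hashes with a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def check_new_password(candidate: str, current: str,
                       history_hashes: set, salt: bytes) -> list:
    """Return a list of problem codes; an empty list means the change is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if not all(re.search(cls, candidate) for cls in CHAR_CLASSES):
        problems.append("missing_class")
    # Exact reuse of an older password: compare hashes, never plaintext.
    if hash_password(candidate, salt) in history_hashes:
        problems.append("reused")
    # Near-duplicate of the current password: same core after stripping the
    # rotated digit/symbol, or a high edit-similarity ratio.
    ratio = SequenceMatcher(None, candidate.lower(), current.lower()).ratio()
    if _stem(candidate) == _stem(current) or ratio >= SIMILARITY_LIMIT:
        problems.append("similar")
    return problems


# Constructed sample state for one user: an older password kept as a hash,
# and the password currently in use (known in plaintext at change time).
DEMO_SALT = b"constructed-demo-salt"
CURRENT = "2Passw0rd@"
HISTORY = {hash_password("1Passw0rd!", DEMO_SALT)}


def demo() -> dict:
    """Run three candidate changes through the check and return the verdicts."""
    return {
        "rotated": check_new_password("3Passw0rd#", CURRENT, HISTORY, DEMO_SALT),
        "reused": check_new_password("1Passw0rd!", CURRENT, HISTORY, DEMO_SALT),
        "fresh": check_new_password("correct horse Battery-staple 7",
                                    CURRENT, HISTORY, DEMO_SALT),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict or 'accepted'}")
```

The stem comparison is what actually defeats the monthly-increment habit; the edit-distance ratio is a backstop for changes like swapping two characters. Both checks are only possible against the current password, which is why they run at change time rather than against the stored history.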
2014-02-04 12:16:33 PM
1 votes:
Meanwhile, your doctor's office and local pharmacy are totally secure.
2014-02-04 12:14:48 PM
1 votes:
Less of an argument against ACA and more of one for ACTUAL TECHIES RUNNING THINGS.

Best practices don't exist just so that you can say you read them. You've gotta actually press all them little buttons, and in the right order, and make sure the result is/acts as it should, and monitor it, and keep ahead of the major threat vectors.

Governmenting's hard, yo.
2014-02-04 12:14:33 PM
1 votes:

duffblue: Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.


You honestly think this kind of shiat didn't happen under Bush too?

Remember the Air Force used to secure nuclear missiles with the combination 00000000.

Governments always fark up security wise due to laziness and it's an issue no matter the current administration.
2014-02-04 12:11:42 PM
1 votes:
Or, they could follow the goddamn FIPS requirements and have admins that CAN actually be arsed to do their jobs...
2014-02-04 12:07:57 PM
1 votes:
Why does this not surprise me?  Thank God I have private insurance.

It seems "they're" doing everything within their power to downgrade the quality of life for the average Joe.

/USA!  USA! USA!
2014-02-04 12:05:53 PM
1 votes:
Where do all the fark liberals hide when the countless articles criticising the administration are posted? The same people that tell everyone that our government has our best interests in mind seem to vanish when anything that casts their messiah or his administration in a negative light.
2014-02-04 11:59:09 AM
1 votes:
admin
admin

*click*


Welcome Dr. Falken

ilk.uvt.nl
2014-02-04 11:59:02 AM
1 votes:
It's everything we've come to expect from YEARS of government oversight.  ;)
 