U.S. Cybersecurity Not So Secure?

freaktheclown writes "According to CNet, 'government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be 'unprepared' for emergencies.'" The article discusses FEMA's handling of relief efforts for Hurricane Katrina and how a very similar situation exists with electronic security measures in the U.S. In addition to a conjecture the department of cybersecurity has been "plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups."
  • by CyricZ ( 887944 ) on Monday October 10, 2005 @06:33PM (#13760066)
    ... are given jobs because of their political affiliations.

    Yes, unqualified people performing serious jobs leads to nothing but problems.

    • Have operatives with secured White House computer access! What's Philippine GNP? How 'enabled' are their foreign intelligence services?

      Whoopie! Maybe Haiti will have a mole in the NSA?

    • by clambake ( 37702 ) on Monday October 10, 2005 @06:54PM (#13760171) Homepage
      Yes, unqualified people performing serious jobs leads to nothing but problems.

      Careful now, that sounds a bit like TERRORIST talk to me...
    • by Anonymous Coward
      I think that attitude is part of the problem. The initial post laments:

      ..accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying...

      I think those things are very intertwined. Whenever there is a governmental mistake, or failure to accurately foresee the future, accusations start flying. The media Queen of hearts shouts at everyone, "Off with their heads". No wonder there's an exodus of senior staff.
      Help Wanted:Anyone want to fill the 'scapegoat' position? I didn'
      • by CyricZ ( 887944 ) on Monday October 10, 2005 @07:03PM (#13760220)
        The media Queen of hearts shouts at everyone, "Off with their heads". No wonder there's an exodus of senior staff.

        Except in the United States the media does not seriously question the government. That is why the Bush administration was able to preside over several of the worst incidents in American history, and have emerged basically unscathed.

        • "Except in the United States the media does not seriously question the government."

          The Bush administration was able to quite quickly attribute the 9/11/2001 debacle to Saddam bin Laden. The 10/2001 Metro DC sniper team was relatively quickly captured, considering the population and traffic density. But the perpetrators of the deadly anthrax letters of 11/2001 have never been caught.

          Those deadly anthrax letters were not directed to members of the Bush administration, nor to their neo(Con)artist supporters
      • by Doc Ruby ( 173196 ) on Monday October 10, 2005 @09:13PM (#13760981) Homepage Journal
        If the media weren't in Bush's pocket, the departure in disgust of every "cybersecurity czar" we've had (all under Bush) would be a running story about how we're begging to get hit. We pay taxes to a government we elected to protect us from threats, and those responsible for the cyber department won't accept liability for their useless department. That's not "scapegoating". If the department were competent, there wouldn't be any need to scapegoat anyone. Anyone watching their counterparts across DHS leave thousands to die in the wake of Katrina can tell that we're paying fools to pretend to protect us. And if reporters were more competent than these DHS personnel they cover for, it wouldn't take Katrina to show how screwed we all are.
        • If the media weren't in Bush's pocket...


          Just curious....What color is the sky on your planet?

          • What the AC said [slashdot.org]:

            " Around these here parts the sunrises are colored Murdoch, the sunsets O'Reilly.

            The sad thing about the mindless sheeple like you is that they're too busy squawking the party line to realize that the world's done gone and moved on. Even CNN goes begging for conservative viewership these days.
            "

            Now, if you'd step away from your corporate media and brush the rust off your brain, you'd notice that the Bush administration has left our country smashed almost beyond recognition. Harder to look at
          • > > If the media weren't in Bush's pocket...

            > Just curious....What color is the sky on your planet?

            Heh. "Blue" sounds like a doubly appropriate answer.
      • by NMerriam ( 15122 ) <NMerriam@artboy.org> on Monday October 10, 2005 @10:30PM (#13761344) Homepage
        Whenever there is a governmental mistake, or failure to accurately foresee the future, accusations start flying. The media Queen of hearts shouts at everyone, "Off with their heads". No wonder there's an exodus of senior staff.

        But that's not what happens -- the media doesn't scapegoat invisible public service employees who've been dutifully showing up doing their job every day for 30 years. Those employees make it through scandals in administration after administration, because everyone knows the agency will not function without them -- occasionally one may be scapegoated internally, but they don't have any "sex appeal" to the media.

        This recent wave IS very different, because it is one of the first times that these guys do seem to be resigning in large numbers -- not because of "media pressure" (the media doesn't even know who these guys are), but because of inept cronies being put in place above them, and then the cronies not being smart enough to realize the career professionals should be running the show.

        That's exactly what is happening with the CIA right now, where guys who have happily served both Republican and Democratic administrations for decades are suddenly being dictated to on how to perform their jobs by people who are barely qualified to operate the paper shredder.

        "The Media" isn't pushing out the senior CIA officials, the Bush administration is, the same way they pushed Whitman out of the EPA (I mean, geez, the Republican governor of New Jersey is "too liberal" on the environment? Reality check! That's as crazy as suggesting a quadriplegic veteran isn't patriotic!)
        • > That's exactly what is happening with the CIA right now, where guys who have happily served both Republican and Democratic administrations for decades are suddenly being dictated to on how to perform their jobs by people who are barely qualified to operate the paper shredder.

          And operating a paper shredder appears to be a very important skill for Bush appointees.
    • by Tackhead ( 54550 ) on Monday October 10, 2005 @06:57PM (#13760186)
      > ... are given jobs because of their political affiliations.
      >
      > Yes, unqualified people performing serious jobs leads to nothing but problems.

      You miss the point. The purpose of cycling senior people through the bureaucracy isn't because the bureaucracy's ineffective, it's because it's the gateway to a consluting career with the bureaucracy. That's how the Aristocracy of Pull works, and it works the same way whether the Jackasses or the Elephants are in charge. (The only catch is that you can only pull fellow Jackasses (or Elephants) through the door -- and because your tribal totem isn't going to be in charge forever, whenever your gang's in charge, you're obliged to bring the maximum number of fellow gang members through the door as possible during your time in charge.)

      To recap:

      1) Cultivate enough pull to get a cushy appointment.
      2) As a courtesy to the last guy to hold your post, hire him as a conslutant at double his previous pay.
      3) Continue to be ineffective -- preferably so ineffective that you have a good excuse to resign in "disgrace" within a year or so. This frees up the slot so your boss can reward another guy with pull.
      4) Get hired by the new guy at half the political liability to your friends, and at double the pay.
      5) PROFIT!

      The less effective the bureaucracy, the more people can be run through the revolving door during the course of a given administration, and the more taxpayer dollars can be looted in the process. And because pull is proportional to dollars looted, the system creates its own incentive. Launder, rinse, repeat.

    • "Unqualified" can be handled by becoming qualified.

      "Unqualified" can be handled by finding and hiring qualified assistants / advisors / etc.

      What we have is a situation where an unqualified person is put in charge of an agency and spends his/her time there working on his/her political connections using the agency's resources. So, over time, the agency is less capable of handling its mission than it was when that person started.

      But that's how our current politicians reward those who've helped them get into off
      • Hiring advisors does not make one qualified. At some point, he will need to decide which advisor to listen to, and to do that he needs to be qualified enough to judge the relative value of their advice. Unless he has some senior officer who does all that work for him- in which case, that senior officer ought to be running the show.
        • Unless he has some senior officer who does all that work for him- in which case, that senior officer ought to be running the show.

          And that used to be the way these things were run. The head of the agency was a political appointee. But s/he had long term professionals working for him/her. Those professionals worked for multiple administrations and were not involved in the political games. They did their jobs and were the experts in their fields.

          Check TFA and you'll see where it's talking about those profes

      • > "Unqualified" can be handled by becoming qualified.

        Yeah, that's why on my job applications I always put "CEO" in the "Position applying for" field.
    • A couple of years ago I enjoyed a speech and follow-up discussion with the Middle Tennessee Infragard president, who held (and currently holds) several high level security positions after many years of underground security experience. He worked closely with federal employees and appointees. His observation was not that the appointees were chosen by political affiliation or felt it necessary to follow a political agenda. The problem was that the appointees had to negotiate an unfamiliar system of red tape
    • ... are given jobs because of their political ... Hmm. "Outside observers are holding out hope for Chertoff's departmental reorganization announced in July. As part of the reshuffling, he hired Stewart Baker, former general counsel to the National Security Agency and a well-respected technology lawyer." I know that I feel safer with attorneys in charge of my country's network security.
    • Wow, that's deep.

      You don't know sh*t about the problem, so it MUST be whatever BS idea pops into your head.

      Then you get modded as "insightful" by equally simple-minded moderators.

      Amazing.
  • First post? (Score:2, Funny)

    by Anonymous Coward
    Cybersecurity not so secure?

    That's like jumbo shrimp!
  • by Average_Joe_Sixpack ( 534373 ) on Monday October 10, 2005 @06:38PM (#13760088)
    I keep all my usernames/passwords on a Geocities hosted site.
  • Duh! (Score:2, Troll)

    by jellomizer ( 103300 ) *
    When you have over 90% of all computers running on the same family of Operating Systems, with the other less than 10% trying to keep the features to work with the other 90% of the computers. Is a disaster waiting to happen. You can firewall every box, Windows could be the most secure OS in the world, but when you have 90% market share it is going to be a target. Secondly people are afraid to have independent audits on their computer security, they worry about losing their jobs if the auditors find a
    • Re:Duh! (Score:2, Insightful)

      by kcarlin ( 99704 ) *
      When you have over 90% of all computers running on the same family of Operating Systems, with the other less than 10% trying to keep the features to work with the other 90% of the computers. Is a disaster waiting to happen. You can firewall every box, Windows could be the most secure OS in the world, but when you have 90% market share it is going to be a target. Secondly people are afraid to have independent audits on their computer security, they worry about losing their jobs if the auditors find a pro
    • What do you expect to happen, for the Government to regulate Microsoft? Microsoft gave the proper campaign contributions - there's effectively nothing that can be done by the Government.

      The People could, but they're complacent and lazy. Your best bet is to defend your island of data and have a plan for when everything else goes to hell.

  • Education (Score:2, Insightful)

    by AxsDeny ( 152142 )
    The core of the problem is that users continue to not understand what they are doing or using. People expect things to "just work" and if it breaks they will have it fixed. Many people treat their cars this way. They know how to drive them, but not how to fix them if they break down. If we can't educate the users in the safe and proper use of their machines, we will continue to have such problems. If the mainstream OS continues to be riddled with security holes that grandma doesn't know how to patch, we wil
    • ABSOLUTELY, ABSOLUTELY, ABSOLUTELY!!!

      I have gone all Linux & BSD on my home machines, but I had Windows for many years before that AND NEVER HAD 1 F***** VIRUS, CRACK, OR ANYTHING OF THAT NATURE happen to the machine and I had no AV protection. My friends and family asked "How? What AV Software you use?" I said "My Brain." Education is the first thing in this matter all the way.

      I just cannot fathom how people have a deal about a $%$%$FREE ip0d9$)#($#$, then it says go to a web page, and download so
    • You know, I'm ALL for educating the user, but being in education, I know when and when it's not possible to teach.

      If it's a system of users on a network of a non-500 company, then mass education and mandatory training of employees just WILL NOT happen.

      So, what's the realistic answer? Real tech troubleshooters. Yes, real-- because there are plenty of admins out there that are so jaded with users that they won't even help them as much as they need to be helped.

      What is needed is a scramble crew of techies that
    • The core of the problem is that users continue to not understand what they are doing or using. People expect things to "just work" and if it breaks they will have it fixed.

      I expect people pay for software/hardware with the idea what they are using should "just work" (assuming they are following the proper operating procedures). Maybe marketers should stop spreading this idea and be more realistic if it's not true.

      Many people treat their cars this way. They know how to drive them, but not how to fix the

    • Education and training actually does better security and society as a whole.
      Maybe we should get a copy of Moodle installed somewhere and put up some cyber security courses, K-Ph. D. levels should cover it.
  • by plover ( 150551 ) * on Monday October 10, 2005 @06:43PM (#13760119) Homepage Journal
    Seriously, the intarweb has been little more than a stew of viruses, zombies and DOS attacks for years now. Yet we all manage to show up and do our jobs. How bad could a "cyberattack" really be, if we're living through the current levels of crap?

    And what good is a "federal overseer" when they have no jurisdiction over half of the network?

    I say that we're no worse off for not having a top-dog. It's a meaningless, ineffective position. Why spend the money on it, much less promote the position to a direct report under the DIRHSA?

    • And what good is a "federal overseer" when they have no jurisdiction over half of the network?
      This is my logic to have an international control of the Internet (predominated by the US).

      But in terms of what they could do, did you really think they could bring down the Twin Towers? I mean, I figure that they can be pretty darn creative if they put their minds to it. And they seem to have decent monetary backing.
      • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday October 10, 2005 @07:14PM (#13760269)
        There was a plot to fly a plane into the Eiffel Tower. We've known planes were considered as weapons for years.

        But planes are physical objects. They cause physical damage. Normal, healthy people can be killed from physical damage.

        What's the very worst that can happen if the Internet goes down?

        That's not a rhetorical question. Think of the worst situation you can and then think of whether it would be better/safer to not have the Internet connected to whatever it is. Nuclear plant cyber-attack? Why have them on the 'net in the first place? Dam flooding a town? Same thing.

        The first thing any "cybersecurity czar" should be doing is making sure that the potential for damage is reduced.

        If the worst thing that they can do is to steal your identity and money online, then you're "safe" in that it won't kill you or physically cripple you.

        But that takes thought and expertise in evaluating the real threat.
        • There was a plot to fly a plane into the Eiffel Tower. We've known planes were considered as weapons for years.
          Yeah, and unlike 9/11, the French managed to foil that plot. (And the French warned the US in advance of 9/11 but they didn't listen).
        • What's the very worst that can happen if the Internet goes down?

          Somebody somewhere panics and shoots off a bunch of nuclear missiles. Billions die, but I survive.

          Now it's a race to see if I die from radiation or starvation. Good thing I have all this extra body fat. Once that's gone, I'll have the corpses of my family and my pets to eat.

          Dang, radiation sickness really sucks. The other survivors all have it too, so I'm able to successfully fight them off for my share of the remnants of society.

          Fina

        • 'cybersecurity' isn't just about the internet.

          It's about keeping the computers that run things safe, whether or not they are on the internet.

          Granted, in most cases they can be made safe by removing remote access and restricting physical access to them.

        • "What's the very worst that can happen if the Internet goes down?"

          For the sake of argument, let's assume that it wouldn't cost any lives. It could easily cost tens or hundreds of billions of dollars. This is where logic breaks down for most people. They are unwilling to equate lives to dollars. But lives *are* dollars, and dollars *are* lives. That's the whole purpose of money, to serve as a paper representation of everything a person needs and can hope to achieve in his life. Dollars buy medicin
        • "We've known planes were considered as weapons for years."

          Exactly so!

          Prior to the first Gulf War when Saddam bin Laden invaded Kuwait and King George 1st retaliated, the Islamic Republic of Iran was busy making mischief in the Persian Gulf -- mining the waterways used by the oil tankers sailing out of Iraq, Kuwait, and Saudi Arabia, as well as threatening the NATO ships in the region with Chinese supplied Silkworm missiles. The US Navy shot down an Iranian commercial aircraft over the Persian Gulf because i
    • How bad could a "cyberattack" really be, if we're living through the current levels of crap?

      All power stations are down for days, lots of people die at hospitals all over the country. Other people die due to no light/AC/heat/water "even worse" ... billions lost due to companies that can't do anything, no one can travel due to gas stations not having power (thus no food gets to stores), stocks go down the toilet bringing even more economic damage.

      But, yeh, fuckit ... you've got virus protection right

      • Thanks, that's precisely the kind of mindless hysteria needed to get people all worked up over this.

        Hospitals going dark? Patients dying without power? I'm sorry, you must have missed the last couple of decades where virtually every hospital and almost all major clinics in the country have standby diesel generators. Hell, not only the ordinary office buildings and hotels around here but even the freakin' PARKING RAMPS have generators now, lest the power should go out and trap Jim-Bob in an elevator for

  • by TykeClone ( 668449 ) <TykeClone@gmail.com> on Monday October 10, 2005 @06:48PM (#13760136) Homepage Journal
    They have claimed the right to regulate the networks of financial services and medical services outfits.

    Let he who is without sin...

  • some interesting & revealing quotes:
    "I sure wouldn't take that job," "It only has a downside."

    "It's been a mess for over four years, and hopefully the new folks will fix this,"

    "In the previous incarnation, DHS and the Homeland Security Council didn't really know what to do with cyber--it's been a deer-in-the-headlights experience for them,"

    "Cybersecurity clearly fell off the radar screen when they set up the department, and the department is trying to find its way,"

    "the nation is a
    • they should be giving large bonuses/salaries & get creative in order to recruit people ASAP and get them out of this mess Of course since we're talking security-related government jobs they'll pay bottom dollar (practically poverty wages in high-cost markets like New York) and be incredibly invasive in terms of privacy.
  • by G4from128k ( 686170 ) on Monday October 10, 2005 @06:53PM (#13760167)
    One core problem is that the people that regulate cybersecurity don't own the infrastructure. This means they have little hope of understanding how real-world privately-owned (and vulnerable) networks operate. The flip side is that the government people that might have intelligence data on cybersecurity threats won't share that info with the people that actually own and operate the networks.

    One group (govt) may understand the threat, but is clueless on the operations side. The other group (owners) don't have the classified intelligence data on the threat, but do know the operations side of the network.

    Until the two sides share both info and operations knowledge, cybersecurity isn't possible.

  • by Quadraginta ( 902985 ) on Monday October 10, 2005 @06:59PM (#13760193)
    Goodness, who wants the Federal government to be responsible for general IT security in this country? I mean, let's just think carefully through the kind of power over the network they'd need (or say they need) to be given to achieve it.

    Brrr.
    • I'll believe it when they get their own house in order. Until then, they can keep their sticky paws off my network.
    • But by "responsible" I mean "It's your ass that gets fined/fired/jailed if there's a problem".

      I don't mean just saying "I take responsibility".

      Responsibility means that you pay the consequences.

      If someone cracks my systems at work and gets away with customer data, I'm the one they fire. I'm "responsible". But I don't see anyone in our government actually being "responsible". That's the whole purpose of bureaucracy. The "responsibility" is diffused until it doesn't exist in sufficient quantity with any one per
    • Are you talking about vigilante cybersecurity? While arguably effective, it tends to get people in trouble [time.com] (registration required...article now a premium). As a summary, in his spare time, some guy went after a group of Chinese hackers code-named Titan Rain who were stealing government data. He handed information off to the Feds, and was consequently fired from his high-profile security job and even placed under suspicion of aiding Titan Rain by...you guessed it, the Federal Government.

      Don't get me wr
    • TFA: "the nation is applying Band-Aids, rather than developing the inherently more secure information technology that our nation requires."

      The popular + IT/tech press: more and more statements like this lately...

      Quadraginta above: "Goodness, who wants the Federal government to be responsible for general IT security in this country? I mean, let's just think carefully through the kind of power over the network they'd need (or say they need) to be given to achieve it."

      Put the clues together, here. Or m

    • I dunno, it'd be nice to see the govt. push some basic standards.

      "And there fhalle be no portf open by default."

      or something.
  • by KerberosKing ( 801657 ) on Monday October 10, 2005 @07:00PM (#13760202)
    All year long, they have had no one at the helm for cybersecurity. It shouldn't surprise anyone. Let's take a job that many different agencies struggled to keep up with before, then add the requirement that they all reorganize into DHS, where instead of computer security being their number one focus, it is one of many concerns. I would bet the funding for DHS compsec is less than the total spent by the separate agency committees. There is only so much you can save by pooling resources, and I would argue it gets lost when you have to compete for attention with WMDs, IEDs and other serious physical security threats.
    • > All year long, they have had no one at the helm for cybersecurity. It shouldn't surprise anyone. Let's take a job that many different agencies struggled to keep up with before, then add the requirement that they all reorganize into DHS, where instead of computer security being their number one focus, it is one of many concerns. I would bet the funding for DHS compsec is less than the total spent by the separate agency committees. There is only so much you can save by pooling resources, and I would agru
  • by sczimme ( 603413 ) on Monday October 10, 2005 @07:02PM (#13760212)

    Much of the Federal government has a sub-optimal track record in the security arena. In March of 2004 Rick Forno published an article (with links) that summarized Uncle Sam's security issues:

    The farce of federal cybersecurity [securityfocus.com]

    (That's the title Rick used, btw.)
  • by Anonymous Coward
    NSA and CIA disallowed any Windows based products in house except for unsecured desktop boxes and as a upfront web server (but they are simply traps). Now they are under extreme pressure from "above" to allow Windows and windows products in-house, no matter what the security costs are. When politicians make decisions, and not the experts, then we end up with 9/11s. After all, that is exactly what 9/11 and Iraqi invasion were.
  • honestly, wtf is the point of this department anyway. shouldn't it be the responsibility of each organisation to secure its own IT? there doesn't seem to be much need for this. i mean what do they do all day? the FBI is already the ones who investigate crimes, CIA keeps an eye on things outside your borders. seems like a big fucking waste of money.
  • In IT or economics, the rules are the same. Government doesn't provide security, freedom provides security - in this case meaning free software. I know this will come as a shocker for some people, but the copyright incentive system that government promotes by its very nature incentivises poor security too. Solve that problem and the security problem will solve itself.
  • 9/11 was preventable. We got pwned by leaving the cockpit doors open even though it was "common" knowledge that the most effective way to thwart hijackings was to NEVER let the bad guys take control of the airplane. If they can manage to crash it, or kill every passenger, so be it. El Al figured this out in the 70's, yet the FAA was too fucking stupid to pay attention.

    Similarly, the Bush administration ignored the valuable information it received from Richard Clarke and even their own Condoleezza Rice.
    • 9/11 was preventable. We got pwned by leaving the cockpit doors open even though it was "common" knowledge that the most effective way to thwart hijackings was to NEVER let the bad guys take control of the airplane. If they can manage to crash it, or kill every passenger, so be it. El Al figured this out in the 70's, yet the FAA was too fucking stupid to pay attention.

      Though I agree with your points, it's important to realize that there are other contributing factors to both the hijacking and why cockpit do
  • by keraneuology ( 760918 ) on Monday October 10, 2005 @07:16PM (#13760279) Journal
    The problem isn't political appointments, inept federal chiefs or any political leanings or biases. The problem is that the federal government has no business in being in charge of domestic response. Response to a local emergency or disaster is, and must remain the domain of the local authorities who can be held accountable for their preparation and performance - or lack thereof.

    FEMA can do nothing but react to an event and throw more debt at the problem. Unfortunately this leads to problems down the road - not only does it push the federal government closer to insolvency - but it leads to all kinds of expectations on the part of locals who develop the "we'll just sit back and wait for the calvary" mentality. Not only this, but you end up with gross inequity in the response: federal dollars to New Orleans for Katrina are already about 5 times the aid sent to Florida for four hurricanes combined. FEMA has given out some $600,000,000 in "emergency cash disbursements" so far, with many people upset that only the first 10,000 or so were given $2,000 cash cards. New Hampshire recently saw a few hundred people flooded out and it wouldn't shock me in the slightest if some of them file lawsuit under the equal protection clause asking for $2,000 cash cards, FEMA-paid apartments around the country and the like.

    Local emergencies should be handled by city, the county, the state and then the federal. In that order. And the federal should not be allowed to call any of the shots: they should provide resources only but all decisions should be made by the local leaders.

    • I really do not think you are right. But, independently of that, do you seriously believe that anyone will buy into "they should provide resources only but all decisions should be made by the local leaders."?
      • I really do not think you are right.

        The difference between Madison's federalists and Jefferson's anti-federalists. I believe in a weak federal government under the theory that there is less accountability at the federal level which makes abuse easier and more widespread.

        do you seriously believe that anyone will buy into "they should provide resources only but all decisions should be made by the local leaders."?

        Do I believe they will buy into this? No. Just a beautiful dream.

    • by Anonymous Coward
      Your idea is preposterous. A disaster by its nature often overwhelms local resources no matter what planning has taken place. Many local leaders don't know dick about dealing with disasters. If an earthquake hits San Francisco the day after a new mayor takes office, will he be able to handle it? Not likely. The head of FEMA should have known how to deal with disasters, but didn't. There's the real source of the problem.

      By your proposal every single locality in the United States needs to have experts i
    • it leads to all kinds of expectations on the part of locals who develop the "we'll just sit back and wait for the calvary" mentality.

      Typo? Perhaps not.

      Local emergencies should be handled by city, the county, the state and then the federal. In that order.

      In fact, that is how it is handled, more or less.

    • Local emergencies should be handled by city, the county, the state and then the federal. In that order.

      I'm not really sure that I agree with this. The major efforts to rebuild New Orleans were conducted by Army engineers, and military hardware was a big part of multiple efforts. It's not appropriate to turn over control of military hardware and manpower to local authorities, given that a great amount of coordination is needed to use available tools most efficiently. That in turn means that some central a
  • All the Federal Government needs to do is print out the following checklist and go through it. The same for every corporation. If you can get all of these things accomplished, I can pretty much guarantee you'll be immune to any existing attack method short of physical compromise.


    • Ban .rhosts files. Totally. Sack and/or excommunicate those who use them. There are much more secure ways to have zero-password logins for automatic connections. If using an unencrypted network, ban RSH, RLOGIN and Telnet - use SSH instead. If using IPSec with host authentication by certificates, then you've already got the authentication and encryption covered, so unsecure protocols can be used there.
    • Different channels should get different access rights. Unsecure channels should NEVER have access to secure data. Unsecure channels should NEVER be used to create secure channels, as that is a common point of attack.
    • All servers with confidential data (credit card info, corporate data, missile plans, etc) should have some form of Mandatory Access Control at an absolute minimum, with such data unreachable from ANY combination of program and user other than those combinations specifically designated as having access. For Linux, you're wanting to look at SELinux or GRSecurity. Ideally, you want a B1-compliant OS at a minimum for commercially sensitive data and a B3-certified OS for Government work. Such servers should NOT be directly reachable, they should be accessed ONLY by intermediate servers. As such, we don't care about holes so much (as nobody should be able to reach them) - rather, we care about operations we're specifically allowing users to perform and making sure THOSE are bullet-proof.
    • All intermediate servers should be damn-near 100% free of security holes. We don't care about access controls for these, as they don't have any data. They're merely front-ends. However, because they're first in line for any cyber-attack, they need to be as close to immune from such attacks as possible. THIS is an ideal place for OpenBSD or MirBSD systems.
    • You should have two firewalls in series, pointing in opposite directions, at the entranceway. You want to control what comes into the network, but you ALSO want to control what comes out. That part is often forgotten, and THAT is why many network security strategies fail.
    • Active NIDS systems and authentication systems should live in parallel to the two firewalls. You want them to be able to shut down BOTH firewalls, should EITHER firewall be compromised, which means you have to have direct connections to both. Otherwise, the compromised firewall can simply block your instructions.
    • Servers that should NOT be reachable from the outside should NOT be on a LAN that is visible to the outside. If they need to connect to each other, use a private LAN.
    • If using a centralized authentication system, use Kerberos V. DO NOT use NT domains, NIS+, or any other such method.
    • Since the internal network is likely on private addresses, it would be better to use IPv6 and then have proxies map communication onto IPv4 for the outside world. The reason? It'll seriously bugger up those attack scripts that assume IPv4. It'll also make zombies that do reach the inside ineffective, as many of those will assume IPv4 as well. If IPv4 is not being carried, such software will break.
    • We've defined three types of LAN so far - one LAN inside the firewall connecting to proxy servers, one LAN for secure servers, and bridging LANs linking secure servers to proxies. We need one further network, this time for users. This LAN ONLY connects to the proxy servers. As those can see the outside world, we can use them as proxies to see the outside as much as those on the outside can use them to see the inside.


    If the Department of Homeland Paranoia were to implement such a system, I feel confident they'd score an A on their next evaluation, and would be as close to invulnerable as you can be using a computational system. People may disagree - and probably will - but I'd like to know where they think they'd be able to break in.
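Added example, not part of the comment above: a shell audit for the first checklist item, flagging `.rhosts` files (extended here to the system-wide `hosts.equiv`) and enabled rsh/rlogin/rexec/telnet entries. The function names, the use of an inetd.conf-style service file and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit for the trust files and cleartext login services the checklist bans.

# List .rhosts files one level below the home root, plus hosts.equiv.
find_trust_files() {
    find "$1" -maxdepth 2 -type f -name .rhosts 2>/dev/null | sort
    [ -f "$2/hosts.equiv" ] && printf '%s\n' "$2/hosts.equiv"
    return 0
}

# Succeed if a trust file has a "+" host entry, which trusts every host.
has_wildcard_trust() {
    awk '$1 == "+" { found = 1 } END { exit !found }' "$1"
}

# Print enabled (uncommented) inetd entries for rsh, rlogin, rexec, telnet.
find_cleartext_services() {
    [ -r "$1" ] || return 0
    awk '$1 ~ /^(shell|login|exec|telnet)$/ { print $1 }' "$1"
}

# Usage: audit_host HOME_ROOT ETC_DIR INETD_CONF; returns 1 on any finding.
audit_host() {
    findings=$(
        find_trust_files "$1" "$2" | while IFS= read -r f; do
            if has_wildcard_trust "$f"; then
                printf 'CRITICAL wildcard trust: %s\n' "$f"
            else
                printf 'FAIL trust file present: %s\n' "$f"
            fi
        done
        find_cleartext_services "$3" | while IFS= read -r svc; do
            printf 'FAIL cleartext service enabled: %s\n' "$svc"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not from the page) so the audit runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/home/alice" "$demo/home/bob" "$demo/etc"
printf '+ +\n' > "$demo/home/alice/.rhosts"
printf 'buildhost bob\n' > "$demo/home/bob/.rhosts"
printf '#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd\n' > "$demo/etc/inetd.conf"
printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' >> "$demo/etc/inetd.conf"
audit_host "$demo/home" "$demo/etc" "$demo/etc/inetd.conf" || echo "audit: findings above"
```

On a live host the arguments would be the real home root, `/etc` and the service file; hosts that start these services through xinetd or systemd need a different service check.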

    • ... you still need recourse. You can't expect that all IT solutions will be 100% secure -- some engineer/administrator along the way will make a mistake. And worse, there's still the human element: even if you plug all the holes, those on the inside can still steal or misuse information stored on the very secure platforms.

      So what's the backup, that recourse? Log all events on your network: TCP/IP connections, transfer statistics, event logs, syslogs, web server logs, mail logs, DB logs, etc. Make su

  • The problem is too much duplicate effort, and the wrong people in charge of things.

    NIST, part of commerce, has come out with good documentation on information security. They have also created guides on host OS security duplicating NSA & DISA efforts.

    DISA, an agency within DOD, is the proponent for the Security Technical Implementation Guides (STIGs). These STIGs are the best, most updated guides on technical security within the US govt, and mandatory for DOD components.

    NSA, an agency within DOD, is th
  • and list what Homeland Security is prepared for.
  • by Anonymous Coward
    A cyberterrorist attack could hit any moment. DHS needs to have the following items on hand to distribute:

    1,000,000 emergency email clients
    100,000 fast-deploying RSS readers
    5,000,000 excel-compatible spreadsheets (they might have to tap foreign companies to produce this)
    20,000,000 Windows-compatible operating systems
    plenty of duct tape

    Thankfully, DHS has already executed several successful evacuation drills:

    1) with coordination from the major tier-1 ISPs, we can evacuate up to 1 terabyte per day from the maj
  • I read the article, and am a sysadmin, and really, what purpose would such a position serve? Is there a specific job description of responsibilities for the position? The article indicates that the individual would "coordinate the response" to an Internet attack, but at what level do they start to become involved, and really, with as dynamic as the Internet is and companies continually coming and going, being bought out, etc., how would they constantly maintain communications with all the players? As soo
  • Am I the only person who is tired of the rhetoric "Since September 11th, each and every American's life has changed"? For those outside of the government, and particularly the military, has it really? Certainly we have mangled the Bill of Rights beyond recognition, but am I the only one whose reaction to the 2nd attack on the WTC was "well, it finally happened?" And the notion that using commercial airliners as weapons was unthought of? Given that Tom Clancy is a best selling author, the odds that no one in
  • Well, what do you expect? Bush's appointments have been terrible across the board. His original economic advisers were mostly from Enron. His energy advisers were Cheney's buddies from the oil industry. His head of FEMA, well, we know about that bozo. In all those areas, the government is doing a poor job. Why should cybersecurity be doing better?

    It's a real problem. The President's key job is to appoint the top people in the federal government, about 3000 of them. That determines how well the Gove
