Federal Computers Fail Hacker Test

Nintendork writes: "An article by the Associated Press, published on CNN, tells of the latest network security report cards earned by Federal agencies. The Department of Defense along with several others failed. I hope terrorists that pose physical threats don't have any script kiddies in their arsenal."
I don't buy it... (Score:3, Insightful)
I can't believe that they could have scored an F on any security test. Am I naive?
Is it physical security or through the internet or what?
Does anyone have any links that show what tests were done and how they scored on each one?
Re:I don't buy it... (Score:5, Interesting)
Well the following paragraph of the article gives some blatant examples of poor practices that were found:
The GAO routinely hacks into federal computers to test security and rarely fails. At the Commerce Department, for example, the GAO in August found some computers didn't require any passwords; some used "password" as the password; and entire lists of passwords were stored in plain view on the computers themselves. When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.
This isn't all that hard to believe. These networks are huge, and there will always be some people who value convenience over security. The question is whether the admins are understaffed, inexperienced, or simply lax in enforcing policies.
I work at a school (Score:2, Insightful)
Now, teachers are somewhat educated people. You can't just instantly become a teacher (as you could get some other bureaucratic positions), yet they are technophobic or just plain computer illiterate. Heck, I have to help them set up their VCRs! The extent of computer security that they can handle is putting a password on the Accelerated Reader program so that kids don't change their grades.
These people are not stupid or ignorant in general. They just know jack about computers. If these teachers, being more educated than your standard bureaucrat might be, can't deal with computer security then how could a standard bureaucrat be expected to?
Government systems administrators? School networks don't have system admins. They have librarians that know a little bit about computers. That is who will be maintaining the network at the school I volunteer at when I eventually leave. As far as I can tell, they never have had a dedicated computer person in the entire school district who maintains these systems. I know there is a woman in the district who is going to be working on installing more computer equipment, but fixing things doesn't seem to be a normal part of her job.
Just putting things in perspective.
Re:I work at a school (Score:2)
renovations during the summer and weird things the teachers do.
Now, teachers are somewhat educated people.
I work for a large bio-tech company. Most of the company has at least one PhD. But yet I still have to make sure that their computer is plugged in. Some even send their passwords in plain text email to me if they have a problem. That doesn't mean that they are not smart; they are each VERY smart in their own field, the nation's leaders. I can't expect them to be even the slightest bit knowledgeable in MY field, or else, let's face it, there would be no need for an IT department at all, they could do it themselves, and we'd all be out of a job.
If a security audit came through on the day that Person A sent me their password in an email, and Person B managed to run and install a program that offers up a backdoor, no matter how good OUR security and policies are, we would just have failed.
Re:I don't buy it... (Score:2)
Re:I don't buy it... (Score:2, Insightful)
Heh, I used that trick once to get in a hospital computer system where my father worked (he forgot his new password). The X trick didn't work, but Default sure did.
Let's just face it, we are dealing with normal people here. Not nerds. Most of us here could set up a more secure network than you will find on average. And I include a lot of us who have never actually set up a network in that statement. A lot of things that are common sense to us are magical or totally unknown to normal people.
The only way the gov and various businesses are going to get more secure is if they train their people in computers (unlikely) or hire more nerds (also unlikely, for the gov at least. They can't/don't compete with businesses very well).
In other words, a lot of basic things in the bureaucratic and commercial worlds are going to have to change if they are going to seriously make their systems secure.
Re:I don't buy it... (Score:1)
Re:I don't buy it... (Score:1)
To secure such a system, you should, well - upgrade to NT or better still, some brand of *nix. To secure a win9x system you need to use a third party utility. Symantec used to have a product called "Your Eyes Only" which included a bootlock, passworded screensaver, multiuser password administration and encryption. It was pretty good, but was discontinued. If you have win9x and need security the only solution I know of is NAI's Corporate PGP desktop, but I would still upgrade.
Re:I don't buy it... (Score:1)
If the tiger teams got in so easily, would-be net.terrorists could get in just as easily. This is just buying them time until their security cluefulness loan clears the bank. It's also possible that this report is a few weeks to a few months old, which would buy them further time. Whether or not this extra time was actually used productively is anyone's guess.
Proteus' Child
F is for Federal (Score:2)
F is for Federal
It is also for fixed ideas, FUBAR, etc. Very simply, if you think you have the answers, you will not look in the right places, which is why you get situations like that.
Fortunately, or maybe not so fortunately, a lot of terrorists are not so interested in computer stuff as tools for their actions. They are more into things that go boom.
Real Terrorists (Score:1)
Now, if you are Education or Social or etc, that's fine. But what about Defense... that could hurt when someone finds a backdoor into weapons orders. Or Transportation... or just general integrity of systems. A good hacker that took out major Fed networks could cause major chaos, and open the door for terrorists. But Al Qaeda is never gonna post to a newsgroup that they hacked the DoE's computers. Or anything like that. They don't care. They want death. So I'm not too worried about terrorists... just idiots.
Re:I don't buy it... (Score:1)
Someone like the CIA or FBI, I might find a little hard to believe. However, I worked for the government for a few years and they are seriously lax in security. Especially net security. They think they are safe behind their little firewalls, but they are penetrable.
nArf?! (Score:1)
Re:nArf?! (Score:2, Informative)
Homemade Unix (Score:3, Interesting)
As for the DOJ, I met a guy who was arrested for cracking into it when he was 19. He explained that it is a lot easier than people think and he cracked it about 11 times before he was caught. He now works for a large security consulting group.
Re:Homemade Unix (Score:1)
The SSA (Score:5, Insightful)
Yes, the government does have very terrible security. I thought our tax dollars were paying for more than this? I'm not bashing, or trying to be a troll, but wouldn't some form of UNIX like BSD, or Linux reduce our tax rates, providing the admins know how to use it? I know they are paying thousands just for that ONE NT4 server running on a Pentium Pro 200, with 128 MB RAM.
Typical useless gov't reports (Score:5, Interesting)
Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have spec'd out for them.
Self-Reporting Poor Grades (Score:1)
If indeed these grades are based on self-evaluation reporting then it is possible that the agencies in question reported terrible problems in an effort to gain additional financial resources. I believe the fact that they reported poor performance to the Office of Management and BUDGET is in line with such a theory.
Perhaps in effect they said, "We dunno nothin' 'bout dem puters securin matters. Duh. Maybe you give us money to get dat der schoolin? Or maybe we could hire someone whats smarter 'en us?"
Re:Typical useless gov't reports (Score:2, Insightful)
Re:Typical useless gov't reports (Score:3, Redundant)
Actually, I think you need to read the article more closely.
The GAO routinely hacks into federal computers to test security and rarely fails. At the Commerce Department, for example, the GAO in August found some computers didn't require any passwords; some used "password" as the password; and entire lists of passwords were stored in plain view on the computers themselves. When one Commerce employee detected investigators trying to hack the agency's computers during their testing, he launched an illegal, electronic counterattack against the GAO.
I'm pretty sure they didn't gather the "we keep passwords taped to our monitors" information through a form that the DOD filled out.
Re:Typical useless gov't reports (Score:3, Interesting)
Of course the flip side is that the security may be much better than this report leads you to believe. I'd imagine many gov't sysadmins have secured systems beyond what the paper pushers have spec'd out for them.
I've worked for or with the DoD for the past 10 years (both as active duty AF and now as a government contractor) - the last 5 working in security. Unfortunately, it has been my experience that your statement is exactly what you said - imagined. (I can really only speak on DoD - The AF and some nameless joint commands in particular.)
So many security problems exist at so many different levels, it's amazing no major infiltration has occurred (that we know about anyway). Sure, IIS web servers all over the DoD are being defaced, but this is small potatoes (and on par with the civilian sector). So many "mission critical" systems exist on the NIPRNET (Non-secure Internet Protocol Router NETwork - the DoD's chunk of the internet) with very very few competent administrators... it actually scares me. Patient tracking, Command and Control, Supply, Personnel, and etc. systems ride the NIPRNET. Glean enough information from these systems and you have the equivalent of classified information.
I said so many problems at so many different levels - What am I talking about? Example: The basics are not being followed. User education is horrendous. I know I could walk into most any secretary's office and find his/her password in minutes. How? Look under the keyboard, inside the monitor's control panel door, under the coffee cup on the desk, inside the top drawer, etc. etc. "Who cares? It's just a secretary. She/He couldn't possibly have access to important information." Well, they don't give secretaries to just any grunt. She's probably the secretary to at least a Colonel (O-6) and she probably has access to his email. What's more littered with sensitive information than a Colonel's or General's email.
Grab a phone book from any military facility (just look in the trash), get some names, call up the help desk. "This is Sgt Such-and-such... I've just locked myself out. I guess I've forgotten my password. Could you please reset it." "SURE. Your password is now P@ssW0rd. You'll be forced to change it when you next login." (YES, it really is this easy! - I know, I've done it during exercises.) Etc. etc. etc. Pick a basic security best practice and I can guarantee it is not being followed at most DoD installations.
I've said this in many previous posts on /. and I'll say it again - MOST DOD ADMINISTRATORS ARE INCOMPETENT! The DoD isn't exactly paying top dollar for their personnel (that's why I'm a government CONTRACTOR not an EMPLOYEE); Training for the grunts is next to SHITE; and a complete misunderstanding of information security bleeds throughout the top brass in the DoD.
It's pretty sad, but I keep banging away to make my little chunk of the DoD network(s) more secure. Wish me luck. I think I'll need it!
Re:Typical useless gov't reports (Score:1)
The evidence that some part of this system shows signs of complacence/ignorance frightens me.
Re:Typical useless gov't reports (Score:2)
This is pointless (Score:4, Funny)
I hope terrorists that pose physical threats don't have any script kiddies in their arsenal
So, Al Qaeda is going to deface the DOD's webpage? Who cares? The article mentioned the ever present password list taped to a computer, which would imply physical access. I doubt the average script kiddie has the social skills to get that.
Not really (Score:1)
Re:Not really (Score:2)
Let's hope they don't run IIS on computers with classified data, or at least don't connect it to the public net.
mmmm....pizza... (Score:1)
here [slashdot.org] talking about just that.
Re:This is pointless (Score:1)
Are international hackers the greatest threat? (Score:3, Insightful)
Re:Are international hackers the greatest threat? (Score:1)
However, spies could hack into the government to gain access to classified information, which is far worse. For example, imagine the Taliban finding out the next place to be bombed and evacuating in advance, rendering the bombings ineffective. That is much worse than a little data loss. Script kiddies wouldn't know what to do with classified information.
It also doesn't tell WHICH computers. (Score:3, Insightful)
I'm scared at the fact that someone could report on this with so little attention to detail. It's an article simply designed to scare people into thinking that the US government isn't more prepared than they are.
Re:It also doesn't tell WHICH computers. (Score:2, Informative)
Maybe not, but if there is a trust relationship among computers on the network and one is compromised, you have access to all of them. That changes your odds a bit.
Re:It also doesn't tell WHICH computers. (Score:1)
What do the grades mean? (Score:2, Insightful)
An 'F' is the worst possible grade, so does this mean that there is no possible way for those agencies to have done worse?
I found the results from last year here [house.gov]. It's interesting that it was released on September 11 2000.
Re:What do the grades mean? (Score:1)
Re:What do the grades mean? (Score:1)
Vulnerabilities (Score:4, Informative)
I was on an independent team to go over several different agencies' policies and security models concerning the Internet, and this is what we found.
1) Most of the time we could find a vulnerable host on a network to exploit from the Internet with an off the shelf exploit.
2) The hosts and their networks usually tend to not have much information worth a terrorist's time. I'm not saying that this is an excuse, merely pointing out the fact that if they're running a default install of IIS4, most of the time there isn't much on the network worth the time invested.
3) Most networks with something worth looking for have some levels of security in place.
All of that said, I can assure you that most skript kiddies (the ones that posted to attrition.net, etc) don't have the knowledge to gain access to anything more than a default install on a jpl or nasa.gov host.
Reb
yeah (Score:1)
This area is powered by old hydroelectric generators; we get significant spikes daily. This school was barely able to scrape together the money for surge protectors. They plugged their computers straight into the wall before they got some. They will be lucky to get security patches every few years.
If they could barely handle the one-time expense of getting surge protectors, they certainly aren't getting any tech people any time soon.
On the other hand, there isn't much people would want. Other than elementary level skript kidz trying to mess up the school's computer for fun, they don't really have a lot of security concerns. Terrorists aren't likely to attack these machines, and if someone does get in the worst they can do is make the network unusable for a while.
At least, that is what everyone hopes.
scoring system? (Score:2, Interesting)
Does 'D' imply posted password?
Does 'C' imply password?
Does 'B' imply encryption?
Does 'A' imply near perfection?
I presume an 'A+' is unobtainable. If it has a way in, then, can't it be cracked?
Re:scoring system? (Score:1)
If it's airwalled. *grin*
Re:scoring system? (Score:1)
Re:scoring system? (Score:1)
I think that would depend on exactly where the systems were located.. doesn't TEMPEST work only under a certain distance? Beyond that, the signal strength would degrade, I thought.
Lets just hope it doesn't go down like this (Score:5, Funny)
Hello, sir, um, secretary, sir, um, could you, um, read the words taped onto your screen?
"k5jd930d03DfA"
Praise Allah!
*click*
Re:Lets just hope it doesn't go down like this (Score:1, Funny)
Hey, it's been done before!
Re:Lets just hope it doesn't go down like this (Score:4, Funny)
It must be a mess (Score:3, Interesting)
This makes it apparent that the IT department is extremely mismanaged. Standards and procedures for dealing with hacker attacks, critical loss, and computer abuse are the core requirements of any IT support. I'm guessing that a lot of gov't computers have access to the internet that do not require access for their job function. Every terminal that's connected is a security risk that must be addressed. Probably set up by a very underpaid gov't worker that was "trained" in a day.
But the important stuff is well protected... (Score:2)
Once in awhile we have to upgrade the older versions, in which case the older stuff is simply destroyed and replaced with newer operating systems, and operators.
Microsoft should be so pragmatic.
Still looking for the.. (Score:1)
I hate to rag on government employees (in some respect I "R" one) but we are not talking about the best and the brightest in the business.
Most are administration, working joes/janes who just want to do their job... not unix/windows/computer security professionals.
Does the "F" surprise me? Nope. Can this be improved...oh yes it can. Of course the optimist in me (and the cynic, too) thinks everything above an "F" is an improvement, and I'd be right.
Let's just hope they don't discover the wonders of Passport because knowing how secure Passport is and the grade they made it would probably be best not to see "if it can get any worse".
My Humble Opinion.
Re:Still looking for the.. (Score:1)
What kind of counterattack? (Score:4, Insightful)
I wish they had defined "illegal, electronic counterattack." What exactly did he do? I bet he did just what any one of you would have done: he performed a portscan to see if there were any open ports suggesting a compromised system.
Re:What kind of counterattack? (Score:2, Insightful)
I too would have been interested in knowing the guidelines for these grades. Prior to 9/11/01 it is possible that the systems were looked at in a much less crucial manner, whereas after 9/11/01 those reviewing the systems may have been much more critical. This would cause the grades to drop when the systems actually remained at the same level of security. - Henry Smith
Be careful (Score:3, Insightful)
The DoD's had its fair share of smudged histories. Be Alert. Keep your pistol handy.
Yes, you can be useful in combatting terrorism. Just make sure you know where the line is getting drawn and be on the correct side of it.
And realize that some of combatting terrorism may go against projects you've been supporting, like anonymous remailers, strong crypto for everyone, anti-censorship protections, and the elusive set of projects working to enable dissidents in countries such as China to safely communicate with the outside world. These and other tools can also be used by the bad guys, and will no doubt become targets.
Re:Be careful (Score:3, Insightful)
Good intentions can turn around and bite you on the ass.
Management style... (Score:2, Interesting)
In my brief stint at a Panasonic refurbishing depot, the management there also had the same policy.
"My door is always open, as long as you never walk in, it will remain so."
"First rule of management; EVERYTHING is your fault" --Hopper, A Bug's Life.
(note: misfiring neurons due to my son startling me awake at 5am. sigh.)
An observation (Score:1)
Seems to be indicative of Microsoft's sense of self-importance and the DOD's sense of self-security...
-Chardish
Doesn't surpise me but... (Score:2, Interesting)
We don't have our noses buried in books and reading the "latest and greatest" security information for no reason.
Iraqi Geekettes (Score:2)
Now, we all know that geeks don't like girls except for the electronic kind so there is no danger of Iraqi geekettes showing their favors to Western geeks thereby offering them a better deal than they have gotten in the West -- particularly not when the likes of Jon Katz are granting the Western geeks the favor of writing stuff about the wonders of globalization of the West at which geeks are allowed to gawk for simulated exhilaration.
Re:Iraqi Geekettes (Score:2)
Something replied: Wrong. They would have to teach women how to read, let alone teach them computing.
Oh, but of course -- how could I have overlooked the fact that the Iraqis have no biological weapons programs... and even if they did, Western geeks are, as we all know, so demanding in the standards they apply to females they would deign to touch that they would insist not only on literate girls fawning over them as they program Perl or play Quake III -- but on girls who look like Lara Croft and can whip out a buffer-overflow exploit after hot sex and show it to him for his approval before the geek falls asleep.
big deal (Score:1, Insightful)
Systemic Problems (Score:5, Insightful)
Another problem is the civil service. You can have someone rise from a computer background to head a major department responsible for all IT and Telecomm issues that can barely use an e-mail client and can't explain one difference between ISDN and POTS. Then, they hire based on longevity. If you show up with the qualifications for a GS-9/10/11 position but haven't been in civil service, don't even think about it. Come in as a 4 or 5 and work your way up. Those inside the system feel that the higher position should be theirs by virtue of having "put in their time". Promotions should be based on how long you've been in the system, not whether or not you can do it. My wife, who was in the civil service, was once warned not to even think about applying for a specific position. Despite having a degree in the field and current certifications (medical field where those things frequently mean something) she hadn't been there long enough to deserve to apply for it. The woman who warned her used to have current qualifications, but had stopped bothering to stay current over 10 years ago. Nor attend any sort of training or classes to at least stay up on developing techniques. Not smart in any field. This sort of personnel system doesn't encourage people to stay or even to try to hire on. At this particular installation, those of us that could move on, did. Oh, did I mention that the pay isn't one of the more enticing features? I started at a large corporation making more than the director of that organization. Not that I make that much, they make that little.
Let's see, forced system architectures from the top down. A system that rewards longevity at the expense of competence. No central policies to control and/or coordinate at the command level, let alone service level, let alone within the civilian side of the house. And an incredibly low pay scale. I can't imagine why there would be any deficiencies. The good news is that there still exist some competent, dedicated people within this structure. Which is why any of the networks and/or machines passed at all.
NT Policy == Fraud, Waste and Abuse (Score:1)
The decision to use NT over viable alternatives such as UNIX or Novell could certainly be questioned.
Waddaya mean password is a bad password? (Score:4, Insightful)
While I have to believe the "really important super-secret stuff" is kept safely locked away by geeks wiser and smarter than us, it cannot come as a surprise that the state of government computer security is about the same as security on the internet at large... it mostly sucks. Why? We can blame the software companies that release easily exploited code, and maybe we should start making them more accountable, but as long as people keep picking dumb passwords, administrators keep letting them, and they in turn keep following poor practices (fricken clear-text password lists!?!), then this what happens.
Re:Waddaya mean password is a bad password? (Score:1)
Jeremy
What if... (Score:1)
If it involved lives I'm sure morals would win in the majority of cases.
But what if...
Re:What if... (Score:1)
Let's continue that scenario a little.
If it involved terrorists trying to get in DoJ computers, the choice is probably 'do it or die.' All they have to do is find one nerd who feels his own life is more important than the DoJ computer system and they are in. Doesn't sound too hard...
The reality check (Score:2, Interesting)
The Emperor has no clothes, gentlemen, and I have no sympathy for ANY Government network that gets hacked, when it could have been prevented.
That's bad news... (Score:1)
Damn. I knew computer AI was not advanced enough to simulate real intelligence, but I thought by now computers would be smart enough to pass a hacking test, since the pseudo-intelligence required to perform as well as script-kiddies is so low. But some Israeli firm even claimed to have a computer which was as smart as a 2 year old. I guess give that child/computer 10 years and we'll be there.
The report itself (Score:3, Informative)
http://www.gao.gov/new.items/d02231t.pdf [gao.gov]
Skript kiddie weapons? (Score:1)
Federal courts (Score:2)
Guess what systems have been widely infected by Code Red. And Code Red II. And NIMDA. These are organizations who are expected to serve a public trust, and who are DEPENDENT on their web servers to stay up. Not only do they fail to keep up with security patches (Code Red), they fail to apply patches when it becomes obvious they've failed to do so (Code Red II). They don't even apply patches or take servers offline when they've been rooted (NIMDA).
I couldn't figure out where all the Code Red etc. worms were still coming from until I discovered this while working with an attorney to file a brief with an infected court system. Your tax dollars at work.
Re:Federal courts (Score:1)
And then to the masses! (Score:1)
If a hacker were to access the Gov systems, extract the information they wanted and then, with the increasingly more intelligent virii/worms being developed, attach the information to a worm and set it loose in the wild. The virii/worm wouldn't even need to be malicious. Imagine the ramifications of someone obtaining 'real' governmental Area 51 information or President Kennedy assassination cover-up documentation and distributing it.
The information alone could cause a government breakdown from within the US and distrust in our leaders.
The potential problems of anything less than an A+ could be severe! - Henry Smith
F is for ... (Score:2, Interesting)
I can't say I'm surprised... (Score:1)
Really!? (Score:2)
My guess is, they may have hacked into a few desktops running winders, but getting into shell.int.us.mil is still relatively difficult.
This is surprising why? (Score:2)
Well, when you're tapdancing through a minefield, you shouldn't be surprised when you wind up legless.
~Philly
Re:This is surprising why? (Score:1)
Take it from someone who is in a GAO audit. (Score:1)
Typical! (Score:1)
Re:Typical! (Score:1)
Atypical! (Score:1)
Second, 305 is about 600% more than 43. You can say it's 7 times as many, if you're trying to be honest.
Third, the U.S. government maintains far more hosts on the 'Net than the U.K. government does. Netcraft [netcraft.com] records only 1073 web sites in gov.uk, and 6290 -- that's nearly 5.86 times as many -- hosts in
I don't claim the U.S. is a whole lot better at securing their hosts than the U.K., but the converse is certainly unsupported by the evidence.
Demonizing Government IT? (Score:1)
Now, in the post-September 11 landscape, this report hits the streets. Do you think the GAO had time to go and do a complete survey in the last two months? No. The legwork for most of this report was probably done this year, but I think the government's views have changed, at least on the higher levels, since 9/11.
Are there still sites which put their password list within view of the computer? Yes. Are there lazy or slothful admins in government service? Yes. Are there good and secure networks within the government? Absolutely. Are there similar problems in the civilian market? You betcha.
As I said, I was laid off from a telecom. I have seen, since 9/11 that the government is hungry for security folks. The civilian market seems to be taking the approach that if they don't change the status quo, they are safe. There has not been much change in the requirements for security folks, where the government has seen the light.
The other thing I have seen is that your biggest problem is with upper management when it comes to security. Even if they do sign the checks, they are also the ones who feel that the rules don't apply to them. They think that it's the rank-and-file's problem, and that they are above the law. User education is hardest in dealing with upper management.
All in all, I think the government is moving in the right direction. I wonder about industry...
timothy, timothy (Score:2)
Don't you mean 'cracker test'?
(Woot, now my
Re:timothy, timothy (Score:1)
The language changes, ESR notwithstanding. Get over it. There's nothing sillier than geeks trying to be pedantic about usage. (Oh, and let's not forget what a geek is.)
Solution (Score:1)
This implies that people don't think when they choose their password.
Fact: People are lazy.
Fact: "1234" is a helluva lot easier to remember than "jE9kNq^"
Thus stupid people choose stupid passwords.
Quick Fix:
Access Card, Fingerprint ID, Retinal Scan, Voiceprint ID, Facial ID, or combination thereof.
If you're working for the department of defense and have information worth protecting, the least you could do is swipe a card and say "Hello, My name is ______ ____, My voice is my passport, verify me" before using your computer. Then only people as smooth as the guys in Sneakers could crack it.
Working in the DoD (Score:1)
What OSes are the government sites using? (Score:1)
1: How much is spent on computer security.
2: Salary of these so called admins for these networks.
3: What OSes the government has standardized on.
4: To determine if one OS is better than the other.
Since each different division uses different software, which OSes are the least vulnerable and start converting to those OSes.
Another thing that should be pointed out is that the departments that got "F" marks should suspend/fire the admin without pay or at least get a new admin and send the current admin to a 1-2 year course on the specific platforms.
Another thing I have noticed is that there really are NO security schools to help admins get a better knowledge of securing OSes. Maybe this idea can be a new niche market for anyone out there interested in teaching computer security.
Re:What OSes are the government sites using? (Score:1)
Diceware! (Score:1)
I don't see why computers don't all come with a diceware program or a pronounceable password generator. Random, secure passwords are pretty easy to come by, assuming
I could come up with a good 2,048 word list off the top of my head, which would mean 11 bits of entropy per word. Random capitalization of the first and last letters means 13 bits per word. That's five words for about the strength of 64-bit encryption. Anyone should be able to remember 5 words. Assuming account lockouts for 15 minutes or so after 3 failed logins, this should be sufficient. Of course, Windows networking sends salted hashed passwords in the clear, right? That would mean you probably want at least about 80-bit strong passwords.
I really need to just sit down and write that password generator I've been meaning to get around to. The hardest part is the 2,048 word list.
see diceware [diceware.org] for a simple way to generate secure passwords.
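The entropy arithmetic in the post above, worked as a small Diceware-style generator. This is an added example, not the poster's program or the diceware.org code; it assumes a constructed 16-word list standing in for the 2,048-word list, and takes the list size as a parameter so the 11-bit and 13-bit-per-word cases (and the 80-bit target) can be checked directly.

```python
"""Diceware-style passphrase generator with entropy accounting.

Added example, not the poster's program. SAMPLE_WORDS is a constructed 16-word
stand-in (4 bits/word) for the post's assumed 2,048-word list; the entropy
functions take the list size as a parameter, so the real list's figures can be
computed without reproducing it here.
"""
import math
import secrets

# Constructed stand-in list. Only the list *size* matters for entropy. Every
# word has at least two letters so the first- and last-letter case flips are
# two distinct, independent coin flips.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "harbor",
    "ingot", "jasper", "kettle", "lumen", "marsh", "nickel", "orbit", "pylon",
]


def bits_per_word(list_size: int, capitalize_ends: bool = False) -> float:
    """Entropy contributed by one uniformly chosen word.

    log2(2048) = 11 bits. Randomly flipping the case of the first and the last
    letter adds two independent fair coin flips, i.e. 2 more bits (13 total).
    """
    bits = math.log2(list_size)
    if capitalize_ends:
        bits += 2.0
    return bits


def passphrase_entropy_bits(list_size: int, num_words: int,
                            capitalize_ends: bool = False) -> float:
    """Total entropy of num_words independent draws (5 x 13 = 65 bits)."""
    return num_words * bits_per_word(list_size, capitalize_ends)


def words_needed(list_size: int, target_bits: float,
                 capitalize_ends: bool = False) -> int:
    """Smallest word count reaching target_bits (80 bits -> 7 words at 13/word)."""
    return math.ceil(target_bits / bits_per_word(list_size, capitalize_ends))


def random_case_ends(word: str) -> str:
    """Upper- or lower-case the first and last letters independently (2 bits)."""
    if len(word) < 2:
        raise ValueError("need at least two letters for two independent flips")
    first = word[0].upper() if secrets.randbits(1) else word[0].lower()
    last = word[-1].upper() if secrets.randbits(1) else word[-1].lower()
    return first + word[1:-1].lower() + last


def generate_passphrase(wordlist, num_words: int,
                        capitalize_ends: bool = False, sep: str = " ") -> str:
    """Draw num_words uniformly using the OS CSPRNG (secrets), never random.*.

    Duplicate entries would silently shrink the effective list size, and with
    it the entropy the arithmetic above promises, so they are rejected.
    """
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words shrink the effective list size")
    chosen = [secrets.choice(wordlist) for _ in range(num_words)]
    if capitalize_ends:
        chosen = [random_case_ends(w) for w in chosen]
    return sep.join(chosen)


def expected_online_guess_years(bits: float, guesses_per_lockout: int = 3,
                                lockout_minutes: float = 15.0) -> float:
    """Years to search half the keyspace under the post's lockout policy
    (3 attempts, then a 15-minute lockout).

    Contrast: an attacker holding a captured password hash is not rate-limited
    at all, which is why the post wants ~80 bits if hashes cross the network.
    """
    lockouts_per_year = 365.25 * 24 * 60 / lockout_minutes
    guesses_per_year = guesses_per_lockout * lockouts_per_year
    return (2 ** bits / 2) / guesses_per_year


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 5, capitalize_ends=True))
    for cap in (False, True):
        print(f"2048 words x 5, case flips={cap}: "
              f"{passphrase_entropy_bits(2048, 5, cap):.0f} bits; "
              f"{words_needed(2048, 80, cap)} words reach 80 bits; "
              f"{expected_online_guess_years(passphrase_entropy_bits(2048, 5, cap)):.1e} "
              f"years to guess online at 3 tries / 15 min")
```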
Shouldn't there be a filter against this? (Score:1, Interesting)