Is it Just Me, Or Is Our Mainframe Missing? 606
xnuandax writes "Here's a salient lesson for those system security personnel who spend their time fretting over the theoretical crack-ability of their 1024 bit encryption keys. Australian Customs have recently suffered a rather unfortunate set back in their "War Against Terror" with the admission that two of their secure mainframe servers have been wheeled out of the building by persons unknown. I'll bet my $2 that the root password on those boxes was 'trustno1'."
This is what happens ... (Score:5, Funny)
Check for neck-mounted bomb collars too... (Score:4, Interesting)
Re:This is what happens ... (Score:2)
What really happened (Score:5, Funny)
This [mplug.org] is what really happened to them.
(That's a link to a 5MB mpeg, please be gentle, mirror and post a link!)
Mirror 1, please don't kill me (Score:3)
Re:This is what happens ... (Score:2)
Re:This is what happens ... (Score:5, Informative)
Many restraunts do that. You work, you get $2.25/hr (or whatever the boss is nice enough to pay you). So in most places, the staff are very dependant on your tips.
I tip 20%, and then adjust by service. If the service seriously sucked ass, you may get nothing. If you were really good, you may get 20% rounded up to the nearest $10. ($85 dollar meal would get a $20 tip). Knowing most people are complete idiots who don't tip for good service, it's worth it for me for two reasons. 1) they deserve decent pay if they did a good job. 2) I expect good service next time I come in, and will probably get it. Usually if I tip well and come back another day, I get better than average service. Places I go regularly, I don't have to ask for my drink, they'll have it ready by the time I'm seated.
But, tipping doesn't excuse impoliteness. Well, you probably wouldn't get a tip if you're looking at all your customers saying "What kind of idiot....", but the polite waiter gets pleases and thank you's, and a good tip.
But in some parts of the world, this isn't expected or acceptable. I gave a taxi driver in Europe a $10 tip for getting me from point A to point B in no time. He was polite, held the door for me, yada, yada, yada. He was completely flabergasted that I gave him anything extra.
In New York, I gave a taxi driver $20 for getting me from Times Square to the WTC [mapquest.com] in less than 5 minutes. Of course, stop lights and lane markings are frequently meaningless, so that helped accomplish the time.
In some US cities, you may be lucky the car doesn't hit you driving away if you don't tip.
Flight attendants don't take tips, and get offended when you offer one. I haven't quite figured that one out yet. If I buy a beer from a fight attendant, they are the bartender, and the bartender always get tipped.
So, maybe in the UK you don't take tips, fine. In some countries it's most of the money that they make. In some jobs it's the majority of their paycheck.
I don't tip because I have extra money. I tip because I've worked just about every shit job there is at some point in time, and can completely relate to them having to deal with asshole customers every day who think that $2.25/hr actually pays the rent in most metro areas.
Re:This is what happens ... (Score:5, Informative)
In Japan, however, things are a little different. Japanese custom considers a gift of money to a stranger (so basicly tipping) to be the rough equivilent of giving money to a begger on the street. Thus the waiter who accepts a tip is implicitly stating that he does not make enough/have enough to support himself and his family. (The Japanese are very focused on the implicit meanings of things) This is an afront to dignity, pride, and honor. Tipping in Japan is not only unexpected, it's RUDE.
I honestly didn't belive the tour book when I read this. However a very polite and kind waitress in a sushi bar explained this to me while I was reeling from the 16 hours of jet lag.
Re:This is what happens ... (Score:3, Informative)
Also, don't forget that minimum tax withholding for waiters in the US is calculated on base salary plus a percentage of the waiter's gross sales (used to be 8%; not sure what it is now). This makes that $2.25 even smaller; when I waited tables, 2 weeks of full-time work would net me a $20-$30 paycheck. It also means that if you fail to tip your waiter you're actually
Re:This is what happens ... (Score:3, Insightful)
I've never been able to resolve this for one second with the notion of a Federal Minimum Wage.
Period. It's been explained to me, and I understand the economics, but I can't deal with it. Either there is a Federal Minimum Wage or there isn't.
Because restaurant people don't have to be paid the same minimum as any other labor, I am forced t
Re:This is what happens ... (Score:3, Insightful)
Slow down there, you just insulted several million americans. Did you know that in some states in the US like Florida and Ohio, federal minimum wage doesn't apply? They are paid just over $2 per hour. If they weren't tipped, they would walk home with almost nothing.
They're just doing their job, I guess you don't tip Taxi cab drivers either? The gratuity is for going above and beyond doing their job. I could just bring a person
I bet I know where those machines are... (Score:5, Funny)
Re:I bet I know where those machines are... (Score:5, Insightful)
Mainframe repairmen! (Score:4, Funny)
I kept saying that's how I'd get my SGI Onyx that way, but it never seemed to work out. Anybody that steals a mainframe is either looking to part it out and sell it on Ebay, or they are going to melt it down for the valuable metals.
Re:Mainframe repairmen! (Score:3, Insightful)
Re:Mainframe repairmen! (Score:5, Insightful)
The article "states" that, but how does anyone know? The thieves didn't give any interviews.
Re:Mainframe repairmen! (Score:5, Funny)
No you can't have it, I thought I'd just taunt you tho
Re:unused SGIs (Score:3, Funny)
Physical security (Score:5, Interesting)
Re:Physical security (Score:2)
PC (Score:5, Funny)
Thats PC for terrorist isnt it ?
Re:PC (Score:5, Funny)
Thats PC for terrorist isnt it?
That's not PC at all! It's like describing someone as Scandinavian-Russian-French.
"All you fsckers look the same to me!"
Re:PC (Score:4, Funny)
Ha ha! After reading the description of "pakistani/indian/arab", I'm betting that the person whose job it was to look after these things didn't see anybody at all.
Tell an Australian that a person from any one of these three sub-cultures stole something, they'll instantly believe you.
-- james
Re:PC (Score:3, Funny)
Re:PC (Score:2)
Re:PC (Score:3, Funny)
No no no! It's not like that at all... These men CLEARLY came from a mixed Pakistani, Indian and Arabic heratiage (20%/15%/65%, respectivly). What else are people who majored in Physical Anthropology in Austrailia going to do if they aren't going to schlep it as security guards? They have to make a living somehow, as there are only so many days that you can eat spit-roasted kangaroo in a row before you need a decent chicken wing or two..
Re:PC (Score:5, Funny)
I forget the rest, but the Australian government ends up looking like a bunch of tools
Re:PC (Score:5, Funny)
It's a slightly more PC version of the previously used description "of Middle Eastern appearance", which non-Middle Eastern people found offensive, especially those born in Australia. A more accurate description would be "two smug looking guys, each with a server on a trolley."
security? (Score:2, Insightful)
Re:security? (Score:3, Informative)
At most places, security is an underfunded joke. The only serious security that I have seen is at some military installations, where sensitive areas have MPs with weapons, who actually look at IDs and access lists, and have clear orders to shoot any idiot who tries to breeze through th
Those pesky Pakistani-Indian-Arabians! (Score:5, Insightful)
When you're caught being grossly negligent and incompetant, blame terrorists.
Re:Those pesky Pakistani-Indian-Arabians! (Score:2, Interesting)
Re:Those pesky Pakistani-Indian-Arabians! (Score:5, Funny)
"If something goes wrong, blame the guy who doesn't speak English"
simple security procedures (Score:5, Insightful)
Simple security procedures.
Didn't anyone learn anything from losers like Kevin Mitnick?
Re:simple security procedures (Score:5, Insightful)
Nope. if they did social engineering wouldnt be as easy as it is, and believe me it is EASY. i work for an outsourcing company (3000 employees, dual OC 192 connections, and two brand new V880's) and they dont employ ONE security person, they have no security policy. and we are doing work for some of the top companies in the telecom/datacom industry. amusing from my perspective anyway.
Comment removed (Score:5, Interesting)
This means that (Score:5, Insightful)
How well does your company pay their cleaning/janitorial staff? Suppose a coworker went into your cubicle and called IT from your phone -- how would security find out who did it?
I would assume that they would need to see your ID (as well as you) before resetting your password. If that is too burdensome, then have a system in which you contact your manager or HR. One of these can then log in through a secure connection and file a password reset request with your ID to the remote IT support site. The fact that they are logged in (with their password) at least ensures there is a starting point for an audit, and the odds of impersonation are less likely.
Re:This means that (Score:5, Insightful)
He didn't claim his security was perfect. There's always a way around security; mere existance of a way around it does not automatically mean its worthless. It raises the bar, I'd bet money it provides a paper trail, and as long as the employee isn't on vacation, the employee will detect it when they try to login next and can't because the password changed. (Detection isn't instant but should average less then a day.)
I post this because this is one of the common mistakes made in security, not doing a risk analysis and just assuming you need "more". I strongly suspect that unless the grandparent poster is working for the NSA, that they've successfully raised the bar past what anybody who cares can hurdle. Spending more on a more restrictive regime would just be a waste of money.
Re:simple security procedures (Score:5, Interesting)
stole this idea from Peter Kay's Phoenix Nights... (Score:2, Funny)
overalls!?
My IT team did that once. (Score:5, Informative)
it was the NEXT DAY before any inquiries came in.
Oh, they also used the signs on the buildings you could see through the windows as admin passwords.
Experience in post 9/11 NYC (Score:5, Insightful)
So... I walked into see my customer. I was surprised a the new security in place. I showed my company badge, signed in, and was lead to a desk under a sign marked "High Value Transactions". Plopped me right down in front of a terminal. I was really confused. The setup was totally different than what I was expecting from previous visits. So I started looking around for people I knew, etc... After about 10 minutes I realized I was in the data center for the WRONG company!
So I got up and left. I have no idea how long I could have stayed there, or what I could have done. I suspect that if I had gotten out a screwdriver, I could have likely started shopping for hardware.
Moral of the story: chaos breeds insecurity, and an "official" plastic badge with your picture on it is shockingly powerful.
Its not just what was taken... (Score:5, Interesting)
From my perspective as a former sysadmin/security guy, how could someone not notice that 2 main fileservers were suddenly offline? Alarm bells should have been ringing the second they came offline. Where's the monitoring? I suppose at the very least that its a kick in the ass to anyone who thinks that physical security and good procedures are any less important than firewalls and network intrusion detection.
Re:Its not just what was taken... (Score:2)
You mean it was all stored on the hard drives of the stolen computers?
Re:Its not just what was taken... (Score:2, Interesting)
[The representative] said the stolen servers did not contain sensitive information.
"They did not contain any personal, business-related or security information, and they are not servers that are used to communicate with law enforcement or security agencies," [she] said.
Re:Its not just what was taken... (Score:5, Interesting)
Because you'd expect them to say anything different? Hell, the theft took place on the 27th of last month and since then the very woman whose job it is to ensure physical security of the site has been involved in a Parliamentary review of National security. She managed to appear a few times and didn't mention the theft once.
The short answer is that they'll tell you nothing if they think they can get away with it, then tell a lie when caught out telling nothing and then when caught lying, they'll claim they had to lie for the protection of "National Security".
Biggest security hole in any corporation... (Score:5, Insightful)
On the same note, people inside an organization are often responsible for hacks, stolen information, and other things since they have the keys already!
It just goes to show the weakest portion of any system is the people.
Re:Biggest security hole in any corporation... (Score:5, Interesting)
Re:Biggest security hole in any corporation... (Score:3, Funny)
Re:Trump Card (Score:3, Funny)
Fortunately, he had a change of heart later
Re:Biggest security hole in any corporation... (Score:3, Funny)
crosshead screwdriver and a coil of cat5 (Score:3, Funny)
Re:Biggest security hole in any corporation... (Score:4, Interesting)
Yeah, typical (Score:3, Funny)
Re:Yeah, typical (Score:3, Insightful)
Oracle's default SYS password is change_on_install. You'd be surprised at how many people will type that every day, and not change it.
Possible Scenario (Score:5, Funny)
*slams hand down to hit Enter key*
*hits bare desk*
Well done Timothy (Score:2)
Re:Well done Timothy (Score:2)
Reminds me of the story (Score:5, Funny)
TWW
Re:Reminds me of the story (Score:4, Funny)
"He's not our dad. He just asked us if we wanted to come in and have a coke"
Are your backups encrypted ? (Score:5, Interesting)
A good sysadmin has all important stuff backed up. And if you do it properly the backup is sent to a offsite location. Isn't it easier to steal those backup tapes or discs? If you are lucky the outsourced company doesn't even notice the theft or someone who does not want to loose his job does not tell anyone.
So my question is: Do *you* encrypt your backups?
Re:Are your backups encrypted ? (Score:3, Interesting)
I run several GB of postgres dumps through GPG before they hit the disk every night. They are then shipped off with rsync. Anyone want to receive a copy of my sensitive databases periodically (just over 2GB nightly)?
And no, I don't believe it's impossible to break GPG, but the goal was to be able to put them wherever I wanted them without worrying much about how they got there or whether they leaked.
No official BS (Score:5, Insightful)
As we can see it's a well-planned action, and there's almost no way to sell the two mainframe for good profit. The major cost center of a mainframe lies mainly in the operational and maintanence, which are not applicable to stolen hardware.
Obviously, their target is the data within. If the authority do not start investigating what information the thieves are looking for and the possible use of the information within the stolen hw, the consequence might be very serious.
No more official BS. Do something before too late.
Re:No official BS (Score:5, Insightful)
1) If it was a mainframe there'd be no point stealing the CPU, there's no hard drives in it, you need to take the DASD.
2) If it was a mainframe CPU and/or DASD 2 guys couldn't hack it - you'd need a crane or possibly a forklift- if it's a small box. They are big+heavy.
3) Of course the bigger mainframes are water cooled as so they'd need more time for the plumbing or someone would have noticed the leaks...
The article says they were let into the mainframe room and put the computers on trolleys, then later they refer to "mainframe servers". It doesn't add up-what a surprise the reporting is vague.
Still, in my opinion (fwiw) the most likely thing stolen is big HP/IBM/DELL servers. These are often put in mainframe rooms to take advantage of the (ha!) physical security, air-con and halon systems. You'd also be a lot more confident of being able to actually hack in to one of these, without the dedicated power supply and other costs you mentioned.
they didn't need that server anyway (Score:5, Interesting)
So, the servers had neither personal nor business data on it. So what's left? The server must have been empty then, good riddance.
Re:they didn't need that server anyway (Score:2)
Still a damn expensive thing to lose.
Are you telling me... (Score:2)
the problem... (Score:2)
How are secure mainframes for national security without any top secret data. Do the Aussies allow their public officals to play Quake on govt machines? Come on, everything is clasified because it leads to something else! Maybe it only had names and addresses of terrorists [better yet, just t
Covering their arses (Score:3, Insightful)
They've got to be kidding.
IMHO there should be some investigation into this level of incompetence. Procedures should be in place and followed. If procedures were followed, the person responsible for security (and the procedures) should be put out on their arse with zero chance of another job in security. If procedures weren't followed, the staff that didn't follow them should get their arses kicked.
Re:Covering their arses (Score:4, Insightful)
No one will lose their job. Bureaucrats are good at setting it up so that everyone is doing their job perfectly well and can only be complemented on their good work even though everything is fucked up beyond belief.
How mwny american civil servants lost their jobs because of 9/11 (except the ones who actually tried to warn people). So why would a little mainframe theft lead to dismissal.
Maybe they were just for decoration? (Score:2, Funny)
Okayy.... So just what was on them, then? Somebody's pr0n collection?
Re:Maybe they were just for decoration? (Score:5, Funny)
Okayy.... So just what was on them, then?
They were completely empty. Completely. They never were used to and never inteded to be used, ever. Ever. Seriously. They were shut off since they were bought in 1982 and never, never, ever used for anything secret or anything. Especially not for anything secret at ALL... I SWEAR! This is a complete non-story, please stop asking about it. Nothing to see, nothing to write about, just normal EDS maintence contract gone wrong on some completely unused servers, pretty standard stuff. Here, look at the monkey.
Relax (Score:5, Funny)
Not Mainframes at all (Score:2, Interesting)
No mainframes were taken... they were two win32 computers taken from a semi secure? area.
I'm a little happy that they didnt leave a bomb in place of the two bombs that they took.
And a word of praise for the IT support staff. They had our systems back up in no time at all.
How is this unusual? (Score:5, Informative)
It was only on the second last day that someone questioned my actions. Until then, nobody thought twice about an unfamiliar person sauntering up their desk, unplugging their desktop PC, and walking off. Because the old PCs were so dusty, I wasn't even wearing my normal business attire -- instead, I was wearing jeans and a t-shirt.
This is by no means unusual. I've been to places where the IT employees did not know which servers do what, how many servers they actually have, or what the passwords are. In a place like that, a missing server may not be noticed for days!
Re:How is this unusual? (Score:3, Interesting)
Re:How is this unusual? (Score:3, Insightful)
Oh,
that sounds like a place I worked once. The DBA and I were joking that we could just roll out the main database server and put something cheap like a desktop PC in the backend, nobody would know, because besides him and me none knew what we were doing nor on what har
Re:How is this unusual? (Score:4, Funny)
Not in quite the same league as walking out the building with a server, but it still took a special brand of stupidity to forget to put a door in the new wall... :)
Re:How is this unusual? (Score:3, Interesting)
Screw a server, we're talking probably a quarter million dollars in equipment, given how the military does busi
They don't even know what was on these computers (Score:3, Funny)
Really? Then what the hell were they for?
They say
"They would have personal internal email accounts, probably the passwords for those accounts, and any information harboured within them.
hmm. 'personal email' sounds like personal information, and probably business and security related too. But then say:
The Australian Customs Service has admitted the security blunder, but told customs officers in an email that no sensitive operational information was lost.
So I guess they're just using their mainframes to advertise penis enlargement pills
"Customs officers use the accounts to communicate volumes of sensitive operational material and intelligence to each other, including information from other agencies such as AFP and ASIO. This would be at risk."
I give up.
Well even Microsoft... (Score:3, Informative)
It's been a while hasn't it? (Score:5, Funny)
Are you sure... (Score:5, Funny)
(Google for heist60.mpeg if above if slashdotted)
Mainframes or file servers? (Score:5, Insightful)
If, however, one or more of the systems was a RAID or some such data storage system, then the Custom's people are (as expected) lying through their teeth. The next question would be whether or not some form of encryption was in use (fs or application level).
Hey Look It Wasn't Stolen (Score:5, Funny)
Maybe they were repossesed? (Score:5, Interesting)
It was in a central room, which had one door and no windows. The door opened to a hallway. From that hallway, you could either go out past the receptionist, past one of the company founder's office, to get out the front door, or you could go the other way, past my office, and the offices of a couple other programmers.
We noticed the machine missing at noon. It had last been used at 11am. Between that time, the receptionist had been on duty, the founder had been at work in his office with the door open, and four programmers had been at work with their doors open, facing the hallway.
There had been the usual bathroom breaks, trips to the printer, and stuff like that, but still...it seems like it would require amazing timing to find an opportunity in there to sneak the thing out...and there was no vantage point outside the building from which one could see that the route would be clear.
Re:Maybe they were repossesed? (Score:3, Insightful)
I'd say the repo guys had access to a fully functioning matter transporter.
Heh... (Score:5, Funny)
I live and work in a certain large Far Eastern city, which has quite a few major financial institutions.
Several of these institutions use Sun hardware.
One of these institutions found that on Monday morning, their production system didn't work.
A bit more investigation found that the CPUs (8, IIRC) had all been removed. Apparently, someone walked in over the weekend and then walked out with several thousand dollars worth of UltraSPARC IIs under his arm.
They made a bit of fuss about this, boosted their security, and bought a bunch of new CPUs.
Then, a couple of months later, they found that their production system wasn't working on a Monday morning...
Three words (Score:3, Funny)
This happened to a customer of ours. (Score:5, Interesting)
Two men dressed as couriers wandered into the reception, said that had a faulty machine to pick up, were let into the machine room, and walked out with the 3000 file server.
It took the network admin over an hour to realise that the server had been taken - they had even logged a fault call with us stating that users were having problems accessing their data.
ROFL (Score:5, Interesting)
For those that dont know Snow Hall is a tech training center and has 24 hour security and video cameras. The machine was quite large and bolted to the floor and since it was the day before payday it was full also. 250k was in it I believe.
Only bank robbers I know of that got away with it AFAIK.
Outsourcing and security (Score:5, Insightful)
Another reason you should be damn careful about how you outsource, who you outsource with, and the security involved. People need to know who they're really dealing with and how to check.
My personal experience (Score:3, Insightful)
The key: just look like you know what you are doing.
East Timor, Afghanistan, Iraq.... (Score:2)
Our army seems extremely professional. First rate SAS troops, a reasonable knack for peace-keeping and even some cool (if obvious in hindsight) gun technology [blogspot.com].
Re:Australia (Score:5, Funny)
Afganistan: Australia's Special Air Service was there, saved a few yanks in a downed helicopter. The American soldiers seemed to thing these Aussies were all right.
Iraq: Australia sent 3 boats and about 2000 special forces personell. Did a lot of (if not all of) the ground based reconisance, plus about half the search and rescue missions.
East Timor: Liberated the poor little country from the Indonesians and wiped out the resistance. Free elections were held for the first time.
Indonesia: Sent Federal Police over who "helped" with the investigation into the recent Bali Bombing.
North Korea: We'll Be There!
Iran: Be a walk in the park!
Saudi Arabia: Hey, we all like cheap petrol!
Plus there's the fact we're all reasonably well off here in Aus, excellent education and health systems, great democratic political system, fair moral sense.
So you can see there's a few reasons the terrorists might not like us, although, if they do come here, we can easily melt their hearts with our koala bears, or melt their skin with our radiant sun
Re:Australia (Score:2)
Re:Ack! (Score:5, Funny)
Liar. I've seen your password. It's eight asterisks.
Re:Missing Servers (Score:3, Informative)
Since when??
Region Free DVD players are legal in Australia (Thank you Alan Fels!!)
Re:Like my sneakers? (Score:3, Informative)
Yes!
You win the prize, a decrypted 8-bit character!
Here you go: @
And everyone's right about the moderators. They screwed the pooch on this one. Metamods, go remove their mouse fingers.
What Indeed... (Score:3, Funny)
Then he'd problably add, "Crocs rule!"
Virg