Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Operating Systems Software

How The NSA Secures Computers 209

An Anonymous Reader wrote to mention an NSA site covering secure configuration guidelines for a number of operating systems. From the site: "NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products."
This discussion has been archived. No new comments can be posted.

How The NSA Secures Computers

Comments Filter:
  • Great Idea.. (Score:3, Insightful)

    by digitallystoned ( 770225 ) on Sunday October 30, 2005 @03:13AM (#13908067) Homepage
    Leave it to the government to tell us how to secure our computers so they can tap into our data later through some backdoor. Good read, except all they really had to say was 'disconnect your computer from the fucking internet'..
    • Re:Great Idea.. (Score:4, Insightful)

      by aussie_a ( 778472 ) on Sunday October 30, 2005 @03:16AM (#13908074) Journal
      Good read, except all they really had to say was 'disconnect your computer from the fucking internet'..

      Uh-huh. And there comes a point where security impinges on usability to an unsatisfactory degree. Sure, not having your computer hooked onto the net will make it incredibly secure compared to if it were hooked to the net. But if you need to use the internet, then this level of security makes it unusable.
      • Uh-huh. And there comes a point where security impinges on usability to an unsatisfactory degree. Sure, not having your computer hooked onto the net will make it incredibly secure compared to if it were hooked to the net. But if you need to use the internet, then this level of security makes it unusable. True, but thats basically what the NSA says in their 143-page document from 2003 (which misses, oh, ALL of the patches to XP, for example)... Maybe they released this information as a conspiracy to the UN
      • I just installed Windows Server 2003 Enterprise, and when I went to use Internet Explorer to download some drivers, it was even more annoying than it usually is: Server 2003 has some "enhanced security" option enabled for IE, which basically makes it so most or all web sites break. And you get to look at a large "warning! Enhanced IE security is on" message every time you go to a URL. I eventually completely uninstalled this "enhanced security" because it made it impossible for me to get anything done.
        • Why couldn't you get anything done? The only place you should be 'surfing' on a MS server is to the manufacturers website to download new drivers, or the OS/applications makers website to download patches. You just add those websites to your whitelist, and your done.
    • Re:Great Idea.. (Score:2, Insightful)

      by LnxAddct ( 679316 )
      Except that if you RTFA and looked at the history of the NSA, they've been pretty up front about security. They don't tell us everything they know, but what they do tell us has always been credible and useful (i.e. making SHA more secure without actually telling us how it worked). This guide is for everyone, including securing government systems, those same systems that may need to securely exchange data with the NSA, Pentagon, White House, etc... The NSA has every reason to make this guide as accurate as p
    • Re:Great Idea.. (Score:5, Informative)

      by Martin Blank ( 154261 ) on Sunday October 30, 2005 @11:49AM (#13909238) Homepage Journal
      This is not remotely new. These things have been around for YEARS, and Slashdot covered them at that time [slashdot.org]. They were written for the use of other government agencies to secure their systems when using the listed products, but they also have a great deal of value to the public. They follow all the things we've been told over the years -- put up layered defenses, stop using old, broken protocols, use those with better hashes, disable unneeded services, reduce your attack surface... Or do you believe that these are things meant to make it easier for attackers to get in?

      The guides are a valuable learning tool, too, and a number of companies have followed the idea. In fact, when Microsoft wrote its own guide for securing Windows 2003, the NSA decided that it was comprehensive enough that they didn't have to write one themselves. NSA even went so far as to mirror it themselves [nsa.gov], presumably for government convenience.

      The pace of the documentation has slowed significantly; for a while, there was a new guide coming out every month or two. But every so often, they cover new topics such as evaluating wireless IDS, as well as some other more esoteric titles like So Your Boss Bought you a New Laptop...How do you identify and disable wireless capabilities [nsa.gov]. You can see a complete list of titles here [nsa.gov].

      Go try reading the original material before criticizing it. You might actually learn something and be able to earn your karma through something other than a cheap shot.
  • huh? (Score:5, Funny)

    by utnow ( 808790 ) <utnow@yahoo.com> on Sunday October 30, 2005 @03:14AM (#13908070) Homepage
    The NSA has customers? How long do you think it'll be before Microsoft tries to 'aquire' them as the latest 'innovation' in computer security? :D
    • The NSA has customers?

      Yeah, they're called taxpayers

    • The NSA has customers?
      As a government entity, and like all government entities, the NSA has been serving customers since January 20, 2001 :-)
    • Re:huh? (Score:4, Interesting)

      by bhiestand ( 157373 ) * on Sunday October 30, 2005 @10:35AM (#13908924) Journal
      The NSA has customers? How long do you think it'll be before Microsoft tries to 'aquire' them as the latest 'innovation' in computer security? :D

      I know you're joking, but I believe the intelligence community generally uses that term. Either "customers" or "consumers", as opposed to "producers", of course. I know most of the government refers to other departments, agencies, and offices as their "customers".

      From NSA.GOV on SIGINT [nsa.gov]:
      NSA's SIGINT mission provides our military leaders and policy makers with intelligence to ensure our national defense and to advance U.S. global interests. This information is specifically limited to that on foreign powers, organizations or persons and international terrorists. NSA responds to requirements levied by intelligence customers, which includes all departments and levels of the United States Executive Branch.

      And on Information Assurance [nsa.gov]:
      NSA's Information Assurance Directorate invites government employees throughout the nation to take advantage of the products, services, and programs we offer to help you secure your critical information systems. Peruse our TEMPEST product lists and descriptions to find exactly the product you need. Discover what the IAD is doing to ensure the security of the emerging Global Information Grid. Download the latest security guides, or enlist the services of IA professionals to help you engineer secure systems or assess the security of existing systems. Learn more about national-level IA programs like those available through the Interagency OPSEC Support Staff and the Information Assurance Training and Rating Program. Or register for IA-related events and conferences to get up-to-speed on the latest IA technologies. Whatever your Information Assurance needs, the IAD is here to help.

      In short, their customers include the entire military, who will receive intelligence reports that may be based on sigint information. Other customers include the state department, which might want to know if the NSA manages to get an intercepted telegram of Germany asking Mexico to declare war on America. Or maybe the president wants to know what kind of porn Usama Bin Laden likes to look at. Either way, according to their website, the NSA is tasked to do this stuff by other agencies, who then use that information to do their job. This gives them bonus points when justifying their budget, so it is the government equivalent of being directly paid to do the work. This is quite definitely a "customer".

      On top of that, since the NSA knows so much about communications, networks, computer systems, and the security of these systems, the NSA is the de facto expert, hence they're also responsible for helping ensure that government computer systems are secure. They say they send advisors to help people out, and I'm sure they have some sort of responsibility for classified networks as well. It's in their best interest if the US has a well-secured communications infrastructure. I'd say it's the digital equivalent of using a sniper as a counter-sniper. But this means the entire government is also their customer. At least anyone who needs their computers to be secure.

      So yes, I'd say the NSA has a lot of customers.

      As for the comments about "the NSA may as well have said that you should just unplug your computer from the internet", I remember an ask.slashdot question a while ago where a guy asked for advice on securing his business computers for some classification certification. A lot of the replies basically said that the computers couldn't be on the internet, period. From my past experiences with having computers online, I'd have to agree that it's a bad idea to have a computer with sensitive data on an open network like the internet.
  • by ivlad ( 646764 ) on Sunday October 30, 2005 @03:17AM (#13908076) Homepage

    ... but there are also a few guides to the applications security available: http://www.nsa.gov/snac/downloads_all.cfm [nsa.gov]

    my favorite are Cisco IOS and Microsoft CA guides

  • Crushing defeat. (Score:5, Interesting)

    by Number44 ( 41761 ) on Sunday October 30, 2005 @03:20AM (#13908084) Homepage
    As an employee of IBM (I work on enterprise storage products) I have this anecdotal story to relate:

    The NSA buys lots of our gear, the large multi-terabyte enterprise-class disk storage arrays. In the case I heard about, there were a small handful of boxes. We keep track of the code loaded on each of them for support reasons, so we have a good sense of where each box is and what it's doing.

    Our warranty on those arrays is 3 years.

    At the end of the warranty period, it is the policy of the NSA to replace the gear outright and start fresh. What we learned was, these boxes had never been put into operation and sat on their shop floor as "excess capacity" (happens in the larger shops, it's a good idea). They had never been attached as storage to their mainframes.

    The NSA crushed them. Brand new, unused and perfectly functional with ZERO data on them. Crushed to scrap.

    That hurts, guys. It really does. My tax dollars paid for them, my sweat and tears makes them run, and the gov't just hauls them outside and crushes them when they can't get support via the original warranty terms. They will never let a shred of data leave their shop for fear of losing control of classified info, but damn, these never had any!

    Why do they treat our tax money so callously?
    • by cperciva ( 102828 ) on Sunday October 30, 2005 @03:26AM (#13908102) Homepage
      Why do they treat our tax money so callously?

      It's cheaper to replace a 3 year old disk array than it is to do all the paperwork necessary to prove that it was never used.
      • ^BumP^ (Score:5, Insightful)

        by TubeSteak ( 669689 ) on Sunday October 30, 2005 @04:30AM (#13908216) Journal
        Lol, this probably isn't as far from the truth as we think.

        Part of it is that they pretty much have to spend their budget, or it'll get reduced during the next cycle.

        The other thing is, lets say that they rip out all the HD's and RAM in order to auction off the hardware... well, someone has to do that, someone has to file a bunch of paperwork (in triplicate, everything is in triplicate), someone else is going to file the paperwork that's just been generated, someone else has to make sure the HD's & RAM get destroyed, more paperwork...

        The costs can snowball very quickly. It may seriously be cheaper to de-mill the stuff and buy it again.

        • Re:^BumP^ (Score:3, Interesting)

          by Anonymous Coward
          The costs can snowball very quickly.

          I work in the French civil service, and the rule here is that we change computers every 3 years. I'm due to get a new toy in December.

          I told the person in charge that I'm happy with my current machine, and was willing to keep it. I was answered that by using a machine out of warranty, I risk creating extra hassle when it breaks down, and that the salary I'd spend on changing a disk drive would more than offset any savings.
          • Yeah, but that's not the point. The point is that why not just use it until it breaks (or it's obsolete, whichever comes first), *then* replace it. It's not a cost-saving thing really either. It's a usability and productivity thing. At my work, we're super nervous every time we do an upgrade or add new servers because the new and untested hardware may not be entirely reliable and you will never know until it's been running under load for a while.

            By that same token, we have a couple servers that date back to
        • The costs can snowball very quickly.

          Hmm.. I'm afraid I sympathize more with the original poster, since he actually did work and felt emotions about this hardware. I certainly wouldn't want to make something so that it could be destroyed, regardless of the reasons. And if the NSA has to destroy things in order to keep their budget, that makes me suspicious that their budget is too large. And something makes me doubt that the NSA has to re-defend and earn its budget every single year. It's probably more

        • Part of it is that they pretty much have to spend their budget, or it'll get reduced during the next cycle.
          Considering the fact that their budget comes straight out of my paycheck, tell me how this is a bad thing if their budget is reduced?
    • by Sycraft-fu ( 314770 ) on Sunday October 30, 2005 @03:38AM (#13908119)
      The problem is that if you start to allow some things to be sold without being destroyed, the possibility that something is classified incorrectly, and thus has data on it increases. When you are dealing with TS/SCI shit, you just don't take the risk.

      When it comes to spy games, there's no such thing as "parinoid enough".
      • Of course the obvious idea of re-positioning the equipment for less security sensitive applications like federal employee personel files, or any other of a zillion sort of sensitive data items the federal gov keeps, is out of the question.

        I can see why they wouldn't want it on the open market, but it is hard to see other branches of our gov as the "enemy".
        • Very simple government rule covers this.... Once it has been designated for one security clearance level you may NEVER designate it for use in lower classification level system, though it can be used in an equal or higher level system. And once its in an agency, its way too much of a hassle to share with a different branch, department or agency (the paperwork would eat up any cost savings).
        • Let's say you have equipment orignally for the NSA and it's holding the most critical secret data. It's not supporsed to be sold, but is confused for something that is. However policy says sell it only to the federal govrenment. So it's sold to the IRS. The IRS uses it for non-confidental storage, not even people's information. So when they get rid of it, it's just public surplus. After all? Who cares if someone gets the data, it wasn't sensitive.

          Well some foriegn spy agency then buys the hardware, and usin
      • Beware bad players (Score:4, Insightful)

        by coyote-san ( 38515 ) on Sunday October 30, 2005 @11:15AM (#13909104)
        You don't just have to worry about something being classified incorrectly, you have to worry about bad players who deliberately make "mistakes" when declassifying hardware. That's not acceptable so you need to second- and triple-check everything, and that drives the cost way up since everyone must have the appropriate clearances, all of the paperwork is classified, etc.
    • by Sloppy ( 14984 ) on Sunday October 30, 2005 @04:02AM (#13908167) Homepage Journal
      Why do they treat our tax money so callously?
      What's to stop them? Whatcha gonna do, citizen, hold them accountable? HA! Fire them? HA HA!!
    • by Crouty ( 912387 ) on Sunday October 30, 2005 @04:20AM (#13908199)
      As your posting clearly shows even the fact that the disks were not used is an information worth keeping secret.
    • by Decker-Mage ( 782424 ) <brian.bartlett@gmail.com> on Sunday October 30, 2005 @05:39AM (#13908324)
      The problem here, familiar to anyone that has dealt with the classified security system regulations, is that as soon as that equipment went in the door it became classified equipment of some certain level. Forever after that equipment, whether it had data on it or not, is set at the level of classification, period. You can never use it with equipment of a lesser classification nor can you declassify it (which in the eyes of the requlations is using it with unclassified equipment). If you can't deal with it, sorry, but that's the way the system works and it isn't going to change as one mistake can cost not just the country but real lives.
    • I too personally think it's silly to replace computers every three years, simply because the lease and support is up. All of my x86 computers were off-lease and sold for cheap, and the workstations are the most reliable computers I've ever owned, except for one compatibility issue with one hard drive, I've never had a reliability problem attributable to the computer. I think this is one way foreign companies and countries are probably going to beat us just because all they have to do is be smarter about t
      • Your operatioin must be small, becuase in any significant number of workstaitons, things DO fail, regularly. Hardware fails, that's a fact of life, and if yours hasn't yet, that's good luck for you.

        When you have 500 or 1000 or more machines to look after, you don't want to be fiddling with old machines.. you want to pick up the phone, call dell, and have the replace the part with another new part immediately, and keep on trucking. Tracking individual repairs on a variety of hardware is a royal pain in the
    • Curious, how did you know how these units were used and when they were disposed of? I didn't think that would be information they'd share with anyone.
    • Loose lips sink ships.

      If you must talk about stuff here, do NOT say which federal agency it is.

      If you must say some thing, it is best not to be too specific as to the situation.

      If you have a difficult time not talking about something like this, then avoid the areas that piss you off so you are not tempted to post here concerning these kind of incidents.

      Yes, I know that you did not take a loyality oath, and likewise, you do not see how this info can possible be used against the feds. But even this po
    • There a lot of other good replies already posted, but I'd like to underline the potential cost in human lives.

      You could create a system that would allow hardware like this to become reused. And if it ever broke down, information improperly classified, a drive left in a system and sent to DRMO, it could cost a human life.

      They treat the money callously because it's just money. The alternative is to treat human lives callously.

      The government is doing the right thing in this case.

      If it were my money, directl
    • One of the basic tenets of security is that you don't let ANY information leak. Knowing how many machines were sold is an unavoidable leak, but knowing how many were "excess capacity" combined with that number tells you how much computing power the NSA actually uses. Double seriously uncool. If the security manager is doing his job there's going to be a random, but substantial, number of excess machines but nobody outside of the agency will know how many.

      Some classic examples of this in practice? One fa
    • That hurts, guys. It really does. My tax dollars paid for them, my sweat and tears makes them run, and the gov't just hauls them outside and crushes them ...
      You think that's tough, what about the guys who sell cruise missiles to the government?
  • guide to XP (Score:5, Funny)

    by briancurtin ( 901109 ) on Sunday October 30, 2005 @03:21AM (#13908087)
    the guide to securing Windows XP is actually a link to http://distrowatch.com/ [distrowatch.com] so you can choose one of the many different options they have laid out for you.
  • NSA guidelines (Score:5, Interesting)

    by Phroggy ( 441 ) * <slashdot3@NOsPaM.phroggy.com> on Sunday October 30, 2005 @03:22AM (#13908095) Homepage
    I've read through the NSA's guidelines for securing Mac OS X before; as I recall their instructions included things like deleting the audio input drivers, so software can't record audio in the room by using the built-in microphone. Interesting stuff.
    • Re:NSA guidelines (Score:5, Interesting)

      by hughk ( 248126 ) on Sunday October 30, 2005 @05:24AM (#13908296) Journal
      Many years ago, there was an issue on Sun workstations. The audio driver was world readable by default so code running on your workstation could literally "bug" you.
    • Nonsense (Score:2, Interesting)

      by marat ( 180984 )
      If I own your machine, is it hard for me to install drivers back? Is it hard for me to hide the fact of installation? Is it hard for me to access hardware directly if I'm really after you? This is a good example of advice giving false sense of security. If their other advices are really like this your country is in a big big trouble.

      Just as an example in the computer class of my university they tried to deny us access to floppy drives by clearing FDD type in BIOS and setting the BIOS password. This didn't h
      • sure it can be gotten around with ROOT access to the system. with OSX you don't run constantly as root. just because it is possible that an attacker would escalate privlidges enough to install drivers doesn't mean you should give up and not even try to protect yourself.
      • Re:Nonsense (Score:3, Insightful)

        If I own your machine, is it hard for me to install drivers back? Is it hard for me to hide the fact of installation? Is it hard for me to access hardware directly if I'm really after you? This is a good example of advice giving false sense of security.

        Don't be silly. There are no certainties in security, just probabilities. Every obstacle you add filters out a few more bad guys who don't have sufficient time and skill to overcome that obstacle, thus reducing the probability of compromise.

  • by Splintax ( 828933 ) on Sunday October 30, 2005 @03:23AM (#13908096)
    Holy shit, have we just slashdotted the NSA? I can't reach the article.
  • Impressions (Score:3, Informative)

    by josephdrivein ( 924831 ) on Sunday October 30, 2005 @03:45AM (#13908131)
    I have read the OsX guide a year ago and everything was written there seemed obvious to me. (ie usual "Don't use rsh, use ssh" stuff or similar).

    Anyway, not a bad guide for beginners (as it's supposed to be).
  • Linux (Score:5, Funny)

    by Anonymous Coward on Sunday October 30, 2005 @03:46AM (#13908134)
    So, since the NSA doesn't provide instructions on how to secure a Linux computer, they're either saying Linux is so good it doesn't need to be secured (yay slashdot mentality) or its red commie software that no freedom-loving american would dare use
    • Re:Linux (Score:5, Informative)

      by SecureTheNet ( 915798 ) on Sunday October 30, 2005 @03:59AM (#13908161) Homepage
      The NSA has released it's over version of linux, SELinux [nsa.gov], the Security Enhanced Linux.
      • Re:Linux (Score:3, Informative)

        by laptop006 ( 37721 )
        SELinux isn't a distribution, it's a kernel patch and some utilities to enable mandatory access control. Fedora and RHEL both ship with SELinux enabled as standard, full SELinux support has just come through in debian (although much of it has been there for years).

        SELinux is a neat solution to a problem that few users have.
        • i was under the impression that selinux allowed you to make your systems a lot more secure and it really comes down to if you are prepared to take the trouble to set everything up right.
    • Eheh (Score:4, Insightful)

      by SmallFurryCreature ( 593017 ) on Sunday October 30, 2005 @05:02AM (#13908266) Journal
      I use parts of SElinux and am right now running a linux tool called foremost wich seems to be written by some part of the US airforce.

      American tax dollars hard at work to keep my socialist PC running nicely. Got to love the modern world.

      Afraid that the US goverment (the one that makes speeches) might be firmly up MS backside but the parts of the US goverment that actually do stuff seem to like linux.

  • by Anonymous Coward
    Why do we have to go hunting round 3rd parties to learn how to secure our O/S? Surely this information (in the form of clear and easy Howtos) should be given as part of the O/S package, as purchased from the vendor.
    • Actually Microsoft has had guides like these for quite a while and I've been using their guides and the ones from the NSA for years now as baselines for the networks and computer systems that I've been locking down for clients. So, I'm a bit puzzled about why you can't go to a website (Microsoft Downloads) and download them. It's not like they are hard to find. There's also a heck of a lot of this information built into the help files that come with XP, for instance, and the other MS operating systems un
  • by Anonymous Coward
    Computer secures YOU!
  • by HungSquirrel ( 790165 ) on Sunday October 30, 2005 @04:11AM (#13908180) Homepage
    If Slashdot takes down a government website so quickly, is it a threat to our national security?
  • by Money for Nothin' ( 754763 ) on Sunday October 30, 2005 @04:13AM (#13908185)

    NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products."

    No fucking shit. Suppose somebody said "let's use our resources INEFFICIENTLY! And given our title of NATIONAL SECURITY AGENCY, let's NOT PROMOTE THE BEST SECURITY OPTIONS!" Would anybody really jump up and say "that's a *brilliant* idea!"?

    Hell no.

    Look, to anybody with any common sense at all, it's implicit in any organization that efficiency is important. But so is security. So is safety. So is customer satisfaction. So is employee satisfaction. So is profit (if a private for-profit org).

    Is it *really* especially insightful to say "we should be efficient!" anymore? Or, now that 9/11 has warped our psyche to care singlemindedly about security (almost invariably at the expense of liberty), that another top priority is security? Not to anybody with a brain.

    Why do we pay people to make such broad, fucking-obvious statements again? To remind us of what we already have known since we were teenagers?

    Oh yes, I swear here and ruthlessly criticize somebody for making statements that have coincided with the goal of economy (implicitly or explicitly) for the last 230 years. Mod me troll now.
    • Or, now that 9/11 has warped our psyche to care singlemindedly about security (almost invariably at the expense of liberty) [...]

      Actually, it hasn't — 9/11 has warped our psyche(s) to single-mindedly care about *fear*, which is pretty much the exact opposite of what you need if you want security. We're all just running around like chickens scared by the hawk, and those who want to curtail our civil liberties are just using the chance to push through their legislation now, in the name of "security

      • Good distinction...

        I should've more-accurately said that our *rhetoric* is single-mindedly about security, even if our actual *practice* is single-minded fear. :-/ (guards in airports with automatic M16's will do absolutely nothing to stop any terrorist who manages to get on a plane)
  • by putko ( 753330 )
    Any instructions on what to do for the BSDs? I didnt' see anything there.

    I'm assuming there isn't much to do to OpenBSD and NetBSD.

    • Re:BSDs? (Score:3, Interesting)

      and NetBSD.

      I run two colocated web servers on NetBSD. Both are stock installations and I haven't had any problems. The one thing I would like to see change is that a single IP address can do a dictionary attack on sshd for hours on end without OpenSSH saying "ok lets not listen to that IP address for a while.

      Getty does this, or something like it, why not ssh?

      • Either a small script which parses the sshd logs or a couple of things you can find on sourceforge should do the task.
        I had a lot of dictionary attacks on my sshd. My first solution was a one hour blacklisting of every IP address which tries dictionary attacks. Now I switched to port knocking, which seems even more secure and convenient to me. I use a relatively simple port knocking sequence but that is more than enough to fight off any script kiddie.
      • Re:BSDs? (Score:5, Informative)

        by Homology ( 639438 ) on Sunday October 30, 2005 @06:35AM (#13908397)
        I run two colocated web servers on NetBSD. Both are stock installations and I haven't had any problems. The one thing I would like to see change is that a single IP address can do a dictionary attack on sshd for hours on end without OpenSSH saying "ok lets not listen to that IP address for a while. Getty does this, or something like it, why not ssh?

        Unless you have weak passwords, then this is not much of of a problem.

        In the sshd_config you may disable password logins, and login using a certificate. In addition, you may specify which users/groups that may login:

        Protocol 2
        PermitRootLogin no
        PasswordAuthentication no
        ClientAliveCountMax 5
        ClientAliveInterval 30
        AllowTcpForwarding no
        AllowUsers someuser

        Many of those automated attempts to bruteforce sshd is run from a Linux machine, so a simple fix (if you use the OpenBSD packet filter that is ported to NetBSD) is qute simply to drop all packets to sshd that is sendt from a Linux computer.

        • Re:BSDs? (Score:4, Informative)

          by Poeir ( 637508 ) <poeir.geo@yahMENCKENoo.com minus author> on Sunday October 30, 2005 @10:25AM (#13908892) Journal
          I wrote a script that did this not so long ago on OpenBSD; unfortunately, that system isn't immediately accessible. What it boiled down to was grepping /var/log/messages for any failed logins, sedding out everything but the IP address, piping the output to sort, doing uniq -c, finding any IPs listed "many" times (for whatever definition of "many" is reasonable), and then piping those IPs to pfctl to add to a blacklist. Since the logs rotate every week, if anyone tries to log in too many times, they'll be permanently blacklisted. Stick the script in a cronjob and call it good. Not exactly user-friendly to implement, but highly adaptable.
      • I run two colocated web servers on NetBSD. Both are stock installations and I haven't had any problems. The one thing I would like to see change is that a single IP address can do a dictionary attack on sshd for hours on end without OpenSSH saying "ok lets not listen to that IP address for a while.

        The delay setup you outline should not be step one but step two. The first step is to use tcpwrapper around sshd to limit your exposure. The kiddies cant do their dictionary attack if they cant reach sshd in the

  • They secure computers using SELinux [nsa.gov]
    • I used SELinux for a while. It was rather difficult to use. Setting permissions correctly was a really big pain, so we ended up turning it off. It's a good concept, but it still needs a little fleshing out.
  • by Linker3000 ( 626634 ) on Sunday October 30, 2005 @07:23AM (#13908471) Journal
    If you find the main site slashdotted, I have a link to someone hosting all the docs on their own PC - the guy's name is Frank and he works in some government office in Washington DC - you'll find all the docs in a sub-folder just next to the MP3 and porn store managed by someone called ZoM61e Kar1.
    .
    .
    .
    .
    .
    .
    .
    Note to NSA and FBI: This is a Joke. Honest.
  • by mpapet ( 761907 ) on Sunday October 30, 2005 @07:34AM (#13908485) Homepage
    I found the NIST WindowsXP Security guide,
    http://csrc.nist.gov/itsec/guidance_WinXP.html [nist.gov]

    Is there a comparable server guide?
  • by v1 ( 525388 ) on Sunday October 30, 2005 @08:52AM (#13908630) Homepage Journal
    I have done some digging into the less accessible files in the OS, and was quite surprised to find US government things buried deep within the OS. The first thing I found were two images of key cards, and the code to support their use. The other fun thing I ran into were large emblems of the army, navy, air force, marines, FBI, noaa, coast guard, DoD, public health service, and several other US government departments. Clearly OS X has some built-in support for use in US government roles. (no images from non-US governments were found) This is in client as well as server. I'd love to know how to enable those features. Anyone happen to run across this info anywhere?

    (for those interested, in 10.3, do Go, Go to Folder... /System/Library/CoreServices/SecurityAgentPlugins/ SCLoginPlugin.bundle/Contents/Resources/)
  • Ah (Score:3, Funny)

    by crmartin ( 98227 ) on Sunday October 30, 2005 @09:16AM (#13908681)
    ... but was the reader really anonymous?
  • "Customers"? How about "citizens"? How come serving customers is a higher calling than serving citizens, for a government agency?
  • by merc ( 115854 ) <slashdot@upt.org> on Sunday October 30, 2005 @11:53AM (#13909262) Homepage
    The NSA has customers...

    *blinks*
  • by Kristoffer Lunden ( 800757 ) on Sunday October 30, 2005 @02:13PM (#13909814) Homepage
    I know these guys should know what they are talking about, but it feels a bit strange to take technical advice from someone who claims that "To download and uncompress zipped files you need to have winzip loaded on your local machine." on their XP advice page [nsa.gov]. I thought even XP could do that without addons, not to mention other OS:es which also seem to manage it just fine.

    Maybe they are just sponsored. Or is that "bribed" when it comes to governments? :)

Solutions are obvious if one only has the optical power to observe them over the horizon. -- K.A. Arsdall

Working...