Pentagon Confirms 2008 Computer Breach — 'Worst Ever'

jowifi writes "The New York Times reports that the Pentagon has confirmed that, in 2008, a foreign agent instigated 'the most significant breach of US military computers ever' using a USB flash drive. While the breach was previously reported on Wired and the LA Times, this is the first official confirmation of the attack that led to the banning of USB drives on government computers."

This is likely why MS has GPOs in W7

[mlts]

This is likely why Windows 7 has explicit GPOs to either set USB flash drives read-only, or deny them the ability to mount whatsoever. Other programs that have this functionality are PGP Universal, and Symantec Endpoint Protection.

Now, if MS can put autoplay/autorun to rest six feet under with Clippy and Bob, that would be a good security advance.

Re:This is likely why MS has GPOs in W7

[rikkards]

The thing that is stupid about it is that sure block exes from being run from a USB, then the user will copy it to the machine and run it there.
BTW, GPOs from day one have had the ability to disable Autoplay and autorun.

Re:This is likely why MS has GPOs in W7

[Lehk228]

there should be a way to restrict execution to only code signed by the owning organization's IT security.

Re:This is likely why MS has GPOs in W7

[Mr 44]

Like "Software Restriction Policies" [microsoft.com] in windows XP and AppLocker [microsoft.com] in Windows 7?

Re:

[JeffSpudrinski]

Win7 Applocker is a great idea, but it's not very dynamic at this point. You have to add programs and file names specifically to a blacklist manually including path name and file name, although I think you can use other thing like file hashes with a little more work in configuring it.

As it was explained to me, there's pretty simple ways around it and it's not smart enough to recognize new version of programs. An example of this would be a new version of Mozilla would run until it was explicitly blocked.

Re:

[holiggan]

there should be a way to restrict execution to only code signed by the owning organization's IT security.

There is such a way: it's called "Software Restriction Policies". It's been around since Windows 2000 and it can be deployed by GPO... You can restrict by signature, by file name, by path, etc. It's part of Windows, it's "free", you just need to configure it.

http://technet.microsoft.com/en-us/library/bb457006.aspx [microsoft.com]

Oh, and you can block access to floppy, CD/DVD and USB drives as well. All with GPOs.

I'm no addressing specifically to you, but it gets on my nerves that people keep bashing MS, and they simply don

Re:

[Lehk228]

compiler should have had a valid signing key

Re:This is likely why MS has GPOs in W7

[Ethanol-fueled]

There are ways to hide stuff like that from view on Windows. They magically show up when the USB device is plugged into a Linux box.

Related note: A similar piece of malware and the ensuing hassle is what prompted me to switch to Linux for good.

Re:This is likely why MS has GPOs in W7

[dgatwood]

There should never have been a way to enable autorun in the first place. The very notion of automatically executing code or installers form a piece of media without the user explicitly taking any action is antithetical to proper security.

Not if the O/S is properly designed.

[master_p]

Code executed automatically off external media could be allowed if the O/S had a security model that allowed it. For example, if code in external media did not have write capabilities to the hard disk, or if said code had lower privileges over installed applications etc.

Re:

[Svartalf]

Ah...but that would get in way of the "ease of use" of the OS.

They make a big deal about ease of use, but what nobody from that camp is willing to tell you is that ease of use almost always prevents any semblance of real security, leading to an easy "pwn4g3" for the script kiddies. For real security (and requiring goofy passwords ISN'T that, folks...), you're going to have some reduction in "ease of use". You don't auto launch stuff, for example.

Re:

[dgatwood]

I see no apparent difference between those two statements in modern English usage.

Re:

[Svartalf]

If they didn't intend for something to autoexecute, it's a problem. Much like Sony's infamous rootkit, you don't expect to insert a removable storage device and have something surreptitiously install a trojan onto your machine- and there's no interaction from the user past plugging in the device, you really don't know you've been had until well after the fact.

Re:

[dgatwood]

Wrong. The user put the media in the machine with the intent of doing something. Even with commercial CD-ROMs, quite often, the media contains other things besides the installer. It might contain documentation, it might contain installers for other tools, and so on. And in that case, auto-launching the installer is the wrong thing.

And further, the disc is not always an install disc. Whether it's a USB stick, a movie DVD, an audio CD, or whatever, having Windows install some piece of software behind you

Re:

[ukyoCE]

No.

We're not talking about gaming consoles here, we're talking about PCs. People more often put in a disc to peruse files on the disc than to run any executable at all. There is also no way to know if a disc has an executable on it before you put it in. Running one automatically is a truly terrible idea.

It's right up there with "hide file extensions" as one of the most boneheaded things Windows does (BritneySpears.jpg.exe anyone?). And Microsoft steadfastly refuses to fix those flaws despite their const

Re:

[Anonymous Coward]

In 2008 any standard issue Army computer would've have had autorun disabled. This was standard practice. In 2008 the Army was handing out commercially available encrypted USB drives and telling everyone to use them and nothing else. These drives had an unencrypted partition loaded with the software used to unlock and mount the encrypted partition, along with an autorun.bat script that would eliminate the extra steps needed to launch that encryption software, if you were to actually have autorun enabled.

S

This is why DoD needs to put a bullet in M$

[SgtChaireBourne]

In 2008 any standard issue Army computer would've...

But were they able to track down and deal with the individual(s) that deployed Microsoft products?

The military procurement procedures produce a solid paper trail even if on some occasions they produce nothing else. Had they deployed properly engineered products rather than brands infamous for bad design [slashdot.org] the problem would not have arisen. The US Navy will focus on open systems only [fcw.com], if it can stay clear of the old M$ contractors and M$ resellers.

Re:

[Svartalf]

You know... An Anti-virus program is like closing the barn door AFTER the horses have all went on walk-about. It only works on stuff that was identified by the anti-virus companies and they have some sort of signature data on the malware- which it's my understanding that they wouldn't have been any better protected in this case, no signatures or they'd have had a solid handle on it and not lost anywhere near as much operational intelligence.

Placing your faith in a piece of software that protects against s

Re:

[rtb61]

As tech spy, meant be good with computer. Mouse unplug, USB drive insert, reboot, bios change, boot from USB, OS on USB, very special do what you need to do nothing more, be quite and hide on network (plenty gigs), get data leave virus in bios (much cool), reboot, plug in mouse, done. The worst thing about this, most bioses have back-door passwords, arghhh.

Re:This is likely why MS has GPOs in W7

[rickb928]

I have this dim recollection that we could do this with GPOs in Win XP.

And we could use ZenWorks to do it also. Much nicer editor, and volatile accounts are a blessing in school labs.

Disabling removable media isn't new, just overlooked.

Re:

[Darth_brooks]

XP has similar capabilities. We push GPO's that limit removable media to read only, so it's not a recent development.

Re:

[bleh-of-the-huns]

Disabling the ability to mount or mounting read only for USB mass storage devices would not have made a difference. Further, there is a fundamental flaw with USB...

During Blackhat/Defcon (or was it B Sides), a guy, whos name completely escapes me right now, as I did not get a chance to attend the briefing/talk, took a USB thumb drive and added some keyboard hardware to it. When you plug it into the system, it registers as an HID device, not a USB Mass storage device...

Guess what, every computer that is s

Re:

[Anonymous Coward]

Doesn't help the government NMCI machines, which are still running XP.

Re:

[dave420]

It's been possible to disable autorun using GPO since 2000.

Obligatory

[Flea of Pain]

Worst...Computer breach...Ever.

Re:

[Flea of Pain]

Damn. Parsing got rid of my comic book guy html tags.

Re:

[idontgno]

That's OK. Maybe some day Slashcode will actually render <comic book guy> and </comic book guy> tags. About the time they decide to implement more than 2% of the HTML entity set.

Re:

[Monkeedude1212]

With good reason

</marquee>

Re:

[xiong.chiamiov]

That's OK. Maybe some day Slashcode will actually render <comic book guy> and </comic book guy> tags. About the time they decide to implement more than 2% of the HTML entity set.

Of course, by that time, everyone else will have been using Markdown (or similar) for 10 years.

The right reaction?

[mangu]

the attack that led to the banning of USB drives on government computers.

This reminds me of the joke of the man that, having learned that his wife was fucking other men in the couch in the living room, moved the couch to the garage.

USB drives have a purpose for legal uses. Wouldn't it be better to improve their systems so that USB drives couldn't be used in harmful ways?

Re:

[Anonymous Coward]

I have heard that the ban has since been lifted. I inferred from this that it was a temporary measure allowing them to get a secure solution in place.

Re:

[dwillden]

While I haven't seen any official statement about it being lifted. I have started seeing USB drives work more and more often.

But then again maybe someone in the G6 (Army IT guys) just decided the ban was stupid when they were issuing out new computers and while USB was blocked, Firewire, eSATA and SD card port and slots were all active and working. My office went from everyone carrying USB drives in their pockets to everyone carrying SD cards.

Now if the machine is off the mil network the USB works,

Re:The right reaction?

[Dahamma]

From TFA...

In an early step, the Defense Department banned the use of portable flash drives with its computers, though it later modified the ban.

Fixing the vulnerabilities takes time. It was just an emergency measure until they could investigate and come up with better policy.

Re:The right reaction?

[Beardo the Bearded]

They have.

Look, they have two completely separate computer networks. They've got a network that can access all the Classified Military Shit, and then they have the computers that can access Everything Bad in the Multiverse. (My terms, not theirs.) The two never meet. Never ever ever, and not even then.

99% of the time, you work with the Unclassified stuff. It's a PITA to work with Classified documents. You've got to go to a secure room, you can't make a copy unless you've signed off a billion times, you have to work on a special computer, you have to have a buddy / guard / watcher, and you've got to go through a debriefing after you've goofed around with it.

If your average worker / troop / contractor picked up a USB drive and put it into their EBitM network and it took over every machine in a billionth of a second and sent all the info on the EBitM network to China, Russia, and Zork the Evil, the risk to National Security would be zilch. Yeah, it would be a PITA to fix the compys, but it would be no worse than the same PITA you'd get in any large civilian network. The only difference is that it's a huge fucking PR nightmare. Think about how embarrassing it would be if Norton was taken down due to a worm. Now go up two orders of magnitude.

The computers you see the troops using are almost always personal property used for emailing back home, watching movies, playing games, and otherwise fucking around. The work computers are usually tied into the EBitM network and they use them for work. Unless you are one of The Anointed Few, you haven't even seen a computer that's handled Classified information.

Re:

[hedwards]

If the two never meet, then how do you explain that data breech where they lost terabytes of information to the internet? I'm not sure why the classified DARPA stuff wouldn't be similarly secured.

Re:

[Beardo the Bearded]

Either it was human error, which can lead to jail time (or in some very rare cases execution) or the info wasn't Classified. As was pointed out elsewhere in this thread, military breaches carry different penalties than civilian ones. Chief among those is that security is enforced with lead-based penalties.

I could give you millions of pages detailing a warship. It would bore you halfway to death, unless you're absurdly interested in which cable connects which junction box on some class of warship. But wa

Re:The right reaction?

[guruevi]

After actually having implemented such a methods, it is noticed that nobody ever uses the classified network except for highly official stuff, when the project is done. It seems that all work in progress is just being saved on the non-classified network.

Trust me, I have implemented just about any security method in a variety of settings (medical, financial, ...). The fact remains that people can't be bothered to lock their screens when they step out because it's "too difficult" and "too complicated" let alone click the button to encrypt their e-mail or their USB sticks.

Re:

[shadowofwind]

After actually having implemented such a methods, it is noticed that nobody ever uses the classified network except for highly official stuff, when the project is done. It seems that all work in progress is just being saved on the non-classified network.

I guess I shouldn't be surprised by anything, but I've never heard or seen any sign of people working with classified data on a non-classified network. Except for that Chinese guy who got charged for spying at Sandia.

A different world

[sjbe]

Trust me, I have implemented just about any security method in a variety of settings (medical, financial, ...).

What about military? I've worked in medical, financial, manufacturing and retail too. Military is very different.

The fact remains that people can't be bothered to lock their screens when they step out because it's "too difficult" and "too complicated" let alone click the button to encrypt their e-mail or their USB sticks.

Very true but the difference is that the military can send you to prison for the rest of your life if you get caught being sufficiently lazy/sloppy/incompetent with secure data. The same laws we live by in civilian life don't apply [wikipedia.org] much of the time. The worst a financial firm can do is fire you. I'm not saying that people don't behave exactly as you describe (I'm sure they do) but there are

Re:

[Anonymous Coward]

Wow! It sounds like Internet information clearinghouse sites like wikileaks stand no chance of ever getting their hands on sensitive information with a system as strong as you describe.

Re:

[Svartalf]

Actually, if there was a breach and it compromised operational data (definitely secret/top secret stuff...), it would be an issue of National Security as well as the PR nightmare you mention.

And just because the systems are supposed to be air-gapped, we all know that this is a fun process and doesn't always get done right. People are in the mix and people make mistakes all the time.

Re:

[0123456]

The most likely person to be killed with a firearm is the owner.

Well, yes, if you want to commit suicide and happen to have a gun, that's probably what you'll use. Most of us don't regard sucide as a 'nefarious purpose', particularly as anyone who's willing to shoot themselves can find numerous other reliable methods of killing themselves even if they don't have a gun.

I believe this is also the source of the infamous 'a cop is more likely to be killed with his own gun than kill a criminal', as cops have a high suicide rate and rarely kill criminals.

Re:

[not_hylas( )]

@ 0123456

"... as anyone who's willing to shoot themselves can find numerous other reliable methods of killing themselves even if they don't have a gun."

http://games.adultswim.com/five-minutes-to-kill-yourself-adventure-online-game.html [adultswim.com]

Please, everyone, feel free to explore these options and test your theories.

Re:

[Muad'Dave]

That also hints at either:

1) how poorly the average police officer is trained in using (and more importantly) retaining possession of his weapon while engaged in an altercation

2) the mamby-pamby rules that require the officer to put himself in a position where his weapon can be taken from him instead of using it while still out of reach of an armed or otherwise dangerous perp.

Re:

[codepunk]

The Supreme Court does not side with your theory.

Re:

[dave420]

Apart from all the strict security that can't be bypassed, including locking down USB drive access, sure.

Re:

[GameboyRMH]

Wow are those guys idiots or what? A known terrorist says he wants to renounce terrorism and turn himself in to the prince...in person.

Dora the Explorer wouldn't fall for that.

And yeah the pics in that PDF are only SFW if you work for rotten.com.

They should have ...

[SlashDev]

... watched the movie "The Recruit" when it came out.

Do they ban flash cards as well?

[GodfatherofSoul]

That seems to be a more reasonable security risk.

Re:

[oneiros27]

Actually, I don't know that they've outright banned them, but since about that time, there's been a policy that US government owned removable storage is not to be used in non-government owned machines, and non-government owned storage is not be used in US government owned machines.

It wasn't just this incident that lead to it; there were incidents of people going to conferences and passing around USB sticks with the presentations, and then everyone coming back from their conference and putting a whole bunch

Still vulnerable

[Bryansix]

Since the US Armed Forces, DoD, et al. still use Windows it would be prudent for all of them to employ BitLocker or whole drive encryption even on the unclassified computers. The reason being is that I just made a flash drive today that can still blank out the local system admin password on any windows computer in existance (unless they have BitLocker or TruCrypt).

Re:

[Monkeedude1212]

The reason being is that I just made a flash drive today that can still blank out the local system admin password on any windows computer in existance (unless they have BitLocker or TruCrypt).

Assuming you have a way to physically access the computer.

Locking the box inside a steel cage could also keep you out, with the added benefit of being harder to physically steal. But then again, TruCrypt and Bitlocker have the added benefit of making the drive much more difficult to access in the event it does get stolen.

And the cons are of course locking in a steel cage means you don't get to use CD's or USB sticks - and of course Encrypting the drive means you can't use a flash drive to reset the admin pa

Re:

[hedwards]

That was my thought, why are they allowing physical access to the USB ports without properly monitoring the devices being allowed to be used in the machines. Physical access to the keyboard and mouse is enough of a security risk as it is, but allowing people to plug in strange USB devices without first inspecting them strikes me as irresponsible. Admittedly, people do have to do their work, but I'm not sure why they weren't being required to scan the information on the drive before connecting it up to a sec

Re:

[GameboyRMH]

On Vista/7, wouldn't this cause a UAC prompt to pop up? Unless you're looking to exploit a local privilege escalation vulnerability, and you're just hoping any Vista/7 machine you attack wouldn't be patched.

If you're just switchblading XP machines and infecting individual Vista/7 user accounts, that's old news.

Re:

[Bryansix]

The exploit doesn't run in Windows.

Re:

[GameboyRMH]

Oh it's a password reset boot utility that requires plenty of physical access to the machine. That's even older news.

Re:

[Bryansix]

Congrats because we take business from Geek Squad every day. They suck for business support. We specialize in SMB clients and provide real service.

Re:Still vulnerable

[Beardo the Bearded]

It's always someone's first day. It took you years to get to the point you could even post on /.

Where there's a USB port ... there's a way

[PolygamousRanchKid]

A US Army dental surgeon told me that their computers were "fixed", so they could not copy pictures of their operations to any external media. The surgeons needed anonymous pictures of operations that they had performed, for preparing for their careers after their service. Like, applying for a job somewhere.

One of them figured a way to use the USB port in the Canon printer that they had. They could toss pictures at the printer, and land them on the USB stick. Circumventing any blocks on the PCs from accessing the PCs' USB ports.

So any unprotected port is, well, a potential source of a leak.

Re:Where there's a USB port ... there's a way

[countSudoku()]

That's a good work-around!

So any unprotected [USB] port is, well, a potential source of a leak.

Along with any camera, copier, cell phone, human with a memory, network accessible device, etc. Every kind of access restriction can be circumvented. *Every* kind.

I would suggest mounting all laptops in cement, then chaining the cement block down to the cube frame structure. Close off all connectivity, embed in a Faraday Cage, then keep anyone, including the approved user, from accessing it, and you're all set! Bob's your uncle! Otherwise, expect your data to escape. Because it will. :) Have a nice day!

More Self-Serving Hype

[yourpusher]

Rob Rosenberger at VMyths notes: [vmyths.com]

et’s cut to the chase. U.S. Deputy Defense Secretary William J. Lynn III wrote an op-ed for a commercial publication in which he claims a single USB thumb drive caused the worst military data breach in history. And according to Wikipedia, that one little USB stick led to the creation of the Pentagon’s new Cyber Command.
[. . .]

I’ll bet it took so long only because it was a classified operation. This malware would have blown over in a week if DoD-CERT had issued an email saying “hey, there’s a new virus running around, please scan your PCs for agent.btz.”

{sniff} I can definitely smell a lot of groupthink here. Not to mention hype, which goes hand in hand with groupthink.

Lynn suffers from a short memory span. We know this because he thinks the Pentagon got “a wake-up call” when agent.btz slithered into classified networks. If Lynn’s brain had more RAM, he would recall the Melissa virus did EXACTLY the same thing in 1999. It infected classified U.S. networks at a depth & scope even I myself would label “impressive.”

So why this story? Well (from the same source):

You can see I’ve got a healthy dose of skepticism over Lynn’s “Buckshot Yankee” revelation. And I’m not alone: Wired filed a story with the headline “Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack.”

Waitaminit. GCN’s breathless story includes the phrase “Lynn said Wednesday in a teleconference with reporters.” You mean to say he gabbed with the media on top of all the hype he wrote in an official capacity for a commercial publication? {sniff} I smell a book deal in the works when Lynn’s boss retires next year.

Re:

[INT_QRK]

Whenever an OSD, or for that matter any federal, official with "Honorable" in front of his or her name deliberately broaches any issue in a public venue, there is an underlying effect that he or she is trying to promote. This typically may involve either defending, or laying the groundwork for, some pending policy which has not quite achieved full acceptance from all the other key players with a stake in the game. Given especially that the Hon. Mr. Lynn is the DEPSECDEF, that is number two in the DoD, I'd a

Flash Drives

[Reason58]

I know for sure that USB drives (flash and otherwise) have been banned on DoD systems for quite a while before 2008. Perhaps other government sectors didn't have this rule in place, but more likely it was simply not being enforced.

Re:

[PhxBlue]

And I know for sure that you're wrong. Personal flash drives have been banned on DOD systems, but government-purchased flash drives were perfectly okay to use.

Re:

[Reason58]

Where are you seeing that this was a DoD approved device? You may be correct that it was not technically a rule for all flash drives, but no Army, Air Force, or civilian location where I worked allowed their use at all.

Re:

[Anonymous Coward]

USB drives were at one time used to transfer between air-gapped networks when CD/DVD transfers would burn through media too often. I can attest to this.

Re:

[Svartalf]

Then the systems really weren't air-gapped, you had a sneakernet between them.

Air-gapped means that never the two shall ever meet. Nothing like a flash or CD/DVD to be shared between the trusted and untrusted network can happen.

Re:

[gandhi_2]

In my neck of the DOD, all external storage devices were disabled by GPO. And I'm nothing special. And flash drives bought from the GSA catalog are nothing special either.

Re:

[dwillden]

Wrong. I regularly used USB drives on classified and unclassified systems up until the ban. Personal ones were strictly verboten in classified systems but on unclass ones it was no big deal, and very common to use personal ones. Especially since supply would usually only come up with old low-capacity thumb drives (I'm talking 128 meg when 4 gb was common and 8 gb were the big ones on the market).

Haven't I seen this movie before?

[boddhisatva]

Same guy that stole the plans to defend South Korea from attack by the North with a thumb drive? There are solutions guys and they're not very difficult. How about this one, which I stole from "Cryptanomicon": Anything electronic going in or out goes through security. Personnel drop such things off at the entrance and then walk through a very large, strong magmetic field. Same thing leaving. Just like the airport only if you forget to drop off your watch, it gets fried.

Re:

[Lehk228]

my little 4 gig USB drive would become a dangerous projectile long before a magnetic field actually hurt it. my SD cards won't even do that.


unless you intend to use a powerful and oscillating electrical field, which will also kill anyone with a pacemaker or metal implant.

Re:Haven't I seen this movie before?

[PitaBred]

Didn't you read? He said magmetic field. I assume it has to do with magma, maybe burning the user alive. That sounds pretty secure to me.

Re:

[tsm_sf]

Your ideas intrigue me and I wish to subscribe to your newsletter.

Re:

[hedwards]

I was a bit surprised, but you're indeed correct about that. Not only that, but it's questionable as to whether the hard disk would be effected either. Theoretically you could amp up the magnetic field enough to destroy the SD card, from what I gather you'd also be removing the iron from the blood vessels with a magnetic field that strong.Busting the Biggest PC Myths [pcworld.com]

If the data is that sensitive you're better off with metal detectors and good old fashioned cavity searches.

Not the worst ever...

[d474]

In 1983, a high school kid named David Lightman hacked his way into DOD computer @ Norad called the W.O.P.R. which almost resulted in an all out nuclear war between the U.S.A. and Russia. I believe they made a movie about it.

So until I hear a story that tops that, keep your "worst ever" superlatives to yourself. Oh, wait...

Re:

[DNS-and-BIND]

"It might help to beef up security around the W.O.P.R." Best movie line ever. I still laugh about it. WarGames was also notable as one of the vanishingly few positive portraits of a Southerner in a position of authority. I remember people being incredulous that General Beringer wasn't some "let's push the button now and nuke the Russkies" character that they expected when he first opened his mouth.

Was it Windows, again?

[devent]

So, what system the computer were running? Why is that information never in this news reports? Are they assuming that computers just runs, without any software on it? Don't they know that computers usually have an operation system on it to be useful?

I really had it now. I clicked through the pages and agent.btz is mentioned. Nobody had mentioned that's a Windows worm Worm:W32/Agent.BTZ http://www.f-secure.com/v-descs/worm_w32_agent_btz.shtml [f-secure.com] Platform is Windows 32, of course. Why is nobody is mentioning the

Re:

[Anonymous Coward]

Dude, chill. Your English is breaking up.

+1 Funny

[PerfectionLost]

Hilarious

Re:

[polaris20]

As much as I'm not a fan of Windows, it's the target, not the OS that's the problem. OS X and Linux can be circumvented too, if the prize is worth it. Anyone who doesn't realize that is a fool.

Re:

[hedwards]

Given that eventually somebody found an exploit in the OpenBSD base install, I'd say it's a given that with enough of an incentive you can find one in any OS, it just takes longer for some than for others.

Re:

[WindBourne]

Considering that there are more https servers with CC info on them running Linux/Unix, I would say that your logic is incorrect. The simple fact is, that ppl/crackers go after the EASY systems.

For example, why go to a house, with a burgler alarm, no windows, doors that you have to pick, that has $100 million if you can go to anther house that has basically no alarm, has open backdoors, and has only $1 million, though they MIGHT have a key to get into the OTHER Place, though you also get to the 100 million

So your argument is security through obscurity

[Sycraft-fu]

Well there's multiple problems with that, as applied to the government:

1) If the idea is to go to the less used system because it is more secure, that means changing any time your system isn't so minor. In fact they'd be much better to write their own OS, with no relation to any existing one, than to use Linux. Linux does have a fair bit of use and does get owned (our research labs get their poorly secured Linux boxes owned from time to time) and of course the government is a big user so them switching woul

Re:

[WindBourne]

First, where do I advocate anything? I pointed out FACTS, not the fiction that MS is hit because it is a monoculture or the most heavily used.
Second, when I worked at TL agencies, I was prohibited from using MS except as a none-networked connected system. Why? Because the agencies do not want their code on the net. THere is NO SUCH THING as secured windows.
Third, if we are going to have a monoculture, then it is far far better to have a secured system, rather than something as unsecured as Windows. That w

Re:

[Sycraft-fu]

If you think there is no such thing as secure Windows, but is such a thing as secure Linux it just means you are a zealot, uneducated, or both. Sorry, but there is no magic that makes Linux secure. I know this is something fanboys like to think, they tell themselves there is some architectural superiority that ensures it is a secure system but there's not. If you've taken the time to learn about how OSes actually work, at the high and low levels, you find that no, Linux is just another OS. How secure it is,

Re:

[WindBourne]

When you work in a secured environment for three letter agencies, please explain to them why you want Windows exposed to the net. I am quite certain that you have more knowledge than the nice folks at NSA, CIA, and NRO. Sadly, those at DHS and DOD will continue to have issues because they do not consider the issues of Windows vs. just about any other OS.

BTW, I have not said that Linux is secured. I have said that versions of it as well as other OSs are much more secured than anything coming out of the Win

Re:

[devent]

4) There are real needs in terms of apps and so on, not all of which Linux can meet well (if at all). [...]

If nobody is using Windows for anything important, like they should, what do you think how fast will everybody port their applications?

Re:

[devent]

As much as I'm not a fan of Windows, it's the target, not the OS that's the problem. OS X and Linux can be circumvented too, if the prize is worth it. Anyone who doesn't realize that is a fool.

I don't care about what OS is more secure. But I do care that the news reporter are doing his/her job by telling what the affected system is. If it's Linux, fine, say Linux is affected. But nobody is ever mentioning that it's Microsoft Windows. In fact, please read the last 20 security reports. Microsoft Windows is never mentioned once.

Re:

[JamesP]

They should have gone with AIX or Solaris on PPC / Sparc

Re:

[0123456]

The theory that an all Linux environment would be secure is false in the real world. All operating systems and applications are vulnerable to varying degrees.

But Linux won't be owned just by putting a USB stick in the slot. Sure, there might be USB driver bugs, but that's very different to autorunning software off the stick, or loading DLLs from the stick when you browse that directory.

Re:

[antifoidulus]

The windows security model is so incredibly incoherent and pointlessly complicated that its essentially worthless. Locking down a windows box is a laborious and error prone process, for instance in XP there are at least THREE different places where you set firewall policies and the ways they interact and overrule each other are incredibly complicated. The only reason for this pointless complexity is so that Microsoft can sell more MCSEs.

Compare this with Linux and iptables. I have essentially one text

USB drive on sensitive computers...

[geogob]

I didn't follow the original story back then, but I find somewhat surprising what I read here. USB drives allowed on a sensitive system containing sensitive informations seems like a bad idea how ever you present it. But having one universal port for everything is a problem for sensituve application. You can only block its use for data link on the software level, which will eventually be bypassed.

It will always be possible to retrieve information from the system, sometimes with considerable amount of work.

Re:

[KahabutDieDrake]

Actually, it's trivial to disable USB in a windows system. I mean disable it at the system level. Further, it's not hard to disable it at the hardware level either. Some crazy glue will go a long way to making those ports useless.

That being said, there are always ways around such efforts, especially if you have physical access.

Re:

[dskoll]

On Linux, you could compile kernels without support for USB mass storage devices. But I'm not sure that would be sufficient; maybe user-level USB access could be (ab)used to manipulate flash drives. Still, it'd make things a lot harder for the average attacker than a Windoze box.

Re:

[LinuxIsGarbage]

On windows you can delete usbstor.sys or disable driver in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

Government contractors..

[Paracelcus]

The Gummermint in their infinite wisdom has decided that they will no longer hire Tech people as permanent employees (there are exceptions) so their has been an explosion of revolving door "new people" who have to be allowed to sit at a desk, in the building, at a console for up to six months until their security clearances come through. Can you say "social networking"?, I know you can!

Hi, Foobar, can I sit at your terminal, you know, just to check my Foobar account, is that OK? (check & mate).

Re:

[JamesP]

Hi, Foobar, can I sit at your terminal, you know, just to check my Foobar account, is that OK? (check & mate).

Let me guess, it's Alice and Bob again.

Darn those two!

Re:

[David_W]

Let me guess, it's Alice and Bob again.

Nah, it's Mallory.

One ray of hope...

[TheCarp]

So no hope that the person who did this gave the info to Wikileaks? That would definitely be the best of all possible worlds here.

That would be the only silver lining that I could hope for here. You can't really blame other countries for spying, I am sure just as many (if not many more) USB drives were filled up with secrets by people on american payrolls, so its hard to feel bad for the US Military on this one. When you choose to play the game, sometimes you get played. I only really care about innocent by

Re:

[dwillden]

They don't log you out. A few minutes after you walk away the screen saver will kick in and lock the screen, but pulling a CAC doesn't log you out.
That would make it a real pain to register a new CAC card on a system, or do one of many common tasks we do where someone will sit at another's machine and log into AKO or another site with their own CAC.