Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security United States IT

After the Riot, the US Capitol's IT Staff Faces 'a Security Mess' (wired.com) 140

After Wednesday's invasion by protesters, America's Capitol building is now grappling with "the process of securing the offices and digital systems after hundreds of people had unprecedented access to them," writes Wired.

Long-time Slashdot reader SonicSpike shares their report: Rioters could have bugged congressional offices, exfiltrated data from unlocked computers, or installed malware on exposed devices. In the rush to evacuate the Capitol, some computers were left unlocked and remained accessible by the time rioters arrived. And at least some equipment was stolen; Senator Jeff Merkley of Oregon said in a video late Wednesday that intruders took one of his office's laptops off a conference table...

Former Senate sergeant at arms Frank Larkin, who retired as Senate sergeant at arms in 2018, adds that cybersecurity is the next priority after physical security. In spite of this, the mob Wednesday had ample opportunities to steal information or gain device access if they wanted to. And while the Senate and House each build off of their own shared IT framework, ultimately each of the 435 representatives and 100 senators runs their own office with their own systems. This is a boon to security in the sense that it creates segmentation and decentralization; getting access to Nancy Pelosi's emails doesn't help you access the communications of other representatives. But this also means that there aren't necessarily standardized authentication and monitoring schemes in place. Larkin emphasizes that there is a baseline of monitoring that IT staffers will be able to use to audit and assess whether there was suspicious activity on congressional devices. But he concedes that representatives and senators have varying levels of cybersecurity competence and hygiene.

It's also true that potentially exposed data at the Capitol on Wednesday would not have been classified, given that the mob had access only to unclassified networks. But congressional staffers are not subject to Freedom of Information Act obligations and are often much more candid in their communications than other government officials. Security and intelligence experts also emphasize that troves of unclassified information can still reveal sensitive or even classified information when combined... Kelvin Coleman, executive director of the National Cyber Security Alliance, who formerly worked in the Department of Homeland Security and National Security Council... adds, though, that for now the most important thing congressional IT staffers can do is account for which devices were stolen and begin a mass effort to reset passwords, add multifactor authentication to any accounts that don't already have it, wipe and reimage hard drives when practical, and comb monitoring logs for signs of access or exfiltration.

This discussion has been archived. No new comments can be posted.

After the Riot, the US Capitol's IT Staff Faces 'a Security Mess'

Comments Filter:
  • "But congressional staffers are not subject to Freedom of Information Act obligations and are often much more candid in their communications than other government officials."

    • It's too bad that this equipment wasn't obtained by someone like a Snowden, but retards with zero credibility. We're never going to get a reliable report of what was on them. It's going to be radioactive, legally, for anyone to handle this equipment. How many will be willing to seek asylum in Russia to publicly release data from it? How would you even verify the chain of custody at this point?
      What's guaranteed, though, is the usual social-media conspiracy morons will have a field day mentally masturbating o

  • CSO here (Score:5, Insightful)

    by Corbets ( 169101 ) on Sunday January 10, 2021 @11:37AM (#60920778) Homepage

    And while the Senate and House each build off of their own shared IT framework, ultimately each of the 435 representatives and 100 senators runs their own office with their own systems. This is a boon to security in the sense that it creates segmentation and decentralization; getting access to Nancy Pelosi's emails doesn't help you access the communications of other representatives.

    It is most certainly NOT a boon to security. It‘s a clusterfuck, and a poor attempt to justify lack of proper standardization and control (probably, though it is an assumption, due to overaggressive and unreasonable management stakeholders) by claiming that security by obscurity is a good thing.

    I had no idea the US government allowed that kind of nonsense.

    • So the riot did some good after all. Better go buy more barn doors.
    • by 602 ( 652745 )
      It's certainly not allowed in the federal agency where I work (we do health care). Only government-issued equipment is allowed on the network, all computers must remained turned on overnight so that patches can be applied, all devices enter lock mode after a few minutes (10?) of inactivity, users cannot install software, and users cannot attach external devices of any kind. If I take my govt laptop off site to work via a VPN, the process of connecting securely is onerous. And yet it's still possible for eve
      • Re:CSO here (Score:5, Insightful)

        by AleRunner ( 4556245 ) on Sunday January 10, 2021 @12:11PM (#60920930)

        It's certainly not allowed in the federal agency where I work (we do health care). Only government-issued equipment is allowed on the network, all computers must remained turned on overnight so that patches can be applied, all devices enter lock mode after a few minutes (10?) of inactivity, users cannot install software, and users cannot attach external devices of any kind. If I take my govt laptop off site to work via a VPN, the process of connecting securely is onerous. And yet it's still possible for everyone to do all of their work.

        Everyone's piling on to this thread and missing the main point. These people are not the government. At any time almost half of them are likely to be the opposition working against the government. In the case of the house, until recently that would be the majority of people. Even those that are currently aligned with the government can suddenly find them on the opposite side, as is about to happen on 20th January.

        Given that the current president is primarily known for his disregard for laws and conventions, would you want people under his authority securing your representatives? If the answer is yes, then would you want Joe Biden's people securing your representative? If, even now you are answering yes, then you should probably study the history of security services interference in congressional investigations [theguardian.com].

        • Yep. Decentralized here is sub-optimal in many ways, but so is fully centralized.

          Encryption is your friend.

        • by Entrope ( 68843 )

          The US is not a parliamentary system, where the "government" is defined by a majority of the parliament. All members of Congress are equally part of the government. Some are more equal than others, by virtue of seniority or leadership positions or what not, but there is NO "part of the government" versus "not part of the government" distinction.

          • s/government/administration/ or approximately "executive branch". Sorry - my mistake over the word. The function is equivalent and our MPs work in exactly the same way as your congress members (each one is an independent and has their own office) but because of the way it's formed we just use the term government.

            Basic effect - the security people may be reporting to someone other than the people that the representative is loyal to. This means that the capitol police won't go into a Congress member's offi

            • by Entrope ( 68843 )

              Correct, no member of Congress would accept the executive branch or the opposition party to have system administration rights to their office. They have often pooled resources to share staff across politicians from the same party; see also Imran Awan for one of the risks.

              However, the security problems are MUCH less an issue of who administers the system or who watches for security events, and much more an issue of having clear, strong standards for system operation and security controls. Get one or two sh

          • by Mitreya ( 579078 )

            All members of Congress are equally part of the government.

            I am assuming GP's point may have been that certain members of Congress have explicitly and openly expressed their goal to work against the government (e.g., prioritizing stopping Obama [politico.com], refusing to recognize Biden's win, and general "starve the beast" policy).

        • They were elected officials. Elected means people trust them and they represent those people, and hence, in a democracy, have equal power an voices.

          The whole concept of an "opposition" is fucked-up N@zi-propaganda-level shit that has no place in a democracy.

          They are expected to be a team, work out their differences and work together! Even associating with a party after being elecred as part od a parliament, shouls be a federal crime IMHO.

      • by t0qer ( 230538 )

        Ya right. Doctors overruled the "Lock workstation when smart card is removed" and they're able to simultaneously unlock multiple workstations.

      • Ask yourself if you want the Administration to have administrative control of all the Senators' and all the House members' IT. They could read emails, selectively block emails, read shared documents, etc.. The level of possible mischief is incalculable.

        That would be the ultimate clusterfuck.

        • The Congress has thousands of staff members.
          Examples being the Congressional Budget Office and the capital police, who report to Congress, not to the executive adminstration.

          Congress can have the Congressional IT Office in the same way that they have the Congressional Budget Office.

    • Re:CSO here (Score:5, Insightful)

      by geekmux ( 1040042 ) on Sunday January 10, 2021 @11:56AM (#60920882)

      And while the Senate and House each build off of their own shared IT framework, ultimately each of the 435 representatives and 100 senators runs their own office with their own systems. This is a boon to security in the sense that it creates segmentation and decentralization; getting access to Nancy Pelosi's emails doesn't help you access the communications of other representatives.

      It is most certainly NOT a boon to security. It‘s a clusterfuck, and a poor attempt to justify lack of proper standardization and control (probably, though it is an assumption, due to overaggressive and unreasonable management stakeholders) by claiming that security by obscurity is a good thing.

      Agreed, and whomever sold them on the idea that decentralization and non-standardization for this particular group of users was the way to go, practically deserves the security clusterfuck they created. It's almost as if these non-technical fossils can't even grasp the basic non-technical concept of a chain only being as strong as its weakest link. Sure you could claim compartmentalization is a security enhancement, if you actually had consistent security rules. The fact that civilians got into the building highlights that not even physical security standards, are standard.

      I had no idea the US government allowed that kind of nonsense.

      Government computer security audits have shown failing grades all the way back to the Win9x days. Nothing much has changed regardless of the increased risk. And Hillary's personal email server wasn't that long ago. No lawmaker who's above the law is going to look to confirm that quickly.

      • You really couldn't secure Windows 9x. To log into a password protected Windows 9x system, simply boot from a floppy, and delete the PWL file. Then you can create whatever password you want.
      • by HiThere ( 15173 )

        You've got to appreciate the history. Originally most legislators didn't have or want any computers in the office. Then a few enthusiasts did, but each one had his own way of doing things. Eventually more and more found the benefits of computers to be worthwhile, but those who were already using them didn't want to give up their own systems.

        • Term limits could have taken care of this as well. Sure, you would still have a few folks that would try to homebrew stuff but that takes time (and money) and if the official IT staff has a working system, I'd say 99 out of 100 Congress critters coming in would just go with it.

      • Agreed, and whomever sold them on the idea that decentralization and non-standardization for this particular group of users was the way to go, practically deserves the security clusterfuck they created.

        Who would manage this centralized IT? The administration? You really want the administration to have the potential to mess with elected officials' emails, documents, etc.? That would be the real clusterfuck.

      • You know how the CEO is often a security hole because he/she doesn't listen to the IT/security guidelines, because 'special?' Imagine working in a place where everyone is CEO level of arrogance and privilege.
    • Sounds like setting up a workplace for dealing with highly sensitive data, by letting everyone bring in their own computer, NAS, network equipment and so on. Sounds great... it's worse than BYOD, where the system you're plugging into at least enforces some basic security rules. Such sandboxing or encryption at rest. Or at the very least: locking the screen after x minutes of inactivity,

      "cybersecurity is the next priority after physical security"... yeah. Somehow that doesn't make me feel a whole lot
      • Each Congress Critter is their own 'workplace,' they aren't one big workplace simply by being under one roof. Just like how my dentist has a different network than the Starbucks and the lawyer's office even though all three are in one building.
    • by k6mfw ( 1182893 )
      Seems to me inherent problems of computer security goes back to years of "reduce costs and increase efficiency" so the cheaper consolidation and/or contract everything to a specific company that advocated a more simple and lower cost of doing stuff (i.e. typical companies that cut all kinds of corners or benefits). Then there's horrible bureaucracy that can be a huge turn-off for many IT people. And all this accelerated under Trump that really pushed prevailing attitude "guvmint is bad" and cut budgets for
    • Speaking for myself, I would prefer that it remains decentralized and independently controlled. That better reflects our actual political system - a negotiated union of individual states.
    • And while the Senate and House each build off of their own shared IT framework, ultimately each of the 435 representatives and 100 senators runs their own office with their own systems. This is a boon to security in the sense that it creates segmentation and decentralization; getting access to Nancy Pelosi's emails doesn't help you access the communications of other representatives.

      It is most certainly NOT a boon to security. It‘s a clusterfuck, and a poor attempt to justify lack of proper standardization and control (probably, though it is an assumption, due to overaggressive and unreasonable management stakeholders) by claiming that security by obscurity is a good thing.

      I had no idea the US government allowed that kind of nonsense.

      Not a CSO but I'm not sure I agree.

      Your idea makes sense if they all share the same basic information, so an intrusion of Rep Bob also compromises Rep Janet.

      But even though they have similar classes of info, fundraiser lists, bills being written, constituent projects, etc, etc, they don't actually have the same information.

      Therefore breaking into Rep Bob's network doesn't really compromise any specific items that Rep Janet is working on.

      I think it really does makes sense to think of those 535 different legi

      • by uncqual ( 836337 )

        fundraiser lists

        Are Senators and Representatives allowed to use government computing resources for campaign purposes? I seem to recall that they are not (well, except, for routing pork to favored parties of course -- but that's really the definition of their job).

        • Govermental computers and telephones are not to be used for fund raising. The cell phone took over the private line 15 years ago. We trusted no one at the field offices to touch the network or the phone room.

          There are rented rooms in goverment building and ajcent to goverment building just for that sort of campaigning. The typical hill rat has a 8x5 to himself or shared with someone else from his party somewhere and a private table to run 100 donar calls a day from.

          Each party has 5-10 phone apps and w
          • by uncqual ( 836337 )

            You wife is most likely to deal with the real movers and shakers daily.

            So I guess having a hot, young, and willing spouse is probably a good asset if you're considering national politics - but I suppose if you're a career politician you might have to upgrade regularly and could be on Spouse 4.0 by the end of your career.

    • It is a practical matter— each congressional office is essentially its own independent business. Each one has its own interests and needs to keep matters isolated and private. I might not be on the cutting edge of this stuff, but it has only really been in the past year or two that there was a better approach for most of the functions via centralization. It is quite likely that there are still hold-outs of applications and technologies that centralization would pose a challenge.

      I have recently beco

    • by t0qer ( 230538 )

      Government worker here. Depends on which part of the government you are in.

      I used to work for the DoD. They don't fuck around. Doesn't matter who the 4 star general is, if it's against security standards he's pretty much told he can fuck off if he's expecting some special treatment. OTOH the current branch of government I work for gives certain people special treatment. I won't go into the particulars because I don't want to expose myself, but I will say that it seems that congress has not enabled "Loc

      • This is what burnt clinton as sec of state and her email off site. We know that as the standard for a decade +, she was subject to it, and she went against her own rules. That was left mostly unsaid, but those of us in IT knew a 3rd party IT shop was up to no good.

        "Isn't matter who the 4 star general is, if it's against security standards he's pretty much told he can fuck off if he's expecting some special treatment."
    • What, you’ve never heard of security through clusterfuckery?
      • What, you’ve never heard of security through clusterfuckery?

        Kudos, you've won my morning chuckle!

    • Itâs a clusterfuck, and a poor attempt to justify lack of proper standardization and control... I had no idea the US government allowed that kind of nonsense.

      Remember, these people are not members of one team. Each is independently elected and is its own team. They are not "government workers" whom "the government" can tell what to do. What this would mean in practice is Donald Trump giving the orders for the administration of Pelosi's computer... let's think about that for a moment.

    • by gweihir ( 88907 )

      It depends. It certainly slows attackers down. But it also slows defenders down and you may have lots and lots of unrecognized security issues.

    • FWIW, if they want to look at secret data, there are more secure, more centrally managed, mechanisms.

  • by JoshuaZ ( 1134087 ) on Sunday January 10, 2021 @11:49AM (#60920844) Homepage
    This is a major argument for why there should have been more use of force. Let's leave rom the fact that force, lethal or otherwise was used against BLM and other left-wing groups far more often on right-wing groups even when the violence levels are close to the same https://fivethirtyeight.com/features/the-polices-tepid-response-to-the-capitol-breach-wasnt-an-aberration/ [fivethirtyeight.com]. In this case, this was the US Capitol building, and the national security issues of having systems there compromised is horrific. Who knows if some Russian or Chinese spy used this as an opportunity to get in and compromise hardware, whether on the low side, or on the high-side. And given how quick the evacuation happened, who knows how much was left on. Trump's attempted coup also ended up being a terrible breach of security. And yes, this was a coup attempt. Its lack of success and incompetence doesn't make it less of one.
    • Agreed (Score:2, Insightful)

      Imagine if the people breaking in and looting were of a darker skin tone. It would have been a bloodbath. Capitol police were taking selfies and letting these terrorists in.

      • by Tablizer ( 95088 )

        I suspect those in charge of security felt "their own kind" were safer. That's normal human bias, whether you call it tribalism or racism. On average, we are simply more afraid of cultures we don't understand.

        • by gweihir ( 88907 )

          I suspect those in charge of security felt "their own kind" were safer. That's normal human bias, whether you call it tribalism or racism. On average, we are simply more afraid of cultures we don't understand.

          Probably. But this is still exceptionally unprofessional. Hence they should all lose their jobs and those in charge probably should face criminal prosecution.

    • What would you have them do to Hilary Clinton?

    • by rsilvergun ( 571051 ) on Sunday January 10, 2021 @12:26PM (#60920990)
      let it happen. There have been multiple reports of staff on Capital Hill turning down offers of extra police from the surrounding area, which is a pretty standard response.

      The videos I've seen make it very clear the police were completely undermanned and out gunned. Unless the Secret Service was willing to break out the mini-guns and commit a massacre I don't think more force was an option at that point.

      The running theory is that this was allowed to happen by Trump in the hopes he could declare martial law. He had a pretty bad case of COVID and it's known to affect the brain, we may be seeing the effects of that play out in front of us. This is why the Dems are calling so strongly for the 25th. Heck, this is what the 25th is for.

      Nonetheless still the Republicans back him, and McConnell is already saying he won't hold a floor vote on impeachment conviction. This is a purely political move. He doesn't want them to have to go on record as either voting to remove or voting to keep him. It's a lose-lose for the Republican party. Meanwhile Trump is still up there encouraging his supporters to think he somehow won the election, despite multiple recounts and his own judicial appointments shooting him down time and time again.

      TL;DR; Power and Party before Country.
      • by Entrope ( 68843 ) on Sunday January 10, 2021 @12:41PM (#60921054) Homepage

        Trump has no control over the Capitol Police. Mayor Bowser very specifically rejected the idea of more federal law enforcement presence, unless they coordinated with her office specifically, and said they "were not asking for" more help: https://thehill.com/homenews/a... [thehill.com]

        The Capitol Police rejected an offer from the Pentagon to provide National Guard forces to help keep order: https://thehill.com/news-by-su... [thehill.com]

        The lack of forces cannot fairly be laid at Trump's feet.

        • he didn't. Eventually under pressure Pence did. You're right about the police, that was due to the Republican party blocking it (with McConnell being the one to do the actual blocking so that he could safely take the blame away from the rest of the party).

          So Trump failed to call out the guard and the Republican Party blocked attempts to call in additional police, hence the reason my post said "Trump & the GOP". They are both equally to blame and both culpable in an attempt to overthrow the US Govern
          • Re: (Score:2, Troll)

            by Entrope ( 68843 )

            Every significant fact you alleged in your earlier comment was a lie. Do you have a shred of evidence that McConnell told the Capitol Police to reject the offer for help?

            Or are you just putting Power and Party before Country, again?

            You additionally ignore that DC's Democratic mayor also rejected the idea of federal law enforcement on the streets. And that Capitol Police rejected the FBI's offer of help during the early stages of the riot. Your comment SHOULD have said that by all indications, Congress

            • but I be you'd have said the same thing about Bush's Weapons of Mass Destruction and Reagan holding back on releasing the hostages for political gain.

              If you're still alive in 20 years when the documents around Trump's presidency are declassified will you change your mind? No, probably not. This isn't about truth, this is about your side winning.
          • he didn't. Eventually under pressure Pence did.

            That is not what the Whitehouse Press Secretary said the day after. She was explicit in claiming it was Trump who called the National Guard.

            I would love to see an investigation and a report on the timeline of events. Did Trump resist calling the NG while the siege was in progress. If so then that is treason and he was party to the riot. You know very well he was watching the events in real-time.

        • Mayor Bowser very specifically rejected the idea of more federal law enforcement presence.

          That was before the terrorists attempted the overthrow of the government. While it was happening, calls were made asking for reinforcements [stripes.com] but because of the "optics" of having military personnel on the Capitol grounds, there was a significant delay in sending reinforcements.

          The lack of forces cannot fairly be laid at Trump's feet.

          On January 4th and 5th, memos were issued by the Pentagon which prohibited the District [politicususa.com]

      • by Tablizer ( 95088 )

        He had a pretty bad case of COVID and it's known to affect the brain,

        Nah, Don was a fucked up troll before Covid. Remember, he told his crowd to consider using the "2nd amendment" on Hillary, twice.

    • Oh come on! Do you think spies were just sitting in their asses all the decades before that?

      You think none of the little helpers there, *especially* their IT, security and cleaning staff, is a spy? Don't make us laugh.

      I bet there was not a thing they wanted, that they didn't already have.

      • by Tablizer ( 95088 )

        Oh come on! Do you think spies were just sitting in their asses all the decades before that?

        No, but they may have been in the vicinity for other reasons, but take advantage of the crowd when opportunity knocks.

    • And yes, this was a coup attempt. Its lack of success and incompetence doesn't make it less of one.

      Those who say it wasn't a "coup" say there was no direct planning. But Trump doesn't really plan, at least not on a detail level. He throws chaos & distraction into the system and surfs the chaos in an ad-hoc, shoot-from-the-hip way. He knew they were certifying the votes next door and if he could disrupt and postpone that it could buy him time to insert more chaos into other cracks as they form. Being ab

      • by Gimric ( 110667 )

        The definition of a coup shouldn't require competence. A failed coup is still an attempted coup. Trump's stated objective is to overturn the election result. When legal challenges failed he resorted to threats and intimidation.

  • A bunch of dumb rednecks can't pull this sort of well planned attack on their own.
    We all know they were paid by the Russians to install malware on exposed devices. The Russians have been planing this for years.
    Did you see the pictures. These aren't exactly Carnegie Mellon AI PhDs.

    • I didn't read the piece and take away that anything bad did actually happened (I could be wrong), they are saying it's a royal PITA to make sure that nothing did happen. I take it as a political play by ambitious persons and agencies as an attempt to grab power by arguing to centralize their IT.
    • Re: Russians (Score:4, Insightful)

      by BAReFO0t ( 6240524 ) on Sunday January 10, 2021 @01:00PM (#60921150)

      Oh you wish it was the big bad scapegoat behind the horizon that makes everything sooo simple and nothing your fault and no reason to fix anything about your society . . .

      Which, funnily, is exactly how we got here.

      American can only ever become the greatesr nation on Earth, if it starts to admit that it isn't. (And assess what there is to do.)

    • Did you see the pictures. These aren't exactly Carnegie Mellon AI PhDs.

      Which is what the con artist was concerned about while the insurrection was happening. The con artist was upset at how low class the terrorists looked on tv [nymag.com].

      This adviser, who spoke to Trump on Wednesday amid the siege, said Trump watched the events on television intently. CNN reported that he was so excited by the action, it “freaked out” some staffers around him. The adviser told me that Trump expressed disgust on aesthetic grounds over how “low class” his supporters looked. “He doesn’t like low-class things,” the adviser said, explaining that Trump had a similar reaction over the summer to a video of Brad Parscale, his former campaign manager, shirtless and drinking a beer in his driveway during a mental-health emergency in which police tackled him and seized his weapons. “He kept mentioning, ‘Oh, did you see him in his beer shirt?’ He was annoyed. To him, it’s just low class, in other words.”

    • by HiThere ( 15173 )

      I don't think you've ever been to a technical college. Students, and even professors, when they aren't "looking professional" tend to go in for fantastic garb. (Well, not all of them, but a sizeable minority.)

    • I don't think we need the Russians to destroy our country. We're doing a good job of it ourselves.
  • by kkoo ( 4352157 ) on Sunday January 10, 2021 @12:13PM (#60920940)
    You can bet you life that the crowds entering the building included agents from Russia, China, Iran, North Korea, and elsewhere specifically intent on stealing documents, drives, and maybe planting bugs.
  • Who really wants to make a distinction between what the rioters could have done and what Trump's officials may have done on their own?

    At this point should one no longer make such a distinction. Instead, just wipe all the IT devices of the entire government. Get rid of any doubts and get rid of anything from the Trump era with it. But also don't forget to make copies in case it may be needed as evidence later.

  • "In the rush to evacuate the Capitol, some computers were left unlocked and remained accessible by the time rioters arrived."

    Oops.

  • Military TMs have instructions for the destruction of equipment to prevent it falling into enemy hands. That should be mandatory for civilian government. Computers should require an inserted CAC card to unlock which is also the individual's ID.
    Thin clients with a central, guarded server in such a building would allow instant network shutdown and easy disabling military-style by thermit grenade (those don't explode but fire extinguishers don't put them out so they'd finish the job, plus sprinklers make occup

    • I would hope there was no classified info on any of the machines in the unsecured areas of congress/senate offices. My understanding is all classified is done in special areas of the chamber. And frankly, if it was breached, someone should pay dearly. That area should be fort knox, and anyone attempting to breach it should have been shot and killed. I worked for a defence company years back and secure buildings had guards with guns who looked more than willing to use them.
      • by flink ( 18449 )

        There is plenty of FOUO material floating around on sensitive but unclassified systems that when correlated together can create classified product.

    • Meeting in person is the only way to get any compromise going.

  • It's a small wonder if they know how to spell "computer". Let alone access computer systems, unless the keyboard looks like this:
    https://uxpamagazine.org/wp-co... [uxpamagazine.org]

    But never underestimate the power of doing something thst makes you feel good. :)

  • But then pretty much everyone working in the Capitol would have known this.

    It probably means that for as long as this has been standard practice pretty much any outside entity probably had easy and comprehensive access to pretty much anything. Who needs collusion when you have incompetents running the show.

  • I think it probably near 100% likely that that somebody will claim to have obtained sensitive incriminating data from the computers that turns out to be crude fakes.

  • Psalm 127:1
    Unless the Lord builds the house, those who build it labor in vain. Unless the Lord guards the city, the guard keeps watch in vain.

    This security rule is know for fourty centuries. Some write about policies, secure networks, disk encryption, etc., but it all may be, well, in vain, if 127:1 is not observed.
  • Why? Stop printing stuff unless you need to sign something! (though that can be done digitally as well.)

    Then there is digital access. Done with encrypting drives, etc.

    Seriously, this is a no-brainer, it is thought out for you already, a long time ago.

    Years even.
  • Not only do we have security issues with China and Putin due to the far left and their GD political correctness, along with Russian Asset in the WH,
    but now, we have the far right directly attacking congress, and opening up a nice little breach for spies to take advantage of.

    Who needs to worry about the likes of Mannings/Snowdens, when we have far right extremists that do it far better.
  • My systems have encrypted drives and timed log off. Why wouldn't any government system be doing the same?.
    • > My systems have encrypted drives and timed log off. Why wouldn't any government system be doing the same?.

      Your incentives are aligned. Crazy Aunt Nancy gets to go down to the local store and pick up a shiny new laptop on her expense card and her IT has to deal with it.

      That's the benefit of having outsized power.

      Having nobody to say "no" to you is the downside of outsized power.

      While everybody was distracted by Viking Man being a clown, operatives were in opposition offices grabbing equipment. Some wo

  • Not protestors. Insurrectionists.

  • The reason that network is such a hodge podge is that the primary users are all effectively c-suite and their privately employed staffs.

    Any standardization would pretty much require unanimous approval in order to be implemented and would still leave the IT people in the lurch if later one of Congress critters decides to do something different. Imagine a Private trying to tell a General the plane won't move until he buckles up, technically correct, but what's he going to do, physically eject the General from

  • by ytene ( 4376651 ) on Sunday January 10, 2021 @03:42PM (#60921784)
    The two most dangerous threats to an organisation today are:-

    1. A cyber breach
    2. A physical breach


    Since the federal government knows that the Capital Building was physically penetrated, there is only one safe response: physically remove every single computer, router, switch, hub, printer, laptop, wifi repeater, printer and any other piece of network-connected electronics and replace with "all new"...

    By all means they can bring all the "suspect" gear to a laboratory and perform a forensic analysis, but they will need to re-flash every bios, check firmware in peripherals [like hard drives] the works. To be honest, it would likely be cheaper and quicker to assume that everything has been compromised and junk the lot.

    While they are replacing all the federally-owned electronics from the building, they might as well sweep for electronics left behind by the visitors. Given the event was advertised in advance, it would not be unreasonable to suspect that hostile foreign nations had their own actors - even under-cover agents - in the crowd. It would also be reasonable to suspect that such agents might have had an opportunity to plant listening devices, network repeaters and similar technology anywhere in the building that was accessible to the mob. The penetration of the Capital building by the mob would be a perfect cover for a small cadre of agents to plant devices - in say ceiling voids or flush-fit wall boxes, or even inside power sockets.

    A mate of mine used to work for a big US bank that has offices around the world. In places like New York, London, Hong Kong, Tokyo, Singapore they have plush offices for corporate clients, including conference facilities and meeting rooms. Those areas of the buildings that are open to visitors are comprehensively scanned for foreign electronics two or three times a week - and it is quite remarkable to learn just how much stuff is found - equipment left being by supposed clients.

    If a commercial entity needs to take these sorts of precautions on a routine basis, the federal government sure as hell does.

    And if they haven't done so already, they need to instigate a more thorough review and security harden the physical infrastructure of their technology. Hopefully, they will be doing all this and more.
  • The actual agents in the mob - any spies in DC would have been stupid *not* to join the mob - will have gotten what they can. The idiots of the insurrectionists got zip, other than laptops, because all federal government hard drives are encrypted. And, once they're off the network, the traitors can't log into them, either.

    And even if you use a std. password cracker, or attach it to another computer, we're back to "it's encrypted".

    The real worry are all the actual bugs, and whether USB cables are, in fact, b

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...