Re: [ISN] Hackers, feds say govt. net security stinks | GCN August 10, 1998

From: mea culpa (jerichoat_private)
Date: Sat Aug 15 1998 - 00:24:19 PDT


    Reply From: Matthew Patton <pattonat_private>
    >That's one of the reasons government security is so lame, Ranum said. I'll
    >believe the government is serious about security when somebody at the
    >Pentagon gets fired.
    Amen!! But we'll never see the day that happens, no matter how much
    mouthing Hamry does. While significant blame must be attached to management
    and their cluelessness, one has to wonder if basic security precautions are
    a natural and responsible part of being a sysadmin. I think so, very
    strongly in fact. If OSD or any of the military branches are going to get
    serious about security, they'd better start firing their present
    contractors wholesale. So many of them can't find their own asses in a
    shell prompt.
    I wish Janet R. would save us all the bother with one more agency
    investigating "cyber crime" and pretending to act like a CERT and instead
    give the services the money and label it specifically for advanced Unix
    security training. This means mandatory attendance at SANS etc. And/or
    workshops where we invite an eminent person to teach these morons how to
    configure a Slowaris box (most .gov unix is slowaris) and force them to
    submit their workstations to instructor review/penetration testing. They
    don't get to leave the class till they have mastered more than the basics
    of securing the operating system. And at gunpoint we force each admin to
    weekly look at CERT's notices, or subscribe to such wonderful services as
    We further empower the IG to do spotchecks on systems (at least quarterly)
    and railroad any idiot (with an Article 15 or outright termination) who
    repeatedly fails to do things correctly. The latter especially applicable
    to these slimeball contractors who feed at the Pentagon trough.
    >One federal employee, who performs vulnerability assessments for the
    >Defense Information Systems Agency, defended government security efforts.
    Heh, that's funny! Why don't you (the DISA guy) turn your vaunted tiger
    team on yourselves? Specifically the HQ building. You want to have some
    fun? Get your own house in order before you go spouting off defending
    current practices. Somehow I don't remember seeing any seminars hosted by
    these tiger team members or similar to help the careless admins learn what
    they did wrong and to fix it. Has anyone else?
    I wish to heaven we could put some teeth to security. But alas, it's nearly
    impossible to fire anyone in the government. Let alone revoke a stupid
    contract. Maybe we should have a black list, "These individuals and
    contracting companies (or their staff) are incompetent. They are under no
    circumstances permitted to administer computer systems. If you want to
    redeem yourself, you will have to be subjected to intense scrutiny from
    established players. Anyone caught 'blessing' an incompetent individual
    will be banned likewise but with no hope of working in the field again for
    at least 5 years." Hey, Hamry. How about that?
     - Matt, disgusted to be working as a phed with pheds.
    "You need only reflect that one of the best ways to get yourself a
     reputation as a dangerous citizen these days is to go around repeating
     the very phrases which our founding fathers used in their struggle for
     independence,"  - Charles A. Beard (American historian)
