Reply From: Matthew Patton <pattonat_private>

>That's one of the reasons government security is so lame, Ranum said. I'll
>believe the government is serious about security when somebody at the
>Pentagon gets fired.

Amen!! But we'll never see the day that happens, no matter how much mouthing Hamry does. While significant blame must be attached to management and their cluelessness, one has to wonder if basic security precautions are a natural and responsible part of being a sysadmin. I think so, very strongly in fact.

If OSD or any of the military branches are going to get serious about security, they'd better start firing their present contractors wholesale. So many of them can't find their own asses in a shell prompt. I wish Janet R. would save us all the bother with one more agency investigating "cyber crime" and pretending to act like a CERT, and instead give the services the money and label it specifically for advanced Unix security training. This means mandatory attendance at SANS etc., and/or workshops where we invite an eminent person to teach these morons how to configure a Slowaris box (most .gov Unix is Slowaris) and force them to submit their workstations to instructor review/penetration testing. They don't get to leave the class till they have mastered more than the basics of securing the operating system. And at gunpoint we force each admin to look weekly at CERT's notices, or subscribe to such wonderful services as BugTraq. We further empower the IG to do spot checks on systems (at least quarterly) and railroad any idiot (with an Article 15 or outright termination) who repeatedly fails to do things correctly. The latter is especially applicable to these slimeball contractors who feed at the Pentagon trough.

>One federal employee, who performs vulnerability assessments for the
>Defense Information Systems Agency, defended government security efforts.

Heh, that's funny! Why don't you (the DISA guy) turn your vaunted tiger team on yourselves? Specifically the HQ building. You want to have some fun? Get your own house in order before you go spouting off defending current practices. Somehow I don't remember seeing any seminars hosted by these tiger team members or similar to help the careless admins learn what they did wrong and how to fix it. Has anyone else?

I wish to heaven we could put some teeth into security. But alas, it's nearly impossible to fire anyone in the government, let alone revoke a stupid contract. Maybe we should have a blacklist: "These individuals and contracting companies (or their staff) are incompetent. They are under no circumstances permitted to administer computer systems. If you want to redeem yourself, you will have to be subjected to intense scrutiny from established players. Anyone caught 'blessing' an incompetent individual will be banned likewise, but with no hope of working in the field again for at least 5 years." Hey, Hamry. How about that?

- Matt, disgusted to be working as a phed with pheds.

--------
"You need only reflect that one of the best ways to get yourself a reputation as a dangerous citizen these days is to go around repeating the very phrases which our founding fathers used in their struggle for independence." - Charles A. Beard (American historian)

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:01:15 PDT