>I think I can safely say (paraphrasing Kevin) that the prevailing >management attitude is, "Hey, I passed the C&A so I can back-burner >security until the next C&A cycle." And then they get whacked. Not their >fault - they passed the C&A. Funny this should come up. But digging back into the archives of history let us recall the most embarrassing hack of www.af.mil circa Jan 1996. So, purhaps the readership has forgotten (or did I fail to post) that just DAYS before the hack, DTIC's computer systems underwent a 'security checkup' by none other than DISA's ASSIST intrusions tiger team. Said team asked DTIC to point out their internet connected boxes and ran a set of tools against them and upon finishing, blessed their health. Seems nobody at DTIC mentioned the nifty new IRIX box sitting off in a corner playing dumb and happy to the address of 'www.af.mil'. So the DTIC guys went happily on their way, forgetting all about certain builtin accounts not having passwords (default out of box setup) or that some flaming bozo had set the root password to "1234". So you see audit or not who says the auditors will do a complete job? The fact that the intrusion team didn't "find" the irix box is a bit troubling no? >"Insurance" in the .mil/.gov arena usually translates to >"Plausible Deniability" or some other form of Vogon poetry. Precisely!! So who in the Pentagon do we want to hack today??? 'Flippergate' got to love it. -------- "There are no significant bugs in our released software that any significant number of users want fixed." - Bill Gates in an interview with Focus magazine, Oct 23, 1995.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:59 PDT