State Department Spent $1.2 Billion On An Asset Monitoring System... That Ignores All Non-Windows Equipment
from the julian-assange-agrees dept
We just wrote about a GAO report showing how the Defense Department is somewhat incompetent at dealing with online threats. Of course, it's not clear that anyone else in the government is any better. The GAO is back with yet another report, dinging the State Department for its dreadful computer security monitoring program. In this case, it's talking about threats to the State Department's network, rather than to third parties. And while the State Department spent a whopping $1.2 billion of taxpayer money on a fancy computer system, called iPost, to monitor everything, it turns out that it only works on Windows machines:

But the iPost service only covers computers that use Microsoft's Windows operating system, not other assets such as the roughly 5,000 routers and switches along State's network, non-Windows operating systems, firewalls, mainframes, databases and intrusion detection devices, GAO auditors said.

I mean, this is the kind of stuff that makes you shake your head in disbelief. Somewhere in the process of building a $1.2 billion system, no one thought to point out that there are more computer assets than those that run Microsoft Windows? Really? Someone seriously deserves to be fired.
Also, for the Windows computers where you can install it, it appears that the system barely works.
For instance, iPost tools did not always scan computers when scheduled, or they created false positives that had to be analyzed and explained. One scanner vendor failed to update its technology to detect the latest, most common vulnerabilities. And tools manufactured by different suppliers produced disparate scores that staff then had to interpret and modify.

Apparently, all of this is leading to confusion where people don't even know who's responsible for what.
So can someone explain why the federal government is coming down so hard on Bradley Manning, rather than taking some of that energy and focusing on securing the State Department's computers? Honestly, from the sound of things, you have to imagine that lots of people (including tons of foreign spies) long ago broke into State Department computers and had access to all of this info, based on reports like this. If anything, it makes you wonder if the Wikileaks leak may help get the State Department to better secure things.
Reader Comments
Worse. It sounds an awful lot like those spies infiltrated the State Department and then actively mismanaged (sabotaged) the asset security project to ensure that they could continue to breach government networks.
Spy Leader: We know how to circumvent Windows already. Ensure that the iPost project doesn't look at anything else.
Spy Underling: Yes, Mr. Gates.
Re: Of course
The irony though is that most of the professionals who hack Windows machines are likely using something other than Windows (i.e. Linux/Unix). Honestly, if it weren't for DirectX games, Windows wouldn't even have a market among the technologically inclined.
Re: Re: Re: Re: Re: Re: Of course
Hmmm... Helm's Deep was pretty easy to compromise as well. A little gunpowder was all the Uruk-hai needed to breach the walls and then they were able to sweep through the outer defenses. Gandalf was even certain that the move to Helm's Deep was a dumb one...and he hoped that it would hold long enough for him to get the outcast riders of Rohan and return.
Windows is pretty bad by default, but any competent administrator can lock down Windows so it is secure enough to convince all but the most driven individuals to move on to easier targets.
Re: Re: Re: Re: Re: Re: Re: Re: Of course
I find the power button works well.
Re: Re: Re: Of course
"We got it right this time, really we did."
Been hearing that one since before most of you other people were on the Internet.
Re: Re: Re: Of course; @blaktron: the very existence of patches..
Here's the sequence:
1) An exploit is found in the wild; this is constantly monitored by numerous experts.
2) Microsoft hastily finds a fix (supposedly) and tries to put out a patch before it spreads.
3) Microsoft yells "Keep your patches up to date!"
4) You (and Microsoft) maintain that the most recent properly patched systems have never been exploited.
Still doesn't make Windows any better
Admittedly, Windows 7 is a better offering security-wise than other Windows systems, but it still pales in comparison to a basic Linux distro that comes with a firewall and locked root privileges by default. Add in the "no known viruses" carrot, and the choice is clear.
Re: Re: Still doesn't make Windows any better
...no, but I did get their root-kit. Is that a browser thing?
Re: Re: Still doesn't make Windows any better
I used to think you might be an idiot. I now have no doubt.
*facepalm!*
Hell, I'll do it for only $1.1 billion--now that's value!
Re: *facepalm!*
But I wouldn't start with Linux for this purpose. Oh, it's certainly an enormous step up from Windows, but then again a steaming pile of cow manure would be the same. I'd start with OpenBSD, which is considerably smaller and much more focused on security.
None of this will happen, of course. Instead, those responsible for this will be rewarded and promoted, there will be more of the same epic failure, and even the poorest countries out there (the ones without a beer and an airline, thanks FZ) will be able to penetrate this operation whenever they want, merely by hiring a bored college student with a laptop.
Re: Re: Re: *facepalm!*
If you run a mail server of any size/volume/scope/etc., then all you have to do to answer that question is to look at your own logs. (By which I mean not just your SMTP logs, but everything else as well.)
If you don't, and not everyone does of course, then all you have to do is to read the relevant traffic on nanog, mailop, spam-l, full-disclosure, bugtraq, spamtools, and other related lists for the last ten years or so.
Either way, what you need to be paying attention to is not so much what's going into Hotmail (although that's certainly interesting in its own right) but what's coming out of it.
Re: Re: Re: Re: *facepalm!*
Another potential source for spam from hotmail (as I assume you're referring to that as "insecurity") is people's accounts getting hacked. That's usually their own fault for not using secure passwords.
And finally, since hotmail is one of the oldest and most popular services out there, spammers have been spoofing fake hotmail addresses for years. In fact, you can pretend to send email from anyone you like just by setting up your own mailserver! Doing that just usually means you get easily caught by the spam filters.
So....hotmail in and of itself is probably pretty secure. These days, Microsoft really seems to know what they're doing when it comes to locking things down...
Re: Re: Re: Re: Re: *facepalm!*
First: what comes out of any site has everything to do with whether or not it's secure. This is a first principle of network security, albeit one that is often overlooked. (Haven't you noticed that the most serious security issues don't involve someone breaking in...they involve someone breaking out?)
Second: one of the other fundamental principles is that outbound abuse is a surface-level indicator of underlying problems. Spam is of course not the only form of abuse -- it's merely one of many that uses the SMTP protocol -- but it does provide a highly reliable measure of internal security. Secure sites do not emit spam on a systemic and persistent basis. (Nor do they emit other forms of abuse on a systemic and persistent basis.)
Third: everyone who knows how to read email headers and/or evaluate their own logs is quite aware of what's really coming from Hotmail and what's not. Attempts to forge Hotmail's domain have decreased steadily, in part because even spammers, dull as some of them can be, have figured out that it's not a worthy target for forgery.
Fourth: spam is far from the only security problem at Hotmail. Again, read the references I cited, or, if you don't want to plow through the historical record, just subscribe to them...and wait. You probably won't have to wait long.
Re: Re: Re: Re: Re: Re: *facepalm!*
Also, STMP security involves forcing authentication, which hotmail does. They just give free accounts that allow anyone to authenticate. They clean up their mess as much as anyone. Also, none of that has ANYTHING to do with system security. moron.
Re: Re: Re: Re: Re: Re: Re: *facepalm!*
I actually do run Mail servers, they are bigger than yours almost for sure and I can promise you about 10 times as much spam comes from gmail addresses as hotmail ones these days.
Maybe they are bigger, although in the 30 years I've been running mail servers, they've varied in size from "tiny" to "among the biggest and busiest on the net". And one of the things I've learned is that size is not correlated to clue. Another is that anyone who can competently operate a mail server with 10K users can operate a mail server of arbitrary size just as competently.
As to your comparison of volume from gmail vs. hotmail, you're making a beginner-level mistake here. Everyone who has studied spam in any depth knows that spammers target differentially: by country, by ASN, by network, by host, by domain, by MX, by OS, by MTA, by user, by LHS, by just about every criterion you can imagine. So one of the fundamental truths about anti-spam work is that your incoming spam mix does not look like their incoming spam mix, for all values of "your" and "their". Thus your observation, while presumably accurate, means nothing for anyone but you: it tells us precisely zero about the actual spam rates from either operation.
So if you actually want to assess patterns on anything approaching a global scale, one of the things you need is a very large number of measurement points, AND that very large number of measurement points has to reflect sufficient diversity among all the criteria I enumerated above -- plus a few others. This is difficult not only because of the scale, but because considerable craftiness is required to operate the measurement points. And then even more clue is required in order to combine the measurements in a way that actually means something.
Also, STMP security involves forcing authentication, which hotmail does.
It's SMTP, and only some SMTP security involves authentication. As I would expect anyone who claims to run a mail server to know, there are many injection paths which do not. For example, Hotmail emits backscatter (aka outscatter), which is a particular form of spam that does not even require the spammer to have a Hotmail account.
Beyond that, authentication is not a barrier to spammers running botnets, since they can possess and use at will any email authentication credentials stored or used on those systems. Thus -- as we've seen -- spammers will sometimes choose to use their bots not to directly send spam, but to relay it through third parties...some of which dutifully perform the authentication, which of course succeeds.
They clean up their mess as much as anyone.
Of all the things you've said, this is the most ludicrous. Everyone who has been paying the slightest attention to traffic among professionals in the field over the last ten years (whether that traffic is on mailing lists or in newsgroups or on the web or whatever) is well aware that Hotmail is absolutely, profoundly, completely incompetent at dealing with abuse and security issues. They have demonstrated, thousands of times, that not only can they not read well-crafted reports, not only can they not tell an abuse report from abuse, but they quite often fail to recognize their own hosts and networks as such.
That is, as someone once said, a special kind of stupid.
Here's an exercise for you: go over to Google. Type in "hotmail abuse clueless" and start reading the hits. When you're done, switch the search from the web to Usenet...and read some more. And then search...well, by now you should get the idea. Hotmail's abuse desk is legendary for their incompetence -- although they do have serious competition from Yahoo for worst-in-class.
Yet this is not the end of the issues with Hotmail. As I said previously, spam is only one of their many problems. It just happens to be a particularly easy one to observe.
Re: Re: Re: Re: Re: Re: Re: Re: *facepalm!*
BLUF: Hotmail is not secure in itself, let alone that it's free. Thinking that it is is stupid. Period.
Why would you think that Microsoft (that has serious vulnerabilities found monthly (hence the patching)) would put more/equal effort into securing its FREE product than its PAY products (Windows Desktops, servers, productivity systems, etc)?
Re: Re: Re: Re: Re: Re: Re: Re: Re: *facepalm!*
Now as to your excellent question in the second paragraph: because Hotmail used to run on FreeBSD and Solaris. Just about ten years ago, Microsoft decided to switch it to Windows...and not coincidentally, that's when it began to go downhill rapidly. But they did it anyway, in a foolish, amateurish, misguided attempt to show that it could be done better with Windows (see http://www.theregister.co.uk/2002/11/21/ms_paper_touts_unix/) even though everyone knows that running a mail server on Windows is like setting yourself on fire: it's incredibly, completely stupid.
But one would think, given that Microsoft went through all this trouble, that they would take the time to do it at least halfway well -- because as it is now, all it really demonstrates is that not even Microsoft can run Microsoft products in a secure and stable fashion...which in turn raises the question, if they can't even do it, and they wrote the code, then why would anyone else believe that they can? Why would they even want to try?
And there's another point here, one that eludes many newcomers to the Internet. (You're "new" if you did not have an email address ending in ".ARPA".) When you build an operation, any operation, and you plug it into the Internet, you take upon yourself the professional and ethical obligation to make sure that that operation does not harm the Internet. It's your first responsibility -- the one that trumps all others at all times. And in that...Microsoft has failed miserably. In part I think it's because they don't really care if Hotmail shits all over the rest of the Internet; but in part I think it's because they can't fix it. They've stacked the deck so much against themselves that they're stuck.
But whatever the underlying reason(s), we know that the operation, taken as a whole, is completely insecure. We may not know exactly why, or how -- although we have substantial clues -- but the emitted traffic proves beyond any possible argument that it's rotten to the core.
Nobody will get fired...
*nix systems are often wrongly assumed to be perfectly secure, which they aren't. The only computer immune from internet attacks is one that isn't connected to the internet (e.g. has no network capability like no wireless or NIC card, and even then that's suspect).
Re: iRonic
The parties responsible for this sham both inside and outside of the government should be tried for treason.
A FREE product called "spiceworks" can outrun this $1.2B epic fail.
So who is going to follow up on this? yah, nobody. They are all in on it.
But don't bring Bradley Manning into this. They're focusing on him cuz he's a traitor.
Not surprised...
State Dept's forte is people and cultures, not technology.
Chris.
Seriously what does this get us that having them be a customer of Symantec doesn't?
Blame bureaucracy and office politics.
I guarantee somebody did point that out. They were probably shot down by someone higher up the chain, who won't be fired but promoted instead. That is how the government rolls. Just ask any federal employee.
First rule of government contracts... limit the scope
I'd like to think that things worked better in higher levels of government, but if they are this screwed up at the lower state levels, the federal government has to be even more screwed up.....
Sure you purchased an Enterprise Resource and Planning system from Dorkle (not real company), but reporting was not in the scope of the implementation contract you signed with us (HighlyPaidbutWorthless Consulting, LLP), so we only tested/implemented methods to put data into the system, you're on your own as far as figuring out how to get information out of the system....
Of course we would be happy to come back and sign another consulting contract with the scope limited to 'Reporting on X' for the same price as the initial implementation...
Sure reporting can be done internally, but that would require report writers to have access to the tools that can 'do stuff' in the system, we can't let our people have access to those tools, they would do 'something' that would cause us more work in the future. If we just restrict all functional users from using the tools, we can guarantee that all 'work' happens in ITS and is done by consultants (since our people don't understand the system they are in charge of maintaining and supporting).
This may sound a little far-fetched, but this is basically the reality I've been living with for the last several years (names changed to protect the 'innocent' and all that...)
So yeah... If it has Government and IT involved.... expect it to be totally messed up (look at who the consulting dollars are flowing to if you want to really understand what's going on).
What a dumb idea of the government to waste all that money that we need.
FIX THE WASTE !!!
I can't believe no one has said it yet:
Correction to article
http://www.gao.gov/new.items/d11149.pdf
Apparently NIST.GOV did not feel the same way as GAO about this system:
http://www.state.gov/m/ds/rls/132183.htm
http://www.nsa.gov/ia/ia_at_nsa/rowlett_awards/award_recipients.shtml
The blogger is incompetent
Mike should go back and re-read the article or go back to school for reading comprehension classes.