Well, THERE'S your PROBLEM....
Microsoft Windows, Apple OS X, Linux, Unix, BSD...
It doesn't matter.
PEBCAK
...Cirdan...
Of course, administrative decisions hobble those in the trenches...
In response to this week's data breach at the US Office of Personnel Management, the White House has ordered federal agencies to immediately deploy state-of-the-art anti-hacker defenses – things like installing security patches, and not giving everyone the admin password. This groundbreaking cyber-edict comes after dossiers …
"If the White House's top tips on cyber-security really are news to government IT admins, the hackers needn't have bothered burning such a precious tool."
That's the problem right there. machines don't lie and people do.
Your unpatched, unaudited, unchanged password chickens will eventually come home to roost.
My new cyber-security company, GetAClue Inc. will help fix all that. It will start by firing all the people whose details were leaked, on the grounds of National Security. Then we will hire some Indians, Vietnamese, Chinese and Mexicans to sort it all out. Kerching!
Let's not forget the REAL problem ... software, it sucks. It's a house of cards with no solution in sight. We have patches with fix patches which fix patches etc. And nobody knows which pieces fit with other pieces.
In order to rush out the latest and greatest to make that almighty buck, we've sacrificed stability and common sense in design and testing. It's the only product you buy which comes with a 'known list of bugs' and nobody cares.
This post has been deleted by its author
It's the only product you buy which comes with a 'known list of bugs' and nobody cares.
Er no, all products now come with a list of 'known bugs' in order to limit legal liability.
This microwave oven is unsuitable for the drying of pets.
Your mileage may vary.
Only those who buy software even remotely expect perfection, and no one in the engineering and manufacturing industry who has the least idea of the modern ideas of Quality Management expects any product to be perfect without continuous effort devoted to improving it - not till its perfect, but until all known and serious flaws have been identified fixed or documented into a 'limitations of use' type tome
Please, you cannot compare, bugs are things that don't make the product work or not work as advertized. Drying of pets in a microwave is not the same, it's not a bug. Having the microwave stop working for certain foods made by certain manufactures is a bug. Mileage varies on how you drive and where (city or highway), it's not a bug.
"
It's the only product you buy which comes with a 'known list of bugs' and nobody cares.
Er no, all products now come with a list of 'known bugs' in order to limit legal liability.
"
I'll add to that and say that your average washing machine is not equipped to detect and deal with malicious attackers who go house-to-house secretly loosening bolts and rewiring all the appliances.
Software bugs are really not the main problem here.
I'm not sure you'll be put on such a list, or if you are whether it will mean anything. The NSA has, so far, failed to detect a single terrorist attack despite its massive surveillance of citizens. Today brings yet another example, as a loon in Dallas with what turns out to be a history of threats and wild-eyed imaginings managed to set bombs off around police headquarters and spray it with gunfire, without a single warning from all that monitoring.
Honestly, I don't believe terrorist monitoring is the purpose of the NSA. They've taken Hoover and Nixon and their idea of "enemies lists" to a massive extreme, and are far more interested in monitoring political activity, aspirations, and opposition than in keeping the public safe from harm.
>>I'm not sure you'll be put on such a list, or if you are whether it will mean anything. The NSA has, so far, failed to detect a single terrorist attack despite its massive surveillance of citizens.
Uh, exactly. I'm not a terrorist so I'm sure they'll direct most of their effort to monitoring me.
The NSA has, so far, failed to detect a single terrorist attack despite its massive surveillance of citizens.
The history of the Uk's involvement with N Ireland terrorism is littered with incidents that made the papers and MI scuttlebutt about what really happened.
Murders by e.g. the Unionist paramilitaries of (largely unknown) IRA high command.
The mysterious early detonation of bombs and even weapons caches by 'inept terrorists'
The way in which the IRA high command eventually turned coats and joined a peace settlement.
The point about secret intelligence, is that it is secret.
https://en.wikipedia.org/wiki/Bodyguard_of_Lies
Is a book worth reading that illustrates just how much of the secret intelligence war of WWII was devoted to disguising how much the secret intelligence agencies had actually penetrated the enemy intelligence systems.
And how much even when it was published remained secret. And a lot still is.
The problem with secret agencies is that you have to take them on trust.
There is an apocryphal story about a newly elected Harold Wilson calling in the heads of the security services and saying 'I am the duly elected representative of this country: Can you tell me the sphere of your operations?'
"No: Its a matter of national security"
"And who are you answerable to, if not me?"
"Can't tell you: National security".
But how can we bootstrap the process? Because it's obvious that a Dept for the Obvious is needed, without that dept already in place no action can be taken!
We'll just have to trust to the cornerstone of modern US democracy: give an ungodly amount of money to lobbyists, lie back and think of the children.
1. three to six months to develop a departmental assessment team and draft an action plan;
2. six months to vet, recruit, and hire a departmental team of in-house security experts;
3. ditto the outside consulting team;
4. six to nine months of developing security objectives, systems flow charts, software initiatives, and hardware procurement timelines;
5. preliminary submission of department budget requests with security set-asides;
6. evaluations and promotions of upper level management to oversee security initiatives;
7; 8; 9; 10 ... need we go on?
It will be a cold day in Hell before ... ( groan )
- Install software patches for critical vulnerabilities "without delay."
- Use antivirus and check log files for "indicators" of malware infection or intrusion.
- Start using two-factor authentication.
- Slash the number of people with administrator-level access and limit what they can do.
So, as a sysadmin I consider these an absolute necessity (Bar perhaps 2FA) for ALL of my customers... Let alone a federal agency.
... did you do as I told you and install our made-in-the-US state of the art anti-bad-guy stuff?"
"Yes, Mr President. We did."
"Hmmm. But isn't that the stuff we told folks to put, like, back doors and ways in into?"
"Yes, Mr President - but it's OK. We've taken care of that."
"Oh? How?"
"We put big software signs on all the back doors. They say 'US Government secrets behind here. KEEP OUT."
"Ah. That's alright then. Carry on...."