Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

State Department Hit With Many More Break-Ins

ScuttleMonkey posted more than 8 years ago | from the crackers-and-hackers-and-press-oh-my dept.

143

adjust28 writes to tell us CNN is reporting that the US State Department has been dealing with a number of computer break-ins with regards to their headquarters and offices dealing with China and Korea over the past couple of weeks. From the article: "Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking."

Sorry! There are no comments related to the filter you selected.

FUCK ANTDUDE (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15703850)

Before you listen to any more drivel by 'AntDude [slashdot.org] ', take a look at who you're dealing with: http://pbx.mine.nu/antdude.jpg [pbx.mine.nu] . The abortion in the center is 'AntDude'. I won't even get into discussion about him listing his 'sex' as 'female' on his SHITTY 'blog' (aqfl.net [aqfl.net] ). This faggot has nothing better to do than sit on the internet and spew worthless garbage. He's the new LostCluster [slashdot.org] when it comes to posting utterly worthless tripe. Not to mention his submitted stories! Every single one of his last 10 or so submissions have been tagged as 'lame' or 'slownewsday'. Why does taco even bother posting his shit. Maybe he gets some tiny deformed chinese cock up his taco ass in exchange for some linkspam with google ads? Do the world a favor and never reply to comments from ANTDUDE and mark him as a FOE [slashdot.org] .

Lack of motivation (5, Interesting)

Anonymous Coward | more than 8 years ago | (#15703862)

The government seems to have never placed much importance on computer security. I recently read Cliff Stoll's 1989 chronicle of a hacking, The Cuckoo's Egg [amazon.com] . Back then the government was slow to respond and pretty unmotivated, and it seems like little has changed today. Yet, once they catch someone, they give him a draconian punishment that ruins his life, just look at Mitnick. The government can't seem to decide it's priorities. It'll punish you more for cracking than for murder, but at the same time it won't secure it's own systems and heed experts.

Re:Lack of motivation (2, Insightful)

penix1 (722987) | more than 8 years ago | (#15703883)

"The government can't seem to decide it's priorities. It'll punish you more for cracking than for murder, but at the same time it won't secure it's own systems and heed experts."

sarcasm
Who needs secure systems when you have draconian punishments? /sarcasm

That aside, systems are no more secure or insecure as the people behind them. I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.

B.

Re:Lack of motivation (4, Insightful)

Tony Hoyle (11698) | more than 8 years ago | (#15704124)

I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.

That's because so-called "high security passwords" are nothing of the sort - once you reach a certain level of complexity people will simply write them down.. a password that someone can remember is far more secure than a 'high security' one that has to be written down somewhere.

I suspect they only went that route because they were too cheap to buy securid.

Re:Lack of motivation (2, Informative)

MECC (8478) | more than 8 years ago | (#15704406)

Has everyone forgotten about FIPS-181? Making a non-word password pronounceable at least increases the chances it won't get written down. Then at least if someone steals one part of two factor authentication, there's less of a chance that the password hasn't been lifted as well.

Re:Lack of motivation (0)

Anonymous Coward | more than 8 years ago | (#15705021)

a password that someone can remember is far more secure than a 'high security' one that has to be written down somewhere.
I'm starting to believe that the exact opposite is true.

Re:Lack of motivation (1)

T_ConX (783573) | more than 8 years ago | (#15705121)

That's how it works at my workplace. Passwords must have characters from three of four groups, Capitals, lower-case, numbers and symbols, and must be updated every 40 days (with a 'heads up' after 30 days). People hated this, and just recently we got little biometric finger readers for those who wanted them.

For me... creating hard to guess passwords that use a variety of characters but are eay to remember is the one single thing l337 speak is still useful for. Sadly, there aren't enough l337d00ds around here.

Re:Lack of motivation (0)

Anonymous Coward | more than 8 years ago | (#15704216)

I have been in places where they have implemented "high security passwords" only to have the secretary simply write the thing down on a post-it and stick it to their monitor.


State? Defence? Commerce? Treasury?,,,be specific please.

Re:Lack of motivation (5, Insightful)

rolfwind (528248) | more than 8 years ago | (#15703892)

And also at the same time, we "have to" entrust them with our information. Which they seem to have a voracious appetite for these days. Sad, really.

Re:Lack of motivation (1)

rodgster (671476) | more than 8 years ago | (#15703895)

Remember a while back the guy that got fired for hacking back?

Maybe he should have been rewarded and/or his bold personal vendetta recognized as a necessary response to seemingly state sponsored hacking of US computer systems (critical infrastructure).

The horse has bolted (5, Interesting)

jdbartlett (941012) | more than 8 years ago | (#15703918)

I don't want to trigger a Windows/Linux debate, but relevant is this quote from a recently slashdotted interview with McKinnon:

"I found out that the US military use Windows," said Mr McKinnon in that BBC interview. "And having realised this, I assumed it would probably be an easy hack if they hadn't secured it properly."

Source here [bbc.co.uk]

Even if it is considered right to treat such breakins so seriously: how many times must the horse bolt before the barn door?

Re:The horse has bolted (4, Funny)

stunt_penguin (906223) | more than 8 years ago | (#15704026)

It would seem that unfortunately this particular horse has managed to build himself a back door as well, unfortunately.

Re:The horse has bolted (2, Informative)

Tony Hoyle (11698) | more than 8 years ago | (#15704128)

It depends which version... MS are slowly getting the 'secure by default' idea, and Win2003 is reasonably secure out of the box. It remains to be seen what happens with vista.. I suspect UAC will be weakened in the same way that NX was in XP, simply to 'improve the user experience'.

Re:The horse has bolted (0, Flamebait)

EraserMouseMan (847479) | more than 8 years ago | (#15704716)

I don't want to trigger a Windows/Linux debate

And then you turn right around and quote somebody saying something about the military using Windows machines. I wasn't aware that the State Department is a branch of the US Military. Am I wrong about that? Or are you using unrelated quotes to to flamethrow?

And then the second half of your misapplied quote, "it would probably be an easy hack if they hadn't secured it properly." Now *nix would be an easy hack if not secured properly as well, now wouldn't it? In fact, if it's not secured properly the penetration can barely be called a hack. If the door is open there's no breaking in required.

I don't want to trigger a Windows/Linux debate . . . but your post was 95% flamebait.

Re:The horse has bolted (1)

jdbartlett (941012) | more than 8 years ago | (#15705035)

The The United States Department of State and The United States Department of Defense (which controls the US military) are both organizations of the United States government that use Windows OS. Am I wrong about that? I've only lived in this country for a couple of years, apologies if I'm wrong.

As I said, I didn't want to start a Win/Linux debate. Perhaps I should have emphasized the phrase "if they hadn't secured it properly". The horse is not Windows, the horse is impropperly secured systems in many organizations of the United States government in spite of international press stories that explicitly state impropperly secured systems were a contributing factor in breakins.

And this is bad? (4, Insightful)

SmallFurryCreature (593017) | more than 8 years ago | (#15703957)

Do we really want have a goverment that can keep things secret? A state that can keep things from being investigated by having it totally secure, privileged eyes only, any leak easily traced?

I think not. Just remember the whole fuzz about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?

If total security is achieved say goodbye to all those leaks and exposes. You will have a system that makes the KGB look like childsplay. Not because they will abuse it but because if they want to they can, without ever being found out. All that would need to happen is for someone to come along who wishes to abuse it. Do you trust any party so much you want to give them complete secrecy?

Democracy and free press are nasty things. They conflict immidiatly with the need to keep things hidden. Even such a simple thing as the skunk works is a direct violation of the principles of free press and accountable goverment. How the hell can we judge our goverment if they can keep what they are doing hidden from us?

The only alternative is to accept a certain level insecurity and just go after the people that go to far. A very strange state of affairs but better then living in a police state.

Mitnick ain't a victim. He is a stupid criminal and deserves everything he is going to get. He was not a journalist seeking the truth, he was just a cracker messing around with computers that were not his.

If I do not lock my door that does not give you the right to enter my house. Neither do I want to live in a world where the goverment is behind closed doors.

Re:And this is bad? (1, Informative)

CRCulver (715279) | more than 8 years ago | (#15703963)

Do we really want have a goverment that can keep things secret? A state that can keep things from being investigated by having it totally secure, privileged eyes only, any leak easily traced? I think not. Just remember the whole fuzz about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?

The Pentagon Papers trial created a fine balance that is worth preserving. The government can keep things secret in the interest of security, but at the same time it's not illegal for the press to print whatever is leaked to it. It's, on average, a win-win.

It may not be illegal, but... (5, Insightful)

Animaether (411575) | more than 8 years ago | (#15704306)

...there are certainly dire consequences -if- the government wants there to be. Just look at the money tracing operations and their exposure: President Bush openly and fiercely attacked those newspapers who have reported on it, stating that they have hurt the U.S.'s cause in tracking down terrorists -and- have done damage to the security of the United States and its citizens. He has done this repeatedly, with the full support of other government officials and branches, and guess what? Recent polls showed that the nation is divided roughly in half on the issue at this time, while when the story was published most people really just didn't care too much -or- were outraged that the U.S. government once again pried in their personal affairs. That is now 50% of people agreeing that they feel less secure now that papers, specifically The New York Times, reported on this secret program, and that they shouldn't have done it and -should- be prohibited from doing so in the future. The U.S. government is doing a great job of making the papers out to be 'the bad guys', and one can only imagine that it's certainly not helping their subscribership.

So yes, they can report whatever they want, but the government can very much make them feel sorry for doing so in financial terms. Thankfully the majority of the papers who have reported it -don't- feel sorry in terms of 'doing the right thing'; as one of the editors said - if they can't report on this, then what's next? Not reporting on Abu Ghraib? Not reporting on 'accidental' bombings of civilians? All in the name of supposed national security.

I can understand - and papers should certainly be wise enough to make this decision for themselves - that papers should -not- publish information regarding specific individuals or programs that would severely compromise those individuals or programs; e.g. operatives abroad who have infiltrated: you don't go publishing their names and photos. Investigations into a terrorist sleeper cell in Hicksville: you don't go publishing that they are under investigation. But for something as broad as "The U.S. government is tracking your international money transfers", there is -no- compromise of the program. If nothing else, sad as it is, most people probably expect that the U.S. government was doing that already, and the U.S. government can happily continue doing so; they can't honestly believe that terrorists will suddenly go "oh dear, I say... they are tracing our money wires.. perhaps we should stop using that.".

Elections must be coming up again soon...

Re:And this is bad? (1)

crossmr (957846) | more than 8 years ago | (#15705416)

I didn't read teh details of the Pentagon Papers trial, however I hope there was an exception included that them being allowed to print whatever was leaked did not extend to things like say battle-plans or such stuff (which they may be allowed to print, but not before the operation reached a conclusion).

Re:And this is bad? (3, Insightful)

ijakings (982830) | more than 8 years ago | (#15704123)

I am so sick of that comparison. Entering a computer that has no password or no security is NOTHING like not locking the door of a house. It is what it is, someone logging on to an unsecure system, stop trying to compare it or dumb it down for the masses, this is slashdot, not congress.

The Ethics Of Housebreaking (2, Interesting)

NickFortune (613926) | more than 8 years ago | (#15704350)

Entering a computer that has no password or no security is NOTHING like not locking the door of a house.

I can sympathise with a desire to see the correct terminology used, but in this instance, I'm not sure I can see the harm.

The trouble is that hacking is, in terms of human society, comparatively new. Everyone understands the times when it is right or wrong to enter someone else's house. The same is not clear for remote computer access.

So, it makes sense to look for an situation analagous to unathorised access and reason from that starting point. A lot of people, myself included, find the housebreaking metaphor apt.

Of course, it remains an analogy, and necessarily inexact, but it does provide a useful frame of reference. I'm not sure it's possible to consdier the issue without one. Is there anything intrinsically good or bad in accessing a computer system? Why should permission alter the scenario? At least if we talk about houses and bolts we make our presumptions clear from the start.

Do you think the analogy is unhelpful? Do you have a better starting point? I can't see how else to approach the problem.

Re:The Ethics Of Housebreaking (1)

InsertCleverUsername (950130) | more than 8 years ago | (#15704991)

> So, it makes sense to look for an situation analagous to unathorised access
> and reason from that starting point. A lot of people, myself included, find
> the housebreaking metaphor apt.
>
> Do you think the analogy is unhelpful? Do you have a better starting point?
> I can't see how else to approach the problem.

I think a better metaphor would be coming across an abandoned looking building while out on a hike. You know it must belong to someone, but obviously they don't care to lock it up or even maintain it. It certainly isn't hurting anything if you poke around a little. It's not like there was a "no trespassing" sign on the open door.

Now, if you trash the place or lift some valuables for yourself... Then you've crossed the line.

Re:And this is bad? (0)

Anonymous Coward | more than 8 years ago | (#15704133)

Mitnick or McKinnon?

Security and transparency (5, Insightful)

Crash Culligan (227354) | more than 8 years ago | (#15704184)

Do we really want have a goverment that can keep things secret? A state that can keep things from being investigated by having it totally secure, privileged eyes only, any leak easily traced?

Actually, yes we do. As long as we have to trust it with our things, we want it to be able to hold onto those things and not let just anybody see them or use them against us. If the government expects to claim that it's protecting us and our personal information, it has to deliver on that protection.

However, you're conflating security with transparency , when in fact they're both important. Security is the ability to keep the secret things secret against prying eyes. Transparency is the ability to unlock and inspect certain documents on demand to make sure that the government is functioning as it should. And ideally, the minimum amount of information should be classified secret: the smaller the pile of sensitive information is and the less it moves around, the less likely it'll get violated.

Democracy and free press are nasty things. They conflict immidiatly with the need to keep things hidden. Even such a simple thing as the skunk works is a direct violation of the principles of free press and accountable goverment. How the hell can we judge our goverment if they can keep what they are doing hidden from us?

The role of the free press is to report. It could be said that the role of the free press in a healthy democracy is to act as watchdog, to report when the system's security breaks so people can be warned and take measures for their own security, or to use the transparency to report problems. And it could be further argued that when transparency breaks down and secrets are kept unnecessarily, the best thing a reporter can do is intentionally break that bad kind of security. When the Pentagon Papers were exposed and the illegal acts of the Nixon administration were revealed, that was the free press's finest hour.

Nowadays, government security and government transparency are both oxymorons, and the "free press" provides spin, runs interference, and distracts people with the missing-blond-girl-du-jour (I'm looking at you, Fox "News"). Oh, and a significant portion of the people are okay with that.

My question is, where do we start the triage? Any one we start to fix will give us trouble from the other three.

Re:And this is bad? (2, Insightful)

hyfe (641811) | more than 8 years ago | (#15704295)

I think not. Just remember the whole fuzz about journalists being bugged so that anyone calling them with secret information can be traced. How can the press then do its job?

Is it now?

If total security is achieved say goodbye to all those leaks and exposes. You will have a system that makes the KGB look like childsplay.

If your system is counting on access failures for transparency and fail-checking there is something wrong with the system you've designed.

Just as CEO's should be personally responsible for what their companies do, government employees should be responsible for their own actions. Participate in illegal spying, fine'em. Ordering illegal spying, jail'em. Went to other countries, captured citizens and then refuse them any legal status, jail'em. Every single, bloody one responsible.

It might be painfull the first years, but the law is there to be followed. Even corporations. Even government. Personal responsibility is the way to go.

How the hell can we judge our goverment if they can keep what they are doing hidden from us?
The government isn't something magical being. They're the people you voted for. Start voting for certifiably sane people.
He is a stupid criminal and deserves everything he is going to get.
There are levels of criminality. Why are people so fast to brand someone a criminal, and then practically demand the death-penalty for any little simple thing. Trying to balance out low risk of getting caught with extreme punishments is a really dangerous method of creating a lawfull society.

Re:And this is bad? (0)

Saint Fnordius (456567) | more than 8 years ago | (#15704321)

If I do not lock my door that does not give you the right to enter my house. Neither do I want to live in a world where the goverment is behind closed doors.

That is a bad, bad analogy. Instead, imagine you have an idiot savant who keeps your records for you. If you don't tell him not to, he's happily blurt out the info to anybody who will talk to him. Who is at fault if he answers a request for imformation you were supposed to keep secret?

"Only tell me this," you'll tell your records keeper, but he's an idiot. How will he recognise you? How can you make sure he doesn't fall for a disguise?

This is also an imperfect metaphor, but closer to the case of tricking servers into delivering content they shouldn't. And that is what hacking is all about: tricking machines into doing doing things they shouldn't.

So yes, I want an entity that I entrust with my data to not simply blurt it out to any and all. Far too many people are out there who would love to use that info to pretend to be me or to defraud me. If I am to trust them with my info, I have every right to expect them to act responsible with it. Your conflating security from outside attempts to gain access with whistle-blowers and leakers (insiders divulging information) is misguided and possibly dishonest.

Re:And this is bad? (0)

Anonymous Coward | more than 8 years ago | (#15704373)

Yes, I would love a government that can not keep things secret, and therefore has little ability to protect its citizens in matters of Defense.

Re:Lack of motivation (3, Insightful)

asuffield (111848) | more than 8 years ago | (#15704045)

Yet, once they catch someone, they give him a draconian punishment that ruins his life, just look at Mitnick.


While this is generally fairly accurate, in the case of Mitnick they seem to have made him a career, not ruined his life. Before he was nobody; now he's getting all kinds of stuff because of all the publicity the government paid for. I'm really not sure what they thought they were doing.

Re:Lack of motivation (1)

infosec_spaz (968690) | more than 8 years ago | (#15704901)

Mitnik seems to be doing pretty good now a days...granted, they were a bit rough on him, holding him without trial and all, but he has made the best of it.

Re:Lack of motivation (0)

Anonymous Coward | more than 8 years ago | (#15704858)

The government can't seem to decide it's priorities. It'll punish you more for cracking than for murder, but at the same time it won't secure it's own systems and heed experts.


This is a false dilemma. While I agree that the government should do more to secure its stuff, there's no reason that harsh penalties can't be used as a deterrent.

I think that if you hack a machine belonging to the US government or one of its contractors and poke around for sensitive information relating to other countries or things such as so-called economic or defense secrets that it implies espionage, and you should be executed. And no, I'm not kidding.

The simple solution to stay clean?

Don't fucking do it.

Sooner or later this is going to cost us. The Russians already had our game plans for WWIII sorted out on multiple occasions. If things go down badly and we attempt to help Taiwan (and make no mistake, it will be the US carrying the load as the EU have no balls and a laughable warfighting capability) we need to keep the game plan secret. It's not a game.

What may appear to be a lone gunman cracker may be a contractor for an unfriendly.. but no matter. Crack the system? Death. And, FWIW I have no problem with governments executing people acting on behalf of the US if they're committing espionage against a given nation and are caught by said nation.

Re:Lack of motivation (1)

LWATCDR (28044) | more than 8 years ago | (#15705059)

"Back then the government was slow to respond and pretty unmotivated, and it seems like little has changed today. Yet, once they catch someone, they give him a draconian"

The level of security shouldn't have anything to do with the punishment. You don't go to jail longer for breaking into a home with 3 dead-bolts and an alarm vs one with a single lock. It isn't up to the victim to keep the criminal out of trouble.
"It'll punish you more for cracking than for murder"
Last time I checked murder was punishable by life in prison or death. I don't believe that anyone has been sentenced to death for hacking.
Does the government need to secure it's systems better? If people are breaking in the yes they do.

It gets better (0)

Anonymous Coward | more than 8 years ago | (#15705318)

Since 9-11, we pay lip service to security and democracy. At the same time, Bush has been paying back support and pushing loads of Windows boxes. For example, DHS (the group who is into faterland, rather than motherland) has pushed windows. Yet, the stats clearly show that it is the worst. We are now paying the price for allowing our country to become a fascists nation in spite of warnings from such as Eisenhower and even Warren Buffett.

Re:Lack of motivation (2, Insightful)

vertinox (846076) | more than 8 years ago | (#15705460)

It'll punish you more for cracking than for murder, but at the same time it won't secure it's own systems and heed experts.

That's not even half the problem. What happens if the hacker is in China and can't be arrested because he is actually in the basement of the People's Army and employed by the Chinese government.

Seriously, if I was a lead intelligence expert in China or Russia, I'd be having a heyday of compromising US military computers and trying to get as much information out of them as possible.

If some bright guy in the UK can do it... Why not trained teams of government spies with millions of dollars in their budget?

Ask Slashdot: Why do gov't 'puters have net access (3, Insightful)

Palal (836081) | more than 8 years ago | (#15703870)

Ask Slashdot: Why do gov't 'puters have net access?

Re:Ask Slashdot: Why do gov't 'puters have net acc (0)

Anonymous Coward | more than 8 years ago | (#15703881)

Why do they even have puters?

(pen and papers)

-m10

Re:Ask Slashdot: Why do gov't 'puters have net acc (3, Informative)

penix1 (722987) | more than 8 years ago | (#15703896)

Re:Ask Slashdot: Why do gov't 'puters have net acc (1)

nacturation (646836) | more than 8 years ago | (#15705027)

And what relationship to the public internet does a desire to decrease paperwork have?
 

Re:Ask Slashdot: Why do gov't 'puters have net acc (4, Funny)

jdbartlett (941012) | more than 8 years ago | (#15703938)

Because they're on the green.

For a bunker shot, they'd use a sand wedge.

Re:Ask Slashdot: Why do gov't 'puters have net acc (1)

orielbean (936271) | more than 8 years ago | (#15704958)

No, they use JDAM munitions for bunker shots. Or maybe those clever new mini-nukes that are somehow less offensive than the regular genocidal ones... :-)

Re:Ask Slashdot: Why do gov't 'puters have net acc (2, Funny)

jdbartlett (941012) | more than 8 years ago | (#15703931)

Joke answer: because they invented it! [wikipedia.org]

Re:Ask Slashdot: Why do gov't 'puters have net acc (1)

Firehed (942385) | more than 8 years ago | (#15703951)

So they can continue to wage the War on Child Pr0n, of course.

Re:Ask Slashdot: Why do gov't 'puters have net acc (3, Informative)

TrappedByMyself (861094) | more than 8 years ago | (#15704046)

Ask Slashdot: Why do gov't 'puters have net access?

Why shouldn't they? They need to do work and send email to people outside the government like the rest of us. How do you think, for example, all the tax forms show up on IRS.gov? Magic?

Classified computers do not have access to the normal internet, so when you see these break-in stories, no classified information was compromised, unless some dope went out of his way to get info from a class system to an unclass one.

Re:Ask Slashdot: Why do gov't 'puters have net acc (0)

Anonymous Coward | more than 8 years ago | (#15704253)

That actually isn't 100% true. The requirement of physical seperation does not apply to all classified networks.

Re:Ask Slashdot: Why do gov't 'puters have net acc (4, Informative)

jferguson (871036) | more than 8 years ago | (#15704741)

At least as of five years ago, most State Department computers had a single monitor, keyboard and mouse plugged into a switch that in turn ran to two different CPUs. One CPU, with big red stickers on it, was the classified ("class") machine; the other, with big green stickers on it, was the unclassified ("unclass") machine. The class machine had an ethernet hookup to the State Department intranet, to handle Lotus Notes and access to Cable Express, the computerized version of State's old Telex cable system. That intranet was completely disconnected from the internet. The unclass machine had a connection to the internet.

The hard disk in the class machine had a barrel lock on it. At the end of the working day, you powered down your machine, unlocked and removed the hard drive, and locked the drive in your safe. (The safe is less fancy than it sounds: a standard four-drawer file cabinet with two u-flanges welded onto it; you slid a long steel bar through both flanges and padlocked it into place. Cheap, but pretty effective.) The unclass machine's hard disk remained in place, and those machines were rarely turned off.

As the story mentioned, most of the hacks target unclass machines, for the simple reason that they can't reach class machines. Give State some credit; on the hardware side at least, they did the right thing by building two networks.

The problem with this setup is this: say you're writing a report that will include some classified information but that will also have background research perhaps from the internet. In theory, you should write the report on the class machine. You should do the internet research on the unclass machine, write up whatever you want to add to the report, copy it to a floppy or flash drive, and copy it onto the class machine. The document from the class machine should never appear on the floppy or the flash drive, much less the unclass machine. In practice, as you can imagine, people often put the file on the portable medium so that they can avoid wrangling with version control (most foreign-service officers don't know what version control is, but they know they don't like to wrangle with it). Once you start doing that, it's only a matter of time before classified information ends up on an unclassified machine.

Just for the record, a lot of classified information is, frankly, uninteresting. If an embassy staffer covers a rally in the foreign capital and writes a cable that has six paragraphs of description of the rally and one paragraph of commentary on the rally, he'll often mark his comments confidential; this in turn makes the cable classified. This tendency to classify TOO MANY THINGS only adds to the report-writing problem I mentioned above, since often the necessary reference material is unclassified description within a classified cable.

Frankly, if you can come up with a way to sort out this state of affairs, I think the State Department would be pretty willing to listen to it. At least, based on watching diplomatic security officers tear their hair out at the potential security breaches that their own employees commit, I think they would be.

Re:Ask Slashdot: Why do gov't 'puters have net acc (3, Interesting)

infosec_spaz (968690) | more than 8 years ago | (#15704922)

Right....Classified systems are on a seperate network...until, that is, some network eng. patches them together to make his/her job easier. Have you ever done a audit of a military/government network? I personally have, and found over 60 paths to so called "Secured" networks from a machine which was Internet accessable...Let's stop cherry picking, and call it like it is...totally kludged up, non-functonal, messy security at best.

Re:Ask Slashdot: Why do gov't 'puters have net acc (1)

MichaelSmith (789609) | more than 8 years ago | (#15704069)

Why do gov't 'puters have net access?

Without direct access to microsoft servers the OS can't automatically update itself. Does this mean that airgapped systems are less secure?

Re:Ask Slashdot: Why do gov't 'puters have net acc (1)

Richard_at_work (517087) | more than 8 years ago | (#15704138)

Uh, software update server? Its easy to automatically update Windows systems without access to the Internet.

Re:Ask Slashdot: Why do gov't 'puters have net acc (1)

MichaelSmith (789609) | more than 8 years ago | (#15704333)

Uh, software update server?

I had to ask because I am not a windows person myself. The windows admins where I work have a fairly kludgy tool which they run to remotely install stuff on the windows boxen. It occasionally raises dialogs on our screens asking questions like "do you want to continue?", etc. I wondered if the update mechanism could be used to cleanly feed config and binary changes to the workstations and based on your reply this seems to be the case. Its a pity it doesn't get used.

Hacking: an offensive weapon (2, Funny)

jdbartlett (941012) | more than 8 years ago | (#15703880)

The Pentagon warned earlier this year that China's army is emphasizing hacking as an offensive weapon. It cited Chinese military exercises in 2005 that included hacking "primarily in first strikes against enemy networks."

Of course, that's what the bayonet is for!

What about MySpace? (4, Funny)

Ohreally_factor (593551) | more than 8 years ago | (#15703884)

This could put the State Department ahead of MySpace as the #1 destination site.

Homeland security is a joke (4, Interesting)

mcrbids (148650) | more than 8 years ago | (#15703885)

I spent a few months not so long ago tracking down a cracker who had compromised a mail server for an ISP. He'd gotten root, and installed rootkit style stuff that hid directories, etc.

It was a long process to penetrate all his defenses. Finally, I ended up chatting with the cracker a la Yahoo Chat, including video. He was from Romania, and liked diet 7-up.

So, I get all the sources together with which he compromised the server. I had everything, down to IP addresses. I called the FBI and they referred me to some web page that didn't even allow enough upload to report everything I had found.

I submitted what I could. I didn't even gt a "thank you" email. I would have been happy with a "thank you" message. But I got nothing.

My opinion of the dept of Homeland Security as well as the FBI sank immeasurabily as a result.

Re:Homeland security is a joke (4, Insightful)

dclocke (929925) | more than 8 years ago | (#15703907)

Unfortunately, the government just doesn't have the resources to investigate every single incident of computer trespassing. It would be nice if they could, but until then I can understand why an intrusion of an ISP mail server would not be very high on their priority list. As many incidents as there are like this that occur every day, it simply isn't possible to follow up on every one. Although, if what you say is true, it seems like you did most of the work for them. Hopefully they would at least file the information away for a rainy day, but my guess is they they didn't.

However, if this incident caused your opinion of the FBI and DHS to sink that much, I think you may have been overly generous with your opinion of the two agencies to begin with :)

Re:Homeland security is a joke (1)

jimcooncat (605197) | more than 8 years ago | (#15705153)

"Unfortunately, the government just doesn't have the resources to investigate every single incident of computer trespassing."

Why the hell not????

Re:Homeland security is a joke (1)

rodgster (671476) | more than 8 years ago | (#15703908)

I've submitted several well documented (IMHO) "events" to the FBI. I got a call once (RE: hacking of AT&T wireless website for new account sign-up). Didn't go any further. And I got an email another time (fraud) in effect saying sorry, try the local PD.

Dept. of Homeland and FBI security priorities. (5, Funny)

Anonymous Coward | more than 8 years ago | (#15703991)

I submitted what I could. I didn't even gt a "thank you" email. I would have been happy with a "thank you" message. But I got nothing.

My opinion of the dept of Homeland Security as well as the FBI sank immeasurabily as a result.


Your error was that you failed to realize what the priorities of these agencies are. Report the incident again only this time put the words 'terrorist' and 'activity' in the subject line. Wait an hour and then turn on the TV, switch to a news channel and you should hear reports of massive USAF airstrikes somewhere in Romania. For shorter response times try adding the word 'Osama' to the subject line. Just be careful when using the words 'bin' and 'Laden' since combining those with the other three in one subject line might lead to a tactical nuclear strike.

Re:Dept. of Homeland and FBI security priorities. (0)

Anonymous Coward | more than 8 years ago | (#15704245)

Unfortunately you have been modded as Funny instead of Informative.

Re:Homeland security is a joke (1)

ratonu (868505) | more than 8 years ago | (#15704007)

Oh, but they didn't just ignored your report. I received a job offer from them right after that "incident". I guess it's me who owns you that "Thank you!" that you were looking for.
Of course, my ip probably looks like i am in Croatia right now, but don't let yourself fooled by such a small detail.

Re:Homeland security is a joke (1)

tomlouie (264519) | more than 8 years ago | (#15705195)

> I guess it's me who owns you that "Thank you!" ...

Freudian slip?

Re:Homeland security is a joke (0, Flamebait)

killjoe (766577) | more than 8 years ago | (#15704156)

This guy was just another hacker. If you want homeland security to go after him you need to paint him as a liberal who protests the war or Bush. If he was an arab you would not have to do that but he is a white guy so that's your best bet.

Re:Homeland security is a joke (0)

Anonymous Coward | more than 8 years ago | (#15704835)

If the hacker would have been uploading warez THEN it would have been a big deal.

simple (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15703889)

me chinese me play joke me put pee pee in your coke

all the linux fanboys are going to shout: THE GOVT WAS USING WINDOWS!!!! but i bet some linux servers got cracked.

Outsourcing (2, Funny)

Umbral Blot (737704) | more than 8 years ago | (#15703891)

Maybe they shouldn't have been outsourcing. (that's a joke people)

Just what we need (3, Funny)

Anonymous Coward | more than 8 years ago | (#15703894)

Great now they'll get buried in viagra ads. Guys they aren't trying to steal secrets they just wanted your security down so they can sell you dick pills and cheap pirate software. Oh and by the way that nice guy in Nigeria wants to take money out of your account not put it in.

Re:Just what we need (0)

Anonymous Coward | more than 8 years ago | (#15704441)

What??!?!? You mean the rebels really don't need to secure their millions in my bank account? Ah crap!

Reality check... (2, Insightful)

flynns (639641) | more than 8 years ago | (#15703939)

(1) The classified servers are physically disconnected from the Internet. They have to be.

(2) Every time I read a headline like this, I remember playing Uplink, and chuckling over the poor bastards when what I did hit the headlines. Somewhere in Korea, someone is chuckling hard.

Re:Reality check... (3, Insightful)

TubeSteak (669689) | more than 8 years ago | (#15704086)

(3) If you compile enough *sensitive information...
you can end up with a information that would be classified: see (1)

*limited official use (now sensitive but unclassified), controlled, for official use only, internal use only, variations on sensitive, etc etc etc.

Re:Reality check... (0)

Anonymous Coward | more than 8 years ago | (#15704112)

I hate to break it to you, but with regards to point #1, that's just not true. It applies to some classified networks, but this notion of a 100% airgap is simply not true. There are points of physical connection (that are guarded).

who needs privacy? (0)

Anonymous Coward | more than 8 years ago | (#15703945)

people to government: Ha, ha... if we can't have any privacy, neither can you! So there!

Mental note . . . (4, Funny)

bblboy54 (926265) | more than 8 years ago | (#15703959)

After the State Department break-ins, many employees were instructed to change their passwords.

The root password is now "god" instead of "sex"

Don't be Silly... (1)

Dareth (47614) | more than 8 years ago | (#15704751)

They changed it to a much stronger password: superman

Geek trivia for 10 thanks... (5, Funny)

overbaud (964858) | more than 8 years ago | (#15703965)

The password for the defense department computers in question was 'Joshua'.

If you don't get this your not geek enough, hang your head in shame.

Re:Geek trivia for 10 thanks... (1)

CaptainDefragged (939505) | more than 8 years ago | (#15703996)

That's a WOPR of a statement ;)

Re:Geek trivia for 10 thanks... (1)

Kijori (897770) | more than 8 years ago | (#15704004)

Answer,ROT13, for those that aren't full awake/alive: Sebz gur svyz Jnetnzrf (1983). Frr uggc://jjj.vzqo.pbz/gvgyr/gg0086567/

Thanks. (1)

antdude (79039) | more than 8 years ago | (#15704629)

Thanks for the answer even though I don't remember Joshua used in the movie, but then it has been years (only saw it once) since I saw it. :)

Re:Geek trivia for 10 thanks... (2, Funny)

MK_CSGuy (953563) | more than 8 years ago | (#15704088)

Oh... So North Korea didn't really fire those missiles?

Re:Geek trivia for 10 thanks... (1)

borg007 (712705) | more than 8 years ago | (#15704583)

I don't know why, but your posting has left me hungry for a W.O.P.R. I guess I'll head to Burger King or NORAD for lunch.

Will someone please arrest/sue Matthew Broderick's co-stars. They were the ones that told us all about the "back doors". An obvious national security breach.

Re:Geek trivia for 10 thanks... (1)

AgentPhunk (571249) | more than 8 years ago | (#15704654)

When my company was using a 3rd party "managed" firewall service, they'd always ask you three security questions before you could open a ticket, make change requests, etc. You were able to create the questions that they would ask you, and then of course specify what the correct answers were.

One of my questions was: "What is your favorite question?"
My response had to be: "Shall we play a game?"

Another question I had was "What is your favorite color?"
My response had to be "Red, no blue!"

Most of 'em didn't get it. I guess those two movies weren't very popular in India..

Re:Geek trivia for 10 thanks... (1)

tacokill (531275) | more than 8 years ago | (#15705126)

Yes, but was the Global Thermonuclear Warfare game available to be played? If not, I suppose I'll have to settle for tic-tac-doe.

I just hope they changed the password from "pencil".

Must I say it again? (1)

Thaidog (235587) | more than 8 years ago | (#15703971)

Keep it off the network!!!

pass the salt please (5, Insightful)

witte (681163) | more than 8 years ago | (#15703993)

One has to wonder if this is for real or if this is just another stab at fear-mongering so more propositions to cripple net neutrality / online privacy / ... can be passed.
If they really experienced that much security breaches I doubt CNN would be allowed to publicize this.

OTOH, TFA mentions a lot of scary evil things like North-Korean missiles and Chinese Hackers.

I'm not sure whether I prefer this article to be for real or propaganda, both possibilities imply information warfare on the US people.

Re:pass the salt please (1)

packeteer (566398) | more than 8 years ago | (#15704022)

If all posible scanrios lead to a conspiracy theory maybe you should be thinking about why you see conspiracy theories in all possible scenarios.

Re:pass the salt please (1)

witte (681163) | more than 8 years ago | (#15704099)

Thats a pretty subtle way to say I'm a paranoid basketcase.

Remember that power brings out the worst in people. Show me someone who wants to get on top of the pile and i'll show you someone who will go over corpses to achieve his goal. (If enough is at stake, literally.)
This may be hyperbolic, but that's the way human society works. The egotistical/powerhungry maniacs that are smart enough to tell the right lies to woo everybody into believing they *need* them (eg. through fear for an external enemy --> "we will protect you. now fork over the cash.") will often outsmart the moderate idealists that want to do good for the people they represent.
So go ahead and call me paranoid.

Actually I hope I am wrong. But it's historic fact that those in power lie to people to further their agenda.
At work, at the governement, at shops, to their own kids, ...
A lot of people will lie to maintain an edge.
The idea is that lies do no harm, but that's a misconception. Sometimes lies get other people killed.

Re:pass the salt please (4, Insightful)

Meneguzzi (935620) | more than 8 years ago | (#15704030)

I think that news such as these underline the fact that the American's are putting their money on the wrong kind of project for their "homeland security". I bet that monitoring the net and phone traffic of a huge number of people costs quite a great deal of money, money which could have been spent training people to better protect sensitive, or even not that sensitive systems (the tiniest security hole can always widen and become a real liability, if you ask me).
Wholesale monitoring of communications is as useful as trying to read all the content on the internet, for every useful bit of information you read, you get a 1000 useless bits. So training people to understand the subtleties of "the enemy" would seem a more sensible solution.

Re:pass the salt please (1)

argStyopa (232550) | more than 8 years ago | (#15704702)

Yes, but net surveillance is a mechanistic solution, that doesn't depend on anyone to act. Yes, throwing money down a surveillance rathole is going to generate (if you're damn lucky) perhaps a %0.0001 useful data return. But it's nearly assured you're going to get SOMETHING, and in the meanwhile, you can always PROVE to your constituencies that you are doing something useful, even if we all acknowlege it is trivial. It's not all that different from hiring umpteen-gajillion TSA screeners to make airports LOOK quite a bit more secure, even if we all ignore the facts that
- its terrifically unlikely that anyone in the reasonable future will try to hijack a plane again due to the near certainty that the passengers will no longer 'cooperate' as they did before 9/11
- the 9/11 hijackers in any case DIDN'T 'sneak' **anything** through security. They were carrying AFAIK at the time perfectly legal stuff, box cutters, etc.
- routine testing is showing that the current arrangement, while better than nothing, is only just, and is regularly penetrated by testers with guns, knives, and fake explosives.

OTOH, educating the public is a Brobingnagian task that presupposes a level of long term committment from the citizens (to say nothing of politicians) that's frankly unsustainable. And then, once they are educated, you're faced with the simple contradiction that an open society simply CANNOT be secured to the point that terror incidents can be prevented - full stop. So 'education' becomes synonymous with (what I would call) a more mature view that such things are going to happen like being struck by lightning. You can reduce the likelihood, but can't prevent it totally, not and live a normal life. And THEN the public is going to realize that the main motive traction behind terrorism is the media, and blame (rightly) the media's obsession with sensationalism.
No, I think education, aside from being a utopian goal, opens entirely too many cans of worms for government, media, business, etc to be comfortable with the results. But hey, I'm just a complete cynic.

Finally, it's endemic to a democracy that its policies will blow whichever way the wind happens to be blowing. The public's attention and concern is fickle and short-lived.

Re:pass the salt please (1)

erroneus (253617) | more than 8 years ago | (#15704205)

Did you just say "allowed" to publicize this? You mean the way the other leaks regarding secret and illegal government surveilance was "allowed"?

Look, if a government is going to be respected by the people and/or the press, they either have to be well organized and competant or they have to use a lot of guns. For the moment, they seem to be using the guns approach as they are arming themselves with laws that are abused on a pretty frequent basis giving law enforcement and the executive unprecedented powers...which are also abused on a frequent basis. And until the GAO (Gov't Accountability Office) can double it's size (among the only government organizations that needs to grow in my opinion) there won't be any competancy in government.

ignorant comment (2, Funny)

freaker_TuC (7632) | more than 8 years ago | (#15704016)

Nothing news about this; this is a dupe [slashdot.org] ; there was already an article before of the US being the #1 destination for Internet traffic.

Why bother? (3, Insightful)

99luftballon (838486) | more than 8 years ago | (#15704017)

Since most state computer security seems to be so laughably weak. UK 'hacker' Gary McKinnon, currently being extradited to the US, got into US Navy logistics computers by just typing in admin and password to login screens for Windows NT for goodness sake. If the most advanced military force on the planet is using an unsupported operating system I dread to think what the state department's systems must be like.

U.S. Hacking Officials? (2, Funny)

NorthwestWolf (941862) | more than 8 years ago | (#15704059)

"said U.S. officials familiar with the hacking"

When did they hire anyone like that? I call their bluff!

Perhaps they hired some first-rate plumbers - they know how to "hack" into tubes.

Re:U.S. Hacking Officials? (3, Funny)

1u3hr (530656) | more than 8 years ago | (#15704118)

Perhaps they hired some first-rate plumbers - they know how to "hack" into tubes.

Didn't work out so well for Nixon.

Disabling security (2, Interesting)

Mr. Freeman (933986) | more than 8 years ago | (#15704062)

After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet.
Wait a minute, they actually disabled their security after they got hit with an attack??!? Someone tell me if I'm wrong about secure sockets layer being a security measure of sorts.

Re:Disabling security (1)

David_W (35680) | more than 8 years ago | (#15704246)

The department also temporarily disabled a technology known as secure sockets layer
Wait a minute, they actually disabled their security after they got hit with an attack??!?

I suspect that was poorly worded. What it probably meant to say was they disabled transfer of encrypted information over the internet, instead opting to just not transfer the information at all.

Re:Disabling security (2, Interesting)

aadvancedGIR (959466) | more than 8 years ago | (#15704256)

SSL is good news for you when you try to connect to your bank, but very bad ones when you don't know your machine has been changed into a server by a trojan.
I believe their target were the incoming SSL connexions.

stupid security (2, Insightful)

Exter-C (310390) | more than 8 years ago | (#15704073)

Any company or government department that has any internet exposed servers that hold critical or sensitive information must be soo stupid they deserve to be broken into. What ever happened to having separated internet from internal servers etc..

Re:stupid security (1)

Vengeance (46019) | more than 8 years ago | (#15704152)

The problem with government departments 'deserving' this is that it's MY government (albeit not run well, nor by folks I'm particularly proud of) and MY data and MY country that is being put at risk.

The department may well deserve a drubbing, but said drubbing probably shouldn't consist of their computers which I bought and paid for, being run as part of a botnet by Joe Pyongyang.

Cracking vs. Hacking (2, Insightful)

Anonymous Coward | more than 8 years ago | (#15704074)

This is a clear case of cracking, not hacking. Please tag this article as such, as if IT experts use the correct tems for activities, maybe the word "hacking" can be saved?

RMS or such other famous nerd: I'm a hacker
Justice, influenced by Fox: Off to Gitmo for you then, hacker means computer terrorist.

Re:Cracking vs. Hacking (3, Informative)

cshirky (9913) | more than 8 years ago | (#15704115)

This battle has been fought and lost. The term 'cracker' was a belated attempt to create a good witch/bad witch distinction after the press took a dim view of hacking, but it is totally artificial. To take but one example, Ken Thompson's seminal Reflections on Trusting Trust [acm.org] , spends some time moralizing (his word) about the 414 and Dalton gangs, saying "The acts performed by these kids are vandalism at best and probably trespass and theft at worst. It is only the inadequacy of the criminal code that saves the hackers from very serious prosecution." This is from the mid-80s, when breaking and entering was clearly described as hacking by one of the giants of the field. Hacking historically covered all forms of unapproved exploration of computer systems; in a more halcyon time, the gray area was wide, and the black area was not too black. Times have changed, but the fact that some hacking is now explicitly criminal, as Thompson predicted, does not make it not hacking.

Politics 101 (1)

djupedal (584558) | more than 8 years ago | (#15704174)

1.) Announce problem...place blame on shoulders of nearest competitor in need of demonizing
2.) Request new budget to deal with problem
3.) Call architect about new weekend home in the mountains...

I don't care if it is the local Highway Patrol or Congress, you can bet the only 'problem' these wonks always have is figuring a way to line their pockets.

China *LIKES* it this way... (0)

Anonymous Coward | more than 8 years ago | (#15704403)

From the article:

"Tracing the origin of such break-ins is difficult. But employees told AP the hackers appeared to hit computers especially hard at headquarters and inside the Bureau of East Asian and Pacific Affairs, which coordinates diplomacy in countries including China, the Koreas and Japan.

...snip...

But China also is home to a large number of insecure computers and networks that hackers in other countries could use to disguise their locations and launch attacks."


It would seem that China now has a vested interest in windows insecurity - due to botnets of rooted winboxes, their own efforts at computer warfare can easily be explained away in this manner...

But, but... it wasn't *us*!!!

Slashdot's irrational +5 insightful assumptions (0, Insightful)

Anonymous Coward | more than 8 years ago | (#15704572)

Can we at least have a 2-sided discussion here? I mean, for example:

Must we assume that whatever was compromised was an unpatched machine that was unusually vulnerable? Call me crazy, but 0-day exploits?

Must we, by the same reasoning, can we assume that it wasn't some fool-headed diplomat's lackey that opened "worldpeace.exe" hoping to save US/China relations?

Must we assume that the shutdown of SSL afterwards was a stupid move? What if the exploit involved services running SSL, or if the worm/virus/trojan/badthing used SSL to communicate?

Must we just go and flatly state that because a government entity can be hacked, we should never give them our information? If you want to use that logic, then I suggest you go ahead and move off the Internet entirely and go be an off-the-grid tinfoil hat wearer. You're assuming the government is *always* purposefully irresponsible with your data, and you're also assuming things listed above. Hey, keep reading, there will be time after this for people to post about the V.A. data exposure, so we can lump every gov. agency together with that mistake and be +X insightful.

And holy crap people...you gave "why do gov. computers have internet access" a +4 insightful? GET A GRIP. You know what? A better idea. Let us take away Internet access from every agency and company, and just watch that productivity skyrocket because they aren't getting hacked from the outside anymore. I'm sure the modern world can safely go back to doing business over the phone and through snail-mail.

Sometimes these discussions end up being rumor-driven, speculation-rewarded, techno-mob mentality flame fests. Way to be logical about it all folks and to think this through.

I'm not trying to go out of my way to defend the government here, but when it's such a one-sided argument, a rational Devil's Advocate has little choice.

This is why.... (2, Insightful)

SupremoMan (912191) | more than 8 years ago | (#15705254)

This is exactly why I am agianst allowing the government to implement OS level backdoor. They will simply lose the information on the backdoor to hackers and then no computer will be safe!
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?