
Govt. Report Slams FBI's Internal Network Security

CowboyNeal posted more than 6 years ago | from the uncle-sam's-open-doors dept.


An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately "identify and authenticate users to prevent unauthorized access." The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."


70 comments

fp (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#19266367)

first psot

Common Knowledge (5, Informative)

Anonymous Coward | more than 6 years ago | (#19266389)

I've worked in another agency in a related line of work. FBI security is a joke. Everyone knows it. An FBI agent's idea of "information security" is carrying a gun when he brings home Top Secret documents in his glove compartment. Their security flaws are a reason intelligence organizations are reluctant to cooperate.

"Trying since 2002" WHAT? (0)

Anonymous Coward | more than 6 years ago | (#19268851)

I heard that they cut funding to a couple of their security programs earlier this year. This is just another example of misplaced priorities. If you're in the industry this shouldn't come as a surprise.

Pipe Dream: what's the cost? (2, Informative)

cyberianpan (975767) | more than 6 years ago | (#19268919)

TFR

Specifically, FBI did not consistently
(1) configure network devices and services securely to prevent unauthorized insider access;
(2) identify and authenticate users to prevent unauthorized access;
(3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate;
(4) apply strong encryption techniques to protect sensitive data on its networks;
(5) log, audit, or monitor security-related events;
(6) protect the physical security of its network; and
(7) patch key servers and workstations in a timely manner.
Insider attack is always a risk; full solutions against it are 1) impossible and 2) infinitely costly (see 1).
I work in Financial Services a lot - these solutions aren't necessarily all implemented that strongly, the limitation is cost. Without seeing a costing plan for the above utopian remediation I'm not so sure it is needed. I'm not saying the FBI are necessarily good - just that the report language is too general/pipe dreamish to know.

Re:Common Knowledge (0)

Anonymous Coward | more than 6 years ago | (#19277607)

True story... I was told while at an FBI office in DC that they didn't need to encrypt their desktop computer data because if anybody tried to steal a hard drive they would just shoot them. Weak!

Holy Crap! (4, Funny)

Jeremiah Cornelius (137) | more than 6 years ago | (#19266395)

They run that Sh!tH*le like it's some cruddy Government institution, ferchrissake!

Re:Holy Crap! (3, Insightful)

Aoreias (721149) | more than 6 years ago | (#19266907)

Obviously not all the government is bad at computer security. Clearly the GAO had to know what 'right' is to be able to criticize the FBI for not having adequate security measures.

It's not that the government is filled with people that don't have a clue, but rather that the technically able people usually get frustrated by bureaucracy, politics, and poor management.

Re:Holy Crap! (1)

conureman (748753) | more than 6 years ago | (#19268893)

Well, I am SURE that SOME branch of our government is not being run by incompetent losers. The FBI ain't it.

Hold on There Cowboy (1)

mpapet (761907) | more than 6 years ago | (#19269455)

GAO had to know what 'right'

Keep in mind the audit and disclosure is probably politically motivated. Maybe the FBI wants a bigger IT budget? Maybe the head of another agency wants to discredit the FBI? I can tell you from experience, this is more likely rather than plain old incompetence.

The GAO looks like they are doing their job, but that's about it. Having set up NIST-compliant LANs and desktops, I promise you they are not _that_ secure. It's better than a default Windows desktop, but not remarkable. It's Windows after all.

Re:Holy Crap! (1)

Jeremiah Cornelius (137) | more than 6 years ago | (#19269977)

GAO doesn't "know" any better. They hire outside contractors - like SAIC - who do. The report is then issued under GAO covers.

Re:Holy Crap! (0)

Anonymous Coward | more than 6 years ago | (#19270541)

I heard about the work that the GAO did. The GAO uses a small cadre of technical experts who are all internal GAO staff to do this type of work. Due to the sensitivity of the network and the data involved, no contractors were allowed.

Windows ? (1, Funny)

linuxIsLife (1044762) | more than 6 years ago | (#19266437)

I think they use Windows OS on their servers...

Re:Windows ? (4, Interesting)

Architect_sasyr (938685) | more than 6 years ago | (#19266527)

All Windows bashing aside, does it matter? Internal network security could be lacking because, rather than installing and configuring sudo, half the team is given the root password to su with.

That said... I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)

A kopek to get in, a rouble to get out (2, Insightful)

Archtech (159117) | more than 6 years ago | (#19267437)

'I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)'

Carefully, though. You might end up penetrating Guantanamo.

Re:A kopek to get in, a rouble to get out (1, Funny)

Anonymous Coward | more than 6 years ago | (#19269773)

In Soviet (Russia|America), Guantanamo penetrates you!

Re:Windows ? (0)

Anonymous Coward | more than 6 years ago | (#19267705)

does it matter?

Let's see. How many more millions in yearly revenue will they gain from this failure? There's your answer.

You're not in the administration business, are you?

Re:Windows ? (1)

Architect_sasyr (938685) | more than 6 years ago | (#19287451)

Aside from responding to an AC... the parent post was taken out of context... the "does it matter" referred to *what* was vulnerable, not the fact that it WAS vulnerable.

Re:Windows ? keep your hat (0)

Anonymous Coward | more than 6 years ago | (#19267881)

All you have to do is turn a Yagi toward the local police station from a block or more away, hook into their wireless, then into their FBI connection, and have a look around.

Re:Windows ? (1, Funny)

Anonymous Coward | more than 6 years ago | (#19270435)

I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)

Nice pick-up line! Mind if I borrow it?

Re:Windows ? (4, Insightful)

Anonymous Coward | more than 6 years ago | (#19266657)

In most cases, yes.

However I doubt FBI security is as good as DISA (they handle information security for the military). They have a PKI (public key infrastructure) CAC (control access card) system for authenticating users wherever they go (logging into computers, opening doors, etc). Whether this is better than more traditional systems is another topic of debate, as very few people (as in, none of the users) really understand how PKI works.

At the absolute minimum the FBI needs at least some sort of two-factor authentication with an OTP (one time password) generator. Relying on Active Directory security with Windows passwords is an absolute joke, especially when you are reusing those passwords over and over in many different systems. Even if you aren't reusing passwords between systems, users won't remember 20 different case-sensitive passwords all containing 12 random characters each. Which is most likely why the FBI might not be using high security on their networks - the usability suffers in a big way.

They would really need to rebuild the IT infrastructure from the ground up with added security in mind. Everyone would need to be retrained on the use of PKI/OTP/2-factor-auth/etc and other DISA-like security used in more secure environments. Especially with a Windows platform these changes would be expensive... but the FBI has never had problems spending money on IT/software (*wink*) so I don't see what is holding them back.

Also notice the use of 10 million acronyms above... the FBI is getting NOTHING without adding at least 450 new acronyms to their vocabulary. That is government IT for you!

Re:Windows ? (5, Interesting)

Lord_Frederick (642312) | more than 6 years ago | (#19267785)

I've worked for private companies, local government and federal government. IT in some federal agencies is very scary.

CAC cards are used, but terminal servers and websites for teleworking still allow username/password.

Blackberries get CAC card readers for encrypted email, while flash drives and external hard drives are thrown into purses and bags.

Remote computers co-located at contractor facilities STILL store LM hashes and don't have the physical security of a DoD office.

EVERYONE writes down passwords because they have a dozen passwords to keep track of and each one is kept very similar to the next.

Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."

Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.

Don't even get me started on how the systems are managed. No folder redirection, no user storage on servers. Everyone stores their data on the local hard drive, and because they are local admins they put it anywhere. I've seen a guy storing his documents in c:\windows\system32.

Re:Windows ? (1)

BenEnglishAtHome (449670) | more than 6 years ago | (#19271065)

I can give you some insight into how much better things are here than your experiences have shown.

IT in some federal agencies is very scary.

Thank you for the qualifier "SOME federal agencies". Such may be the case, but not where I work - the IRS.

CAC cards are used, but terminal servers and websites for teleworking still allow username/password.

No access to our networks comes in from outside except via encrypted VPN. The phrase "website for teleworking" isn't in our vocabulary.

Blackberries get CAC card readers for encrypted email, while flash drives and external hard drives are thrown into purses and bags.

Where else would you carry your flash drives and external hard drives? All SBU (sensitive but unclassified) data on them, however, is required to be encrypted. The overwhelming majority of our users who are sophisticated enough to request external storage are complying with those requirements.

Remote computers co-located at contractor facilities STILL store LM hashes and don't have the physical security of a DoD office.

Any computer that a contractor needs to put on our network is bought by us and issued to that contractor. All the same security rules apply as to employees.

EVERYONE writes down passwords because they have a dozen passwords to keep track of and each one is kept very similar to the next.

Our security manual states that it's suboptimal to write down passwords but does not actually prohibit the practice. Many of our users wind up with far too many logins and passwords to keep track of (though we're working towards SSO) and writing them down is a reasonable way to deal with the situation. Typically, when I'm doing orientation for new employees or security training for old ones, I pull my wallet out of my pocket and show them a credit card. "See that number on there? That is, in effect, a password to my credit line. I don't mind the fact that it's written down. It's not a security risk for it to be written down. I simply have to make sure I never lose it." We do physical security checks and if anyone actually writes down passwords and leaves them, for example, under a keyboard, they get formally disciplined. People just don't do that kind of crap around here.

Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."

Guilty in the past, but not any more. It's been a long time since we took the easy way out on this one and looked the other way as our IT staff asked users for their passwords. That sort of thing is now completely foreign to our work practices. I don't doubt that some users could be compromised by a well considered social engineering attack, but that will always be the case. Their numbers are small enough to tolerate the risk.

Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.

Almost nobody is a local admin. If you're not a desktop support tech, you don't get that kind of access. There are no google toolbars, no IMs. In fact, one of our newly-hired people plugged in a USB key with some software utilities on it. It was detected by the network, his connection locked out, and an emergency security report issued. Within 10 minutes, a security analyst was on the phone with his boss and it was days before they got around to letting him back on the network after substantial disciplinary action had been completed.

Don't even get me started on how the systems are managed. No folder redirection, no user storage on servers. Everyone stores their data on the local hard drive, and because they are local admins they put it anywhere. I've seen a guy storing his documents in c:\windows\system32.

Everyone gets 500 MB on a server, more with a valid reason. Local file storage is allowed but default-limited to a small set of folders that are touched by a semi-automatic backup script.

If other agencies aren't working at least this well, then phooey on them. And, yes, sure, there are things that could be improved around here. But we do a pretty damn good job of keeping data safe from misuse or misappropriation, the network secure, and our people productive, all at the same time. As you make clear in your original post, some agencies are better than others. It's my impression that our practices are far more typical of government agencies than the sort of problems you list.

Determining which of our respective impressions is more correct is the function of oversight folks like the GAO. I wonder if they've ever issued a broad-based comparison of how well various agencies handle security matters?

Re:Windows ? (1)

smooth wombat (796938) | more than 6 years ago | (#19271723)

Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."

Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.

I work for state government and these two items take place where I work. When I moved to where I am now (higher position and pay), I found out those two things on my first day. My jaw hit the floor when I found this out.

Where I had been previously, another state agency, we, the administrators, NEVER asked anyone for their passwords and with the exception of those in IT and one or two in the Executive area, everyone was a general user. No admin privileges on their machines.

That didn't stop the occasional piece of crapware from being installed but it did stop people from trying to install other things.

I'm trying to combat the first item by telling people why I don't ask for their password but instead have them log in for me. That doesn't mean it still doesn't happen but at least they know why they shouldn't just give out their password.

Not all agencies... (1)

joedoc (441972) | more than 6 years ago | (#19273775)

I work for a federal agency as a contractor doing web application development. I worked for the Navy as a federal employee for 21 years before that, 13 in IT, eight at my last job as an IT officer. In my current environment, I see a dramatic difference in security, mostly because of the higher level of classification we have here. Some differences to what you state:

CAC cards are used, but terminal servers and websites for teleworking still allow username/password.

We use CAC cards for the unclass systems (on the NIPRNET). 95% of the work people do on computers here is on the SIPRNET, which requires no CAC card, but may in the future. No telework here. Hell, we can't even access our unclassified e-mail accounts using Outlook Web access anymore. For me, this is mostly a good thing.

Blackberries get CAC card readers for encrypted email, while flash drives and external hard drives are thrown into purses and bags.

Blackberries? Hell, I know of exactly three people in this organization that have them, and they're at the highest levels. They require them for very specific operational purposes. Here's what the rest of us have in regard to Blackberries, phones, flash drives and thumbdrives: NADA. No one is even permitted to bring any of the aforementioned items into the building. Ever. Doing so is a major security violation and could get a contractor like me canned in about an hour. This list also includes mp3 players, walkman-type devices, laptops, PDAs, radios, televisions, CDs/DVDs (audio, video and data), diskettes of any type, basically any item or device that can record, save, store or transmit any kind of electronic signal. A few months ago, someone in hardware support installed a new PC in the building where I work, and the PC had an active wireless adapter installed and transmitting. Security went nuts for an afternoon trying to track down the source of the signal, which was detected during a routine sweep. No one thought to look at this new PC stowed under someone's desk. This place is anal.

Remote computers co-located at contractor facilities STILL store LM hashes and don't have the physical security of a DoD office.

If our folks don't install it, it doesn't get used. This includes anything remote.

EVERYONE writes down passwords because they have a dozen passwords to keep track of and each one is kept very similar to the next. Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."

I've seen far less of this here, and they don't kid around with passwords. With the CAC, all you have to remember is a PIN which you put on the card, and it never expires (unless the card is updated). On the high side, we have to use long passwords (12-char minimum) with at least one upper case letter and one number and a change every 90 days. No reuse of a password until you've changed it 25 times. Although I'm sure some people do it, writing a password down is severely frowned upon. The support folks never ask for passwords...they don't have to. The sysadmins and customer service folks have good control and implementation of passwords and permissions, so any tech using a system will either have you log in (if an issue is with your account) or will log in with their own higher-access account.

Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.

Heh, I wish. We can do NOTHING on any workstation. App installations have to be requested through customer service and are frequently pushed from servers. The lockdown of these machines is more anal than anything I ever did at my last job, even on the NIPR/unclass side. The only way to get around some of these restrictions is to make friends with one of the guys in the Windows branch, and even then, he or she will have to come to you and fix or add what you want.

Don't even get me started on how the systems are managed. No folder redirection, no user storage on servers. Everyone stores their data on the local hard drive, and because they are local admins they put it anywhere. I've seen a guy storing his documents in c:\windows\system32.

At my last job, I discovered folder redirection in Windows AD and used it extensively. I set it up to have the user's "My Documents" folder point to a LAN drive folder. I pleaded with my users to put their stuff there, because it was regularly backed up. I warned that anything left on a local hard drive was subject to loss. I recall some years ago preparing to upgrade a set of PCs from NT to W2K. I chose to do clean installs, and sent out multiple emails over a week to the affected users. I warned them that anything on their local drives would be lost once I slicked the disk. Just to cover my ass, I had delivery and read receipts returned to me on each mail.

I worked on one guy's system one night. Scanned the hard disk quickly just in case, saw nothing. Format, install, configure. The next day, he's in front of my boss, claiming that I deleted a folder full of employee evaluations he had on that system. I caught wind of his meeting, and when my boss called me up, I had printouts of the e-mails and receipts in my hand. I win, he loses. This was so typical a problem, I finally made people read and sign an IT policy document when I briefed them on arrival to the organization. Covering one's ass is almost as important as implementing security policy.

This folder redirection was in addition to the departmental space I gave them on the servers. Gigs and gigs of space, with nightly backups and fast connections...and they still dumped shit on their hard disks.

I've seen criticisms of other agencies, including ones I've worked for, that were similar to what the FBI is going through now. As the IRS guy stated in another post, how well this stuff is implemented varies widely from agency to agency. In my current case, the sensitivity of the information is far too great to take any of that for granted. But, we're small and nimble here, something the FBI hasn't been in a long time.
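The password rules the poster describes for the high side (12-character minimum, an upper-case letter and a digit, a change every 90 days, no reuse until 25 changes) are concrete enough to encode. The following is an added example, not the agency's code, and the password values, dates and the reduced PBKDF2 round count are constructed for illustration; it keeps the history as salted hashes so the reuse check never stores old passwords in clear.

```python
"""Password-policy check built from the rules described in the post above.

Added example (not the agency's own code). Rules enforced:
  - 12-character minimum, at least one upper-case letter and one digit
  - a forced change every 90 days
  - no reuse of a password until it has been changed 25 times
Old passwords are kept only as salted PBKDF2 digests, so the history is not
itself a list of secrets.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 12          # "12-char minimum"
MAX_AGE_DAYS = 90        # "a change every 90 days"
HISTORY_DEPTH = 25       # "no reuse ... until you've changed it 25 times"
PBKDF2_ROUNDS = 10_000   # kept low so the example runs quickly; raise it in production


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (used only for history comparison)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_problems(password: str) -> list:
    """Return the complexity rules the candidate violates (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


class AccountPasswordState:
    """Per-account password history plus the date of the last change."""

    def __init__(self):
        self._history = []        # (salt, digest) pairs, oldest first
        self.last_changed = None  # date of the most recent successful change

    def reused_recently(self, candidate: str) -> bool:
        """True if the candidate matches any of the last HISTORY_DEPTH passwords."""
        for salt, digest in self._history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_digest(candidate, salt), digest):
                return True
        return False

    def is_expired(self, today: date) -> bool:
        """An account with no password set, or one older than MAX_AGE_DAYS, must change."""
        if self.last_changed is None:
            return True
        return (today - self.last_changed) > timedelta(days=MAX_AGE_DAYS)

    def change_password(self, candidate: str, today: date) -> list:
        """Apply the policy. On success record the change and return [];
        otherwise return the violated rules and leave the state untouched."""
        problems = complexity_problems(candidate)
        if self.reused_recently(candidate):
            problems.append(f"reused within the last {HISTORY_DEPTH} changes")
        if problems:
            return problems
        salt = os.urandom(16)
        self._history.append((salt, _digest(candidate, salt)))
        self.last_changed = today
        return []


if __name__ == "__main__":
    # Constructed walk-through: set a password, try to reuse it, then check expiry.
    state = AccountPasswordState()
    print(state.change_password("Correct-Horse-7", date(2007, 5, 24)))  # []
    print(state.change_password("Correct-Horse-7", date(2007, 5, 25)))  # reuse rejected
    print(state.is_expired(date(2007, 9, 1)))                           # True, > 90 days
```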

Re:Windows ? (1)

A non-mouse Coward (1103675) | more than 6 years ago | (#19274845)

It's stories like this and the FISMA scores that push me to contend that the Financial Vertical is still on top of the security pyramid. It mostly has to do with being able to quantify and measure risk.

"To measure is to know."

"If you can not measure it, you can not improve it."

-Lord Kelvin [zapatopi.net]

Re:Windows ? (1)

MMC Monster (602931) | more than 6 years ago | (#19269173)

I always wondered why text-based passwords are still being used on high-speed networks.

How about this: When a person gets an ID for one of these systems, they have to submit a series of 20 personal photos. Every time they log in, the system puts up five of the pictures. The user has to sort them by date taken to successfully log in.

Re:Windows ? (1)

pedalman (958492) | more than 6 years ago | (#19269569)

Every time they log in, the system puts up five of the pictures. The user has to sort them by date taken to successfully log in.
Yeah, it would be just our luck that when these photos are taken, the camera will put the timestamp in the lower-right corner of each one. That'll really complicate things and thwart suspicious activity. ;)

Obligatory... (4, Funny)

Anonymous Coward | more than 6 years ago | (#19266553)

Unpatched they may be, but when they come bursting through your door, you'd sure-as-hell better welcome them as your new digital overlords...

Perhaps they are unpatched due to a misunderstanding with the RIAA when they agreed not to be pirates?

Reviewed? (3, Insightful)

palemantle (1007299) | more than 6 years ago | (#19266725)

From TFA: "The bureau, which had the opportunity to review the GAO's findings before publication" ...

I wonder what "review" means in this context? Read through? Edit? Sanitize?

Re:Reviewed? (0)

Anonymous Coward | more than 6 years ago | (#19267459)

It means Gao!
Gao~
Gao!?
Gao~!

Government oversight reports for the uninitiated (1)

BenEnglishAtHome (449670) | more than 6 years ago | (#19270577)

GAO and IG reports to/on U.S. federal agencies are shared with the agency first. Typically, the agency writes a short response (generally along the lines of "A, B, and C were cited as problems. At the time of the review: A was being revised and is now fixed; the methodology used to find problems in B was faulty and we refute the finding; C was a valid problem and we've formed a committee to find solutions.") that's normally added to the report as an addendum before it goes to final publishing. Only in rare cases is the agency not allowed to have a couple of pages at the back of the report to defend itself; that's a good sign of political shenanigans. In even rarer cases, if the agency points out grievous errors in the report, the GAO or IG authoring the report will go back and re-write. The authors of the report don't want to look stupid, so if the agency manages to catch them in a dumb mistake, they'll either fix it in the main body of the report or (I've seen this a couple of times) tack on an extra, typically single-paragraph appendix that replies to the agency reply.

Who needs good prevention... (4, Interesting)

SharpFang (651121) | more than 6 years ago | (#19266813)

Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?
After all, crime fighting stats don't rise for not catching those who didn't manage to break the law because it was too difficult.

Good thinking, Sherlock. (2, Funny)

twitter (104583) | more than 6 years ago | (#19267211)

Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?

Well, it might be nice if you want to ACTUALLY CATCH THEM! How are you supposed to do that when they overwrite your files?

Oh, I see, you don't care if the arrested is actually guilty. I'll be quiet now. Forget I said anything. You guys are doing great, keep up the good work and help yourself to some real Wow software or something. Bye.

FBI's Internal Network Security Problem (1)

Hope M. (1106489) | more than 6 years ago | (#19267203)

This could not be possible because the FBI is one of the government's largest agencies; if it is true, the situation should be reversed and the funding for security should be studied further. This should be the case for the government to provide better security for the homeland, but how can it be if even the agencies are lacking it...

Re: FBI's Internal Network Security Problem (-1, Troll)

Anonymous Coward | more than 6 years ago | (#19267281)

If your government wanted to provide safety and security it would step down and hand all the power to the democratic party.

Re: FBI's Internal Network Security Problem (0)

Anonymous Coward | more than 6 years ago | (#19267439)

I've read your post (and posting history--both of 'em) trying to understand your message. You are clearly new here, and I'd suggest that you think about what you're typing and how it'll sound to a jaded slashdotter (if you care about being moderated up, that is...). Do you really believe that the size of an agency has any correlation with the security practices they employ? Remember, these are all headed up by political appointees with next-to-zero knowledge of their own IT shops. Good luck in the future making your points!

I can already see the next /. on this story (3, Funny)

Nappa48 (1041188) | more than 6 years ago | (#19267405)

[blah bla] writes to inform us that the Government Accountability Office was attacked earlier today.
Nobody knows who did the attack, but the FBI said it was a swift and tactical raid, everyone dead, and one bin on fire with what appears to be a report from the remains; the title read FB... nal.. ty, that's all that could be read at the time.

Fallacy when dealing with government IT security (2, Insightful)

Opportunist (166417) | more than 6 years ago | (#19267923)

IT-Security is not handled by the technical department when it comes to the feds. It's handled by the legal department.

Then again, that's how many companies deal with it, too. Don't you dare to steal, or we sue you into oblivion.

The fallacy about that is that you first of all have to find the culprit. Or, rather, you first of all have to find out that something went missing. The problem about data theft is that you don't immediately notice it. It's not like your door is broken down and your belongings searched, with your family heirlooms missing. All your data is still there, and you won't even know someone went through your stuff before it's too late.

And those people should be trusted with my information?

Re:Fallacy when dealing with government IT securit (2, Insightful)

brennz (715237) | more than 6 years ago | (#19268753)

This is incorrect.

The FBI, like all other government agencies, has a CIO with an office of security under him responsible for securing their IT systems.

http://www.fbi.gov/hq/ocio/ocio_home.htm [fbi.gov]

Re:Fallacy when dealing with government IT securit (1)

Opportunist (166417) | more than 6 years ago | (#19269001)

Yes, of course such a thing exists. But generally, my experience is that IT security is handled through legal rather than technical means.

FBI Blames Broken DB for FBI Breaking Laws (2, Informative)

Doc Ruby (173196) | more than 6 years ago | (#19268021)

The FBI has blamed its blatant long-term abuse [techdirt.com] of the Bush privacy-invasion toy "National Security Letters" on its broken database.

Since, as usual, no one at Bush's FBI has suffered after disclosure of this destructive abuse, the excuse will of course multiply in popularity.

Funny how Bush Gang "mistakes" always seem to benefit Bush, though his gang claims it's all just accident and happenstance. Random distributions that always favor Bush must be "miracles".

Good old FBI (4, Insightful)

MikeRT (947531) | more than 6 years ago | (#19268083)

Things like this bring to mind my dad's grumbling about them. He was a Customs special agent, and used to grumble about how the FBI spent more of its time posing in front of the camera as though it were the hottest shit in the federal law enforcement world, than doing good casework. The FBI are camera hounds compared to the other agencies. They are a highly dysfunctional agency, and 9-11 proved that. Three of their offices noticed serious warning signs about Islamic activity in the US, but didn't work together because of rivalry and turf. Sounds more like a group of federalized local cops if you ask me...

This comes not long after the FBI blew $500M on a series of hardware and software upgrades. Is anyone surprised that this agency can't get its act together by now?

Re:BAd old FBI (1)

hesaigo999ca (786966) | more than 6 years ago | (#19268745)

If you are aware, I believe to continue your claim, they spent a BIG WASTEFUL sum of money developing this supposed NEW tcp/ip filtering technology called CARNIVORE; hence it to say, after all the spending, they ended up scrapping the idea, and started all over with a new APP, which, guess what, also needed the same amount of funding......

Then you wonder where all our money goes to when they say we have to increase our taxes due to lack of money for our federal budget.

When did the name change? (1)

BCW2 (168187) | more than 6 years ago | (#19268125)

The GAO has always been the "General Accounting Office" and works for Congress. Similar in function to the "Inspector General" in the military: investigate problems and report to superiors with evidence.

Good. Government transparency is great. (2, Insightful)

dj42 (765300) | more than 6 years ago | (#19268399)

We need more gov't transparency. Appointing stooges to the DOJ to fire the noncompliant, limiting free speech, obfuscating information to journalists, and distrusting the American public to the point of borderline treason; I would hope that somewhere, somehow, eventually true, honest, and open people get hold of information that will shed light on the gov't actions of the last 6 years. /Woops... *removes tin foil hat, jumps in the ocean, swims, far*.

Really? (0)

Anonymous Coward | more than 6 years ago | (#19268527)

To be gratuitously paranoid for the moment, do announcements like this make anyone suspicious? As in, purposely leaking "our security is teh s uck" reports to lure in a few daring souls who don't know any better, and who are then easily busted trying to crack a system that isn't all that teh s uck after all. They then get to lock up another round of curious script kiddies, which looks great on paper and shows the higher-ups how clever they are and why they need more funding to be even more clever in future. Like traffic cops setting up extra hidden speed traps at quota time.

The FBI is computer-challenged (2, Insightful)

grandpa-geek (981017) | more than 6 years ago | (#19269221)

The fact that the FBI is computer-challenged has been known for years. It goes well beyond information security.

When the police were investigating the DC area sniper case, the FBI brought in a computer system to help coordinate the leads. They wound up having everybody looking for a "white box truck", while there was an overlooked report about a blue Chevy. The snipers' vehicle turned out to be the blue Chevy. IIRC, the FBI's computer system didn't help much in actually catching the snipers.

Some years ago the chief of FBI information security turned out to be a spy for the Soviet Union. There wasn't anyone at the FBI who knew enough about computers or information security to realize that he was compromising them.

A major FBI system development was one of the huge systems canceled in the 1990's because it wasn't properly managed and became impossible to complete.

I suppose geeks don't fit the image the FBI wants for its people. Computer-illiterates do. That's the way things go there.

EU Credit Card & Flight Data Stolen? (0, Troll)

Anonymous Coward | more than 6 years ago | (#19269477)

And these guys are getting full access to our credit card data, credit histories, purchase histories and flight data. -- I don't think the EU realizes what kind of security risks they are subjecting their own (more affluent) citizens to by giving the USA full access to all this data when clearly they don't give proper consideration to its security. There is ample opportunity for spying and illicit uses, and where there is opportunity, there is also traditionally abuse.

Americans need to give EU data on their own citizens in return. This one sided "pulling of our pants down" is not OK.

Yeah well, you know how it goes, theory X mgmt (2, Insightful)

br0d (765028) | more than 6 years ago | (#19270753)

No stock price to piss off shareholders, who beat up on a board of directors. No CEO for them to beat on, so he can then beat up on his CIO, who then beats up on directors who beat up on team leads, who work hard to create tight solutions. Money is generally a better motivator than standards compliance.

FBI IT Restructuring Problems (2, Interesting)

PPH (736903) | more than 6 years ago | (#19273051)

The stories about the FBI's ongoing IT restructuring troubles have been covered extensively in the industry news over the past few years. Having been involved in similar work for another (in)famous gov't agency, the problems look all too familiar.

Some years ago, the FAA began a restructuring effort in order to modernize its infrastructure and get rid of unmaintainable, decades-old equipment. Each time they put a set of requirements out for bid and selected a vendor, lawsuits and political lobbying ensued. The FAA's systems are a big (and lucrative) enough target for every two-bit vendor with political connections that no selection of Vendor A over Vendor B was allowed to stand without the losing party either taking the decision to court or creating trouble in various congressional appropriations committees. Worse yet, suggestions that they (the FAA) build something in-house were answered with threats from industry lobbyists to get their funding cut so severely that they would barely have the money for normal operations.

The FBI is in a similar position. Particularly following 9/11 and the subsequent application of practically unlimited anti-terrorism funds, the vultures are circling. Having read some of the articles relating to the FBI's troubles, many of the players look to be the same ones that suckled on the FAA's tit for years.

Hi! (0)

Anonymous Coward | more than 6 years ago | (#19273125)

I'm typing this post from a hacked FBI computer.

See ya.

No wonder they hate encryption (0)

Anonymous Coward | more than 6 years ago | (#19274653)

They don't have time to secure their own networks, much less crack encryption on seized evidence.

http://shorterlink.org/2405 [shorterlink.org]

Methinks it's time to download TrueCrypt.

Too General (0)

Anonymous Coward | more than 6 years ago | (#19275181)

I work on a daily basis on various FBI networks. I've read the GAO report from cover to cover and find it really vague. Within the FBI there are several network infrastructures that support different programs at different levels of security. The higher the level of security and the more widespread the network is, the more levels of authentication are required for physical and electronic access to the space. Don't get me wrong, the FBI is way behind the curve, but the days of running Win98 and using 56k leased lines for backbone network connections are a thing of the past.

More Tsars! (1)

bill_mcgonigle (4333) | more than 6 years ago | (#19294773)

I'm half kidding, with the way we're restructuring our government to resemble 19th century Russia, but there is knowledge of how to do secure networks in other TLA agencies. Think XML bridges instead of routers.

It seems a shame to re-invent the wheel for the FBI. I thought Jamie Gorelick's wall was properly and completely smashed post 9/11?

You'd think they could have one of the boys from Virginia over for lunch for a proper "you frikkin' idiots"-ing. Note: I expect that there are plenty of line techs who get this - the conversation would need to take place on the top floor, not in Mulder's office.