Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Unisys Investigated For Covering Up Cyber-Attacks

kdawson posted about 7 years ago | from the whadda-ya-know-a-trojan dept.

Security 114

Stony Stevenson writes "Unisys, a major government IT contractor, is reportedly being investigated for failing to detect cyber-attacks, and then covering up its failings. Two US congressmen have called for an investigation into cyber-attacks aimed at the Department of Homeland Security, along with a contractor (that would be Unisys) charged with securing those networks. 'The House Committee on Homeland Security's investigations led them to believe the department is under attack by foreign powers, and could be at risk because of "incompetent and possibly illegal activity" by a US contractor. The congressmen didn't name the contractor in the letter. However, the Washington Post on Monday reported that the FBI is investigating Unisys, a major information technology firm with a $1.7 billion Department of Homeland Security contract, for allegedly failing to detect cyber break-ins traced to a Chinese-language Web site and then trying to cover up its deficiencies.'" Unisys denies it all.

cancel ×


Sorry! There are no comments related to the filter you selected.

Typical unisys (0, Troll)

suckmysav (763172) | about 7 years ago | (#20739663)

Unisys probably outsourced their techs to india. Unisys are just another tech dinosaur that never made it out of the seventies.

Re:Typical unisys (2, Insightful)

chuckymonkey (1059244) | about 7 years ago | (#20739905)

I highly doubt that. As with most government contracts you have to have a clearance to actually work on it, something not easily obtained by a lot of U.S. Citizens much less someone from a country that we really don't trust all that much. So I'm fairly certain that most of the people involved with the program are U.S. Citizens born and bred or at least naturalized from another trusted nation i.e. Great Britain, Canada, Australia.

Re:Typical unisys (2, Insightful)

Opportunist (166417) | about 7 years ago | (#20739979)

And that means what, exactly? That they adhere to some law which was passed with the intention to generate security and is circumvented with the intention to generate revenue.

For reference, see SOX.

Re:Typical unisys (0)

Anonymous Coward | about 7 years ago | (#20741275)

see SOX.

Circumventing sarbox has the intention of pretending to generate revenue.

And in any case... (3, Informative)

BrokenHalo (565198) | about 7 years ago | (#20741473)

Unisys are just another tech dinosaur that never made it out of the seventies.

FWIW, Unisys didn't exist in the seventies. I was there. I worked on both types of kit (in those days you either went with the herd and learned to use IBM, or you learned to be versatile).

IIRC it came about via the merging of Burroughs and Sperry/UNIVAC in about 1986 (in fact, to be specific, I think Burroughs swallowed Sperry).

Re:And in any case... (1)

sjames (1099) | about 7 years ago | (#20749071)

IIRC it came about via the merging of Burroughs and Sperry/UNIVAC in about 1986 (in fact, to be specific, I think Burroughs swallowed Sperry).

Two Dinosaurs mating will not produce a mammal.

Re:Typical unisys (4, Interesting)

El Torico (732160) | about 7 years ago | (#20740175)

As with most government contracts you have to have a clearance to actually work on it, something not easily obtained by a lot of U.S. Citizens...

This is a big part of the problem. The vast majority of Government Contractors are only marginally qualified and got their jobs by having the clearance, not by being technically proficient. This is known as "warm bodies" syndrome since many contracts pay per position filled. Getting a clearance can take years, depending on the level, and usually takes months, so this is a high barrier to entry and keeps a lot of smart people out.

There are many very capable and well-qualified people in Government Contracting, but they are a minority. Of course, Management, being what it is, doesn't want to give bad news to a customer, so sometimes they "muddy the waters".

Re:Typical unisys (1)

chuckymonkey (1059244) | about 7 years ago | (#20740351)

You'll notice that I didn't make any mention of the qualifications of those people. I agree with you very through and through. I was just stating that the people involved in that contract were most likely not offshore.

Re:Typical unisys (0)

Opportunist (166417) | about 7 years ago | (#20740447)

And how hard would it be to ship it offshore without the government noticing it? Create a branch in India, hire people and have them work officially for a totally unrelated project while actually using them to work on the highly secure, top secret thingamajig.

Don't tell me it can't be so.

Re:Typical unisys (3, Informative)

chuckymonkey (1059244) | about 7 years ago | (#20740501)

Let's just say I have insight into the subject and it would be extremely difficult to do. Heavy auditing, random inspections, random pen testing, and many many myriad things would get in the way of that. Also most networks in govt. are totally segregated (reference air-gap) from the rest of the world, so with anything actually sensitive it would be completely impossible. I know that you're going to scoff at that statement, but trust me when I say that the cost of offshoring anything like that would be extremely expensive not to mention illegal and when dealing with govt. contracts you play by their rules. They are very lucrative contracts and one violation can lose the entire thing, so it really isn't in a company's best interest to even try it with govt. contracts the risk vs. reward is much to great.

Re:Typical unisys (2)

Otto95 (1099755) | about 7 years ago | (#20741549)

That's bogus generalization. I've worked for several contractors including Unisys and I can tell you that while it is true that obtaining a clearance is a hurdle, the increase in pay you get with a clearance makes it worth the effort. Also, how do you think people get a clearance to begin with? Someone like Unisys sponsors them. Of course, if you're already cleared you're a more attractive candidate, but it is totally false to say that contractors only hire people on the basis of their clearance rather than their technical proficiency. If anything, people who are technically proficient are attracted to government contracting because the work is really interesting and the pay is better than you can expect to make as a government employee or in the commercial world. The problem with Unisys is that they treat their people like garbage, so anyone who is smart goes to work for another contractor. You're right to say they adhere to the "warm bodies" syndrome, but wrong to assert that all contractors do that. True IT services firms like Booz Allen, KPMG, CACI, do not.

Re:Typical unisys (1)

tkstock (1117923) | about 7 years ago | (#20741861)

My boss always said, "If you have a clearance and can spell C plus plus, you can get a job in the government IT industry..."

Re:Typical unisys (1)

TooMuchToDo (882796) | about 7 years ago | (#20749507)

Can anyone just go out and apply for a clearance? Or do you have to be sponsored by a company? Sounds like it would be a nice feature on a resume.

Re:Typical unisys (3, Interesting)

thejynxed (831517) | about 7 years ago | (#20740581)

Actually, Unisys hires through temp agencies and the temps only have to pass an FBI background check.

I know this, because I worked for IBM in a government data center at the time. We handled the big iron (oddly enough, including some machines from Sun and some ancient AS/400s) and the Unisys flunkies did operations and tape library stuff (cartridge and reel to reel). DOT, IRS, etc stuff. Believe it or not, they had PCs in there running Win95 and NT4 with no egress filtering to the internet... There were quite a few Ukrainians, Chinese, Russian and Estonian employees working there for Unisys. Over in the other room Lockheed Martin had their stuff running. No one but U.S. citizens allowed in there, and no outside internet access. I pitied the network admins (not really).

Re:Typical unisys (1)

chuckymonkey (1059244) | about 7 years ago | (#20740609)

Heh, I love my job. =P Just sayin.

Re:Typical unisys (1)

Otto95 (1099755) | about 7 years ago | (#20741661)

Contracts dictate what level of clearance contracting staff must possess. So if you worked on a contract with foreign nationals who only possessed FBI background checks, it's because the government specified that's all that was necessary. So Unisys hiring practices (along with all other contracting companies) vary from contract to contract.

Re:Typical unisys (1)

sammy baby (14909) | about 7 years ago | (#20743189)

Actually, Unisys hires through temp agencies and the temps only have to pass an FBI background check.

Sometimes yes, sometimes no. I'm a former full-time employee of Unisys, and used to do pre-sales architecture and systems engineering for them. On one particular contract we worked on, there were a couple of us full-timers to do architecture, another to handle the PM angle, several short-timers to do write code and DBA work, and a couple of outsourced coders.

Also, a PM outsourced from our Indian contractor. That was weird.

Re:Typical unisys (0)

Anonymous Coward | about 7 years ago | (#20740787)

Is this the same UniSys that makes some half-assed software for press production that spews out xml parsing errors every now and then at convienient times because it's Adobe Indesign/Incopy plugin implementation is funny? Or am I missing something?

Re:Typical unisys (1, Funny)

imr (106517) | about 7 years ago | (#20740997)

or at least naturalized from another trusted nation i.e. Great Britain, Canada, Australia.
I fart in your general direction !

Re:Typical unisys (3, Informative)

eudaemon (320983) | about 7 years ago | (#20745001)

More to the point, when companies lose contracts they lose to them to a small
circle of competitors and those competitors rehire most of the people who were on the contract.
In fact that is so common you usually take your tenure / seniority with you to the
next company. When a contract changes hands, it really means the management layer
and the interface between management and the government is being changed. Workers
by and large keep their jobs.

Re:Typical unisys (1)

MrZaius (321037) | about 7 years ago | (#20740651)

Shame I'm out of mod points. (Hint: Overrated)

How did "never made it out of the seventies" and "probably outsourced... to india" make it into the same post? Might I recommend you read and/or watch The Commanding Heights by Daniel Yergin? []

hmmmm (1)

Antiocheian (859870) | about 7 years ago | (#20741165)

``Unisys probably outsourced...,,

Did you take some time before speculating? Because it's obvious you don't even know the basics:

``just another tech dinosaur that never made it out of the seventies,,

Unisys was formed in 86. As always, the least one can do before posting on Slashdot is to glance at []

Re:Typical unisys (1)

stuntpope (19736) | about 7 years ago | (#20741923)

No, you're wrong. And these days, Unisys' business is far more service oriented, rather than providing 1970's dinosaur technology. And the services are in line with (competitive with) the services other contractors provide.

Out-of-country non-nationals are not about to be supporting contracts to DoD or DHS that require security clearances.

Re:Typical unisys (1)

mrops (927562) | about 7 years ago | (#20746335)

"Unisys probably outsourced their techs to India. "

I know this was meant as a joke, but just like all blond jokes annoy blonds, this annoys me, why, cause I'm an Indian. Further, I have been competing quite well against the best and the brightest US of A has to offer. There are a significant number of Indians in the silicon valley. Further, those crappy tech support are crappy not because they are in India, but because Corporate American Enterprises owning them want them that way, simply its cheap. hires Bachelor of History graduates to do tech support after a couple of weeks crash course in English accent, support and tech. Hence your get what you get when you call them.

Here is a humorous incident that took place some time back,
Traveling to US two years back, this petrol station clerk asked me where I was from, I said Canada, he said, "thats somewhere in New York, right!". Now lets say this guy is sitting at tech support in US and a European calls him!

One Million Dollars. (2, Funny)

Gary W. Longsine (124661) | about 7 years ago | (#20739691)

Dr. Evil: Here's the plan. We get the warhead, and we hold the Department of Homeland Security ransomed for.....One MILLION DOLLARS!!

No.2: Ahem...well, don't you think we should maybe ask for *more* than a million dollars? I mean, a million dollars isn't exactly a lot of money these days. Unisys alone makes over one million dollars a year!

Dr. Evil: Really?

No.2: Mm-hmm.

Dr. Evil: That's a number. Okay then. We hold the Department of Homeland Security ransom for.....One Point Seven BILLION DOLLARS!!

Re:One Million Dollars. (1)

sammy baby (14909) | about 7 years ago | (#20743111)

No.2: Ahem...well, don't you think we should maybe ask for *more* than a million dollars? I mean, a million dollars isn't exactly a lot of money these days. Unisys alone makes over one million dollars a year!

Have you seen Unisys' quarterly reports recently? I'm not quite sure that's the case.

(joking. They still make a ton of money. Just not as much as they need to support themselves.)

oh... (1)

cosmocain (1060326) | about 7 years ago | (#20739693)

...those nice and jolly GIF-Patent folks? i really do love'em!

Re:oh... (0)

Anonymous Coward | about 7 years ago | (#20739757)

I hate them both, unisys and dhs, hard to say which one more...

Here's for hoping they rip each other to pieces.

Re:oh... (1)

witte (681163) | about 7 years ago | (#20740877)

Don't forget who gets to pay for it with his tax dollars if dhs burns cash on this.

Re:oh... (0)

Anonymous Coward | about 7 years ago | (#20750859)

yeeeeessssss....i concur.

What really happened (0)

rs79 (71822) | about 7 years ago | (#20740061)

Translation: some wonk at DHS caught an MSN IM virus from a chick on a dating site.

Hey DHS, look for servicer.exe in the registry. Put a semi colon in front of the key. I'll sent you a bill. With lots of zeros.

Re:What really happened (0)

ZeroExistenZ (721849) | about 7 years ago | (#20740801)

Sounds like you're an "experience-expert" :)

Re:What really happened (1)

rs79 (71822) | about 7 years ago | (#20741215)

No, my 13 year old fixed my 15 year olds computer. I just watched.

If I could get her to lie about her age I swear I'd rent her out as a consultant. She can evrn make the VCR stop flashing 12.

Come to think of it I'll paypal anybody $5 who can show me a picture of a vcr flashing 12 inside Unisys.

Incompetence on both ends (2, Interesting)

Ekhymosis (949557) | about 7 years ago | (#20739735)

This is incompetence on both ends, really. Security is not something that only the contractor has to worry about, its something the users also have to worry about. The government should freaking train their employees and get them to pass classes of security, especially in the DHS. If you don't pass, your pay gets docked or whatever. The NIST has some damn good guidelines for securing XP boxen, so I don't understand why they don't implement those policies (they are free, right???) and train their personnel to use them.

Yes, Unisys may have screwed up, but then again, its all about the better mousetrap and all...

Re:Incompetence on both ends (2, Informative)

rindeee (530084) | about 7 years ago | (#20739769)

Don't know about DHS, but DoD requires this annually. Don't finish it, bad things happen. It's not the greatest training, but it's 'okay' and repeating it annually drives it home. The problem is that many of the breaches are not in fact the fault of (or involving) end-users. Rather, they can be traced back to poor perimeter security, lack of patching, etc...all responsibility of admin types.

Re:Incompetence on both ends (1)

tacarat (696339) | about 7 years ago | (#20739853)

The problem is that many of the breaches are not in fact the fault of (or involving) end-users.

1/2 right, 1/2 wrong. The biggest problem with most IT departments is that end users are treated as customers rather than sources of security risks and unnecessary work. Computer usage is viewed as a right rather than a revokable resource. If they didn't have to kiss asses (especially of those higher up in the food chain) many problems wouldn't occur. There would be less people with admin rights to their boxes, less unapproved software installed and less general screwing around on the internet. But no. Let people think their work boxes are for doing everything they ought to be saving for home (even porn surfing and gaming). I'd say it's a safe bet that somebody went and downloaded a trojan by surfing sites they shouldn't have been at.

I'm not saying that a few of the attacks weren't targeted infiltration successes by hackers. I think it's just as likely that some boxes got owned and then were later discovered to be important later on.

Re:Incompetence on both ends (1)

Catmoves (1136147) | about 7 years ago | (#20746989)

Curious here. Apparently you're employed by DoD? You stated that "bad things happen" in your post. Do you know, first hand, of any DoD firings because of this lack of action?

Re:Incompetence on both ends (2, Insightful)

Opportunist (166417) | about 7 years ago | (#20740011)

Security first and foremost is not a product you buy. Security is a process or procedure you develop and stick to, review constantly and readjust to match the requirements of an ever changing "market" of threats. And as long as neither companies nor governments realize that (let's not even get to the users, they can only stick to the policy created, even if they knew better), no security will be seen.

Security is actually the quest for the better mousetrap. The problem is, as soon as you have it, you get to face the better mouse and the race is on again.

Re:Incompetence on both ends (1)

jofny (540291) | about 7 years ago | (#20742331)

What does this have to do with the article? The issue isn't a lack of security really that's at issue. a) Managed Security Services never find really bad stuff except by accident b)The Chinese are in and out of our entire government largely at-will (it always takes them months or longer to detect the intrusions and exfiltration c) MSSP's -always- have clients that dispute their installation process and billing. Given these, UNISYS really is no worse off than anyone else in the industry and the conversation seems typical.

The only really interesting thing here is whether or not they actually found something and intentionally covered it up or, if as is common, they found something interesting, couldnt validate it, and let it fall through for lack of anything particularly actionably within the bounds of their SLA's

Re:Incompetence on both ends (1)

Opportunist (166417) | about 7 years ago | (#20742537)

Unisys is probably not worse than the rest, but, honestly, is that the way it should be? "I'm not worse than the rest, so why try harder?"

What I blame is the way contracts are. A contract specifies what is to be done, and a company will do that, to the point, and not an inch more. There is some regulation, written more than a year ago (in security terms, somewhere in antediluvian times), and that regulation is upheld. Why or for what, nobody cares.

And unless that attitude towards security, or any procedure, in bureaucracy changes, nothing will essentially change. That's what this has to do with the article or the problem at hand in general: Some security rules or procedures are drafted and never reviewed. They exist, set in stone, 'til the end of times or the moment something can't be covered up anymore, whatever comes first. Then we get another set of rules carved into some slabs, which will exist for another eternity or until...

So yes, Unisys might not have done anything "wrong" by the letter of the law, or their contract. The point is, though, that appearantly nobody cared to review whether what they're supposed to do is even having any positive impact in security altogether.

Re:Incompetence on both ends (1)

jofny (540291) | about 7 years ago | (#20742747)

Right. But all of that is essentially old news and oft covered here. In fact, it's such conventional wisdom that long after it IS fixed, youll still hear people saying it on Slashdot. The NEW information - which is what makes this more than yet-another-article-about-the-same-old-crap is the alleged -intentional- deception and that they're being criminally investigated for it (vs dealing with it withing the scope of contractual control)

Some security rules or procedures are drafted and never reviewed.

Except that wasn't the problem in this case. No one has alleged that UNISYS wasn't aware of security rules or procedures - they're very much aware of them - and DHS internally has regular, required, security training.

Re:Incompetence on both ends - Gov't BS (3, Insightful)

Anonymous Coward | about 7 years ago | (#20741447)

Anyone that has worked inside government IT whether directly or as a contractor will know that this is government politics at play. There are exceptions, but most highly skilled and trained system administrators are going where the money is, and it's not working as a gov't employee. I know. A gov't IT department may have policies and procedures up the wazoo, but at the same time no budget or authority to ensure compliance. Exception is the rule in gov't. Here's an example:

"Sir, there appears to be attacks against our systems from China"

"Are you telling me that China is attacking us? Can you provide proof beyond a doubt that it is China attacking our systems? How did you detect this attack?"

"Sir, it shows up in the firewall and IDS logs"

"What are firewalls or IDS? Did you get that report done...blahblahblah that I asked for? Why are you looking at the logs when I need real work done. What is the status of project A, B, C? Go help fix a computer somewhere."

"Sir, should I not be looking at the logs?"

"What, are you stupid, did I TELL you to look at the logs? Go fix a computer or something"

So, you train a govt IT person in computer security and they get a CISSP and maybe a SANS cert or two. But, they have to continue working with people who won't allow them to use the knowledge. They're leaving.

Generally speaking, my experience is that many departments in gov't don't follow their own process or rules and they breed an air of idiotic compliance. Then fire the blame gun when a problem erupts.

I was told by a long term employee when I asked how to survive in gov't so long..."for every situation, always have a putz lined up." Smart sysadmins in gov't learn that they will be the putz and leave.

Re:Incompetence on both ends - Gov't BS (1)

jofny (540291) | about 7 years ago | (#20742249)

Someone should mod this up.

Re:Incompetence on both ends (0)

Anonymous Coward | about 7 years ago | (#20744871)

Actually, Unisys requires employees to take the Department of Homeland Security training...I wonder why the Department, doesn't train their own employees...BTW, I have the certificate saying I passed technical training from the UNISYS - DEPARTMENT OF HOMELAND SECURITY on my fridge at home. It looks pretty cool!

Re:Incompetence on both ends (1)

eudaemon (320983) | about 7 years ago | (#20744921)

I still remember the security training video.

A VAX sysadmin leaves for a new job in the same facility but on a different government contract.
A few days into his new job, he realizes he could really use a script he wrote for the old job.
Rather than asking his replacement to e-mail / print / backup to tape / whatever the script,
he checks and finds he still has access to the old gear. One FTP later, Mr. Sysadmin is
doing 3-5 in Federal prison. These guys don't fark around.

Its sort of like taking out a credit card. If you are an unwashed rebel who can't be bothered
to pay his bills on time, taking out a credit card is a stupid idea. You are just rebelling
against a situation you put yourself into. Idiot. Same with a security clearance. If you
bother to get one, and manage to make it past the screening process you know the rules.
You may not agree with 'em, you may not like 'em. But you put yourself into that situation.
If you don't want to play, don't get a clearance.

The UNISYS guys may have been looking at some breakins as "we will lose the contract",
"we will be fired", etc. Who knows. Personally I think coming clean up front on the breakins
would have been much better. They knew the rules. The should have kept their boxes

Page 2? (2, Informative)

clarkkent09 (1104833) | about 7 years ago | (#20739763)

I guess if nobody reads the article, they figure it's not that important where they (don't) start reading from? Or else Stony Stevenson likes to read articles from back to front? I wonder how many /. readers will even notice.

Here is page 1 anyway: []

Re:Page 2? (0, Offtopic)

rootnl (644552) | about 7 years ago | (#20739781)

You must be new here. Welcome to Slashdot.

Re:Page 2? (2, Interesting)

Stony Stevenson (954022) | about 7 years ago | (#20740063)

Hey don't shoot the messenger. The linking to the Washington Post was a mod job. I had originally linked to a different site which referenced the Washington Post in its article, but which overall was more a summary of the whole affair.

Cyber (2)

julesh (229690) | about 7 years ago | (#20739789)

Can people please stop abusing the term "cyber". I mean, it once had a useful meaning (electronic control of physical processes) that is now on the verge of being lost.

Re:Cyber (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#20741397)

I cybered your mom last night.

Re:Cyber (0)

Anonymous Coward | about 7 years ago | (#20747213)

I guess you think scientists should not use the term cybernetics, etc. either, since some 14yo kids use the base word as a euphemism. No one thinks that way except you. That just goes to show your maturity level...

Re:Cyber (0)

Anonymous Coward | about 7 years ago | (#20747289)

Doesn't it simply mean 'network[ed]'? Actually makes sense that way, too.

Shit (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#20739799)

They must have been using Linux...

Isn't this the governments job. (1)

cyanyde (976442) | about 7 years ago | (#20739809)

Shouldn't the government be hiding their own ineptitude? Lou dobbs should be rolling in his..oh..he's alive ain't he.

Re:Isn't this the governments job. (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#20741471)

"he's alive ain't he."

after sitting through his whole show once, I wasn't sure. But they keep him nicely dusted.

Good point (1)

Bill, Shooter of Bul (629286) | about 7 years ago | (#20743493)

I think we can find a government contractor that will put Mr. Dobbs in a position to roll, however due to this month's annual red tape increase, we might have to form a committee to discuss the appointment of those that will oversee the bidding procedure of the swiss banks that will reroute the deferred compensation from the winning contractor to the appropriately untraceable accounts. The whole process might realistically be completed in 50 years or so, which may seem like a long time, but rest assured the contract accrual process will continue regardless of any death of Mr Dobbs. We know thats what he would have wanted.

Well... (3, Insightful)

Bananatree3 (872975) | about 7 years ago | (#20739813)

Security of critical gov't systems SHOULDN'T be left to some missionary IT support. It should be done in house. period.

missionary = mercenary (0, Offtopic)

Bananatree3 (872975) | about 7 years ago | (#20739821)

missionary = mercenary

Re:missionary = mercenary (0, Offtopic)

Opportunist (166417) | about 7 years ago | (#20740031)

Oh, missionary is just as right. They sell you promises of salvation if you turn away from your old salvation bringer, who is first of all slandered 'til you don't believe in him anymore, but if something blows up, your best hope is to pray 'cause there ain't much more you can do.

Re:missionary = mercenary (-1)

tacarat (696339) | about 7 years ago | (#20740151)

Mercenary position = sex with a pro?

Re:Well... (1)

KudyardRipling (1063612) | about 7 years ago | (#20742389)

There is this thing called COMPELLING GOVERNMENT INTEREST that seems to be ignored in this age of civil rights and political correctness [] . In the interests of national security there ought to be departments that should look like Hart-Celler [] never became law. Persons with sufficient pedigree to allow a runback to their ancestral lands should not be seen in such departments. Praat jy Amerikaans? []

You don't want that (0)

Anonymous Coward | about 7 years ago | (#20742559)

I assume by in house you mean the govt/military. Believe me you don't want this. If the military guys are doing it the more proficient guys are usually put in charge of the less proficient and therefore spend less time doing actual hands on work. A second problem is the lack of corporate knowledge, since they are pretty much guaranteed to change jobs/locations every 2-3 years you never get that guy that has been there since most of the systems were installed. This causes the same mistakes to be made every couple of years or every time the system is upgraded/replaced. As for the govt guys they are the epitome of not hiring the most qualified person for a job(yes that is a generalization but in the hands on tech field it is very true). Go out to and search for jobs in an area, at the bottom of the page there is a spot that talks about Applicant Eligibility, take a look at the difference in the number of jobs available by just changing that from no to yes. There are a lot of jobs out there held for only former govt/military people. Just clicking on AK - Ft. Richardson in location and changing it from no to yes changes the number of jobs found from 13 to 31.

Hmmm... (0, Offtopic)

ta bu shi da yu (687699) | about 7 years ago | (#20739827)

... is this the same Unisys that held the GIF LZW patent and tried to sue everyone for it, even though it was developed by Compuserv?

Excuse me while I don't shed a tear.

Re:Hmmm... (2, Informative)

Richard Steiner (1585) | about 7 years ago | (#20740231)

Uh... Unisys had a patent on LZW, which CompuServe subsequently used w/o permission in their GIF format specification.

Sounds like Unisys is going to be the "Fall Guy" (0)

Anonymous Coward | about 7 years ago | (#20739921)

DHS has been associated with some serious clusterfucks. The fact that they cant secure their own servers while they are supposed to be in charge of "security" is pollitically .... difficult.... for the current administration.

Surprise! Not! (1)

ChemE (1070458) | about 7 years ago | (#20740047)

This is nothing new. Think of Blackwater, Halliburton, Boeing, ..., ...

Big contractors like these simply get slapped on the wrist and keep going on with business as usual. The same thing will happen with UNISYS

Damn (1)

dcollins (135727) | about 7 years ago | (#20740071)

And here I thought the free market would protect me from that stuff.

Re:Damn (2, Insightful)

Opportunist (166417) | about 7 years ago | (#20740463)

This is about government and contractors. Free market is next door. Actually, it's down the corridor, then right, then ... ask again, I forgot where it was, we hardly use it today anymore.

Re:Damn (1)

cHiphead (17854) | about 7 years ago | (#20741765)

Government contracting is the new age Ayn Rand 'free market' philosophy, didn't you get the memo?

Re:Damn (1)

dcollins (135727) | about 7 years ago | (#20743377)

Of course, I forgot... if something failed then ipso facto the free market was not involved.

Re:Damn (1)

Opportunist (166417) | about 7 years ago | (#20743871)

Only because it's rarely if ever involved in business dealings within the last, say, 10-15 years.

Typical govt C&A hokum (5, Interesting)

mbstone (457308) | about 7 years ago | (#20740143)

Among my various other gigs, I've often worked as a contractor doing certification and accreditation (C&A) paperwork for half a dozen fed. govt. agencies. "C&A" is the required paperwork that is supposed to certify that an agency's systems have been secured in accordance with applicable NIST, DoD, etc. standards. Understand that many, if not most, agencies devote far more time, money, and effort to making the paperwork look good than they do to actually securing the systems. Some agencies, and some of their contractors, think the NIST SP 800-37 C&A process, DIACAP, FISMA reporting, etc. is just a worthless paper shuffle. Some are even still using SP 800-26 risk assessment questionnaires in lieu of a full C&A. I can't tell you how many job interviews I've gone on where the contractor company's hiring manager would actually brag about how they are going to falsify the C&A and snow the agency's inspector general, OMB, or whomever. My standard response to that has been, "Can I visit you in prison?" (Usually this spells the end of that particular interview process.) Since, up to now, nobody has actually gone to federal prison for submitting bogus C&A documentation, some people thought they could get away with this kind of bogosity forever. A strange and unlikely confluence of events caused the Unisys situation: they (allegedly) cheated on the C&A process, AND the intruders pwned the DHS network, including the main admin password. The successful intrusions caused an audit which exposed the C&A fraud (which otherwise would have slid on by). Too bad, so sad.

Re:Typical govt C&A hokum (3, Informative)

Rich0 (548339) | about 7 years ago | (#20740893)

I'd say the same thing applies in many regulated industries where it is required to document that a computer system meets various quality standards.

Far more money gets spent on documenting that the system works correctly than actually making the system work correctly. Often you end up with a system that looks great on paper that has lots of bugs in actual operation. Lots of tests get written that look like they test something but which rarely uncover bugs. The whole exercise costs a fortune, and largely exists to satisfy auditors (whether internal or external to the company performing the exercise).

Techniques like agile programming, automated testing, code reviews, etc are shunned because they're non-traditional and don't generate lots of paper. There is a fear that in an audit a government representative who hasn't signed on to the methodology might hammer you to death over not having a 2000 page design specification and a load of tests written and executed by everybody from the programmers, to IT QA, to end users (often the same exact test gets reformatted and run by all parties just so that it can be said that everybody had a hand in testing).

I once had to evaluate whether it was safe to directly modify a particular database field in an application, and was relieved to see that this application had one of those aforementioned thick design specifications. Then I was dismayed to find out that the only documentation there was on the field was the fact that it existed, what table it was in, what it was called, what kind of field it was, and what it contained (WidgetCorrectionFactor = Factor used to Correct the Widget value - really helpful as if I couldn't have guessed that much from the field name!). Absent was any kind of documentation as to what code might reference that field or what tables might join to it. I could search the source for the field name, but then there wasn't any kind of documentation or flow charts indicating the typical system workflow or in what order the various routines might get called. It was like documenting all the cell types in an animal without bothering to indicate what the actual animal looked like and how everything went together. But the auditors loved the document.

The issue is that most often QA and management and external auditors have no way of knowing whether a piece of code actually works or not. So, instead they look for stuff they can understand - paperwork. The paperwork does tend to lead to some basic form of quality, but rarely does it lead to code that doesn't break down on all the various one-off-cases that don't make their way into human-executed tests. I'll take a simple automated test that can be executed against a matrix of input values against a complex human-executed test that only ever gets run once (and is likely not repeated every time a piece of seemingly-unrelated code is touched) any day!

Re:Typical govt C&A hokum (2, Funny)

jafac (1449) | about 7 years ago | (#20745595)

To quote a rigorous defender of such regimes from a previous employer:
"Configuration Management is a serious engineering discipline!"

Unysis (2, Interesting)

syedelyas (1159799) | about 7 years ago | (#20740165)

"Security Unleashed - At Unisys, we're looking at security in an entirely new way. Security is no longer a defensive measure. It's an enabling catalyst for achievement. Unisys Secure Business Operations help to unleash your full potential." taken from Unisys web it says they can make everything possibility with their motto "we help you adapt quickly to meet ever-changing market demands and be resilient, agile and open" is a trash after all and hoping for a big fish to come after.. but the quote that they had used doesn't fit them a lot with this news. again, i think there not too good for this job.

Re:Unysis (1)

Opportunist (166417) | about 7 years ago | (#20740473)

Actually, this webpage speaks the truth, and I do believe them. Security is for them appearantly not defending you against threats but rather covering you in enough buzzwords that you don't notice that nothing is being done.

Re:Unysis (1)

ShakaZ (1002825) | about 7 years ago | (#20740959)

Heh that reminds me of when i worked for them here in Belgium a few years ago. Outsourcing was the big new trends in IT with reports of huge cost savings being made. So a new team was made to join the juicy business. After 3-4 months they hadn't really achieved anything, yet around that time i saw an interview of a Unisys manager saying the new section had been making great advances and was providing loads of opportunities, pure spinning...

Those evil Chinese-language Web sites (0)

Bender Unit 22 (216955) | about 7 years ago | (#20740179)

How do we stop websites from doing cyber attacks on their own?

Well, (1)

Nazlfrag (1035012) | about 7 years ago | (#20740195)

Any hacker worth his salt covers his tracks and leaves no traces, what did they expect?

Re:Well, (1)

Opportunist (166417) | about 7 years ago | (#20740487)

This isn't needed with Unisys! Unisys' kind of security is (quote from the reply above) "an enabling catalyst for achievement. Unisys Secure Business Operations help to unleash your full potential."

Appearantly they mean whoever wants to hack their customers and not their customers with that statement, but you can't say that they're lying.

Stealing Unclassified Data? (1)

wayward_bruce (988607) | about 7 years ago | (#20741007)

Although the hackers lifted data from unclassified systems, Paul Kurtz, a former White House cyber-security adviser, said that even unclassified data, if stolen in large enough quantities, could provide important clues about U.S. military and corporate trade secrets.
In my country it is impossible to steal unclassified data. That doesn't even make any sense.

Re:Stealing Unclassified Data? (2, Insightful)

argent (18001) | about 7 years ago | (#20741173)

What? Look... things like credit card numbers and passwords to online accounts aren't "classified data", but they certainly *can* be stolen. Plans for as yet unreleased products can still be stolen, even if they're plans for devices with no military application at all.

On the other hand, classified data can include material that people CAN find out from their own observation if they happen to be in the right place at the right time. Like whether a particular vessel is in a particular location... individual observations that aren't correlated aren't something that has been "stolen"... they just happen... but in bulk they become valuable and justify protection.

So whether something is a military or state secret is orthogonal to whether it's valuable or can be "stolen".

Re:Stealing Unclassified Data? (1)

wayward_bruce (988607) | about 7 years ago | (#20741273)

We are talking about DHS data, right? Unless I am grossly mistaken, it is governmental and, therefore, either "classified" or "unclassified". If it is unclassified, there can be no theft of data to speak of.

On the other hand, again if I understand you correctly, what is being stolen is the ease of access to the data, not the data itself (which, being governmental and unclassified, can not be stolen). That ease of access can enable the thieves to gain insight into some of the classified data.

If most of what I'm gathering from this is true, then both of us are right: unclassified data can not be stolen, but there can be a case of theft concerning unclassified governmental data. In any case, I maintain that unclassified data per se can not be stolen, which goes contrary to its virtue of being publicly accessible.

And talking about my credit card number, yes, it is classified, only I am not an institution of the government.

Re:Stealing Unclassified Data? (1)

argent (18001) | about 7 years ago | (#20743209)

We are talking about DHS data, right?

I don't know. You don't know, either.

Not all data on government systems belongs to the government. Some of it is proprietary information owned by private individuals and institutions and licensed or otherwise made available to the DHS (for a rather obvious example to prove my point, Windows is licensed from Microsoft, you can't get a copy of Windows for the price of a FOIA request).

Re:Stealing Unclassified Data? (1)

wayward_bruce (988607) | about 7 years ago | (#20747761)

OK, I think I get it for once. Thanks for taking your time to explain.

Re:Stealing Unclassified Data? (1)

JetScootr (319545) | about 7 years ago | (#20741237)

"Unclassified" doesn't mean valueless or null, etc. "Classified" data is that which has an impact (of varying degrees) on national security. "Unclassified" is all data that isn't in one of the "Classified" categories.
By itself or in normal amounts or normal handling, Unclassified has no impact on nat'l security. Nat'l security has nothing to do with what *the*company* considers important. Examples: almost all contractor's business info that doesn't overlap class. stuff, source code to company tools, blueprints for the company's buildings, etc.
"Unclassified" includes personal info and company trade secrets, etc. Ever hear of "identity theft"?
So yes, "unclassified" almost surely can be "stolen", in any country.

Re:Stealing Unclassified Data? (1)

Sabathius (566108) | about 7 years ago | (#20741257)

When I was in the Air Force, operational security also included something called EEFIs. Essential Elements of Friendly Information: little pieces of "seemingly" non-important information that, when put together with other pieces, equal real intelligence data.

Actually, it does make sense.

Unisys? (2, Funny)

Guppy06 (410832) | about 7 years ago | (#20741201)

"Unisys denies it all."

They Have the Way Out!(TM)

Dan Quayle's DEA record? (it's the coverup) (1)

argent (18001) | about 7 years ago | (#20741231)

Reminds me of this...

Scores of newspapers and commentators denounce a Doonesbury series about Dan Quayle's DEA file and Brett Kimberlin, a federal prisoner put in solitary confinement to keep him from repeating his claim that he sold marijuana to the vice president. "Who cares what a comic strip may or may not say about me or anyone else," said Quayle. Trudeau is denounced on the floor of the U.S. Senate, as numerous papers withhold the series and some drop the strip.
-- Doonesbury timeline, 1990 []

As I recall (can't find a copy of the actual strip, it's in the collection "What is it, Tink, is Pan in trouble?") the real punchline for the whole series went something like this:

Rick Redfern: "That's it! That's the story! The coverup!"
Source: "That's what I thought. Should I just toss the file?"

If there's a story here at all (after all, 'someone got trolled through IE' isn't a story at all... or if it is it's Microsoft who should be investigated), it's the coverup.

This is a failure of management (1)

ew1ley (1161795) | about 7 years ago | (#20741797)

From the Wash Post article: "...under the follow-on contract, "DHS, citing lack of funding, elected to stop paying for security monitoring services," but that the firm continued to provide the monitoring anyway." The follow-up contract started in '05. DHS wasn't PAYING for security monitoring, but Unisys did it anyway (which is illegal, I believe). Therefore during the breach in 2006, DHS basically got what they paid for. This is DHS's management utterly failing and Unisys getting the blame for it.

Re:This is a failure of management (1)

stuntpope (19736) | about 7 years ago | (#20742129)

More on that line of thought in Wall St Journal, []

Federal law-enforcement officials said the FBI was taking a look at the incidents -- and Unisys's response -- but said the allegations were so far not viewed as a major breach of national security. "The FBI is making sure that this was not something out of the ordinary," one official said, noting that attempts by hackers to infiltrate U.S. government computers are "everyday occurrences."

One key issue is whether Unisys failed to install the security programs or whether DHS cut them to save money. Unisys has urged the FBI to look at what the company recommended the agency needed versus what it was willing to pay for.

Dena Graziano, a spokeswoman for Rep. Bennie Thompson, (D., Miss) the chairman of the House Committee on Homeland Security, said congressional investigators found "there were several systems put in the closet that should not have been. What we don't know yet is who had them put there."

Not surprising (1, Interesting)

Anonymous Coward | about 7 years ago | (#20742281)

I worked for Unisys some time ago as helpdesk support for their DHS account, and this is no surprise to me at all. They are absolutely inept and have no concern for security. Among the things that just amazed me:

1. When a user asked for a password change, we were not supposed to challenge them in any way. This included people as high up as the Secretary(or more accurately-the secretary's assistant), but we didn't even have a list of who his assistants were.
2. Each desk had two systems, one Unisys and one DHS. The building had no physical security and the systems were not locked down. Also, nobody ever locked their desktops.
3. The head of cybersecurity resigned at one point, stating that nobody took network security seriously. Two weeks later, his account was still active.
4. I worked there for about 8 months before I decided to get out. In that time, I never received any sort of security clearance.

Those are just the big ones. That was my first and last job for a government contractor.

Re:Not surprising (1)

mbstone (457308) | about 7 years ago | (#20749031)

If you continue in government contracting, you'll encounter worse.

Well didn't you know... (1)

Shaltenn (1031884) | about 7 years ago | (#20742439)

Didn't you guys read the memo? Paying for resources to detect/prevent cyber-attacks is way more expensive than simply covering up the tracks after a cyber-attack. They're just watching out for their bottom line like every other corporation in America. Can't blame them for that.


easy enough (1)

steveaustin1971 (1094329) | about 7 years ago | (#20745215)

They can just do what every IT department at every job I've ever had does, blame it on the users! Currently our server difficulties are being explained to me as "Employees are using to many wildcard searches of the database" and somehow that explanation has so far appeased the managers... luckily for the IT department management is baffled by complex techie speak such as "wildcard searchs" and will likely put out a memo declaring "Wildcard searches are bad for the computers, please refrain from using wildcard searches on company computers" *sigh

1.7 billion (2, Funny)

greenbird (859670) | about 7 years ago | (#20746587)

What I want to know is what the hell could cost 1.7 billion dollars? Are they putting HA systems with redundant fiber channel SANs on every desktop? How big is the DHS? If were talking even 100,000 people that's over $17,000 per person in IT costs. For that kind of money they should have had big time segmentation with all kinds of traffic monitoring and IDSes along with honeypots and tarpits. Hell, for that kinda money I would even include fart detectors.

UGH! (1)

Danzigism (881294) | about 7 years ago | (#20750471)

damnit Unisys! I TOLD you to turn off telnet in your inetd.conf!! but you just didn't listen..
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?