Reply From: Matthew Patton <patton@sysnet.net>
>That's one of the reasons government security is so lame, Ranum said. I'll
>believe the government is serious about security when somebody at the
>Pentagon gets fired.
Amen!! But we'll never see the day that happens, no matter how much
mouthing Hamry does. While significant blame must be attached to management
and their cluelessness, one has to wonder if basic security precautions are
a natural and responsible part of being a sysadmin. I think so, very
strongly in fact. If OSD or any of the military branches are going to get
serious about security, they'd better start firing their present
contractors wholesale. So many of them can't find their own asses in a
shell prompt.
I wish Janet R. would save us all the bother with one more agency
investigating "cyber crime" and pretending to act like a CERT and instead
give the services the money and label it specifically for advanced Unix
security training. This means mandatory attendance to SANS etc. And/or
workshops where we invite an eminent person to teach these morons how to
configure a Slowaris box (most .gov unix is slowaris) and force them to
submit their workstations to instructor review/penetration testing. They
don't get to leave the class till they have mastered more than the basics
to securing the operating system. And at gun point we force each admin to
weekly look at CERT's notices, or subscribe to such wonderful services as
BugTraq.
We further empower the IG to do spot checks on systems (at least quarterly)
and railroad any idiot (with an Article 15 or outright termination) who
repeatedly fails to do things correctly. The latter especially applicable
to these slimeball contractors who feed at the Pentagon trough.
>One federal employee, who performs vulnerability assessments for the
>Defense Information Systems Agency, defended government security efforts.
Heh, that's funny! Why don't you (the DISA guy) turn your vaunted tiger
team on yourselves? Specifically the HQ building. You want to have some
fun? Get your own house in order before you go spouting off defending
current practices. Somehow I don't remember seeing any seminars hosted by
these tiger team members or similar to help the careless admins learn what
they did wrong and to fix it. Has anyone else?
I wish to heaven we could put some teeth to security. But alas, it's nearly
impossible to fire anyone in the government. Let alone revoke a stupid
contract. Maybe we should have a black list, "These individuals and
contracting companies (or their staff) are incompetent. They are under no
circumstance permitted to administer computer systems. If you want to
redeem yourself, you will have to be subjected to intense scrutiny from
established players. Anyone caught 'blessing' an incompetent individual
will be banned likewise but with no hope of working in the field again for
at least 5 years." Hey, Hamry. How about that?
- Matt, disgusted to be working as a phed with pheds.
--------
"You need only reflect that one of the best ways to get yourself a
reputation as a dangerous citizen these days is to go around repeating
the very phrases which our founding fathers used in their struggle for
independence," - Charles A. Beard (American historian)
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Received on Sat Aug 15 15:03:07 1998