Re: USGS returns to the Internet
Unnamed Administration sources reported that Patrick Greenwell said:
> A judge *ordered* the DOI offline.
I disagree. Read the order. <http://www.indiantrust.org/rulings/2001.12.05_TRO.pdf>
It only talks about systems with Indian Trust data not the home page server. I think it's fair to assume a PHB panicked over [his,her] tail being locked up by His Honor; and ordered ALL servers down.
YMMV.
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
On Sun, 9 Dec 2001, David Lesher wrote:
> > A judge *ordered* the DOI offline.
> I disagree. Read the order. <http://www.indiantrust.org/rulings/2001.12.05_TRO.pdf>
> It only talks about systems with Indian Trust data not the home page server. I think it's fair to assume a PHB panicked over [his,her] tail being locked up by His Honor; and ordered ALL servers down.
Rather than play tit for tat, here's what the relevant portions from the TRO state:
"Further ordered that defendants shall immediately disconnect from the Internet all computers within the custody and control of the Department of the Interior, its employees and contractors, that have access to individual Indian trust data."
I have no personal knowledge of the DOI's infrastructure, and unless you do, I think we're all left to speculate as to whether or not the "home page server" of the DOI had access to the Indian trust data. My speculation would be that it does if it's Internet connected...
As you say, YMMV. :-)
Unnamed Administration sources reported that Patrick Greenwell said:
> On Sun, 9 Dec 2001, David Lesher wrote:
> "Further ordered that defendants shall immediately disconnect from the Internet all computers within the custody and control of the Department of the Interior, its employees and contractors, that have access to individual Indian trust data."
Thank you. For some reason I was unable to screen grab that pdf.
> I have no personal knowledge of the DOI's infrastructure, and unless you do, I think we're all left to speculate as to whether or not the "home page server" of the DOI had access to the Indian trust data. My speculation would be that it does if it's Internet connected...
I can see no reason why a server full of personal data would be.
{But this is getting way OT}
--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
On Sun, 09 Dec 2001 21:54:31 EST, David Lesher <wb8foz@nrk.com> said:
> Unnamed Administration sources reported that Patrick Greenwell said:
> > page server" of the DOI had access to the Indian trust data. My speculation would be that it does if it's Internet connected...
> I can see no reason why a server full of personal data would be.
Personally, given the amount and size of holes the court-appointed tiger team found, and the fact that *previous* security audits going back as far as 1989 (it appears) have found problems, I'd be surprised if they had gotten it *right* and segregated that server from the Internet. And of course, given the judge's wording, if the data server is on the Internet, then every DoI host that's on the Internet has access to it - and thus needs to have its plug pulled. Bet somebody's wishing that server had been on a private network with only several other dozen machines.... ;)
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Sun, 9 Dec 2001, Patrick Greenwell wrote:
> I have no personal knowledge of the DOI's infrastructure, and unless you do, I think we're all left to speculate as to whether or not the "home page server" of the DOI had access to the Indian trust data. My speculation would be that it does if it's Internet connected...
The great thing about our government is public oversight. It may be embarrassing to the managers involved, but Interior's computer security is detailed in several places.
Information Security: Weak Controls Place Interior's Financial and Other Data at Risk. July 3 2001.
http://www.gao.gov/new.items/d01615.pdf
DoI responds: "While this audit, as well as previous audits, have identified areas where NBC-Denver can improve its management controls, none of these audits has ever shown that the integrity of the financial data has ever been compromised. Our on-going operations have provided our customers accurate financial information and timely delivery of services."
On Sun, 9 Dec 2001, Sean Donelan wrote:
> On Sun, 9 Dec 2001, Patrick Greenwell wrote:
> > I have no personal knowledge of the DOI's infrastructure, and unless you do, I think we're all left to speculate as to whether or not the "home page server" of the DOI had access to the Indian trust data. My speculation would be that it does if it's Internet connected...
> The great thing about our government is public oversight. It may be embarrassing to the managers involved, but Interior's computer security is detailed in several places.
Really an excellent point. On a somewhat tangential note, would Internet security be aided if businesses were held to higher degrees of public disclosure and/or accountability? Not that it would ever happen of course, but I think the discussion around the question could be intriguing....
The problem is a clear-cut conflict of interest when you have a professional services firm doing both financial auditing and network security reviews for the same company. It's a known fact that auditing firms make more money off of financial audits than network services, and I believe there are a few public cases where security reviews have been skewed/glossed over/spun in a manner not to piss the customer off, particularly when they are paying BIG BUCKS for the financial audit part of the contract. With respects, I for one would not want the same Big Whatever Firm doing my network security reviews if they were also doing my finances. It comes down to the question of do you want the truth, or the illusion of the truth?
rf
From: Sean Donelan <sean@donelan.com>
Date: Sun, 9 Dec 2001 23:38:04 -0500 (EST)
To: Patrick Greenwell <patrick@cybernothing.org>
Cc: David Lesher <wb8foz@nrk.com>, nanog list <nanog@merit.edu>
Subject: Network security: The auditors point of view
On Sun, 9 Dec 2001, Patrick Greenwell wrote:
> I have no personal knowledge of the DOI's infrastructure, and unless you do, I think we're all left to speculate as to whether or not the "home page server" of the DOI had access to the Indian trust data. My speculation would be that it does if it's Internet connected...
The great thing about our government is public oversight. It may be embarrassing to the managers involved, but Interior's computer security is detailed in several places.
Information Security: Weak Controls Place Interior's Financial and Other Data at Risk. July 3 2001.
http://www.gao.gov/new.items/d01615.pdf
DoI responds: "While this audit, as well as previous audits, have identified areas where NBC-Denver can improve its management controls, none of these audits has ever shown that the integrity of the financial data has ever been compromised. Our on-going operations have provided our customers accurate financial information and timely delivery of services."
participants (5)
- David Lesher
- Patrick Greenwell
- Richard Forno
- Sean Donelan
- Valdis.Kletnieks@vt.edu