
Windows security and its impact in real life

I found this Wired News story (Border Security System Left Open) via Slashdot. It describes how, in August 2005, the US-VISIT system was crippled by the Zotob worm. As I read the story the hairs on the back of my neck stood up. I couldn't believe what I read.

First of all, how is it that a highly sensitive system such as US-VISIT is even tied to the internet? The ideal, most paranoid solution is to use a separate network to tie everything together. Considering all the dark fiber that still exists after the dot-com crash, the feds should have pulled together a government network on which they could have placed US-VISIT and any other critical system. If they needed access to the rest of the net, they could have either provided gateways between the government net and the rest of the world, or else put a second dirty system next to the clean ones for email and surfing the web. I've worked long enough on government contracts to know that if the information on a computer is classified sensitive or higher, then that computer goes on a separate net with highly restricted access to the outside world.

Second is the choice of operating systems. It wasn't just Windows, it was Windows 2000. This was how the worm was able to affect US-VISIT. Zotob targets the flaw that was found in Windows 2000's plug-and-play 'feature'. Having the government use Win2K is not all that unbelievable. I'm on a program right now where the PC sitting on my desk is still running Win2K, and they're just now getting around to upgrading to WinXP (yes, right before the delayed launch of Vista). And I did work for a company that refused to roll out Service Pack 2 for Windows XP because it interfered with certain corporate applications. But in both cases the IT group maintained and deployed critical fixes. This particular government screwup was amplified because the Zotob patch wasn't applied to systems until a week after it had been released by Microsoft. As the Wired story puts it:

"Operating somewhat more slowly, it took CBP officials until Aug. 16 -- a full week after Microsoft released a patch for the hole -- to start pushing the fix to CBP's Windows 2000 computers. But because of the array of peripherals hanging off of the US-VISIT workstations -- fingerprint readers, digital cameras and passport scanners -- they held off longer on fixing those machines, for fear that the patch itself might cause a disruption."
The biggest question I have is whether or not the US-VISIT systems were sitting behind a firewall. I remember August 2005, and I remember the Zotob worm. I also recall that none of the major contractors in the Orlando area with which I was familiar had a problem. Why? Because the people running IT in their various shops maintain an iron grip on the various corporate nets with firewalls, anti-virus software, and corporate policies and procedures that prevent this from happening. If something does get through the corporate net, then the vector is a notebook (usually someone in management's) that was connected directly to the internet, became infected, and was then allowed to be reconnected to the controlled network after the infection. Even then it's rapidly quashed.

Yes, you can blame part of this on Windows' security problems. But the greatest share of blame is rightfully heaped on the government IT group that failed to properly design and maintain an iron-clad network for US-VISIT. On the internet, only the paranoid survive.
