State Department Spent $1.2 Billion On An Asset Monitoring System… That Ignores All Non-Windows Equipment

from the julian-assange-agrees dept

We just wrote about a GAO report showing how the Defense Department is somewhat incompetent at dealing with online threats. Of course, it’s not clear that anyone else in the government is any better. The GAO is back with yet another report, dinging the State Department for its dreadful computer security monitoring program. In this case, it’s talking about threats to the State Department’s network, rather than to third parties. And while the State Department spent a whopping $1.2 billion of taxpayer money on a fancy computer system, called iPost, to monitor everything, it turns out that it only works on Windows machines:

But the iPost service only covers computers that use Microsoft’s Windows operating system, not other assets such as the roughly 5,000 routers and switches along State’s network, non-Windows operating systems, firewalls, mainframes, databases and intrusion detection devices, GAO auditors said.

I mean, this is the kind of stuff that makes you shake your head in disbelief. Somewhere in the process of building a $1.2 billion system, no one thought to point out that there are more computer assets than those that run Microsoft Windows? Really? Someone seriously deserves to be fired.

Also, for the Windows computers where you can install it, it appears that the system barely works.

For instance, iPost tools did not always scan computers when scheduled, or they created false positives that had to be analyzed and explained. One scanner vendor failed to update its technology to detect the latest, most common vulnerabilities. And tools manufactured by different suppliers produced disparate scores that staff then had to interpret and modify.

Apparently, all of this is leading to confusion where people don’t even know who’s responsible for what.

So can someone explain why the federal government is coming down so hard on Bradley Manning, rather than taking some of that energy and focusing on securing the State Department’s computers? Honestly, from the sound of things, you have to imagine that lots of people (including tons of foreign spies) long ago broke into State Department computers and had access to all of this info, based on reports like this. If anything, it makes you wonder if the Wikileaks leak may help get the State Department to better secure things.

Filed Under: ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “State Department Spent $1.2 Billion On An Asset Monitoring System… That Ignores All Non-Windows Equipment”

Subscribe: RSS Leave a comment
David Muir (profile) says:

Honestly, from the sound of things, you have to imagine that lots of people (including tons of foreign spies) long ago broke into State Department computers and had access to all of this info, based on reports like this.

Worse. It sounds an awful lot like those spies infiltrated the State Department and then actively mismanaged (sabotaged) the asset security project to ensure that they could continue to breach government networks.

Spy Leader: We know how to circumvent Windows already. Ensure that the iPost project doesn’t look at anything else.

Spy Underling: Yes, Mr. Gates.

Greevar (profile) says:

Re: Of course

Considering the NSA required Microsoft to add a back door for them, I’d say Windows is far more insecure than other OS offerings.

The irony though is that most of the professionals who hack Windows machines are likely using something other than Windows (i.e. Linux/Unix). Honestly, if it weren’t for DirectX games, Windows wouldn’t even have a market among the technologically inclined.

blaktron (profile) says:

Re: Re: Of course

This is so ridiculously false that I dont know how to respond. There have been many, many, many tests and Windows7/2008R2 in their default installations and kept up to date with patches have NEVER been successfully attacked in the real world without user compromise or physical access. Get your facts straight.

ltlw0lf (profile) says:

Re: Re: Re:4 Of course

neither is it Helm’s Deep.

Hmmm… Helm’s Deep was pretty easy to compromise as well. A little gunpowder was all the Urukai needed to breach the walls and then they were able to sweep through the outer defenses. Gandalf was even certain that the move to Helm’s Deep was a dumb one…and he hoped that it would hold long enough for him to get the outcasted riders of Rohan and return.

Windows is pretty bad by default, but any competent administrator can lock down Windows so its is secure enough to convince all but the most driven individuals to move on to easier targets.

blaktron (profile) says:

Re: Re: Re:5 Of course

Please, name me a change from the default security settings that makes Windows more secure. In days gone by Windows used to ship with IIS and certain RPC services turned on and listening by default, which made setting up other service (like domain services) much easier. But those days are long gone, so please good sir, do tell me what OS level changes you personally make to a windows7 machine to make it more secure.

out_of_the_blue says:

Re: Re: Re: Of course; @blaktron: the very existence of patches..

proves you trivially wrong.

Here’s the sequence:
1) An exploit is found in the wild; this is constantly monitored by numerous experts.
2) Microsoft hastily finds a fix (supposedly) and tries to put out a patch before it spreads.
3) Microsoft yells “Keep your patches up to date!”
4) You (and Microsoft) maintain that the most recent properly patched systems have never been exploited.

Morgenstern says:

Re: Re: Re: Still doesn't make Windows any better

Ah, but therein lies the difference between security on a Windows and on other systems. Microsoft cannot respond quickly enough to patch needs because it has to develop them in-house, whereas Linux systems rely upon a community of people to plug the holes the moment they appear. This means that Windows is more vulnerable because it’s security design is inherently flawed and rooted in a proprietary non-open source model.

Admittedly, Windows 7 is a better offering security-wise than other Windows systems, but it still pales in comparison to a basic Linux distro that comes with a firewall and locked root privileges by default. Add in the “no know viruses” carrot, and the choice is clear.

blaktron (profile) says:

Re: Re: Re:2 Still doesn't make Windows any better

The amount of security-model ignorance you guys are spouting here is fantastic. Every SINGLE Windows exploit you’ve ever come in contact has been browser level. All of them. Those exact same exploits exist in the linux varieties of the browsers as well. God, I hope you aren’t responsible for people’s security, I almost think you work at Sony….

djm229 (profile) says:

Re: Of course

Dude, seriously? So you’re one of those that believe MAC has only like 5 existing viruses, that UNIX is not a playground to hackers and that Steve Jobs will ensure that no viruses/malware could possibly hit you when you’re on the IPAD? Because if you believe that, I’ve got a LOT of beachfront property for you in Tornado Alley.

Rich Kulawiec (profile) says:

Re: *facepalm!*

Of course. It is quite, quite impossible to secure Windows systems for any meaningful value of “secure”. Witness Microsoft itself, which has (a) the source code (b) massive in-house expertise (c) essentially-infinite personnel (d) essentially-infinite money and yet still cannot manage to run a mere email service (Hotmail) securely. Anyone who is actually paying attention to their own mail servers knows this; their own log files prove it repeatedly, all day, every day, and have been doing so for years.

But I wouldn’t start with Linux for this purpose. Oh, it’s certainly an enormous step up from Windows, but then again a steaming pile of cow manure would be the same. I’d start with OpenBSD, which is considerably smaller and much more focused on security.

None of this will happen, of course. Instead, those responsible for this will be rewarded and promoted, there will be more of the same epic failure, and even the poorest countries out there (the ones without a beer and an airline, thanks FZ) will be able to penetrate this operation whenever they want, merely by hiring a bored college student with a laptop.

Rich Kulawiec (profile) says:

Re: Re: Re: *facepalm!*

You’re kidding, right? You’re asking me to demonstrate to you that the ocean is wet. But presuming this is a serious question:

If you run a mail server of any size/volume/scope/etc., then all you have to do to answer that question is to look at your own logs. (By which I mean not just your SMTP logs, but everything else as well.)

If you don’t, and not everyone does of course, then all you have to do is to read the relevant traffic on nanog, mailop, spam-l, full-disclosure, bugtraq, spamtools, and other related lists for the last ten years or so.

Either way, what you need to be paying attention to is not so much what’s going into Hotmail (although that’s certainly interesting in its own right) but what’s coming out of it.

Matt H (profile) says:

Re: Re: Re:2 *facepalm!*

What’s coming out of hotmail really has nothing to do with it’s security as a whole. Anyone can sign up for a free account, hook it into a bot, and start spamming away. That still doesn’t equal a lack of security.

Another potential source for spam from hotmail (as I assume you’re referring to that as “insecurity”) is people’s accounts getting hacked. That’s usually their own fault for not using secure passwords.

And finally, since hotmail is one of the oldest and most popular services out there, spammers have been spoofing fake hotmail addresses for years. In fact, you can pretend to send email from anyone you like just by setting up your own mailserver! Doing that just usually means you get easily caught by the spam filters.

So….hotmail in and of itself is probably pretty secure. These days, Microsoft really seems to know what they’re doing when it comes to locking things down…

Rich Kulawiec (profile) says:

Re: Re: Re:3 *facepalm!*

There are many things wrong with your statements, some of which are obvious and some of which are subtle. I’m just going to cover the major points, and refer you to the resources already outlined for more extensive coverage.

First: what comes out of any site has everything to do with whether or not it’s secure. This is a first principle of network security, albeit one that is often overlooked. (Haven’t you noticed that the most serious security issues don’t involve someone breaking in…they involve someone breaking out?)

Second: one of the other fundamental principles is that outbound abuse is a surface-level indicator of underlying problems. Spam is of course not the only form of abuse — it’s merely one of many that uses the SMTP protocol — but it does provide a highly reliable measure of internal security. Secure sites do not emit spam on a systemic and persistent basis. (Nor do they emit other forms of abuse on a systemic and persistent basis.)

Third: everyone who knows how to read email headers and/or evaluate their own logs is quite aware of what’s really coming from Hotmail and what’s not. Attempts to forge Hotmail’s domain have decreased steadily, in part because even spammers, dull as some of them can be, have figured out that it’s not a worthy target for forgery.

Fourth: spam is far from the only security problem at Hotmail. Again, read the references I cited, or, if you don’t want to plow through the historical record, just subscribe to them…and wait. You probably won’t have to wait long.

blaktron (profile) says:

Re: Re: Re:4 *facepalm!*

I actually do run Mail servers, they are bigger than yours almost for sure and I can promise you about 10 times as much spam comes from gmail addresses as hotmail ones these days. Sorry, try again.

Also, STMP security involves forcing authentication, which hotmail does. They just give free accounts that allow anyone to authenticate. They clean up their mess as much as anyone. Also, none of that has ANYTHING to do with system security. moron.

Rich Kulawiec (profile) says:

Re: Re: Re:5 *facepalm!*

I should probably charge you a consulting fee for this, but:

I actually do run Mail servers, they are bigger than yours almost for sure and I can promise you about 10 times as much spam comes from gmail addresses as hotmail ones these days.

Maybe they are bigger, although in the 30 years I’ve been running mail servers, they’ve varied in size from “tiny” to “among the biggest and busiest on the net”. And one of the things I’ve learned is that size is not correlated to clue. Another is that anyone who can competently operate a mail server with 10K users can operate a mail server of arbitrary size just as competently.

As to your comparison of volume from gmail vs. hotmail, you’re making a beginner-level mistake here. Everyone who has studied spam in any depth knows that spammers target differentially: by country, by ASN, by network, by host, by domain, by MX, by OS, by MTA, by user, by LHS, by just about every criteria you can imagine. So one of the fundamental truths about anti-spam work is that your incoming spam mix does not look like their incoming spam mix, for all values of “your” and “their”. Thus your observation, while presumably accurate, means nothing for anyone but you: it tells us precisely zero about the actual spam rates from either operation.

So if you actually want to assess patterns on anything approaching a global scale, one of the things you need is a very large number of measurement points, AND that very large number of measurement points has to reflect sufficient diversity among all the criteria I enumerated above — plus a few others. This is difficult not only because of the scale, but because considerable craftiness is required to operate the measurement points. And then even more clue is required in order to combine the measurements in a way that actually means something.

Also, STMP security involves forcing authentication, which hotmail does.

It’s SMTP, and only some SMTP security involves authentication. As I would expect anyone who claims to run a mail server to know, there are many injection paths which do not. For example, Hotmail emits backscatter (aka outscatter), which is a particular form of spam that does not even require the spammer to have a Hotmail account.

Beyond that, authentication is not a barrier to spammers running botnets, since they can possess and use at will any email authentication credentials stored or used on those systems. Thus — as we’ve seen — spammers will sometimes choose to use their bots not to directly send spam, but to relay it through third parties…some of which dutifully perform the authentication, which of course succeeds.

They clean up their mess as much as anyone.

Of all the things you’ve said, this is the most ludicrous. Everyone who has been paying the slightest attention to traffic among professionals in the field over the last ten years (whether that traffic is on mailing lists or in newsgroups or on the web or whatever) is well aware that Hotmail is absolutely, profoundly, completely incompetent at dealing with abuse and security issues. They have demonstrated, thousands of times, that not only can they not read well-crafted reports, not only can they not tell an abuse report from abuse, but they quite often fail to recognize their own hosts and networks as such.

That is, as someone once said, a special kind of stupid.

Here’s an exercise for you: go over to Google. Type in “hotmail abuse clueless” and start reading the hits. When you’re done, switch the search from the web to Usenet…and read some more. And then search…well, by now you should get the idea. Hotmail’s abuse desk is legendary for their incompetence — although they do have serious competition from Yahoo for worst-in-class.

Yet this is not the end of the issues with Hotmail. As I said previously, spam is only one of their many problems. It just happens to be a particularly easy one to observe.

djm229 (profile) says:

Re: Re: Re:6 *facepalm!*

Anyone else notice that you both compared server sizes? This sounds like “mine’s bigger than yours” … wait, it IS that advanced argument.
BLUF: Hotmail is not secure in itself, let alone that it’s free. Thinking that it is is stupid. Period.

Why would you think that Microsoft (that has serious vulnerabilities found monthly (hence the patching)) would put more/equal effort into securing it’s FREE product than it’s PAY products (Windows Desktops, servers, productivity systems, etc)?

Rich Kulawiec (profile) says:

Re: Re: Re:7 *facepalm!*

Actually no, I explicitly disclaimed the “bigger is better” proposition…because it’s wrong. Some of the best-run mail servers are not very big at all; some of the worst-run are enormous. The only thing that running a bigger server gets you, if you learn from the experience, is some clue about scaalability.

Now as to your excellent question in the second paragraph: because Hotmail used to run on FreeBSD and Solaris. Just about ten years ago, Microsoft decided to switch it to Windows…and not coincidentally, that’s when it began to go downhill rapidly. But they did it anyway, in a foolish, amateurish, misguided attempt to show that it could be done better with Windows (see even though everyone knows that running a mail server on Windows is like setting yourself on fire: it’s incredibly, completely stupid.

But one would think, given that Microsoft went through all this trouble, that they would take the time to do it at least halfway well — because as it is now, all it really demonstrates is that not even Microsoft can run Microsoft products in a secure and stable fashion…which in turn raises the question, if they can’t even do it, and they wrote the code, then why would anyone else believe that they can? Why would they even want to try?

And there’s another point here, one that eludes many newcomers to the Internet. (You’re “new” if did not have an email address ending in “.ARPA”.) When you build an operation, any operation, and you plug it into the Internet, you take upon yourself the professional and ethical obligation to make sure that that operation does not harm the Internet. It’s your first responsibility — the one that trumps all others at all times. And in that…Microsoft has failed miserably. In part I think it’s because they don’t really care if Hotmail shits all over the rest of the Internet; but in part I think it’s because they can’t fix it. They’ve stacked the deck so much against themselves that they’re stuck.

But whatever the underlying reason(s), we know that the operation, take as a whole, is completely insecure. We may not know exactly why, or how — although we have substantial clues — but the emitted traffic proves beyond any possible argument that it’s rotten to core.

Mr. Smarta** says:

Nobody will get fired...

Nobody’s going to get fired. This sort of work was done by contractors who were hired to handle the Windows side of things, but either there was no contracting team to handle the “other” operating systems or somebody felt those were perfectly secure because they aren’t “Windows”. RedHat is most likely covered under the RedHat company, Solaris and databases for Oracle, routers and switches for Cisco.

*nix systems are often wrongly assumed to be perfectly secure, which they aren’t. The only computer immune from internet attacks is one that isn’t connected to the internet (e.g. has no network capability like no wireless or NIC card, and even then that’s suspect).

Sum One says:

Blame bureaucracy and office politics.

“Somewhere in the process of building a $1.2 billion system, no one thought to point out that there are more computer assets than those that run Microsoft Windows? Really? Someone seriously deserves to be fired.”

I guarantee somebody did point that out. They were probably shot down by someone higher up the chain, who won’t be fired but promoted instead. That is how the government rolls. Just ask any federal employee.

Anonymous Coward says:

Honestly, from the sound of things, you have to imagine that lots of people (including tons of foreign spies) long ago broke into State Department computers and had access to all of this info, based on reports like this

Why bother? Why not just give 1 of the 2 million or so people who had access a couple of hundred dollars for the Manning Files. I am sure they all did. All the Wikileaks files will have been old hat to the other nations, but just very embarrassing that the public got to see them.

Anonymous Coward says:

First rule of government contracts... limit the scope

The first rule of successful government contracting it to limit the scope of the work to a very narrow, somewhat easily achievable target…. this can easily be done by including a statement in the initial contract such as ‘iPost will secure windows based systems’… and suddenly it doesn’t matter who brings up the issue of non-windows systems or how many times it comes up, the contractor just says, “That’s not in the scope of this project, and ignores it.”

I’d like to think that things worked better in higher levels of government, but if they are this screwed up at the lower state levels, the federal government has to be even more screwed up…..

Sure you purchased an Enterprise Resource and Planning system from Dorkle (not real company), but reporting was not in the scope of the implementation contract you signed with us (HighlyPaidbutWorthless Consulting, LLP), so we only tested/implemented methods to put data into the system, you’re on your own as far as figuring out how to get information out of the system….

Of course we would be happy to come back and sign another consulting contract with the scope limited to ‘Reporting on X’ for the same price as the initial implementation…

Sure reporting can be done internally, but that would required report writers to have access to the tools that can ‘do stuff’ in the system, we can’t let our people have access to those tools, they would do ‘something’ that would cause us more work in the future. If we just restrict all functional users from using the tools, we can guarantee that all ‘work’ happens in ITS and is done by consultants (since our people don’t understand the system they are in charge of maintaining and supporting).

This may sound a little far fetched, but this is basically the reality I’ve been living with for the last several years (names changed to protect the ‘innocent’ and all that…)

So yeah… If it has Government and IT involved…. expect it to be totally messed up (look at who the consulting dollars are flowing to if you want to really understand what’s going on).

Anonymous Coward says:

Pointy Hair Bosses

This is typical pointy hair boss stuff. They hire people with Microsoft “certifications” (i.e. vendor lackies) because they ignorantly believe that makes them “computer experts”. (Never mind people with real degrees from ABET accredited programs!) Is it any wonder then when all these people seem to know about is Windows? What a joke.

Concerned Citizen says:

Correction to article

Correcting a detail you mention that is not accurate. If you look at the GAO report (link below) bottom of page 6 and top of page 7 you will clearly see that the 1.2B you refer to is the the entire IT Budget not the cost for an “Asset Monitoring System”.
Apparently NIST.GOV did not feel the same way as GAO about this system:

Someone with a clue says:

The blogger is incompentent

The facts in his article are way off. The 1.2 Billion is for a much larger project for which iPost would account for a small fraction of a percentage. iPost is just a web front end that shows the results of other COTS products and makes calculations of risk based on that data.

Mike should go back and re-read the article or go back to school for reading comprehension classes.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...