Stealing from the Coffee Fund

From: James M. Atkinson <jm..._at_tscm.com>
Date: Fri, 31 Aug 2007 11:19:36 -0400

While this does present some profound concerns due to the lack of
oversight, it also means the system is wide open for free-lance
projects as folks have historically performed to amend their civil
servants' income.

-jma




http://blog.wired.com/27bstroke6/2007/08/fbi-spy-docs-sh.html

FBI Spy Docs Show G-Men Don't Understand Security, Professor Says
By Ryan Singel, August 30, 2007 | 12:20:20 PM
Categories: Hacks and Cracks, Sunshine and Secrecy

Computer science professor Steven Bellovin -- one of the most
knowledgeable outsiders on the government's eavesdropping mandates
known as CALEA -- pored over recently released documents that outline
the FBI's extensive eavesdropping architecture.

He concludes that they don't bode well for anyone:

I don't think the FBI really understands computer security. More
precisely, while parts of the organization seem to, the overall
design of the DCS-3000 system shows that when it comes to building
and operating secure systems, they just don't get it.

The most obvious example is the account management scheme described
in the DCS-3000 documents: there are no unprivileged userids. In
fact, there are no individual userids; rather, there are two
privileged accounts. Each has different powers; however, as the
documents themselves note, each can change the other's permissions to
restore the missing abilities. Where is the per-user accountability?
Why should ordinary users run in privileged mode at all? The answers
are simple and dismaying.

Instead of personal userids, the FBI relies on log sheets. This may
provide sufficient accountability if everyone follows the rules. It
provides no protection against rule-breakers. It is worth noting that
Robert Hanssen obtained much of the information he sold to the
Soviets by exploiting weak permission mechanisms in the FBI's
Automated Case System. The DCS-3000 system doesn't have proper
password security mechanisms, either, which brings up another point:
why does a high-security system use passwords at all? We've known for
years how weak they are. Why not use smart cards for authentication?



----------------------------------------------------------------------------------------------------
   World Class, Professional, Ethical, and Competent Bug Sweeps, and
Wiretap Detection using Sophisticated Laboratory Grade Test Equipment.
----------------------------------------------------------------------------------------------------
  James M. Atkinson Phone: (978) 546-3803
  Granite Island Group Fax: (978) 546-9467
  127 Eastern Avenue #291 Web: http://www.tscm.com/
  Gloucester, MA 01931-8008 E-mail: mailto:jm..._at_tscm.com
----------------------------------------------------------------------------------------------------
  We perform bug sweeps like it's a full contact sport, we take no prisoners,
and we give no quarter. Our goal is to simply, and completely stop the spy.
----------------------------------------------------------------------------------------------------
Received on Sat Mar 02 2024 - 00:57:27 CST