Computers and Networks: GRRRR!

[Leatherneck]

So I get to work at 0630 and power up the PC. It grinds a bit and prompts me for my Comman Access card (Smart Card). I put it in, and it resets and asks for my PIN. Enter PIN, it thinks about it and says "Nope--you're not you." Re-enter same PIN, it thinks a while, and grudgingly runs the Mobile Armor data encryption software. Asks for a CTRL-ALT-DELETE, user name and 12-digit password. Pull out CAC, re-insert, and it asks again for the PIN. Mind, if you enter the wrong CAC PIN three times, it invalidates the CAC and I have to go clear across the Pentagon to security and get a new PIN reset.

Finally, it starts Windows. Now to the mail server: reset CAC, re-enter PIN, and outlook starts.

Time now: 0705; total time to log in TO THE UNCLASSIFIED NETWORK: 35 frikkin' minutes. Don't even ask about the classified network! Man, pretty soon we'll be so secure we won't be able to do any work. Might's well put the laptop in a box, fill it with concrete and throw it in the river.

TC

[mtnbkr]

Man, pretty soon we'll be so secure we won't be able to do any work

It's getting that way.  I work on a civ .gov network and some of the hoops we have to jump through on the engineering side are amusing. 

The best is when you're in an engineering meeting and some stuffed shirt starts talking about security as if they've had any hands on in the past 20 years.  Put the Govt Computing magazine down and back away...

Chris

[wingnutx]

It took me forever to get my CAC set up at home.

I'm afraid to update anything now that I can use all the DOD sites.

[wmenorr67]

I know what you mean.  Being in the National Guard and having an AKO account you now have to sign on with your CAC to change your password, and that has to be done every 150 days.  Heaven forbid your password expires and cannot get somewhere to us your CAC and you miss an email from the unit.  Just a pain in the ass.  I went out and bought a card reader but so far I have been unable to get it to work.  Lucky me that the computer in the TOC has a card reader built in.  So I am good for a year.

[Gewehr98]

I hated that card thing.  It was also my military ID card, with the gold chip.  I don't know how many times my guys left theirs in the computer at work, then called me after lunch from the guard shack - their ID cards were still firmly in the CAC card readers, right where they left them before heading off-base for lunch.

I talked to the sysadmins about putting some kind of application on each NIPRNET machine that flashed the screen and beeped when somebody logged off, reminding them to take their cards.  Of course, that wouldn't help the guys that simply walked away from the machines while still logged in.   

[Vodka7]

I talked to the sysadmins about putting some kind of application on each NIPRNET machine that flashed the screen and beeped when somebody logged off, reminding them to take their cards.  Of course, that wouldn't help the guys that simply walked away from the machines while still logged in.   

LOL, sounds like the best solution to that would be to put a card reader next to the exit doors (all the ones not fire-alarmed) so people have to swipe on their way out.

[wmenorr67]

Too simple of a solution.

[Leatherneck]

Heh. One of our admins forgot her CAC at home yesterday: no entrance, no PC login, no travel orders processed. She said she was gonna staple it to her.....

TC

[280plus]

Down at the casino all the regulars have these long springy like a telephone cord holder things to their belts to which they attach their "wampum" cards. This way they can;t accidentally walk away from a machine and forget their cards. Just a thought. That don't do nothing for LN though. I like the concrete idea but I like fire myself, it's more thorough. 

[BozemanMT]

Remember, the .gov can take anything slightly useful (computers) and not only take the joy out of it, make it slower, but actually make it less productive.

that's really silly, 35 minutes?
every day?

[mtnbkr]

In the gov's defense, they can't win at this.  If they make it less secure and some bit of privileged data gets out, everyone blames them for lax security.  If they make it tough, they get faulted for making it too secure.

Chris

[BozemanMT]

In the gov's defense, they can't win at this.  If they make it less secure and some bit of privileged data gets out, everyone blames them for lax security.  If they make it tough, they get faulted for making it too secure.

Chris

You know, i work for one of those companies that has all that security jazz (not that bad though) and I think to myself everyday
WTF would ever for any reason want to steal this $hit?

[Sylvilagus Aquaticus]

When I was admin'ing servers for DHS we had very limited access to the Innerweb through the DOJ network. Couldn't even access cnn.com the thing was locked down so tight.

We didn't have our 'company' email accounts set up for awhile, so we all got hushmail accounts. The next day the building manager came in, apoplectic.
  "Who's been sending encrypted data over the network!?" he screamed.
"Uh...that'd be us. You got a problem with that?"

Email accounts were ready for us by noon.

Regards,
Rabbit.

[tellner]

Security and useability are always in opposition. It's a matter of what trade-offs you're willing to make.

A good friend and martial arts student of mine is Intel's chief InfoSec warrior. The stuff he sees coming down the pipe would scare the need for a laxative out of you. Malware in the bios and at the device level. Real firewall killers. The Russian Mafia hiring promising (poor) kids in high school and putting them through University all the way through grad school so they'll have the best and brightest working in computer crime. I'm willing to put up with a bit of extra inconvenience for a little more safety on this one.

[RevDisk]

So I get to work at 0630 and power up the PC. It grinds a bit and prompts me for my Comman Access card (Smart Card). I put it in, and it resets and asks for my PIN. Enter PIN, it thinks about it and says "Nope--you're not you." Re-enter same PIN, it thinks a while, and grudgingly runs the Mobile Armor data encryption software. Asks for a CTRL-ALT-DELETE, user name and 12-digit password. Pull out CAC, re-insert, and it asks again for the PIN. Mind, if you enter the wrong CAC PIN three times, it invalidates the CAC and I have to go clear across the Pentagon to security and get a new PIN reset.

Finally, it starts Windows. Now to the mail server: reset CAC, re-enter PIN, and outlook starts.

Time now: 0705; total time to log in TO THE UNCLASSIFIED NETWORK: 35 frikkin' minutes. Don't even ask about the classified network! Man, pretty soon we'll be so secure we won't be able to do any work. Might's well put the laptop in a box, fill it with concrete and throw it in the river.

TC

Lemme put it this way.  I used to work as a civvie contractor over at DISA (which is being integrated with JTF-GNO).  Either we directly run your network, or indirectly ran it.  I say "used to", because we lost our contract.  Our company was owned by a minority female, and then was sold to another company.  Thus we lost the affirmative action identifier.  Thus we lost the contract.  A 'qualified' competitor that cost more and had less knowledgable personnel won the contract.   I was offered a job with the new folks.  I had a buddy over in Army CI look up the company's background for me.  His advice?  "Run.  Run fast, do not look back."

There's plenty of other stories I could tell ya, but they're classified as hell to protect the guilty. 

Just be glad it works whatsoever.  There's a lot of good folks keeping the machines and wires going.  But it's an uphill battle.  The technical aspects are hard enough.  Getting work done dispite the DD GS-15's is just short of impossible. JWICS is a bloody nightmare. And do not get me started on the NATO nets.  SIPRNET is heaven compared to CRONOS.

Cheap.  Secure.  Easy to Use.  Pick two.