Government and Security

There’s a story running on CBC that several Canadian Government departments were penetrated from China over the network. It seems the intruders got control of some executive PCs and sent memos to underlings to reveal passwords, etc. I guess it helped that the PCs were running that other OS, but once the keys to the kingdom are turned over it matters little what OS was running where.

These departments have critical identity information on Canadians which is collected for compulsory programmes. If a business let this stuff out they would likely be open for prosecution. I doubt the government will prosecute itself but I am sure this laxity was a violation of Canadian law as well as common sense. Where have these folks been living in the last 15 years?

As much as I would like to blame that other OS or M$ or bureaucrats for this, it turns out to be a much larger problem. 103 countries have suffered similar attacks. I guess it is time we had more diversity in IT so the criminals would have to work harder. I wonder whether or not the intrusion would have been as easy with GNU/Linux on the desktops? I doubt it. I also doubt that nothing was taken which is the current line of disinformation.

See CBC

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

9 Responses to Government and Security

  1. Ray says:

    Agreed. That’s why a mix of OSes would be perfect. 😀

  2. Bender says:

    @Ray

    Tell me, is GNU/Linux bug-free? Is the kernel bug-free? How many security bugs have there been? Countless for all operating systems (granted, the Linux kernel contains a lot more stuff than the win32 kernel, so it levels out), but finding and exploiting a flaw is easy on any system if you know how to do it. Both systems can be secured, but GNU/Linux can be a lot more secure (the “if you just want a glass of milk then why have a whole cow” approach of Windows makes it an easier target due to predictable software).

    No software is bug-free, and if no software is bug-free then it is also exploitable. How exploitable it is depends on software preventing that; GNU/Linux has it (SELinux/AppArmor/other LSM), but that doesn’t mean it is not exploitable, because it definitely has bugs.

  3. Richard Chapman says:

    I understand user incompetence sets a baseline of security for all systems. That just sets the bottom line from which all systems must strive to improve. What it doesn’t do is lower the upper reaches of security incompetence, such as what the world suffers from Microsoft, down to the user incompetence baseline. That is what some would like us to believe with statements like, “No system is completely secure”. Well, of course. And let me add to that, “the sky is blue”. Both statements are equal in their helpfulness to computer security.

  4. I think there were so many acts of incompetence evident that it is hard to single anyone out. I suspect that such attacks depending on “social engineering” could succeed with any OS. For example, if one of the bosses responded to a spam e-mail and somehow forwarded the passwords to the attacker, the same result could have happened on any OS. Believe me, being a boss is no guarantee of common sense in IT. Many of my bosses have been complete novices in IT, akin to 8 year old children, yet, legally, they can order divulging passwords. I have a former boss who phones me from time to time asking for the admin password… Normally, I would have long forgotten it but he keeps reminding me. This guy received a proper memo with the passwords and a paragraph about their import on my departure. He has no sense of security of IT whatsoever. It is a good thing he doesn’t know that a PC can be set up to require no passwords.

  5. The best way of ensuring security is to have a system implemented in diverse layers so that an attacker will wear himself out trying to get in. That is a great strength for GNU/Linux where, on top of the normal system administration tools we have countless combinations of packages so that an attacker depending on any one of them will be successful only a fraction of the time. With that other OS, the layers are mostly identical in the OS. Further, we know some of the layers M$ makes are out to get us because they use software to mess with competition and to lock us in.

    I had an encounter today with malware. It was interesting in that the diagnostic tools available to me on that other OS showed nothing was wrong but the system was taking tens of seconds to respond to clicks. AVG was running but there wasn’t a huge load on the system. It turns out that killing Excel loosened everything up and the XP system flew. What’s with that? Is M$ making its own malware? The system in question had 1 GB of RAM and only Firefox and Excel were running for the user. There were hundreds of MB of free RAM. A system so insecure that it denies its legitimate user performance is inherently insecure, IMHO.

  6. BrianPage says:

    The thing that makes me want to start a fist fight more than anything else is how the key words “Microsoft” and “Windows” are left out of the article.
    The press always does this.

    do we blame Microsoft for incompetence? no
    do we blame Canadian “IT Officials” for incompetence? no
    do we blame China for whatever? yes.

  7. Richard Chapman says:

    “I guess that for a determined foe no system is a barrier.”

    That’s just the kind of defeatist remark administrators who run sloppy operations like to hear. It puts everyone on the same level regardless of experience, expertise, OS or installation. There are plenty of “determined foes” out there, right? There are more than enough “determined foes” to go around, right? So why bother lifting a finger or spending a dime on security? Why bother, unless that statement is meant to extend the shelf life of an operating system that was never designed to withstand the rigors of the World Wide Web. That statement is essentially the same as: “All systems are insecure”. That misguided logic was covered in this recent post: http://mrpogson.com/2011/02/11/malware-is-winning/#comment-40631

    No need to beat it to death… Unless, of course, it refuses to die.

  8. Ray says:

    What about using a bit of Windows, a bit of MacOS, a bit of UNIX, a bit of Linux, a bit of BSD, and a bit of Plan 9? That way, if a virus attacked, no systems would be completely hacked. 🙂

  9. Bender says:

    I guess that for a determined foe no system is a barrier. GNU/Linux can at least be secured as hell with SELinux/AppArmor/SMACK etc., though I think that the system is as safe as the administrator of that system 🙂 Poor admin, poor security; good admin, good security.
