by Constantine von Hoffman

3 Incredibly Stupid Security Mishaps You Need to Know About

Aug 09, 2012 | 4 mins

Cybercrime | Data and Information Security | Mobile Security

The U.S. Army flushes $2B down the drain on a mobile intelligence database; the American State Department fights terrorists by trolling them online; and a website offers a 9mm pistol as a reward for finding the hacker who put naughty pictures on its home page.

Just because the U.S. government is behind Flame, the coolest cyber-spying software ever, doesn’t mean it overlooked its core mission of producing pure stupidity. I offer you the following examples:

News comes today that the U.S. Army spent $2.3 billion on an iPad-ready intelligence-gathering system that has turned out to be “not suitable, and not survivable.” Although The Washington Times got the inside scoop on the story (and a big “well done” to them for doing so – BTW guys, your security certificate has expired), I will quote The Register’s description of the system:

“The DCGS-A (Distributed Common Ground System – Army) is intended to be an ambitious master database of intelligence. It is fully buzzword-compliant, of course – everything from cloud-friendly to iPad-capable, and drawn from supply chain of contractors including Lockheed Martin, Northrop Grumman, Raytheon, General Dynamics and IBM. The system assembles ‘threat, terrain and weather data into comprehensive intelligence products, utilising sensors data, intelligence and analyst resources,’ the Army said.”

However, in his assessment of the silly thing, Maj. Gen. Genaro Dellarocco wrote:

“Poor reliability was observed in the low OPTEMPO IOTE environment. Server failures that resulted in reboots/restarts were recorded every 5.5 hours of test. TS/SCI enclave workstation operators experienced a failure every 10.8 hours of active usage. Based on observations across many programs, we expect that high OPTEMPO conditions will decrease reliability further still, which would increase FSR workload and reduce the availability of unoccupied workstations. In addition, we observed a possible correlation between reliability failure events and target alert/alarm delays on the workstations.”

The military has wasted much more money in significantly more harmful ways (ask me sometime about why the Abrams M-1 tank uses highly explosive gasoline in its engine and not diesel), but this one just sang out to me.

This kind of idiocy is certainly not limited to the armed services. The incredibly underfunded State Department is spending money fighting terrorism by going all 4chan on them. (If you do not know what 4chan is and your company monitors employee browser use, do not use that link! Go here for the Wikipedia entry instead.) State, working with a guy out of Silicon Valley, launched Viral Peace, “an improbable new initiative to annoy, frustrate and humiliate denizens of online extremist forums.”

In other words, we are going to troll the terrorists. Before you get all uppity about wasting taxpayer money (why is it we get so much more indignant when some sector of the government besides the military wastes money?), please consider the words of Wired’s Spencer Ackerman:

“Even its architects concede it hasn’t fleshed out an actual strategy yet, and accordingly can’t point to any results it’s yielded. Its annual budget is a rounding error. The Pentagon will spend more in Afghanistan in the time it takes you to finish reading this sentence.”

Hell, the Chicago Cubs are almost certainly spending more than the department’s budget to finish last in MLB this year.

But wait, let’s not forget about the private sector.

The Daily Caller, a conservative website, is offering a free 9mm handgun to the person who turns in the hacker who replaced its front-page ads with pornography on Monday. I’m not a big believer in most gun-control laws, nor am I a fan of the NRA. But I do not think this giveaway will do anything to help find said hacker. And if by some chance it did, I am opposed to giving weapons to random people solely because they have computer skills. (Perhaps the oddest day of my life, and that is really, really saying something, came during my Basic Training when I was issued an M-16. I remember thinking quite clearly, “Are they out of their minds?!?!? I know me, and I’m not sure I would trust me with a weapon.”)

This next item is not really an IT security thing, but it has been irritating me since I first heard it on Marketplace, a radio show about business, usually heard on NPR stations. The story was about Knight Capital Group losing $440 million because of a problem with its trading software. Here’s the opening to the Marketplace story:

“There’s a reason that there’s no show on TV called ‘CSI: Stock Market:’ When computer glitches screw up trading, there’s usually no way to tell what went wrong and no way to ensure it won’t happen again.”

Everything after the semicolon is flat-out wrong. What do these idiots think happens in a software screw-up? Does the program mysteriously vanish? It might take a lot of time and effort, but unless the damn thing erased itself, chances are overwhelmingly good that the source of the problem can be found.