
Palin's E-Mail Account Hacked, Published on Web Site


Comments

  • Moderators, Society & Culture Moderators Posts: 16,401 Mod ✭✭✭✭Manic Moran


    It wouldn't exactly cost thousands of dollars to implement or anything.

    As a user of the Federal Government's email system (actually, two of them, one DHS and the other Dept Army), I don't blame anyone for using public systems like Yahoo, GMail and so on. The words 'user friendly' do not come to mind. There's a well-known need to balance security with functionality. The Feds have gone too far one way.

    NTM


  • Registered Users Posts: 5,015 ✭✭✭Ludo


    As a user of the Federal Government's email system (actually, two of them, one DHS and the other Dept Army), I don't blame anyone for using public systems like Yahoo, GMail and so on. The words 'user friendly' do not come to mind. There's a well-known need to balance security with functionality. The Feds have gone too far one way.

    NTM

    And I assume if you used GMail for government business you would be fired immediately....at least I would hope so.


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,258 CMod ✭✭✭✭Black Swan


    As a user of the Federal Government's email system (actually, two of them, one DHS and the other Dept Army), I don't blame anyone for using public systems like Yahoo, GMail and so on. The words 'user friendly' do not come to mind. There's a well-known need to balance security with functionality. The Feds have gone too far one way.
    Surely you jest? Do you really expect governors to transact official state government business over insecure Yahoo? You don't even have to be at the level of a script kiddy to crack Yahoo. There are free programmes on the web for cracking Yahoo. All you have to do is Google to find them.

    Furthermore, Sarah Palin did not have to use the Fed Intranet or sacrifice security for user-friendly convenience. Why not do like most states and use a state Intranet? You can customize it to your needs without leaving yourself wide open to script kiddy crackers on Yahoo.

    Surely Manic Moran you are not suggesting that all the 50 States transact a lot of official online government communications using Yahoo, just because it's more user-friendly? Do you?


  • Closed Accounts Posts: 8,983 ✭✭✭leninbenjamin


    The Feds have gone too far one way.

    with more than good reason.


  • Moderators, Society & Culture Moderators Posts: 16,401 Mod ✭✭✭✭Manic Moran


    Surely Manic Moran you are not suggesting that all the 50 States transact a lot of official online government communications using Yahoo, just because it's more user-friendly? Do you?

    I'm not suggesting that they should, I'm suggesting that many do.

    I work IT in a DHS field office. I see first-hand as both a user and a tech what the security requirements put down from higher do. If it makes life too difficult, people are going to simply say 'to hell with them' and move onto something easier. For the most basic example, the DHS system I'm on requires that one changes one's password every 45 days, it must combine upper, lower case, numbers and a 'special character', and be ten characters long. It also cannot share more than two letters in sequence together with any of the ten previous passwords. And so on. You've got to admit, the passwords are secure and all but unhackable. Result? I walk around the office, look under keyboards or behind monitor filters, and there are lots of little post-its with passwords written on them. Similarly, I have better luck reaching my squadron commander using his Yahoo account and not his US Army account.

    Basically, the most secure system in the world is also going to be the most unproductive.

    NTM


  • Registered Users Posts: 21,264 ✭✭✭✭Hobbes


    I work IT in a DHS field office. I see first-hand as both a user and a tech what the security requirements put down from higher do. If it makes life too difficult, people are going to simply say 'to hell with them' and move onto something easier.

    I don't know about the DHS, but if I was to conduct customer/employee confidential information via gmail or yahoo mail I would be fired. Even if I thought it was easier. We can't even post mails not in English into an online translator.
    Result? I walk around the office, look under keyboards or behind monitor filters, and there are lots of little post-its with passwords written on them.

    Again in work. If anyone was discovered doing this they get fired after the third time.

    Heck if I even leave a blank CD on my desk it is the same as leaving passwords out. The auditors don't check the CD contents, they just treat it as potentially having confidential data on it and report you up.

    Just because someone breaks IT guidelines isn't an excuse to let them off. You reprimand then fire them if they continue.
    Basically, the most secure system in the world is also going to be the most unproductive.

    Not true at all.


  • Registered Users Posts: 4,314 ✭✭✭sink


    I work IT in a DHS field office. I see first-hand as both a user and a tech what the security requirements put down from higher do. If it makes life too difficult, people are going to simply say 'to hell with them' and move onto something easier. For the most basic example, the DHS system I'm on requires that one changes one's password every 45 days, it must combine upper, lower case, numbers and a 'special character', and be ten characters long. It also cannot share more than two letters in sequence together with any of the ten previous passwords. And so on. You've got to admit, the passwords are secure and all but unhackable. Result? I walk around the office, look under keyboards or behind monitor filters, and there are lots of little post-its with passwords written on them. Similarly, I have better luck reaching my squadron commander using his Yahoo account and not his US Army account.

    Where I used to work we had to do similar. I just saved the password on my mobile and no one would ever find out.


  • Registered Users Posts: 1,192 ✭✭✭norbert64




  • Registered Users Posts: 83,259 ✭✭✭✭Overheal


    norbert64 wrote: »
    I'd rather have him shot but this will do.


  • Registered Users Posts: 1,192 ✭✭✭norbert64




  • Moderators, Society & Culture Moderators Posts: 16,401 Mod ✭✭✭✭Manic Moran


    Hobbes wrote: »
    Not true at all.

    But it is. The industry magazines routinely have articles discussing the competing requirements and the two schools of thought. The problem with high IT security policies is that they are created in what is effectively a dream world where everyone remembers their password, nobody ever needs to change the time on their computer clock, and people always have access to a department computer on the physical department network. In theory, the most secure system will work at all times. But there's an old IT saw about never underestimating the stupidity of users. As a result, different organisations have created different compromises. If it all worked as you say, then all organisations would have exactly the same level of security, but they don't. DHS won't even let one use a cordless mouse, citing security concerns. (I had more than a few loud complaints when that dictat came out. At least not too many people had purchased Bluetooth headsets).

    NTM


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    I'm not suggesting that they should, I'm suggesting that many do.

    I work IT in a DHS field office. I see first-hand as both a user and a tech what the security requirements put down from higher do. If it makes life too difficult, people are going to simply say 'to hell with them' and move onto something easier. For the most basic example, the DHS system I'm on requires that one changes one's password every 45 days, it must combine upper, lower case, numbers and a 'special character', and be ten characters long. It also cannot share more than two letters in sequence together with any of the ten previous passwords. And so on. You've got to admit, the passwords are secure and all but unhackable. Result? I walk around the office, look under keyboards or behind monitor filters, and there are lots of little post-its with passwords written on them. Similarly, I have better luck reaching my squadron commander using his Yahoo account and not his US Army account.

    Basically, the most secure system in the world is also going to be the most unproductive.

    NTM

    Excuse me? I work for the state and record patient information on an hourly basis. I have almost exactly the same password stringency as you do. I cope fine as does everyone else subject to MIPSA and HIPAA (every health professional in the US).

    If I were to start passing medical information around on my gmail account, I would have my medical licence revoked, that would be without my account being hacked and were my account hacked I would probably face federal prosecution along with however many personal suits.

    I'm about as tech savvy as a brick and if *I* can manage, anyone can.

    There is absolutely NO excuse for not using secure e-mail when the job requires it, no matter how inconvenient you may think it is.


  • Moderators, Society & Culture Moderators Posts: 16,401 Mod ✭✭✭✭Manic Moran


    The password thing was just one example from my organisation of a problem which is endemic throughout the IT industry and is a topic of great debate. Just google "security vs ease of use" and see how many hits you get. One of the hits on page 1 puts it rather well.
    If something is not easy to use, then people will work out ways around it, thus obviating the security. Consider that the most secure computer is one that is disconnected from a network, turned off, and physically isolated from anybody and anything. Not very easy to use it though. The easiest computer to use is one with no passwords, no accounts, and anybody can do anything they like to it - not very secure. The goal of security is to find some place in the middle, such that the users don't have to work around your security in order to be able to actually use the damn thing.

    This article from the Wall Street Journal caused a small furore in the IT world.
    http://online.wsj.com/public/article_print/SB118539543272477927.html Entitled "Ten things your IT Department won't tell you"
    And often it's just easier to accomplish certain tasks using consumer technology than using the sometimes clunky office technology our company gives us -- compare Gmail with a corporate email account.

    There's only one problem with what we're doing: Our employers sometimes don't like it. Partly, they want us to work while we're at work. And partly, they're afraid that what we're doing compromises the company's computer network -- putting the company at risk in a host of ways. So they've asked their information-technology departments to block us from bringing our home to work.

    End of story? Not so fast. To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. Specifically, we asked them to find the top 10 secrets our IT departments don't want us to know

    Now, that list is small fry, but it's further evidence that the problem exists.

    Currently the National Guard is going bats*&t over HSPD-12. A simple directive, requiring amongst other things that government agencies use ID cards with chips in them, to be used for anything from logging onto computer networks to signing officer evaluation reports or requisitions. It's a good directive, when it is operational. Soon to be used for pay purposes as well, so everyone had better have a card that works, and every unit had better have a reader that works. There's a problem, however.

    The Powers in the DA have started their implementation. All is working just peachy in the Pentagon. It's working well enough at any Army, Air Force or Coast Guard base I've had call to go to (I've had no need to go Navy). The problem is that they just haven't considered the unique issues posed by the half-million part-timers that form the Guard. We have to do a lot of our work at home, on our own PCs. Many people are hours away from the nearest military base to even get their CACards configured. Nobody has as yet told me how my troops are going to get paid, which is no small issue.

    Whilst not entirely on point (I do have another story which is, and it resulted in my receiving a General Officer's Letter of Reprimand for going around the IT rules, and a top-rate on my annual evaluation for completing my mission in time as a result), it does pose one example of how just because something in IT seems to work and be a good idea for some people, it is not the case for all.

    In any case, none of the above negates my initial contention that many people do work around IT security regardless of how much they shouldn't, and the trick with IT (and software designers) is to create a secure system which is usable enough that there is a near homogenous compliance rate.

    NTM


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    The trick is to ensure that the people who have the important jobs are smart enough to know that yahoo isn't a safe place to store your information.

    Palin obviously isn't that smart. That is worrying.


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,258 CMod ✭✭✭✭Black Swan


    GuanYin wrote: »
    The trick is to ensure that the people who have the important jobs are smart enough to know that yahoo isn't a safe place to store your information.

    Palin obviously isn't that smart. That is worrying.

    Indeed! Did Governor Sarah Palin really believe that her two Yahoo account addresses were secure to conduct State of Alaska official business, much less personal, when she used her title and name in both Yahoo addresses?

    gov.palin@yahoo.com
    gov.sarah@yahoo.com

    These were the two cracked addresses (now removed) that led to all this questioning of her competence. Furthermore, her family related passwords for these accounts were simple to crack based upon public knowledge of her on Google.


  • Registered Users Posts: 21,264 ✭✭✭✭Hobbes


    But it is. The industry magazines routinely have articles discussing the competing requirements and the two schools of thought.

    Maybe so, but I work in a company that has strict IT policies regarding passwords and how we conduct our business/IP law and we get work done fine.

    It has never stopped me or the teams I have been on from conducting our work. I do know some of the stricter rules have come because of issues that you cite where people thought it was no big deal.

    We aren't talking about rocket science here. You put IT guidelines in place. Those that are potentially security risks you reprimand or fire people for breaking them. Stupidity or laziness is not an excuse.


  • Moderators, Society & Culture Moderators Posts: 16,401 Mod ✭✭✭✭Manic Moran


    Those that are potentially security risks you reprimand or fire people for breaking them

    I'm telling you, you can't make that sort of generalisation. Case in point:

    In 2007, the Federal Government suffered a couple of embarrassing cases of data loss in short sequence. One was a Dept. Vet Affairs laptop, the other was an external hard drive from someone else. Millions of items of personal data. As a result, our department clamped down hard on any sort of unencrypted external storage. They even issued out, free of charge, encrypted USB flash drives. Great. Everyone in the offices had a wonderful, secure, working system.

    The problem was that all the security equipment at the airports (The X-ray machines, bomb detectors, that sort of thing), being non-windows-running stand-alone machines were interfaced with by either Iomega zip drives, or unencrypted USB Flash drives. By IT security policy, and data loss is indeed a serious issue to be concerned about, such devices could no longer be used. Strict adherence to the policy would doubtless hugely reduce the chances of data loss.

    Obviously, people notify up their chains that a problem exists. As they hem and haw about it (over no short period of time), imagine you're the chap in charge of running security at JFK. You have your own problems to deal with, and IT security is directly impinging on your ability to deal with them. You can either adhere to the IT security policies, or you can carry out your own security mandate of finding bombs. As far as I know, every single airport in the country implemented the same decision.

    Now, this is a slightly different issue from choosing to conduct much of your business over Yahoo (And certainly about having a family-based password), but is presented as an argument in slightly greater extremis that the security/functionality problem is one which IT departments routinely try to balance, else the IT rules will be broken. A good IT team will try to integrate the user base into the implementation plan. Simply issuing a dictat saying "Do this, don't do this, or else" without understanding the end user's perspective will result in a lack of understanding from the users, and higher non-compliance rates.

    NTM


  • Registered Users Posts: 6,721 ✭✭✭Otacon


    I'm telling you, you can't make that sort of generalisation. Case in point:

    In 2007, the Federal Government suffered a couple of embarrassing cases of data loss in short sequence. One was a Dept. Vet Affairs laptop, the other was an external hard drive from someone else. Millions of items of personal data. As a result, our department clamped down hard on any sort of unencrypted external storage. They even issued out, free of charge, encrypted USB flash drives. Great. Everyone in the offices had a wonderful, secure, working system.

    The problem was that all the security equipment at the airports (The X-ray machines, bomb detectors, that sort of thing), being non-windows-running stand-alone machines were interfaced with by either Iomega zip drives, or unencrypted USB Flash drives. By IT security policy, and data loss is indeed a serious issue to be concerned about, such devices could no longer be used. Strict adherence to the policy would doubtless hugely reduce the chances of data loss.

    Obviously, people notify up their chains that a problem exists. As they hem and haw about it (over no short period of time), imagine you're the chap in charge of running security at JFK. You have your own problems to deal with, and IT security is directly impinging on your ability to deal with them. You can either adhere to the IT security policies, or you can carry out your own security mandate of finding bombs. As far as I know, every single airport in the country implemented the same decision.

    Now, this is a slightly different issue from choosing to conduct much of your business over Yahoo, but is presented as an argument in slightly greater extremis that the security/functionality problem is one which IT departments routinely try to balance, else the IT rules will be broken. A good IT team will try to integrate the user base into the implementation plan. Simply issuing a dictat saying "Do this, don't do this, or else" without understanding the end user's perspective will result in a lack of understanding from the users, and higher non-compliance rates.

    NTM

    Palin used a personal e-mail account to conduct government business. Why is this not the end of the discussion?


  • Registered Users Posts: 21,264 ✭✭✭✭Hobbes


    Otacon wrote: »
    Palin used a personal e-mail account to conduct government business. Why is this not the end of the discussion?

    exactly. It doesn't matter how many examples of stupidity that are given in not obeying security, if they break security guidelines they should be reprimanded or fired.


  • Registered Users Posts: 9,770 ✭✭✭Bottle_of_Smoke


    Pity none of this will matter to the near absolute majority of republican voters


  • Moderators, Society & Culture Moderators Posts: 16,401 Mod ✭✭✭✭Manic Moran


    Palin used a personal e-mail account to conduct government business. Why is this not the end of the discussion?

    Because it's being made out as if "anyone with the sense God gave the Common Dog knows not to use non-official email channels."

    Unfortunately, blatantly obvious though it may be to those of the Internet Generation or who work in IT, many otherwise intelligent persons just don't "Get it." It's as much a factor in education and exposure as anything else. Palin is far from the best person to have ever suffered from this failing. It's not attempted to be an excuse as much as an analysis, and it sort of digressed into a bit of a discussion session on the joys of working IT.

    NTM


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    Because it's being made out as if "anyone with the sense God gave the Common Dog knows not to use non-official email channels."

    Unfortunately, blatantly obvious though it may be to those of the Internet Generation or who work in IT, many otherwise intelligent persons just don't "Get it." It's as much a factor in education and exposure as anything else. Palin is far from the best person to have ever suffered from this failing. It's not attempted to be an excuse as much as an analysis, and it sort of digressed into a bit of a discussion session on the joys of working IT.

    NTM


    It is a law that state and government officials use ONLY official e-mail for state and government business.

    I'm not aware that she actually did use yahoo for government business but I understand that is still being examined.

    If she did, she has no excuse, tech savvy has nothing to do with this. She either follows the rules or she doesn't, just like I have to on the same issue.

    If she didn't, then OK, she left herself open by using yahoo for sensitive topics, not inexcusable but not what I want in an elected official.

