USGS returns to the Internet

Unnamed Administration sources reported that Patrick Greenwell said:

A judge *ordered* the DOI offline.

I disagree. Read the order.
<http://www.indiantrust.org/rulings/2001.12.05_TRO.pdf>

It only talks about systems with Indian Trust data, not the home
page server. I think it's fair to assume a PHB panicked over
[his,her] tail being locked up by His Honor and ordered
ALL servers down.

YMMV.

Rather than play tit for tat, here's what the relevant portions from the
TRO state:

"Further ordered that defendants shall immediately disconnect from the
Internet all computers within the custody and control of the Department of
the Interior, its employees and contractors, that have access to
individual Indian trust data."

I have no personal knowledge of the DOI's infrastructure, and unless you
do, I think we're all left to speculate as to whether or not the "home
page server" of the DOI had access to the Indian trust data. My
speculation would be that it does if it's Internet connected...

As you say, YMMV. :)

The great thing about our government is public oversight. It may be
embarrassing to the managers involved, but Interior's computer security
is detailed in several places.

Information Security: Weak Controls Place Interior's Financial and Other
Data at Risk. July 3 2001.

http://www.gao.gov/new.items/d01615.pdf

  DoI responds: "While this audit, as well as previous audits, have
identified areas where NBC-Denver can improve its management controls,
none of these audits has ever shown that the integrity of the financial
data has ever been compromised. Our on-going operations have provided our
customers accurate financial information and timely delivery of services."

Really an excellent point. On a somewhat tangential note, would Internet
security be aided if businesses were held to higher degrees of
public disclosure and/or accountability?

Not that it would ever happen of course, but I think the discussion around
the question could be intriguing....

The problem is a clear-cut conflict of interest when you have a professional
services firm doing both financial auditing and network security reviews for
the same company.

It's a known fact that auditing firms make more money off of financial
audits than network services, and I believe there are a few public cases
where security reviews have been skewed/glossed over/spun in a manner not to
piss the customer off, particularly when they are paying BIG BUCKS for the
financial audit part of the contract.

With respects, I for one would not want the same Big Whatever Firm doing my
network security reviews if they were also doing my finances.

It comes down to the question of do you want the truth, or the illusion of
the truth?

rf