Drudge Retort: The Other Side of the News
Monday, February 11, 2019

Two US senators have asked the Department of Homeland Security (DHS) to look into the possible dangers of US government workers using VPN apps that are owned by foreign companies and which redirect sensitive government-related traffic through servers located in other countries, namely China and Russia.

Comments

Admin's note: Participants in this discussion must follow the site's moderation policy. Profanity will be filtered. Abusive conduct is not allowed.

A worthy concern. Surprising that there isn't a standard VPN that these folks are mandated to use.

#1 | Posted by GOnoles92 at 2019-02-11 12:15 PM | Reply

Just make it so most employees cannot install software.

This just means government ISSOs are actually going to have to do their jobs and keep track of who has install permissions on the local machine.

#2 | Posted by boaz at 2019-02-11 02:59 PM | Reply


@#2

I'd be more curious why government workers feel the need to use VPNs.

Without understanding the problem, you may provide the wrong solution.

#3 | Posted by lamplighter at 2019-02-11 05:28 PM | Reply | Newsworthy 1

They should be more concerned about that Pakistani family that was running IT for DWS.

#4 | Posted by nobiasposter101 at 2019-02-11 08:06 PM | Reply | Newsworthy 1

Gov employees use VPNs for a bunch of reasons.
1. When they log in from home. (This is often from their personal PC which they have install permissions on)
2. When they log in to remote servers.
3. When they log in while on business or personal trips.
4. When they post to the retort from Texas, but sound like they are from Pakistan.

The first 3 are legit uses of VPNs. Why the US gov doesn't mandate the use of a signed VPN, I don't know. I think they hired too many clueless vets to give them security advice.

#5 | Posted by bored at 2019-02-12 03:31 AM | Reply | Funny: 2

When they post to the retort from Texas, but sound like they are from Pakistan.
I think they hired too many clueless vets to give them security advice.

#5 | POSTED BY BORED

Can you think of any examples of those?

#6 | Posted by kudzu at 2019-02-12 06:59 AM | Reply

The VPN government workers use is provided by the government. It's going to be rare if any government network is going to allow a civilian computer to connect to it, even with VPN. You cannot connect to a government network with a personal VPN. And most government networks will not allow you to connect to a VPN through firewall settings.

If someone is using a private VPN on a U.S. government network, whoever the systems admin and the security officer are over that GSS need to be fired. A VPN is like a go-around through your firewall.

As a computer security professional, I've always said it's not the hackers from China that scare me, it's the idiots already behind my firewall on my network who do.

#7 | Posted by boaz at 2019-02-12 08:21 AM | Reply


@#7

There's that acronym: PEBCAK

#8 | Posted by LampLighter at 2019-02-12 09:13 AM | Reply | Funny: 1

I'd be more curious why government workers feel the need to use VPNs.

Probably the same reason why Hillary felt she had to have her own private mail server...

#9 | Posted by Pegasus at 2019-02-12 11:17 AM | Reply

As a computer security professional, I've always said it's not the hackers from China that scare me, it's the idiots already behind my firewall on my network who do.

#7 | POSTED BY BOAZ

Yes. And you know what makes them do unsafe things? Stupidly restrictive IT policies.

Keep in mind that the whole Hillary email thing was due to the NSA refusing to provide her with a secure Blackberry, so she found a nerd to create a solution that allowed her to get her work done. Which do you think would have been more secure?

That is not uncommon. It happens all the time in government and in private companies. People are not trying to subvert security policies because they are spiteful. They just want to get done what needs to get done. IT makes themselves the enemy by getting in the way of people working effectively.

So... if people are using VPNs because IT is blocking websites that these people need to use to do their work (or to communicate with family, or whatever) then cracking down on them will not help. People will just find another (probably even MORE insecure) solution. Instead, IT needs to think of their users as their customers instead of their enemies, and work with their "customers" so that IT can achieve their priorities without imposing an excessive burden on their users. Otherwise the users WILL find someone who offers as solution to accomplish what they need, and like the Republican party, those solutions might end up being foreign enemies of the US.

#10 | Posted by gtbritishskull at 2019-02-12 11:23 AM | Reply | Newsworthy 2

#10,

Then if that's the case, the "customers" need to give IT a list of requirements. I don't agree with your synopsis because I've worked with the federal government all my life in IT.

As I had been speculating, the issue here is one of personal comfort ... [Secretary Clinton] does not use a computer, so our view of someone wedded to their e-mail (why doesn't she use her desktop when in the SCIF?) doesn't fit this scenario... during the campaign she was urged to keep in contact with thousands via a BB... once she got the hang of it, she was hooked... now every day, she feels hamstrung because she has to lock her BB up... she does go out several times a day to an office they've crafted for her outside the SCIF and plays email catch-up. [Clinton's Counselor and Chief of Staff] Cheryl Mills and others who are dedicated BB addicts are frustrated because they too are not near their desktop very often during the working day... at this 2PM meeting Cheryl indicated she last checked her email at 8:30... they are used to having the BB on their hip and staying closely in touch with developments during the day.

As I sit here typing on the Retort, I am in a classified SCIF. Know where my phone is? Outside in a phone bank, waiting for when I go check it. There is a reason why Bluetooth-enabled devices aren't allowed in areas such as this. Plus, I know that DOD and the USG are getting away from BlackBerrys and mostly using Apple products now. Clinton just wanted to use her BlackBerry in a protected SCIF and the rest of the federal government cannot do that. And I'm glad IT security didn't budge and let her open up this gaping hole in the network. No wonder her email server was HACKED. She was stupid when it came to computer security and it shows.

Given the NSA's refusal to give Clinton what she wanted, the secretary apparently decided to continue to use her personal e-mail server for State Department business, while her staff was fully aware of the security risks associated with using her BlackBerry.

But her "staff" isn't the owner of the network she is using. If that person or entity did not agree to accept the risks she was presenting, then she shouldn't have had access to the network. This is NIST 800-53 basics. Basic network security. For that alone, Hillary shouldn't have had access to the Federal government GIG.

#11 | Posted by boaz at 2019-02-12 12:49 PM | Reply | Newsworthy 1

The NSA offered a number of alternatives and security "mitigations" to allow the use of BlackBerry devices, but the proposals "would remove the very functionality desired ... while others might take time to develop."

I wonder if it occurred to the Secretary that what she wanted to do may present a large security hole and wouldn't have been a good thing to do.

I say good on IT security for stopping her.

#12 | Posted by boaz at 2019-02-12 12:51 PM | Reply

Uhhh, there may be a bit of an issue by the writers and posters here in understanding what VPNs are and how they are used in the first place.

A VPN is a "private" internet network with encrypted traffic and there are a couple different use cases.

This SOUNDS like they are referring to IPSEC VPN clients connecting to a "Private" Government network. A VPN CLIENT for connecting to a Government network is going to be installed and configured by the IT team - there would be no reason to go find one. Typically you are going to need a specific configuration for the client and a 2-Factor authentication system as well.

It is POSSIBLE (depending on the VPN itself) to connect with different clients but your average user is going to be rather clueless and would have no reason to seek a different client (again it is POSSIBLE...). So "technically" you could load a Chinese created VPN client and configure it to connect to some VPNs. It is also possible that client would communicate with foreign servers without your knowledge.

Most of the government isn't cutting edge on this last I knew, but my particular enterprise VPN requires its own client to connect to the VPN service that I host on site. It also requires a 2-factor authentication piece of software that is unique to the device, client and license. Also it would surprise me if the government wasn't using some sort of SIEM to manage remote computers. It is THE common practice in enterprise as a whole. You can only do what they allow you to do, and it phones home when you do things like install software or attempt to.

A different VPN use, browsing anonymously, is going to be software you install on your own, and it sounds like what they are talking about here. It uses the company's "network" and software to anonymize your system, location, etc. Networks like TOR fall under this.

To be clear, an audit by the IT teams is something that should be engaged in regularly, but I would HOPE this is a non-issue.

#13 | Posted by GalaxiePete at 2019-02-12 02:25 PM | Reply
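Two of the posts above make the same defensive point from different angles: #7 says the network's own firewall settings should stop private VPNs, and #13 says the sanctioned IPsec client is installed and configured by IT while an anonymizing VPN is something a user installs on their own. One way an ISSO can check that the two agree is to scan outbound firewall logs for VPN-protocol flows that are not headed to the IT-run gateway. The script below is an added example, not code from any poster or from the news story; the key=value log format, the TEST-NET addresses, and the sanctioned-gateway address are all constructed assumptions.

```python
"""Flag VPN-protocol egress that is not headed to the sanctioned gateway.

Added example. The log format (space-separated key=value fields), the
sample addresses (all from the RFC 5737 TEST-NET ranges) and the
sanctioned-gateway address are assumptions, not data from the thread.
"""
import ipaddress
from collections import Counter

# Hypothetical IPsec concentrator run by the IT team (placeholder address).
SANCTIONED_GATEWAYS = {"203.0.113.10"}

# Well-known ports of common VPN protocols, used to classify egress flows.
VPN_PORTS = {
    ("udp", 500): "IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
    ("tcp", 1723): "PPTP",
}

# Constructed sample log; not real traffic. Host .15 uses the sanctioned
# gateway, .22 runs a self-installed WireGuard client, .31 is ordinary HTTPS,
# .40 tries OpenVPN and is denied (an attempt is still worth a look).
SAMPLE_LOG = """\
ts=2019-02-11T12:01:05Z src=10.20.0.15 dst=203.0.113.10 proto=udp dport=500 action=allow
ts=2019-02-11T12:01:06Z src=10.20.0.15 dst=203.0.113.10 proto=udp dport=4500 action=allow
ts=2019-02-11T12:03:41Z src=10.20.0.22 dst=198.51.100.7 proto=udp dport=51820 action=allow
ts=2019-02-11T12:04:02Z src=10.20.0.22 dst=198.51.100.7 proto=udp dport=51820 action=allow
ts=2019-02-11T12:05:10Z src=10.20.0.31 dst=192.0.2.44 proto=tcp dport=443 action=allow
this line is not a flow record and must be skipped
ts=2019-02-11T12:06:55Z src=10.20.0.40 dst=192.0.2.88 proto=udp dport=1194 action=deny
"""


def parse_line(line):
    """Parse one key=value log line; return None if it is not a well-formed flow record."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        # Normalise the fields we rely on; malformed addresses or ports drop the line.
        fields["src"] = str(ipaddress.ip_address(fields["src"]))
        fields["dst"] = str(ipaddress.ip_address(fields["dst"]))
        fields["dport"] = int(fields["dport"])
        fields["proto"] = fields["proto"].lower()
    except (KeyError, ValueError):
        return None
    return fields


def find_unsanctioned(lines):
    """Return every flow on a VPN port whose destination is not a sanctioned gateway."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = VPN_PORTS.get((rec["proto"], rec["dport"]))
        if label is None or rec["dst"] in SANCTIONED_GATEWAYS:
            continue
        findings.append({**rec, "vpn": label})
    return findings


def summarize(findings):
    """Count findings per (source host, destination, protocol) so one host is one row."""
    return Counter((f["src"], f["dst"], f["vpn"]) for f in findings)


if __name__ == "__main__":
    hits = find_unsanctioned(SAMPLE_LOG.splitlines())
    for (src, dst, vpn), count in sorted(summarize(hits).items()):
        print(f"{src} -> {dst} ({vpn}): {count} flow(s)")
```

The check deliberately keeps denied attempts in the findings: a blocked OpenVPN handshake still tells the ISSO that a client got installed on a machine where, per #2, the user should not have had install permissions. Port-based classification is only a first pass, since a VPN app can be configured to use port 443; pairing this with the endpoint inventory that #13 describes (what software phoned home as installed) closes that gap.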

#11 | Posted by boaz

I am TOTALLY with you on this.

As for gtbritishskull & "Stupidly restrictive IT policies" - it is usually for a very good reason. You are talking about national security in the case of Hillary. Yes there has to be and is a way to get things changed if they are ok to change. It is a necessarily bureaucratic process in larger organizations. And speaking very very frankly anyone who thinks IT chooses to be "stupidly restrictive" for ----- and giggles should be banned from the network because it likely isn't the attitude in most IT departments today. IT is working to protect the government or other organization from people doing really stupid things without even realizing it. They don't want to make their own life harder and they don't want angry and unhappy users. It's the instant gratification nature of users that is the real problem IMHO. Nobody has any patience and is quick to blame anymore.

Personally - I have to fight to keep a balance within a private organization of allowing users to do things and keeping things "fairly" secure and IMHO "fairly" secure is downright insecure. More and more it is just not possible to allow a lot of activities without creating unreasonable risk to the organization and its data. Pretty much any activity you allow carries risk. I have personally seen several organizations shut their doors for multiple days in the past couple years while they clean up after user induced messes. Even fighting within the IT organization over clamping down more is a reality today.

The truth is the bad guys are always ahead of the good guys when it comes to finding holes and exploiting them.

However if you want to look at "stupidly restrictive policies" - I personally find this funny. I have a vendor who will not accept images in emails and has not for the 12+ years I have worked with them. JPEG, GIF, PNG, etc. - No bueno. The reason, according to them, is the potential for viruses in those files and relationships with GOVERNMENT customers (Local and state level) who require that they not accept those files in an email. However they then tell you to put the images in a Word document or PDF which they do accept and send it to them in your HTML filled email and that simply blows my mind.

#14 | Posted by GalaxiePete at 2019-02-12 02:54 PM | Reply

To add on to the good points made above, bad actors are working harder to get into systems, than the effort the average user puts forward to acting in a secure manner. Multiply that by a number of factors such as carelessness, missing a training session about not opening junk email attachments, and wanting to download random stuff off the internet "to improve their experience," and IT folks are constantly forgetting an uphill battle.

#15 | Posted by GOnoles92 at 2019-02-12 04:46 PM | Reply

Forgetting s/b Fighting

#16 | Posted by GOnoles92 at 2019-02-12 04:52 PM | Reply

This means we have entered the twilight zone.

Dang, there are too many posts agreeing with each other.

Must be ______ fault!!

#17 | Posted by Petrous at 2019-02-12 08:58 PM | Reply

Yet... Hillary still had her private email server. Government employees are using foreign VPNs. Our voting systems are getting hacked.

You can sit there all high and mighty blaming OTHER PEOPLE for your inability to do your job successfully. That is what Republicans do. Learned helplessness. It is always someone else's fault that YOU failed.

Or you can work towards real solutions.

"And speaking very very frankly anyone who thinks IT chooses to be "stupidly restrictive" for ----- and giggles should be banned from the network because it likely isn't the attitude in most IT departments today."

No. It is because they are lazy.

Case in point...

"Then if that's the case, the "customers" need to give IT a list of requirements. I dont agree with your synopsis because I've worked with the federal government all my life in IT."

IT wants others to do their job for them. Maybe that works for people who have spent all of their lives sheltered in a cushy government job, but in the REAL WORLD you have to determine your customer's needs. Customers don't tell you what their real needs are. They tell you what they THINK they need, or what they think YOU think they need, or what you want to hear, or something they read on the internet. You have to determine their real needs. Anyone who expects a customer's real needs to just fall into their lap is hopelessly naive (or never actually had to do real work).

"The truth is the bad guys are always ahead of the good guys when it comes to finding holes and exploiting them."

Especially when your users are actively opening security holes because you refuse to take the time to try to work WITH them instead of sitting on your high horse making rules that YOU think are right regardless of how it affects someone else's workflow.

Now, I am not complaining about how you work (and how it affects my job). I work with lazy people all the time. I just find a way to work around them. What I have a problem with is you complaining about how it is other people's fault that YOU can't do your job effectively. And I am trying to point out that the reason you are always just complaining and not getting effective solutions is you have fallen into the trap of victimhood. Just blame all of your woes on the "user" or the "liberal media" or some other boogeyman so that YOU can be lazy and don't have to modify your own behavior and make yourself better.

It is IT's job to secure the network. Regardless of your opinion of the merits, it is undeniable that instead of sitting around complaining about it (like you are doing), Hillary found a SOLUTION. She got her job done. The fact that classified emails ended up on a private server was a failure on the part of IT (it is IT's job to secure the network, not Hillary's).

The problem with IT is they concentrate on PROCESS instead of RESULTS. Because if you look at RESULTS, then it would be pretty obvious that most IT departments suck. But the process was created with the intention to achieve a RESULT. But, if it is created with unrealistic assumptions, then that intention will not be realized (as demonstrated by the state of IT). IT hides behind the right "process" to distract from the fact that their results are terrible.

#18 | Posted by gtbritishskull at 2019-02-13 09:27 AM | Reply
