Sure blame the thumb drives....



  • reciently the pentagon banned the use of usb drives citing a systematic computer virus infection being spread by usb drives not authorized to be used on DOD systems .

    but the only step to authorize a device is to go to your S-6 office and scan the usb drives for viruses

    but the antivirus automatically scans a usb device when its plugged in

    so the real wtf isnt infected usb drives

    its the antivirus solution the DOD uses

    you would think the department of defense would use some uber secret high speed software that was government use only

    or at least a decient commercial antivirus

    but no they use one of the worst ones on the market ( i wont mention names)

    and that one is the only authorized antivirus for DOD systems

    and the funny thing is i knew about the infection for the past year and i tried to tell them

    but their answer was "our antivirus isnt picking it up so it doesnt exsist now stop making up stories"

    but mine did when i scanned an unclassified drive using my home computer's antivirus (also wont mention it but its free for home use and has a blue icon )

    the real wtf here is the antivirus the DOD uses they give away for free to soldiers and encourage them to use it.

    ive spent the past year telling the soldiers in our unit not to use it and a majority have switched to alternate products and most of them found infections undetectable to their previous product

    I guess the real lesson here is just because software is popular doesnt make it quality

    and just because software is free doesnt mean it isnt any good

     

     

     



  • @raziel said:

    you would think the department of defense would use some uber secret high speed software that was government use only

    I take it you don't have a lot of experience working with Federal bureaucracy. 



  • oh i do have experience but i kinda figured they would take information security more seriously seeing as national security was at stake......

     



  • @raziel said:

    oh i do have experience but i kinda figured they would take information security more seriously seeing as national security was at stake......
    This is yet another sign that you're new to government contracting.  You need to lose that idealism.  Here is how the government will pick an anti-virus software vendor (or anything else for that matter):

    First, they need to put together a bid package.  This will contain all the specifications of the software they need. But where do they get these specifications?  Procurement people don't know anything about software, so they go to a standard specification.  And where do the standard specifications come from?  Whichever software vendor has done the best networking and gotten their specs into the hands of the right people.  Now, these specs are always biased in favor of the vendor in question, often to the point where the approved products list is a single item: the vendor's software.  Since they can't sole-source a product, the procurement department will have to allow alternate software to be approved, but this is hard because the vendor who wrote the spec will include poison pills in the requirements: that is, they will include at least one feature, no matter how useless, that no other product has.  In some cases, other software must be approved before the bid takes place, leaving other vendors no time to implement said feature.  Even if they can implement the feature and get approval in time to bid, the extra cost of doing so often forces them out of the running, and the spec writing vendor walks away with a smile and a new contract.  This is not uncommon; my company has "provided" specs many times.  Sometimes procurement people will actually ask us to stack the deck in our favor because they liked our performance and don't want to risk some fly-by-night operation getting it. 

    And, of course, this is assuming you even need an open bid.  Often procurement offices will have spending amounts under which they don't need to present an open bid or get competitive pricing.  We get perhaps 20 projects a year in the $2500 to $10000 range where certain officials with whom we have a good relationship will simply call us for a price, issue a PO, and we go to work.  It's not illegal -- hell, it's not even considered shady.  I went to an airport authority conference a few weeks back where they encouraged vendors to meet with their small purchases people and establish a good relationship to get the sort of work I'm describing.



  • @raziel said:

    <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p>but no they use one of the worst ones on the market ( i wont mention names)<o:p></o:p>and that one is the only authorized antivirus for DOD systems<o:p></o:p>
    <o:p></o:p> The DoD has contracts with at least 3 Antivirus companies that I know of. In fact, it's DoD regulation that Servers and Workstations cannot be protected by products from the same Antivirus Company. I believe it's suggested (But not required) that your e-mail is scanned by a product from a 3rd vendor, but it's possible that was a local or Service Branch related requirement.<o:p></o:p>@raziel said:
    <o:p></o:p>reciently the pentagon banned the use of usb drives citing a systematic computer virus infection being spread by usb drives not authorized to be used on DOD systems .<o:p></o:p>but the only step to authorize a device is to go to your S-6 office and scan the usb drives for viruses (snip)<o:p></o:p>but mine did when i scanned an unclassified drive using my home computer's antivirus (also wont mention it but its free for home use and has a blue icon )<o:p></o:p>
    <o:p></o:p>
    No, this was banned by DoD CIO/G-6 Data at Rest Memo of Apr 2006, DoD Directive 5200, and DoD Instruction 8500. I'm not sure of your branch of service, but the Army also bans this with AR 25-2. <o:p></o:p>If your Thumb Drive is personally owned, you are in violation of DoD Policy when you connect it to government computers. If it's government owned, you're in violation when you connect it to your computer. If you're taking it off post, you're in violation if it's not encrypted. In any case, you are in violation if the thumb drive isn't marked with the Data At Rest label. From your write up, I assume it's not.<o:p></o:p>The problem is your S-6, Information Assurance Security Officer, and Information Assurance Department. Depending on where you are, this might all be the same person. Your Unit Commander also has responsibility here. They are just rubber stamping reports. If you are in garrison, they probably aren't running the required Vulnerability Assessment either- Those should have detected the unauthorized USB Drives and the virus.<o:p></o:p> <o:p></o:p>@raziel said:
    <o:p></o:p>the real wtf here is the antivirus the DOD uses they give away for free to soldiers and encourage them to use it.<o:p></o:p>ive spent the past year telling the soldiers in our unit not to use it and a majority have switched to alternate products and most of them found infections undetectable to their previous product<o:p></o:p>I guess the real lesson here is just because software is popular doesnt make it quality<o:p></o:p>and just because software is free doesnt mean it isnt any good<o:p></o:p>
    <o:p></o:p>
    Again, the Real WTF is that your S-6 is lazy, incompetant, and not doing his/her job. But you are correct- Being free and/or popular does not mean good.<o:p></o:p>

     



  • @raziel said:

    but no they use one of the worst ones on the market ( i wont mention names)
     

    Norton?

    McAfee?



  • @bstorer said:

    @raziel said:

    oh i do have experience but i kinda figured they would take information security more seriously seeing as national security was at stake......
    This is yet another sign that you're new to government contracting.  You need to lose that idealism.  Here is how the government will pick an anti-virus software vendor (or anything else for that matter):

    First, they need to put together a bid package.  This will contain all the specifications of the software they need. But where do they get these specifications?  Procurement people don't know anything about software, so they go to a standard specification.  And where do the standard specifications come from?  Whichever software vendor has done the best networking and gotten their specs into the hands of the right people.  Now, these specs are always biased in favor of the vendor in question, often to the point where the approved products list is a single item: the vendor's software.  Since they can't sole-source a product, the procurement department will have to allow alternate software to be approved, but this is hard because the vendor who wrote the spec will include poison pills in the requirements: that is, they will include at least one feature, no matter how useless, that no other product has.  In some cases, other software must be approved before the bid takes place, leaving other vendors no time to implement said feature.  Even if they can implement the feature and get approval in time to bid, the extra cost of doing so often forces them out of the running, and the spec writing vendor walks away with a smile and a new contract.  This is not uncommon; my company has "provided" specs many times.  Sometimes procurement people will actually ask us to stack the deck in our favor because they liked our performance and don't want to risk some fly-by-night operation getting it. 

    And, of course, this is assuming you even need an open bid.  Often procurement offices will have spending amounts under which they don't need to present an open bid or get competitive pricing.  We get perhaps 20 projects a year in the $2500 to $10000 range where certain officials with whom we have a good relationship will simply call us for a price, issue a PO, and we go to work.  It's not illegal -- hell, it's not even considered shady.  I went to an airport authority conference a few weeks back where they encouraged vendors to meet with their small purchases people and establish a good relationship to get the sort of work I'm describing.

     

    You forgot the part where Cheney steps in and gives the contract to a company that he receives money from, no matter how many bidders there are or what their bid is.  Please amend your statement.



  •  @cdosrun said:

    ...
    QFT



  • @dtech said:

    @raziel said:

    but no they use one of the worst ones on the market ( i wont mention names)
     

    Norton?

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!

     @dtech said:

    McAfee?

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! to the power of AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!




  • I can not believe

    that they would do that

    or insist on such asinine policies

    but who am I to advise the government

    I guess the lesson here is to use less line breaks



  • @dubbreak said:

    I can not believe

    that they would do that

    or insist on such asinine policies

    but who am I to advise the government

    I guess the lesson here is to use less line breaks

     

    A

    g

    r

    e

    e

    d



  •  ive been in the service for 10 years, and yes they do stupid things but one thing ive noticed is they tend to do the smart thing when peoples lives are at stake (at least where im at) so this was a WTF for me anyways

    as for the antivirus no there are only 2 authorized not 3 and both were stated in previous posters guesses

    see thats the problem its not the IASO

    because i was the IASO

    i was in the S-6

    and barking regulations at me is just proving my point

    the point is i was right and the antiviruses were inadequate

    and the thick headed attitude of the DOD is preventing real security

    BTW DOIM (and post) policy allowed the use of usb drives both personal and military for unclassifed non sensitive data (to allow NCO's and officers to be able to do councilings NCOER's and other such work at home) as long as it was scanned by the S-6 this policy was promulgated down to the users on multiple occasions

    i did my job i scanned usb drives with their useless antivirus i even warned doim there was an infetcion going around so calling me the lazy one is just typical of those who know nothing of real network security and make their living writing useless policies for people who know more about IA than you

     



  • dtech:
    raziel:
    but no they use one of the worst ones on the market ( i wont mention names)
     

    Norton?

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!

     

    dtech:

    McAfee?


    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! to the power
    of AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!

     

     bingo!



  • @dtech said:

    McAfee?

    Weeeee!!!!! This "antivirus" went down in flames in 1994 ... trying to remove "DIR II"!!!

    Yes, a 5+ year old virus took down this POS; so even back then I didn't trust McAffee. Hell, I even trusted the MS Antivirus (remember that one?) than McAffee.

    Funny thing, the good one back then was Norton. Ah, how times have changed...



  • @danixdefcon5 said:

    @dtech said:

    McAfee?

    Weeeee!!!!! This "antivirus" went down in flames in 1994 ... trying to remove "DIR II"!!!

    Yes, a 5+ year old virus took down this POS; so even back then I didn't trust McAffee. Hell, I even trusted the MS Antivirus (remember that one?) than McAffee.

    Funny thing, the good one back then was Norton. Ah, how times have changed...

     

    So what's the best free one now?



  • @raziel said:

    and that one is the only authorized antivirus for DOD systems 

    @raziel said:

    as for the antivirus no there are only 2 authorized not 3 and both were stated in previous posters guesses


    Yes, I see now. Are you sure you don't want to search for Trend Micro on AKO?

    @raziel said:

    see thats the problem its not the IASO

    because i was the IASO

    i was in the S-6

    and barking regulations at me is just proving my point

    the point is i was right and the antiviruses were inadequate

    and the thick headed attitude of the DOD is preventing real security

    Yes. I see. The thick headed attitude of the DoD assuming you were doing your job according to regulation. You, sir, are the WTF. You might not be the only one, but you are one.

    @raziel said:

    BTW DOIM (and post) policy allowed the use of usb drives both personal and military for unclassifed non sensitive data (to allow NCO's and officers to be able to do councilings NCOER's and other such work at home) as long as it was scanned by the S-6 this policy was promulgated down to the users on multiple occasions

    Failing to follow the policy, then blaming the policy when it fails you? Nice. That "NCOERS and other such work" is precisely what this policy was designed to prevent. It often contains PII, which is NOT "Unclassified Non Senstive", it is SBU, Sensitive But Unclassified.The Army paid a lot of money for various data protection programs and strategies, it's nice to see my work and tax dollars wasted because you feel orders don't apply to you.

     

    @raziel said:

    i did my job i scanned usb drives with their useless antivirus i even warned doim there was an infetcion going around so calling me the lazy one is just typical of those who know nothing of real network security and make their living writing useless policies for people who know more about IA than you

    Yes, the guy who can't even answer how many Antivirus Scanners he has with the same number two days in a row knows more about IA then I do. The guy who claims he knows policy and willfully disobeys orders, putting soldiers PII at risk, isn't ignorant. The SOB who can't be bothered to file a US-CERT report or contact the IAVM Team isn't lazy.

    And the cry goes up.... "But DOIM told me it was OK!". Right. Fine. You aren't the only WTF. Do me a favor- Where are you stationed?



  • @cdosrun said:

    Do me a favor- Where are you stationed?

    pssst Dude, don't tell him where you are stationed!  I think it might be a trap!



  • @amischiefr said:

    You forgot the part where Cheney steps in and gives the contract to a company that he receives money from, no matter how many bidders there are or what their bid is.  Please amend your statement.

    Trying to act like this is something only Cheney did or does is silly.  I don't know if you are joking, but almost every politican acts this way.  Hell, most of the contracts awarded to Halliburton for Iraq were established under the Clinton Administration, anyway. 



  • @cdosrun said:

    @raziel said:

    and that one is the only authorized antivirus for DOD systems 

    @raziel said:

    as for the antivirus no there are only 2 authorized not 3 and both were stated in previous posters guesses


    Yes, I see now. Are you sure you don't want to search for Trend Micro on AKO?

    @raziel said:

    see thats the problem its not the IASO

    because i was the IASO

    i was in the S-6

    and barking regulations at me is just proving my point

    the point is i was right and the antiviruses were inadequate

    and the thick headed attitude of the DOD is preventing real security

    Yes. I see. The thick headed attitude of the DoD assuming you were doing your job according to regulation. You, sir, are the WTF. You might not be the only one, but you are one.

    @raziel said:

    BTW DOIM (and post) policy allowed the use of usb drives both personal and military for unclassifed non sensitive data (to allow NCO's and officers to be able to do councilings NCOER's and other such work at home) as long as it was scanned by the S-6 this policy was promulgated down to the users on multiple occasions

    Failing to follow the policy, then blaming the policy when it fails you? Nice. That "NCOERS and other such work" is precisely what this policy was designed to prevent. It often contains PII, which is NOT "Unclassified Non Senstive", it is SBU, Sensitive But Unclassified.The Army paid a lot of money for various data protection programs and strategies, it's nice to see my work and tax dollars wasted because you feel orders don't apply to you.

     

    @raziel said:

    i did my job i scanned usb drives with their useless antivirus i even warned doim there was an infetcion going around so calling me the lazy one is just typical of those who know nothing of real network security and make their living writing useless policies for people who know more about IA than you

    Yes, the guy who can't even answer how many Antivirus Scanners he has with the same number two days in a row knows more about IA then I do. The guy who claims he knows policy and willfully disobeys orders, putting soldiers PII at risk, isn't ignorant. The SOB who can't be bothered to file a US-CERT report or contact the IAVM Team isn't lazy.

    And the cry goes up.... "But DOIM told me it was OK!". Right. Fine. You aren't the only WTF. Do me a favor- Where are you stationed?

     

    lol you obviously have no idea what you are talking about trend micro is not on the ako downloads page i just checked it to verify

    symantec mcafee and norton are

    so gtfo my internet

    and the approved antivirus for dod networks is symantec and mcafee

    i just double checked the approved list to verify

    now if you knew anything about army IA you would know they delegated all authority to DOIM so you either do it there way or get cut off from the network and have your user account revoked

    it isnt a matter of oh doim says its ok so we can its a matter of doim says we do this or else

    doim is the law when it comes to IA in the army

     

    so STFU and GTFO my internet

     



  • I think the real scary part is that I am getting the impression the OP works for the government and writes like a child.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.