Krypt3ia

Staff Finds White House in the Technological Dark Ages

By Anne E. Kornblut
Washington Post Staff Writer
Thursday, January 22, 2009; A01

If the Obama campaign represented a sleek, new iPhone kind of future, the first day of the Obama administration looked more like the rotary-dial past.

Two years after launching the most technologically savvy presidential campaign in history, Obama officials ran smack into the constraints of the federal bureaucracy yesterday, encountering a jumble of disconnected phone lines, old computer software, and security regulations forbidding outside e-mail accounts.

What does that mean in 21st-century terms? No Facebook to communicate with supporters. No outside e-mail log-ins. No instant messaging. Hard adjustments for a staff that helped sweep Obama to power through, among other things, relentless online social networking.

“It is kind of like going from an Xbox to an Atari,” Obama spokesman Bill Burton said of his new digs.

The rest of the article here:

This is an interesting conundrum of change for the presidency as well as the White House. Being that I am a security professional, I think that on the one hand, the “old” technology and practices that have been in place are there for good reasons. At least the security measures in place (as they have been elaborated on here… I am sure there are many more) are to keep from too much information getting out easily and to protect the White house from being compromised. However, on the other side of that coin, I would REALLY like to know things like:

Just what patch and service pack level are those Xp machines at in the White house?

How many characters are the passwords?

What are their complexity?

Do they have a standard image?

Do they have a domain and Active Directory?

Do they have logging turned on on the machines? And yes, both for FAILURE and SUCCESS?

Do they have “autorun” on?

Do these machines have their primary users as ADMIN locally?

There are so many more questions…

There are a slew more questions that I would be asking as an interested party (aka make the bad man stop hacking me!) to the White house tech team that I’d be asking. It seems to me from the fact that at one point I had the White house phone directory on my PDA (Google it sometime kids) including the SITROOM, that the White House is in need of a technological “shot in the arm”

It is with that in mind that I think that this administration needs to be guided by the likes of me to make sure that yes, they can indeed use their Facebook and other toys while doing so SECURELY. It can be done, but it will take a complete re-vamp of the technological space that the presidency resides in.

The FIRST thing I would do would be to carry out a complete security audit of the White House networks and end user systems as well as physical security on those assets and training for end users on said security. (imagine getting to hack the WH legally?)

The SECOND thing I would do would be audit the security policies and procedures (probably done in tandem with the network audit) to make sure that they are in good order and that they include some good direction for those end users.

The THIRD thing I would do would be to talk with the Prez and really hash out the possibilities of using their favorite OS of OSX. Yes, I said it, I would not be opposed to OSX. You know why? Cuz it’s BSD under the hood kids. I imagine that the NSA might like that one too. A properly secured OSX (after thorough auditing of the OS for bugs) would be MUCH more secure than even a “secured” Microsoft product any day of the week. Can you imagine (all infosec heads here) a fully integraded BSD *NIX network that has been secured by (ok, probably not doable but one can dream) an NSA Trusted configured *NIX environment?

Daaaaammmmn baby!

I am sure that right now, the real security effort with the current network there is that it isn’t really connected to the outside world ala the original C2 rating for M$ (NT4) Ya know, the one where the thing is not plugged in, in a room with a guard, and a gun? Yeah, that one. Freakin M$, what a piece of crap…

Anyway, I think that perhaps the Obama team may be somewhat spoiled in their technolust and their use of it, but, they can be taught security. I think that right there should be the object here. Bring the technology to the present. It’s a fast paced world out there and we need to be agile.

Hey Big O… I am always just a phone call away….