in reply to US National Security

My Day Job right now is employed full-time by a Federal Agency (the USGS, a component of DOI) and the big mistake that most people make when dealing with Federal IT is assuming that agencies have centralized, monolithic, highly coordinated IT resources that are tightly controlled by some uber-IT group. In most agencies that's just completely false: a single agency might have (literally) hundreds of servers managed by hundreds of people with a huge range of skill levels, everything from your standard highly-competent server god to some bozo who decided to buy a cheap Linux box and throw it onto the web.

In my agency, for example, the "powers that be" (that is, the IT management for the agency) once did a port-scan of the entire agency and discovered that there were 1,300 servers responding to port 80 (i.e., webservers). Problem was, there were only supposed to be around 300. The other 1,000 (!!!) just popped into existence without any assurance that they were brought up securely or correctly. Yee ha.

Even DOD agencies, which are known for their top-down, military-like organization, are susceptible to this. It's not hard to have a base somewhere with, shall we say, less than optimal security even though the main www.army.mil type sites are well-maintained. It's a big government... and by its very nature it's almost impossible to keep everything in control. It's a fairly deadly combination of lack of skill, lack of organization, and lack of control combined with a whole lotta money.

Gary Blackburn
Trained Killer