back to article US may have by far the world's biggest military budget but it's not showing in security

If you were worried about the state of US military security systems you might not want to read the results of its latest audit. A “red teamer” cracked into a US Department of Defense system and rebooted it, but nobody noticed: the system suffered unexplained crashes. In another case, testers “caused a pop-up message to appear …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge
Flame

"instructing them to insert two quarters to continue operating.”

Damned inflation. I remember when one quarter was plenty, or even buying 5 tokens for $1.

(Now if you'll excuse me, I am going to go back to playing Defender on my Atari 2600.)

36
0
Silver badge

Re: "instructing them to insert two quarters to continue operating.”

"For three quarters, I'll trigger an immediate Windows update, and you can have the rest of the day off."

12
0

No need then to inconvenience our Chinese friends, or our Russian partners. Carry on. Business as usual.

16
0
Silver badge

I kind of assumed that business as usual is getting a Senator or Congressman re-elected.

Isn't what the US military budget is for?

36
1
Silver badge
Devil

I kind of assumed that business as usual is getting a Senator or Congressman re-elected.

Isn't what the US military budget is for?

How dare you!

It's there to make the executives at the defence companies richer as well.

Then they can use that money to bankroll a politician, who can then sling more business their way and keep the whole cycle going. Oh, and to give that politician a nice non-executive position once they retire of course..

5
0
Bronze badge
Big Brother

Military Industrial Complex

"It's there to make the executives at the defence companies richer as well."

When you control a market, you get to justify a cycle of replacing weak products with larger quantities of weak products.

And, let's not forget what it has been called: "The Military Industrial Complex."

1
0
Silver badge

Nothing's gonna come of it...

... General GAO's chicken.

(Thank you... besides fortune cookies, I also do Bar Mitzvahs!)

12
0
Anonymous Coward

Outsourcing

Government software development uses dedicated staffing agencies rather than managing their own hires. These staffing agencies offer poor pay, no incentive for talent to stay, and they have no ability to grade work. Throwing more money at them just gets you a larger incompetent staff. It's a miracle that anything works at all.

14
0
Silver badge
Meh

Re: Outsourcing

Meh.

Do a half-assed job- it's the American way!

/Homer

And extradite anyone who takes advantage of it...

1
0
Silver badge

BPOE

We have the Best People on Earth securing our military systems, or is that the Elks Club.

9
0
Gold badge
FAIL

How long have processors *connected* to a network been part of miltiary systems?

Decades at least.

And to save the implementation budget (not the overall budget of course) they'll use stuff they've picked off the internet or FOSS communities.

This reads like a catalogue of stupid, from the developers to the operators.

Once you hook kit up to a data cable (any data cable) you can no longer be entirely sure where that connection terminates. Is the box it connects to? The box that box connects to?

And that's before we get onto the wireless network connections that you can't even see.

6
0
Anonymous Coward

Re: How long have processors *connected* to a network been part of miltiary systems?

In the mid 1990s, I assisted with the installation of some commercial software at a DoD facility. This was one of the DoD "megacenters", basically internal service bureaus where many large systems hosted major DoD applications for things like logistics. Nothing any foreign power would be interested in.

The servers we were installing the software on were UNIX systems (HP-UX, if memory serves). They were on the Internet. With no firewalls.

"They're not in DNS," the sysadmin said. "No one can find them."

These folks weren't incompetent; they just didn't have any security training or awareness that it was even important. It simply wasn't visible to them at that time.

11
0
Silver badge

Re: How long have processors *connected* to a network been part of miltiary systems?

Decades at least.

Sure. Stoll's The Cuckoo's Egg came out in 1989, so for nearly 30 years it's been popular knowledge that there are DoD systems connected to the public Internet. Even many non-techies were aware of that.

Of course, since the Internet was itself a DoD project to begin with, there have always been DoD systems on it. But not everyone's aware of how many production DoD systems are exposed.

7
0

Re: How long have processors *connected* to a network been part of miltiary systems?

[quote]

...major DoD applications for things like logistics. Nothing any foreign power would be interested in.

[/quote]

I beg to differ. Wars are won (or, perhaps more correctly, lost) in the logistics.

6
1
Silver badge

Re: How long have processors *connected* to a network been part of miltiary systems?

Well, yes ... But there are DOD systems and there are DOD systems. I'm hampered by not having worked with that stuff for decades, but I doubt it's changed all that much. So, A few points:

1. Access to military systems is rather tightly constrained. Try walking onto the nearest military base without paper orders, or some other valid reason for being there.

2. Combat systems are unlikely to be connected to the Internet. That'd break rules about security. And they are, of necessity, designed to operate in an environment with limited and noisy communications.

3. Many military systems require extensive training to use them. That doesn't preclude hacking I suppose, but it makes it a lot more complicated.

4. There are, or least used to be, elaborate rules for dealing with classified data. Basically, you can freely introduce unclassified data into a classified environment, but any data generated in a classified environment has to be rigorously scrutinized before it can be released into an unclassified environment. Clearly, you can't just plug a dsl modem or whatever into a classified system.

5. There is, I'm told, a secure equivalent to the internet. I know nothing at all about it.

6. Non-combat systems -- personnel management, etc probably are connected to the internet and presumably have all the problems they would experience in a similar business environment. And maybe some additional problems.

BTW, I read the report. I don't think it's bad, deficient, or inaccurate. But I found it very difficult to relate it to what I saw in the three decades I spent working with US military software. The one thing that did resonate was a concern about security problems with the software development and maintenance environment. Likely there are real problems there.

3
3
Silver badge

Re: How long have processors *connected* to a network been part of miltiary systems?

So you can't launch nuclear missiles form a submarine with the password "swordfish"

But you can screw up spare parts deliveries to ground an entire airforce in the field.

You can mess around with payroll, holidays and shifts so that all the skilled aircraft mechanics leave

You can post home/personal details of the families of soldiers

You can target small suppliers/subcontractors to shut down the supply chain for a new $Bn project.

You can probably do enough to ground the next Gulf War without leaving any evidence of who did it.

10
0
Anonymous Coward

Re: How long have processors *connected* to a network been part of miltiary systems?

In the mid 1990s, I assisted with the installation of some commercial software at a DoD facility... These folks weren't incompetent; they just didn't have any security training or awareness that it was even important.

My second job was at a DoD personnel office doing data entry in the early 80s. There was no warning banner and no training other than what was needed to do the job. My current job working for Uncle Sam which I started in the late 2000s requires mandatory security training to get on the network at all plus a yearly refresher and other courses. It makes me wonder what went horribly wrong for each of the changes in practice to have been put in place during that period.

2
0
Gold badge
Unhappy

Sure. Stoll's The Cuckoo's Egg came out in 1989,

Exactly.

If anything the trend seems to be working down the food chain.

1989

Pentagon computers accessible by internet.

2018

Combat vehicles and their weapons available through the internet.

The PTB should find this trend worrying, but obviously don't.

3
0
Anonymous Coward

Holes by design (costs $1M per hole, DOD rates)

They are there to trap teenage hackers from all over the world into commoting crimes and then getting them deported to the USA where they can be made examples of in front of the US media. In return the DOD gets more taxpayer money for $1000 hammers and the like.

Cynical? you bet.

16
0
Silver badge

Re: Holes by design (costs $1M per hole, DOD rates)

I think your malice / incompetence ratio is way off there.

I'm sure the DoD runs some honeypots. It's not impossible that some are done in cahoots with State to try to ensnare and persecute token victims, and there may even be some quid pro quo (though really DoD has no trouble getting funds; it receives quite a lot of money it doesn't even request in its budget, thanks to legislators who want to keep jobs in their districts).

But the vast majority of the problems highlighted by the GAO are going to be due to poor management, incompetence, and systemic problems like legacy systems.

3
0
Mushroom

Doesn't the DoD realize that the Russians & Chinese have already found these vulns, even hidden them, in preparation for WW3. When US officers press the Big Button, either nothing will happen or the ICBM will explode in its silo. The enemy will win before a shot is even fired. Americans live in a fantasy - and will die there.

9
6
Silver badge

On the other hand, if you think the US suffers from poorly trained, paid and motivated staff, badly designed patched together systems and lots of legacy kit from the 60s/70s - how do you think the USSR-II is doing ?

3
0
Silver badge
Mushroom

You mean the old British WE117 bombs had the right idea? They'd have been rather hard to hack....

3
0

Typo?

Is this a deliberate bug?

[If you were worried about the state of US military security systems you might not want to read the latest audit.] with such frequency, there was no reason to suspect an attack.

10
0

I enjoy the fact that issuing policies must be the end of the matter

Try implementing and auditing against them, or testing them against prospective purchases etc.

This is no better than "your security is very important to us..."

My worry would be that if the systems are as leaky as the article makes it sound, then there is a reasonable probability of their own testing manifesting in the wild. That prank missile target on your mates house suddenly becomes are real possibility that it may just work...

6
0
Silver badge

Re: I enjoy the fact that issuing policies must be the end of the matter

"That prank missile target on your mates house suddenly becomes are real possibility that it may just work..."

Shall we play a game, Joshua?

17
0

Re: I enjoy the fact that issuing policies must be the end of the matter

I have to bite...

Can we play tic-tac-toe?

8
0

“Warnings were so common that operators were desensitized to them”

Ouch. That very one would hurt any pilot deeply.

7
0
Silver badge

“Warnings were so common that operators were desensitized to them”

Ouch. That very one would hurt any pilot deeply.

In my experience of reading descriptions of major air crashes, that theme (of operators - pilots and other flight-deck crew - being desensitized by the sheer number of warnings) occurs with depressing oftenness. So it would, indeed, hurt pilots (and their passengers and crew) deeply.

It's often accompanied by warnings of conditions requiring different solutions being nevertheless very similar in sound, even when applying problem one's solution will make problem two worse.

8
0
Headmaster

@ Steve the Cynic - !"oftenness"!? I think the word you were looking for was regularity.

2
0
Silver badge

oftenness... regularity...

The hanging sentence in the article itself contains the word "frequency". I am guessing the original context was exactly what the OP meant.

0
1
Silver badge

Now imagine if the siren went off everytime a packet from a non .mil address arrived at your firewall !

4
0

Or if a DNS hijacking attack was used and the .mil site just became a .ru/.$BAD_GUY_CC domain.

1
0

@Steve the Cynic

I can also attest to this, given that I have seen every single episode of Mayday/Air Crash Investigation.

The idea in aircraft is the shitty cockpit construction (whether it's hardware or wetware we're talking about). But in computers, it's just wetware.

Do we need a big siren to signal an intrusion?

And also about aircraft, I've always wondered why there wasn't simply a call-out with the error concerned instead of a chime/beep/whatever distraction?

That way pilots could know exactly what's going wrong.

And Helios 522 and the recent Jet Airways "re-enactment" (which thankfully landed safe after half the pax bled out of their noses) would've never occurred either.

0
0
Silver badge

That? That's a Cyberdyne Systems model T-101

It's harmless.

Just yell "User : Admin, Password : Password" at it and you can shut it down.

10
0
Silver badge

Just the Tip of the ICEBorg*?

Doesn't the DoD realize that the Russians & Chinese have already found these vulns, ...... jgarbo

Most probably, and hopefully so for Uncle Sam, they do, but they are disenabled and unable to do anything effective about them, jgarbo, ...... with the much bigger problem, and one for all manner of SCADA Administrative Systems, being even more of them hiding in codes and protocols just waiting for discovery and RAT exploitation/uncovering and capitalisation.

* ...... Information and Content Exchange

And most convenient for all purveyors of FUD to the brainwashed masses for it appears to keep them suitably terrorised and petrified into inaction?

3
2

Re: Just the Tip of the ICEBorg*?

What the bleep do SCADA systems have to do with ANYTHING discussed on El Reg?

0
6
Silver badge

Re: Just the Tip of the ICEBorg*?

What the bleep do SCADA systems have to do with ANYTHING discussed on El Reg? ... Waseem Alkurdi

Crikey! ..... Do you not yet know you are a SCADA System, Waseem Alkurdui. And they have things to do about everything.

Is yours not working correctly and badly not Inputting Feed and Feedback Back to Almighty Goals for Further Future Source Immaculate Provision? Or are you missing/skipping and missing out at those Sublime and Supreme and Surreal Levels of Live Operational Virtual Environment Empowerment? Will that be your decision?

IT is surely but One More Small Step for Man with One TitanICQ Quantum Communications Leap for Virtual Machinery and AIdSystems to Launch Oneself for Engagement into a Completely Different Sphere of COSMIC Enterprise.

And quite a Penultimate Weapon for Wielding before Finalising of Solutions.

1
4
Silver badge

Re: Just the Tip of the ICEBorg*?

What the bleep do SCADA systems have to do with ANYTHING discussed on El Reg?

You're new here and have just been trolled by El Reg's in house AI poster. We hope its an AI, because if it's not.. well... oh dear. Attempting to make sense of amanfrommars1's posts without the requisite amount of liquid inspiration will cause headaches. It will still cause headaches, but they pass quicker, given the appropriate dosage.

7
0
Silver badge

Re: Just the Tip of the ICEBorg*?

Attempting to make sense of amanfrommars1's posts without the requisite amount of liquid inspiration will cause headaches.

Liquid?

Nope, liquids as a medicinal for those particular migraine in potentia are insufficient at this stage. I recommend peyote, which, unfortunately is not yet available over the counter (any counter, 'round these parts).

The French have been known to prefer Absinthe, or failing that, a painkiller inserted anally.

3
1
Anonymous Coward

Re: Just the Tip of the ICEBorg*?

Hmm... Wasseem...

2
0
Anonymous Coward

Re: Just the Tip of the ICEBorg*?

...oh dear...:-)

Best cmm on AI here yet

2
0
Anonymous Coward

Re: Just the Tip of the ICEBorg*?

Normally, it would be advised here to use common sense as a kind of a dope one certainly needs to succeed and to make smth more comprehendsable for a reading unit.

1
0
Pint

Re: Just the Tip of the ICEBorg*?

I've been a commentard since April of this year, and since then, I've been trying to figure out whether @AMFM1 is a AI or a human. Sadly:

Do you not yet know you are a SCADA System, Waseem Alkurdui

And he's misspelled my name for the second time in a row after that being pointed out to him a day earlier! ^_^

So yep, he's a bot who for some reason believes that I don't know yet that I'm a SCADA system.

Regarding the headaches, no, they don't occur to me, because that is well taken care of by the other window on my desktop, the window in question being the Pathology textbook! ;-P

A safe-driving-mode-enabled* pint to all onlookers!

__________________

* non-alcoholic, that is

1
0
Silver badge
Alert

Re: Just the Tip of the ICEBorg*?

:)

Any self respecting online Internet AI will make intentional "mistakes" otherwise we might think that they are a dog or, worse, a human.

3
0
Silver badge

Re: Just the Tip of the ICEBorg*? And Something to Always Remember ...

The next logical progression, Waseem Alkurdi, is to ponder and deliberate on whether of Nigerian extraction because of the evidence of a simple misspelling/primitive predictive text typo .... although beware and be wary of stealthy security misdirection and other dynamic accommodations in Future Travels to Alien Intensive Spaces.

So yep, he's a bot who for some reason believes that I don't know yet that I'm a SCADA system. .... Waseem Alkurdi

Great, we are agreed then you are. Care to Dare Share an Unambiguous Confirmation of those Facts, WA? Just for the Record and Registering Interests. A Note for Posterity to File Away in the Deep Dark Vaults of Never Forgotten Forbidding Libraries.

Oh, and what do you define as a bot? Is it animal, vegetable, mineral or ethereal? Just for the Record and Registering Interests.

0
3

Re: Just the Tip of the ICEBorg*? And Something to Always Remember ...

Ethereal ... I like the word ...

0
0
I&I

Natural result of blame-culture e.g. the Gary McKinnon case.

6
0
Silver badge
Alert

Big budget

Would that be a budget big enough to support an entire bug-ridden comms system as a decoy, while having an altogether different system sitting behind it in the shadows?

Age-old military tactic.

5
0
Silver badge

Re: Big budget

That's what the enemy would expect.

Instead there is a massive inefficent bug-ridden insecure system that IS the main system

Good luck finding the non-existent secret effective decoy shadow system

5
0

Page:

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2018