"instructing them to insert two quarters to continue operating.”
Damned inflation. I remember when one quarter was plenty, or even buying 5 tokens for $1.
(Now if you'll excuse me, I am going to go back to playing Defender on my Atari 2600.)
If you were worried about the state of US military security systems you might not want to read the results of its latest audit. A “red teamer” cracked into a US Department of Defense system and rebooted it, but nobody noticed: the system suffered unexplained crashes. In another case, testers “caused a pop-up message to appear …
I kind of assumed that business as usual is getting a Senator or Congressman re-elected.
Isn't what the US military budget is for?
How dare you!
It's there to make the executives at the defence companies richer as well.
Then they can use that money to bankroll a politician, who can then sling more business their way and keep the whole cycle going. Oh, and to give that politician a nice non-executive position once they retire of course..
"It's there to make the executives at the defence companies richer as well."
When you control a market, you get to justify a cycle of replacing weak products with larger quantities of weak products.
And, let's not forget what it has been called: "The Military Industrial Complex."
Government software development uses dedicated staffing agencies rather than managing their own hires. These staffing agencies offer poor pay, no incentive for talent to stay, and they have no ability to grade work. Throwing more money at them just gets you a larger incompetent staff. It's a miracle that anything works at all.
Decades at least.
And to save the implementation budget (not the overall budget of course) they'll use stuff they've picked off the internet or FOSS communities.
This reads like a catalogue of stupid, from the developers to the operators.
Once you hook kit up to a data cable (any data cable) you can no longer be entirely sure where that connection terminates. Is the box it connects to? The box that box connects to?
And that's before we get onto the wireless network connections that you can't even see.
In the mid 1990s, I assisted with the installation of some commercial software at a DoD facility. This was one of the DoD "megacenters", basically internal service bureaus where many large systems hosted major DoD applications for things like logistics. Nothing any foreign power would be interested in.
The servers we were installing the software on were UNIX systems (HP-UX, if memory serves). They were on the Internet. With no firewalls.
"They're not in DNS," the sysadmin said. "No one can find them."
These folks weren't incompetent; they just didn't have any security training or awareness that it was even important. It simply wasn't visible to them at that time.
In the mid 1990s, I assisted with the installation of some commercial software at a DoD facility... These folks weren't incompetent; they just didn't have any security training or awareness that it was even important.
My second job was at a DoD personnel office doing data entry in the early 80s. There was no warning banner and no training other than what was needed to do the job. My current job working for Uncle Sam which I started in the late 2000s requires mandatory security training to get on the network at all plus a yearly refresher and other courses. It makes me wonder what went horribly wrong for each of the changes in practice to have been put in place during that period.
Decades at least.
Sure. Stoll's The Cuckoo's Egg came out in 1989, so for nearly 30 years it's been popular knowledge that there are DoD systems connected to the public Internet. Even many non-techies were aware of that.
Of course, since the Internet was itself a DoD project to begin with, there have always been DoD systems on it. But not everyone's aware of how many production DoD systems are exposed.
Well, yes ... But there are DOD systems and there are DOD systems. I'm hampered by not having worked with that stuff for decades, but I doubt it's changed all that much. So, A few points:
1. Access to military systems is rather tightly constrained. Try walking onto the nearest military base without paper orders, or some other valid reason for being there.
2. Combat systems are unlikely to be connected to the Internet. That'd break rules about security. And they are, of necessity, designed to operate in an environment with limited and noisy communications.
3. Many military systems require extensive training to use them. That doesn't preclude hacking I suppose, but it makes it a lot more complicated.
4. There are, or least used to be, elaborate rules for dealing with classified data. Basically, you can freely introduce unclassified data into a classified environment, but any data generated in a classified environment has to be rigorously scrutinized before it can be released into an unclassified environment. Clearly, you can't just plug a dsl modem or whatever into a classified system.
5. There is, I'm told, a secure equivalent to the internet. I know nothing at all about it.
6. Non-combat systems -- personnel management, etc probably are connected to the internet and presumably have all the problems they would experience in a similar business environment. And maybe some additional problems.
BTW, I read the report. I don't think it's bad, deficient, or inaccurate. But I found it very difficult to relate it to what I saw in the three decades I spent working with US military software. The one thing that did resonate was a concern about security problems with the software development and maintenance environment. Likely there are real problems there.
So you can't launch nuclear missiles form a submarine with the password "swordfish"
But you can screw up spare parts deliveries to ground an entire airforce in the field.
You can mess around with payroll, holidays and shifts so that all the skilled aircraft mechanics leave
You can post home/personal details of the families of soldiers
You can target small suppliers/subcontractors to shut down the supply chain for a new $Bn project.
You can probably do enough to ground the next Gulf War without leaving any evidence of who did it.
If anything the trend seems to be working down the food chain.
Pentagon computers accessible by internet.
Combat vehicles and their weapons available through the internet.
The PTB should find this trend worrying, but obviously don't.
They are there to trap teenage hackers from all over the world into commoting crimes and then getting them deported to the USA where they can be made examples of in front of the US media. In return the DOD gets more taxpayer money for $1000 hammers and the like.
Cynical? you bet.
I think your malice / incompetence ratio is way off there.
I'm sure the DoD runs some honeypots. It's not impossible that some are done in cahoots with State to try to ensnare and persecute token victims, and there may even be some quid pro quo (though really DoD has no trouble getting funds; it receives quite a lot of money it doesn't even request in its budget, thanks to legislators who want to keep jobs in their districts).
But the vast majority of the problems highlighted by the GAO are going to be due to poor management, incompetence, and systemic problems like legacy systems.
Doesn't the DoD realize that the Russians & Chinese have already found these vulns, even hidden them, in preparation for WW3. When US officers press the Big Button, either nothing will happen or the ICBM will explode in its silo. The enemy will win before a shot is even fired. Americans live in a fantasy - and will die there.
Try implementing and auditing against them, or testing them against prospective purchases etc.
This is no better than "your security is very important to us..."
My worry would be that if the systems are as leaky as the article makes it sound, then there is a reasonable probability of their own testing manifesting in the wild. That prank missile target on your mates house suddenly becomes are real possibility that it may just work...
“Warnings were so common that operators were desensitized to them”
Ouch. That very one would hurt any pilot deeply.
In my experience of reading descriptions of major air crashes, that theme (of operators - pilots and other flight-deck crew - being desensitized by the sheer number of warnings) occurs with depressing oftenness. So it would, indeed, hurt pilots (and their passengers and crew) deeply.
It's often accompanied by warnings of conditions requiring different solutions being nevertheless very similar in sound, even when applying problem one's solution will make problem two worse.
@Steve the Cynic
I can also attest to this, given that I have seen every single episode of Mayday/Air Crash Investigation.
The idea in aircraft is the shitty cockpit construction (whether it's hardware or wetware we're talking about). But in computers, it's just wetware.
Do we need a big siren to signal an intrusion?
And also about aircraft, I've always wondered why there wasn't simply a call-out with the error concerned instead of a chime/beep/whatever distraction?
That way pilots could know exactly what's going wrong.
And Helios 522 and the recent Jet Airways "re-enactment" (which thankfully landed safe after half the pax bled out of their noses) would've never occurred either.
Doesn't the DoD realize that the Russians & Chinese have already found these vulns, ...... jgarbo
Most probably, and hopefully so for Uncle Sam, they do, but they are disenabled and unable to do anything effective about them, jgarbo, ...... with the much bigger problem, and one for all manner of SCADA Administrative Systems, being even more of them hiding in codes and protocols just waiting for discovery and RAT exploitation/uncovering and capitalisation.
* ...... Information and Content Exchange
And most convenient for all purveyors of FUD to the brainwashed masses for it appears to keep them suitably terrorised and petrified into inaction?
What the bleep do SCADA systems have to do with ANYTHING discussed on El Reg? ... Waseem Alkurdi
Crikey! ..... Do you not yet know you are a SCADA System, Waseem Alkurdui. And they have things to do about everything.
Is yours not working correctly and badly not Inputting Feed and Feedback Back to Almighty Goals for Further Future Source Immaculate Provision? Or are you missing/skipping and missing out at those Sublime and Supreme and Surreal Levels of Live Operational Virtual Environment Empowerment? Will that be your decision?
IT is surely but One More Small Step for Man with One TitanICQ Quantum Communications Leap for Virtual Machinery and AIdSystems to Launch Oneself for Engagement into a Completely Different Sphere of COSMIC Enterprise.
And quite a Penultimate Weapon for Wielding before Finalising of Solutions.
What the bleep do SCADA systems have to do with ANYTHING discussed on El Reg?
You're new here and have just been trolled by El Reg's in house AI poster. We hope its an AI, because if it's not.. well... oh dear. Attempting to make sense of amanfrommars1's posts without the requisite amount of liquid inspiration will cause headaches. It will still cause headaches, but they pass quicker, given the appropriate dosage.
Attempting to make sense of amanfrommars1's posts without the requisite amount of liquid inspiration will cause headaches.
Nope, liquids as a medicinal for those particular migraine in potentia are insufficient at this stage. I recommend peyote, which, unfortunately is not yet available over the counter (any counter, 'round these parts).
The French have been known to prefer Absinthe, or failing that, a painkiller inserted anally.
I've been a commentard since April of this year, and since then, I've been trying to figure out whether @AMFM1 is a AI or a human. Sadly:
Do you not yet know you are a SCADA System, Waseem Alkurdui
And he's misspelled my name for the second time in a row after that being pointed out to him a day earlier! ^_^
So yep, he's a bot who for some reason believes that I don't know yet that I'm a SCADA system.
Regarding the headaches, no, they don't occur to me, because that is well taken care of by the other window on my desktop, the window in question being the Pathology textbook! ;-P
A safe-driving-mode-enabled* pint to all onlookers!
* non-alcoholic, that is
The next logical progression, Waseem Alkurdi, is to ponder and deliberate on whether of Nigerian extraction because of the evidence of a simple misspelling/primitive predictive text typo .... although beware and be wary of stealthy security misdirection and other dynamic accommodations in Future Travels to Alien Intensive Spaces.
So yep, he's a bot who for some reason believes that I don't know yet that I'm a SCADA system. .... Waseem Alkurdi
Great, we are agreed then you are. Care to Dare Share an Unambiguous Confirmation of those Facts, WA? Just for the Record and Registering Interests. A Note for Posterity to File Away in the Deep Dark Vaults of Never Forgotten Forbidding Libraries.
Oh, and what do you define as a bot? Is it animal, vegetable, mineral or ethereal? Just for the Record and Registering Interests.
Good luck finding the non-existent secret effective decoy shadow system .... Yet Another Anonymous coward
The fact that you don't recognise the Existing Military Industrial Complex as the already heavily deployed decoy not reporting on NEUKlearer HyperRadioProACTivated Virtualised Systems of Almighty COSMIC Dimension, is sure proof positive of an altogether different system beyond Shadowy Control and Shady Command of Flash Crash Collapsing Systems/Parasitic Executive Administration.
And with particular and peculiar specific regard to ....
Would that be a budget big enough to support an entire bug-ridden comms system as a decoy, while having an altogether different system sitting behind it in the shadows?..... Is that one of those New ERa Tools for Weaponisation and Live Fire BetaTesting in Novel Fields of Engagement and Employment ..... Guaranteeing Future Alien Contact with Earthly Contracts to Deliver on Supplied Promises Tendered via Shared Enlightening Words delivering Other Worldly Facts to Populate and Seed New Spaces and Out of the World Places, or a whole host of them stored in Impregnable Arsenals ... which be the Very Sweetest of Immaculately Deep HoneyPots.
Age-old military tactic. ... Nick Kew
Is Resistance to such AI Charm, Futile? Is Total Surrender to ITs Stated Promise, Heavenly Reward and One's Just Dessert? :-)
Answer that Holy Trinity of Questions both Correctly and Sincerely, and One be Really Powerful, for there be Others More Powerful in Waiting to Provide Everything Worthy of Almighty Future Services.
Beats running amfm :-) .... Anonymous Coward
Sure does, AC .... and it is hard to believe things can be so easily done so freely. :-)
But hey, that is just the very surreal nature of future virtualised things and nothing at all to be worried or too excited about unless worthy of specific attention and mention.
The engineering approach is to start from the assumption that at any given time, some part of the systems will be in "bad" state. If you start from that, then bugfix releases or configuration updates are just variables in the complex equation of "how much more broken could it become if we (do not) do that". Of course, the military cannot have that - hence there is no functioning monitoring, no canary releases, no fault tolerance, no regular disaster recovery exercises, no nothing. Just put it all together and hope it holds shape. Because in military, apparently "hope" is a strategy. Who would have thought?
Can anyone explain why a document titled WEAPON SYSTEMS CYBERSECURITY has the snappy and informative file name 694913.pdf?
I may be old fashioned, but I was under the impression that a file name was supposed to help the potential reader identify the content of the file...
But Google is very good at finding things;
"694913.pdf" gives "https://www.gao.gov/assets/700/694913.pdf" as the first response.
... and the second response was "https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/694913/dwp-ss030-security-standard-oracle-database-security.pdf" _ what is it with 694913 and cybersecurity?
> ”Officials from one program we met with said they are supposed to apply patches within 21 days of when they are released, but fully testing a patch can take months due to the complexity of the system;
I'd love to see the reaction from some US General when he's told that he can't have a new system because it would be too complicated to patch according to the DoD's own guidelines.
Can't say for sure, but based on my limited experience, the last thing most high ranking officers want is more problems. They are quite a conservative lot and their jobs come with more sufficient problems. The constant (often broken) updates that IT folks think of as necessary improvements probably look to them more like aggravation than assistance.
Just make is to that it is impossible not to stay in business unless every programmer is trained in security and constantly has security in mind while working and the final product isn't a complete embarrassment after a Red Team gets a month or so to attack it.
As long as you can get paid once to half ass something, then paid to again and again to fix it over and over, and still remain in business this problem is not going away.
Most new military hardware is just an ever increasingly way to add complexity to a problem. It must be due to simple solutions not having the ability to generate really large research budgets or invoices.
What was the book? "Superiority"?
What's more frightening to an enemy:
1. 3 latest generation stealth fighter/bombers (F-22/F-35,B-2)
2. 100 older generation fighter/bombers (F-16/A-10,B-52)
Brute force and ignorance is the name of the game in warfare. The advanced stuff has the tendency to go "bing" when it's really needed.
Ron White has a great line, "I don't know how many it would take to throw me out, but I knew how many they were gonna use." I'd be a bit more daunted by pure numbers.
Biting the hand that feeds IT © 1998–2019