Slashdot Mirror

Back before the days of cell phones, judges could give prosecutors the ability to (1) break into someone's house, (2) install a device like these and then collect data.

You could also take someone's smart phone, root it, and install a surveillance software (with the same due process above). Even with encryption, if I have access to your phone (and it's unlocked -- figuring out a 6 key pass-code by spying isn't exactly James Bond's hardest mission) I would have access to your private key to decrypt said messages.

What law enforcement wants here are not the old rights they've always had -- but new ones. As the late Antonin Scalia wrote for the unanimous court regarding the unconstitutionality of planting a GPS device without a warrant:
“What we apply is an 18th century guarantee against unreasonable searches, which we believe must provide at a minimum the degree of protection it afforded when it was adopted,”

Any military power using anything from Microsoft.

You laugh, but this has already happened with catastrophic results as expected: https://gcn.com/Articles/1998/...

https://gcn.com/articles/2017/...

https://www.samba.org/samba/se...

> What does Windows power ? Desktops and a few web servers.

Also Navy ships.

Look at what they did to the USS Yorktown!

True - MS products aren't known as stable reliable systems. Hell, MS OSes even left a whole Navy ship disabled, so why would you think an entertainment system nearly 20 years later would be any better? Their OS hasn't changed measurably underneath the covers, other than lots of bandaids.

• Problem statement from DHS: In the current environment, information technology systems are built to operate in a relatively static configuration. For example, addresses, names, software stacks, networks and various configuration parameters remain more or less the same over long periods of time. This static approach is a legacy of information technology systems designed for simplicity in a time when malicious exploitation of system vulnerabilities was not a concern
• Solution approach from DHS: Moving Target Defense (MTD) is the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts. MTD assumes that perfect security is unattainable. Given that starting point, and the assumption that all systems are compromised, research in MTD focuses on enabling the continued safe operation in a compromised environment and to have systems that are defensible rather than perfectly secure.
• “[MTD] Enables us to create, analyze, evaluate, and deploy mechanisms and strategies that are diverse and that continually shift and change over time to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency.” – Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program published by the Executive Office of the President, National Science and Technology Council, December 2011
• Links to additional reading material
  1. 1. DHS overview: https://www.dhs.gov/science-an...
  2. 2. Morphisec's blog on MTD: http://blog.morphisec.com/movi...
  3. 3. Details on Morphisec's solution (one of many in this space): http://www.morphisec.com/how-i...
  4. 4. The "Morphinator" project sponsored by the Army for shape-shifting networks: https://gcn.com/articles/2012/...
• It is the combination of at least 6 key initiatives that will fundamentally disrupt and transform the cyber defense capabilities of our critical infrastructure and beyond:
  1. 1. "Shift left" by applying Continuous Delivery, Architecture-as-Code, and other

Defence against 'computer network attacks', that would be like trying to stop their Microsoft Windows computers being hacked. No one in their right minds would put Microsoft Windows anywhere near a war domain. Have they that short a memory:

Software glitches leave Navy Smart Ship dead in the water

Technical Analysis of the August 14, 2003, Blackout:

Slammer worm crashed Ohio nuke plant network

This happened, but it was considered "operator error" as someone put in a 0 and then the system crashed as it couldn't divide by zero. Personally, I see this as a "design error" that it allowed anyone to put in an invalid number in the first place, but that's just me.

These people didn't argue so the fine becomes formal. That's how the process works,
but it neither makes the fine appropriate nor does it set followable precedent.

You can rest easy that "CTS" (the Chinese firm -- not its real name) will continue to sell
the jammers under many many other names and the amount they will pay the FCC will
be somewhere around $0.

You can rest easy that just like prisons want to use cellphone jammers https://gcn.com/articles/2013/...
so too do beat cops who stop a motorist on the road. That way they can prevent that
"call to the lawyer" that might help preserve the rights of the individual.

When law-enforcement plays with these toys, that means they too are interfering with
legitimate signals and communication. That takes all the hot air out of the FCC's
"think of the [adult] children [communicating]!" message.

Nobody will pay a fine.
Cellphone jammers will become more ubiquitous... like drones [UASs] only not so popular.
But hey, headlines.

Ehud
Tucson AZ

Folks, in case you didn't already know this, you don't want to be too rude to these people even though they're in prison. They have phones and they have friends on the outside, and they know who you are and where you live.

http://www.myajc.com/news/news...

Also, the FCC has been a endless obstacle to blocking prisoner's phone calls.
The fear is that cellphone jamming might interfere with people driving by the prison yakking on the phones, or maybe the employees might want to use their phones. I suppose it's a good thing that people talking while driving takes precedence over blocking crimes.

Maybe this will help.
https://gcn.com/Articles/2013/...
Someday.

Redhat's success really has little to do with open source, other than they could take advantage of the fact that someone else created the Linux kernel for them and they could build on that.

Who funds Linux development? RedHat: 11.2%

Think about the nave ending up forced to use "Windows for warships".

Heh, that takes me back: https://gcn.com/Articles/1998/...

I hope it's not running Windows... like the last time

Windows had nothing to do with it. Application software controlled the equipment, not the operating system. If an application fails to validate data coming from a database, if it fails to handle an exception like divide by zero, then the application crashes and the equipment is not available for use. Windows or Linux makes no difference.

I hope it's not running Windows... like the last time

I'm sure that given time and money, there could be a Windows variant that did the job.

That is far from certain. Microsoft's adventures in similar areas often end in tears.

The DISA STIGs and USGCB standards are used by many government agencies, not just the DoD. http://gcn.com/articles/2015/0...

Software glitches leave Navy Smart Ship dead in the water

a database overfow error (resulting from a divide by zero operation) caused the ship's propulsion system to fail.

The Yorktown Affair

How about sense-and-avoid in combination with ADS-B? This article suggests that people are working in that direction.

So, Microsoft is a threat then? ;-)

Must be the OS?

All of those are valid points.

However, some of us are old enough to remember stuff like this:

The Navy's Smart Ship technology may not be as smart as the service contends.

Although PCs have reduced workloads for sailors aboard the Aegis missile cruiser USS
Yorktown, software glitches resulted in system failures and crippled ship operations,
according to Navy officials.

Navy brass have called the Yorktown Smart Ship pilot a success in reducing manpower,
maintenance and costs. The Navy began running shipboard applications under Microsoft
Windows NT so that fewer sailors would be needed to control key ship functions.

But the Navy last fall learned a difficult lesson about automation: The very
information technology on which the ships depend also makes them vulnerable. The Yorktown
last September suffered a systems failure when bad data was fed into its computers during
maneuvers off the coast of Cape Charles, Va.

Call it a well earned cynicism.

Investigators from the House Ways and Means Committee interviewed IRS technicians Monday.

The federal IT sector is heavily outsourced -- the investigators should be looking to see which firm(s) provided IT services to the IRS in 2010 and bringing those firms in. There should have been contract documents specifying requirements about backing up email servers.

This part is also laughable:

Lerner’s computer crashed in the summer of 2011, depriving investigators of many of her prior emails. Flax’s computer crashed in December 2011, Camp and Boustany said.

Sorry, but federal government IT standards in 2011 required that PCs run XP or Win-7. Even a Linux and BSD guy like myself knows that XP was reliable enough that it is extremely unlikely that both of their computers crashed with data loss.

I can't find the specific federal IT standard that was in place during 2011, but it did require the use of Windows XP or later. Here's a September 10,2009 article titled: "Federal agencies prepare to make the leap from XP to Windows 7": http://gcn.com/articles/2009/0...

Oh don't be silly, that kind of thing would never happen for real.

I know this because a client I once consulted for, sold 400,000 licenses for their Windows product to the Navy.

Windows isn't so bad if it's properly locked down, but it's not really possible to do that unless all of your application are Windows Logo-compliant, for example they don't store end-user documents in the Program Files folder. I expect the military has a lot of homebrew software they absolutely need to use, that prevents Program Files from being locked down.

Also everyone who actually administrates a windows box, has to actually know how to lock it down.

• USS Yorktown Dead In Water After Divide By Zero

The Navy's Smart Ship technology is being considered a success, because it has resulted in reduced manpower, workloads, maintenance and costs for sailors aboard the Aegis missile cruiser USS Yorktown. However, in September 1997, the Yorktown suffered a systems failure during maneuvers off the coast of Cape Charles, VA., apparently as a result of the failure to prevent a divide by zero in a Windows NT application. The zero seems to have been an erroneous data item that was manually entered. Atlantic Fleet officials said the ship was dead in the water for about 2 hours and 45 minutes. A previous loss of propulsion occurred on 2 May 1997, also due to software. Other system collapses are also indicated. [Source: Gregory Slabodkin, Software glitches leave Navy Smart Ship dead in the water, Government Computer News, 13 Jul 1998, PGN Stark Abstracting from http://www.gcn.com/gcn/1998/Ju... ...

``Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor,'' said Anthony DiGiorgio, a civilian engineer with the Atlantic Fleet Technical Support Center in Norfolk.

Title copied from Boing Boing, and the article there is full of hyperbole. T3 is providing digitization to the over 1 million physical media, organize and catalog everything, and then will charge a fee for access (however access for authorized government personnel is FREE). T3 is NOT claiming copyright, they just have an exclusive license for 10 years.

Check this out:
300,000 physical videos (300,000 hours!)
37,000 films (11,000 hours)
40,000 audio clips (1.5 million minutes)
700,000 still images
1.2 million digital images.

Seems reasonable to me. HALF the library is not even accessible on the internet as they are physical only. This is a good way to preserve what has been accumulated, and a lot of it is very old.

A much better summary is here:
http://gcn.com/articles/2013/12/12/dod-library.aspx

Like releasing the same document twice, with different redactions? http://www.aljazeera.com/humanrights/2013/08/2013851618340986.html
Or information on an Iraqi shooting? http://gcn.com/articles/2005/05/13/pdf-user-slipup-gives-dod-lesson-in-protecting-classified-information.aspx
Or when the TSA published their 'classified' handbook? http://www.wired.com/threatlevel/2009/12/tsa-leak/
Or when the UK revealed their nuclear submarine secrets? http://www.bbc.co.uk/news/uk-13107413

Oh, that they already missed back in 1998, the case of the USS Yorktown... http://gcn.com/articles/1998/07/13/software-glitches-leave-navy-smart-ship-dead-in-the-water.aspx
The problem is as always: the smart old guys has retired and the new guy need to show that he can do better than the old guy.

Yes, people are using Ada, in fact, it's been making a quiet comeback. Ada is the #16 most popular language according to the TIOBE programming language survey of November and December 2012, an increase from #19 in November 2011. Keller reports that by 2000 Ada use had decreased and then increased again. It's not huge compared to C or Java, of course; its use is focused in certain domains. In certain communities, such as aviation software, it continues to be a popular language and has been credited with helping to produce high-quality software within time and budget.

Historically, Ada was developed by the Department of Defense (DoD), and the DoD tried to make it the one and only universal language . An NRC report on Ada talks about this. Fundamentally, trying to make one language do everything was a bad idea, and predictably failed; there is still no one language that can be all things to all people, even many years later.

Ada isn't a complex language by today's standards, but it has a lot of "pickiness" that means you have to obey more rules. Is that a good thing? Well, you first have to understand what it was designed for - and then decide if that design is what you want.

Ada focuses on software that needs high reliability and yet absolutely no compromise of performance. If reliability isn't really all that important to you, or you can give up a lot of performance, then Ada's trade-offs may not work for you. For reliability, it has a strong typing system, and you have to use generics (etc.) instead of just saying "shut up and trust me" a la C. For performance, it doesn't mandate automatic garbage collection (as compared to Java or Python). Ada shines when you're writing programs that will could un-intentionally kill people if the program is wrong or takes too long. Think airplane flight controls, train systems, medical systems, that sort of thing. A lot of Slashdot readers have never tried to write software that could accidentally kill people, and thus can't understand why you might want a "picky" language like Ada. If your response to "it has a bug" is just "install this patch" maybe another language would be fine. But when mistakes can kill, having a language that helps prevent them can be literally a lifesaver.

NIST statistics show that over half the agencies have made "no progress" in their IPv6 deployment. It is good that the government is doing this, but too many agencies are asleep at the wheel. It does no good when the agencies will not do what they are required to do.

Did you even RTA? and your going to do this EVERY time you type sensitive data?

If so, try reading this one: http://gcn.com/articles/2011/10/18/smart-phone-sensors-steal-keystrokes.aspx

... also find it hard to believe that we can detect planets around stars which themselves are barely visible; or subatomic particles...

Couldn't have said it better myself.

Also if you find the above hard to believe then you're never going to believe this: http://gcn.com/articles/2011/10/18/smart-phone-sensors-steal-keystrokes.aspx.

Well, this article indicated it's less than 2%: http://gcn.com/Articles/2011/08/10/ECG-Windows-7-Top-Selling-OS-by-End-of-2011.aspx?Page=2

Nothing against Linux, I use it and have installed it on other's computers, but it's extremely niche for the desktop.

Also, listening to investor demand? There's no accountability to Kickstarter, you don't become a chairman of the board by donating $15.

They ARE different when it comes to data. AT&T and T-Mobile don't offer real 4G. Sprint doesn't cap data use or throttle you. Verizon has real 4G and the largest, fastest 3G/4G cellular data network.

This is actually very incorrect. No one offers true 4G, period. The FCC bumped the legal definition of it down significantly because of lobbying from the cell carriers so that they could advertise like they have "4G" when in fact they have improved 3G.

Refer to this article (it is from last year, but I believe most of it is still true): http://gcn.com/articles/2011/01/13/what-is-4g.aspx
Another article (From this year about it): http://www.rethink-wireless.com/2012/01/23/itu-confirms-official-true-4g-standards.htm
And of course, Wikipedia awaaaaaaaaaaaaaaaaaaay! http://en.wikipedia.org/wiki/4G

So no, don't buy the cell phone companies' BS about them having "4G" when they are not hardly halfway to what the actual standard dictates.

Oddly enough, you know what also creates efficiencies, good security/IT practices.

One firm I was working with was already undergoing HIPAA and SAS 70 audits regularly because they work with medical data. My government agency customer needed them to get up to government IT standards for security (FISMA/NIST). We made them think about their Contingency planning and their policies a lot more than they ever had in the past.

The company is a small business but was making money and buying up other small businesses, each time they did they absorbed another irregular IT department. Instead of trying to continue with 8 different IT departments they re-used a lot of the work they did for us and standardized their IT practices across the company.

At some size level they would have reached that conclusion anyway. Other than the things I pointed out most of the effort involved with bringing them up to speed was documenting/taking credit for what they already did.

You could also look at the State Department's white paper on their new metrics based IT Security, and how they acheived greater control over their hundreds of independently operated embassies and saved money doing it.
http://gcn.com/articles/2009/11/12/state-department-it-security-pilot.aspx

I was a SANS class going over the Critical Security Controls methodolgy, same kind of methodolgy State used, a lot of private industry was there.

I am sure that won't be an issue shortly. The Department of Defense is already moving toward a switch to Android with "secure" smartphones. RIM is losing its corporate base...and more importantly, now they are losing their lucrative government base.

I heard last year that first responders are trying to hang onto a chunk of radio spectrum that the telecoms want. I don't think it was really about encryption so much as making sure that it could do trunking correctly - units could bring in radios across the country and have working interoperability. Encryption is its own ball of crazy. I for one would rather have the fire fighters have better radios, the fuzz can generally get good radios if they want them.

This is apparently the "D Block" which is next to existing 700MHz public safety frequencies.
http://gcn.com/articles/2011/03/31/first-responders-public-safety-d-block-spectrum.aspx
later: http://www.nydailynews.com/blogs/dc/2011/06/911-first-responder-radio-bill-clears-committee

I think you've hit the nail on the head. Any decent large-scale eavesdropping facility like, oh, I don't know, the one the NSA is building in Utah will be scanning VoIP traffic for audible triggers ("bomb" "whitehouse" "boom") and will certainly notice when the nominal codec doesn't match the payload. Such traffic will certainly be flagged for closer inspection.

Just think, what, forty years ago he designed a programming language in order to port an operating system that would eventually run on everything from PDP-11's through cell phones, so they could play a computer game on (then) new hardware.

It's not just that C is the second most common programming language: Most of the other languages are actually written in C. That includes Perl, Python, and PHP.

Not only that, but realistically you have to count embedded systems, not just personal computing devices. By that measure, C is still by far the most popular programming language on the planet.

Just think, what, forty years ago he designed a programming language in order to port an operating system that would eventually run on everything from PDP-11's through cell phones, so they could play a computer game on (then) new hardware.

It's not just that C is the second most common programming language: Most of the other languages are actually written in C. That includes Perl, Python, and PHP.

That is interesting.

This mess has probably not changed much. It was ongoing in 2007:

http://gcn.com/Articles/1995/09/18/Troubled-AF-systems-are-kept-alive-by-generous-lawmakers.aspx

These business are probably mom and pop shops or startup hipsters who'll never run anything more enterprisey then Outlook on the Macs.

No. Of course not. Nobody seriously uses Macs (or is currently studying same) in a large-scale deployment. And of course, this doesn't even count the countless educational institutions (from K through college) and R&D (pure science) labs that have each used dozens to thousands of Macs for years. If you think those don't count as "enterprise-scale" deployments as well, you're delusional.

The GSA themselves have declared that Google's product is indeed FISMA certified ( http://gcn.com/articles/2011/04/14/google-fires-back-on-fisma-certification.aspx and http://www.businessinsider.com/dear-microsoft-you-owe-google-an-apology-2011-4) so Google's original argument that the Department of the Interior did not give Google fair consideration when selecting their vendor as Microsoft did not have FISMA certification is still valid. From what I understand, all this does is put more egg on Microsoft's face (along with the officials involved in vendor selection at the Department of the Interior).

If you want to make fun of something, how about the fact that they NEVER made a Pentium Pro laptop.

Never say never! "PGI’s Condor Applique+ is a rugged, dual 200-MHz Pentium Pro notebook with 64M of RAM, expandable to 512M, and a 2.4G hard drive, in a removable, shock-resistant cartridge.The Condor has a detachable keyboard and a 10.4- or 12.1-inch touch-screen display that can be viewed in full sunlight." c/o http://gcn.com/articles/1998/08/31/army-finishes-tests-on-two-combat-notebooks.aspx

Sony is going to run into a full Streisand Effect backlash with this new attempt to expunge the net of any trace of the very mention of this hack existing.

Sony, WTF, Remember the 80's? Remember when Sony was sued for helping people infringe copyright by selling Betamax VCRs?
Sort of like how the "Beta can be used to make illegal copies" lawsuit alerted more people that such could be done and Sony sold a bit more units because of this newly publicised use-case.

Sony Inc. v Universal Studios:

The Court's 5-4 ruling to reverse the Ninth Circuit in favor of Sony hinged on the possibility that the technology in question had significant non-infringing uses, and that the plaintiffs were unable to prove otherwise.

On the question of whether Sony could be described as "contributing" to copyright infringement, the Court stated:

[There must be] a balance between a copyright holder's legitimate demand for effective - not merely symbolic - protection of the statutory monopoly, and the rights of others freely to engage in substantially unrelated areas of commerce. Accordingly, the sale of copying equipment, like the sale of other articles of commerce, does not constitute contributory infringement if the product is widely used for legitimate, unobjectionable purposes. Indeed, it need merely be capable of substantial noninfringing uses....

So, now the tables have turned. Hotz is assumed to be "contributing to copyright infringement", however the technology in question has significant non-infringing uses -- (See: The US Air Force's PS3 Supercompter) I would dare the plaintiffs to attempt to prove otherwise.

And what is it about asking for the IP address of those who VIEWED it?

Anyone with the same info that Hotz has is capable of "contributing to copyright infringement" by way of re-publishing the info as Hotz did. Perhaps one of those folks has redistributed the info, and actually has agreed to the PSN terms -- Perhaps they would be easier to sue because of their voluntarily accepting the TOS's legal neutering.

Of course Hotz's case doesn't hinge on whether or not what he does has significant non-infringing uses, but If I were Hotz's lawyers I would be sure to make reference to the Betamax case -- Hotz, much like Sony, has made available something that could help people infringe copyright; In neither case does Hotz's how-to video or Sony's Betamax cassettes require that the users infringe copyright. If someone does infringe copyright using Hotz's info or a Betamax cassette then you don't hold the creator of the tools they used responsible.

For fuck's sake Sony, could you be any more evil and two-faced?

If "Cyberwar" is war, then we should bomb China?

Or Iran has justification to bomb Israel and the US?

While the treatment of WikiLeaks and Julian Assange is important, it's USUALLY misdirection, to divert public attention.

How effective is the (replacment) EO 13526 http://edocket.access.gpo.gov/2010/pdf/E9-31418.pdf or http://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-information

Was it followed by State and DoD? Have NIST/FISMA security guidelines been properly implemented (even yet)?

Are there actual timing considerations, when-leaked, vs when EO 13526 went into force? (Signed: December 29, 2009)

WHY would there be no "alarms" when a PFC accesses an enormous number of documents?

Someplace between a half-million and 3 million people with full access to these documents BEFORE they got to WikiLeaks?

What about "the State Department's Risk Scoring tool"?

STREUFERT: "...the continuous monitoring has something that is an assessment capacity of the organization to deal with outside risk that is never longer than a month and scanning data in fact could be as fresh as 24 hours old." (but are they looking at the RIGHT THINGS)?

Refs: http://gcn.com/articles/2010/03/03/rsa-futue-of-fisma.aspx
            http://www.govinfosecurity.com/podcasts.php?podcastID=276 [John Streufert, State Department Deputy CIO and CISO]
            http://www.darkreading.com/database-security/167901020/security/news/224200410/ninth-state-department-insider-found-guilty-of-illegal-database-access.html [Ninth State Department Insider Found Guilty Of Illegal Database Access - Mar 25, 2010]

For investigation:
http://www.state.gov/m/pri/rls/plans/146301.htm
> For example, weekly reports to senior management are now routed through Microsoft
> SharePoint websites instead of by paper or individual emails. -- August 30, 2010

In case you think this is "picking on Microsoft" ...
http://www.federaltimes.com/article/20101205/IT03/12050306/
> Besides limiting access to Net Centric Diplomacy, the State Department has recently
> suspended SIPRNet access to two classified sites, ClassNet and SharePoint, according
> to the White House. In an apparent reference to those actions, State Department
> spokesman P.J. Crowley said last week that access to diplomatic cables has been narrowed
> across the government "for the time being."

You can't fire people fast enough to keep Windows out of mission critical areas

Ask BP - or the US Navy...

The US department of defence also owns a ground reception station for their exclusive use (the network can also make calls between phones without going via a ground station)

http://gcn.com/articles/1998/11/09/disa-establishes-portal-for-telecom-satellite-system.aspx

C'mon. The jackass is hired to be Microsoft's number on apologist. His office can now be abused to cover the situation up. If he admitted to the cyberwar that has been going for two years at least, then he'd open the door to an investigation of the situation the US finds itself in and how it got there. He and the other Microsoft party members would find themselves in very hot water, fast.

Besides, with all the Microsoft products permeating even military bases, it's not a war it's nasty beating.

It's only a war if it's possible to fight back. The US is permeated with Windows, which is a system designed to be taken over back door or outright bad design security hole. There's no reason why any Microsofter, from your average asshole MCSE on up to the party chairman Bill Gates should be walking free. It's one thing for them to be racketeering and destroying the US' ability to compete in research or industry. It's an entirely additional problem once it affects national defense and standing. From Bill's party, we've already had a sampler of navy ships dead in the water, power blackouts, disaster recovery clusterfucks, air traffic outages, and many hundreds of billions of malware damage.

C'mon. The jackass is hired to be Microsoft's number on apologist. If he admitted to the cyberwar that has been going for two years at least, then he'd open the door to an investigation of the situation the US finds itself in and how it got there. He and the other Microsoft party members would find themselves in very hot water, fast.

Besides, with all the Microsoft products permeating even military bases, it's not a war it's nasty beating. The US is permeated with Windows, which are systems designed to be taken over back door or hole. There's no reason why any Microsofter, from your average asshole MCSE on up to the party chairman Bill Gates should be walking free. It's one thing for them to be racketeering and destroying the US' ability to compete in research or industry. It's an entirely additional problem once it affects national defense and standing. From Bill's party, we've already had a sampler of navy ships dead in the water, power blackouts, disaster recovery clusterfucks, air traffic outages, and many hundreds of billions of malware damage.