Slashdot Mirror


Bush Wants an Unhackable Private Network

Slur points out an article at the New York Times which says that the "Bush administration is considering the creation of a secure new government communications network separate from the Internet that would be less vulnerable to attack and efforts to disrupt critical federal activities," writing "It seems to me money would be better spent getting the next-generation Internet going, for the government to fund more of the existing research and standards boards to create protocols that are invulnerable to the kinds of attacks the government seems to fear, namely massive DOS attacks. Or is there something else a 'net terrorist' could do to 'disrupt the vital flow of information'?" Isn't hard-to-disrupt communication the reason that DARPA got involved in this "Internet" business anyhow? Update: 11/19 22:48 GMT by T : This was mentioned before a little while ago when USA Today wrote about the same concept, but apparently a Digital Pearl Harbor is still being flogged.

14 of 365 comments

  1. GOVNET analysis from Bruce Schneier by st.+augustine · · Score: 5, Informative

    Bruce Schneier has an informative story about this in the November 15 CRYPTO-GRAM, including some of the pros and cons. Basically, he says it would be better than what they have now, but still not all that great (he points out that the government already has several separate, secure internets, for various purposes, and they were still infected by Melissa and LoveLetter). And that this is one of the few cases where security and convenience might really be inversely proportional.

    --

    -- Some things are to be believed, though not susceptible to rational proof.
    1. Re:GOVNET analysis from Bruce Schneier by Philbert+Desenex · · Score: 5, Interesting

      the government already has several separate, secure internets, for various purposes, and they were still infected by Melissa and LoveLetter

      Now that's something we didn't see on C|Net.

      I worked in the aerospace industry from '86 to '92. Every big defence contractor had one or more classified IP networks. Unfortunately, the security measures imposed were sort of stupid: the ethernet cables of the classified net had to be at least so many feet from a phone line (they were worried that induced voltages from ethernet would allow someone on the phone to "tap" the classified net), keyboards attached to computers attached to the classified net couldn't be traded out to unclassified areas, and had to be elaborately destroyed when they broke. At the same time, you could walk through checkpoints with pockets full of floppies.

      It was as if a Korean War Drill Instructor dreamed up ways to actually impede using the classified network, but at the same time allow (possibly) classified information in and out of the building.

  2. Already exist by firewort · · Score: 5, Informative

    Bush may not know it, but these already exist in the form of SIPRNET, and INTELNET.

    SIPRNET

    SECRET INTERNET PROTOCOL ROUTER NETWORK

    SIPRNET will replace the DSNET-1 during the migration to DISN. It operates at the SECRET Collateral level and can interface with the TROJAN network. It provides higher and selectable data rates at a much lower O&M recurring cost. Inter-site data rates are 512 Kbps and in some cases T-1. Users can connect to the network at selectable data rates that meet the need.

    INTELNET

    NAVAL INTELLIGENCE COMMUNICATIONS SYSTEM

    The NICS is designed to consolidate Naval Intelligence communications systems. The system has three parts. INTELCAST plan calls for each FOCIC or Facility to consolidate up to 12 different message traffic circuits, including OPINTEL, MUSIC, FIST, and DODIIS through INTELDATA extended in an SCI LAN Extension and Stand Alone capability configuration. The SCI LAN encompasses a full suite of SOCRATES equipment, including workstations, secondary imagery dissemination systems, and a mapping and graphics capability. The Stand Alone capability provides a workstation with tailored data bases specific to unit operational orientation. Stand Alone capabilities are being provided to Guard and Reserve units as well as to certain active, lower-echelon units.

    NIPRNET

    UNIFORM INTERNET PROTOCOL ROUTER NETWORK

    The NIPRNET is the consolidation of several service/agencies networks (AFNET, NAVNET, MILNET) with common protocols and standards. It is a product of the DISN near Term Program, which sought a reduction in cost of operation through interoperability and standardization. Connectivity over high-speed trunking is supported by the NIPRNET. It operates at the unclassified level, while the SIPRNET supports classified networks in a similar manner.

    --

  3. In the beginning by Dirk+Pitt · · Score: 5, Insightful
    It seems to me money would be better spent getting the next-generation Internet going


    It seems to me this would evolve just the way the Internet did before; it would at first be used just by government agencies, next given to the large defense contractors, eventually adopted by the research universities, and then swallowed whole by Joe Public. This, IMHO, is the best way to get the next-gen Internet.

  4. Sign Says "Hack Here" by Anonymous Coward · · Score: 4, Interesting

    Wouldn't creating a wholly separate network for restricted traffic be a bit counterproductive?

    I mean any spy/hacker who found a physical location to hack into it (i.e. tapping into a line on a phone pole or at a phone company switch) would find *everything* on that network to be of interest. In essence they would have hit the jackpot for illicit information. We're kind enough to organise it away for them.

    True it would probably prevent 15 year old script kiddies from casually hacking in at home, but it would make any break into that 'other' network an all the more catastrophic prospect.

  5. There are Always Inside Jobs by Ieshan · · Score: 5, Insightful

    What he's asking for is like asking for poison-free food. Sure, the ovens can be locked and the food can be tested over and over, but the cook is still there.

    The only conceivable way to do this is to either:

    a) Eliminate Government Data Access to All But the Highest Officials (which still poses the same problem, in theory) or
    b) Eliminate the network altogether.

    Bush is asking for something that isn't possible because social engineering and the "inside job" is the oldest way to hack any system of anything. Hacking didn't start with computers, bank vaults, locks, jewelry stashes... they were all done in the past with inside work.

    It's impossible because of human error and human presence.

  6. Great opportunity by ez76 · · Score: 5, Funny

    Perhaps in the spirit of bipartisan cooperation, he could contract Al Gore to invent one?

  7. Why not demand IPv6? by pdqlamb · · Score: 4, Insightful

    None of the major backbones are willing to provide IPv6 connections. The U.S. Government contracts out almost all of its long-haul communication requirements. They used to get AT&T to build underground bunkers for them, but now they get nothing. Why not start by requiring IPv6 in all government RFPs/RFQs for long-haul comm? That should provide an instant market to kick-start IPv6, complete with all the security features that have already been designed.

  8. Fear the Backhoe by The+Dev · · Score: 5, Funny

    If the current telco and internet infrastructure is any example, their efforts will do no good. A dozen terrorists with rented (or commandeered) backhoes in select locations could cause massive disruptions in the Internet (and therefore the economy). Miss Utility could even be an unwitting accomplice.

    Don't even start with "physical diversity blah blah blah". The fact that your physically diverse circuits aren't has been proven time and again by the mighty backhoe/flaming hazmat car/junior achiever.

    Of course some improvements to BGP wouldn't hurt either.

  9. Re:Grow up, Georgie by dougmc · · Score: 4, Funny
    Feel free to hack into my home network. Its IP range is 192.168.0.1 - 192.168.0.13.
    Already done. My login and password are so ubiquitous that they work on these systems as well!

    Alas, they don't seem to have any mp3s or warez that I don't already have. Bummer.

  10. Re:answer Re:question by man_ls · · Score: 5, Interesting

    According to The American Institute of Physics in their Physical Review Letters journal article "Resilience of the Internet to random breakdowns" (19 Oct 2000) [a copy of this article is available in .pdf from my personal web page on the left side bar for your reading pleasure], the Internet could lose 99% of its nodes, and still maintain routability. The content lost in those 99% of nodes is another matter, but the Internet would not segment until over 99% of the routing nodes were removed. That's pretty impressive.

  11. Re:Mae West/East by Arandir · · Score: 4, Interesting

    If it were just Mae West going down we could manage. That's how the internet was designed. We'll have some inconveniences and crap, but the internet will still operate just fine.

    The problem is all of the servers that are colocated there. Stupid stupid stupid.

    --
    A Government Is a Body of People, Usually Notably Ungoverned
  12. Re:Grow up, Georgie by Cally · · Score: 4, Informative

    Feel free to hack into my home network. Its IP range is 192.168.0.1 - 192.168.0.13.


    How wonderful, someone who still thinks NAT equals security!

    I'm not going to spell it out to you, but I suggest you:

    1. Tighten up your firewall rules immediately. (You ARE running a firewall, aren't you?) and

    2. Start checking your IDS logs closely for the next few days. (You ARE running an IDS, aren't you?)


    OK, if you want further hints for your googling: firstly, look for `arp poisoning Dug Song MitM'. Then search the Bugtraq, and perhaps the sec-focus Pen-testing list archives, for info about how to own the OS/platform you're NATing with (ie if you're NATing thru Linux, I mean the Linux box.) Remember to check for known vulnerabilities in the services that show up when you nmap your external interface. Yeah, of course you're completely up to date with all current patches, but I bet that there was a window of vulnerability before you applied each one...

    In general, boasting on Slashdot about how secure one's network is, is a BAD idea.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  13. Re:Already exist, doubt it'll work by budgenator · · Score: 4, Insightful

    Remember JINTACCS? I doubt it, it was a messaging system, actually kinda like XML. It allowed an Army soldier to do things like call in Naval gunfire. On the lowest level it was a fill in the blank paper, then read over voice radios, at the higher levels a computerized intercommunications protocol.

    Actually it was a good system, not perfect but good, but it was murdered. They did this by teaching it. They didn't start with the easiest and work to the hardest, they taught the hardest first so the average pvt Joe Snuffy got hopelessly lost. They actually taught me how to report the laying of a naval mine field, I was in a light infantry organisation at the time, that report was for Naval ships' Captains. This happened because the middle management types really didn't want to lose their turf. I think the same thing is going to happen here.

    To us it's easy, blow some fiber, install some routers between facilities, gateway to some secure satellites and maybe change the networking code enough to make the civilian stuff incompatible. Add in an armor plated authentication, distr the software to authorized users and you're done right? Well the Army won't like working with the Marines, DOD won't like working with DOJ, and Intell won't even like working with themselves.

    The only good thing I see from this is sooner or later some of the research is going to trickle down to us and be useful.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds