Security Flaws Could Cripple Defense Network
userexec wrote to mention an FCW.com article about the uninspiring future for the Missile Defense System's software. The developers are apparently very worried about poor information security on the project. From the article: "The report said that neither MDA nor Boeing officials saw the need to install a system to conduct automated log audits on unencrypted communications and monitoring systems. Even though current DOD policies require such automated network monitoring, such a requirement 'was not in the contract.' The network, which was also developed to conform to more than 20-year-old DOD security policies rather than more recent guidelines, lacks a comprehensive user account management process, the report said. Neither MDA nor Boeing conducted required Information Assurance (IA) training for users before they were granted access to the network, the report stated."
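The two gaps the report names, no automated log audit and no user account management process, are exactly what a small scheduled audit job catches. The following is an added illustration, not code from the article or from the program it describes; the sshd-style log lines, the account roster and the rule names are constructed for the example.

```python
"""Minimal automated audit of successful logins, checking them against an
account roster.  Added example: log lines and roster are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines (not real data).
SAMPLE_LOG = """\
Mar 01 08:00:01 gw1 sshd[100]: Accepted password for ops from 10.1.1.5 port 5000
Mar 01 08:00:40 gw1 sshd[101]: Accepted password for ops from 10.1.1.9 port 5001
Mar 01 08:02:10 gw1 sshd[102]: Accepted password for jdoe from 10.1.1.7 port 5002
Mar 01 08:03:00 gw1 sshd[103]: Accepted password for tempuser from 10.1.1.8 port 5003
Mar 01 08:04:00 gw1 sshd[104]: Accepted password for asmith from 10.1.1.10 port 5004
"""

# Constructed account roster: user -> whether IA training is on record.
ROSTER = {"ops": True, "jdoe": True, "asmith": False}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, user, source_host) for each successful login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def audit(log_text, roster, window=timedelta(minutes=5)):
    """Return (rule, user, detail) findings for three account-management rules:
    login by an account not in the roster, login by an account with no IA
    training on record, and one account used from two hosts inside `window`
    (the usual footprint of a group password)."""
    findings = []
    seen = defaultdict(list)  # user -> [(timestamp, source_host)]
    for ts, user, src in parse(log_text):
        if user not in roster:
            findings.append(("unmanaged_account", user, src))
        elif not roster[user]:
            findings.append(("ia_training_missing", user, src))
        for prev_ts, prev_src in seen[user]:
            if prev_src != src and ts - prev_ts <= window:
                findings.append(("shared_credential", user, f"{prev_src},{src}"))
                break
        seen[user].append((ts, src))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ROSTER):
        print(*finding)
```

Run on the sample it reports the `ops` account used from two hosts within a minute, `tempuser` as an account nobody manages, and `asmith` as a user granted access before training.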
The subcontractor they hired to do the programming was called Diebold?
We'll no doubt see "All your missile base are belong to us" written on the system's password file.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
Someone's head is going to roll over this one. The military has been really tight on network security lately, even with contractors. A hole as big as this is simply unacceptable.
Someone save me from this sanity.
Why not contract an Indian company to write it? Or make it a Sourceforge project. That always seems to generate high-calibre, error-free code.
Did you know my dad's dog died?
This does not surprise me at all; after all, we as Americans are quickly proving that we're becoming the bastion of incompetence. From NASA,
to the war in IRAQ,
irregularities in elections,
collapsing health care system,
cronyism in government,
out-sourcing out of hand,
the massive trade deficit,
the fact that communist China, Japan and the UK now help us with our balance of payments,
failing education system,
Katrina... one wonders whether we as a nation can ever do anything right.
Question is: Is there anything, really?
Does this mean the big fat trackball might not respond? Who's going to defend those six cities?
This sig, aah-ah, is comin' like a ghost-sig...
The Missile Defense Agency (MDA) is George W. Bush's name for the Ballistic Missile Defense Organization (BMDO), which was Bill Clinton's name for the Strategic Defense Initiative Organization (SDIO), which was Ronald Reagan's "Star Wars."
How many more $500 USD toilet seats do the taxpayers have to buy before Boeing upgrades their network?
No matter what you do to design a system there will always be some hack who comes along to crap on your project. Just because you think you know better doesn't make it true. It certainly doesn't help that sites like this one jump on every little aberrant report like a pack of jackals.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
system is to get the AI to play tic-tac-toe against itself. I saw it on a documentary ages ago. I think.
Somebody correct me if I am wrong about this, but a system like this should be run in an airgapped environment where external interfaces (radars, etc) are not ones which you can ssh over or anything like that. Most likely every interface into the system will do exactly what it is designed for and nothing else.
People who have access to workstations on the system should need to go through a significant amount of physical security before they are able to do anything. At least that's how similar systems I have seen are run.
http://michaelsmith.id.au
Their plans totally Bombed... I mean seriously, they Blew Up in their faces.
EpiAdv - if you like Pokey the Penguin, try this comic!
I'm sure this will be just as fixable as the Command Navigation Program. Trust the government.
In Soviet Russia, backwards is everything.
"You can count on the same anti-American slashbotism to get modded to 5, adding nothing, really, to the conversation."
Oh, we're getting our revenge. Slashdot's disk array is filling up fast, and we'll need another one soon. So here's to useless conversations, and bad moderation.
This software was probably one of the easiest parts to this whole missile defense debacle. What's worse is that there has been even less success with the hard parts, i.e. actually hitting incoming missiles, or even getting permission from governments such as Canada to even try to hit them over their airspace. Perhaps even harder yet is justifying the need for missile defense at all when the only likely source of a nuclear attack is from terrorists who would most likely smuggle a bomb in through the U.S.'s patchy port security and detonate it from the ground.
I tell you, this is all George Lucas' fault! The missile defense program was once called Star Wars, back when Star Wars was cool. Now the idea of shooting incoming missiles out of the sky is subconsciously linked with Jar Jar Binks in the minds of the nation. Whoopsie!
We'll just make talking about DOD security flaws illegal in Patriot Act 3 and then nobody will know.
It appears Ockham lost his razor and grew a beard.
Security Flaws Could Cripple Defense Network
Drunk Driving Could Be Dangerous
Microsoft Goes Head-to-Head With IBM
Mixing Household Chemicals Could Be Dangerous
notice a pattern? none of these headlines says or means anything. they border between "no $hit" and "duh".
instead of that say-nothing gibberish how about "group passwords threaten MDA's communications network"? see, now the headline says something.
PS, not to be a jerk, just to point out an area where slashdot can be better than the rest.
--iggy_mon - www.ananonymouskiller.com - Die Trying -
Don't worry, Skynet will find a way.
How about Global Thermonuclear war?
"We are all geniuses when we dream"
- E.M. Cioran
...You'd think after the Cylons' infiltration of the Caprica global network that someone would have taken this a little more seriously.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
I'm not surprised in the slightest by the "revelation" in this FA.
The only reason the program exists at all is to hand out taxpayer money to campaign contributors.
And the thousands of American scientists, engineers, technicians and support staff that design and work on these systems. Based on comments like this, you'd think that the government is stuffing shells full of cash and launching them at the enemy. Where do you think these "weapon systems" are designed and built?
Maybe my perspective is skewed. The only job offers (early career engineer) I was able to secure (in a timely manner) were from "big aerospace." If they were not "wasting taxpayer money" on large, risky (read: cutting-edge) R&D technologies, I'd be out of a really interesting, fulfilling job. And unfortunately, until some "other" interesting R&D area (energy would be a good one) is as big a target in the crosshairs of national/international interest, or until I have enough experience to start my own company, I am pretty happy working in the defense industry.
if it's not in the contract, it is fraud for a government contractor to implement an extra feature or add-on to the system because the govt has to pay for the extra expenses (software developers' hours, testing, etc) incurred to make those improvements.
so if the security is bad, and it wasn't in the contract, the only people who can begin to address this are actually the purchasing organization, not the developers. the purchaser **needs** to add these stipulations in the contract or else the contractor legally is not allowed to work on fixing it.
Back in 1983, I saw this great documentary about a teenager hacking into a defense computer. Can't quite remember the name, though...
ta suck a nigga's cock iz slap those bitch-ass titties 'bout, knowhumsayin'? Yo, I SAW that on dem porno vids I sell, brotha. I think.
these are cost plus contracts, if you implement something the government didn't put in the contract, you are making them pay more money for something they didn't ask for.
this is a federal crime, if you do this and the government finds out, YOU GO TO JAIL, dumbass!
the contractor can work with the purchaser to explain why certain features should be added to the contract, but ultimately the customer always has the final decision. even if the govt underspecified the system, the developers all have to follow the contract specifications or they can all suffer criminal penalties for defrauding the government.
I must say this is astounding from a legal services point of view. I've seen defence contracts here in Australia, working at a law firm that works for Defence (and other government agencies). The usual practice is to start with a standard form contract which says something to the effect that the contractor must comply with the Defence Security [Directive / Policy / Determination / etc] dated []. And you always do a search before the final draft for "" and replace with appropriate information if it hasn't already been done. Alternatively a contract will say the latest Defence Security Directive issued from time to time - so the latest one always applies.
So I really find it amazing that this could sneak through... who's drafting this stuff?
Pessimism of the intellect, optimism of the will! - Antonio Gramsci.
If you read the history of the last days of the Roman Empire, it does not read a lot different than this. It was basically power struggles, greed and corruption from within. The foundational requirements of any society is conformance to some agreed minimal ethical and moral standards. When the foundation crumbles the building collapses.
My guess is the MDA was not reading the DOD guidelines on IA http://www.dtic.mil/whs/directives/corres/html/850002.htm (among many other pubs) which is pretty clear. Being a classified mission critical system used for warfighting, they would fit into the MAC I, confidentiality=high baseline.
Let's hope their contract gets recompeted so my company can head over there!
Oh come on, everyone who watches "24" knows that you have to open a SOCKET before you talk to other defense-department computers! And it's really hard to do - all the CTU big-bosses always need to ask one of the geeks in the office to "open a socket to Division". The defense network is SECURE, I REST MY CASE!
Horns are really just a broken halo.
A couple years ago they were booted off the Navy's DD(X) program, due to incompetence/negligence. That program is _huge_. In the space of a couple years they billed millions for work done, but in the end they never actually did anything useful for their money. It's almost unheard of for a contractor of that size to be replaced in a major project mid-contract, but it happened to them. They lost a $billion+ immediately, and will lose many billions more as the military branches avoid them on other contracts. Don't be surprised within the not-too-distant future to see portions of Boeing (or maybe the whole thing) bought out by the other major defense contractors.
In big military contracts the requirements aren't fixed. During development an important part of the process is finding anything that isn't covered by the contract (that's the main job of some of the contractors). All involved parties work to resolve issues and update requirements (and in some cases that can even lead to added funding). Boeing has no excuse for not solving security problems. Military projects always have excessive security requirements, and anybody who says they didn't know is lying.
One weakness in many defense organizations is that so much of policy (IA) is a pain in the ass, but you learn to live with the pain as part of the job. If the people administering accounts, policy, and systems do not appreciate the reasons why the policies exist, they will not enforce them. If you are handed a 150 page procedure to read and sign that you have read it and you need the information access now, what are the chances you skipped the page that says you must do X to do Y? They are very high.
Also, the loss of experienced cold war people (retirement, lay off, etc) means there is little continuity in the business process, worsened by the tremendous growth in the programs and pressure to produce something now. Large programs require a large support staff.
Aerospace work is challenging and offers a low risk of being outsourced, or at least I hope it has a low chance of being outsourced.
Then, you have cases where companies "accidentally" give advanced technology to foreign companies to gain some advantage. Examples are Iridium contractors giving advanced rocket technology to China and Toshiba improperly selling the machines and technology to make submarines quiet to the Soviets back when we were in the cold war.
All this comes down to every engineer and manager enforcing policy.
Yeah, and monkeys might fly out of my behind. The acceleration due to gravity at the surface of the earth may be 9.8 m/s^2. Who's to say?
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Not just GMD, but the whole system of systems including Aegis, THAAD, Airborne Lasers, advanced sensors and more. So in the long run I think MDA is following the right strategy - build stuff quick and refactor as needed. I believe this is far more efficient than spending 20 years on a monolithic waterfall development project.
And yes, overall I think national missile defense is a total waste of money compared to other places we could be spending it. But given it's a real program (and pretty damn cool from an engineering perspective), they are doing the right thing.
Anyone realize that the report was pulled off the IG's website? It was 06-53 according to google. Now it's gone.
I do security
I interviewed with one of these groups last summer. Believe it or not, they told me that they do a lot of sourcing to American companies who foreign outsource (thus staying off the radar as far as foreign outsourcing concerns go)
More significantly, they use COTS software products, some of which are produced and maintained in countries that are likely to be on the receiving end of the target list. It should be fascinating to find out what happens if they ever try using it against one of those countries.
Incidentally, I lost the interview for criticising some of their more glaring security holes. It was a technical architecture position, I thought that was a deliberate omission to see if I knew what I was doing. It turns out that they are not simply too lazy to follow procedure, they are most clearly opposed to it.
Why, I cannot say, but it appeared to me at least that it was pressure from a few key people, rather than a general attitude, most of the low level techies seemed to appreciate the need for more security and were quite frustrated by the lack of concern.
Missile system kills security leaks!
(Sorry, I'm really sorry. I can't stop.)
From the article: more than 20-year-old DOD security policies
So that would put it in the early 1980s... but in the 60s and 70s, the missile launch passwords were all "00000000" (also see here).
$nice = $webHosting + $domainNames + $sslCerts
Having been involved with the Air Force since 1985 and done my share of IA training, I can say it is basically worthless and more or less comes down to "Don't give out your password, or run software from home".
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
There are sourceforge projects that *maybe* two people on the planet earth have accessed, and one of them might be googlebot. It's the perfect place to hide in semi plain sight, just label it an MP3 metadata morpher skin designed to be posix non compliant text console only alpha planning stage and only run on os2 beta or something, and it'll stay hid forever.
...I was reading an article about this a few hours ago. Helicopter insertion into some peasants field. No one there but an old lady baking bread. So what happens? The soldiers and reporters *steal* her bread and walk around looking for weapons caches munching away.
WTG heroes! That'll show 'em! Steal peasants bread! Maybe they got to shoot a few dogs while they were there, seeing as how there weren't any rock throwing nine year old "terrorists" to take headshots at. Or do you prefer a little "detaining" and "rigorous interrogation" first, just for sport?
Give it up. You're just mad because you made the boneheaded mistake of joining up regular instead of going dyncorp or blackwater merc for the large bucks and less rules.
In the '06 and '08 elections, if a candidate for a federal-level race won't commit to ending this pointless, then don't vote for them.
If they do commit to ending the project, send them cash, since they won't be getting any from the defense contractors.
[o]_O
Our problems do not come from a "failure" to socialize medicine. When I was up in Canada, the news was that brain scanners were mostly going to places with powerful politicians. Quebec got an unfair share. Money was disappearing for political reasons. Over in the UK, people are being sent to France for surgery because they'd die on the waiting lists if they didn't go. Here in the USA we install brain scanners (lots of them too) where there will be patients and we don't die on waiting lists for anything other than an organ transplant -- and that only because we made it illegal to pay the dead person's estate.
Our real problems are:
Some of these problems are not really solvable. Economics is what it is, people like new technology, and nobody wants to see their little children die. The lawyers have some mighty lobbyists, but a change would at least be theoretically possible. The same goes for the co-pay insurance system, which could be replaced by a sliding scale or percentage system. (example insurance fix: the patient's payment must increase by at least 10 cents for every dollar of the treatment cost up to "$200 for $2000", then by 1 cent per dollar thereafter)
The Microsoft Effect strikes again...
I used to work for a defense contractor on classified networks. When we stood up a new lab, there was a briefing for all employees with access (AKA need to know). They were told that the SAs (I was one) were the first line. In other words, if we said no, the answer was to be interpreted as "no way in hell". My group, however, was in the minority (we said no more often than we said yes). Every request was checked using the NISPOM. Every software request was extensively checked. Unfortunately, this was the exception rather than the rule. In other areas, the mentality was "that which is not expressly prohibited is allowed", not the DOD/DSS standard of "that which is not allowed is expressly prohibited". I spent 3+ years fighting management over this issue, despite the fact that any "unusual" request to DSS/DOD went through the 3 people (myself included) who had the respect and trust of the officials who were required to approve the request. I also quashed (on one occasion 3x) requests that violated the rules. The rules are there. They make sense. They only work when the people on the ground feel they make sense. I left the environment when the stress of meeting the regulations exceeded the stress of fighting with management. YMMV
And ye shall know the truth, and the truth shall make you free.
John 8:32(King James Version)
and to think we've only spent $10 trillion on the "war on poverty" since LBJ. That sure is working out well..
Any fool can criticise, condemn, and complain, and most fools do. - Benjamin Franklin