Security Flaws Could Cripple Defense Network
userexec wrote to mention an FCW.com article about the uninspiring future for the Missile Defense System's software. The developers are apparently very worried about poor information security on the project. From the article: "The report said that neither MDA nor Boeing officials saw the need to install a system to conduct automated log audits on unencrypted communications and monitoring systems. Even though current DOD policies require such automated network monitoring, such a requirement 'was not in the contract.' The network, which was also developed to conform to more than 20-year-old DOD security policies rather than more recent guidelines, lacks a comprehensive user account management process, the report said. Neither MDA nor Boeing conducted required Information Assurance (IA) training for users before they were granted access to the network, the report stated."
The subcontractor they hired to do the programming was called Diebold?
We'll no doubt see "All your missile base are belong to us" written on the system's password file.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
Why not contract an Indian company to write it? Or make it a Sourceforge project. That always seems to generate high-calibre, error-free code.
Did you know my dad's dog died?
This does not surprise me at all; after all, we as Americans are quickly proving that we're becoming the bastion of incompetence. From NASA,
to the war in Iraq,
irregularities in elections,
collapsing health care system,
cronyism in government,
out-sourcing out of hand,
the massive trade deficit,
the fact that communist China, Japan and the UK now help us with our balance of payments,
failing education system,
Katrina... one wonders whether we as a nation can ever do anything right.
Question is: Is there anything really?
Does this mean the big fat trackball might not respond? Who's going to defend those six cities?
This sig, aah-ah, is comin' like a ghost-sig...
The Missile Defense Agency (MDA) is George W. Bush's name for the Ballistic Missile Defense Organization (BMDO), which was Bill Clinton's name for the Strategic Defense Initiative Organization (SDIO), which was Ronald Reagan's "Star Wars."
How many more $500 USD toilet seats do the taxpayers have to buy before Boeing upgrades their network?
No matter what you do to design a system there will always be some hack who comes along to crap on your project. Just because you think you know better doesn't make it true. It certainly doesn't help that sites like this one jump on every little aberrant report like a pack of jackals.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Why is anyone going to care about a weapon system everyone knows is a dud anyway?
The system has never once demonstrated that it works; every single test has either failed outright or been rigged. The only reason the program exists at all is to hand out taxpayer money to campaign contributors.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
We'll just make talking about DOD security flaws illegal in Patriot Act 3 and then nobody will know.
It appears Ockham lost his razor and grew a beard.
Security Flaws Could Cripple Defense Network
Drunk Driving Could Be Dangerous
Microsoft Goes Head-to-Head With IBM
Mixing Household Chemicals Could Be Dangerous
Notice a pattern? None of these headlines says or means anything. They border between "no $hit" and "duh".
Instead of that say-nothing gibberish, how about "group passwords threaten MDA's communications network"? See, now the headline says something.
PS, not to be a jerk, just to point out an area where Slashdot can be better than the rest.
--iggy_mon - www.ananonymouskiller.com - Die Trying -
How about Global Thermonuclear war?
"We are all geniuses when we dream"
- E.M. Cioran
There is an airgap in the system.
All the modems are connected to unlisted telephone numbers.
I'm not surprised in the slightest by the "revelation" in this FA.
The only reason the program exists at all is to hand out taxpayer money to campaign contributors.
And the thousands of American scientists, engineers, technicians and support staff that design and work on these systems. Based on comments like this, you'd think that the government is stuffing shells full of cash and launching them at the enemy. Where do you think these "weapon systems" are designed and built?
Maybe my perspective is skewed. The only job offers (early career engineer) I was able to secure (in a timely manner) were from "big aerospace." If they were not "wasting taxpayer money" on large, risky (read: cutting-edge) R&D technologies, I'd be out of a really interesting, fulfilling job. And unfortunately, until some "other" interesting R&D area (energy would be a good one) is as big a target in the crosshairs of national/international interest, or until I have enough experience to start my own company, I am pretty happy working in the defense industry.
If it's not in the contract, it is fraud for a government contractor to implement an extra feature or add-on to the system, because the government has to pay for the extra expenses (software developers' hours, testing, etc.) incurred to make those improvements.
So if the security is bad, and it wasn't in the contract, the only people who can begin to address this are actually the purchasing organization, not the developers. The purchaser **needs** to add these stipulations to the contract, or else the contractor legally is not allowed to work on fixing it.
My guess is the MDA was not reading the DOD guidelines on IA http://www.dtic.mil/whs/directives/corres/html/850 02.htm (among many other pubs) which is pretty clear. Being a classified mission critical system used for warfighting, they would fit into the MAC I, confidentiality=high baseline.
Let's hope their contract gets recompeted so my company can head over there!
Anyone realize that the report was pulled off the IG's website? It was 06-53 according to Google. Now it's gone.
I do security
Having been involved with the Air Force since 1985 and done my share of IA training, I can say it is basically worthless and more or less comes down to "Don't give out your password, or run software from home".
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
I used to work for a defense contractor on classified networks. When we stood up a new lab, there was a briefing for all employees with access (AKA need to know). They were told that the SAs (I was one) were the first line. In other words, if we said no, the answer was to be interpreted as "no way in hell". My group, however, was in the minority (we said no more often than we said yes). Every request was checked using the NISPOM. Every software request was extensively checked. Unfortunately, this was the exception rather than the rule. In other areas, the mentality was "that which is not expressly prohibited is allowed", not the DOD/DSS standard of "that which is not allowed is expressly prohibited". I spent 3+ years fighting management over this issue, despite the fact that any "unusual" request to DSS/DOD went through the 3 people (myself included) who had the respect and trust of the officials who were required to approve the request. I also quashed (on one occasion 3x) requests that violated the rules. The rules are there. They make sense. They only work when the people on the ground feel they make sense. I left the environment when the stress of meeting the regulations exceeded the stress of fighting with management. YMMV
And ye shall know the truth, and the truth shall make you free.
John 8:32 (King James Version)