Slashdot Mirror


Air Force Aims for Control of 'Any and All' Computers

Noah Shachtman on Wired.com's Danger Room reports that Monday, the Air Force Research Laboratory at Wright-Patterson AFB introduced a two-year, $11 million effort to put together hardware and software tools for 'Dominant Cyber Offensive Engagement.' 'Of interest are any and all techniques to enable user and/or root level access,' a request for proposals notes, 'to both fixed (PC) or mobile computing platforms ... any and all operating systems, patch levels, applications and hardware.' This isn't just some computer science study, mind you; 'research efforts under this program are expected to result in complete functional capabilities.' The Air Force has already announced their desire to manage an offensive BotNet, comprised of unwitting participatory computers. How long before they slip a root kit on you?

11 of 468 comments

  1. Re:If you ask me.... you didn't but.... by HappySmileMan · · Score: 3, Interesting

    Or when Microsoft and Apple crumble and are forced to insert backdoors (I say "forced", because as sceptical as I am, I don't WANT to believe that they'd do it willingly, even if it is the case)...

    Problem is (for them, not us), after this, any commits made to Linux or BSD or anything that don't seem to add anything, make unnecessary use of network commands or seem in any way unsafe will be set upon by every tinfoil hat freak out there, same with new contributors, so they'll have a really hard time doing this.

  2. Re:SETI@Home by aliquis · · Score: 3, Interesting

    Are you serious? "Protect"? Just how they protect it against terrorism, communism and religions?

    Personally I feel fear out of this since I run OS X nowadays and Apple aren't the most security aware and patch decisive* company/group/.. around. And I don't want my computer owned by the American government thank you, and preferably no one else either.

    * (I tried to find some opposite to hesitate)

  3. Constitution Violated by Domestic Military Ops by Doc+Ruby · · Score: 4, Interesting
    In the same speech in which Attorney General Mukasey lied about a fake "phonecall from Afghanistan" to con us into cowardly acceptance of amnesty for illegally wiretapping telcos (and the Bush officials who they did it for), Mukasey avoided denying that

    the Fourth Amendment, which bars unreasonable searches and seizures, did not apply to "domestic military operations" against terrorist threats.


    So the Air Force can do whatever the spooks (and their Bush crony masters) want, like fly surveillance drones, record and datamine us against satellite surveillance, and help the NSA filter every bit of our telecom.

    Because these people hate the Constitution. They hate our freedoms and rights the Constitution instructs them to protect. They hate us. Because we get in the way of business, which is to spend on war the maximum amount Americans can make or borrow.

    Feel safer?
    --
    make install -not war

  4. 3rd Amendment fun? by Valdrax · · Score: 5, Interesting
    Chances are that they'll want to try to compromise foreign systems and not US systems to use in a botnet to avoid legal liability within the country.

    Humorously, I could see a lawsuit from this opening up the door for the first expansion of the 3rd Amendment since Engblom v. Carey if they did compromise the machines of US citizens to use in an offensive botnet. Arguably being forced to host Air Force activities on your private property violates the same kinds of rights that the 3rd Amendment protects.

    The Second Circuit said:

    [W]e hold that property-based privacy interests protected by the Third Amendment are not limited solely to those arising out of fee simple ownership [of homes] but extend to those recognized and permitted by society as founded on lawful occupation or possession with a legal right to exclude others.

    The court was talking about state-owned rental properties where striking prison guards were evicted and replaced with National Guardsmen, but I can see an argument for extending this to being forced to host Air Force use of one's chattels within a home (or maybe even outside of a home since the same possessory "right to exclude others" exists). I don't see Scalia or Thomas buying the argument, but it would be fun to watch someone try and argue it before the rest of the court.
    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  5. Re:SETI@Home by lymond01 · · Score: 4, Interesting

    Hmm...not sure how many computers have downloaded America's Army, but how hard would it be to slip a botnet agent into a patch or download?

  6. Re:I can think of a few reasons by trolltalk.com · · Score: 5, Interesting

    Of course, there's nothing to stop you from setting up some honey-pots, figuring out the control commands, and taking control of a large chunk of the botnet, since it *isn't* centralized. Then turn it on the parts you don't control, or the central c&c computers, or other "targets of interest."

    Or use it to create "false flag" attacks.

    Or a few rounds of "Do you want to play a game?"

  7. Re:SETI@Home by hesiod · · Score: 5, Interesting

    Not necessarily true. They take some soldiers who were wounded in battle and spend a good deal of time and money to retrain them in certain fields... I know a guy who was a marine and never had any interest in computers at all. He took some shrapnel in the face, so they went and trained him in everything he could learn in networking, and now he's freaking great at it. The same could apply to many other aspects of technology.

  8. Re:Armed Forces used against American Citizens by esampson · · Score: 4, Interesting

    You are probably thinking about the Posse Comitatus Act (http://en.wikipedia.org/wiki/Posse_Comitatus_Act). However, what that act really prohibits is the use of military forces as peace officers within US borders. Hacking into citizens' machines to use them as part of a botnet wouldn't fall under that.

    A couple of people have brought up the Third Amendment (http://en.wikipedia.org/wiki/Third_Amendment_to_the_United_States_Constitution) which covers the quartering of soldiers in private homes. I am not a Constitutional lawyer but I'm guessing that doesn't really apply either in a strict literal sense or in the spirit of what the authors intended. The intent was purely in people being forced to quarter soldiers. There's no mention of whether or not the military has the right to seize assets they might need, which is closer to what they would be doing in this case.

    If I had to guess (and I would have to) I would think the Fifth Amendment (http://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_States_Constitution) is probably more applicable. Its final clause is "nor shall private property be taken for public use, without just compensation". Hacking your system and using CPU cycles and bandwidth without permission would seem to constitute at least a form of taking of my property. They may not physically take it but they take control of it and even though I get it back later the clause doesn't say it's ok for them to take property as long as they bring it back.

  9. Re:SETI@Home by Culture20 · · Score: 3, Interesting

    You've never had coworkers disappear only to find out later they moved close to NSA headquarters and they've now got money out the wazoo, have you? The _really_ good computer folk get paid a lot of money to do neat things by you and me (well, me anyway; not sure if you're from the U.S.). Even if they were only getting paid the same, they'd probably still do it because it's interesting work, and you can't beat a government job for benefits and stability.

  10. They'll need more than luck. by jd · · Score: 3, Interesting

    Current work on Linux per-process capabilities, role-based access controls and mandatory access controls may render the concept of "root" or a "superuser" under Linux obsolete. What would you need such a user account for? But if there is no superuser, in the traditional sense of the term, then there is no account on the system that would grant the air force (or anyone else) total control of that system. Control would be properly segmented and independently managed, limiting the value of such an attack. Well, it would need to be via the kernel, if no user had those access rights, and it would need to be via a user that could load things into the kernel, and it would need to make use of some exploitable kernel bug that bypassed the security modules.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
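
The per-process capability split that comment 10 describes can be read from the `CapEff` line of `/proc/<pid>/status`. The sketch below is an added example, not part of the thread: it decodes that mask and reports which processes still hold a kernel-reaching capability, whatever their uid. The sample status text is constructed, and the choice of capabilities in `KERNEL_REACH` is this example's assumption.

```python
import re

# Capability bit numbers from <linux/capability.h>; only a subset is named.
CAPS = {1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE",
        12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE",
        17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
        32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN"}

# Assumption of this example: capabilities that reach into the kernel or
# override the security modules, i.e. the path the comment describes.
KERNEL_REACH = {"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_ADMIN",
                "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN"}


def decode_caps(mask):
    """Turn a capability bitmask into a set of names (cap_<n> if unnamed)."""
    return {CAPS.get(bit, f"cap_{bit}")
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}


def audit_status(text):
    """Parse status text; return (euid, effective caps, kernel-reaching caps)."""
    # Uid line order is: real, effective, saved, filesystem.
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("status text lacks a Uid or CapEff line")
    caps = decode_caps(int(cap.group(1), 16))
    return int(uid.group(1)), caps, caps & KERNEL_REACH


# Constructed /proc/<pid>/status excerpts (not captured from a real host).
SAMPLES = {
    "uid 0, capabilities dropped":
        "Name:\thttpd\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000400\n",
    "uid 1001, one capability granted":
        "Name:\tagent\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000010000\n",
    "traditional root shell":
        "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        euid, caps, reach = audit_status(text)
        print(f"{name}: euid={euid} caps={len(caps)} "
              f"kernel-reaching={sorted(reach)}")
```
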
  11. Re:If you ask me.... you didn't but.... by lkcl · · Score: 4, Interesting

    not at all - it will go into the CPUs.

    accidental downloading of large bits of "spam" will contain encrypted data which, when the CPU notices that the network interfaces (or the nearby electro-magnetic spectrum) are blipping up-and-down in some not-exactly-random pattern, begins to interpret the SPAM (or EM noise) in some morse-code-like way that activates the CPU to "phone home".

    suddenly all the DRM in your hard drive and motherboard which is normally used for DMCA coercion, gets activated for other purposes.

    given that the encryption in the DRM is at a level higher than the highest level specified by the DoD for ultra-top-secret material, it will of course be perfect for taking over your computer.

    overall i wish i was entirely joking about this, but it unfortunately makes far too cohesive a story.

    let's call it a joke, anyway. ha ha.