Slashdot Mirror
Air Force Aims for Control of 'Any and All' Computers
Noah Shachtman on Wired.com's Danger Room reports that Monday, the Air Force Research Laboratory at Wright-Patterson AFB introduced a two-year, $11 million effort to put together hardware and software tools for 'Dominant Cyber Offensive Engagement.' 'Of interest are any and all techniques to enable user and/or root level access,' a request for proposals notes, 'to both fixed (PC) or mobile computing platforms ... any and all operating systems, patch levels, applications and hardware.' This isn't just some computer science study, mind you; 'research efforts under this program are expected to result in complete functional capabilities.' The Air Force has already announced their desire to manage an offensive BotNet, comprised of unwitting participatory computers. How long before they slip a root kit on you?
new meme -
Imagine an AirWolf cluster of these......
Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
Sounds like the Air Force already has an overabundance of tools working for it.
Tools? Seriously? Any toolset is going to have to be constantly adaptable, and is going to fall victim to the same problem as all other computer security stuff: it's obsolete almost as soon as its written.
They'd be better building a strong infrastructure, and recruiting top talent than trying to build some kind of software package, presumably to be manned by some kind of enlisted man script kiddie.
Even then, they're going to get the same kind of penetration as everyone else. 20%, 30% maybe, on a good day. You can't even rely on vendors to insert backdoors; the best choice for that would be microsoft, and adding a backdoor to Windows would be redundant in most cases.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
This must be the ultimate example of "solutions" to engineering problems coming from a manager and not an engineer. I bet they'd like a pony while they're at it.
You know they'll get what they want out of commercial OSs by putting pressure on the vendors. Linux and the BSDs are too much of a moving target, and OpenBSD is run out of Canada anyway. If ever there was an article that needed to be tagged 'goodluckwiththat,' this would be it.
I'd say this was as illegal an idea as malicious botnets. My computer cpu cycles are NOT for sale to the US Government, or any government. They can have them when they pry them from my dead cold pc case...
Support NYCountryLawyer RIAA vs People
Establishing total and completely control across all hardware and operating systems, all patch levels, etc?
I admire your optimism, USAF, but $11 million dollars is simply not going to make that happen -if it can even be done. Software companies have enough trouble just getting their *own* software to work installed on *willing systems*, and some of the bigger ones spend that kind of money just getting it to work on one operating system withing a reasonable set of constraints.
Take into account the fact that you will also be most likely using pre-existing exploits, which will be repaired swiftly by responsible developers that watch security RSS feeds, and this is a red herring task. If you are talking about spending 11 million dollars on doing your own research towards establishing remote control by examining source code or reverse engineering to find new exploits, then honestly, you aren't just crazy- you are batshit crazy. You're going to need a whole hell of a lot of money to do that.
The internet is said to route around censorship; however, you don't need to censor the internet if you can pwn the world's PCs.
At first glance, it seems that this would easier to do by simply mandating government backdoors in all operating systems. Wait. Not only does a legislative fix not work work for FOSS, it's also likely to start a tremendous uproar until you show enough people a video of Britney Spears's latest car accident...
... is a taxpayer money sink.
Over time, systems change. That means after this two-year study and eleventy-million dollars later, it's worth very little a year down the road. In three years, we're virtually guaranteed to have nothing for the efforts, except a statement saying "Oh, we learned a lot, and now need continuing funding. Please give us more money."
Although many holes in software exist for a long time, they are generally patched within a couple months once discovered, usually sooner. And as soon as the military activates one of these holes, it'll be analyzed and patched. That will remove one of their finite resources.
100% control of all platforms and systems is beyond ludicrous. They might as well wish they could read minds, teleport, and find Carmen Sandiego. Or at least Osama.
it would be unethical!
This space available.
You know my fear is when I wake up one day and my cable, phones, and internet doesn't work because the US and some nerd terrorist group are caught up in some sort of cyber war. Knowing that war fair has finally started to use network assaults the same way they use stealth planes is really a sign of the times.
We all know that the internet is not secure, we all fight to keep it open. I assure you the last day we freely browse to other country sites will be the day we get a news worthy terrorist botnet attack that shuts down the likes of teh red cross. and gives the government a chance to sever the cables that connect us to the rest of teh world and insert some sort of keyed routers that you need a passport ID to traverse.
The whole botnet thing just shows how absurdly out of touch they are. A botnet is a tool created by a bunch of guys who have limited computer resources in a bid to increase those resources.
Why the fuck would the United States Air Force want a botnet, when they could have the real thing? A tightly integrated computer network with near unlimited bandwidth, satellites, super computers, massive clustering, and secure, integrated control.
Botnet. Jesus. Someone take the freaking tech magazines away from the air force brass before they start doing social networking or some crap.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Are you serious? "Protect"? Just how they protect it against terrorism, communism and religions?
Personally I feel fear out of this since I run OS X nowadays and Apple aren't the most security aware and patch decisive* company/group/.. around. And I don't want to computer owned by the american government thank you, and preferably noone else either.
* (I tried to find some opposite to hesitate)
not to click on the DonaldRumsfeldNude.mpg.exe attachment in my inbox.
Monstar L
I bet when the military was studying psychic remote viewing and psychic assassination the project goal was for completely functional capabilities as well. How did that turn out? ;)
They are going to have to put in a chip in every single piece of hardware shipping out of every single manufacturer. That would be the only way to get something of this magnitude to work. Somehow I don't see all the manufactures and consumers getting on board with this. Any software solution to this would face too much trouble - I for one am not willing to let the government take cycles away for good or evil use. Its just not a good idea. 11 Million could probably go to better use elsewhere.
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
They already have done "some crap". You've heard of America's Army right?
Good luck hacking my laptop. It runs BeOS.
http://pinopsida.com
That doesn't bother me; games can be a legitimate training tool, and paying for the tool, then making it available to the public is acceptable. It doesn't even bother me when they use it to recruit.
What bothers me is when they do something that's just flat boneheaded, and clearly the result of someone in the chain of command who doesn't know crap about anything, shooting his mouth off and making policy.
If they want to do the whole "cyberwar" thing, they need to take it seriously, and put people in charge who have the faintest fucking CLUE about what they're supposed to be doing.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
So the Air Force can do whatever the spooks (and their Bush crony masters) want, like fly surveillance drones, record and datamine us against satellite surveillance, and help the NSA filter every bit of our telecom.
Because these people hate the Constitution. They hate our freedoms and rights the Constitution instructs them to protect. They hate us. Because we get in the way of business, which is to spend on war the maximum amount Americans can make or borrow.
Feel safer?
--
make install -not war
Why would the USAF want a botnet? One, a botnet is distributed and harder to block than a centralized computing facility, or even a reasonably distributed one. Two, a botnet can grow as needed. When fighting an enemy botnet, this could prove very necessary.
Not that I'm condoning any of this, mind you. Just saying, I don't think the Air Force brass are all total idiots.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
$11 Million. To hack every computer in the world. Which has to includes all the overhead of government salaries and equipment. I'm shaking in my boots.
(Holds pinkey finger to corner of mouth) "One Million Dollars." (The one where he travels forward in time, not the one from the 60s.)
"Soft-kill" would mean destroying you computer and therefor rendering you ineffective. "Hard-kill" would mean shooting you in the face and therefor rendering you dead.
Hollow words will burn and hollow men will burn.
Isn't there a law that says the government can't use the Armed Forces against us? Like isn't that the reason why the National Guard is called to stop riots and not like the Marines? If the Air Force is building a bot net that comprises American PC's then shouldn't that follow under the same law?
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
Humorously, I could see a lawsuit from this opening up the door for the first expansion of the 3rd Amendment since Engblom v. Carey if they did compromise the machines of US citizens to use in an offensive botnet. Arguably being forced to host Air Force activities on your private property violates the same kinds of rights that the 3rd Amendment protects.
The Second Circuit said: [W]e hold that property-based privacy interests protected by the Third Amendment are not limited solely to those arising out of fee simple ownership [of homes] but extend to those recognized and permitted by society as founded on lawful occupation or possession with a legal right to exclude others. The court was talking about state-owned rental properties where striking prison guards were evicted and replaced with National Guardsmen, but I can see an argument for extending this to being forced to host Air Force use of one's chattels within a home (or maybe even outside of a home since the same possessory "right to exclude others" exists). I don't see Scalia or Thomas buying the argument, but it would be fun to watch someone try and argue it before the rest of the court.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
The dumb thing is, we've already proven that we are the world leader in unleashing the "hard kill" smackdown on information infrastructure.
Just putting effort into the software side would only add to that threat, and doing what the NSA does and just smirking and saying, "That's classified" when anyone asks them about their cyber crap would only make the threat more credible.
This is like watching some script kiddie waltz into an IRC channel and start swaggering. You know people are going to sneer, and you know someone is going to take a shot at them.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Time to set up my boxes to reboot every day from LiveCDs. That'll show 'em. :-)
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
you don't defeat your enemies by engaging in their tactics. that just makes you the moral equivalent of your enemy, thereby nullifying any moral high ground you claim to have, thereby nullifying any reason any citizen of your country or ally of your country would side with you
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Hmm...not sure how many computers have downloaded America's Army, but how hard would it be to slip a botnet agent into a patch or download?
Good thing the Galactica isn't networked!
You must be new here, there are no exploits in OSX.
I think it's you that doesn't have a clue. By having their own botnet not only can they infect people in the country they are attacking locally they can deny any responsibility for the attack. It also costs the virtually nothing when then enemy is paying for those computers to be online.
The third amendment to the US Constitution reads: "No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law." This idea is so important that the founders put it in before trial by jury or cruel and unusual punishment. Aside from the "because we said so" Bush regime's retorts, is there any way that involuntary botnet participation could be even slightly legal?
The land of the free: where nothing is. But you're free to blog about it unless your voice is heard too clearly by the majority of blockheads.
How many marijuana spotting drones are YOUR tax dollars paying for today?
Your country is closer to Communist China's philosophies than you think, but you're too busy working and consuming to care.
Rise, Bill Hicks, Rise from your grave! We have no one like Hicks or John Lennon to rally and speak to the people. SLAVES!
I've worked at an Air Force Research Laboratory for the past 3 years. I can guarantee you nothing will come of this, it is a giant waste of taxpayer dollars, and no one should be worried about their privacy (just their pocket books).
Now the previous comments about them spending $11m and then 3 years later asking for $11m is close but also wrong. They will ask for at least double that, every 3 years (take a look at their POMs in the future), indefinitely...
Umm, America's Army is produced by the US Army, not the USAF. Hell, the US Army logo is everywhere in that game. Two very separate branches of the US armed forces.
If I'm not mistaken, the 3rd and 4th in the Bill of Rights should prevent this.
3rd:prohibits the government from using private homes as quarters for soldiers without the consent of the owners.
4th:guards against searches, arrests, and seizures of property without a specific warrant or a "probable cause" to believe a crime has been committed.
"Lame" - Galaxar
And, on top of that, you know it'll end up on bash.org.
The Air Force's notion of a covert op is bombing someone using a stealth bomber. If they start that sort of computer attack, it'll almost certainly be part of a more general strike, and the ability to "deny responsibility" in that situation is worthless.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
You think the Air Force is dumb enough to use their own computers to download porn?
Not necessarily true. They take some soldiers who were wounded in battle and spend good of time and money to retrain them in certain fields... I know a guy who was a marine and never had any interest in computers at all. He took some shrapnel in the face, so they went and trained him in everything he could learn in networking, and now he's freaking great at it. The same could apply to many other aspects of technology.
I have a C64 connected to the internet. Have at it.
Starts up fifteen minutes late, reads your e-mail, browses cnn.com, then takes the rest of the day off for "training."
What?
Why the fuck would the United States Air Force want a botnet, when they could have the real thing? A tightly integrated computer network with near unlimited bandwidth, satellites, super computers, massive clustering, and secure, integrated control
In your excitement you've overlooked one minor detail; the US gov't has decreed it is going to move all its systems down to 50 or so access points to the wider internet. So no matter how big and bad a system the Air Force might concoct on its own internal network, it would still be hampered by the internal to external gateway speed and if those 50 gateways are known, they're easily blocked. So they wouldn't be able to Botnet-bomb the whoever nearly as well.
What did you connect it with - a rope?
Excuse me, but please get off my Pennisetum Clandestinum, eh!
US gov: We want a backdoor in all of your operating systems.
Microsoft: How deep would you like this backdoor? There are some existing features that could seamlessly integrate the functionality you want, we could roll it out as a critical update.
Apple: We can make an awesome GUI for that! With multitouch! And widgets!
Linux community: NO WAY IN HE...hey don't touch that! Somebody stop those guys!
"When information is power, privacy is freedom" - Jah-Wren Ryel
My computers have flat feet, except one that has casters. The one with casters has a Windows partition though, so it conscientiously objects a lot.
use of compromised average computers as a tool of cyberwarfare is hardly a new thing: http://www.guardian.co.uk/world/2007/may/17/topstories3.russia . Seems the US military is only just waking up to how powerful a tool this can be.
sun tzu would have appreciated the wisdom of not engaging in tactics which win you the battle but lose you the war
the battle of course, is abstract. it is the battle for the hearts and minds of the people in your country and other countries. so if you invalidate the cause you fight for, what have you won?
it is not good enough to merely dominate in all matter of physical warfare. you must also dominate in ideological warfare. and ideological warfare is not about media manipulation or propaganda. it is about simply picking a cause to stand for and adhering to it
if the people don't believe in what you are fighting for, then your physical military efforts are pointless. likewise, if the people do believe in what you are fighting for, then your enemy can achieve stunning battlefield dominance, and yet it all of their gains will fade over time. you have to ask yourself what the point of war is. is war merely a shoving match over physical turf? on one level it is, but it involves the values of the societies fighting over that turf as well. the groups that achieve physical military dominance and solidify their gains over time, are the ones that fight for values that actually have greater staying power than their enemy's. so the only lasting victories are the ones that actually stand for something
i am not in any way failing to understand traditional military wisdom. but i will suggest to you that my pov might have a better understanding of traditional military wisdom
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
You've never had coworkers disappear only to find out later they moved close to NSA headquarters and they've now got money out the wazoo, have you? The _really_ good computer folk get paid a lot of money to do neat things by you and me (well, me anyway; not sure if you're from the U.S.). Even if they were only getting paid the same, they'd probably still do it because it's interesting work, and you can't beat a government job for benefits and stability.
Yeah. Aren't those the guys that invaded Iraq or something? Heard something about it on Fox I think.
From the article at the root of the Slashdot post to which you are reacting:
"The U.S. would not, and need not, infect unwitting computers as zombies. We can build enough power over time from our own resources.
Rob Kaufman, of the Air Force Information Operations Center, suggests mounting botnet code on the Air Force's high-speed intrusion-detection systems. Defensively, that allows a quick response by directly linking our counterattack to the system that detects an incoming attack. The systems also have enough processing speed and communication capacity to handle large amounts of traffic.
Next, in what is truly the most inventive part of this concept, Lt. Chris Tollinger of the Air Force Intelligence, Surveillance and Reconnaissance Agency envisions continually capturing the thousands of computers the Air Force would normally discard every year for technology refresh, removing the power-hungry and heat-inducing hard drives, replacing them with low-power flash drives, then installing them in any available space every Air Force base can find. Even though those computers may no longer be sufficiently powerful to work for our people, individual machines need not be cutting-edge because the network as a whole can create massive power."
"As God is my witness, I thought turkeys could fly." A. Carlson
Under the Computer Misuse Act, you'd be breaking the law, even if you *are* the US Air Force.
Legal papers or lead? Your choice...
Current work on Linux per-process capabilities, role-based access controls and mandatory access controls may render the concept of "root" or a "superuser" under Linux obsolete. What would you need such a user account for? But if there is no superuser, in the traditional sense of the term, then there is no account on the system that would grant the air force (or anyone else) total control of that system. Control would be properly segmented and independently managed, limiting the value of such an attack. Well, it would need to be via the kernel, if no user had those access rights, and it would need to be via a user that could load things into the kernel, and it would need to make use of some exploitable kernel bug that bypassed the security modules.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
And in that article, it was also mentioned that the US government controls enough points to make a botnet mostly pointless.
The real reason is probably to hide who's doing the attack.
Don't thank God, thank a doctor!
This whole Air Force concept speaks to a larger issue or misconception within our society, particularly among non-IT professionals, that it is somehow possible for technology to be available for use by the "good guys" and yet not also available for use by the "bad guys". There was a similar case (sorry have no citation) where a senator expressed the viewpoint that copyright holders should have the capability to remotely "break in" to any computer system and "destroy it" once they have shown to a judge, perhaps through some warrant processes, that it contains their copyrighted materials (of course nothing was mentioned about how this would be achieved or even could be achieved in practice). If we want the benefits of a secure operating system and strong encryption then we must also be willing to accept the possibility that such tools might be used against us, but in such cases it is wise to remember the words of one of our founding fathers, Benjamin Franklin, who said that, "Any society that would give up a little liberty to gain a little security will deserve neither and lose both."
[insert witty quote here]
But if there's one thing that armed services habitually put more effort in to than preparing for war, it's engaging in bureaucratic cold wars between themselves. And if one branch of the US government puts their hand up to do "cyber-war", you can bet your bottom dollar that half a dozen others will want a piece of it too.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
And the government cant get service from a regular ISP to mask their identity?
HINT: they do it all the time during investigations.
---- Booth was a patriot ----
The Air Force's notion of a covert op is bombing someone using a stealth bomber.
Oh ye of little clue.
Better get a few pairs of eyes to start guarding the guards. Since the NSA is a spying organization, it kind of seems silly to take them at their word about trying to make Linux more secure.
The open security community has been turning a jaundiced eye on NSA ever since its existence was leaked.
As far as I can tell, trapdoor algorithms and public-key cryptography in the public sector were developed based on speculation on the sort of thing NSA MIGHT have built into what became DES.
(Eventually - about the end of DES' design lifetime - it turned out that the funny symmetries that were noticed in the NSA-prescribed S-boxes were apparently a defense against a type of cryptoanalysis that the public sector hadn't reinvented yet. NSA has a dual charter: Spy on everybody else, but protect info in the US, both public and private sector, from bad guys foreign and domestic. Apparently they were actually living up to the nicer side of the coin. THAT time. B-) )
I'm sure the private sector crypto researchers will continue keeping a sharp eye out for shenanigans. (But it doesn't hurt to publish a reminder now and then. B-) )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
You think the Air Force is dumb enough to use their own computers to download porn?
The 'Air Force'? No. Idiot individual members? Yes.
14 yrs ago, we had an E-4 busted for having 100mb of porn on his work PC. 11 yrs ago, we had an entire office reprimanded for having a 'not illegal in the US but illegal in Saudi Arabia' screensaver on the office PC's.
Granted, its a lot harder now, because individual machines, and the network, are a locked down a lot more. But idiots will still bring stuff in from home on a DVD or USB stick.
Most people think of the fifth amendment as just the right to not incriminate yourself. But it also goes on to say. . .
.nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation."
". .
I would say that, were this air force initiative technologically successfuly, it, at least, could not be used on any computers of US citizens, because of the fifth ammendment. Of course, what the government will say is that this capability would only be used against computers of foreign nationals, foreign corporations, and foreign governments. I'm still not sure that makes it right, unless the foreign nation is at war with us, and then it should only be allowed against nations that are directly at war with us.
I shouldn't, but lets think; has the USPATRIOT Act ever been used against US citizens? Now, that wouldn't happen would it? .... right...
.... Bruce Springstein
Keep dreaming and drinking the red/white/blue coolaid my friend. Blind faith and support for your government is NOT patriotism, it's pure folly
Blind faith in your government, or anything is folly.
"blind faith in a leader will get you killed"
That's just how it is. Would you like some quotes from the USA's founding fathers on this topic? They too think you a fool. Here is a pretty damn good start for you:
http://www.poliwatch.org/archives/Analysis/2003/06/11/03.03.51/
Support NYCountryLawyer RIAA vs People
This could easily fit under the necessary and proper clause. In an emergency where a botnet were taking over massive internet resources and threatening the global financial system or even energy grid they could deploy this thing as a counter insurgent application to take over and halt the spread of a malicious botnet. What's so different about taking over your pc that is being used to attack a bank vs taking a car that is being used to run away from a bank robbery.