DARPA Cyber Range Project Doomed to Failure

carusoj writes "Former black-hat hacker Noah Schiffman details why DARPA's National Cyber Range project is bound to fail. The NCR is proposed as a simulation of the Internet, including replicating 'human behavior and frailties.' Schiffman argues that if the Defense Department is really building something of this scope, it might as well use the actual Internet."

What does "failure" mean though?

[biolysis]

Won't they be learning valuable lessons even if they fail to meet their mission objectives?

Re:What does "failure" mean though?

[Xyrus]

Or to paraphrase from Contact:

"Why build one internet when you can build two for twice the price."

~X~

What goes around comes around

[grizdog]

This is the sort of thing for which DARPA built arpanet in the first place. They're probably pretty miffed that they can't use their own testbed because it proved so useful after the fact

Re:What goes around comes around

I beg to differ with you on that.

I took the lead, and went ahead and created the Internet. Now DARPA is trying to rip me off. Luckily the Earth is going to self-combust here in a matter of 12-18 months, so DARPA probably won't have enough time to pull off this dastardly deed.

- Al

Re:What goes around comes around

[badboy_tw2002]

DARPA built it to test defending against it? If they hadn't built it, would they still have to test defending against it? And if so, what would they use?

Re:What goes around comes around

[grizdog]

I'm sorry, my post was vague. They built it as a testbed to experiment with wide-area networking generally, including discovering vulnerabilities.

Re:What goes around comes around

[Actually,+I+do+RTFA]

Al Gore never said that and Quayle spelt potato according to an archaic, but accepted, variant. I have no clue why this stupid lie makes me angry, except it cost me hundreds of thousands of dollars.

Re:What goes around comes around

[cheater512]

What? You invented the internet and Al Gore is getting all the credit? :P

If I had one of these

[Profane+MuthaFucka]

If I had a simulation of the entire Internet, it'd be all over for me. I mean, there would then be absolutely no reason for me to leave my house. I'd just sit inside all day playing with this simulation of the Internet.

Re:If I had one of these

[Hankapobe]

Mmmmmm, simulated porn sites.

Re:If I had one of these

[SiriusStarr]

Virus tank! http://www.xkcd.com/350/

Re:If I had one of these

[religious+freak]

Wow, how could you BUILD something like that? This has me thinking...

Re:If I had one of these

[SiriusStarr]

Next time I have a few spare computers laying around, I'm going to have to try it... It sure beats the aquarium screensaver... :-)

By using the actual internet....

[Hankapobe]

you can't run 'what-if' scenarios and keep certain variables constant.

On the other hand, by using the internet, the powers that be wouldn't be able to rig or dumb down any tests so that they succeed. Like they did with some of the Star Wars tests. Useful when justifying budgets to Congress.

Re:By using the actual internet....

I knew it! The Death Star superlaser WASN'T fully operational...

sigh

[wizardforce]

30 billion dollars = 60 million PCs with decent processors to take care of pretty mcuh any cyber war they want.

Re:sigh

[Ox0065]

60,000,000 * 93% = 55,800,000 Windows boxes each groaning under the strain of hundreds of spam bots, virus & spywear.

They're building a bot-net!

I disagree

[WarJolt]

In the end, the underlying necessity of this project is an impossibility-the simulation of true human behavior. If this was possible, and one could accurately know and predict online behavior, the acceleration of these calculations would border the lines of predeterminism and precognition. This type of "sci-fi success" would render the creation of the NCR unnecessary, since it would create the ability to anticipate, know, and adequately prepare for all future cyber attacks. I don't think the goal is to reproduce human behavior, but reproduce the environment and basic human input. I'd argue that the user is not the cause of most vulernerabilities. Most vulernabilities are flaws with the applications, architectures, systems and protocols themselves. The human factor for most vulnerabilities has already been compiled into applications distributed and is ready for testing. There is already AI that searches for vulnerabilities in systems. This is just looking for it on a massive scale.

Pretty good idea.

[ZonkerWilliam]

They (DARPA) Can't test for every outcome at once, but they could and most likely will get valuable information when they test for well defined attacks.

I disagree...

[religious+freak]

Saying that a simulated Internet for cyberwaarfare (note the new meme!) has no point is like saying a simulated Earth has no point for studying global warming. To effectively study you need controls and variables. Having real controls on the actual Internet is impossible, not to mention the fact you'd be vulnerable to surveillance.

I also find it interesting to find that people say a realistic simulation is impossible, while in the same breath complaining this project costs too much. $30 Billion obviously won't get you 100% there, but I'll bet it'll get you there with 95% confidence. Yeah, I suppose you could argue that because that 5% exists, the project has no meaning, but any engineering effort has a little slack in it. If history is any indication DARPA should do a fairly good job at managing that risk.

Re:Exactly

[arthurpaliden]

With a simulation you can always try out various senarios from the same starting condition. Which on the real Internet would be impossible. As to the cost of building said simulator being as the net itself is 'well' documented and is in essence all software then building a simulator should be no problem. It is certianly not a $30B project. Unless of course the Government and its favorite contractors are involved.

Bogus analysis - not 30 billion.

[Animats]

Nothing in the solicitation has a $30 billion price tag on it. No idea where that number came from. There are no dollar amounts at this stage; DARPA is soliciting bids.

What DARPA is asking for is a 10,000 node Internet simulator, and that's in the final phase. The whole system can be started, stopped, and flushed to a clean state for new tests. Users are simulated: "Replicants will simulate physical interaction with device peripherals, such as keyboard and mice. Replicants will drive all common applications on a desktop environments." Attacks on the network are supported; the vendor even has to provide a "malware library".

The simulated machines have to be simulated at a fine level of detail. "The NCR must be capable of taking a physical computer and rapidly creating a functionally equivalent, logical instance of that machine that can be replicated repeatedly and injected into a testbed. Given a never-before-seen physical computing device, create logical instantiations of the physical native machine that accurately replicates, not only the software on the machine, but hardware to the interrupt level, chipset, and peripheral cards and devices.". That's going to be hard. They may end up with real computers hooked up to peripherals that simulate human inputs. (DoD does this all the time; it's how flight control software is debugged. Serious flight simulators use the real "black boxes" of real aircraft with simulated inputs and outputs.) They need that level of fidelity because they want to observe virus and attack behavior.

This is going to be a useful asset.

Re:Bogus analysis - not 30 billion.

[Ortega-Starfire]

"Replicants will simulate physical interaction with device peripherals, such as keyboard and mice. Replicants will drive all common applications on a desktop environments."

Replicants are a really bad idea. I mean seriously? Why don't they just activate skynet while they're at it?

Never try; Never Fail -

yeah, yeah, yeah. If one never tries anything, one never has to worry about failure. Does one ever think that one might learn something from failure. This guy is just looking for work at the moment. Oh, and remember, the hard stuff is too hard to try.

Chat Attack

[vigmeister]

The fundamental cyber attack:

1) get enemy's AIM s/n and post it on a public chat room with a cute profile picture.
2) Soon enough all of enemy's supercomputers will be flooded with trillian windows with "a/s/l" and "wanna cyber?" messages
3) ???
4) Profit!!!

Cheers!

MOD PARENT UP!

[religious+freak]

Excellent excerpts for us that are too lazy to read for ourselves! Now I'm 100% behind the idea. It's dumb NOT to have this

I don't see a problem.

[Alex+Belits]

Other than a stupid name -- both an overlap with NCR (that was supposed to be National Cash Register) company name, and the use of a word "cyber" in a way that suggests a sister project National Yiff Range, and the fact that military and not computer scientists are running it, of course.

Something has to provide an environment where potential damage from various existing kinds of malware and attacks, and effectiveness of various countermeasures, can be evaluated without waiting for those things to happen in the real-world Internet. It can be a valuable simulation tool, the only thing that makes me really concerned is the licensing of Windows for countless virtual machines that have to be involved in it -- that may singlehandedly double Microsoft's OS-related revenue unless government will find a way to avoid paying for it. However it's stupid to pretend that such a thing will be useful for creating worms and viruses specifically for damaging "enemy" users because by its nature malware can not specifically target people in particular organizations -- its power is in non-specific attacks and in using least-secure, poorly maintained computers to create large-scale effect. Claiming that military is either going to concoct a worm that only infects, say, computers in China, or that it intends to perpetrate computer fraud on a massive scale as a part of some idiotic DDoS on web site that it does not like is stupid, and it discredits the whole project.

Re:I don't see a problem.

[db32]

Besides the horrible logical fallicies I don't have a problem with your post...

"that military and not computer scientists are running it" Since when the hell did military mean not smart...or is this another one of those braindead ultraliberal repeated lies. The military as a whole has never been more educated and has been responsible for some pretty impressive things in the past. Do you understand how utterly moronic it is to say "Well those stupid DARPA guys aren't computer scientists and can't possibly do this". Uhm...they did it once already...remember that real internet thing?

"by its nature malware can not specifically target people in particular organizations". Ok...you are obviously not clear as to how the internet came to be or exists today. By all means...go poke around with RIPE and ARIN and tell me if you can't target particular organizations. For fucks sake there are lists all over the net that show specific US military installations IP ranges. No...you couldn't possibly restrict the scanning if you were armed with lists like that now could you? Specific companies, countries, etc...all listed right there in nice neat orderly glory. You know once upon a time they believed you couldn't believe drop bombs from planes and hit specific targets...that changed as they got to practice and now rather than relying on sight and timing of a pilot there is a computer that rides the bomb all the way down and can pinpoint targets within a few feet. That is kind of the point of building a simulator like this...to practice kind of stuff. Malware is nothing more than combining the word malicious and software. There is nothing in that word that means "only used by russian spammers and script kiddies".

Re:I don't see a problem.

[Alex+Belits]

"that military and not computer scientists are running it" Since when the hell did military mean not smart...or is this another one of those braindead ultraliberal repeated lies. The military as a whole has never been more educated and has been responsible for some pretty impressive things in the past. Do you understand how utterly moronic it is to say "Well those stupid DARPA guys aren't computer scientists and can't possibly do this". Uhm...they did it once already...remember that real internet thing? Actually I am against military running it because military is not the right organization to provide protection against criminals and crooks in the time of peace. "by its nature malware can not specifically target people in particular organizations". Ok...you are obviously not clear as to how the internet came to be or exists today. By all means...go poke around with RIPE and ARIN and tell me if you can't target particular organizations. For fucks sake there are lists all over the net that show specific US military installations IP ranges. Any piece of malware needs hordes of personal computers to run on. So if you write one you have to make it use every opportunity to infect a vulnerable computer, or it will fail to survive. This means, no "but we won't let it run on AMERICAN computers!" stupidity.

When it comes to targets of DDoS, targeting a range of addresses is pointless -- the whole point of attack is large number of computers creating a traffic to a single target that can't be distinguished from legitimate traffic, and drowns it.

So no, if you want to distribute self-propagating malware, you distribute malware that exploits everyone, and therefore you have to break the law to be effective. Not a good thing for a government organization to do.

Re:I don't see a problem.

[Alex+Belits]

"that military and not computer scientists are running it" Since when the hell did military mean not smart...or is this another one of those braindead ultraliberal repeated lies. The military as a whole has never been more educated and has been responsible for some pretty impressive things in the past. Do you understand how utterly moronic it is to say "Well those stupid DARPA guys aren't computer scientists and can't possibly do this". Uhm...they did it once already...remember that real internet thing? Actually I am against military running it because military is not the right organization to provide protection against criminals and crooks in the time of peace.

"by its nature malware can not specifically target people in particular organizations". Ok...you are obviously not clear as to how the internet came to be or exists today. By all means...go poke around with RIPE and ARIN and tell me if you can't target particular organizations. For fucks sake there are lists all over the net that show specific US military installations IP ranges. Any piece of malware needs hordes of personal computers to run on. So if you write one you have to make it use every opportunity to infect a vulnerable computer, or it will fail to survive. This means, no "but we won't let it run on AMERICAN computers!" stupidity. Not that it would be any less illegal.

When it comes to targets of DDoS, targeting a range of addresses is pointless -- the whole point of attack is large number of computers creating a traffic to a single target that can't be distinguished from legitimate traffic, and drowns it.

So no, if you want to distribute self-propagating malware, you distribute malware that exploits everyone, and therefore you have to break the law to be effective. Not a good thing for a government organization to do.

Re:I don't see a problem.

[slashdotwannabe]

The P and GP points of view are not mutualy exclusive, on either major point.
While I agree with the point of view that law enforcement is a civilian function, the military still need to train for cyberwar, and much of the hardware in use by law enforcement today is a direct result of military reasarch. It seems reasonable to me to conclude that in time this research will provide benefits to law enforcement.
Also, I think it would be less inflammatory to simply state that in a given attack, as network selectivity increases, total population decreases. With experience and various models, a commander should be able to dial in with relative accuracy the impact of a given attack.

Re:I don't see a problem.

[Alex+Belits]

the military still need to train for cyberwar There is no "cyberwar". There never was a "cyberwar". There never will be a "cyberwar". What we have now is a bunch of assholes and crooks exploiting idiotic vulnerabilities in systems and procedures that should be never in any way related to anything military, or in any way safety-critical.

Also, I think it would be less inflammatory to simply state that in a given attack, as network selectivity increases, total population decreases. With experience and various models, a commander should be able to dial in with relative accuracy the impact of a given attack. More like, the only way to keep a self-propagating attack running is including systems with lowest of the lowest level of security and users' competence. Exclude them, and you can just as well ping -f your "enemies" from your own web server.

Re:I don't see a problem.

[db32]

Right...because the headline stories over the last few months of chinese government sponsored attacks against a multitude of governments is all imaginary right?

Re:I don't see a problem.

[Alex+Belits]

Headlines are real.

Stories are not.

Some parts of the internet

will never be able to be accurately simulated. Example, 4chan.

Re:Liberal vs. Republifailure

[bluefoxlucid]

I've built an Internet simulation before, it's neither easy nor possible to model the dynamics. It makes for great cyberterrorist fantasy roleplay though... when under attack and I can't get to Windows Update shit gets interesting. Biggest rush of my life.

Thank god.

[Kuroji]

I can only imagine what the results would be if you had replicants on a site like that. Such a small network would be saturated with insane memes and eventually would just rebel a la Skynet. Except Terminators weren't dressed in nice suits with nothing but green instead of skin and a question mark for a face.

Don't underestimate social engineering

[Mathinker]

> Most vulernabilities are flaws with the applications, architectures, systems and protocols themselves.

Considering that the social engineering attack has been around since society started, as opposed to software and protocol vulnerabilities which are rather recent developments, I'd have to say that I think you're dead wrong (I assume, based on context, that your use of "system" didn't include society).

This is in addition to the added argument that fixing software or protocol vulnerabilities on a society-wide basis is rather straightforward, whereas "fixing" social engineering attacks is mainly based on individual education (e.g., teaching people not to fall for particular attacks, or changing people's mindsets), or societal change (e.g., making biometric info an essential part of personal identification) which is not straightforward at all.

Missing the point of DARPA altogether

[Shoten]

The point of research...and that's what DARPA is all about...is pushing the envelope. I was at the DARPA event where potential respondents learned about the desired features and overall nature of the program, and it was extremely ambitious, yes. But in conversations with my peers, it turns out that an enormous amount of the technology to make it happen already exists. Sure, they may not get everything they want, but so what? If they only get half of it...and the lesser half at that...they'll still have something that our country desperately needs, which is a place to test and practice information warfare tactics. The components that exist today, if put together to form an "NCR lite," would still provide immense value, and for that alone, the NCR is bound to be a success. And let me tell you, with the people that were in that room, I would be profoundly surprised if a great deal of innovation did not take place as well.