Slashdot Mirror


Air Force To Rewrite the Rules of the Internet

meridiangod writes "The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than rewriting the 'laws of cyberspace.'" I'm sure that'll work out really well for them.

26 of 547 comments

  1. Anonymous has no place on a military net. by FoolishBluntman · · Score: 2, Interesting

    How about no spoofing as a good start. No changeable MAC addresses and Client side certs.

  2. there's nothing wrong here by circletimessquare · · Score: 5, Interesting

    for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet

    and, if successful, watch it leave its military surroundings, be adapted by universities, then corporations, then the general public

    kind of like the internet itself

    somebody is going to do this at some point, considering the various shortcomings of our present dominant protocol suite

    that it would be the military to do it first makes sense

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:there's nothing wrong here by Ethanol-fueled · · Score: 4, Interesting

      there is nothing laughable

      But this is very laughable, as is this and this. Now imagine what we don't know about!

    2. Re:there's nothing wrong here by Random+BedHead+Ed · · Score: 2, Interesting

      If the NSA did it, it would have a back door. I'd rather have the Air Force do it and ask the NSA to try to crack it.

    3. Re:there's nothing wrong here by Anonymous Coward · · Score: 1, Interesting

      I would recommend to them to install IPv6, and disallow any IPv4! How many sites and botnets running on people's home PCs could access them then? They would get at least several years worth of a break, until others finally started going to IPv6.

    4. Re:there's nothing wrong here by ChrisA90278 · · Score: 2, Interesting

      "for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet"

      Yes, all we have to do is look at history. The term "Internet" meant a network that connected networks. Back when the term was coined, networks did not use TCP/IP. "IP" was designed as "Internet Protocol", or literally the protocol to be used BETWEEN networks. Only later did almost all of those networks themselves begin to use TCP/IP internally.

      So it is reasonable that the US Air Force could simply abandon the use of TCP/IP within the entire service and connect to the public Internet via a gateway. After all, that is how everyone did it back in the 70's.

      There are a few things they might use that already exist and are already in use. They really need a network that is fully end to end encrypted and has strong authentication. TCP/IP is not that.

    5. Re:there's nothing wrong here by ipb · · Score: 3, Interesting

      Then when the NSA reports that they can't crack it would you believe them?

  3. good concepts, bad headline by Tom · · Score: 4, Interesting

    If you actually RTFA, you see that they aren't bonkers. Quite to the contrary. See this quote, for example:

    "[M]ost threats should be made irrelevant by eliminating vulnerabilities beforehand by either moving them 'out of band' (i.e., making them technically or physically inaccessible to the adversary), or 'designing them out' completely," the request for proposals adds.

    Yeah, absolutely. Remember that this is the military we're talking about. These are the guys who are the "customers" of stuff like the NSA's formally verifiable code project. These are the guys who still use 10 year old computers because those are hardened and tested to military standards. If they upgrade to 5 year old computers, the gain in speed will offset pretty much any performance penalty that security methods that don't fly in the commercial world because of said performance penalties, could cause.

    These are also the guys who do a ton of things badly.

    So it'll be interesting to watch.

    --
    Assorted stuff I do sometimes: Lemuria.org
  4. Rewrite the rules of the Air Force by Anonymous Coward · · Score: 2, Interesting

    Instead of letting them try to push us around, we the geeks can turn the tables and re-write government based on open source philosophy.

    The plan for transition is practical, and folks like those running the Air Force will never see it coming until it is far too late for them to do anything about it.

  5. Re:Disconnect by evanbd · · Score: 4, Interesting

    Sure they can. It just adds a step: get the hardware connected. Sometimes that can be accomplished through social engineering, sometimes well-meaning people do it for you, and sometimes people simply don't realize the connection existed in the first place. Of course, it does make things harder, and it is a valuable step... but it should not, under any circumstances, be assumed to be bulletproof by itself. You still need to worry about security against an attack.

  6. Replace TCP/IP by hey · · Score: 3, Interesting

    It's not so crazy that they would replace TCP/IP with something else fairly similar for their internal use.

  7. Windows by ezwip · · Score: 2, Interesting

    Aren't we sentencing some guy for logging into Windows computers from over in Europe that had no pass and ran the Windows Operating System? Maybe we should stop playing all these games and have Microsoft rebuild their operating system correctly so as not to have hundreds of thousands of zombie computers online. How many of those Zombies run Apple or Linux? What's that you say, less than 1%, or perhaps the answer is none at all? The government built the internet but can't secure it? We need 500 different anti virus programs because one specific operating system is incompetent at security? Send the users to jail you say because we can't stop kids from ignoring laws? Who woulda thunk it?

    --
    "I guess I'm gonna fade into Bolivian."
  8. Shouldn't the IPs all be in the same block? by HighOrbit · · Score: 4, Interesting

    I would expect that all of an ISP's addresses should be in the block(s) they received from ICANN. If something on their sub-net is generating headers with foreign addresses, then they ought not to route it.

  9. Re:Disconnect by Anonymous Coward · · Score: 4, Interesting

    I can vouch for that. Left a classified syquest cartridge (yes it was some years ago) out on my desk once and it was noticed within 10 minutes by security. My boss was pretty understanding. He said there were two types of people, those who had committed security procedure breaches, and those who would do so in the future. Had to go through the training again.

  10. Re:prevent IP spoofing - save the world by mshannon78660 · · Score: 2, Interesting

    At least on Cisco routers (disclaimer: I used to work for Cisco), there is a command you can use. ip verify unicast reverse-path will cause the router to check the routing table for a path to the source address, and drop the packet if it came in on an interface which is not a candidate route for that address. You don't want to use this in the core of your network, where you may have asymmetric routing, but you can certainly use it on the edges. If an ISP does this uniformly on interfaces that connect to customers, they can prevent any of their customers from spoofing. Depending on the size of the ISP, they may also be able to implement it on their peer links, and prevent spoofed packets from entering their network from other parts of the internet.
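
The reverse-path check described in the comment above, together with the "don't route foreign source addresses" idea from HighOrbit's comment, modelled as an added example that is not part of the thread and is not router code. The Router class, the interface names and the documentation-range prefixes are all assumptions made for illustration; the last case shows why the check is kept off core links with asymmetric routing.

```python
import ipaddress


class Router:
    """Minimal routing table plus the strict reverse-path check (a model only)."""

    def __init__(self, routes):
        # routes: iterable of (prefix, outgoing interface) pairs
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def candidate_interfaces(self, address):
        """Interfaces of the longest-prefix-match route(s) to `address`."""
        addr = ipaddress.ip_address(address)
        matches = [(net, ifc) for net, ifc in self.routes if addr in net]
        if not matches:
            return set()
        longest = max(net.prefixlen for net, _ in matches)
        return {ifc for net, ifc in matches if net.prefixlen == longest}

    def strict_rpf_accepts(self, src, in_interface):
        """Accept only if the route back to `src` points out `in_interface`."""
        return in_interface in self.candidate_interfaces(src)


def verdicts(router, packets):
    """Return 'forward' or 'drop' for each (source address, ingress interface)."""
    return ["forward" if router.strict_rpf_accepts(src, ifc) else "drop"
            for src, ifc in packets]


# Constructed edge router: one customer prefix on cust0, default route on up0.
EDGE = Router([("192.0.2.0/24", "cust0"), ("0.0.0.0/0", "up0")])
EDGE_PACKETS = [
    ("192.0.2.10", "cust0"),    # customer using its own address
    ("198.51.100.7", "cust0"),  # customer forging a foreign source
    ("203.0.113.5", "up0"),     # ordinary traffic from the Internet
    ("192.0.2.10", "up0"),      # outside host forging a customer address
]

# Constructed core router with asymmetric routing: the best route to
# 203.0.113.0/24 leaves via core_a, but that network's traffic arrives on core_b.
CORE = Router([("203.0.113.0/24", "core_a"), ("0.0.0.0/0", "core_b")])
CORE_PACKETS = [("203.0.113.5", "core_b")]  # genuine source, "wrong" interface

if __name__ == "__main__":
    for name, router, packets in (("edge", EDGE, EDGE_PACKETS),
                                  ("core", CORE, CORE_PACKETS)):
        for (src, ifc), verdict in zip(packets, verdicts(router, packets)):
            print(f"{name}: src={src:<13} in={ifc:<6} -> {verdict}")
```

On the edge router both forged sources are dropped; on the core router the strict check also drops a genuine packet, which is the false positive the comment warns about.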

  11. Re:Disconnect by Narpak · · Score: 5, Interesting

    The USAF would like to alter the permissive and decentralized nature of the Internet through technological and possibly political means to suit itself.

    I reckon that if any entity tries a large scale centralisation of the "the internet" then the users will simply adapt and decentralize in other ways.

    The more surveillance present on the internet the less useful it will be as a way to transmit information anonymously. However with advances in wireless technologies setting up other ways to transmit data is not only possible, but easier and cheaper than ever before. It's not about doing things that are illegal, but rather that to ensure freedom, liberty and justice there need to be ways of communicating that are not subject to government (or corporate) scrutiny.

    Of course that is not what this specific case is about, but I fear that whatever measures they implement (or try to) will carry with it a host of other issues that could inhibit the ability of ordinary citizens to access knowledge or data without being logged in an ever growing database. The phrase "if you are not doing anything illegal you have nothing to worry about" is misleading, since it does not consider the possibility that what you did today, while not illegal, could be used months, years, decades, down the line when the motivations of those with access to the database change (or indeed the database falls into the hands of antagonistic person(s)).

  12. Re:achilles heel by lunatic1969 · · Score: 1, Interesting

    Years ago, some worm hit the net whose name seems to be evading me at the moment. I had sent an email to a friend of mine in the Air Force. The email didn't get through and was bounced back to me. The Air Force had apparently disabled email temporarily, but they did so in such a way that my one email continuously and non-stop produced replies bouncing back over the course of the entire weekend. Since it was a weekend I wasn't able to get in touch with anybody to correct this. I set my computer up to fetch my mail every thirty seconds or so and hoped for the best. Eventually come the next business day I received a response from some admin somewhere advising me the problem had been fixed. I thanked them, and told him since I thought I'd earned the right to be a bit bent out of shape, I advised that next time they shut down a system, they might wish to do it /properly/ because while I didn't know what the system was doing besides handling mail, I'm sure that they didn't want it to come crashing down under the weight of my responses if I chose to just start bouncing everything they sent run on back to them. Their response was for the CO to call my friend into his office. The CO asked if I was a threat and my friend said something along the lines of, "No sir. If he'd wanted the system to come down, it would have already been done." To this day, I don't send email to .mil domains.

  13. Re:Disconnect by steelfood · · Score: 2, Interesting

    This isn't true. Google by itself is only a part of the equation that led to the death of bookmarking. In truth, the more obscure stuff is still easier to get at via bookmarks and portals than Google.

    What diminished the utility of bookmarks is a combination of Google, Wikipedia, blogs, and content aggregation (RSS/Atom).

    What Google did is figure out a way to do zero-knowledge authentication. It will tell you that citibank.com is the site of Citibank, while citi-bank.com is probably not the site you're looking for, whitehouse.gov is the real official website of the executive branch, while whitehouse.org and whitehouse.com are not (though this example is a bit dated).

    That feature, I think, is infinitely more valuable than a very marginal bit of convenience.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  14. Re:Disconnect by UnrealisticWhample · · Score: 4, Interesting

    As one who grew up on military bases, I can tell you that you generally aren't going to find too many opportunities to park a van with tinted windows and a twenty inch dish antenna in front of buildings. Yes, I'm aware that social engineers can accomplish many things and that given enough motivation and resources, there isn't likely anything that can't be broken into. That being said, what was said about unplugging computers from the net is still a good idea because all too often the problems the military is running into these days don't come from advanced espionage groups with large resource pools and dedicated staff, but rather a bored individual with access to kiddie scripts which is fairly embarrassing to them.

    The Air Force has announced similar programs to this in the past with little or no actual outcome. Every now and then they have to come out with another program with a spiffy name to distract us from the fact that they can't keep kids from breaking into their networks.

  15. Re:Disconnect by earlymon · · Score: 5, Interesting

    Not true. While working for the Dept of Defense I saw this scenario played out - it was around 1995.

    A van pulled up about a quarter-block away from a BDM building (located on a very public street) but the van was just too suspicious, for reasons I'd rather not elaborate on. Secretaries returning from lunch noticed it and reported it to security. Local police cordoned off the area very, very quickly - almost real-time - coincident with a first-responder team from the local USAF base. Automatic rifles were pointed at the van from three directions, two Ruger AC-556s were laid against the back door, and the solid side of the van was struck with some sort of hammer, and a cry to get the fuck out of the van ensued. Public area, people put rapidly out of harm's way. I recall that from phone report to guy laid out being handcuffed took less than 20 minutes.

    And yes, he was a spy, using the latest EM-based eavesdropping equipment. Saw it and heard it. None of this sir, please step out crap.

    Maybe a decade later we've learned to coddle suspected spies... no, wait - I saw Harold and Kumar Escape from Guantanamo Bay (sorry, couldn't resist) - I rather doubt it, but then, I could be in error.

    --
    Pathological kinda promises Path + Logical - but instead, you get stuck with pathetic.
  16. Re:It worked for the Army! by Anonymous Coward · · Score: 2, Interesting

    anybody else noticed that Military Intelligence Battalion's acronym is M.I.B. ?

  17. Re:Disconnect by Bromskloss · · Score: 2, Interesting

    the van was just too suspicious, for reasons I'd rather not elaborate on.

    I will not ask you what made the van suspicious, but I would like to know why you don't want to elaborate on it. For whose sake?

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  18. Re:Disconnect by jc42 · · Score: 2, Interesting

    The more surveillance present on the internet the less useful it will be as a way to transmit information anonymously.

    Actually, the Internet has always been highly susceptible to surveillance. This was done intentionally, but with different terminology that matches the motive. The intent was to make it reasonably easy to manage and troubleshoot. I.e., it's supposed to be easy for support people to examine the traffic, diagnose problems, and fix them. It's a large part of why the Internet has been so successful. And if the support crew can examine your packets, then anyone anywhere along the data path can do so.

    This may seem odd considering that the early Internet was developed almost entirely with military funding. But it makes sense if you study their reasoning. The security people understood from the start that the only way you can get communication security is with end-to-end encryption.

    Trying to push the security to a lower level is counterproductive, because the lower levels are inevitably close to invisible at the application level. This means that security breaches at lower levels will rarely be noticed for some time. And even when you notice a breach, digging into the lower levels of the protocols is inherently difficult for people who don't work with it every day. So they concluded that the IP layer should only worry about getting packets to their destination undamaged. That's difficult enough that you don't want the people working on it to be distracted by security issues; they'll just screw it up and block valid traffic. They don't need to know the contents of packets, just the headers, so if you encrypt all the contents, it doesn't affect the lower levels at all.

    Or, more simply: Low-level encryption is a pure waste of cpu time and bandwidth, because you have to do it at the top level anyway. So don't bother. And nothing but top-level end-to-end encryption will give you secure communication.

    Yes, this means that anyone can intercept your traffic and save it. If you are relying on this not happening, you can't ever be secure. You have to accept it, and make your data worthless to anyone but the intended recipients.

    This was all understood decades ago by the folks who designed the Internet. Complaining about surveillance now really just shows poor understanding of the issues. You can't prevent surveillance on any network, so don't bother. You should be talking about making that surveillance a time and money sinkhole with no results. And you do that by encrypting stuff. There's a lot of research on this topic and most of it is pretty easy to find; go read some of it.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  19. Re:Only traitors will vote for Oook-oook Banana by Frnknstn · · Score: 2, Interesting

    In general web surfing I'd say the religion bashing posts outnumber the Atheist bashing posts by a ratio of about 10,000:1.

    That's because you visit more atheist-friendly websites than religious websites. People prefer to express their opinions in like-minded company; thus you see more anti-religion posts on your pro-atheist websites.

    No I'm not exaggerating

    On this comment page, there are at least two anti-atheist posts. That is for a single story. Twenty slashdot stories a day, 500 posts per story makes your 20 000 posts to cover that. So you claim that almost every post made on slashdot is anti-religion? Or does slashdot have a different ratio because it is a particularly pro-religion website?

    --
    If it's in you sig, it's in your post.
  20. Re:Only traitors will vote for Oook-oook Banana by Oligonicella · · Score: 2, Interesting

    I'm hard core atheist and every blog I post on knows it. I've received more crap from atheists than the few uberChristians. All I do is point out their hypocrisy and whammo, they lose their nut.

    For instance, I'm not excluded from any blog at all, no one actively tried to suppress my education or rights or those of my daughter or her children. You list a line of talking points that don't stand up on scrutiny and I seriously doubt your every time statement. Sounds more like pompous self-aggrandizement than truth. Also, the 'true teachings' statement is similar to that made by religious bigots because they 'hold the understanding'. I live in Bible belt country and rarely hear local conservative politicos spit hate and venom.

  21. Re:Only traitors will vote for Oook-oook Banana by Plugh · · Score: 2, Interesting

    ... and I am an Anarchocapitalist. I believe that there's no government you can design, that authoritarians of either the Communist-type or the Fascist-type won't eventually turn into their own tools of oppression (always, of course, "for everyone's benefit")

    I know it sounds extreme, but if you're a fan of the work of Nobel-prize winning economist Milton Friedman, I suggest you have a look at the work of his son, David Friedman, which extended his father's work to its natural conclusion.

    And in any case... whether you want a return to the limits of the Constitution, less government overall, or no government whatsoever, I suggest you check the link in my signature.