Air Force To Rewrite the Rules of the Internet

meridiangod writes "The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than the rewriting the 'laws of cyberspace.'" I'm sure that'll work out really well for them.

Disconnect

[electrictroy]

If they were smart, they would disconnect their computers from the public internet. People can't access hardware they can't access.

Re:Disconnect

[electrictroy]

People can't [hack] hardware they can't access.

Re:Disconnect

[Kagura]

They actually are smart, and any computers accessing Secret information and above are NOT allowed to be hooked up to the internet or a network with access to the internet, EVER.

Re:Disconnect

[blueg3]

"People can't access hardware they can't access."

Good tautology there.

They already do this. Machines that don't need Internet access don't have it, and the DoD has its own network for secure communication. Sometimes, though, you want to provide services on the public Internet, yet not have them hacked.

Re:Disconnect

[morgan_greywolf]

You're right, of course. But this isn't about computers with Secret information, which are a non-issue when it comes to the Internet -- those machines are on their own completely air-gapped network and secured behind locked doors, alarms and armed guards.

This is about the Air Force's services that are on the public Internet. The Air Force, like the other branches of the military and other government agencies, needs to interface with the public. One of their primary means of doing that these days is through their Internet presence.

Of course, sites in the .mil domain are going to constantly be hammered by cyber criminals, bored teenagers and even spammer gangs trying to bring down the sites.

The USAF would like to alter the permissive and decentralized nature of the Internet through technological and possibly political means to suit itself.

All I have to say is good luck with that and uh, get in line. Companies have tried and failed for years to mold the Internet in their own image. Companies with billions and billions of dollars to throw at the matter. Companies who were once powerful juggernauts and 800 lb. gorillas finding themselves becoming increasingly irrelevant...

Re:Disconnect

[Atriqus]

Actually, I liked the previous version... it better illustrated the obviousness of the solution.

Re:Disconnect

[British]

Even without a wireless keyboard & mouse + TEMPEST hacking?

Or wireless + remote desktop?

Re:Disconnect

[sam0737]

Someone, someday will carry lost a USB thumbdrive carrying the sensitive information.

Perhaps we need a new RFC, similar to this one [RFC1149], for USB thumbdrive.

Re:Disconnect

[evanbd]

Sure they can. It just adds a step: get the hardware connected. Sometimes that can be accomplished through social engineering, sometimes well-meaning people do it for you, and sometimes people simply don't realize the connection existed in the first place. Of course, it does make things harder, and it is a valuable step... but it should not, under any circumstances, be assumed to be bulletproof by itself. You still need to worry about security against an attack.

Re:Disconnect

[Swizec]

Then there is that one company that started off very small and ended up changing the rules of the internet completely.

You know ... Google.

Re:Disconnect

[hey!]

Correction: any computer which is supposed to be allowed to access Secret information is not allowed to be hooked up to the Internet. I suspect there is no way to enforce the rule as you state it without possibly divulging what is secret and what is not. For example if I'm monitoring a computer and find that a bunch of files have been deleted, I might look at one of the files I downloaded that was purged, and say, "hey, this memo implies the F35 can climb at over 330 meters/second."

What I'm saying is that it's best not to trust in systems to operate according to the rules.

Re:Disconnect

[BLQWME]

Those methods still require access.

Re:Disconnect

[MrNaz]

Because the Air Force can't catch people over the internet, that must mean that they are also vulnerable to vans with tinted windows in the car park of the armed forces branch head quarters with a 20" dish antenna mounted on top.

Re:Disconnect

[ChrisA90278]

Yes that is pretty much the first rule. any machine with senitive data is not hooked up to the Internet. Not even via a firewall. They call it an "air gap" but today with wireless the term is an anachronism but still you get the idea "no connection at all".

Computers that handle REALLY sensitive stuff can't even be connected to normal AC power systems or even to normal building ground wires.

Many of the computers have removable disk drives. That is where ALL of the drives can be removed without tools. The rule requires the drives to be removed and stored in a safe when not in use.

Believe me they do have a few smart people who understand security and they have a decent educational system in place where people have to go to class and read some papers before they can use systems that handle sensitive information. And they are required to re-take the classes periodically

But then there are always ideots and weven normal people forget and make mistakes. But then typically some guard is assigned the task to walk around a pull on safe handles and check that desks are clear and so on. Hell likely catch most of the mistakes

Re:Disconnect

[Firethorn]

That's called 'Somebody makes a call' and 'Guys with automatic weapons show up to ask questions'.

Re:Disconnect

[demachina]

If they were smart they would post their problem on Slashdot and let all the nerds figure out a solution for them for free......

Re:Disconnect

[mcostas]

That's not exactly true. There's a huge demand for inline network encryption and cross domain filtering devices that DO allow Secret/Top Secret data to go out on insecure public networks. For example, products like this

Re:Disconnect

[MightyMartian]

Microsoft started out small too and it rewrote all the rules as well.

More like ignored all the rules, but we can see how it's new "rules" on development cycles has seriously bitten it in the ass.

Re:Disconnect

[jandrese]

How did Google change the rules of the internet? It's not like they were the first search engine (just the first one that wasn't evil). I still connect to their servers with a web browser and run queries. They do provide a previously rare amount of "web 2.0" functionality (their office suite for instance), but even that's a minor tweak, not "changing the rules of the internet completely" by any measure.

Re:Disconnect

[Dun+Malg]

"hey, this memo implies the F35 can climb at over 330 meters/second."

Actually, there's plenty of that stuff around, and it's actually not necessarily classified, even if it's true. In the bad old days of the cold war, I asked the security officer in my Army unit why all this crap we were working with was classified SECRET and TOP SECRET when the same exact information was available to anyone purchasing a Jane's book by mail order. It was explained to me that it was not the raw information that was secret, but rather the positive verification that it was true that was being controlled. Most classified information falls into that category, really. Very little of it is truly secret, in that nobody without clearance knows it. I've seen quite a few pictures of "people and stuff at locations in Certain Southwest Asian Countries" that I know from personal experience would be classified SECRET or higher if they were government photos rather than casual snapshots taken by a yokel or journalist with a pocket camera. What the classification of the subject matter does is bar me (under penalty of waterboarding or whatever) from pointing out which pictures those are.

Re:Disconnect

I'm all for rebellion and making fun of peoples' cliques, but, um, I can't tell what you're rebelling against.

http://en.wikipedia.org/wiki/Air_gap_(computing)

It's a common term in network security.

To avoid these terms altogether, get your technical news here.

Re:Disconnect

I can vouch for that. Left a classified syquest cartridge (yes it was some years ago) out on my desk once and it was noticed within 10 minutes by security. My boss was pretty understanding. He said there wee two types of people, those who had committed security procedure breaches, and those who would do so in the future. Had to go through the training again.

Re:Disconnect

[MikeBabcock]

I'm not sure they ask many questions in that situation.

Its more like being yelled at to get out of the vehicle and plant yourself on the ground before the bullets do it to you.

Re:Disconnect

[mweather]

Companies have tried and failed for years to mold the Internet in their own image. Companies with billions and billions of dollars to throw at the matter. Companies who were once powerful juggernauts and 800 lb. gorillas finding themselves becoming increasingly irrelevant...

How many of those companies had JDAMs?

Re:Disconnect

[Swizec]

Google changed something very important about the internet. It made bookmarking obsolete by actually being able to find the content you need quicker than browsing through a list of bookmarks.

That's a pretty radical change to before-google-became-all-too-popular times.

Re:Disconnect

[camperdave]

Dear Slashdot.

My computer keeps on being hacked. It can be reached at ::1 on the IPv6 network. Please help me secure it.

Re:Disconnect

[hey!]

I'm not necessarily disagreeing with what you are saying.

However, the power of networked computing is that with enough data and the right tools for sifting through it, you can make quite useful inferences. Verification of any data really amounts to checking it against different sources, after all. For example, if you know the Eurofighter can climb at a certain rate, and you know that in an exercise an F35 was unable to outclimb it, you can infer that the F35 cannot climb as quickly. Or vice versa.

This really comes back to "loose lips sink ships". Idle talk isn't very useful, but put it in the right context and it becomes intelligence.

Re:Disconnect

[PPH]

Microsoft didn't "get" the Internet until it was almost too late (for them). They still appear to be having trouble (look at Google's 'net presence vs MSN).

Re:Disconnect

[russ1337]

google invented nothing. changed nothing. what are you going on about?

altavista was one of the first search engines. predated google by years and years. (in fact google hired brian reid, one of the altavista architects (iirc) and then fired him later when his stock was about to vest. ....do no evil. yeah right.

google channged nothing at all about 'the internet'. they are simply yet another search engine and mail service (etc etc). big deal.

Who said anything about search. Google changed the internet landscape through it's advertising model. It revolutionized internet advertising - proven through their 53% market share. That is a big deal.

Too many people think Google is a search company. they do provide search, but all their revenue is all advertising.

Re:Disconnect

[ajs]

Exactly. However, there's always a trade-off between usability and security, and many in the military rely on the public internet for routine work (accessing contractor Web sites, presentation of information to the public, recruiting, etc.) They're also responsible for defending the public infrastructure in the same way that they're responsible for defending the physical nation.

These are the concerns that I think they're talking about, and those that spurred the creation of this new group.

Re:Disconnect

[Firethorn]

Nah...

They generally start with the standard 'Sir, please get out of the vehicle'. If your response to that is not favorable, then stuff starts escallating.

The more impolite reactions are for more sensitive areas than a parking lot.

Re:Disconnect

This isn't technically true. A lot (and increasingly more and more) classified (SIPRNET) traffic is carried over the non-classified network (NIPRNET) using bulk encryption devices such as TACLANEs.

http://en.wikipedia.org/wiki/TACLANE

Re:Disconnect

[Ethanol-fueled]

Google is a verb.

Altavista, Hotbot, and MSN are not verbs. Yahoo! tried to make its name a verb(with their "Do you Yahoo?" slogan) but failed. Ask is a verb, but unlike Google, Ask was born a verb, it wasn't made one because of its ubiquity and popularity among the masses.

Re:Disconnect

You are absolutely correct. The USAF uses a system called SIPRNET for secret information.

Regarding your second point, you might be surprised as to how stringently the USAF, and the military in general, controls secret data. Classified Message Incidents are exceedingly rare.

Re:Disconnect

[Narpak]

The USAF would like to alter the permissive and decentralized nature of the Internet through technological and possibly political means to suit itself.

I reckon that if any entity tries a large scale centralisation of the "the internet" then the users will simply adapt and decentralize in other ways.

The more surveillance present on the internet the less useful it will be as a way to transmit information anonymously. However with advances in wireless technologies setting up other ways to transmit data is not only possible, but easier and cheaper than ever before. It's not about doing things that are illegal, but rather that to ensure freedom, liberty and justice there needs to be ways of communicating that is not subject to government (or corporate) scrutiny.

Of course that is not what this specific case is about, but I fear that whatever measures they implement (or try to) will carry with it a host of other issues that could inhibit the ability of ordinary citizens to access knowledge or data without being logged in an ever growing database. The phrase "if you are not doing anything illegal you have nothing to worry about" is misleading. Since it does not consider the possibility that what you did today, while not illegal, could be used months, years, decades, down the line when the motivations of those with access to the database changes (or indeed the database falls into the hands of antagonistic person(s)).

Re:Disconnect

[redtail]

Whenever this topic comes up, someone always incorrectly says that an "air gap" separates SECRET networks from unclassified networks. "Cross Domain Solutions" connect SECRET networks to uclassified networks. And these include "low assurance" solutions like SELiux and Trusted Solaris.

And these CDS machines also connect TOP SECRET networks to SECRET networks. Thus, two copies of SELinux sit between TOP SECRET networks and the Internet.

Re:Disconnect

[DeusExMach]

A googol is a one with a hundred zeros.

I internet all the time.

Re:Disconnect

[DeusExMach]

Google's got a fighter jet...

Re:Disconnect

[steelfood]

This isn't true. Google by itself is only a part of the equation that led to the death of bookmarking. In truth, the more obscure stuff is still easier to get at via bookmarks and portals than Google.

What diminished the utility of bookmarks is a combination of Google, Wikipedia, blogs, and content aggregation (RSS/Atom).

What Google did is figure out a way to do zero-knowledge authentication. It will tell you that citibank.com is the site of Citibank, while citi-bank.com is probably not the site you're looking for, whitehouse.gov is the real official website of the executive branch, while whitehouse.org and whitehouse.com are not (though this example is a bit dated).

That feature, I think, is infinitely more valuable than a very marginal bit of convenience.

Re:Disconnect

[DeusExMach]

When I was an airman, I used to be in charge of the hard drive sledgehammer.

Y'know... just in case the bomb dump got invaded.

Re:Disconnect

[Jeff+Hornby]

Google changed something about how the internet is used and perceived by people. I'm not discounting this but the USAF is trying to change something more fundamental about the internet. The effects that they want would require scrapping TCP/IP and replacing it with something else (it may still be called TCP/IP but it will be something entirely different).

This is like claiming that the "Obama Revolution" is fundamentally changing the nature of the United States and then somebody coming along and saying that they want to change the Law of Gravity. They're just not on the same scale.

Re:Disconnect

[UnrealisticWhample]

As one who grew up on military bases, I can tell you that you generally aren't going to find too many opportunities to park van with tinted windows and a twenty inch dish antenna in front of buildings. Yes, I'm aware that social engineers can accomplish many things and that given enough motivation and resources, there isn't likely anything that can't be broken into. That being said, what was said about unplugging computers from the net is still a good idea because all too often the problems the military is running into these days don't come from advanced espionage groups with large resource pools and dedicated staff, but rather a bored individual with access to kiddie scripts which is fairly embarrassing to them.

The Air Force has announced similar programs to this in the past with little or no actual outcome. Every now and then they have to come out with another program with a spiffy name to distract us from the fact that they can't keep kids from breaking into their networks.

Re:Disconnect

[UnrealisticWhample]

I'm a bit sick today and I feel that my sarcasm sensors may very well be out of alignment.

meh

Re:Disconnect

[lysergic.acid]

so it's not illegal for unauthorized civilians to access or disseminate "top secret" information; it's only illegal for authorized personnel to verify it?

Re:Disconnect

[SeraphX2]

All you need to do is a system hooked up to the public internet for your interfacing with the public and keep your sensitive crap offline.

Re:Disconnect

[Smauler]

Bookmarking is most definitely not obselete. Google is getting worse IMO in many ways - have you tried searching for a walkthrough for a game with google? You end up with about 20 sites referencing each other, each providing advertisments and general useless information, and then a link you might want. Or you could just go to Gamefaqs, which you have bookmarked.

Anyway, back OT - FTA : it's extraordinarily difficult to find the hacker behind a cyberattack today. Well, no it's not if you have enough time and clout. If you really really want to find which computer something came from, you can. It just takes a while. Of course, then you've got the problem of deciding who was using that computer, but that's not an internet problem really.

Re:Disconnect

[Thaelon]

I love Google as much as the next nerd, but exactly what rules are you talking about?

FTP, SMTP, HTTP, UDP, and TCP/IP still work pretty much as their respective RFCs dictated prior to Google. So do ping, tracert, and a whole host of other things.

Re:Disconnect

[adam613]

Pretty much, yes. I had several friends from college who went to work for government contractors on projects that required security clearance. The way they explained it, if I figure out on my own what they're working on, that's legal even if it is classified. What would be illegal is if they told me or gave me direct access to classified information about what they were working on.

(Also, in a lot of cases, what they were building wasn't classified, but who they were building it for was.)

Re:Disconnect

[pestilence669]

Right. Why leak sensitive information now, when you can just misplace some laptops later?

Re:Disconnect

[Zader]

What I'm saying is that it's best not to trust in systems to operate according to the rules.

We have to know who to contact at our work every time there's a "dataspill", which seems to happen a few times a year. The problem with portals and such that make file exchange and whatnot easy ... is that it's maybe too convenient. I have a hard time believing that every incident is an accident - how can they not realize that they are not supposed to exchange classified files on non classified networks? Some of these folks must be willing to ignore the rules out of convenience.

What's worse sometimes is the documents that almost certainly should be classified ... but aren't. I'm mostly ignorant of the document classification process, but just some of the filenames make my head hurt. Having to dig up someone with clearance to investigate in the middle of the night due to suspect filenames on what's technically supposed to be a non-classified system sucks. They really need to buy more disk space so I can go years without having to see who the disk hogs are. :-)

Re:Disconnect

[hesaigo999ca]

It is just up to them to figure out some easy to understand concepts of setting up a webpage at
a regular website blog about stuff.com...with links that retrieve the info the person wants....so no special .mil website to let hackers know it is a military website. Keywords...sure everyone has
military keywords...all the call of duty gaming websites have it...so NO I don't think they would use a baysian filter to get at the military Ordinary site.

Re:Disconnect

[Maestro485]

then there are always ideots and weven

Who are these ideots and weven and how have the managed to penetrate the US Gov't?!?

No wonder we need a new internet!

Re:Disconnect

[earlymon]

Not true. While working for the Dept of Defense I saw this scenario played out - it was around 1995.

A van pulled up about a quarter-block away from a BDM building (located on a very public street) but the van was just too suspicious, for reasons I'd rather not elaborate on. Secretaries returning from lunch noticed it and reported it to security. Local police cordoned off the area very, very quickly - almost real-time - coincident with a first-responder team from the local USAF base. Automatic rifles were pointed at the van from three directions, two Ruger AC-556s were layed against the back door, and the solid side of the van was struck with some sort of hammer, and a cry to get the fuck out of the van ensued. Public area, people put rapidly out of harm's way. I recall that from phone report to guy laid out being handcuffed took less than 20 minutes.

And yes, he was a spy, using the latest EM-based eavesdropping equipment. Saw it and heard it. None of this sir, please step out crap.

Maybe a decade later we've learned to coddle suspected spies... no, wait - I saw Harold and Kumar Escape from Guantanamo Bay (sorry, couldn't resist) - I rather doubt it, but then, I could be in error.

Re:Disconnect

I agree with your post with one exception. While Secret and up machines cannot be connected to the internet they are NOT air-gapped. They are on a glorified VPN (at least the secret machines I work with routinely both in the USA and Iraq are) with a hardware encryption solution that separates them from the rest of the internet.

We send large amounts of encrypted secret traffic over the internet everyday.

-AC for obvious reasons

Re:Disconnect

[morgan_greywolf]

It's not just public interface. They conduct a lot of non-battle-related stuff over the internet, or on computer systems that are indirectly linked to the internet. Obviously you don't plug an F-22 into comcast (although supposedly its electronics system is versatile enough that you could reprogram it to use the radar as a really powerful 802.11 antenna). However, it's quite a bit easier to just connect workstations to a typical LAN that has some computers online for logistics type stuff, even if all the actual communication takes place on the local side, than it is to maintain multiple networks for computers that need internet access and those that don't.

But not sensitive, classified material. NO systems with classified information are connected to the Internet. Trust me on this one.

Yes, some day-to-day non-classified systems do happen on computers connected to the Internet.

So, yes, they do maintain different systems -- one for classified information and one for non-classified information. What's maintained on the non-classified systems just day-to-day stuff like non-battle duty rosters or things like that.

Re:Disconnect

[marafa]

People can't [crack] hardware they can't access.

Re:Disconnect

[Facegarden]

People can't [hack] hardware they can't access.

Well, that's too specific. People can't do *anything* to hardware they can't access, hence the parent's redundancy.

-Taylor

Re:Disconnect

[zippthorne]

Actually.. most of the search engines (and especially Yahoo as originally envisioned) did this.

Google just happened to be "the one with the decent results right now" (i.e. the one the SEO jerks hadn't turned their attention to yet) when moderate-bandwidth "raw" connections became popular. Prior to that, you had Alta-Vista, Lycos, Web Crawler, Yahoo, etc.

All of which had their period of most-useful-results, but google was in vogue at just the time everyone got connected, so they got lots of mind-share.

I only wish they were as good now as they were then.

Re:Disconnect

[Feanturi]

I've never had trouble finding a walkthrough for a game, unless it didn't exist. I don't see how Google can fix that particular instance, but it's been damn good finding me anything else. Usually within the top three results and very often the top one.

Re:Disconnect

[K.+S.+Kyosuke]

You Americans still have much to learn from us. The Czech Police is still using hacker-proof typewriters and I have not heard about a single hack of their...ehm...information systems. (This way they are at least spared the embarrassment, unlike the National Security Office of the Slovak Republic which had to introduce "Internet business hours" (sic!) to protect their servers after their whole infrastructure of servers and Cisco equipment was compromised by some ingenious outside guy who had the idea to try nbusr/nbusr123 as the user/pass combo only to discover that they are indeed using it all over the place. ;-))

Re:Disconnect

[Mistshadow2k4]

Bookmarking is obsolete? Since when? I and everyone I know who has a computer with internet access has some bookmarks.

Bookmarking would be obsolete for people who only do research on the internet (and not even for all of them) and only visit sites that are as popular as Slashdot or Digg. If they like any, even just one, slightly more unknown site than that they risk not being to find it again if they can't recall the exact url. How high on the list of results from a search engine a particular site would show up on changes day to day, even hour to hour. It might tenth in the results one day and not even on the first page of 100 the next. Anyone who tried to just use Google instead of bookmarking would quickly learn better. Seriously, how can you think Google made bookmarking obsolete and who modded up this nonsense? Google astroturfers, maybe?

Re:Disconnect

[QuantumG]

Yahoo diluted their search brand with news and email. Google had the sense to give their news and email offerings different branding. No-one hears the word "Google" and thinks of news, stock prices, chatting, playing games, etc, like they do for Yahoo.

Re:Disconnect

[jc42]

whitehouse.gov is the real official website of the executive branch, while whitehouse.org and whitehouse.com are not (though this example is a bit dated).

How so? Hasn't the White House been a commercial operation for the past 8 years, for sale to anyone for the right price?

Of course, the more cynical among us will claim that it has always been so. Others would suggest that at least whitehouse.org is inappropriate, though it might have been better to suggest that during the Clinton administration.

Re:Disconnect

[jonscilz]

NOT right. i work in secret environments with secret hardware and software projects and higher and most of them are connected to public access networks. the only networks with this clearance requirement (assuming the employees even adhere to these policies) that are restricted this way are government owned ones. contractors have their own rules and i see it every day. get your facts straight.

Re:Disconnect

[nurb432]

You hope anyway. But when people are involved, mistakes do happen.

Re:Disconnect

[bluefoxlucid]

It's illegal for you to access and disseminate top secret information. Information is an object; a file at the NSA is top secret. A file at your house, generated by you, without previously reading the NSA file, containing the same information as the NSA file, is not top secret. If the NSA hears about it, shows up at your house, takes it, and debriefs you, it is now top secret.

Re:Disconnect

So, how will "rewriting the rules of the internet" help foil spies using sophisticated EM-based eavesdropping equipment?

I think maybe you just wanted to tell your story?

Re:Disconnect

[bluefoxlucid]

You seem to not understand what SELinux is. SELinux is, in a nutshell, an extended version of chmod.

Re:Disconnect

[Whiteox]

Do you have anything as sophisticated as this?
The Ministry for State Security, known as the Stasi, which acted as East Germany's secret police and intelligence agency throughout the Cold War, used odour recognition to keep tabs on potential dissidents.

They often collected the samples surreptitiously - breaking into homes to steal suspects' underwear, or by wiping down chairs used during interrogations.

The samples were then stored in glass jars, each carefully labelled with details of whom the sample came from. Some of the jars are now on display at the Stasi museum in Berlin.
http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/europe/6683803.stm

Re:Disconnect

[Shotgun]

Why is it not illegal for you to tell us how it is illegal to verify Top Secret information or who it is to be secreted from?

Re:Disconnect

Really. Sorry, but it sounds like a load of shit. Guys in black suits hit all the news outlets and lean on the reporters, too? You need to get out of the basement more.

Re:Disconnect

[maxume]

When you type a group of letters that may be words into Google, it often suggests a real word that is close to that group of letters. This could change many things on the internet.

Re:Disconnect

[Fulcrum+of+Evil]

planning on calling an airstrike on Rosslyn, VA? Seriously, military force is irrelevant to this.

Re:Disconnect

[maxume]

Everybody knows that the golden toilet was for Rush.

Re:Disconnect

[mattcoz]

And more importantly, neither can Cylons.

Re:Disconnect

[north.coaster]

Sorry if this is a stupid question, but what is a "BDM building"?

Re:Disconnect

[Whiteox]

Agree. Google can't find anything unless there are links to it from an outside source. If the links are very few and you don't SEO on purpose, then it's hidden from Google eyes.
In fact, I know websites that use this for anonymity.

Re:Disconnect

[hey!]

Well, I think I didn't quite express myself clearly. It isn't just a matter of not trusting the systems to operate in accordance with the rules; it's a matter of rules not performing in accordance with expectations.

This gets right to your point about which documents are classified.

What I'm saying is you can't count on the classification process to do the right thing, and even when it does the right thing you can't count on that to be enough. Either way, sensistive intelligence can be leaked that is not necessarily something that would be flagged as a "dataspill".

Of course organizations have to rely on their rules, but one of the goals for defense systems, even non-classified ones, should be that information should only be released through officially sanctioned channels. If an FOIA request comes through, then information gets released; that's fine. If documents are released through public affairs, they are purged of any hidden editorial history. If computers are retired, then the disks are destroyed or at least reliably erased before they become surplus.

So, I think, adding a bit of paranoia around non-classified defense networks is good.

This probably is a good goal for any government system: the system should be as transparent as possible, but not transparent through any accidental channels. I'm a big believer in open government, but government agencies also handle a great deal of sensitive personal information. I don't want some IRS contractor to leave a laptop with my tax return data in a coffee shop somewhere, but I do want everyone to know how tax enforcement policy is set.

Re:Disconnect

[Bromskloss]

the van was just too suspicious, for reasons I'd rather not elaborate on.

I will not ask you what made the van suspicious, but I would like to know why you don't want to elaborate on it. For whose sake?

Re:Disconnect

[Fulcrum+of+Evil]

For example, if you know the Eurofighter can climb at a certain rate, and you know that in an exercise an F35 was unable to outclimb it, you can infer that the F35 cannot climb as quickly. Or vice versa.

Really, you only know what some plane did. Perhaps the pilot or software is sandbagging because it's an exercise and they don't want to show their hand. Your point stands about checking against sources, although the intelligence community has access to primary sources and a way to verify chains if communication, so that counts for a lot.

Re:Disconnect

[MozeeToby]

Anyone with physical access to secure computers knows exactly what secret and top secret mean. Everyone has been through the briefings and knows exactly what is and isn't secure, and what can and can't be hooked up to the open net. Even more, everyone knows exactly what the fines and punishment are for violating those rules, treason is still taken quite seriously in this country.

Unless you're arguing for actual intrigue, (as in get hired by a defense contractor, get your clearance, then purposefully break the security rules) the idea of someone 'helpfully' hooking a computer into the net is a lot less likely than you would think. This isn't Initech software we're talking about, there aren't uninformed secretaries or IT people wandering around secure labs; classified information is highly sensitive and the poeple with access to it know that.

Re:Disconnect

[earlymon]

My apologies - the result of working in an insular fashion is to rudely expect others to recognize an industry-specific TLA (three letter acronym).

BDM is/was a defense contractor. Here's a quick reference: http://www.business.com/directory/computers_and_software/bdm_international,_inc/profile/

Re:Disconnect

[theeddie55]

BDM was an IT company with a military contract.

Re:Disconnect

[jc42]

The more surveillance present on the internet the less useful it will be as a way to transmit information anonymously.

Actually, the Internet has always been highly susceptible to surveillance. This was done intentionally, but with different terminology that matches the motive. The intent was to make it reasonably easy to manage and troubleshoot. I.e., it's supposed to be easy for support people to examine the traffic, diagnose problems, and fix them. It's a large part of why the Internet has been so successful. And if the support crew can examine your packets, then anyone anywhere along the data path can do so.

This may seem odd considering that the early Internet was developed almost entirely with military funding. But it makes sense if you study their reasoning. The security people understood from the start that the only way you can get communication security is with end-to-end encryption.

Trying to push the security to a lower level is counterproductive, because the lower levels are inevitably close to invisible at the application level. This means that security breaches at lower levels will rarely be noticed for some time. And even when you notice a breach, digging into the lower levels of the protocols is inherently difficult for people who don't work with it every day. So they concluded that the IP layer should only worry about getting packets to their destination undamaged. That's difficult enough that you don't want the people working on it to be distracted by security issues; they'll just screw it up and block valid traffic. They don't need to know the contents of packets, just the headers, so if you encrypt all the contents, it doesn't affect the lower levels at all.

Or, more simply: Low-level encryption is a pure waste of cpu time and bandwidth, because you have to do it at the top level anyway. So don't bother. And nothing but top-level end-to-end encryption will give you secure communication.

Yes, this means that anyone can intercept your traffic and save it. If you are relying on this not happening, you can't ever be secure. You have to accept it, and make your data worthless to anyone but the intended recipients.

This was all understood decades ago by the folks who designed the Internet. Complaining about surveillance now really just shows poor understanding of the issues. You can't prevent surveillance on any network, so don't bother. You should be talking about making that surveillance a time and money sinkhole with no results. And you do that by encrypting stuff. There's a lot of research on this topic and most of it is pretty easy to find; go read some of it.

Re:Disconnect

[earlymon]

Negative on that full of shit, compadre. Happened in Albuquerque, NM. First responders came from Kirtland AFB - home to Sandia National Labs (where ALL of the country's nukes were managed), (at the time) the Air Force Weapons Lab and the Air Force Operational Test and Evaluation Center, as well (at the time) of the Air Force's contract management office.

Home to the cradle-to-grave, or inception to deployment to retirement, of our strategic nuke delivery systems. At the time, Albuquerque was a higher priority Soviet nuclear first strike target than Washington, D.C.

Sorry to burst your bubble, but there are scarier things in this world than the donut eaters you describe working for the purple-suiters. So, no apologies, not full of shit - not even a little.

And the guy in my story was a spy. And I'm not going to elaborate on what made the van different, as I said in my post.

Believe what you want. If you choose not to, it's just another horse-water-drink situation to me.

Re:Disconnect

[alexborges]

Well fuck me a googol, aunt marie, I think we have a winer.

Re:Disconnect

[rs79]

" If they were smart, they would disconnect their computers from the public internet. People can't access hardware they can't access. "

They actually did this. The ARPA net split into the MILNET and the Internet. It wasn't actually that cut and dry, but you get the point. They wanted no part of "the network". They wanted "their network".

What's this stuff about changing rules though? Is that so the guys hakcing them have a different set of rules to circumvent, is that the idea? Or so they believe these hackers will pay attention to new rules, it's just the dusty musty old rules they ignore?

Re:Disconnect

[earlymon]

Typo on that "At the time" should've been "At one time" - so sue me.

Re:Disconnect

[camperdave]

Everybody knows that the golden toilet was for Rush.

So, was it mounted in their tour bus, or in Geddy Lee's home?

Re:Disconnect

[jc42]

Note that RFC 1149 has been implemented and publicly demoed.

The ping times were a bit longer than most of us are accustomed to. But there's serious talk of extending the Internet to various space probes, and that will make the avian carrier protocol look speedy in comparison.

Re:Disconnect

[earlymon]

This may sound corny, but for America's sake. No reason to explain a poker tell when you're winning because of it. That was just part of my training from back then - I'm out of that world, but still respect the training.

Re:Disconnect

[jggimi]

BDM could mean BDM International, now part of TRW, or, it could mean "Base Defense Measure" or "Bomber Defense Missile" or perhaps "Banking and Debt Management."

Re:Disconnect

[earlymon]

Yes, I wanted to tell my story in direct response to the parent of my post. Maybe you lost the thread, sorry.

Re:Disconnect

[Tenebrousedge]

Anonymous web sites. I presume you mean 'private' instead of 'anonymous'. I'm trying to imagine that, and it just sounds stupid.

The Web is about the most massively public medium in existence. There are ways to have private content on it, but I can't imagine a circumstance where the content was intended to be exclusively private--why host it on the Web at all?

Re:Disconnect

[earlymon]

My office didn't especially like them, so we called them Brain Damaged Monkeys.

Re:Disconnect

[denobug]

Yeah... Can you really trust those people, they are so... non-Chaney Like!!! Secretely every generals love the Darth Vador. They just can't admit it out of fear of public outcry...

Re:Disconnect

[Tenebrousedge]

Free speech. In this case, it's also the law of the land. I don't intend any offense by saying so, but your question does not make very much sense to me. Perhaps you could clarify it somewhat.

Re:Disconnect

[ceoyoyo]

Yeah right. The other day I tried to find a hardware project that I read about last week. I even knew the exact keywords I searched before to find it last time. At the time, it was the first hit in Google.

Guess what? This week searching for it gives two full pages of useless hits on blogs that "reported" it, ie swiped the pictures and much of the text from that project. Naturally none of them include an actual link.

Now I have a bookmark so I don't have to go through that again.

Re:Disconnect

[INT_QRK]

Oh? See "National Industrial Security Program Operating Manual (NISPOM)," see http://www.fas.org/sgp/library/nispom.htm. Classified information = not yours. If your contract requires access to it, you need to abide by government rules in applying measures to protect it. Of course another problem is that not all government information is classified, and is not covered under NISPOM but still merits protection. For example using the aggregation principle, lots of otherwise unclassified information might through clever analysis reveal classified information. Also, unclassified, albeit sensitive, technical information (also protected, but under under separate directives) may not be initially identified as such until it, or the systems engineering process, reaches a certain level of maturity (e.g., back-of-napkin engineering rendered to memorandum or charts). The fact that an awful lot of unclassified information needing better control resides on networks of wildly varying quality and hardness is, or hould be, a national security concern.

Re:Disconnect

[orclevegam]

Microsoft has never "gotten" anything decentralized, what with them being the most centralized organization known to man. If it's not owned and distributed by MS, then they either want to buy it, destroy it, or maybe both. The internet is practically the anti-thesis to the entire Microsoft world outlook. Is it any surprise they've struggled to make headway?

This is also incidentally why they don't get open source. OSS is the decentralized software model to Microsofts centralized model.

Re:Disconnect

[orclevegam]

Slang, colloquialisms, vernacular, and jargon are all still valid parts of a language, just those that are the most motile, and least consistent (particularly over a large geographic area). Over time any and all of the above may evolve to the point of integration with the core language, and in fact google is swiftly approaching that stage.

Also, your point is poorly phrased as someone already pointed out. The implication in your sentence is that the majority of the world (per capita) speaks English which is demonstrably false, as opposed to the point you were attempting to make, that the verb "google" is not part of the English language.

Re:Disconnect

[Bromskloss]

This may sound corny, but for America's sake.

Thank you for taking the time to answer. Corny or not, you are of course free to have any reasons you want. Even "I just don't feel like it.".

However, I might have misunderstood something. He was a spy against America, right? Aren't you then protecting the "opponent team" by not revealing what they look like? Or do you mean that by describing the van's suspicious features, you would let enemy spies know what to avoid?

Sorry for the weird questions. I am just interested in understanding things.

Re:Disconnect

[jonbryce]

But if the secret information is gathering all the youtube videos that terrorists make to promote their methods of conducting terrorism, then there is going to have to be a link to the public network somewhere.

Re:Disconnect

[earlymon]

Yes, he was a spy against America.

Or do you mean that by describing the van's suspicious features, you would let enemy spies know what to avoid?

That one. N.B., our training was sufficient that a contractor's secretaries could see it for what it was and report it - so, the opponent team is not protected by this (my) obfuscation.

Re:Disconnect

[bishiraver]

If I know something is going to be on a particular site - let's take looking for a walkthrough for example - I just search for: "gamefaqs saga frontier." If I'm looking for something particular on wowwiki or thottbot, I just enter, "thottbot death's sting" or "wowwiki aldor."

I guess I could set up a quick search keyword, but I'm lazy.

Re:Disconnect

[bishiraver]

they do provide search, but all their revenue is all advertising.

Except the revenue which comes from business leasing blackbox solutions for email, docs, and internal search.

Re:Disconnect

[bishiraver]

Most of their inventions are algorithmic in nature.

Re:Disconnect

[pcgabe]

almost real-time

As opposed to turn-based?

Re:Disconnect

[Whiteox]

why host it on the Web at all?
Access.

Re:Disconnect

[earlymon]

Second comment, so I'll try to clarify - I didn't use preview and a few extra spaces screwed it up.

"almost real-time-coincident" with ... as opposed to ... "almost real-time - coincident" meaning these guys were very closely coordinated, in that the base guys got on those streets and right behind them the cops were closing it up.

Sheesh. So I'm unclear. Tough crowd.

Re:Disconnect

[mrmeval]

They do for the classified stuff unless it goes through the proper encryption. Tempest is supposed to protect that portion as well. The unclassified side may be protected but since the AF *lost* to the OMG *ARMY* in a simulated computer warfare game my confidence in them is low.

Re:Disconnect

[ScrewMaster]

Yes, I wanted to tell my story in direct response to the parent of my post. Maybe you lost the thread, sorry.

Besides, it was an interesting story. If people stop telling interesting stories because other people get too concerned about "ontopicness", Slashdot will become significantly less worthwhile.

Now, I grant you that my girlfriend already thinks that Slashdot isn't worthwhile, but that's another story.

Re:Disconnect

[ScrewMaster]

My office didn't especially like them, so we called them Brain Damaged Monkeys.

Big deal, man.

Re:Disconnect

[TheGratefulNet]

agreed.

but this does not help the case that 'they changed the internet'.

if they were really the first search engine, that would be one thing. but the idea was there and actually working well long before they got there.

these days, their search sucks. it returns mostly PAID FOR items that have unfairly been bubbled to the top. more and more I have to ignore google' first page of results and go beyond the 'shilled' results.

I simply have stopped trusting this geek-wonder of a company. their search is no better (at all) than even yahoo and I considered their tech very old as long as 5 yrs ago.

btw, google mail 'in beta' for HOW many years? hmmmm. can you get away with anything if you just say 'its not 1.0 yet' ? what a cop-out. who else could get away with such a long 'beta'. get real.

Re:Disconnect

[DeusExMach]

Not to split hairs or anything, but there's an "H" in "whiner".

Re:Disconnect

[ScrewMaster]

Google changed something very important about the internet. It made bookmarking obsolete by actually being able to find the content you need quicker than browsing through a list of bookmarks. That's a pretty radical change to before-google-became-all-too-popular times.

Not at all. That's top layer stuff, not a fundamental change in the way the Internet functions.

The Internet (as opposed to the World Wide Web) is still pretty much what it has always been. Bigger of course, and way faster, but it's still nothing more than a way to get binary blobs from here to there with a minimum of fuss. Everything else is just frosting on the cake.

Re:Disconnect

[h4x354x0r]

>shows up at your house, takes it, and debriefs you

Dang, I hate it when the steal my underwear!

Re:Disconnect

[maxume]

I see that you enjoy T-ball.

Re:Disconnect

[ScrewMaster]

They are on a glorified VPN (at least the secret machines I work with routinely both in the USA and Iraq are) with a hardware encryption solution that separates them from the rest of the internet.

I hope that hardware solution wasn't Made in China.

Re:Disconnect

[lgw]

Plenty of sensitive information is not classified. For example, the home address of almost everyone in the military. There's also plenty of logistical information that it's better for an opponent to not have access to.

In any case, the AF is getting tired of being attacked, because it drains resources to deal with that, regardless of the sensitivity of the information.

Re:Disconnect

[ScrewMaster]

But then there are always ideots and weven normal people forget and make mistakes.

Very true.

Re:Disconnect

[ScrewMaster]

then there are always ideots and weven

Who are these ideots and weven and how have the managed to penetrate the US Gov't?!? No wonder we need a new internet!

The scariest thing about all this is that some of them are boll weven!

Re:Disconnect

[jonaskoelker]

It made bookmarking obsolete

Almost. There are still some situations where bookmarking is useful.

If you search for something, trawl through a haystack of dead links, near misses and completely irrelevant stuff, only to find what you seek on page seven of the hits, you might want to bookmark it such that you can find it again without spending a lot of time.

Another situation, that you'll probably only discover too late, is when you can remember enough of a story to tell the broad strokes to someone else, but none of the ways you can describe the story can be used in a web search.

And I have two examples: one is a porn video of a class of Danish high school graduates partying in one of the graduates' garden, some nudity and blowing happening. Searching for studenterfest.wmv gave me dead rapidshare links, forum posts linking to the dead rapidshare, lots of nothing. Trawling through what felt like ~/dump_of_old_os/**/dump_of_old_os/bookmarks/saved_session_3/porn/**/ found it.

The second is NTP vandalism. On the Network Manager list, someone suggested to test the bandwidth once you hop onto an ESSID for the first time, cache the result and then let applications use that information [e.g. to select the best available small enough video stream]. I expressed my caution, talking about the NETGEAR ntp vandalism incident in broad and vague terms. I had tried finding it via google, but `"ntp on startup" router' and the like didn't prove to be useful.

What Google needs is a way to specify the sense of each word you're looking for. When searching for "type", it's no fun learning about taxonomies and Hindley-Milner when you want to learn how to use the dvorak keyboard layout.

It'd be nice to search for pages that talk about something from a category of things (and not the category) without enumerating all the members of the category. Say, I search for "consumer networking electronics", I get results on wireless APs, switches, routers, hubs, even if they don't use any of the words "consumer", "networking" or "electronics".

Google can do 90% of all searches perfectly. There's just the remaining 90% left :)

Re:Disconnect

[deniable]

The worst thing about Google to me is trying to find support for a product I've already bought. The first few pages are almost always stores trying to sell me another one.

Re:Disconnect

[earlymon]

Yep. But the one thing we did learn was that he wasn't an awareness test - which was what we were really hoping for.

Re:Disconnect

[lennier]

I know SELinux isn't a distro, but I assume the NSA also have their own Linux distros which include SELinux capabilities, given that they presumably wrote it for the purpose of being used?

Re:Disconnect

[igb]

The exception, for US citizens, is information about nuclear devices. If you happen to be dabbling in your back-yard laboratory and come up with a design for a classified component of a nuclear device, my understanding is that you have to treat that information as though you had obtained it as TOP SECRET (or some similar protective marking). Nuclear device designs are born classified, whoever does the work.

Re:Disconnect

[perlchild]

It's so obvious, it reminded me why we used to have "internets" that could be or not, connected to the "Internet". The main reason the latter was capitalised, was that it had no one body to rule over it, while the others were little fiefs.

Re:Disconnect

[digitalchinky]

Not true good man, not true at all. The 'internet' is only, like, one of the biggest intelligence sources ever. When sticking ones passive little fingers in the data stream to make a bit for bit copy, those same fingers can and do get burned at times. The air gap just helps to keep it all from flowing back out to the newspapers. This air-gap doesn't start at 'secret', it starts at the fence line.

Re:Disconnect

[Frosty+Piss]

Sorry, not buying. Would have hit the papers. Bunch of conspiracy bullshit. -- FP, McChord AFB

Re:Disconnect

[digitalchinky]

Classified information doesn't start life in a bubble.

While your office might stick internet accessible computers in a different room away from everything else, there are other areas where such delineation is at odds with the mission.

The internet is absolutely connected to classified systems, just not using 'your' definition of connected, but connected they are.

Re:Disconnect

Be careful with the reductio ad absurdum there. No security is perfect security, fine. But disconnecting a device from the network is a damned good way to eliminate the network as an attack vector.

Re:Disconnect

[jc42]

In any case, you should consider that we're talking about people who have in the past classified ICMP ("ping") packets as "hacking attacks".

Have you ever mistyped the name or IP address of a machine that you were trying to connect to? Did you try it a couple of times before you realized your mistake? If so, you may well be on a list of people who have "attacked" the actual machine that you were talking to.

When reading stories like this, you should always consider that, unless they tell you details of the attacks, they could be talking about such trivia, and you could be on their list of attackers.

Yes, there are real attackers out there doing scans to find new machines for their probes. There are also real network managers doing scans to map portions of the network and locate problems. And there are people mistyping machine names or addresses. To produce good numbers that get people's attention, it's fairly common for the security people to count all packets from unknown machines as "attempted attacks".

Re:Disconnect

[mysidia]

Really? So who's going to find the suspicious van suspicious next time if noone knows what the dead giveaway is?

Re:Disconnect

[syousef]

Google changed something very important about the internet. It made bookmarking obsolete

I use bookmarks now at pretty much the same rate that I used bookmarks when I was using Altavista.

But don't let that stop you drinking the cool aid.

Re:Disconnect

[silentblackhawk]

Actually you can still "hack" into networks whether they are connected to the internet or not. For many years now, hacking has been possible via power lines. There are many rumors about worms designed to spread via the worlds power grid. The truth is that there are ways to hack through power, but for obvious reasons it doesnt work out well. First off, hacking through power raises many problems. The obvious problem is that power to the host has to maintain at least enough energy to physically power the device its self. We have all unplugged a laptop cable and noticed that the light on the battery charger itself will stay on for a little while even after unplugging it from the wall. The same concept is applied when hacking via ac. Alternating Current moves from positive to negative polarity about 60 times each second, hence the name Alternating Current, and therefore opens the oppurtunity to shut down power to the host a few dozen times per second. An experienced hacker can write a program that can be sent to a hosts' motherboard via their onboard power supply, and install a program on their system to interpret these power fluxuations as none other than binary. Obviously the volume of information that can be handled through power depends on how much voltage is required to run the host. Other obstacles to tackle are knowing the address of your host on the grid. Power can be re-routed to neighboorhoods based on a mapping system that is very similar to Longtitude and Lattitude, thus your search can be cut down using a program to compute how far the power flux has traveled and for how long. Another thing to remember is that your neighborhood's power breaker, or power distribution, unit has a physical address that is sent back to your power company that enables that company to see if their unit is online or not. These addresses are verified by simple computers that are tied into the power companies' grid system to shut down power if a box blows or a line goes down. With a lot of experience, and some kick-ass gear, it is very possible to hack via power and find even the most singular networks. Keep in mind that this is not unknown to the government, as they created it, and you should watch out for the rocks to leave unturned. I find it interesting that the airforce it "tired" of countless attacks on their networks. You dont hear the greater part of the American population bitching and moaning that the man is listening to my phone call everytime I order pizza. I guess we just have to hope the new "laws" dont eliminate sites like this where we can enjoy each others company. After all, we nerds are quite dangerous, arent we?

Re:Disconnect

[RockWolf]

It will be a faded-red van, with "Free Candy" spray-painted on the outside. Just a tip. ;)

Re:Disconnect

[Smauler]

If you know you're going to that site anyway, why use google? With Gamefaqs, their search just works, and works _better_ than google for a faq search. YMMV, but in my opinion Gamefaqs searches get me what I'm looking for a hell of a lot quicker than googling it,

Re:Disconnect

[I.M.O.G.]

While you are mostly correct, I think the post you replied to wasn't talking about the RFCs for given protocols when it referred to the internet.

While HTTP works the way it was originally designed, individual usage of HTTP has considerably changed since googles inception. The way people find content and discern quality of content served over HTTP has been dramatically changed by google.

In that way, google has molded the intarwebs usage in its own image. They have successfully crafted a service which lends itself favorably to ludicrous monetization with tremendous penetration and acceptance throughout the entire web. So, changing the rules the game is played by is absolutely possible and you don't have to be an 800lb gorilla to do it. In fact, the bureaucracy and motives of an 800lb gorilla make changing the game pretty unlikely. But Google proved that by taking the right ideals and aligning them with your target userbase, the internet game can be dramatically changed.

Re:Disconnect

[earlymon]

If you work in Force Protection - I haven't - then I would assume that you're familiar with DISCO (assuming no name change over these years I've been away) and you should well aware that DISCO carefully chooses what to document for wide area dissemination. (And I don't mean that "if" as in "as if" I mean it as a respectful rhetorical.)

I am not assuming that you are referring to the local ABQ news, and if you are, you're way out of touch with what we had for protocols in the cold war days.

What would you like? A sign that reads, "Hey, that guy fucked up, but try it over here!" ?? C'mon. Really.

And what's with the conspiracy tag? If you've worked anywhere against foreign intel threats, you know well enough that little is ever documented to the public. Protocol, not conspiracy.

So, you've pretty much pegged yourself, hombre - not me.

You might as well join the gang slagging me for not describing the van, as if I'm making hard to find and am therefore full of shit, when I've already stated that DIS training was sufficient so that the secretaries could spot it.

Sad - does everyone on /. insist that unless info is spoon-fed as goggle-able factoids, it doesn't exist? Jeez - I'd hope not!

Re:Disconnect

[rtb61]

Actually it makes much more sense to run parallel computer infrastructure, something the NSA dose internally. Simply run two computers on two separate networks, one internal and one external with access to public resources. The external network can be on a computer by computer basis, so only the targeted computer, might go down or be taken over and beyond that it only leads back to the public network, simply done with netbooks on a wireless network for convenience.

The internal network would be hard wired with no direct connection to a public network, all data coming in would be filtered and analysed prior to entry and only specific locations would allow connection of portable media sources for input or output. It is cheap enough to do now and it follows KISS principles, a lot of governments already run 'airgap' internal networks as the only safe means by which any M$ products can be implemented in what is meant to be a secure secure environment.

Re:Disconnect

[swillden]

I don't use bookmarks any more. Haven't for years. Actually, that's not entirely true. I do bookmark stuff that I come across that I think maybe I'll want to look at later. However, I never *use* the bookmarks.

Re:Disconnect

[I.M.O.G.]

I disagree.

I have a personal website that's been online for several months. Visit it and you'll see there isn't much there.

I get regular traffic and much of it is not unique. The content that gets the highest traffic is about Gentoo, blackberry tethering, and wireless configuration. I get near-zero direct traffic (from bookmarks), but I get regular traffic from google queries.

I also don't personally use bookmarking - I find it pretty easy and quicker to remember query terms which target the content I'm looking for, and I find google especially apt to finding obscure yet relevant content. My website analytics seem to reflect the same thing. Even with bookmarking, if you use much of it you have to remember the terms, category, or whatever your looking for - google short circuits that for many people and they just go right to remembering the google terms they need.

Re:Disconnect

[Scarletdown]

That hardware solution is the KG-175 from General Dynamics. I can't say for certain, but I highly doubt they outsource that to China.

Re:Disconnect

[sumdumass]

Nah.. I seen shit similar to that happening.

It was just after 9/11 and I was doing some work at a power generation facility for Dayton Power and Light. A van parked alongside the road just down from the fence line surrounding the property. We had all been instructed to watch out for suspicious activities and about 3 minutes after I noticed the van (before I could report anything), a military style response team was there, helicopters in the air (with guns mounted) and the military persons had automatic weapons trained on the van. They proceeded in the same manor, beat on the side with something and started screaming get the fuck out. In fact, they screamed it so loud and often that we would hear it almost half a mile away. Two people got out, one was half naked, the other looked like he/she was getting naked with a shirt unbuttoned and flapping in the wind, they were both thrown to the ground, cuffed, a dog was taken to the van, then through it, the people were carted off to separate vehicles. After the dogs went through, two people in suits went through the van, they took a camera and I lost track of the events after that. This all went down apparently within 15 minutes of the van parking. About 35-40 minutes later, the van and all the people were out of sight as if nothing ever happened. About 45 minutes later, the station sounded the stand down siren meaning that whatever the threat was, it was over. I don't remember hearing the alert siren but that could have been because of all the excitement. Everyone and everything just came out of nowhere real fast.

Re:Disconnect

[atraintocry]

I know what *I'd* consider suspicious: an N'Sync bumper sticker, but "Backstreet's Back" pumping inside. Also if the license plate was registered to a man living at 123 Fake St.

Re:Disconnect

[nilbog]

Whatever dude, I saw a special on 20/20 about 10 years ago where kids were already able to do illegal haz0ring over power lines!

Re:Disconnect

[blueg3]

None of the DoD computer security folk I've worked with use such a broad classification for attacks.

Re:Disconnect

[element-o.p.]

If you aren't familiar with computer terminology, WTF are you doing on /.?

Re:Disconnect

[element-o.p.]

I wouldn't put any bets on the AlphaJet in a matchup against an F-22, though.

Re:Disconnect

[Chris+Mattern]

Someone, someday will carry lost a USB thumbdrive carrying the sensitive information.

Computers that carry secret access do not have readily accessable removable media ports. Putting secret informatino on removable media that is then removed from a secure area is prohibited. I'm not saying it'll never happen, but if it does happen it'll be because somebody broke enough regs that there's going to be a court-martial in his immediate future.

Re:Disconnect

[alexborges]

or two "N"s in winner, yes?

Re:Disconnect

[DeusExMach]

Yeah, but if you explain the joke, you kill the comedy...

Re:Disconnect

[gatkinso]

I don't believe it.

Horse shit. Pureset ray scerene.

If it actually happened you could provide a news link, if it was classified then you wouldn't be posting it here.

18 years of working for and with the DOD in the DC area, and 6 in the active military, I have never heard of such a thing. When there is a breach they call the cops - Federal preferably but will settle for local if they have to (who will secure the scene until Federal cops with clearances show up who can handle the material or go inside the site) and then the FBI. That is it.

Re:Disconnect

[earlymon]

Correct. If it was classified, I wouldn't be posting it here. And if was or wasn't, it could hit DISCO newsletter updates. But it didn't. And if local news had covered it - and if I knew that - and if I knew the exact date - and if Albuquerque's local news outlets archived everything beginning in the pre-dot com days, well, I would just post that news link.

Have you ever worked for a defense contractor? When's there's a suspected breach, one reports it immediately to one's security officer. This is a civilian employed by the contractor, on site (no running to corporate), who has no other duties. I can assure you that that officer does not call the cops. They call DIS and/or the FBI. They decide the action to take.

Now, TEMPEST techniques were well known well before the time frame I present. But there were a newly identified SIGINT threats at the time, so perhaps what I saw was unique, but perhaps not for its day. Most of the contractors here were working on matters related to our strategic nuclear mission.

I don't know how such matters are handled in the world, back there in Trantor. But I know how they were handled that day next to our nuclear stockpile. I know how they've been handled at a lot of other places, too.

It's one thing to not believe me because it's outside of your experience. It's another to call a brother's words horseshit. Thanks a lot, pal.

Re:Disconnect

[gatkinso]

Perhaps you should reread my post.

And yes, you are full of it.

Re:Disconnect

[redtail]

Have you never heard of Cross Domain Solutions?

How do you feel about Linux sitting between SECRET data networks and UNCLASSIFIED data networks? There was a time when "high assurance" systems were needed for such connections. Now, B1 or "EAL4" will do.

http://www.gcn.com/online/vol1_no1/46648-1.html?topic=security

Re:Disconnect

[ScrewMaster]

That hardware solution is the KG-175 from General Dynamics. I can't say for certain, but I highly doubt they outsource that to China.

I hope not. COTS programs have their benefits but this is one area we'd best keep in-house.

Re:Disconnect

[bluefoxlucid]

The GP was talking about SELinux like a bubble around information; it's nothing of the sort, it's simply rudimentary access control on a system. It doesn't do any sort of encryption, munging of network protocols, deep packet inspection, or firewalling.

SELinux doesn't sit "on" or "between" a network; it affects a single host only, and only for locally executing processes. It is not network security software.

Re:Disconnect

[MikeBabcock]

There's a very common practise in intelligence circles to not share ANYTHING in detail for a few reasons:

• The details may turn out to be important in a way you hadn't predicted.
   
• Leaving out only the classified details makes isolating the black box of classified details easier; leaving out additional details makes it harder to isolate what was and wasn't interesting.
   
• A lack of knowledge of why the opponent would want to know the information (see #1 above).
   
• Another reason I can't tell you. lol.

You don't, I repeat don't share details about events like this unless you're very stupid or unpatriotic or want to be arrested for national security reasons, and the original poster probably shared more details than he thought prudent already.

Re:Disconnect

[jonscilz]

in response to INT QRK below im not disputing the rules im telling you what actually goes on.

They've solved their own problem

[yttrstein]

""[M]ost threats should be made irrelevant by eliminating vulnerabilities beforehand by either moving them 'out of band' (i.e., making them technically or physically inaccessible to the adversary), or 'designing them out' completely," the request for proposals adds."

Luckily for the Air Force, they don't actually have to do any work at all to make this happen, since it's been not only possible, but actually implemented since at least 1998, when RFC 2341 was written all about Virtual Private Networks.

Helpful Hint for the Air Force: Pay your private sector computer engineers more and you'll get the innovation you're looking for.

Re:They've solved their own problem

[areusche]

Easy. Stop outsourcing your IT and pay well. Sounds almost too easy.

Oh and move all important critical information off of a network that has access to the outside world and make the penalties for doing work at "home" well known.

Re:They've solved their own problem

[sexconker]

VPN?
How bout a private network.

Which is what all secret and above classifications use.

Physically disconnected from the internet.
Physically inaccessible by the plebes.

Code auditing, memory wiping, classification-based job scheduling (a machine works only on secret defense or only on top secret or only on top secret nuclear, or etc. jobs at a time, never mixing), secure attention keys, custom hardware, physical security, surveillance, custom hardware, etc.

I'd say that, for the shit that matters, they've got a pretty good setup. But let's listen to the internet nerds who think they know everything. They'll tell us how to fix it.

Re:They've solved their own problem

[Rogerborg]

I prefer RFC 2541. The Mark 1 Air Gap is still the gold standard of security.

To be fair "physically inaccessible" shows that they sort of get it, but they wrap it up in so many buzzwords that it'll never get implemented.

Re:They've solved their own problem

[DeusExMach]

The Air Force doesn't outsource IT. That's what the Comm Squadron is for.

Re:They've solved their own problem

[zappepcs]

I'm not sure that means what you think it does....

The threats from the outside world can make their way into the physical spaces which are protected computer areas... via usb, camera, cell phone, and other yet to be named methods. So it is quite important that all military accessible computer networks are protected. It only takes ONE USB stick or MP3 player to plant what could turn out to be a very bad thing. Virus software has the patience and time to sit and wait, staying undetected. Antivirus programs only protect you against virus code that has been detected. Done correctly an undetectable virus can sit there for months waiting for access to other networks/computers. I would think DDoS is hardly the problem they lay awake at night thinking about. I'd think any kind of 3-10 minute disruption of NORAD data would be a nightmare for the USAF. That doesn't even mention or consider rogue flash message traffic on the communication network of the USA military. Imagine the damage of one seemingly authentic flash message to European based nuclear counterstrike commands. Even if it is detected as false in the first few minutes of it's life, those few minutes of confusion could be dramatically bad for the world. So I don't really think common network threats are what they are worried about.

Now they even have to worry that test equipment, laptops, test software packages, everything has the ability to import a nasty virus inside their network now. The more risks they can easily mitigate, the cheaper and easier the task of working on the others should be.

Re:They've solved their own problem

[toiletsalmon]

"But let's listen to the internet nerds who think they know everything."

Yes, let's.
*Sits down and looks at you attentively.

Re:They've solved their own problem

[evilkasper]

2006 the Air Force decided to drastically reduce the amount of 3C0X1's (Sys Admins for all you Civi's) and move to centralized management. Mostly from the various NOSC's, and with the exception of some bright individuals most the 3C0X1's that I know that are still in are filling Work Group Manager position, while the majority of the actual IT work has been contracted out. The really bright individuals are now contractors. All this while the Air Force initially conceived "Cyber Command".

Re:They've solved their own problem

[TehDuffman]

I hope not as a Marine I want to know how I would check... the news?

Re:They've solved their own problem

[tonekids]

I LOLed.

Re:They've solved their own problem

[DeusExMach]

Fair enough. That was right around the time I got out.

Re:They've solved their own problem

[sexconker]

You check the news by using machines connected to the internet.

The machines that decide which hell hole to send you into with what gear and such are physically separate.

Also - as a Marine, you should already know the news, but in case you missed it: Yesterday, the Marines kicked ass. Today the Marines will kick ass. Tomorrow's forecast calls for the Marines to kick ass.

Re:They've solved their own problem

[kramulous]

Someone forgot to take their chill pill this morning ... didn't he? Yes he did! I think you summed up your own post perfectly.

Anonymous has not place on a military net.

[FoolishBluntman]

How about no spoofing as a good start. No changeable MAC addresses and Client side certs.

Re:Anonymous has not place on a military net.

[Z00L00K]

Since the MAC address is local only to the segment where it is used that is of relatively limited use.

Client side certs are also a thing that isn't easy to spoof since they have to be signed to be useful. Any certs that are self-signed can easily be dismissed.

Network security is a lot about segmentation, and using routers with correct setups means that you can easily filter out spoofed addresses.

A bigger problem is all the proprietary protocols or encapsulated protocols circulating on a network. The big problem is that some of these protocols may be open to attacks of various kinds.

Re:Anonymous has not place on a military net.

[jgtg32a]

Yeah good luck with that

Re:Anonymous has not place on a military net.

[Bengie]

"[...]No changeable MAC addresses[...]"

You can output any combination of 1s and 0s through your network card, I'd like to see this one.

Re:Anonymous has not place on a military net.

[coolsnowmen]

Network security is a lot about segmentation, and using routers with correct setups means that you can easily filter out spoofed addresses.

I would conjecture that it is the opposite that is true.
It is because of the segmentation that spoofing is so easy. Because your ability to transmit and receive information across the net is only gated by the next link, and not by a central authority. As a receiver, you can either trust the next link, or not.

It is for efficiency at the cost of security that we have network segmentation. If we really prioritized security, everycomputer would have a routable ipv6 given to them by ONE central DHCP server that you would have to sign in to.
Just a thought,

Re:Anonymous has not place on a military net.

[geekboy642]

If we did that, the internet would only be secure by means of nobody using it. There's no server in the world that could handle every single net-connected device requesting an IP address from it. And I can't conceive of how you would tie the DHCP server into a DNS server at that scale, but I bet it would be incredibly complicated and need unbelievably beefy hardware.

Re:Anonymous has not place on a military net.

[coolsnowmen]

Well I never said it was perfect :-)

Also, you wouldn't use just ONE computer. the truster "server" would be like any other distributed load out there. Enough servers to handle the load, One intelligent router to shunt the load across them.

Now that I think about it, this same network would also have to maintain some other information so that an ip-loop up could be performed by the host to verify you are who you say you are.

That part is just a thought I had. My only point is that the internets distributed nature is an engineering bonus, but a security nightmare. It is this segmented nature, as you say, that prevents hosts from truly being able to trust a user that is more than one hope away at the mac/ip level.

There is porn of it.

I hope they don't overlook Rule 34.

Re:There is porn of it.

[wild_berry]

Apparently, none of them is as cruel as all of them.

Re:There is porn of it.

[Fumus]

They just never learned rules 1 & 2.

It worked for the Army!

[David+Gerard]

Remember that the 304th Military Intelligence Battalion declared Twitter a terrorist weapon. God forbid they discover pen and paper. Or modulated farting, for that matter.

Re:It worked for the Army!

[Enderandrew]

No the Air Force listed Twitter as a tool that terrorists use.

There is a distinction. But thanks for playing.

Re:It worked for the Army!

[tadheckaman]

AM or FM?

Re:It worked for the Army!

Or modulated farting, for that matter.

Polictical speeches, punditry, injecting rumors, diplomacy, etc, etc, etc have been well known for some time but still seem to slip under the radar of most citizens including far too many in the military. Answers given to many questions at polictical interviews or debates are perhaps best described as "modulated farting", they stink but are worded to distract you from the stench of their non-answers and they of course come from an a**hole.

Re:It worked for the Army!

[internerdj]

I was wondering who used Twitter.

Re:It worked for the Army!

[jdfox]

No the Air Force listed Twitter as a troll that terrorists use.

There, fixed that for ya.

Re:It worked for the Army!

[suggsjc]

AM - Longer transmission distance
FM - Higher fidelity

I believe a decision like this is above my pay grade.

Re:It worked for the Army!

[Quiet_Desperation]

Well, no, not really. And it would never have been made public if not for the Federation of American Scientists who, for some reason, thought it was news and not a low level report by some intel community noob.

But thanks for being a vector for the propagation of yet another inaccurate meme. Without the tireless work of people like you we'd have a well informed populace.

Re:It worked for the Army!

anybody else noticed that Military Intelligence Battalion's acronym is M.I.B. ?

Re:It worked for the Army!

[Fulcrum+of+Evil]

Terrorists also use radios and dirtbikes - hope they don't ban those too...

Re:It worked for the Army!

[bluefoxlucid]

FailWhale is a weapon of mass destruction?

Re:It worked for the Army!

[couchslug]

"Or modulated farting, for that matter."

That's a traditional area clearing method in the workcenter and military vehicles, but we didn't usually communicate using it. "MRE Ham Slice + black coffee" can empty an office quite smartly!

Re:It worked for the Army!

[Enderandrew]

The Air Force hasn't banned the use of Twitter. They noted that terrorists have been using Twitter. Honestly, terrorist groups have been using cheap forms of communication on the internet, where as the United States DOD spends bank on internal communication systems. It seemingly didn't even occur to the DOD until recently to take the fight against Al Qaeda to the internet.

Re:It worked for the Army!

[dangitman]

Modulated farting? Oh my god, Michael Moore is a terrorist!

Re:It worked for the Army!

[caluml]

Or modulated farting, for that matter.

Amplitude or Frequency modulation?

Re:It worked for the Army!

[atraintocry]

I think the GP was referring to the /. account twitter. That guy's definitely a terrorist, and maybe a tool.

Good luck with that.

[solraith]

In Cyberspace, there are no rules.

Rule 35

[oojimaflib]

If you can imagine it, there's some government out to stop it being on the internet.

Re:Rule 35

[Z00L00K]

Not only that, but also ISP:s are out to cut down the openness of the internet in order to be able to sell just their own services at a high price.

Re:Rule 35

[Muckluck]

I thought rule 35 was, "If no porn is found at the moment, it will be made"

there's nothing wrong here

[circletimessquare]

for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet

and, if successful, watch it leave its military surroundings, be adapted by universities, then corporations, then the general public

kind of like the internet itself

somebody is going to do this at some point, considering the various shortcomings of our present dominant protocol suite

that it would be the military to do it first makes sense

Re:there's nothing wrong here

[moderatorrater]

I would have more faith in this endeavor if it were the NSA implementing it rather than the air force, although the air force is the second most likely agency/group to pull it off. From what I've seen and heard, the air force has a lot of technically skilled people in programming and hardware that would be able to pull this off.

Re:there's nothing wrong here

[Atriqus]

Better yet: the Air Force can contract out the work to the NSA.

Re:there's nothing wrong here

[Ethanol-fueled]

there is nothing laughable

But this is very laughable, as is this and this. Now imagine what we don't know about!

Re:there's nothing wrong here

[Random+BedHead+Ed]

If the NSA did it, it would have a back door. I'd rather have the Air Force do it and ask the NSA to try to crack it.

Re:there's nothing wrong here

[ThwartedEfforts]

for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet

They're doing it with IPv6, right?

Re:there's nothing wrong here

[Timothy+Brownawell]

there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol,

What's wrong with using SSH or TLS with pre-distributed keys?

But I'm not sure that's even what they're talking about here, it almost sounds like they want to kill the Internet's extensibility and anonymity for everyone else. Which is really quite different from just making up a new protocol for your own use.

Re:there's nothing wrong here

I would recommend to them to install IPv6, and disallow any IPv4! How many sites and botnets running on peoples home PC's could access them then? They would get at least several years worth of a break, until others finally started going to IPv6.

Re:there's nothing wrong here

[ChrisA90278]

"for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet"

Yes, All we have to do is look at history. The term "Internet". Meant a network that connected networks. Back when the term was coined networks did not use TCP/IP. "IP" was designed as "Internet Protocol" or literally the protocal to be used BETWEEN networks. Only later did almost all of those networks themselves begin to use TCP/IP internally.

So it is reasonable that the US Air Force could simply abandon the use of TCP/IP within the entire service and connect to the public Internet via a gateway. After all that is how everyone did it back in the 70's

There are a few things they might use that already exist and are already in use. They really need a network that is fully end to end encrypted and has strong authentication. TCP/IP is not that.

Re:there's nothing wrong here

[ipb]

Then when the NSA reports that they can't crack it would you believe them?

Re:there's nothing wrong here

[plasmacutter]

for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet

and, if successful, watch it leave its military surroundings, be adapted by universities, then corporations, then the general public

The general public will never adopt a protocol which removes the freedom of the internet from the internet at the behest of government and corporate fatcats.

Yes, the competence of joe sixpack user is quite negligible, but joe sixpack does not develop and launch public apps, nor does joe sixpack fuel early adoption.

real, technical users understand what those new "subnets" mean, and will not touch them with a 10 ft pole, unless of course it is to design a tool to tap into those subnets and convert them to normal, free, internet packets with impunity. (hint: subnet may be locked down, but internet still allows you to spoof source!)

This protocol may have its place among the upper echelons of big business and the military, but if a large enough subset of the public touches it, it will be compromised and destroyed.

Re:there's nothing wrong here

[maxume]

Nothing, but you would have to rename them SUPER-SSH and SUPER-TLS.

Re:there's nothing wrong here

[stephanruby]

From what I've seen and heard, the air force has a lot of technically skilled people in programming and hardware that would be able to pull this off.

Yes, but those technically skilled people are obviously not high up in the chain of command. I don't care what kind of magical powers you think were bestowed upon those highly skilled people, but an unclear mission, unlimited scope creep, and a clueless and an unsupportive chain of command, are more than enough to sabotage any effort even by the greatest uber-genius-hacker-wizards you may have ever seen played in Hollywood action-packed movies.

Re:there's nothing wrong here

[stephanruby]

From what I've seen and heard, the air force has a lot of technically skilled people in programming and hardware that would be able to pull this off.

Pull what off? Keeping the computers on their planes secure? Keeping their own communication lines secure? Keeping their own web sites up? What's their end objective here? How will you ever know if this is something that they actually succeed in?

How about giving this task to the Marines? You don't ever hear anyone hacking into their computers.

This sounds to me like they're trying to create another unlimited mandate, with an unclear objective and an unlimited budget, like the war on terror or the war on drugs, which will only make the Air Force a bigger cybertarget because that will only piss everyone off. And personally, it just pisses me off to no end that the Air Force is attempting this money-power-grab on my hard earned cash, and that they will probably fuck things up on the internet and impose stupid rules for the rest of us. Airplanes, black planes, and satellites are cool enough, they should just stick to that.

Re:there's nothing wrong here

[Beezlebub33]

for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet

and, if successful, watch it leave its military surroundings, be adapted by universities, then corporations, then the general public

The general public will never adopt a protocol which removes the freedom of the internet from the internet at the behest of government and corporate fatcats.

Which general public? The Chinese general public have already done so, and didn't have much choice about it. A number of Muslim countries have restrictions on what parts of the internet can be viewed (i.e. they insult Islam) so that general public has lost the freedom of the internet. In Germany and other parts of Europe, you can't buy certain items on the internet because they have certain symbols on them. It really looks like Australia and the U.K. are instituting limits that take away parts of the internet.

Sites block people from certain addresses, and countries block things like the Pirate Bay.

The general public has already lost much of the freedom of the internet. Further, 99% of the general public has no idea what a protocol is, and won't notice when it changes. Face it, we've already lost.

Internet + secure

[buchner.johannes]

The only useful and meaningful thing they could do, is implement a secure internet protocol (i.e. with the missing session and presentation layers) and provide a good interface to the internet. Then the inherited insecurity of network protocols could be avoided from the beginning.

If it is done right, has advantages and is promoted and laid open to others, it might catch on and replace parts of the internet step by step.
Will probably not be faster than the IPv6 transition, but hey, they made the internet, why not make another one ;-)

Laws can not reach internet phenomena, they are too slow, and when they do, it doesn't matter anymore.

Re:Internet + secure

[buchner.johannes]

After reading the article, e.g. quoting

Enabling Air Force servers to evade or dodge electronic attacks, somehow.

Its funny how they think so much in materials entering materials when talking about a electronic/information tech issue. Like the server could jump to the side when it sees a malicious packet coming ...

Re:Internet + secure

[starfishsystems]

I've heard the argument that the issue has to be addressed not principally at the session and presentation layers but in device authentication at Layer 2.

Physical identity is not the only thing to establish, and you're right that end-to-end security has to be implemented at higher layers. But really hardened communications also doesn't have the luxury of treating the lower layers as transparent.

Reprise of the evil bit.

http://en.wikipedia.org/wiki/Evil_bit

Penny Arcade

[Sasayaki]

As usual, Penny Arcade predicted the future. (http://www.penny-arcade.com/comic/2007/07/16/)

Technician: Our webs are down, sir. We can't log in!

Agent: Which webs?

Technician: All of them.

Technician: They've penetrated our code walls. They're stealing the Internet!

Agent: We'll need to hack all IPs simultaneously.

Re:Penny Arcade

Here's a hint for future postings.
Enclosing your URL in parentheses prevents Slashdot from creating an automatic hyperlink. This is annoying, as it means that I have to copy and paste rather than just clicking. It's the difference between:
http://www.penny-arcade.com/comic/2007/07/16/
and
(http://www.penny-arcade.com/comic/2007/07/16/)
on the screen.

In general, it's a bad idea anyway because parentheses are valid in a URL. Parsers which try to automatically hyperlink URLs may get confused by the trailing ')'. For this same reason, despite the rules of English suggesting it, you should avoid punctuation immediately following a URL.

Re:Penny Arcade

[Sepodati]

Or just get Text Link for Firefox and you can just double click on the URL to load it. :)

Re:Penny Arcade

[Just+Some+Guy]

Or you could type them like <URL:http://example.com/>, which renders like http://example.com/ and is a standard.

Re:Penny Arcade

Thanks for the tip! Maybe there should be a formatting FAQ-link for new posters above every news post or at the floating slider.

Re:Penny Arcade

[Lobster+Quadrille]

I've always used html-style hyperlinks, which also work fine.

Re:Penny Arcade

[Just+Some+Guy]

I've always used html-style hyperlinks, which also work fine.

Same here, unless I specifically want to give out the URL for some reason.

Re:Penny Arcade

[maxume]

Plain Text Links adds the ability/option to open the link in a new tab, and uses a context menu entry instead of a double click:

http://ted.mielczarek.org/code/mozilla/textlink/

Re:Penny Arcade

[Jesus_666]

That's why I always type out the <a> tag. That way I can be certain Slashdot won't mess up my links no matter what I put behind them.

Re:Penny Arcade

[Sasayaki]

Thank you, parent and parent of parent. Will do for the future.

Re:Penny Arcade

[mdielmann]

I prefer <a href></a>, which renders like some shit I made up, primarily because it allows me to put shit I made up between the tags. Being readable is a secondary benefit.

prevent IP spoofing - save the world

[iceco2]

actually there is a very simple measure ISPs can take to prevent many attacks.
and that is to prevent their customers from spoofing the source IP in their IP packets.
If governments (starting with the US) would pressure(force by law) ISPs to do this, it can be done with out much technological difficulties.
This anti-spoofing measure can be implemented on many levels, so that even if a certain ISP does not co-operate other ISPs could prevent its customers from spoofing any IP which does not belong to the problematic ISP. This in itself helps protect against IP spoofing.

Without IP spoofing attackers are more easily identified and blocked.

Re:prevent IP spoofing - save the world

[Fumus]

And this will stop dynamic IP based attacks how?

Re:prevent IP spoofing - save the world

[Zenaku]

It has been a long time since my network engineering classes, so do regard this as a genuine question from someone who simply doesn't know, and correct my impression if I am mistaken about the basics.

But I'm not clear on how exactly an ISP could prevent its customers from spoofing the source address in their packets. I thought the inherent security flaw in the IP protocol was the fact that you pretty much have to take each packets word for where it came from. What alternate mechanism do you see them using to verify the "real" source of a given packet?

It is not like they have a single dedicated physical line from their router to each customer's house, where traffic coming in on a given physical port can only have come from one place. (But hey, if they did, I bet my bandwidth would be a lot better)!

Re:prevent IP spoofing - save the world

[mshannon78660]

At least on Cisco routers (disclaimer: I used to work for Cisco), there is a command you can use. ip verify unicast reverse-path will cause the router to check the routing table for a path to the source address, and drop the packet if it came in on an interface which is not a candidate route for that address. You don't want to use this in the core of your network, where you may have asymmetric routing, but you can certainly use it on the edges. If an ISP does this uniformly on interface that connect to customers, they can prevent any of their customers from spoofing. Depending on the size of the ISP, they may also be able to implement it on their peer links, and prevent spoofed packets from entering their network from other parts of the internet.

Re:prevent IP spoofing - save the world

[MikeBabcock]

You've just eliminated IP spoofing by legitimate users of American ISPs. You've done nothing about the rest of the Internet. Besides, botnets don't require IP spoofing; they've already got control of random IP addresses to attack from.

Re:prevent IP spoofing - save the world

[gbjbaanb]

all dynamic IPs are owned by an ISP, and they log when you are using it (otherwise, how would they not bill you?)(and lets face it, to any ISP, military network security comes a long way down the list of priorities with 'bill you' right there at the top).

So, given the time of hack and the dynamic IP, the ISP knows who it was.

Re:prevent IP spoofing - save the world

[ACMENEWSLLC]

But then your ISP could not send out spoofed RST packets out to kill your P2P traffic. Or would they be allowed an exception?

Re:prevent IP spoofing - save the world

[RayMarron]

AKA "Egress filtering".

Re:prevent IP spoofing - save the world

[silanea]

Who in this godless world has modded this insightful? IP addresses, MAC addresses, host names, user agents - NEVER trust any information which comes from an untrustworthy source or has travelled along an untrustworthy path. Plain and simple. If you don't trust it, kick it out. If you trust it, check it out in detail and see whether your trust was warranted.

Your suggestion is akin to enforcing valid return addresses on letter bombs.

Besides, you did hear about bot nets, did you? You know, those pesky things that keep stuffing your e-mail box with all those nice ads for penis enlargement and cheap medication? If not: welcome to life!

Re:prevent IP spoofing - save the world

[Zenaku]

Thanks for the informative response.

But would there not still be many customers for whom the interface is a candidate route? I understand that they could use that to discard packets from IP addresses that are obviously spoofed, but there still isn't a one-to-one relationship between a packet's true source and the interface it arrives on. There could be hundreds of IP addresses to stick in the packet header that would still pass muster as being plausible, right?

I don't have any trouble understanding that measures like these can reduce the scope of the problem, but unless I am misunderstanding something at a very basic level, it is not possible to truly verify that an IP packet came from where it says it came from, as the post I was responding to seemed to imply. Certainly it isn't trivial, at least.

Or am I, in fact, misunderstanding something at a very basic level?

Re:prevent IP spoofing - save the world

[AaronW]

It's actually not difficult. Turn on reverse path forwarding and packets with source addresses that don't match their subnets will be dropped. Furthermore, they can match a source IP with the MAC address assigned via DHCP. Any halfway decent router should support RPF at least, and most should support access control lists.

With DSL and dial-up, RPF is even easier since there is usually only one IP address per connection. With cable modems it can be a bit more complex, but they can also filter in the modems themselves and I'm sure the head end can also do filtering.

Re:prevent IP spoofing - save the world

[jgs]

Start by taking a look at RFC 2827/BCP 38, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing."

Sadly, ten years since publication we're still not there, which would seem to suggest (GP's wishful thinking notwithstanding) that you not hold your breath.

Re:prevent IP spoofing - save the world

[iceco2]

Large botnets would still be a problem,
but small botnets(hundreds) still need IP spoofing to be harmful, because once I recognize I am under attack I can block several hundred IPs at the router/firewall and not overload my servers.
large botnets will cause traffic congestion and there is little you can do about them except identify infected machines and notify owners.
As for foreign ISPs I believe America should lead the way and lobby(/pressure/force) other countries to do the same.

Re:prevent IP spoofing - save the world

[Fumus]

How does this differ from spoofing IPs? I thought one can't actually connect to another computer without leaving a trace, one way or the other.

Re:prevent IP spoofing - save the world

[jschottm]

Without IP spoofing attackers are more easily identified and blocked.

What you're suggesting is only really useful against blocking some DoS attacks. Any serious attempt to hack a system can't be be done via spoofing unless you happen to have owned the switches in between the spoofing victim and the attack site. The exception would be if you can do the attack within the first SYN packet or via UDP. Otherwise you just get this:

1.1.1.1 (your real IP) sends a spoofed SYN packet labeled as 2.2.2.2 to victim 3.3.3.3
3.3.3.3 sends a SYN/ACK to 2.2.2.2
2.2.2.2 receives the packet (unless you also control the switches), doesn't know why it's getting an SYN/ACK and sends an RST
3.3.3.3 receives the RST and that's the end of that connection

ISPs should do reasonable restrictions on origination IP addresses but it won't address serious attacks.

Re:prevent IP spoofing - save the world

[jroysdon]

If your ISP filters the traffic it receives from you to only be IPs that it has assigned you, you can spoof all day long and it's just going to get dropped at your ISP's GW.

Once you cannot spoof traffic, then you can always point a finger. ISPs are required to keep logs, so you can always know the end-customer (but with open wireless APs and such, the customer can claim innocent, but perhaps could still get in trouble for negligence).

If all ISPs charge metered bandwidth amounts, the amount of open APs will drop soon as well.

Re:prevent IP spoofing - save the world

[jroysdon]

While cable and wireless providers use shared media, DSL, T1, fiber providers do have a physical connection to each customer.

Cable and wireless providers filter by MAC address (granted, you could fake your neighbors' MAC addresses, but typically the cable modem or wireless device is controlled by your ISP and you're locked out of it).

Either way, the ISP should be filtering and only allowing the IP addresses it "owns" (assigned by ARIN, RIPE, etc.) to come back from customers. The exception to this is when you've got a BGP multi-homed situation, but even then the ISP should only allow the IPs that you've been assigned by ARIN, RIPE, etc. or your other ISP, and not just any IP.

For this reason, even if you had a cable and dsl connection at home, you cannot just use one public IP on both connections (the old days you could, but it would just come back via one path).

The problem of course comes at the big peering locations, as they ISPs cannot easily filter between each other. Each has to trust that the other side is filtering properly.

However, this would still solve things within a single well-connected country (such as the US). No US traffic should really ever leave and come back in. Because of this, and if all ISPs were required to filter traffic from their customers by law, then you could trust that all US traffic came from where it said it was, and that you could prosecute attacks (at a minimum for negligence of having an unpatched PC). All non-US netblocks you could filter and drop or have more stringent rules.

For the longest time, I just dropped all traffic from netblocks from many uncivilized countries (CN, etc.). 99% of hacking attempts stopped against my servers. The other 1% responded to abuse@ emails. Now I use other filtering means (3 strikes and your netblock is out and I share the info with others who share the info with me, all automated, all very fast, via DenyHosts).

Pure Genius

[LeotheQuick]

"If you're not blue, you can't come in."

Using color codes for internet traffic - brilliant!

"Hanson is also interested in finding ways to dodge electronic attacks"

Do a barrel roll!

Re:Pure Genius

[Todd+Knarr]

His "blue" comment makes sense. It's how I run my wireless network: unencrypted at the 802.11a level, but the physical connection terminates at the gateway machine and the only traffic allowed in through that interface is that needed to negotiate and maintain an IPSec VPN connection. The IPSec server, meanwhile, will only negotiate a connection with someone presenting a certificate signed by my CA cert. If I don't know your machine, you don't get access. If you need access, you talk to me and I'll get you a certificate you can use.

Yes, I could enable security at the physical level. I prefer to drive home the point that the wireless portion is untrusted, potentially compromised at any and all times, and you configure your machine to live in that environment safely right from the start.

all that bork barrel spending

[Tyrannicsupremacy]

and the us air force is no match for a mere 100,000,000 chinese children being forced to hack them using computers that probably still have turbo buttons?

The best method of defense

[root777]

From the article "Enabling Air Force servers to evade or dodge electronic attacks, somehow" Like they say ... the most secure computer is the one that is unplugged.

good concepts, bad headline

[Tom]

If you actually RTFA, you see that they aren't bonkers. Quite to the contrary. See this quote, for example:

"[M]ost threats should be made irrelevant by eliminating vulnerabilities beforehand by either moving them 'out of band' (i.e., making them technically or physically inaccessible to the adversary), or 'designing them out' completely," the request for proposals adds.

Yeah, absolutely. Remember that this is the military we're talking about. These are the guys who are the "customers" of stuff like the NSA's formally verifiable code project. These are the guys who still use 10 year old computers because those are hardened and tested to military standards. If they upgrade to 5 year old computers, the gain in speed will offset pretty much any performance penalty that security methods that don't fly in the commercial world because of said performance penalties, could cause.

These are also the guys who do a ton of things badly.

So it'll be interesting to watch.

Re:good concepts, bad headline

[negRo_slim]

These are the guys who still use 10 year old computers because those are hardened and tested to military standards.

I tried to verify that claim via Google and the best thing I could find was the exact opposite of that statement:

Panasonic Computer Solution Companyâ(TM)s hardware providers help develop cutting-edge technology to address rapidly growing needs, including data storage, power backup, in-vehicle mounting, mobile display, deployable kits and rugged add-ons.

It's just a marketing page for sure... But where exactly do you suppose they use 10 year old tech other than in custom built kit for physical systems.

Re:good concepts, bad headline

[jandrese]

Really, the armed forces is a lot like any other large organization. If a piece of hardware has to be custom modified for some particular task (like something designed to go in a tank and manage fire control or something), then that piece of hardware will be very expensive and will only be upgraded when the needs are compelling (thus will tend to be 5-10 years old or more on average). For vehicles designed with just a laptop attachment point, then the upgrade cycle will be much faster because the procurement office will buy the available model and use that. The upgrade cycle may not even be so bad because soldiers are famously hard on their equipment and even hardened laptops can take only so much abuse.

Re:good concepts, bad headline

[Tom]

I didn't say they use only 10 year old machines.

However, much of the stuff that's used not in the office but in the field is pretty old, because reliability counts for more than speed or features. That's not just computers. The standard-issue guns are from when?

Rewrite the rules of the Air Force

Instead of letting them try to push us around, we the geeks can turn the tables and re-write government based on open source philosophy.

The plan for transition is practical, and folks like those running the Air Force will never see it coming until it is far too late for them to do anything about it.

one rule cannot change

[qw0ntum]

and that rule is rule 34.

solution ..

[rs232]

* Making hostile traffic inoperable on Air Force networks.

* Locating and identifying once-anonymous hackers.

* Enabling Air Force servers to evade or dodge electronic attacks, somehow.

Use PKI over VPN to carry all Air Force traffic and reject everything else. The VPN solution would run on customized hardened nodes spread across the globe. These would provide multiple redundant paths and the ability to reject 'electronic attacks', 'hostile traffic' and 'anonymous hackers' ...

Re:solution ..

[Firethorn]

Use PKI over VPN to carry all Air Force traffic and reject everything else. The VPN solution would run on customized hardened nodes spread across the globe. These would provide multiple redundant paths and the ability to reject 'electronic attacks', 'hostile traffic' and 'anonymous hackers' ...

Already done in many areas, and spreading. You still have the problem of how to run www.af.mil in a manner open to the public, as well as the public sites for many military bases, while still securing them.

Still, wouldn't you LIKE to find out who's sending you spam/phishing attacks/etc... so you can, if nothing else, impolitely ask them to stop at 0100 in the morning?

Re:solution ..

[jandrese]

Yes, I'm sure every potential recruit would just love to have to install a VPN client to go check out af.mil.

Re:solution ..

[tlambert]

Still, wouldn't you LIKE to find out who's sending you spam/phishing attacks/etc... so you can, if nothing else, impolitely ask them to stop at 0100 in the morning?

Hm. Probably not as much as I'd like to prevent some nut-job on the Internet taking offense to something I say online in a political forum and making me his personal projects because I no longer have deniability for the information about my location or who I am because some idiot wanted to build non-repudiation into IP packets. You might as well start implanting RFIDs, if you want non-repudiation everywhere, and just make keyboards not work without an RFID in range. I think Google does a pretty good job of filtering SPAM; maybe you need a different email provider?

-- Terry

A spokesman for the Air-Force said,

[Phizzle]

"Hey its just a series of tubes, how hard can it be?!"

The only rule I remember is

[Cajun+Hell]

Wait until after business hours before you start that long FTP transfer. Anything over a hundred kilobytes can wait until night.

Attack and defend?

[evanbd]

So they want to simultaneously change the underlying network fabric in order to make their systems unattackable, and also be able to successfully attack any other system at any time? Does no one there see a disconnect between these goals?

Re:Attack and defend?

[Firethorn]

Does no one there see a disconnect between these goals?

Not really; Standard military thinking. They want their guys alive and equipment intact; the enemy's troops dead and their equipment broken. In the course of that, they want all of our information unknown to the enemy, but to know all of their enemy's information. They want super-sonic stealth UAVs, but not for their enemies to have them.

In this case, consider the position of legitamcy. As the USAF is a legitimate organization in the US government, under such a system they'd enjoy greater powers by default than Joe Hacker/script kiddie. Packets coming from less secure areas will be marked as such and can be treated to greater scrutiney/restrictions.

Re:Attack and defend?

[kpainter]

Does no one there see a disconnect between these goals?

Square peg, round hole. What's the problem?

Re:Attack and defend?

[khallow]

So they want to simultaneously change the underlying network fabric in order to make their systems unattackable, and also be able to successfully attack any other system at any time? Does no one there see a disconnect between these goals?

No, I don't. In fact, they seem quite compatible as goals. Chinese are doing the same thing too.

Re:Attack and defend?

[starfishsystems]

What makes you assume that they need to use the same systems to perform secure operations and as points of attack over the public internet?

The Rules are Simple

[dmomo]

First Rule: Don't talk about Internet
Second Rule: Don't talk about Internet
Third Rule: ???
Fourth Rule: Profit

Re:The Rules are Simple

[whopub]

First Rule: Don't talk about Internet
Second Rule: Don't talk about Internet
Third Rule: ???
Fourth Rule: Profit

Stop teasing people!

Here's the complete list:

1st rule: don't talk about the internet
2nd rule: don't talk about the internet
3rd rule: get a real job
4th rule: profit from your non-webdesign-related job

Even if you don't really profit that much you'll end up eating more often.

Air Force Po'grammers!!

[TheCybernator]

by doing nothing less than the rewriting the 'laws of cyberspace.'

who will do the rewriting?

Air Force Po'grammers? :)

Re:Air Force Po'grammers!!

[atraintocry]

They'll outsource it to India. India won't be able to use their knowledge of the code to spy on us, however, because there will be language in the NDA forbidding this.

Re:Air Force Po'grammers!!

[atraintocry]

Not at all. I was trying to make a joke about creating a contract that essentially ask a foreign country nicely "don't spy on us" while having them write code for your communications infrastructure. No disrespect meant.

I think the rules will be rewritten, someday

[FourthAge]

Most of the article seems to be sensible; improve the security of internal air force networks, etc. Can't argue with that. But here:

"You can control your own networks, rewrite your own laws," says Rick Wesson, CEO of the network security firm Support Intelligence. "You can't rewrite everybody else's."

Of course, the Air Force does have a way to rewrite the rules of the entire Internet, although it won't be free. They can get the US government to mandate a change for public networks in the US. That change might affect other countries, who would need to adopt the new standard in order to stay compatible.

A change that I'm expecting is the forced adoption of security certificates. Someday, all Internet traffic will be encrypted, and routers will not permit traffic unless it has been signed by a certificate that has, in turn, been approved by an authority. It's not hard to imagine that this would be proposed as a solution to stop crackers, pirates, paedophiles, spammers, and (of course) terrorists.

To some extent, it might even work! Spam would be harder, so would piracy. Certainly, the days of mass piracy on TPB would be over: online piracy would move to VPNs, which would have to be small, as large ones would be easily detected by traffic analysis. Spammers and crackers would need to steal valid certificates, which could be difficult, as users would most likely rely on their TPM to sign packets for them. The real disadvantage is that Internet users would not be anonymous, which has many unpleasant implications.

Re:I think the rules will be rewritten, someday

[argent]

All that will mean is that botnets will be all the more valuable, as cutouts for anonymous traffic.

Re:I think the rules will be rewritten, someday

[atraintocry]

That change might affect other countries, who would need to adopt the new standard in order to stay compatible.

They might route around us, too. If we're talking about US national security and who gets to spy on whom, it's better that we keep as much traffic as possible going through backbone, and having root servers on American soil. Instead of essentially blacklisting ourselves :D

Also, it'd be pretty bad for American businesses.

fools and bigger fools

[cellocgw]

I'm not sure which old story to refer to here.
The guys who cracked PlayStation3 in a couple weeks?
The various top DoD and White House officials who took classified computers home to play with?
The various spooks and spook wannabes who dumped sensitive stuff into voicemail boxes, or Yahoo mail, or whatever it was, off their crackberries?

Security remains only as good as the control over the folks who have access.
"Now, before leaving the controlled area for the day, please look into this bright light..."

I'm confused and skeptical.

[fuzzyfuzzyfungus]

I have no doubt that the Air Force has the resources to, with suitable leadership and direction, implement seriously secure systems. They have serious secrets to protect, and don't need to fall for the "But $HORRIBLY_INSECURE_SOMETHING is a best of breed industry standard(tm)!" stuff.

That said, though, their "Rewrite the laws of Cyberspace" idea gets a giant WTF. With a lot of security improvements, the task is difficult; but the way forward is relatively clear(ie using PKI for everything, auditing the hell out of stuff, etc. are time consuming and nontrivial; but well understood). Ideas like "dodging rather than blocking attacks" just seem meaningless. The whole plan seems to be:
1. Heretofore unimagined security magic.
2. Air Force Computer are secure.(profit)

Maybe they actually have heretofore unimagined security magic; but they don't want to talk about it; but the whole thing seems dubious.

Re:You know, they could...

[exabrial]

And if you actually believe a politician is going to do anything he says, you are an idiot.

Replace TCP/IP

[hey]

Its not so crazy that they would replace TCP/IP with something else fairly similar for their internal use.

Re:Replace TCP/IP

[mebrahim]

TCP\IP?

Windows

[ezwip]

Aren't we sentencing some guy for logging into Windows computers from over in Europe that had no pass and ran the Windows Operating System? Maybe we should stop playing all these games and have Microsoft rebuild their operating system correctly as not to have hundreds of thousands of zombie computers online. How many of those Zombies run Apple or Linux? What's that you say less then 1%, or perhaps the answer is none at all? The government built the internet but can't secure it? We need 500 different anti virus programs because one specific operating system is incompetent at security? Send the users to jail you say because we can't stop kids from ignoring laws? Who woulda thunk it?

Re:Windows

[slashsun]

Just wait until Linux gets 30% of the OS market share. Then there will be rogue bash scripts and kernel modules running around the internet with rogue ubuntu repositories and all that stuff. And yeah, it's a lot harder to infect a *nix, but leave it to the hackers and they'll manage to put something together...

Re:Windows

[ezwip]

Windows is the problem in regards to botnets. I think everyone arounds here knows this. If I get bored I can have a rather capable zombie network of my own by the end of the week just downloading tools off p2p or visiting a few IRC channels. It wouldn't even require any programming on my own behalf, and that's just messed up. It's been messed up for a very long time. I'm glad they are finally addressing it and I honestly think Microsoft should share some of this blame. I've never agreed with them passing the buck to 3rd party software to protect an operating system they sold a user either. It's bunk and they know it. Let's go ahead and tax them for this and repay some of our national debt. How much do they have anyways?

Blue is military-speak for friendly

[HighOrbit]

"Blue" in the military means "friendly". It comes from military maps, where unit symbols depicted as color blue are friendly forces and unit symbols in red are enemy forces. For example, if you look in just about any book about the American Civil War, you will alway see by convention that United States forces are blue and Confederate forces red. I belive this convention has been adopted by NATO.

So when he says "If you're not blue, you can't come in.", I suppose he means that they will have some sort of positive identification to determine who the requester is and if a connection is accepted or refused.

In other news...

[theturtlemoves]

Newton, sick of all those apples falling on his head, is planning to rewrite the laws of physics to make gravitation a repulsive force.

motives and locations unclear?

[DragonTHC]

maybe they want to stop skynet from being built.

Re:motives and locations unclear?

[DeusExMach]

Too late.

Shouldn't the IPs all be in the same block?

[HighOrbit]

I would expect that all of an ISP's addresses should be in the block(s) they received from ICANN. If something on their sub-net is generating headers with foreign addresses, then they ought not to route it.

Re:Shouldn't the IPs all be in the same block?

[lysergic.acid]

that's still a pretty big IP address block for the attacker to choose from. and if they wanted to conceal their identity even further, they'd likely just use an anonymous proxy or tunnel through a zombie PC or other compromised hosts.

just as in real life, you cannot eliminate anonymity on the internet completely. you can tag & chip every individual from birth, but someone can still walk up to a wall with a can of spray paint and leave an anonymous message.

Re:Shouldn't the IPs all be in the same block?

[HighOrbit]

You're right about the proxies or zombies being the real problem. IP spoofing is of limited utility anyway because it is a one way deal. A spoofer can send packets but nothing gets routed back to them, so its really only good for DOS like a syn-flood or one way messaging like UDP.

However, depending on where the filtering takes place, I disagree about the size of the block. If the filtering is implemented at a low-enough level (like the neigborhood dsl exchange), then the block size is fairly small. It it is at the tier-1 level, then you are talking millions of addresses.

Low Bid Wins

[mfh]

Helpful Hint for the Air Force: Pay your private sector computer engineers more and you'll get the innovation you're looking for.

That doesn't work because the low bid always wins. What would be better would be if the government shifted from a bid system to a fixed bid system. ie: This job is for $50k, this is what we want, now tell us how you are better than the other guys. That would be 100x more effective, but also 100x more time consuming because then they would have to READ EVERY PROPOSAL, not just the two lowest ones.

Re:Low Bid Wins

[Leebert]

That doesn't work because the low bid always wins.

That's not at all true. Quite often the low bid isn't the winner of a government contract, many of them are best value.

questions over hot coffee?

of course, what if the van had no doors to open for the question to be asked?!? would they go down a chim chiminey chim chim charoo? i grow wheatgrass on my van roof, and no passenger doors and no cargo doors were made. Only have the front cab window and a Sun roof with a grill/cremation furnace underneath. do your worst, USAIRSDMCFFRIFAAFBCIABATFECES!

Re:questions over hot coffee?

[Austerity+Empowers]

You may find doors created where none previously existed. Insurance may not cover it.

Re:questions over hot coffee?

[Firethorn]

I'm picturing that scene in True Lies where they rip the end of the trailer off... :)

... with CONS/TP4 and CLNP/TP0

[argent]

They could always use CONS over TP4 and CLNP over TP0 like those Eurocommies wanted to back in the '80s.

I knew my OpenNET/DECnet skillz would come in handy again. Just let me at them AUI connectors...

Someone tell them the Evil Bit was an April Fool

[D.+Taylor]

Some of the rewrites being considered:

• Making hostile traffic inoperable on Air Force networks.

Why, no one has ever thought of that before..

achilles heel

[Eil]

The Air Force excels at just about everything they do. But for the past decade or two, their Achilles Heel has been computing technology because it moves faster than anything else they're used to.

The Air Force is a very old organization and although they can generally respond to most anything quickly, overall change tends to happen very very slowly. Not long after I enlisted in 1998, there were rumors that the uniform was going to change from the classic camouflage pattern to a kind of pixellated-marble look. Based on what recent photos I can find, they're still only about halfway through getting the new uniform out to everyone.

Also, I know for a fact we're still flying some planes with vacuum tubes in the autopilot computer even though upgrades for all airframes have been around since at least the 80's. Most of the technical manuals that I used to repair avionics were between 25-40 years old and still had technical errors in them. (We weren't able to make corrections to technical manuals any more than you'd be allowed to make pen-and-ink corrections to a federal law.)

Computer use only became common in most squadrons about 10 years ago and even then, they were not really used for the correct purposes. Some captain would get the bright idea that somebody should use a spreadsheet program instead of a paper form for some menial task, force everybody to use it, ignore the pleas from his subordinates that it tripled the effort required to perform the task, and then make up some elaborate report for his commander about how he just saved the Air Force $358,000.

While I was in the service, the Air Force never really caught on that you had to hire and train smart people who know about computers if you wanted to make the most of them. Some squadrons took young administrative airman fresh out of tech school and sat them down in front of the admin console and said, "All right, it's your job now to make sure this doesn't break." This is very uncharacteristic of the Air Force as you normally need at least several weeks of training before you can be trusted to mop the floor correctly. But when a commander has something that needs to be done and he doesn't know how to do it, it's not at all uncommon for him to assign someone to it while implying that they should be rather quiet about it.

Others units farmed out network administration to government contractors like Lockheed Martin which wasn't any better because most of their employees are old military retirees who thought they were going to get paid more as a civilian for doing the same thing they did in the military and ended up being wrong on both counts. (Got seven stripes and an MSCE? Then they're hiring!)

I guess this long-winded point it that it doesn't surprise me that high-level Air Force officers are saying, "Hey, who says we can't control this thing? We're the Air Force, after all." They're used to having fine-grained control over everything in their view and a high degree of security surrounding it.

"Defensive operations are constantly playing 'catch up' to an ever-increasing onslaught of attacks that seem to always stay one step ahead," says the Air Force Research Laboratory's "Integrated Cyber Defense" request for proposals. "In order to tip the balance in favor of the defender, we must develop a strategic approach to cyber defense that transcends the day to day reactive operations."

In other words, the Air Force is still nowhere near where they need to be in terms of network security. The only encouraging part of this is that they finally realize it.

Re:achilles heel

The Air Force is a very old organization

What? The US Air Force is one of the youngest Air Forces that exist, introduced as recent as 1947.
Nowhere near enough time for sodomy to become a tradition.

Re:achilles heel

[lunatic1969]

Years ago, some worm hit the net whose name seems to be evading me at the moment. I had sent an email to a friend of mine in the Air Force. The email didn't get through and was bounced back to me. The Air Force had apparently disabled email temporarily, but they did so in such a way that my one email continuously and non-stop produced replies bouncing back over the course of the entire weekend. Since it was a weekend I wasn't able to get in touch with anybody to correct this. I set my computer up to fetch my mail every thirty seconds or so and hoped for the best. Eventually come the next business day I received a response from some admin somewhere advising me the problem had been fixed. I thanked them, and told him since I thought I'd earned the right to be a bit bent out of shape, I advised that next time they shut down a system, they might wish to do it /properly/ because while I didn't know what the system was doing besides handling mail, I'm sure that they didn't want it to come crashing down under the weight of my responses if I chose to just start bouncing everything they sent run on back to them. Their response was for the CO to call my friend into his office. The CO asked if I was a threat and my friend said something along the lines of, "No sir. If he'd wanted the system to come down, it would have already been done." To this day, I don't send email to .mil domains.

Re:achilles heel

[DeusExMach]

When did you get out? INFOSEC, COMSEC, and just general OPSEC were defined fairly well by about 2 years ago. While I agree that not everyone knew WHY we had such stringent regulations, the Comm Squadron guys I worked with had a fairly good grip on the underlying protocols. In fact, just working in the same general office area near them is how I wound up with my current IT job.

Not a lot to do in Flight Admin, so I wound up helping reformat old PC's and learning Active Directory, since it sort of tied into my job, anyway.

Re:achilles heel

[fjo3]

I hate to be nitpicky, but I had to correct you. "The Air Force is a very old organization" http://en.wikipedia.org/wiki/United_States_Air_Force "...the USAF was formed as a separate branch of the military on September 18, 1947.[2] It was the last branch of the U.S. military to be formed."

Re:achilles heel

[Eil]

I was an Airman, trust me, I'm well aware of Air Force history. :)

I meant "old" in terms of "older than most U.S. corporations" which is the kind of organization that most Slashdotters would be familiar with.

Tag this unplugyourmodem

[Kepesk]

Don't like hacker attacks? Unplug your modem! Wait, does anyone still remember modems?

Re:Tag this unplugyourmodem

[Shotgun]

I read /. through a 9600baud modem, you insensitive clod!!

Re:In soviet Russia...

That sounds like a noble cause. It surely beats watching Sally Struthers blather on about how we have to help feed them.

Jurisdiction...

[LinuxGeek]

The AF can deal with someone in a nearby van, but not easily deal with someone anonymously using a free wifi connection in Europe that is bounced through 5 different servers. Even if they were able to completely track an attacker, how do they deal with multiple international jurisdictions?

Re:Jurisdiction...

[lordsid]

They've already said they are willing to bomb the shit out any threat to their network.

Re:Jurisdiction...

[CyberLord+Seven]

That's what the CIA, NSA, DIA, USIA, and NASA (Frances Gary Powers), are for.

Re:Jurisdiction...

[lysergic.acid]

rewrite international law? i mean, it's about as practical/realistic as rewriting the rules of the internet to give yourself the sole advantage in cyberspace.

aside from the impossibility of rewriting the rules of other people's networks and eradicating internet anonymity, what they're asking for is basically to change networking protocols to give them abilities that they want to deny others--how do you create a networking protocol that allows you to trace any packet back to its sender, but allows you to retain the ability to spoof your own attacks?

Re:Jurisdiction...

[interstellar_donkey]

Right. And some harsh realities have to be realized by the AF or any DOD department.

1) The Internet does not belong to America. Period. It is a global network of good guys and bad guys, and the rest of the world won't, nor should they abide by our rules.

2) The Internet does not belong to the military. It has far more to do with domestic and international trade and information than it does to various arms of the DOD.

If the USAF wants a secure network, then they should create their own isolated network completely divorced from the civilian Internet. I'm sorry if that means generals can't look at porn sites from their office, but that's the way things go.

Re:Jurisdiction...

[LarryRiedel]

they should create their own isolated network completely divorced from the civilian Internet

Sort of like the SIPRNet?

Larry

Re:Jurisdiction...

[von_rick]

Would be fun if the threat turns out to be the NSA.

Re:Jurisdiction...

[Amigori]

As a former sys admin for the USAF, I think you should read up on SIPRNET and JWICS, 2 such secure networks.

Re:Jurisdiction...

[QuantumRiff]

Cmon, we built roads for the military (why else would there be an interstate highway in hawaii) and then took them over for trade purposes. We built huge ports for the military, and now use them for trade purposes. We designed planes and then jets for the military, now used for trade purposes. What else do those guys still have left? We keep giving all of our military advances to the public to use. (oh, forgot nuclear tech). those poor guys have to keep inventing to stay on top of things!

Re:Jurisdiction...

[toodeepforme]

However, doesn't the CIA often hand over tasks such as monitoring chatrooms and other such sites(for people discussing or planning terrorist activities) to the air force? I was under the impression that they did. Anyone know? If they did, they would have to have a connection to the regular internet. Also, i'm not the most tech savvy guy around, but how hard would it be to create a separate network, with a program that asks you when you start up which network you would like to connect to?

Re:Jurisdiction...

[jonbryce]

They've got to find the target first though. When it is bounced through a load of different proxy servers, that's not so easy. You can bomb the proxy, but they just move onto another one.

Re:Jurisdiction...

[Fred_A]

If the USAF wants a secure network, then they should create their own isolated network completely divorced from the civilian Internet. I'm sorry if that means generals can't look at porn sites from their office, but that's the way things go.

But military porn is so dull !

Re:Jurisdiction...

[ScrewMaster]

but how hard would it be to create a separate network, with a program that asks you when you start up which network you would like to connect to?

Trivial. But that's not the issue: the mere presence of such a connection allows for possible remote exploits. If you want secure network, it really should be physically separate from the public network. Even then, people will try to tap into your private network and decrypt whatever they can, but they won't be able to sit in a comfortable computer room in China to do it.

Re:Jurisdiction...

[digitalchinky]

Intellink has been around for a lot of years now, I'm not sure how porn would go on that network though :-)

Speaking of Generals, at one point a girl in the room next to me (navy accommodation) was secretary to the Australian chief of the defence force (the head dude) - the internet was pretty new back then and he had his own pool of modems for remote access. This access also extended to the aforementioned secretary whenever the lines were not in use. Lets just say that it didn't take very long for fingers to get slapped on the quiet.

Re:Jurisdiction...

[mysidia]

Don't make it a program. make it a physical switch on the front of the PC to go from "isolated network" to public internet and back.

The switch can only be operated when the equipment is powered off, and actually is an A/B switch that physically disconnects one hard drive and connects another, disables one ethernet port on the NIC, and enables another.

The isolated network requires 802.1X/EAP authentication at the network switch, full encryption for access, complete isolation of each node (EVERY host on the LAN can communicate _only_ through a 'router'), and the encryption keys and authentication secrets are married to the hard drive as well as user identification which is also protected with full-disk encryption.

This also protects against unauthorized equipment connecting to the isolated network.

The strong authentication and isolation means a host cannot impersonate another host.

Since every host connects only to a router, individual host ip addresses can actually be completely random.

An adversary intruding without inside knowledge should have extreme difficulty discovering the obscured ip addresses of important equipment. Particularly if IPv6 addressing is utilized.

Re:Jurisdiction...

[atraintocry]

This would probably be doable if RFC 3514 was implemented. In that case, you'd simply flip the evil bit to 0 if you are the USAF, 1 if you are not. Still with me? Then you update everyone's router firmware allow tracing of packets back to individuals. *But* the router will only do it if the packets in question have the evil bit on, and the packets for the request came with the evil bit off.

Then again, getting everyone to flash their routers might take some work, so I dunno. But if we are really serious about securing the internet, we could probably all pull together and get it done.

Re:Jurisdiction...

[HungryHobo]

Problems: viruses which bury themselves in the BIOS would still get in, any periferal with any kind of rewritable memory is a potential liability, USB ports would be a no no etc etc.
easiers and cheaper to just have 2PCs in the office since then you can use off the shelf stuff rather than some custom system with hard disks which you can switch etc.

Re:Jurisdiction...

[mysidia]

Which is why the switch would power-cycle the unit if it had accidentally been left on during the switchover.

Thus causing writable ram to be flushed out.

As for the BIOS code ROM, that is not writable, and the EEPROM would either be removed or made unflashable.

Re:Jurisdiction...

[Steve001]

interstellar_donkey wrote:

Right. And some harsh realities have to be realized by the AF or any DOD department.

1) The Internet does not belong to America. Period. It is a global network of good guys and bad guys, and the rest of the world won't, nor should they abide by our rules.

2) The Internet does not belong to the military. It has far more to do with domestic and international trade and information than it does to various arms of the DOD.

If the USAF wants a secure network, then they should create their own isolated network completely divorced from the civilian Internet. I'm sorry if that means generals can't look at porn sites from their office, but that's the way things go.

I agree, and to piggyback on this I think that the Air Force needs to go to non-commercial software (including an OS) of its own creation (that way they own and control it), rather than using the same software used in the civilian world. In the short run it might be more expensive to do this, but it is likely to be much more secure than using the same software that anyone can buy off the shelf, and security can be built into the software at its creation (and as a prime consideration in its design) rather than having to be added to software that was not designed for security from its outset.

This would also save money in the long run since:

• It can be issued to users as needed without having to pay recurring licensing fees.
• Software could be upgraded based on the needs of the Air Force and its users, rather than requirements forced on them by non-Air Force agencies.
• Software could be designed so that it doesn't render obsolete many already-in-use-and-perfectly usable computer systems.

Re:Jurisdiction...

[HungryHobo]

Yet still- Why?

1 weird custom computer like this would be much more trouble and much more expensive than simply buying 2 bog standard PC's and hooking each up to a separate network. it's best to KISS

Re:Jurisdiction...

[Whorhay]

Having worked at one of the USAF's major software production facilities. I would like to say that would not work out in any kind of economically feasible manner. The vast majority of software that the military uses is written to be run on the OS's we have today. Using a new and different OS would mean rewriting most everything in use today and anything new you wanted to develop would have to be specially made for your systems. COTS is a pretty good way to save money in the majority of situations where the USAF needs something. Proprietary is almost always a bad idea except as a cash cow for the seller.

Going with Open Source software written to be as secure as possible is probably the best way to go. But there's the whole irrational fear from the people at the top that being open is dangerous. Security by obfuscation is still their favorite.

so much for that!

[cashman73]

There go my plans to connect to Cheyenne Mountain's WOPR computer to play Global Thermonuclear War! I guess they want to play Tic-Tac-Toe, instead?

ICANN save the world (ok, somewhat a pun)

[HighOrbit]

I think I can expand on your idea. While I know the idea of ICANN and the US Department of Commerce controlling the root servers is unpopular with many, I think the following senario is the kind of situation where it would be beneficial.

ICANN assigns blocks of addresses to ISPs. If an ISP is letting "customers" originate (spoof) addresses that are not part of the ISP's assigned block, then ICANN could just refuse to route (or resolve) any traffic from that ISP by decertifying its assigned address block, unless the ISP cleans up its sub-net.

Historically ICANN has had a *very* light hand, but somebody needs to be the responsible adult on the playground and ICANN's control of the address space is as good a place as any to do it.

hacking Russian Nuclear Subs ..

[rs232]

Whatever they do, don't do what the Russians did in last nights episode of Spooks. Those fiendishly clever Ruskies planned to launch a cyber attack on Brittan, to do this thay are going to tap into an undersea fiber optic link and cause a massive DOS attack against the UK commercial sector. MI5 came up with a counter-plan: bounce a zero-day-attack off the fiber link to the submarines communications and navigation system. To do this they would need the subs 'Remote Access Protocols'.

To do this MI5 blackmails the head of the FSB into sneaking into the Russian Embassy (where the nuclear access protocols are kept .. on computer ?) and steal the 'protocols' off the computer, copy them to CD and get out of the building.

They duly implement the plan, and on screen at MI5 headquarters, they see, the primary firewall and then the secondary firewall being disabled followed by the control screens on the sub going garbled and all the lights going out ..

In episode one, al-Qaeda is planning to detonate a bomb with the support of Chechens with links to Russia .. :o

Spooks Episode 2 Series 7

Re:hacking Russian Nuclear Subs ..

[Trent+Hawkins]

That sounds like a very complicated plan... The real Russian plan of attack however is far more effective: Just pay some geeks to do it. Geeks are more then happy to violate a target's computer systems and they're far more relentless and malicious then the most cold hearted ex-KGB agent.

Consider it done

[TubeSteak]

lameness filter forced me to munge the layout

RFC1149a - Standard for the transmission of flash memory on avia
Network Working Group_____________ TubeSteak
Request for Comments: 1149a__________LOL WTF
                                                  3 November 2008
      A Standard for the Transmission of Flash Memory on Avian Carriers

Status of this Memo
  This memo describes an experimental method for the encapsulation of
  flash memory in avian carriers. This specification is primarily
  useful in Metropolitan Area Networks. This is an experimental, not
  recommended standard. Distribution of this memo is unlimited.

Overview and Rational
  Avian carriers can provide high delay, low throughput, and low
  altitude service. The connection topology is limited to a single
  point-to-point path for each carrier, used with standard carriers,
  but many carriers can be used without significant interference with
  each other, outside of early spring. This is because of the 3D ether
  space available to the carriers, in contrast to the 1D ether used by
  IEEE802.3. The carriers have an intrinsic collision avoidance
  system, which increases availability. Unlike some network
  technologies, such as packet radio, communication is not limited to
  line-of-sight distance. Connection oriented service is available in
  some cities, usually based upon a central hub topology.

Frame Format
  The flash memory is packaged, inside a small waterproof container,
  and formatted to FAT32. The waterproof container is attached to the
  back of the avian, between the wings, as a backpack. The bandwidth
  is variable and limited by the carrying capacity of the avian.

  Upon receipt, the backpack is removed, the flash memory extracted
  and checked for physical and liquid damage.

Discussion
  Multiple types of service can be provided with a prioritized pecking
  order. An additional property is built-in worm detection and
  eradication. With time, the carriers are self-regenerating. While
  broadcasting is not specified, storms can cause data loss. There is
  persistent delivery retry, until the carrier drops. Audit trails
  are automatically generated, and can often be found on logs and
  cable trays.

Security Considerations
  Security is a problem during normal operation, as flash memory
  has a non-trivial and intrinsic value. Special measures must be
  taken (such as data encryption) when avian carriers are used in
  a tactical environment.

It'll work, if cyberspace != internet

[swordgeek]

The headline here says 'rewrite the rules of the internet', whereas the Wired article talks about 'rewriting the rules of cyberspace.' Subtle difference here.

The internet exists as it is--fundamentally an IP-based network connected in all the ways we know about, routing, addressing, etc.

The thing is, there's no reason that the Air Force (or anyone else) couldn't create their own, entirely incompatible version. Start with something that has guaranteed QoS, hard-wired source addressing, encryption at the equivalent of the transport layer, content-metadata in the packets (or equivalent to packets--it doesn't have to be a packet protocol at all), etc..

If you need to connect it to the internet, create a tunneling protocol, or a translating switch. Make it different. Make it incompatible. Make it rigid in its requirements. You CAN create a secure network, but not if it's based on the same technology that makes up the existing internet.

Re:It'll work, if cyberspace != internet

[starfishsystems]

Don't forget strong identity at the data link layer.

Re: open public secure milnet ..

[rs232]

"You still have the problem of how to run www.af.mil in a manner open to the public, as well as the public sites for many military bases, while still securing them"

A contradiction in terms. You can't secure *.mil, at least in my understanding of the term. Never mind in technological terms just keeping track of the information. For low level mil traffic and public access, continue to use the InterTUBES.

"Still, wouldn't you LIKE to find out who's sending you spam/phishing attacks/etc... so you can, if nothing else, impolitely ask them to stop at 0100 in the morning?"

Any such attacks are usually from some compromised desktop in JP. Once the VPN filters it out, I don't want to see it. The VPN node keeps such logs. Putting a 'secure' system on the Internet with only a username and password for protection, is dumb as dumb can be ...

HPDIA0200W Authentication failed. You have used an invalid user name, password or client certificate.

actually, that may not be a bad thing

[erroneus]

It could start with the need to do business with government. The government could adopt protocols and standards that are more secure than the ones we are [ab]using now. And then, just as with digital TV in the US, an announcement is made saying "as of Aug 2009 if you want to do business with the US government, you will have to start using these protocols." Suddenly, software makers have motivation to supply the next versions of their email software that works with the new government email protocol standard and on and on.

People know SMTP sucks. The trouble is getting that ball rolling for change. Who could individually start that ball rolling? The biggest spender of all time, of course, the US Federal Government.

potential recuit and af.mil ..

[rs232]

"Yes, I'm sure every potential recruit would just love to have to install a VPN client to go check out af.mil."

Pretending to be dumb is no excuse for a slashdot subscriber. Like the potential recuit isn't in du' Army yet, as such the recuitment site would have to be on du' InterTUBES ..

'Hey dude, how can I get onto this FaceBook from this here 'secure' computer'

Wired

[db32]

Why do these stories keep getting put on slashdot? Wired is god aweful reporting to begin with, and they make EVERY military related story into some stupid diatribe article. One day they are laughing that the Air Force allows users to surf the web, the next they are talking about how the Air Force is some draconian government gestapo crushing freedom because it blocked social networking sites. These people are tools...I mean for christ's sake there is a huge picture of Neo stopping bullets at the top of the article. The Air Force could discover the cure for cancer and these assholes would write a story about how they are killing millions of cells in humans.

I mean seriously...the DoD only has the largest enterprise network in the world. The DoD was a big part of the Internet even happening in the first place. I think it is pretty assinine to point and laugh and take quotes from the non technical people and further warp them by putting them out of context. Wired is pathetic.

It's not so bad...

[longacre]

If the RIAA can rewrite the laws of cyberspace, why not the Air Force?

Good thing they have smart bombs

[koan]

Because the military's decision making machine is seriously stupid.

Leave it to the US air force...

[hesaigo999ca]

Leave it to these guys to thinking THEY should be the ones to rewrite the internet...I have not read the article, but if the title holds true, and the USAF thinks its time to make some changes to
better track internet usage, then don't think whatever you come up with should be implemented...that is what the IEEE is for no?

Re:Only traitors will vote for Oook-oook Banana

[Fujisawa+Sensei]

I am a Liberal.

I believe in the Constitution which contains the right to bear arms and seperation of church and state.

I believe in the United States of America, not Jesusland.

When the American Right stops trying to destroy the First Amendment, which incidentally comes before the Second Amendment, I will consider it.

Until then, you're welcome to relocate to a country more amiable to your theocratic oligarchy: I think Iran would suit you nicely.

Random yet related tangent.

[SatanicPuppy]

In World War I one of the countermeasures the Russian's used against the possibility of a German invasion was to use a different gauge of railroad; the rationale was that the German's wouldn't be able to support their troops without rail, the German trains wouldn't be able to run on Russian tracks, and therefore they wouldn't be able to sustain an advance.

This practice cost the Russians a vast amount of trade revenue due to the inefficiencies of the system, and in the end it was all for nothing.

The Germans, not being morons, allowed the Russians to advance into German territory and then pulled the same trick on them: surrounding and destroying forces who had effectively cut their own supply lines by advancing past the end of their own rail lines.

So yes, on the one hand, making your system incompatible with the "enemy" system may have advantages, but it also has dramatic disadvantages. You won't have the benefit of the rest of the worlds security research, you won't benefit from the advances on more popular systems, and you won't be in a position to be aggressive with your resources because you'll have the same problems working on other people's networks as they'll have on yours.

Re:Random yet related tangent.

[swordgeek]

Fascinating, and very relevant. Thanks for some insight!

There are differences, though. For starters, it's not necessarily about making it incompatible with "the enemy" (i.e. the internet) so much as not explicitly tying it to internet compatibility. That is to say, if the AF came up with this new network (Internet 3?) and the rest of the world adopted it, the sudden compatibility wouldn't be a problem.

Also, the interface between the two realms would be much easier to achieve than with trains, because it would be strictly in the electronic/digital world. No shifting of cars and cargo between trains, for instance.

Also, the internet already exists, and the new network wouldn't invalidate that. It would be more like having two tracks of different gauges running parallel, but if you wanted to get to the military, you would have to be on the odd one. (which of course would have more switches, heavier security, etc.)

But all any of this is saying is that the analogy isn't perfect, which is no surprise--no analogy ever is. However, it's an important cautionary tale which anyone who undertakes to reinvent the wheel needs to keep in mind.

Re:Sipernet

[Old97]

I believe that the DoD's network for secure (TS, S) information - Sipernet - actually does run on the Internet infrastructure. It doesn't behave the same way as normal traffic and special devices are used at the end points that connect to the Internet to disguise the traffic.

Airforce and Rewriting

[tekiegreg]

Well unlike any other institute that has threatened to re-write the rules of cyberspace, they're probably that institution with the largest amount of (nuclear and conventional) weapons that has threatened to do so. So does that give them the right? :-p

You and whose army?

[argent]

Oh wait, nevermind...

To USAF: This is trivial. Where's the confusion?

[Khopesh]

Isn't this a simple issue of isolating a few "clean" networks and essentially NAT'ing them, denying access to any external address (at the BGP level, the way Sprint recently blocked Cogent)? Anybody coming in from elsewhere will have to VPN into some time-sensitive opening (see below). Done and done.

Time-sensitive opening: create a giant honeynet on the entry-way IP blocks which host the VPN. The VPN firmware/software would determine which IP:port to connect to with one-time "password" (OTP) generators like SecureID ... hell, you could even use the physical SecureID keychain for this part, thus gaining two-factor authentication. Connecting to the wrong one results in getting blocked by the entire VPN network for 10 minutes. Too many failed authentications on a OTP generator will result in that generator being revoked or frozen, just like your online bank account.

How does this not solve the problem? You're relatively immune to DDoS attacks, a strong enough level of security ensures only privileged accounts gain access, and facilitating access lists should be as secure as their physical equivalents.

Its a global tree- not a global web

[HighOrbit]

Yes, but... if you can think of the internet as a hierarchical tree instead of a web. People think of it as peer-to-peer like a web. But it is really subnet-backbone-subnet, both physically, and logically (DNS). All ISPs have to physically feed into a higher level link until you reach the tier-1 providers which put it on the backbone. Then the tier-1s have to resolve at the 13 root name servers to know where to send it. At each level of the tree, each subnet gets gate-wayed/routed to the higher (or lower) layer. Each level of subnet should have discrete sets of blocks of ICANN assigned numbers right down to the neigborhood dsl-exchange.

So, ICANN could, at least theoretically, make "being connected" conditional on a provision that would flow from tier-1 down to the neighborhood ISP -- "you only resolve and forward out-ward traffic if its origin headers match the assigned block(s) of the origin subnet(s)". If a subnet starts spewing spoofed packets, the next higher tier (up to tier-1) disconnects them until they agree to fix (or filter) the problem. ICANN then rides herd on tier-1 to keep it enforced.

Re:Its a global tree- not a global web

[MikeBabcock]

Riiigght, because the Tier-1's never receive traffic from those multi-homed ISPs via other routes. BGP is pretty cool, and traffic often flows the way you describe, but sometimes it doesn't, and you get packets from just over here *waves to his left* when you expected them from over here *waves to his right*.

Placing filters that are guaranteed to be correct on all the right ports all the time would be a maintenance nightmare.

Just one demand:

[KDR_11k]

Leave rule 34 intact!

Re:Only traitors will vote for Oook-oook Banana

[Shotgun]

I would mod it to +32,768.

What do they want?

[sfjoe]

Or perhaps today's protocols can be tailored, to make military networks "technically or physically inaccessible" to malicious traffic. "We'll start with blue," says Information Directorate chief Donald Hanson, using the military term for friendly forces. "If you're not blue, you can't come in."

WHat a great idea. We could call it a "firewall" or something.

Re: open public secure milnet ..

[Firethorn]

A contradiction in terms. You can't secure *.mil, at least in my understanding of the term. Never mind in technological terms just keeping track of the information. For low level mil traffic and public access, continue to use the InterTUBES.

Bastian fortress hardening - you're not looking to protect the information on it in the traditional sense, you're trying to prevent anybody from compromising the machine to either change the information on it or use it as a gateway for further hacking.

Once the VPN filters it out, I don't want to see it. The VPN node keeps such logs. Putting a 'secure' system on the Internet with only a username and password for protection, is dumb as dumb can be ...

The VPN isn't, by itself, going to be filtering out phishing emails. And we've graduated from username/passwords some time ago.

Re:Only traitors will vote for Oook-oook Banana

No Nazis from the Nuremburg trials ever made it to South America or the US.

Hey, we're the good guys! Right?

[mdrplg]

I'm sure that the air force has all of our best interest at heart. At least they think they do, or they might think they do. Or that is, er. Come to think of it maybe I will live in that bunker in Montana after all.

Re:Hey, we're the good guys! Right?

[justinlee37]

You don't know what you're talking about, do you?

Re:Hey, we're the good guys! Right?

[mdrplg]

I'm not sure I ever know exactly what I'm talking about. The epistemology of it all makes my head swim. Who wants to know?

Re:Hey, we're the good guys! Right?

[justinlee37]

It sounds like you assumed "re-writing the rules of the internet" to mean something that it doesn't without bothering to RTFA.

Re:Hey, we're the good guys! Right?

[mdrplg]

I did read the article. I think there were probably assumptions made by the Air Force and others...

Rewrite complete already?

[jep77]

The Air Force must have completed the rewriting of the rules today at 1:00 PM. That might be the answer to why there are no new stories on /. since then.

Re:Only traitors will vote for Oook-oook Banana

[tuxgeek]

I couldn't have said it better.
Except I am neither liberal nor conservative. I am an American patriot and believe in the Declaration of Independence, the Constitution and the Bill of Rights. I also believe in capitalism and separation of church and state.

But, I will never again vote for any republican since they began their campaign to destroy the foundations of American democracy and switch the country to capitalistic dictatorship and the military industrial complex.

I have NO fear of Obama. And contrary to the neocon rhetoric, I have no doubt he will uphold the principals of democracy, unlike the last 2 douch bags he and Biden will be replacing shortly. I am also a gun owner and support the right for all Americans to form Militia to defend our land and freedoms.

Actually it's the neocon side of the isle that will seek to take our guns from us. Dictatorship is easier when the masses cannot shoot back.

Bush & Cheney have done more damage to the country and world than should have been allowed. I hold all republicans and their supporters guilty of high treason for this. Now they have 2 more whacked out fruit cakes, John McBush & Sarah McCheney they want in there to continue the destruction.

Isn't it obvious that McBush & McCheney, as people, are just as stupid as George W. Bush? Cheney is not stupid, he is just pure evil.

"Our enemies are innovative and resourceful, and so are we. They never stop thinking about new ways to harm our country and our people, and neither do we." George W. Bush

Re:Only traitors will vote for Oook-oook Banana

[Buelldozer]

I see far more first amendment attacks from the American Left than I do the American Right.

Internet boards, like this one, are filled to bursting with posters who bash on Religion, especially the Big C, with the heat of a thousand stars.

The reverse is not true. Most of the Atheist bashing I see is confined to odd little corners of the Internet, such as forums dedicated to fundamentalist worship of one flavor or another, or the 42nd page of the newspaper.

In general web surfing I'd say the religion bashing posts outnumber the Atheist bashing posts by a ratio of about 10,000:1. No I'm not exaggerating for dramatic effect.

When the American Left starts embracing the 2nd Amendment of the Constitution as strongly as the 1st then I'll consider joining.

This isn't to say that I'm comfortable with the hysterics of the "Religious Right", it's just that I don't find the hypocrisy of the "Sectarian Left" any more pleasant or rational.

Makes sense. USAF doesn't need traffic

[Animats]

The USAF has the big advantage that they're not trying to grow their web traffic. If nobody on free mail services can talk to them, no problem. If executable downloads don't make it through the mail filters, no problem. If every incoming document gets run through a conversion to ODF to strip any funny stuff, no problem. If every incoming image is rendered and recompressed at the firewall, no problem. If their users's machines need a dongle to authenticate, no problem. If their servers have to run NSA Secure Linux or LynxOS or EAL4 QNX, no problem. They can take a hardass attitude if they want to.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Wussies!

[elgatozorbas]

Rewriting "the laws of cyberspace" is for wussies. to save on my heating bill I rewrote the laws of thermodynamics.

Comment removed

[account_deleted]

Comment removed based on user account deletion

i dont think

[nimbius]

this is so much of a pledge to rewrite the internet, so much as its toplevel brainstorming by folks who just dont know that much about the technology behind the internet. if its a wardog pondering, then the idea of 'dodging' and the concepts he implies sound vaguely related to tor routing. i think more than visions from leaders, the af is going to need to do some serious recruiting to find some very savvy sysadmins and network people, most of which are already purchased by fortune 500's. this is challenging, as most of the admins i know are rather opposed to joining the war machine agenda.

Re:Only traitors will vote for Oook-oook Banana

[merreborn]

I see far more first amendment attacks from the American Left than I do the American Right.

Internet boards, like this one, are filled to bursting with posters who bash on Religion, especially the Big C, with the heat of a thousand stars.

You seem to have confused people exercising their first amendment right with attacks on the first amendment.

Criticism of someone else's speech is not an attack on the first amendment. Geographically restricting free speech, on the other hand, is.

Re:Only traitors will vote for Oook-oook Banana

[afidel]

No, instead they exclude the non-Christians, do their best to game the rules to punish them, and actively try to suppress their education and rights. Once you stop your stupid Creationist backdoor indoctrination campaign, leave women's bodies to themselves, stop butting into my bedroom and entertainment and start acting like good neighbors THEN I will stop bashing 'Christians'. Every time I have debated religion with a lay 'Christian' I have always known more about the true teachings of Jesus than they have, they only know the hate and vemon spat from the pulpit and pushed by their local conservative politicos.

Re:Only traitors will vote for Oook-oook Banana

[Denial93]

In general web surfing I'd say the religion bashing posts outnumber the Atheist bashing posts by a ratio of about 10,000:1.

That should tell you something. By and large, people get bashed for pissing other people off, and best practice for pissing people off is interfering with their lives. Atheists, agnostics etc. do not have holy rules they believe they have to bugger mankind with, except agreeable basics such as the Golden Rule. They get bashed less because they deserve less bashing - according to those who bash.

Or do you prefer to believe there is some web-wide troll conspiracy going on that limits or directs anyone bashing impulses?

Now will you explain how bashing is an attack on the first amendment, rather than the exercise thereof?

Re:Only traitors will vote for Oook-oook Banana

[Mister+Whirly]

Wow. Can I have your weed dealer's number? That must be some great shit!

Here's my experience

[purpleraison]

Ok, so based on my experience with the Air Force the rules will be as follows:

1. kiss you superiors butts, even when they tell you to do something wrong

2. do crappy work - and bitch about it a lot

3. work sloooow

4. after steps 1-3 your superiors will tell you that you've been doing it wrong (nevermind the fact that they told you to do it that way), and you need to start over

5. Thank you boss for the opportunity to do it 'the right way' this time

6. start again, then someone else gets tasked with the project despite your objections

7. you tell the new guy to go to step 1, and continue until project completed

Re:Only traitors will vote for Oook-oook Banana

[Mister+Whirly]

Apparently you never listen to talk radio then.

Re:Only traitors will vote for Oook-oook Banana

[0xygen]

Signed integer limit is +32767.
32768 is only possible in the - domain!

Re:Only traitors will vote for Oook-oook Banana

[Buelldozer]

There's the "heat of a thousand suns" I referenced in my previous post!

I personally think that the Religious Right is far too active in U.S. politics. I won't argue that point.

Whatever our personal feelings it seems there are enough of the Religious Righties that they hold some sway in this representative Democracy that we have here in the United States.

Are you advocating silencing, or disenfranchising, a significant percentage of the citizens of this country to further what you personally believe? How does this make your behavior superior to theirs? Merely because you attack different targets or use different arguments?

I'm a lay Christian and I'd be happy to debate with you. Of course you'd then have to give up the "Every time" hyperbole at the start of that sentence. My email is available in the header of every post, feel free to contact me.

Re:Only traitors will vote for Oook-oook Banana

[Frnknstn]

In general web surfing I'd say the religion bashing posts outnumber the Atheist bashing posts by a ratio of about 10,000:1.

That's because you visit more atheist-friendly websites than religious websites. People prefer to express their opinions in like-minded company; thus you see more anti-religion post on your pro-atheist websites.

No I'm not exaggerating

On this comment page, there are at least two anti-atheist posts. That is for a single story. Twenty slashdot stories a day, 500 posts per story makes your 20 000 posts to cover that. So you claim that almost every post made on slashdot is anti-religion? Or does slashdot have a different ratio because it is a particularly pro-religion website?

Well Seasoned Experts

[b4upoo]

Some of the workers responsible for governmental, critical security are well trained, seasoned and dedicated. I would not discount their abilities one little bit.

Prescott Bush

[bobbonomo]

Interesting but I see no links to any documentation that I can can read to validate this. Is it theory or truth? ...or a fun thing to say? Anyone can make an accusation.

This is the first time I hear this. Surely it would (or should) have come out when the father or the son was campaigning (or Jeb).

Anyone have something on this?

For the record: I am not American and am not taking sides here and am not really up on all the information on the Bushes. (or is that Bushs?)

Re:Only traitors will vote for Oook-oook Banana

[jonaskoelker]

I hold all republicans and their supporters guilty of high treason for this.

While I agree with a lot of what you say, I think you're overstepping a line here. Find the scumbags who've actually done something wrong, and hold them responsible for their wrongdoing. Charge them with treason if they've committed it.

But don't hold innocent republicans, or those who innocently vote republican, responsible. At least not if you value the rule of law.

"I disapprove of what you say, but I will defend to the death your right to say it."

I hate neocons just as much as you do, and I lean more left than right (so the republicans wouldn't get my vote, were I eligible to cast it) but I will defend them here in spite of that, so that someone will defend me when I need it.

Re:Only traitors will vote for Oook-oook Banana

[Oligonicella]

I'm hard core atheist and every blog I post on knows it. I've received more crap from atheists than the few uberChristians. All I do is point out their hypocracy and whammo, they lose their nut.

For instance, I'm not excluded from any blog at all, no one actively tried to suppress my education or rights or those of my daughter or her children. You list a line of talking points that don't stand up on scrutiny and I seriously doubt your every time statement. Sounds more like pompous self-aggrandizement than truth. Also, the 'true teachings' statement is similar to that made by religious bigots because they 'hold the understanding'. I live in Bible belt country and rarely hear local conservative politicos spit hate and venom.

Re:Only traitors will vote for Oook-oook Banana

[ScrewMaster]

Signed integer limit is +32767. 32768 is only possible in the - domain!

He went long.

Columbus and the Internet

[Prius]

It's recently dawned on me that there more than seven continents taught to you at school, which are N. America, S. America, Europe, Africa, Asia, Australia, and Antarctica. In fact, there is an eighth: the Internet. Consider: the empires that colonized the Americas knew about them for years before there was serious Europeanization (E-ization from now on, because it is so hard to spell out.). Once they started becoming seriously interested in expanding into the Americas, they reacted in the following ways: they first began settling the regions and using what they could to be more efficient. Second, they vilified the natives, decrying what they learned was necessary to survive and the culture that sprang from it as barbaric and savage. Third, they imposed their culture on the natives, forcing them to submit to their laws until everything that was native was now part of Europe. Anything they keep is seen as a novelty. I see this happening with the Internet. People have known about it for a long time, but haven't really cared about it. Now it's becoming more and more necessary for them to operate within it. So, in recent years, they have begun using what we have had, like e-mail and online news sources. Now they are saying our websites are bad, like the article on CNN. In it, the author implies that our culture is savage, cruel, and callous. Now again, they have begun imposing their laws upon us, barging into our 'continent' and claiming it is theirs because we aren't responsible enough. By the time they realize that they are wrong, it will be too late; our culture will be long gone. I propose the following: we, as a culture, begin mass-migrating to another medium, or we fight for our lands and keep out the intruders. I vote for the latter. It is not their right to steal what is ours, nor is it their 'responsibility' to use it the way it was 'supposed' to be used. But don't listen to me. Think for yourselves, before it is too late.

Re:Only traitors will vote for Oook-oook Banana

[Plugh]

... and I am an Anarcocapitalist. I believe that there's no government you can design, that authoritarians of either the Communist-type or the Fascist-type won't eventually turn into their own tools of oppression (always, of course, "for everyone's benefit")

I know it sounds extreme, but if you're a fan of the work of Nobel-prize winning economist Milton Friedman, I suggest you have a look at the work of his son, David Friedman, which extended his father's work to its natural conclusion.

And in any case... whether you want a return to the limits of the Constitution, less government overall, or no government whatsoever, I suggest you check the link in my signature.

Re:Only traitors will vote for Oook-oook Banana

[afidel]

I give as I receive and this crap about the poor Christian minority being oppressed when my experience is exactly the opposite is the kind of thing that really pisses me off. I'm sorry but being punished for playing a game because it "encourages witchcraft" (Magic when I was in High School). Being told that I can be put in jail because of the salient material I choose to view or objects I choose to purchase (porn and vibrators) because they don't agree with someones 'morals', etc. The thing that really pisses me off the most is the attempted control over women's bodies. If it weren't for the availability of late term abortions my brothers and I wouldn't exist. My mother had an extremely high risk pregnancy with my older brother, to the point where the doctors wanted to abort him and tie my mothers tubes. If she hadn't had the option to abort the pregnancy if her life were threatened then she would have been forced to follow their advice. By having the option available to her there are three more generally good souls on this planet who try to be assets to their country and community.

War games...

[mcneely.mike]

Does this mean that when i try to access their servers i will no longer be greeted with:
"Hello Professor... would you like to play a nice game of 'surf pron'?"

Re:Only traitors will vote for Oook-oook Banana

[afidel]

Really, have you not been paying attention? The fundies are trying to dismantle science and replace it with thinly veneered proselytizing about their creation myth. Palin is on the record as saying she is against all abortions including in the cases of incest, rape, or the health of the mother and she gets cheered loudly while saying it. I would call that seriously suppressing the rights of your daughter. I have zero problem with most Christians, they are generally good people who try to lead decent lives. It's the more vocal minority that has gotten heavily involved in politics and tried to control how I live my life that I detest.

Rendition

[solweil]

>how do they deal with multiple international jurisdictions? Extraordinary rendition?

Rewriting the law of cyberspace? Whoo!

[PJ+The+Womble]

Next week: Fat guy tries to rewrite the law of gravity? Mortgage broker tries to rewrite the law of diminishing returns? Nobel prize for Average Joe who successfully rewrites the law of averages? I'm inclined to think that this is more: "Tarzan rewrites the Law Of The Jungle" (before consulting the tigers).

Re:Only traitors will vote for Oook-oook Banana

[ramandu]

I think you're missing the GP's point. Turning the other cheek, and actively loving those that despise you has more effect then you may think on those you mention that try to restrict others agency. Calling them names and embittering relations only increases the void between the two camps; no side has been entirely innocent, both have at one time or another been the persecuted or the persecutors.

"An eye for an eye will make the whole world blind." -- Mahatma Gandhi

Re:Only traitors will vote for Oook-oook Banana

[afidel]

I've never persecuted Christians or people of any other religion. The 'worst' thing I have ever done is try to keep their views out of schools and the workplaces I have been a part of. I am perfectly willing to discuss religion in a non-antagonistic manner outside of work hours. As I said my personal experience living in a battleground state is that there has been a lot more attempts by the religious right to control people than the other way around.

Re:Only traitors will vote for Oook-oook Banana

[tuxgeek]

Noted

Thomas Jefferson, Ben Franklin and many others saw the need to overstep certain boundaries to set foundational principals for the new colonies.

And some republicans have had the balls to come out and denounce publicly that they do not approve of what their kind are doing. I have no animosity towards them. These are the real patriots. Others that are just fine being led around by their noses and told what to do and think, are just mindless sheep.

But I do have issues with those that fervently defend Bush, Cheney, Ashcroft, James Baker, Rumsfled, Robert Novak, Rove, Rice, Jeb, Wolfowitz, and the rest of the neocon scum. These public figures should be the ones facing war crimes and crimes against humanity. They have disgraced us all. Their followers are the ones that would be better off just shot out of a cannon and into space.

Re:Only traitors will vote for Oook-oook Banana

[ramandu]

You make it sound as if I was accusing you; I wasn't. All I wished to emphasize is that pointless bickering between the two "sides" does nothing, we can't wait for the "other" side to change before we start being decent human beings. I believe that is what the Anonymous Coward #25619735 meant; though in a slightly less inflammatory tone.

New Air Force Rules of the Internets

[ben2umbc]

The first rule of the Air Force Internets is - you do not hack the Air Force Internets. The second rule of the Air Force Internets is YOU DO NOT HACK the Air Force Internets. Third rule of the Air Force Internets is if you get hacked, power down, the hack is over.

Montana? Good plan

[JSBiff]

I mean, Montana has an AFB in it, along with 6 Air Force bases in nearby states. There is no place anywhere in Montana that isn't relatively close to an Air Force Base. That's a great plan for getting to a place where "The Man" can't hit you. *grin*

Re:USAF History of Redefinition

[DynaSoar]

Can anyone explain how commenting on USAF attempting to solve a problem by redefining it to suit its own purposes by pointing out (humorously, which doesn't seem to be at issue) two other instances if it doing the same (and failing, also apparently not at issue) is off topic?

Re:Only traitors will vote for Oook-oook Banana

[tukkayoot]

I see far more first amendment attacks from the American Left than I do the American Right.

I take it you're from the Sarah Palin school of Constitutional interpretation, where extremely vocal criticism by the press or private citizens/organizations amounts to a violation of the first amendment. Or you're just throwing this statement out there, without offering any support for it.

The reverse is not true. Most of the Atheist bashing I see is confined to odd little corners of the Internet, such as forums dedicated to fundamentalist worship of one flavor or another, or the 42nd page of the newspaper.

You might have heard recently about how Elizabeth Dole called out Kay Hagan for attending an event hosted by a group called Godless Americans (among others, but none of the other groups were mentioned in Dole's attack ads). The implicit message here is that atheism is so horrible that having any association with an atheist group is counts as a black mark against a person's character and suitability as a member of Congress.

This is the Elizabeth Dole campaign, an sitting congresswoman. She's the wife of a former major party candidate for the presidency of the United States, not a "fringe group on the Internet."

Reaching back a bit, there is the infamous quote from George H. W. Bush when he was campaigning for the presidency: "... I don't know that atheists should be considered as citizens, nor should they be considered patriots. This is one nation under God."

People campaigning for public office today usually have a little more tact than that, but anti-atheist sentiment is not at all a fringe phenomenon, on the Internet or elsewhere. It's not uncommon at all for people to make comments about atheists, that if were said about Jews, would be called out by everyone as rank bigotry.

I wouldn't expect a non-atheist to see it though. We've been conditioned as a society to recognize the injustice faced by certain minority groups, but atheists usually aren't such a group, so a lot of the derogatory commentary about atheists might not even register as something potentially offensive. But it's definitely out there.

Re:Only traitors will vote for Oook-oook Banana

[LKM]

Is this post meant to be ironic? People who bash religion are not attacking the first amendment, they are making good use of it.

Re:Only traitors will vote for Oook-oook Banana

[LKM]

Are you advocating silencing, or disenfranchising, a significant percentage of the citizens of this country to further what you personally believe?

No, he's pointing out that they're wrong. He's saying that they should stop pushing their religious agenda, not that they should not be allowed to push their religious agenda.

USAF have more history here than NSA

[Shirotae]

If you look at the seminal works in computer security you will see that a lot of the most significant early ones were reports for the Electronic Systems Division of the Air Force Systems Command.

I don't know how much damage has been done to either or both of USAF and NSA by incompetent and technically illiterate managers and politicians since those days but a spy agency with expertise in cryptographic algorithms is not what you need in overall charge of the thinking about systems security. An organisation where systems must be usable by people overloaded with work in a high stress environment is more appropriate than one whose mission is to spy on foreigners and die rather than give up any information.

I would cite SELinux as an example in support of my argument. It is fine in theory but so hard to use in practice that the usual advice is to disable it if you want to get any work done. This fits the spy agency thinking that it is better for the system to be inoperable than for there to be any possibility of information leakage. That is totally unacceptable to anyone who needs to get a job done.

Having had my little rant, maybe I should read the article...

Re:Only traitors will vote for Oook-oook Banana

[haruchai]

Really? Thank you. I'll see if I can find a copy.

Re:Only traitors will vote for Oook-oook Banana

[raengler]

Nowhere in the Constitution do the words "seperation (sic) of church and state" exist. From Wikipedia (a convenient, but by no means the only source)

"The phrase SEPARATION of church and state is generally traced to the letter written by Thomas Jefferson in 1802 to the Danbury Baptists, in which he referred to the First Amendment to the United States Constitution as creating a "wall of separation" between church and state.[3] The phrase was then quoted by the United States Supreme Court first in 1878,[4] and then in a series of cases starting in 1948.[5] This led to increased popular and political discussion of the concept."

The First Amendment guarantees freedom OF religion, not freedom FROM religion. Nobody is forcing anyone to adopt any religion. Theocratic oligarchy???? Big words for someone who can't spell "separation"
 

Re:Please quit blaming the Right...

[Fujisawa+Sensei]

I'm one of those American Right people you speak of, however I think we're so far off on the horizon you can't see us clearly. You see, we're being obscured by all those people to the Left of us that are constantly trying to take away the First and our guns. We usually blame the Left for all our ills, but I guess the problem is that our view is just as obscured as your view by that huge mass of selfish people in the Middle. Oh and the Second is more important than the First: You don't need to yell if you're armed, or as Roosevelt said "Speak softly and carry a big stick."

Taliban controlled Afghanistan was an example of an armed society without the First Amendment.

Re: open public secure milnet ..

[rs232]

"The VPN isn't, by itself, going to be filtering out phishing emails. And we've graduated from username/passwords some time ago."

The email system would only accept email from identifiably PKI certified senders and while this one uses PKI certificates it hasn't yet graduated off the InterTUBES, as in I can still send malicious packets directly to the server, which if the current infrastructure were adequate then the US Air Force wouldn't be:

".. fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear.. "

Netperger Syndrome: an obsessive compulsion to argue with total stranger over the InterTUBES

Re:You are cutting out all the good guys

[MikeBabcock]

The public is not particularly useful at identifying suspicious behaviour. Call your local PD sometime and ask how many tips they get that are useless.

Besides, the enemy happens to know everything the public knows, plus has the benefit of planning the op in the first place. There's a reason national defence plans aren't public, even if they "might" help the public help back.