Air Force To Rewrite the Rules of the Internet

meridiangod writes "The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than the rewriting the 'laws of cyberspace.'" I'm sure that'll work out really well for them.

Disconnect

[electrictroy]

If they were smart, they would disconnect their computers from the public internet. People can't access hardware they can't access.

Re:Disconnect

[electrictroy]

People can't [hack] hardware they can't access.

Re:Disconnect

[Kagura]

They actually are smart, and any computers accessing Secret information and above are NOT allowed to be hooked up to the internet or a network with access to the internet, EVER.

Re:Disconnect

[morgan_greywolf]

You're right, of course. But this isn't about computers with Secret information, which are a non-issue when it comes to the Internet -- those machines are on their own completely air-gapped network and secured behind locked doors, alarms and armed guards.

This is about the Air Force's services that are on the public Internet. The Air Force, like the other branches of the military and other government agencies, needs to interface with the public. One of their primary means of doing that these days is through their Internet presence.

Of course, sites in the .mil domain are going to constantly be hammered by cyber criminals, bored teenagers and even spammer gangs trying to bring down the sites.

The USAF would like to alter the permissive and decentralized nature of the Internet through technological and possibly political means to suit itself.

All I have to say is good luck with that and uh, get in line. Companies have tried and failed for years to mold the Internet in their own image. Companies with billions and billions of dollars to throw at the matter. Companies who were once powerful juggernauts and 800 lb. gorillas finding themselves becoming increasingly irrelevant...

Re:Disconnect

[Atriqus]

Actually, I liked the previous version... it better illustrated the obviousness of the solution.

Re:Disconnect

[sam0737]

Someone, someday will carry lost a USB thumbdrive carrying the sensitive information.

Perhaps we need a new RFC, similar to this one [RFC1149], for USB thumbdrive.

Re:Disconnect

[evanbd]

Sure they can. It just adds a step: get the hardware connected. Sometimes that can be accomplished through social engineering, sometimes well-meaning people do it for you, and sometimes people simply don't realize the connection existed in the first place. Of course, it does make things harder, and it is a valuable step... but it should not, under any circumstances, be assumed to be bulletproof by itself. You still need to worry about security against an attack.

Re:Disconnect

[Swizec]

Then there is that one company that started off very small and ended up changing the rules of the internet completely.

You know ... Google.

Re:Disconnect

[hey!]

Correction: any computer which is supposed to be allowed to access Secret information is not allowed to be hooked up to the Internet. I suspect there is no way to enforce the rule as you state it without possibly divulging what is secret and what is not. For example if I'm monitoring a computer and find that a bunch of files have been deleted, I might look at one of the files I downloaded that was purged, and say, "hey, this memo implies the F35 can climb at over 330 meters/second."

What I'm saying is that it's best not to trust in systems to operate according to the rules.

Re:Disconnect

[MrNaz]

Because the Air Force can't catch people over the internet, that must mean that they are also vulnerable to vans with tinted windows in the car park of the armed forces branch head quarters with a 20" dish antenna mounted on top.

Re:Disconnect

[ChrisA90278]

Yes that is pretty much the first rule. any machine with senitive data is not hooked up to the Internet. Not even via a firewall. They call it an "air gap" but today with wireless the term is an anachronism but still you get the idea "no connection at all".

Computers that handle REALLY sensitive stuff can't even be connected to normal AC power systems or even to normal building ground wires.

Many of the computers have removable disk drives. That is where ALL of the drives can be removed without tools. The rule requires the drives to be removed and stored in a safe when not in use.

Believe me they do have a few smart people who understand security and they have a decent educational system in place where people have to go to class and read some papers before they can use systems that handle sensitive information. And they are required to re-take the classes periodically

But then there are always ideots and weven normal people forget and make mistakes. But then typically some guard is assigned the task to walk around a pull on safe handles and check that desks are clear and so on. Hell likely catch most of the mistakes

Re:Disconnect

[Firethorn]

That's called 'Somebody makes a call' and 'Guys with automatic weapons show up to ask questions'.

Re:Disconnect

[demachina]

If they were smart they would post their problem on Slashdot and let all the nerds figure out a solution for them for free......

Re:Disconnect

[Dun+Malg]

"hey, this memo implies the F35 can climb at over 330 meters/second."

Actually, there's plenty of that stuff around, and it's actually not necessarily classified, even if it's true. In the bad old days of the cold war, I asked the security officer in my Army unit why all this crap we were working with was classified SECRET and TOP SECRET when the same exact information was available to anyone purchasing a Jane's book by mail order. It was explained to me that it was not the raw information that was secret, but rather the positive verification that it was true that was being controlled. Most classified information falls into that category, really. Very little of it is truly secret, in that nobody without clearance knows it. I've seen quite a few pictures of "people and stuff at locations in Certain Southwest Asian Countries" that I know from personal experience would be classified SECRET or higher if they were government photos rather than casual snapshots taken by a yokel or journalist with a pocket camera. What the classification of the subject matter does is bar me (under penalty of waterboarding or whatever) from pointing out which pictures those are.

Re:Disconnect

I can vouch for that. Left a classified syquest cartridge (yes it was some years ago) out on my desk once and it was noticed within 10 minutes by security. My boss was pretty understanding. He said there wee two types of people, those who had committed security procedure breaches, and those who would do so in the future. Had to go through the training again.

Re:Disconnect

[Swizec]

Google changed something very important about the internet. It made bookmarking obsolete by actually being able to find the content you need quicker than browsing through a list of bookmarks.

That's a pretty radical change to before-google-became-all-too-popular times.

Re:Disconnect

[Firethorn]

Nah...

They generally start with the standard 'Sir, please get out of the vehicle'. If your response to that is not favorable, then stuff starts escallating.

The more impolite reactions are for more sensitive areas than a parking lot.

Re:Disconnect

[Ethanol-fueled]

Google is a verb.

Altavista, Hotbot, and MSN are not verbs. Yahoo! tried to make its name a verb(with their "Do you Yahoo?" slogan) but failed. Ask is a verb, but unlike Google, Ask was born a verb, it wasn't made one because of its ubiquity and popularity among the masses.

Re:Disconnect

[Narpak]

The USAF would like to alter the permissive and decentralized nature of the Internet through technological and possibly political means to suit itself.

I reckon that if any entity tries a large scale centralisation of the "the internet" then the users will simply adapt and decentralize in other ways.

The more surveillance present on the internet the less useful it will be as a way to transmit information anonymously. However with advances in wireless technologies setting up other ways to transmit data is not only possible, but easier and cheaper than ever before. It's not about doing things that are illegal, but rather that to ensure freedom, liberty and justice there needs to be ways of communicating that is not subject to government (or corporate) scrutiny.

Of course that is not what this specific case is about, but I fear that whatever measures they implement (or try to) will carry with it a host of other issues that could inhibit the ability of ordinary citizens to access knowledge or data without being logged in an ever growing database. The phrase "if you are not doing anything illegal you have nothing to worry about" is misleading. Since it does not consider the possibility that what you did today, while not illegal, could be used months, years, decades, down the line when the motivations of those with access to the database changes (or indeed the database falls into the hands of antagonistic person(s)).

Re:Disconnect

[redtail]

Whenever this topic comes up, someone always incorrectly says that an "air gap" separates SECRET networks from unclassified networks. "Cross Domain Solutions" connect SECRET networks to uclassified networks. And these include "low assurance" solutions like SELiux and Trusted Solaris.

And these CDS machines also connect TOP SECRET networks to SECRET networks. Thus, two copies of SELinux sit between TOP SECRET networks and the Internet.

Re:Disconnect

[DeusExMach]

A googol is a one with a hundred zeros.

I internet all the time.

Re:Disconnect

[steelfood]

This isn't true. Google by itself is only a part of the equation that led to the death of bookmarking. In truth, the more obscure stuff is still easier to get at via bookmarks and portals than Google.

What diminished the utility of bookmarks is a combination of Google, Wikipedia, blogs, and content aggregation (RSS/Atom).

What Google did is figure out a way to do zero-knowledge authentication. It will tell you that citibank.com is the site of Citibank, while citi-bank.com is probably not the site you're looking for, whitehouse.gov is the real official website of the executive branch, while whitehouse.org and whitehouse.com are not (though this example is a bit dated).

That feature, I think, is infinitely more valuable than a very marginal bit of convenience.

Re:Disconnect

[Jeff+Hornby]

Google changed something about how the internet is used and perceived by people. I'm not discounting this but the USAF is trying to change something more fundamental about the internet. The effects that they want would require scrapping TCP/IP and replacing it with something else (it may still be called TCP/IP but it will be something entirely different).

This is like claiming that the "Obama Revolution" is fundamentally changing the nature of the United States and then somebody coming along and saying that they want to change the Law of Gravity. They're just not on the same scale.

Re:Disconnect

[UnrealisticWhample]

As one who grew up on military bases, I can tell you that you generally aren't going to find too many opportunities to park van with tinted windows and a twenty inch dish antenna in front of buildings. Yes, I'm aware that social engineers can accomplish many things and that given enough motivation and resources, there isn't likely anything that can't be broken into. That being said, what was said about unplugging computers from the net is still a good idea because all too often the problems the military is running into these days don't come from advanced espionage groups with large resource pools and dedicated staff, but rather a bored individual with access to kiddie scripts which is fairly embarrassing to them.

The Air Force has announced similar programs to this in the past with little or no actual outcome. Every now and then they have to come out with another program with a spiffy name to distract us from the fact that they can't keep kids from breaking into their networks.

Re:Disconnect

[Thaelon]

I love Google as much as the next nerd, but exactly what rules are you talking about?

FTP, SMTP, HTTP, UDP, and TCP/IP still work pretty much as their respective RFCs dictated prior to Google. So do ping, tracert, and a whole host of other things.

Re:Disconnect

[adam613]

Pretty much, yes. I had several friends from college who went to work for government contractors on projects that required security clearance. The way they explained it, if I figure out on my own what they're working on, that's legal even if it is classified. What would be illegal is if they told me or gave me direct access to classified information about what they were working on.

(Also, in a lot of cases, what they were building wasn't classified, but who they were building it for was.)

Re:Disconnect

[pestilence669]

Right. Why leak sensitive information now, when you can just misplace some laptops later?

Re:Disconnect

[earlymon]

Not true. While working for the Dept of Defense I saw this scenario played out - it was around 1995.

A van pulled up about a quarter-block away from a BDM building (located on a very public street) but the van was just too suspicious, for reasons I'd rather not elaborate on. Secretaries returning from lunch noticed it and reported it to security. Local police cordoned off the area very, very quickly - almost real-time - coincident with a first-responder team from the local USAF base. Automatic rifles were pointed at the van from three directions, two Ruger AC-556s were layed against the back door, and the solid side of the van was struck with some sort of hammer, and a cry to get the fuck out of the van ensued. Public area, people put rapidly out of harm's way. I recall that from phone report to guy laid out being handcuffed took less than 20 minutes.

And yes, he was a spy, using the latest EM-based eavesdropping equipment. Saw it and heard it. None of this sir, please step out crap.

Maybe a decade later we've learned to coddle suspected spies... no, wait - I saw Harold and Kumar Escape from Guantanamo Bay (sorry, couldn't resist) - I rather doubt it, but then, I could be in error.

Re:Disconnect

I agree with your post with one exception. While Secret and up machines cannot be connected to the internet they are NOT air-gapped. They are on a glorified VPN (at least the secret machines I work with routinely both in the USA and Iraq are) with a hardware encryption solution that separates them from the rest of the internet.

We send large amounts of encrypted secret traffic over the internet everyday.

-AC for obvious reasons

Re:Disconnect

[morgan_greywolf]

It's not just public interface. They conduct a lot of non-battle-related stuff over the internet, or on computer systems that are indirectly linked to the internet. Obviously you don't plug an F-22 into comcast (although supposedly its electronics system is versatile enough that you could reprogram it to use the radar as a really powerful 802.11 antenna). However, it's quite a bit easier to just connect workstations to a typical LAN that has some computers online for logistics type stuff, even if all the actual communication takes place on the local side, than it is to maintain multiple networks for computers that need internet access and those that don't.

But not sensitive, classified material. NO systems with classified information are connected to the Internet. Trust me on this one.

Yes, some day-to-day non-classified systems do happen on computers connected to the Internet.

So, yes, they do maintain different systems -- one for classified information and one for non-classified information. What's maintained on the non-classified systems just day-to-day stuff like non-battle duty rosters or things like that.

Re:Disconnect

[zippthorne]

Actually.. most of the search engines (and especially Yahoo as originally envisioned) did this.

Google just happened to be "the one with the decent results right now" (i.e. the one the SEO jerks hadn't turned their attention to yet) when moderate-bandwidth "raw" connections became popular. Prior to that, you had Alta-Vista, Lycos, Web Crawler, Yahoo, etc.

All of which had their period of most-useful-results, but google was in vogue at just the time everyone got connected, so they got lots of mind-share.

I only wish they were as good now as they were then.

Re:Disconnect

[K.+S.+Kyosuke]

You Americans still have much to learn from us. The Czech Police is still using hacker-proof typewriters and I have not heard about a single hack of their...ehm...information systems. (This way they are at least spared the embarrassment, unlike the National Security Office of the Slovak Republic which had to introduce "Internet business hours" (sic!) to protect their servers after their whole infrastructure of servers and Cisco equipment was compromised by some ingenious outside guy who had the idea to try nbusr/nbusr123 as the user/pass combo only to discover that they are indeed using it all over the place. ;-))

Re:Disconnect

[Mistshadow2k4]

Bookmarking is obsolete? Since when? I and everyone I know who has a computer with internet access has some bookmarks.

Bookmarking would be obsolete for people who only do research on the internet (and not even for all of them) and only visit sites that are as popular as Slashdot or Digg. If they like any, even just one, slightly more unknown site than that they risk not being to find it again if they can't recall the exact url. How high on the list of results from a search engine a particular site would show up on changes day to day, even hour to hour. It might tenth in the results one day and not even on the first page of 100 the next. Anyone who tried to just use Google instead of bookmarking would quickly learn better. Seriously, how can you think Google made bookmarking obsolete and who modded up this nonsense? Google astroturfers, maybe?

Re:Disconnect

[jc42]

whitehouse.gov is the real official website of the executive branch, while whitehouse.org and whitehouse.com are not (though this example is a bit dated).

How so? Hasn't the White House been a commercial operation for the past 8 years, for sale to anyone for the right price?

Of course, the more cynical among us will claim that it has always been so. Others would suggest that at least whitehouse.org is inappropriate, though it might have been better to suggest that during the Clinton administration.

Re:Disconnect

[jonscilz]

NOT right. i work in secret environments with secret hardware and software projects and higher and most of them are connected to public access networks. the only networks with this clearance requirement (assuming the employees even adhere to these policies) that are restricted this way are government owned ones. contractors have their own rules and i see it every day. get your facts straight.

Re:Disconnect

[bluefoxlucid]

It's illegal for you to access and disseminate top secret information. Information is an object; a file at the NSA is top secret. A file at your house, generated by you, without previously reading the NSA file, containing the same information as the NSA file, is not top secret. If the NSA hears about it, shows up at your house, takes it, and debriefs you, it is now top secret.

Re:Disconnect

[Bromskloss]

the van was just too suspicious, for reasons I'd rather not elaborate on.

I will not ask you what made the van suspicious, but I would like to know why you don't want to elaborate on it. For whose sake?

Re:Disconnect

[earlymon]

My apologies - the result of working in an insular fashion is to rudely expect others to recognize an industry-specific TLA (three letter acronym).

BDM is/was a defense contractor. Here's a quick reference: http://www.business.com/directory/computers_and_software/bdm_international,_inc/profile/

Re:Disconnect

[jc42]

The more surveillance present on the internet the less useful it will be as a way to transmit information anonymously.

Actually, the Internet has always been highly susceptible to surveillance. This was done intentionally, but with different terminology that matches the motive. The intent was to make it reasonably easy to manage and troubleshoot. I.e., it's supposed to be easy for support people to examine the traffic, diagnose problems, and fix them. It's a large part of why the Internet has been so successful. And if the support crew can examine your packets, then anyone anywhere along the data path can do so.

This may seem odd considering that the early Internet was developed almost entirely with military funding. But it makes sense if you study their reasoning. The security people understood from the start that the only way you can get communication security is with end-to-end encryption.

Trying to push the security to a lower level is counterproductive, because the lower levels are inevitably close to invisible at the application level. This means that security breaches at lower levels will rarely be noticed for some time. And even when you notice a breach, digging into the lower levels of the protocols is inherently difficult for people who don't work with it every day. So they concluded that the IP layer should only worry about getting packets to their destination undamaged. That's difficult enough that you don't want the people working on it to be distracted by security issues; they'll just screw it up and block valid traffic. They don't need to know the contents of packets, just the headers, so if you encrypt all the contents, it doesn't affect the lower levels at all.

Or, more simply: Low-level encryption is a pure waste of cpu time and bandwidth, because you have to do it at the top level anyway. So don't bother. And nothing but top-level end-to-end encryption will give you secure communication.

Yes, this means that anyone can intercept your traffic and save it. If you are relying on this not happening, you can't ever be secure. You have to accept it, and make your data worthless to anyone but the intended recipients.

This was all understood decades ago by the folks who designed the Internet. Complaining about surveillance now really just shows poor understanding of the issues. You can't prevent surveillance on any network, so don't bother. You should be talking about making that surveillance a time and money sinkhole with no results. And you do that by encrypting stuff. There's a lot of research on this topic and most of it is pretty easy to find; go read some of it.

Re:Disconnect

[earlymon]

Negative on that full of shit, compadre. Happened in Albuquerque, NM. First responders came from Kirtland AFB - home to Sandia National Labs (where ALL of the country's nukes were managed), (at the time) the Air Force Weapons Lab and the Air Force Operational Test and Evaluation Center, as well (at the time) of the Air Force's contract management office.

Home to the cradle-to-grave, or inception to deployment to retirement, of our strategic nuke delivery systems. At the time, Albuquerque was a higher priority Soviet nuclear first strike target than Washington, D.C.

Sorry to burst your bubble, but there are scarier things in this world than the donut eaters you describe working for the purple-suiters. So, no apologies, not full of shit - not even a little.

And the guy in my story was a spy. And I'm not going to elaborate on what made the van different, as I said in my post.

Believe what you want. If you choose not to, it's just another horse-water-drink situation to me.

Re:Disconnect

[earlymon]

This may sound corny, but for America's sake. No reason to explain a poker tell when you're winning because of it. That was just part of my training from back then - I'm out of that world, but still respect the training.

Re:Disconnect

[INT_QRK]

Oh? See "National Industrial Security Program Operating Manual (NISPOM)," see http://www.fas.org/sgp/library/nispom.htm. Classified information = not yours. If your contract requires access to it, you need to abide by government rules in applying measures to protect it. Of course another problem is that not all government information is classified, and is not covered under NISPOM but still merits protection. For example using the aggregation principle, lots of otherwise unclassified information might through clever analysis reveal classified information. Also, unclassified, albeit sensitive, technical information (also protected, but under under separate directives) may not be initially identified as such until it, or the systems engineering process, reaches a certain level of maturity (e.g., back-of-napkin engineering rendered to memorandum or charts). The fact that an awful lot of unclassified information needing better control resides on networks of wildly varying quality and hardness is, or hould be, a national security concern.

Re:Disconnect

[pcgabe]

almost real-time

As opposed to turn-based?

Re:Disconnect

[ScrewMaster]

Yes, I wanted to tell my story in direct response to the parent of my post. Maybe you lost the thread, sorry.

Besides, it was an interesting story. If people stop telling interesting stories because other people get too concerned about "ontopicness", Slashdot will become significantly less worthwhile.

Now, I grant you that my girlfriend already thinks that Slashdot isn't worthwhile, but that's another story.

They've solved their own problem

[yttrstein]

""[M]ost threats should be made irrelevant by eliminating vulnerabilities beforehand by either moving them 'out of band' (i.e., making them technically or physically inaccessible to the adversary), or 'designing them out' completely," the request for proposals adds."

Luckily for the Air Force, they don't actually have to do any work at all to make this happen, since it's been not only possible, but actually implemented since at least 1998, when RFC 2341 was written all about Virtual Private Networks.

Helpful Hint for the Air Force: Pay your private sector computer engineers more and you'll get the innovation you're looking for.

Re:They've solved their own problem

[sexconker]

VPN?
How bout a private network.

Which is what all secret and above classifications use.

Physically disconnected from the internet.
Physically inaccessible by the plebes.

Code auditing, memory wiping, classification-based job scheduling (a machine works only on secret defense or only on top secret or only on top secret nuclear, or etc. jobs at a time, never mixing), secure attention keys, custom hardware, physical security, surveillance, custom hardware, etc.

I'd say that, for the shit that matters, they've got a pretty good setup. But let's listen to the internet nerds who think they know everything. They'll tell us how to fix it.

Re:They've solved their own problem

[zappepcs]

I'm not sure that means what you think it does....

The threats from the outside world can make their way into the physical spaces which are protected computer areas... via usb, camera, cell phone, and other yet to be named methods. So it is quite important that all military accessible computer networks are protected. It only takes ONE USB stick or MP3 player to plant what could turn out to be a very bad thing. Virus software has the patience and time to sit and wait, staying undetected. Antivirus programs only protect you against virus code that has been detected. Done correctly an undetectable virus can sit there for months waiting for access to other networks/computers. I would think DDoS is hardly the problem they lay awake at night thinking about. I'd think any kind of 3-10 minute disruption of NORAD data would be a nightmare for the USAF. That doesn't even mention or consider rogue flash message traffic on the communication network of the USA military. Imagine the damage of one seemingly authentic flash message to European based nuclear counterstrike commands. Even if it is detected as false in the first few minutes of it's life, those few minutes of confusion could be dramatically bad for the world. So I don't really think common network threats are what they are worried about.

Now they even have to worry that test equipment, laptops, test software packages, everything has the ability to import a nasty virus inside their network now. The more risks they can easily mitigate, the cheaper and easier the task of working on the others should be.

Re:They've solved their own problem

[evilkasper]

2006 the Air Force decided to drastically reduce the amount of 3C0X1's (Sys Admins for all you Civi's) and move to centralized management. Mostly from the various NOSC's, and with the exception of some bright individuals most the 3C0X1's that I know that are still in are filling Work Group Manager position, while the majority of the actual IT work has been contracted out. The really bright individuals are now contractors. All this while the Air Force initially conceived "Cyber Command".

Re:They've solved their own problem

[sexconker]

You check the news by using machines connected to the internet.

The machines that decide which hell hole to send you into with what gear and such are physically separate.

Also - as a Marine, you should already know the news, but in case you missed it: Yesterday, the Marines kicked ass. Today the Marines will kick ass. Tomorrow's forecast calls for the Marines to kick ass.

Anonymous has not place on a military net.

[FoolishBluntman]

How about no spoofing as a good start. No changeable MAC addresses and Client side certs.

There is porn of it.

I hope they don't overlook Rule 34.

It worked for the Army!

[David+Gerard]

Remember that the 304th Military Intelligence Battalion declared Twitter a terrorist weapon. God forbid they discover pen and paper. Or modulated farting, for that matter.

Re:It worked for the Army!

[Enderandrew]

No the Air Force listed Twitter as a tool that terrorists use.

There is a distinction. But thanks for playing.

Re:It worked for the Army!

[tadheckaman]

AM or FM?

Re:It worked for the Army!

[internerdj]

I was wondering who used Twitter.

Re:It worked for the Army!

anybody else noticed that Military Intelligence Battalion's acronym is M.I.B. ?

there's nothing wrong here

[circletimessquare]

for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet

and, if successful, watch it leave its military surroundings, be adapted by universities, then corporations, then the general public

kind of like the internet itself

somebody is going to do this at some point, considering the various shortcomings of our present dominant protocol suite

that it would be the military to do it first makes sense

Re:there's nothing wrong here

[moderatorrater]

I would have more faith in this endeavor if it were the NSA implementing it rather than the air force, although the air force is the second most likely agency/group to pull it off. From what I've seen and heard, the air force has a lot of technically skilled people in programming and hardware that would be able to pull this off.

Re:there's nothing wrong here

[Ethanol-fueled]

there is nothing laughable

But this is very laughable, as is this and this. Now imagine what we don't know about!

Re:there's nothing wrong here

[Random+BedHead+Ed]

If the NSA did it, it would have a back door. I'd rather have the Air Force do it and ask the NSA to try to crack it.

Re:there's nothing wrong here

[ChrisA90278]

"for an organization the size of the air force, and with the mandate it has, there is nothing laughable or overly ambitious about say, creating and implementing your own supersecure protocol, and supporting it within its subnet"

Yes, All we have to do is look at history. The term "Internet". Meant a network that connected networks. Back when the term was coined networks did not use TCP/IP. "IP" was designed as "Internet Protocol" or literally the protocal to be used BETWEEN networks. Only later did almost all of those networks themselves begin to use TCP/IP internally.

So it is reasonable that the US Air Force could simply abandon the use of TCP/IP within the entire service and connect to the public Internet via a gateway. After all that is how everyone did it back in the 70's

There are a few things they might use that already exist and are already in use. They really need a network that is fully end to end encrypted and has strong authentication. TCP/IP is not that.

Re:there's nothing wrong here

[ipb]

Then when the NSA reports that they can't crack it would you believe them?

Internet + secure

[buchner.johannes]

The only useful and meaningful thing they could do, is implement a secure internet protocol (i.e. with the missing session and presentation layers) and provide a good interface to the internet. Then the inherited insecurity of network protocols could be avoided from the beginning.

If it is done right, has advantages and is promoted and laid open to others, it might catch on and replace parts of the internet step by step.
Will probably not be faster than the IPv6 transition, but hey, they made the internet, why not make another one ;-)

Laws can not reach internet phenomena, they are too slow, and when they do, it doesn't matter anymore.

Re:Internet + secure

[buchner.johannes]

After reading the article, e.g. quoting

Enabling Air Force servers to evade or dodge electronic attacks, somehow.

Its funny how they think so much in materials entering materials when talking about a electronic/information tech issue. Like the server could jump to the side when it sees a malicious packet coming ...

Reprise of the evil bit.

http://en.wikipedia.org/wiki/Evil_bit

Penny Arcade

[Sasayaki]

As usual, Penny Arcade predicted the future. (http://www.penny-arcade.com/comic/2007/07/16/)

Technician: Our webs are down, sir. We can't log in!

Agent: Which webs?

Technician: All of them.

Technician: They've penetrated our code walls. They're stealing the Internet!

Agent: We'll need to hack all IPs simultaneously.

Re:Penny Arcade

Here's a hint for future postings.
Enclosing your URL in parentheses prevents Slashdot from creating an automatic hyperlink. This is annoying, as it means that I have to copy and paste rather than just clicking. It's the difference between:
http://www.penny-arcade.com/comic/2007/07/16/
and
(http://www.penny-arcade.com/comic/2007/07/16/)
on the screen.

In general, it's a bad idea anyway because parentheses are valid in a URL. Parsers which try to automatically hyperlink URLs may get confused by the trailing ')'. For this same reason, despite the rules of English suggesting it, you should avoid punctuation immediately following a URL.

Re:Penny Arcade

[Just+Some+Guy]

Or you could type them like <URL:http://example.com/>, which renders like http://example.com/ and is a standard.

prevent IP spoofing - save the world

[iceco2]

actually there is a very simple measure ISPs can take to prevent many attacks.
and that is to prevent their customers from spoofing the source IP in their IP packets.
If governments (starting with the US) would pressure(force by law) ISPs to do this, it can be done with out much technological difficulties.
This anti-spoofing measure can be implemented on many levels, so that even if a certain ISP does not co-operate other ISPs could prevent its customers from spoofing any IP which does not belong to the problematic ISP. This in itself helps protect against IP spoofing.

Without IP spoofing attackers are more easily identified and blocked.

Re:prevent IP spoofing - save the world

[mshannon78660]

At least on Cisco routers (disclaimer: I used to work for Cisco), there is a command you can use. ip verify unicast reverse-path will cause the router to check the routing table for a path to the source address, and drop the packet if it came in on an interface which is not a candidate route for that address. You don't want to use this in the core of your network, where you may have asymmetric routing, but you can certainly use it on the edges. If an ISP does this uniformly on interface that connect to customers, they can prevent any of their customers from spoofing. Depending on the size of the ISP, they may also be able to implement it on their peer links, and prevent spoofed packets from entering their network from other parts of the internet.

Re:prevent IP spoofing - save the world

[MikeBabcock]

You've just eliminated IP spoofing by legitimate users of American ISPs. You've done nothing about the rest of the Internet. Besides, botnets don't require IP spoofing; they've already got control of random IP addresses to attack from.

Re:prevent IP spoofing - save the world

[gbjbaanb]

all dynamic IPs are owned by an ISP, and they log when you are using it (otherwise, how would they not bill you?)(and lets face it, to any ISP, military network security comes a long way down the list of priorities with 'bill you' right there at the top).

So, given the time of hack and the dynamic IP, the ISP knows who it was.

Re:prevent IP spoofing - save the world

[silanea]

Who in this godless world has modded this insightful? IP addresses, MAC addresses, host names, user agents - NEVER trust any information which comes from an untrustworthy source or has travelled along an untrustworthy path. Plain and simple. If you don't trust it, kick it out. If you trust it, check it out in detail and see whether your trust was warranted.

Your suggestion is akin to enforcing valid return addresses on letter bombs.

Besides, you did hear about bot nets, did you? You know, those pesky things that keep stuffing your e-mail box with all those nice ads for penis enlargement and cheap medication? If not: welcome to life!

good concepts, bad headline

[Tom]

If you actually RTFA, you see that they aren't bonkers. Quite to the contrary. See this quote, for example:

"[M]ost threats should be made irrelevant by eliminating vulnerabilities beforehand by either moving them 'out of band' (i.e., making them technically or physically inaccessible to the adversary), or 'designing them out' completely," the request for proposals adds.

Yeah, absolutely. Remember that this is the military we're talking about. These are the guys who are the "customers" of stuff like the NSA's formally verifiable code project. These are the guys who still use 10 year old computers because those are hardened and tested to military standards. If they upgrade to 5 year old computers, the gain in speed will offset pretty much any performance penalty that security methods that don't fly in the commercial world because of said performance penalties, could cause.

These are also the guys who do a ton of things badly.

So it'll be interesting to watch.

Rewrite the rules of the Air Force

Instead of letting them try to push us around, we the geeks can turn the tables and re-write government based on open source philosophy.

The plan for transition is practical, and folks like those running the Air Force will never see it coming until it is far too late for them to do anything about it.

A spokesman for the Air-Force said,

[Phizzle]

"Hey its just a series of tubes, how hard can it be?!"

Attack and defend?

[evanbd]

So they want to simultaneously change the underlying network fabric in order to make their systems unattackable, and also be able to successfully attack any other system at any time? Does no one there see a disconnect between these goals?

Re:Attack and defend?

[khallow]

So they want to simultaneously change the underlying network fabric in order to make their systems unattackable, and also be able to successfully attack any other system at any time? Does no one there see a disconnect between these goals?

No, I don't. In fact, they seem quite compatible as goals. Chinese are doing the same thing too.

The Rules are Simple

[dmomo]

First Rule: Don't talk about Internet
Second Rule: Don't talk about Internet
Third Rule: ???
Fourth Rule: Profit

Replace TCP/IP

[hey]

Its not so crazy that they would replace TCP/IP with something else fairly similar for their internal use.

Re:Replace TCP/IP

[mebrahim]

TCP\IP?

Windows

[ezwip]

Aren't we sentencing some guy for logging into Windows computers from over in Europe that had no pass and ran the Windows Operating System? Maybe we should stop playing all these games and have Microsoft rebuild their operating system correctly as not to have hundreds of thousands of zombie computers online. How many of those Zombies run Apple or Linux? What's that you say less then 1%, or perhaps the answer is none at all? The government built the internet but can't secure it? We need 500 different anti virus programs because one specific operating system is incompetent at security? Send the users to jail you say because we can't stop kids from ignoring laws? Who woulda thunk it?

In other news...

[theturtlemoves]

Newton, sick of all those apples falling on his head, is planning to rewrite the laws of physics to make gravitation a repulsive force.

Shouldn't the IPs all be in the same block?

[HighOrbit]

I would expect that all of an ISP's addresses should be in the block(s) they received from ICANN. If something on their sub-net is generating headers with foreign addresses, then they ought not to route it.

Re:Shouldn't the IPs all be in the same block?

[lysergic.acid]

that's still a pretty big IP address block for the attacker to choose from. and if they wanted to conceal their identity even further, they'd likely just use an anonymous proxy or tunnel through a zombie PC or other compromised hosts.

just as in real life, you cannot eliminate anonymity on the internet completely. you can tag & chip every individual from birth, but someone can still walk up to a wall with a can of spray paint and leave an anonymous message.

Low Bid Wins

[mfh]

Helpful Hint for the Air Force: Pay your private sector computer engineers more and you'll get the innovation you're looking for.

That doesn't work because the low bid always wins. What would be better would be if the government shifted from a bid system to a fixed bid system. ie: This job is for $50k, this is what we want, now tell us how you are better than the other guys. That would be 100x more effective, but also 100x more time consuming because then they would have to READ EVERY PROPOSAL, not just the two lowest ones.

Someone tell them the Evil Bit was an April Fool

[D.+Taylor]

Some of the rewrites being considered:

• Making hostile traffic inoperable on Air Force networks.

Why, no one has ever thought of that before..

achilles heel

[Eil]

The Air Force excels at just about everything they do. But for the past decade or two, their Achilles Heel has been computing technology because it moves faster than anything else they're used to.

The Air Force is a very old organization and although they can generally respond to most anything quickly, overall change tends to happen very very slowly. Not long after I enlisted in 1998, there were rumors that the uniform was going to change from the classic camouflage pattern to a kind of pixellated-marble look. Based on what recent photos I can find, they're still only about halfway through getting the new uniform out to everyone.

Also, I know for a fact we're still flying some planes with vacuum tubes in the autopilot computer even though upgrades for all airframes have been around since at least the 80's. Most of the technical manuals that I used to repair avionics were between 25-40 years old and still had technical errors in them. (We weren't able to make corrections to technical manuals any more than you'd be allowed to make pen-and-ink corrections to a federal law.)

Computer use only became common in most squadrons about 10 years ago and even then, they were not really used for the correct purposes. Some captain would get the bright idea that somebody should use a spreadsheet program instead of a paper form for some menial task, force everybody to use it, ignore the pleas from his subordinates that it tripled the effort required to perform the task, and then make up some elaborate report for his commander about how he just saved the Air Force $358,000.

While I was in the service, the Air Force never really caught on that you had to hire and train smart people who know about computers if you wanted to make the most of them. Some squadrons took young administrative airman fresh out of tech school and sat them down in front of the admin console and said, "All right, it's your job now to make sure this doesn't break." This is very uncharacteristic of the Air Force as you normally need at least several weeks of training before you can be trusted to mop the floor correctly. But when a commander has something that needs to be done and he doesn't know how to do it, it's not at all uncommon for him to assign someone to it while implying that they should be rather quiet about it.

Others units farmed out network administration to government contractors like Lockheed Martin which wasn't any better because most of their employees are old military retirees who thought they were going to get paid more as a civilian for doing the same thing they did in the military and ended up being wrong on both counts. (Got seven stripes and an MSCE? Then they're hiring!)

I guess this long-winded point it that it doesn't surprise me that high-level Air Force officers are saying, "Hey, who says we can't control this thing? We're the Air Force, after all." They're used to having fine-grained control over everything in their view and a high degree of security surrounding it.

"Defensive operations are constantly playing 'catch up' to an ever-increasing onslaught of attacks that seem to always stay one step ahead," says the Air Force Research Laboratory's "Integrated Cyber Defense" request for proposals. "In order to tip the balance in favor of the defender, we must develop a strategic approach to cyber defense that transcends the day to day reactive operations."

In other words, the Air Force is still nowhere near where they need to be in terms of network security. The only encouraging part of this is that they finally realize it.

Jurisdiction...

[LinuxGeek]

The AF can deal with someone in a nearby van, but not easily deal with someone anonymously using a free wifi connection in Europe that is bounced through 5 different servers. Even if they were able to completely track an attacker, how do they deal with multiple international jurisdictions?

Re:Jurisdiction...

[lysergic.acid]

rewrite international law? i mean, it's about as practical/realistic as rewriting the rules of the internet to give yourself the sole advantage in cyberspace.

aside from the impossibility of rewriting the rules of other people's networks and eradicating internet anonymity, what they're asking for is basically to change networking protocols to give them abilities that they want to deny others--how do you create a networking protocol that allows you to trace any packet back to its sender, but allows you to retain the ability to spoof your own attacks?

Re:Jurisdiction...

[interstellar_donkey]

Right. And some harsh realities have to be realized by the AF or any DOD department.

1) The Internet does not belong to America. Period. It is a global network of good guys and bad guys, and the rest of the world won't, nor should they abide by our rules.

2) The Internet does not belong to the military. It has far more to do with domestic and international trade and information than it does to various arms of the DOD.

If the USAF wants a secure network, then they should create their own isolated network completely divorced from the civilian Internet. I'm sorry if that means generals can't look at porn sites from their office, but that's the way things go.

Re:Jurisdiction...

[LarryRiedel]

they should create their own isolated network completely divorced from the civilian Internet

Sort of like the SIPRNet?

Larry

Re:Jurisdiction...

[Amigori]

As a former sys admin for the USAF, I think you should read up on SIPRNET and JWICS, 2 such secure networks.

Re:solution ..

[jandrese]

Yes, I'm sure every potential recruit would just love to have to install a VPN client to go check out af.mil.

Consider it done

[TubeSteak]

lameness filter forced me to munge the layout

RFC1149a - Standard for the transmission of flash memory on avia
Network Working Group_____________ TubeSteak
Request for Comments: 1149a__________LOL WTF
                                                  3 November 2008
      A Standard for the Transmission of Flash Memory on Avian Carriers

Status of this Memo
  This memo describes an experimental method for the encapsulation of
  flash memory in avian carriers. This specification is primarily
  useful in Metropolitan Area Networks. This is an experimental, not
  recommended standard. Distribution of this memo is unlimited.

Overview and Rational
  Avian carriers can provide high delay, low throughput, and low
  altitude service. The connection topology is limited to a single
  point-to-point path for each carrier, used with standard carriers,
  but many carriers can be used without significant interference with
  each other, outside of early spring. This is because of the 3D ether
  space available to the carriers, in contrast to the 1D ether used by
  IEEE802.3. The carriers have an intrinsic collision avoidance
  system, which increases availability. Unlike some network
  technologies, such as packet radio, communication is not limited to
  line-of-sight distance. Connection oriented service is available in
  some cities, usually based upon a central hub topology.

Frame Format
  The flash memory is packaged, inside a small waterproof container,
  and formatted to FAT32. The waterproof container is attached to the
  back of the avian, between the wings, as a backpack. The bandwidth
  is variable and limited by the carrying capacity of the avian.

  Upon receipt, the backpack is removed, the flash memory extracted
  and checked for physical and liquid damage.

Discussion
  Multiple types of service can be provided with a prioritized pecking
  order. An additional property is built-in worm detection and
  eradication. With time, the carriers are self-regenerating. While
  broadcasting is not specified, storms can cause data loss. There is
  persistent delivery retry, until the carrier drops. Audit trails
  are automatically generated, and can often be found on logs and
  cable trays.

Security Considerations
  Security is a problem during normal operation, as flash memory
  has a non-trivial and intrinsic value. Special measures must be
  taken (such as data encryption) when avian carriers are used in
  a tactical environment.

It'll work, if cyberspace != internet

[swordgeek]

The headline here says 'rewrite the rules of the internet', whereas the Wired article talks about 'rewriting the rules of cyberspace.' Subtle difference here.

The internet exists as it is--fundamentally an IP-based network connected in all the ways we know about, routing, addressing, etc.

The thing is, there's no reason that the Air Force (or anyone else) couldn't create their own, entirely incompatible version. Start with something that has guaranteed QoS, hard-wired source addressing, encryption at the equivalent of the transport layer, content-metadata in the packets (or equivalent to packets--it doesn't have to be a packet protocol at all), etc..

If you need to connect it to the internet, create a tunneling protocol, or a translating switch. Make it different. Make it incompatible. Make it rigid in its requirements. You CAN create a secure network, but not if it's based on the same technology that makes up the existing internet.

Re:Only traitors will vote for Oook-oook Banana

[Fujisawa+Sensei]

I am a Liberal.

I believe in the Constitution which contains the right to bear arms and seperation of church and state.

I believe in the United States of America, not Jesusland.

When the American Right stops trying to destroy the First Amendment, which incidentally comes before the Second Amendment, I will consider it.

Until then, you're welcome to relocate to a country more amiable to your theocratic oligarchy: I think Iran would suit you nicely.

Re:Only traitors will vote for Oook-oook Banana

[Shotgun]

I would mod it to +32,768.

Re:Only traitors will vote for Oook-oook Banana

[tuxgeek]

I couldn't have said it better.
Except I am neither liberal nor conservative. I am an American patriot and believe in the Declaration of Independence, the Constitution and the Bill of Rights. I also believe in capitalism and separation of church and state.

But, I will never again vote for any republican since they began their campaign to destroy the foundations of American democracy and switch the country to capitalistic dictatorship and the military industrial complex.

I have NO fear of Obama. And contrary to the neocon rhetoric, I have no doubt he will uphold the principals of democracy, unlike the last 2 douch bags he and Biden will be replacing shortly. I am also a gun owner and support the right for all Americans to form Militia to defend our land and freedoms.

Actually it's the neocon side of the isle that will seek to take our guns from us. Dictatorship is easier when the masses cannot shoot back.

Bush & Cheney have done more damage to the country and world than should have been allowed. I hold all republicans and their supporters guilty of high treason for this. Now they have 2 more whacked out fruit cakes, John McBush & Sarah McCheney they want in there to continue the destruction.

Isn't it obvious that McBush & McCheney, as people, are just as stupid as George W. Bush? Cheney is not stupid, he is just pure evil.

"Our enemies are innovative and resourceful, and so are we. They never stop thinking about new ways to harm our country and our people, and neither do we." George W. Bush

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Only traitors will vote for Oook-oook Banana

[merreborn]

I see far more first amendment attacks from the American Left than I do the American Right.

Internet boards, like this one, are filled to bursting with posters who bash on Religion, especially the Big C, with the heat of a thousand stars.

You seem to have confused people exercising their first amendment right with attacks on the first amendment.

Criticism of someone else's speech is not an attack on the first amendment. Geographically restricting free speech, on the other hand, is.

Re:Only traitors will vote for Oook-oook Banana

[afidel]

No, instead they exclude the non-Christians, do their best to game the rules to punish them, and actively try to suppress their education and rights. Once you stop your stupid Creationist backdoor indoctrination campaign, leave women's bodies to themselves, stop butting into my bedroom and entertainment and start acting like good neighbors THEN I will stop bashing 'Christians'. Every time I have debated religion with a lay 'Christian' I have always known more about the true teachings of Jesus than they have, they only know the hate and vemon spat from the pulpit and pushed by their local conservative politicos.

Re:Only traitors will vote for Oook-oook Banana

[0xygen]

Signed integer limit is +32767.
32768 is only possible in the - domain!

Re:Only traitors will vote for Oook-oook Banana

[Frnknstn]

In general web surfing I'd say the religion bashing posts outnumber the Atheist bashing posts by a ratio of about 10,000:1.

That's because you visit more atheist-friendly websites than religious websites. People prefer to express their opinions in like-minded company; thus you see more anti-religion post on your pro-atheist websites.

No I'm not exaggerating

On this comment page, there are at least two anti-atheist posts. That is for a single story. Twenty slashdot stories a day, 500 posts per story makes your 20 000 posts to cover that. So you claim that almost every post made on slashdot is anti-religion? Or does slashdot have a different ratio because it is a particularly pro-religion website?

Re:Only traitors will vote for Oook-oook Banana

[jonaskoelker]

I hold all republicans and their supporters guilty of high treason for this.

While I agree with a lot of what you say, I think you're overstepping a line here. Find the scumbags who've actually done something wrong, and hold them responsible for their wrongdoing. Charge them with treason if they've committed it.

But don't hold innocent republicans, or those who innocently vote republican, responsible. At least not if you value the rule of law.

"I disapprove of what you say, but I will defend to the death your right to say it."

I hate neocons just as much as you do, and I lean more left than right (so the republicans wouldn't get my vote, were I eligible to cast it) but I will defend them here in spite of that, so that someone will defend me when I need it.

Re:Only traitors will vote for Oook-oook Banana

[Oligonicella]

I'm hard core atheist and every blog I post on knows it. I've received more crap from atheists than the few uberChristians. All I do is point out their hypocracy and whammo, they lose their nut.

For instance, I'm not excluded from any blog at all, no one actively tried to suppress my education or rights or those of my daughter or her children. You list a line of talking points that don't stand up on scrutiny and I seriously doubt your every time statement. Sounds more like pompous self-aggrandizement than truth. Also, the 'true teachings' statement is similar to that made by religious bigots because they 'hold the understanding'. I live in Bible belt country and rarely hear local conservative politicos spit hate and venom.

Re:Only traitors will vote for Oook-oook Banana

[ScrewMaster]

Signed integer limit is +32767. 32768 is only possible in the - domain!

He went long.

Re:Only traitors will vote for Oook-oook Banana

[Plugh]

... and I am an Anarcocapitalist. I believe that there's no government you can design, that authoritarians of either the Communist-type or the Fascist-type won't eventually turn into their own tools of oppression (always, of course, "for everyone's benefit")

I know it sounds extreme, but if you're a fan of the work of Nobel-prize winning economist Milton Friedman, I suggest you have a look at the work of his son, David Friedman, which extended his father's work to its natural conclusion.

And in any case... whether you want a return to the limits of the Constitution, less government overall, or no government whatsoever, I suggest you check the link in my signature.

Re:Only traitors will vote for Oook-oook Banana

[afidel]

I've never persecuted Christians or people of any other religion. The 'worst' thing I have ever done is try to keep their views out of schools and the workplaces I have been a part of. I am perfectly willing to discuss religion in a non-antagonistic manner outside of work hours. As I said my personal experience living in a battleground state is that there has been a lot more attempts by the religious right to control people than the other way around.