Slashdot Mirror


NSA Wages Cyberwar Against US Armed Forces Teams

Hugh Pickens writes "A team of Army cadets spent four days at West Point last week struggling around the clock to keep a computer network operating while hackers from the National Security Agency tried to infiltrate it with methods that an enemy might use. The NSA made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam for computer science and information technology majors, who competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Ideally, the teams would be allowed to attack other schools' networks while also defending their own but only the NSA, with its arsenal of waivers, loopholes, and special authorizations is allowed to take down a US network. NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.' The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."

219 comments

  1. Linux by sleekware · · Score: 5, Insightful

    Anyone surprised by the OS choice of the winner? It was going to be either that or BSD.

    1. Re:Linux by sleekware · · Score: 2, Informative

      I see this was marked as a trolling comment, but I meant with respect to the ability to really harden the security (and the great security that usually comes with a Linux or BSD package by default).

    2. Re:Linux by LaskoVortex · · Score: 3, Funny

      Anyone surprised by the OS choice of the winner?

      No. The NSA doesn't run Linux so they don't know how to attack it. You have to log in with that text thingy and then type some stuff to get it to do what you want. The other kind of OS with the pictures of things works much better. You can point at the pictures and click them and it does what you want. If no one at the NSA runs Linux, how do you expect them to write a virus for it? It's obvious why it won because it is an underrepresented OS that no one uses anyway.

      --
      Just callin' it like I see it.
    3. Re:Linux by ouimetch · · Score: 2, Insightful

      Great security comes by keeping yourself off the grid of would be attackers. Even the most secure systems can be tapped if somebody wants to bad enough and knows where to find it.

    4. Re:Linux by sleekware · · Score: 1

      I hope you are joking in the part of your statement that says "that no one uses anyway"... ;)

    5. Re:Linux by Anonymous Coward · · Score: 0

      Actually, the article says nothing about the OS used by other teams. All of them might well have been using Linux. (After all, if it's such a slam-dunk obvious choice, those teams would know that, too.) The West Point team might have won simply because they were better than the other academy teams, not because of the OS.

    6. Re:Linux by Bellegante · · Score: 5, Informative
    7. Re:Linux by Burkin · · Score: 5, Funny

      Whoosh!

    8. Re:Linux by Erikderzweite · · Score: 1

      That is exactly why motivated NSA professionals were easily able to penetrate the Linux system of the winning team. Wait, what?

    9. Re:Linux by gravesb · · Score: 4, Interesting

      I participated in this as a Cadet in 2001. We used a variety of operating systems, including Windows 2000, Solaris, Linux, and Mac OS9. Even back then, the Linux server and desktop client had by far the greatest uptime. Well, except for me, as I was attempting to rebuild the Windows server after they had taken it down, yet again.

      --
      http://bgcommonsense.blogspot.com
    10. Re:Linux by Bellegante · · Score: 1

      Oh.. yea. I suppose I could pretend that I caught that but.. I didn't. Still, I always thought that it was nice the NSA released those recommendations. I'm sure they didn't leave themselves a hole to exploit in that!

    11. Re:Linux by Windrip · · Score: 2, Interesting

      I wonder if VMS was even allowed in the competition. Yeah, I know: "It wasn't banned, the rules were changed!"

    12. Re:Linux by Anonymous Coward · · Score: 5, Informative

      I was involved in the exercise. We used FreeBSD and Fedora Core 10 as our base server platforms. We'd used FreeBSD last year, so we were confident that it would give us a solid base to work from.

      According to the exercise directive, we had to run several Windows workstations. We used Windows 2008 as the Active Directory and Domain Controller. We didn't go so far as to try the "read only" mode, but W2k8 seemed solid enough for the duration of the exercise. Wasn't easy to get set up and locked down, however.

    13. Re:Linux by Anonymous Coward · · Score: 0

      No whoosh involved when a comment that stale, pointless, and banal is not seen as humorous. I applaud Bellegante for so generously assuming that the parent poster simply could not be so stiff and unfunny that they considered their worthless post a joke.

    14. Re:Linux by socceroos · · Score: 2, Insightful

      That, my friend, is a dangerously shallow explanation of security.

    15. Re:Linux by MoonBuggy · · Score: 4, Interesting

      Although you jest, I'm actually surprised at how confident and competent the NSA seem here. Maybe it's just an (unfair?) association I've built up that government organisation = technically incompetent, and I know they employ a lot of very smart people, but it surprises me that they were so far ahead of the teams that they could pick exactly what level of difficulty to set their attacks at.

      Seeing some of the work that's presented at conventions, the brilliantly paranoid security systems that the likes of OpenBSD have, and some of the distinctly embarrassing news stories about the latest government network being hacked by some guy in a basement, I guess I was just expecting the NSA to get more of a run for their money than "Yeah, we pitched it so they couldn't quite win. No problem really."

      I'd be interested to see how a team harvested from the basements of MIT or Caltech would stack up in a challenge like this, actually.

    16. Re:Linux by Anonymous Coward · · Score: 2, Insightful

      No whoosh involved when a comment that stale, pointless, and banal is not seen as humorous.

      I think it was making fun of the traditional arguments about why Linux has fewer security risks. I.e. That Linux is "underrepresented" or benefits from security through obscurity. The post, though not funny to you, is funny to those who see through this disingenuous argument.

    17. Re:Linux by civilizedINTENSITY · · Score: 1

      "All of them might well have been using Linux. (After all, if it's such a slam-dunk obvious choice, those teams would know that, too.)"

      Isn't there quite a bit of difference in terms of Linux use between the different branches? I was under the impression that the Army was the most interested in Linux, whereas the Navy was totally a Microsoft shop. If so, war games are especially useful.

    18. Re:Linux by mikek2 · · Score: 3, Interesting

      As a CGA cadet back in the day, I would've LOVED to have done this. Alas, this was in the early 90's before this competition became reality.

      Alas, the Coast Guard has since completely eliminated the academy's CS major altogether (instead replacing it with some bullshit Op Analysis degree). Talk about being told your services aren't wanted anymore!

      But screw 'em and their horrible decision; I make more than an admiral now, anyway.

    19. Re:Linux by rtb61 · · Score: 2, Insightful

      This still makes the assessment grossly unfair. The other teams forced to run Windows were effectively discriminated against and stuck in a no-win situation, especially as the NSA created a more secure OS, SELinux, so obviously their secure OS of choice, and effectively checked for any known hacks they could implement.

      Of course for real security you need to involve the CIA, rather than hacking the software, you hack the admins, free love, hard currency etc. and, you get direct access and the hardware of your choice installed, good luck trying to secure software on insecure hardware ;D.

      --
      Chaos - everything, everywhere, everywhen
    20. Re:Linux by ArcherB · · Score: 4, Insightful

      Great security comes by keeping yourself off the grid of would be attackers. Even the most secure systems can be tapped if somebody wants to bad enough and knows where to find it.

      For a Soldier/Marine/Sailor/Airman, the ability to communicate is just as important as the ability to shoot. The greatest marksman in the world is worthless when he is cut off from his unit and surrounded by enemies that are in constant contact with each other.

      So to unplug the network cable from these machines kinda makes them worthless.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    21. Re:Linux by EEDAm · · Score: 4, Insightful

      You were surprised how confident and competent the NSA seems here? Honestly that got me scratching my head hugely. Not because I have some god-given insight into the strength of the NSA but simply because this was an *under-grad* evaluation where they pitched the task as slightly too hard for the best under-grad team. Nuff respect to under-grads who study hard, but being an under-grad is just part of the journey and you have so much more you can develop when you finish that phase of your life. You really think it's surprising the NSA (or for that matter any corporation / organisation / entity) is fairly, or in fact let's make that *hugely*, more advanced than the undergrads entering it? For every genius entrepreneur who comes out of college with a hot idea, there's a million who are just beginning their development. The world would be f$cked if we stopped at that point...

    22. Re:Linux by CajunArson · · Score: 1

      Bear in mind that the defenders in this case are in military academies, meaning they are the equivalent of college undergrads. It looks like they did a very competent job, but even Bruce Schneier could have trouble dealing with NSA level attackers if they pulled out all the stops.

      --
      AntiFA: An abbreviation for Anti First Amendment.
    23. Re:Linux by Anonymous Coward · · Score: 0

      Yes, government org does not always == technically incompetent. I used to have the same opinion, until I started spending a lot of time around such organizations.

      I believe the USMC Red team generally fares pretty well at the Defcon hacking contest, and I can tell you that the NSA team participating in this event are top notch.

      Now, this is not to say that ALL gov organizations are worthy.. I have come across several that are not.

    24. Re:Linux by rcw-home · · Score: 1

      Obviously, if the winning team used that, and the NSA found a vulnerability in their own code, then it'd either make them look really bad or give them some serious explaining to do about the backdoors they planted.

      The NSA is all about not tipping their own hand.

    25. Re:Linux by Bombula · · Score: 3, Interesting

      I'm actually surprised at how confident and competent the NSA seem here

      No offense to West Point and the other military academies, but I'd like to see NSA take on the top team from MIT, Cal Tech, etc and see how they fare before putting total confidence in the NSA.

      --
      A-Bomb
    26. Re:Linux by belmolis · · Score: 1

      Where does it say that the other teams were required to use MS Windows? And where does it say that West Point used SE Linux?

    27. Re:Linux by Anonymous Coward · · Score: 0

      custom INF files and ADM's make hardening a breeze, guidance is freely available on the NSA site. Look for hardening Operating Systems.

      Also the DOD puts out STIGs (secure technical information guides), these are updated quarterly.

      group policy is the way to go for windows

    28. Re:Linux by Daniel+Dvorkin · · Score: 3, Insightful

      If the other teams were "forced to run Windows" (which it doesn't say anywhere in the story) then it would have been because of service policy ... in which case hopefully the Army's relatively favorable attitude toward Linux will get the other services' attention.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    29. Re:Linux by Software+Geek · · Score: 3, Insightful

      The competence of the NSA or the cadets has nothing to do with it. At the moment, the attacker simply has a huge advantage over the defender, no matter who the attacker and defender are. The defender must deploy a host of applications whose primary development goal was time to market, and security is still somewhere near the bottom of the todo list. The defender must rely on the discipline of end users with no interest or understanding of network security. The attacker can download all kinds of prepackaged exploits from the internet. The attacker only needs for a handful of those exploits to succeed. The defender can not afford to lose even once.
      Government networks get hacked because they are defending. I would venture to guess that the NSA can hack into Chinese and Russian government networks just as easily as they can hack into ours.

    30. Re:Linux by Tom · · Score: 5, Informative

      I'd be interested to see how a team harvested from the basements of MIT or Caltech would stack up in a challenge like this, actually.

      Get their asses handed to them, essentially.

      We all laugh about the military and the secret services, but we forget what an impressive amount of things they do that we do not hear about. Sure, you learn about that double-agent fuckup in the middle east and think "how could anyone be that stupid?" - but you never learn about the other 20 agents that never get caught or uncovered.

      MIT is an impressive university, and they can floor Vegas with card counting. But the NSA is the largest employer of mathematicians in the world, and is still several years ahead of the world-wide scientific community in some areas of math research, especially cryptography.

      They have their share of fuckups, like every organisation of that size. Wouldn't underestimate them, though.

      --
      Assorted stuff I do sometimes: Lemuria.org
    31. Re:Linux by Anonymous Coward · · Score: 0

      No offense to MIT, Cal Tech, etc, but the NSA would win. Hands down. They've stacked the deck in their favor.

    32. Re:Linux by Anonymous Coward · · Score: 0

      But the NSA is full of top teams from MIT, Cal Tech, etc.

    33. Re:Linux by aetherworld · · Score: 1

      The NSA made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world.

      Well, I can easily see how Linux might be your OS of choice then (as a defending team). The NSA would have a hard time finding some rootkits/viruses/trojans that can be hidden on your Linux machines...

    34. Re:Linux by bytethese · · Score: 1

      With grads from MIT, Cal Tech, etc...

    35. Re:Linux by reddburn · · Score: 1

      Let's not forget: some governmental job series in some agencies (like NSA cyberdefense) can offer healthy salaries in addition to top secret technologies to the people they want to attract. Also, whoever implied that the NSA would be as incompetent as, say, the Veterans Administration (lost records & break-ins) couldn't have been thinking clearly.

      --
      "Those who believe in telekinetics, raise my hand" - Kurt Vonnegut, Jr.
    36. Re:Linux by Anonymous Coward · · Score: 0

      No mention of the Canadian team at the Royal Military College of Canada (Kingston, Ontario)...who did, incidentally, use BSD.

    37. Re:Linux by Icegryphon · · Score: 1

      hahahahahaha, oh wow

    38. Re:Linux by MikeBabcock · · Score: 1

      ... who would be working against their own teams while under contractual obligation to misrepresent their intentions :-)

      "Agent Rolf has successfully inserted the new back-door in the database system."

      --
      - Michael T. Babcock (Yes, I blog)
    39. Re:Linux by Wyatt+Earp · · Score: 1

      Seeing as how hard the standards are to get in and maintain a GPA at a service school, I'd put money on West Point or the Naval Academy versus MIT/Cal Tech

    40. Re:Linux by hesaigo999ca · · Score: 1

      THE NSA DOES NOT KNOW HOW TO OPERATE LINUX?
      So how long exactly did you say you worked there for?

    41. Re:Linux by island_tux · · Score: 0

      i'm pretty sure it wasn't !

      --
      What Sig
    42. Re:Linux by Anonymous Coward · · Score: 0

      Probably has a lot more to do with the teams competing against the NSA being undergrads than it does with any competency on the part of the NSA. I'm guessing that if the NSA were to try to break or protect machines against teams of civilian security experts they would be MUCH harder pressed to succeed.

    43. Re:Linux by Anonymous Coward · · Score: 0

      I'd like to see NSA take on the top team from MIT, Cal Tech, etc and see how they fare

      Answer: NSA would kick their butt. They are well financed and have the top minds working on this. All top computer workers and hackers go there. Those who don't claim they would "never work for the NSA". But inside they cry a little because they were not invited.

    44. Re:Linux by Lally+Singh · · Score: 1

      Certainly the service schools will bring in intelligent, hard-working, dedicated people.

      But how much natural hacker talent are they going to attract? My main concern with US cyberwarfare capabilities is the culture delta between the classic hackers and literally 'working for the man.'

      --
      Care about electronic freedom? Consider donating to the EFF!
    45. Re:Linux by CAIMLAS · · Score: 1

      Yep.

      I'd take a Service school graduate over an MIT or Cal Tech graduate any day of the week - whether he's guarding my ass or my computer. :P

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    46. Re:Linux by Anonymous Coward · · Score: 0

      Methinks you grossly under estimate the NSA. They needn't FIND rootkits, they bake their own, nor would they risk exposing their good stuff in a little exercise like this....

    47. Re:Linux by Mr.+Firewall · · Score: 1

      I guess I was just expecting the NSA to get more of a run for their money than "Yeah, we pitched it so they couldn't quite win. No problem really." I'd be interested to see how a team harvested from the basements of MIT or Caltech would stack up in a challenge like this, actually.

      Forget MIT and Caltech. I, for one, would like to see how they'd stack up against Mr. James T. "I-don't-believe-in-no-win-scenarios" Kirk.

      --
      In times of universal deceit, telling the truth gets you modded -1 Troll
    48. Re:Linux by Wyatt+Earp · · Score: 1

      There is that problem, getting in the Service Academies is going to take being well rounded with a number of interests outside of "hacking" but not a cookie cutter corporate type who "works for the man".

      They will get intellectuals and outside the box thinkers but not one discipline people. I knew a guy back in the late 90s that was a UNIX sysadmin at a USGS station in Alaska but also a qualified para rescue diver/swimmer. Yea, multiple discipline people.

  2. NCCDC by Anonymous Coward · · Score: 5, Informative

    Looks a lot like the National Collegiate Cyber Defense Competition. Any college student team can participate in that one, however, and the NSA or Secret Service have participated in past events iirc.

    The competition is a lot of fun, 64 teams last year.

    1. Re:NCCDC by nametaken · · Score: 3, Insightful

      How bad-ass must one be to withstand concerted hack attempts by the NSA? I'd think that would look really, really impressive on a resume. Especially for someone applying for a .gov job!

    2. Re:NCCDC by Burkin · · Score: 2, Interesting

      Except as the story says this wasn't even the worst they could do. They tamed down their attacks to the level of the undergraduates.

    3. Re:NCCDC by Atlantis-Rising · · Score: 5, Insightful

      The fact that the NSA was willing to participate at all strongly suggests to me that the NSA was just playing games, and was not in fact utilizing anywhere near their full capabilities in this exercise. Which says something pretty impressive about the NSA.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    4. Re:NCCDC by Anonymous Coward · · Score: 0

      So basically you are saying this was just propaganda? :)

    5. Re:NCCDC by fluffy99 · · Score: 1

      The NSA basically scanned their network for known vulnerabilities and took advantage of them. I hardly call flooding someone's email a sophisticated attack either. The NSA has a much bigger toolbox than we give them credit for. I'm sure there is a classified file somewhere with a list of zero-day exploits waiting for that "special occasion" when they'll be needed. Open source makes this much easier, btw.

    6. Re:NCCDC by Anonymous Coward · · Score: 3, Funny

      The NSA has a much bigger toolbox than we give them credit for.

      No, we don't. I work for the NSA, and I promise, you've seen it all. Move along here, nothing else to see. These aren't the droids you're looking for...

    7. Re:NCCDC by Torvaun · · Score: 2, Interesting

      You really think that if the NSA went to Microsoft and asked for source code, that Microsoft would say no?

      --
      I see your informative link, and raise you a pithy comment.
    8. Re:NCCDC by Capt.DrumkenBum · · Score: 1
      You really think this has not already happened?

      I have said too much.....

      --
      If I were God, wouldn't I protect my churches from acts of me?
    9. Re:NCCDC by Chris+Burke · · Score: 2, Funny

      Except as the story says this wasn't even the worst they could do. They tamed down their attacks to the level of the undergraduates.

      Exactly. Which is why Linux and Open Source won.

      You see, it's true that Open Source is superior and more potent at staving off cyber attacks than Closed Source. However, to defeat the next level of tests you need Secret Reverse Unclosed Source (of Ineffable Primes, +3). However the big boys aren't exactly going to be giving that away, what with it defeating the purpose and all. So far though Open Source is the best we mortals have managed. Maybe through meditation and large amounts of coffee we will be enlightened.

      A couple things I have been able to glean, though: The Ultimate OS ends with a 'z', and penguins are important.

      --

      The enemies of Democracy are
    10. Re:NCCDC by c_forq · · Score: 4, Funny

      You really think the NSA bothers to ask?

      --
      Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
    11. Re:NCCDC by swillden · · Score: 1

      The fact that the NSA was willing to participate at all strongly suggests to me that the NSA was just playing games, and was not in fact utilizing anywhere near their full capabilities in this exercise. Which says something pretty impressive about the NSA.

      That's just what they want you to think.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    12. Re:NCCDC by Jah-Wren+Ryel · · Score: 4, Informative

      You really think that if the NSA went to Microsoft and asked for source code, that Microsoft would say no?

      Hell, MS even said yes when China asked.

      Open-source just levels the playing field for the rest of us.

      --
      When information is power, privacy is freedom.
    13. Re:NCCDC by Jah-Wren+Ryel · · Score: 1

      The fact that the NSA was willing to participate at all strongly suggests to me that the NSA was just playing games, and was not in fact utilizing anywhere near their full capabilities in this exercise. Which says something pretty impressive about the NSA.

      That's circular reasoning. You are impressed by the NSA because they are so awesome they wouldn't normally play these reindeer games.

      --
      When information is power, privacy is freedom.
    14. Re:NCCDC by Anonymous Coward · · Score: 0

      "If"? "Would"?

    15. Re:NCCDC by fluffy99 · · Score: 3, Interesting

      I've seen too many examples of the NSA having insider information to believe that. We get told to change some obscure registry setting or files and then a month later MS quietly announces an update that fixes the problem. For example, we had to go into the registry and gut the autorun function entirely instead of just using the GPO. At the time I thought it was a f'd up mandate, but alas 6 weeks later MS admits that disabling autorun via the normal policy did not disable it in certain situations. Think the NSA knew ahead of time?

      Or how about their partnership with Symantec? Where the detections for some zero-day exploits are present in the symantec definitions files long before the zero-day exploit shows up in the wild?

      No, NSA isn't ahead of the game at all....

    16. Re:NCCDC by fluffy99 · · Score: 1

      Yup. MS shared the Win2k code with China. Is it a coincidence that most of the zero-day exploits we find in Chinese network attacks exploit holes dating back to the Win2k code? Doubt it.

      Having your code out in the open makes you more vulnerable to exploitation of software bugs because they're easier to find. I don't buy the BS argument that open source code is more vetted either. Go sift through any Linux bugzilla site and see all the glaring bug reports. When basic features have serious unpatched holes, it certainly raises some doubt that minor, hidden security gotchas have all been caught.

    17. Re:NCCDC by Anonymous Coward · · Score: 0

      The fact that the NSA was willing to participate at all strongly suggests to me that the NSA was just playing games, and was not in fact utilizing anywhere near their full capabilities in this exercise. Which says something pretty impressive about the NSA.

      I wonder if they focus this impressive-ness on US citizens in order to tap their communications.

    18. Re:NCCDC by Johnny+Mnemonic · · Score: 1

      I think there's a strong likelihood that Microsoft agreed to backdoor Win2K for the NSA if the US anti-trust lawsuit was neutered by the DOJ.

      --
      $tar -xvf .sig.tar
    19. Re:NCCDC by Anonymous Coward · · Score: 0

      More vetted != perfectly screened.

      The plethora of reverse-engineered zero day exploits ought to be proof enough that lack of source code is not a significant detriment to serious hackers.

    20. Re:NCCDC by Artemis3 · · Score: 2, Insightful

      Did you forget "KEY" "NSAKEY" found when someone let windows slip with debug symbols and variable names on? This is the reason you don't trust black boxes known as proprietary software.

      --
      Artix
      Your Linux, your init.
    21. Re:NCCDC by fluffy99 · · Score: 2, Interesting

      Certainly with closed software, it's easier to lean on the company to get a backdoor inserted without anyone noticing. You still can't rule this out with open-source.

      You think the NSA hasn't been trying to weasel a backdoor into Firefox? I'm willing to bet the NSA (or another foreign intelligence agency) has done their own review of the code, and they are saving a few exploitable bugs for future use.

      Sorry open source fans. The cold hard reality is that once open source code is written and accepted into a project, nobody actually looks at it again unless it has a functional bug, they want to add a feature, or someone exploits the code. It's a myth that software, either closed or open source, gets any kind of periodic review out of good practice.

    22. Re:NCCDC by Tubal-Cain · · Score: 1

      Maybe through meditation and large amounts of coffee we will be enlightened.

      Coffee is for those that merely pay lip service to seeking enlightenment. One finds their true purpose when fueled by a Caffeine IV.

      The Ultimate OS ends with a 'z'

      What are you talking about? 'WOPR' doesn't end with a 'z'.

    23. Re:NCCDC by The+Cisco+Kid · · Score: 1

      You are a fool if you think MS needs to *intentionally* put any special 'backdoors' in any of their software in order for even the average script-kiddy to be able to Pwn their system.

      Expecting anything from Microsoft to be 'secure' is like building a fence with toothpicks, and using pocket lint to hold it together.

    24. Re:NCCDC by MikeBabcock · · Score: 1

      You're missing a major difference between opening your source and Open Source -- people can compile in the changes that would fix the bugs in Open Source, nobody's allowed to use their own compiled binaries from Microsoft source except Microsoft (check the licensing).

      As a result, you end up with people who simply work on bug proofing the kernel and other applications because it scratches an itch or because they're paid by an organization who cares (RedHat, Novell, Oracle, the NSA themselves). Those advantages are implicitly made available to the users of those systems and therefore the entire community (due to GPL licensing).

      --
      - Michael T. Babcock (Yes, I blog)
    25. Re:NCCDC by Atlantis-Rising · · Score: 1

      No- that's not what I meant at all. I meant that if I were the NSA and I didn't think there was a reasonable chance I could shut them down rapidly without adverse effort, I would not have participated at all. You gain nothing by participating and you stand to lose a lot in revealing your capabilities to the enemy.

      The fact that they chose to participate means that either a) they don't see the tactical situation as I do, or b) they didn't consider they were revealing anything particularly impressive.

      The latter, IMNSHO, is perhaps more frightening than the former.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    26. Re:NCCDC by Anomylous+Howard · · Score: 1

      Ah, a troll of ancient vintage rises again. This old canard is not worth my time to refute. I'll just call BS, and let myself be flamed for lack of content.

  3. Yay NSA? by DoofusOfDeath · · Score: 1

    I'd feel a lot more positive about the NSA's capabilities, if they didn't have a track record of illegal wiretaps.

    1. Re:Yay NSA? by DeadDecoy · · Score: 1

      And yet the funny/sad thing is, they would seem less crafty if they didn't.

    2. Re:Yay NSA? by mrmeval · · Score: 2, Interesting

      I don't think the classified portion of the Executive Order that created them has been released. For all we know it contains a classified pardon.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    3. Re:Yay NSA? by Anonymous Coward · · Score: 0

      More likely a mandate to spy on USA foreign "allies" like Canada, which could seriously damage relations with those countries if it got out that it was "official policy".

  4. Not as many? by Twillerror · · Score: 2, Interesting

    "It is also much easier to secure because "you can tweak it for everything you need" and there are not as many known ways to attack it, he said."

    I'm not sure I agree with this. There are plenty of ways to hack all OSs. Maybe a generic underhardened Windows install has more known ways...but how would one even quantify what is known and not known. Public is one thing, but given that Linux is open source and even compiled code can be broken down there are likely many known ways to hack products that are not public yet.

    I'd be more interested in the perimeter defenses they used. Like what kind of IDS/IPS did they use? Were they using email firewalls to prevent floods of emails or just blocking? I think you also have to harden your servers, but I'd rather have something protecting my email server and have more layers to dig through...and to alert you.

    1. Re:Not as many? by Anonymous Coward · · Score: 0

      'Public is one thing, but given that Linux is open source and even compiled code can be broken down there are likely many known ways to hack products that are not public yet.'

      You forget that BECAUSE it is open source, bugs and loopholes are found and subsequently patched.

      The programmers that contribute to OS projects are pretty adamant about good code, something Microsoft will learn one day.

    2. Re:Not as many? by Burkin · · Score: 3, Insightful

      The programmers that contribute to OS projects are pretty adamant about good code, something Microsoft will learn one day.

      And yet in practice this statement doesn't hold up because there is plenty of shit code floating around in open source projects.

    3. Re:Not as many? by ross.w · · Score: 2, Interesting

      With Windows, you have to just trust Microsoft. With Linux or BSD, you don't have to trust anyone.

      It is even more of an issue for a non-US military. If you have the source code, you can vet it and make sure no one has planted back doors that the US Govt has insisted on.

      With Windows, you have to trust Microsoft when they tell you there are no backdoors. If you were the Chinese, would you believe them?

      --
      If my call is important, why am I talking to a recording?
    4. Re:Not as many? by Burkin · · Score: 0, Redundant

      Ah yes, because the Chinese government has a long history of being trustworthy and never lying to its citizens or attempting to rewrite history.

    5. Re:Not as many? by RiotingPacifist · · Score: 1

      AC must have meant Operating system projects. And trust me, Linus and Theo are pretty fucking adamant!

      --
      IranAir Flight 655 never forget!
    6. Re:Not as many? by jjohnson · · Score: 3, Interesting

      How many people actually vet the Linux source code, or would recognize various weaknesses and backdoors if they were staring at them?

      --
      Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
    7. Re:Not as many? by Burkin · · Score: 1

      Linus may be adamant, but the Linux kernel has plenty of its own shitty code inside of it.

    8. Re:Not as many? by ross.w · · Score: 2, Informative

      I never said they don't. They do, and that's bad. But that doesn't change the point that the ability to inspect and audit all your code for vulnerabilities is an attractive feature to any Government not wanting to trust a proprietary vendor beholden to a foreign power. China was just an example. The same would be true of France or Germany.

      --
      If my call is important, why am I talking to a recording?
    9. Re:Not as many? by TheRealMindChild · · Score: 1

      Not sure what they used, but I like the trusty "Unplug the router from the internets" to ward off an attack.

      --
      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    10. Re:Not as many? by Anonymous Coward · · Score: 0

      With Windows, you have to just trust Microsoft. With Linux or BSD, you don't have to trust anyone.

      It is even more of an issue for a non-US military. If you have the source code, you can vet it and make sure no one has planted back doors that the US Govt has insisted on.

      With Windows, you have to trust Microsoft when they tell you there are no backdoors. If you were the Chinese, would you believe them?

      So you have personally inspected every single line of the various Linux distros that you use? Otherwise, you are trusting that someone else did... just like you would do with Windows.

      The Windows source code *is available* to third party companies (if you have enough clout or money). The US Government certainly has access to it, along with just about every major University in the US and several in Japan.

      Most people that run Linux don't bother to examine the source. They may compile it, but they are still trusting that someone else performed a security audit.

    11. Re:Not as many? by iphayd · · Score: 1

      Except I already turned on the 3G network adapter that is embedded in the laptops.

      Bwahahahaha

    12. Re:Not as many? by Anonymous Coward · · Score: 0

      Thank you for the specification.
      I did, indeed, mean Operating System projects.
      Sadly I forgot OS has another, also important, meaning.

      For those still saying that there's crappy OS code in open source projects, please compare to what we have been able to get out of closed OSes (i.e. Windows for the most part).

      For those about to say OS-X is better, please note that OS-X was built based upon a solid BSD core first. And I've frozen my OS-X box 3 times in the past week with normal usage.

      My Linux web server, however, is running fine and is a lot more open to the net than either my Windows or OS X boxes.

    13. Re:Not as many? by greenbird · · Score: 1

      I'm not sure I agree with this. There are plenty of ways to hack all OSs. Maybe a generic underhardened Windows install has more known ways...but how would one even quantify what is known and not known. Public is one thing, but given that Linux is open source and even compiled code can be broken down there are likely many known ways to hack products that are not public yet.

      Ummm...The code is public and it's known but not to the public...hmmm...yeah, makes perfect sense.

      --
      Who is John Galt?
    14. Re:Not as many? by Anonymous Coward · · Score: 4, Insightful

      More than do the same with Windows

    15. Re:Not as many? by nausea_malvarma · · Score: 1

      Most people that run Linux don't bother to examine the source. They may compile it, but they are still trusting that someone else performed a security audit.

      We ain't talkin bout most people. We talkin bout the military, and I would expect the military to investigate the security of their software.

      Well ok, maybe I expect too much... These days, it feels like the government can't do much of anything right. But my point is the average user doesn't have to inspect lines of source code (the average user probably doesn't know any code to begin with), but a big group like the military could inspect lines of code, find potential errors, and perhaps even contribute fixes for these errors back to the open source community.

    16. Re:Not as many? by blitzkrieg3 · · Score: 5, Informative

      There are plenty of ways to hack all OSs. Maybe a generic underhardened Windows install has more known ways...but how would one even quantify what is known and not known.

      When getting attacked by the NSA, I'd prefer to use something that they developed to stem such an attack. And I don't want to hear, "well they developed it, so they probably have a backdoor." The many eyes argument definitely applies, since patches from the NSA would undoubtedly come under much more scrutiny. Especially since this has yet to be proven for other operating systems.

      Anyway, the winning team was using Fedora 8, which has SELinux on by default.

    17. Re:Not as many? by RiotingPacifist · · Score: 1

      With stuff like NSA-contributed rootkey, you can stop any new processes running as root, meaning Linux can be customized to be much more secure than Windows. I'm a bit disappointed that they couldn't fully secure the system; between stuff like rootkey, SELinux/AppArmor, iptables and qmail it should be possible to make your basic setup 100% safe. I suppose it depends on what services needed to be up and running, but there must be plenty of tools out there to help prevent injection attacks.

      I got the impression from the older article that they used a good old C(adet)IDS, by simply putting a cadet with Wireshark on duty (although Wireshark itself has been known to have a few holes, which isn't too much of an issue as long as you run Wireshark with low privileges).

      --
      IranAir Flight 655 never forget!
    18. Re:Not as many? by Unordained · · Score: 4, Informative

      And regardless, can you trust the build based on that source code? ACM Classic: Reflections on Trusting Trust (about the need for a bootstrap compiler, and the concern that this compiler might be infiltrated.)

    19. Re:Not as many? by RiotingPacifist · · Score: 1

      For example?

      --
      IranAir Flight 655 never forget!
    20. Re:Not as many? by shentino · · Score: 1

      The fact that you CAN audit it at will is a deterrent to malicious coding. If an open source developer ever got caught slipping malicious code into something, the consequences to his reputation would be devastating. With proprietary code, the motives behind the code are shrouded and we really don't know whether or not the RIAA pressured the company to plant torrent-watching spyware.

      Bottom line, as long as humans code, no code will be perfect.

    21. Re:Not as many? by Runaway1956 · · Score: 1

      but how would one even quantify what is know and not know.

      You could start here: http://en.wikipedia.org/wiki/List_of_computer_viruses That is certainly not all-inclusive, but it's a decent start. I'll leave you to google for the host of Linux exploits.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    22. Re:Not as many? by Shikaku · · Score: 1

      The driver modules.

      If a bad wireless driver can freeze all of Ubuntu AND prevent me from opening tty1 (press ctrl+alt+F1) AND even if I get to tty1, I can't run or kill anything, not even top, then I think there's a serious problem.

      Then again it is probably bad coding due to ndiswrapper. Sorry, I'm a little bitter from trying for 5 hours to make the Marvell TOPDOG (TM) PCI-Express 802.11n Wireless (EC85) on my Gateway MT6458 laptop work, and all I get are Ubuntu lockups.

    23. Re:Not as many? by socceroos · · Score: 4, Insightful

      You're talking about bad drivers like it's the OS's fault.

      The trade-offs of having drivers in userspace outweigh the positives.

    24. Re:Not as many? by socceroos · · Score: 1

      If you RTFA, you'll probably notice that they had to keep their systems online.

    25. Re:Not as many? by Anonymous Coward · · Score: 0

      You can hack all OSs? For proprietary, closed sources software: sorry, you have now voided your license agreement and your organization will no longer be able to use that software. (That kind of defeats the purpose, no?)

      So while you might be able to in secret, you can't widely deploy such "hacks" (which is what they would be, probably unproven code, modifying unproven code) unfortunately, which is why open source is attractive.

    26. Re:Not as many? by Shikaku · · Score: 1

      Bad drivers do exist.

      That's not my point. Unless it is a driver for something really important to system stability, it should not take down the whole OS. That is my point. These are only drivers for accessing the internet.

    27. Re:Not as many? by Anonymous Coward · · Score: 0

      The core Linux kernel development team has about 1000 people, but there are people dedicated to looking for security problems, logic races, performance and so on. The Department of Homeland Security(tm) did a code audit of the Linux kernel about 2 years ago. They found that the kernel had 2 potential bugs per every 100,000 lines of code, which is about 5-9 times as 'clean' as commercial software (commercial operating systems and large software applications). The Linux kernel development team includes people working at Intel, HP, RedHat, Novell, IBM and other miscellaneous organisations such as the Internet Engineering Task Force, US Navy, etc.

    28. Re:Not as many? by TED+Vinson · · Score: 3, Informative

      I'd be more interested in the perimeter defenses they used. Like what kind of IDS/IPS did they use?

      The rules require the teams to construct the network within the constraints of a notional budget. This forces the teams to make choices about what infrastructure and security measures to deploy. They cannot have everything they might want; this is a taste of the risk-benefit decisions managers and admins have to make. It is also intended to make it feasible for the Red Team to penetrate a well-watched network, having only a minimal user-base, in only four days.

      IPS and other automated response systems are prohibited in the CDX.

      For IDS the West Point team used Snort on BSD, with a custom-blended set of rules from VRT and Emerging Threats.

      The budget decisions did not support deploying a dedicated firewall device. Firewalling had to be done using Cisco ACLs; however, some creative use of NAT and VLANs helped to make the Red Team's job a bit harder.

    29. Re:Not as many? by mokus000 · · Score: 2, Insightful

      I don't think fault is relevant. The consequence of bad code in drivers that can trash the kernel is that the OS, which is all but useless without drivers, has bad code actively executing in kernel space on some deployed systems.

      Obviously, a choice had to be made about how to provide drivers. I personally have no problem with the one that was made, and I suspect many security-conscious linux users would rather not accept the efficiency trade-offs for user-space drivers. The current situation does mean, though, that if you want to analyze or talk about the security of Linux you can't just dismiss drivers as "not part of the OS" - at least not the ones you're running on any systems you care about.

      --
      Additive identity, multiplicative cancellation, distributive multiplication over addition: pick any two (unless 1 = 0)
    30. Re:Not as many? by Anonymous Coward · · Score: 3, Informative

      Unless it is a driver for something really important to system stability, it should not take down the whole OS.

      Your complaint is against the PC platform, not the OS. It is impossible to operate PCI hardware without trusting it and the corresponding driver stack. This is due to the way DMA and interrupts work. This may change some day with the "I/O virtualization" features of late, but given the track record of other PC virtualization not being secure, I would not hold my breath.

    31. Re:Not as many? by socceroos · · Score: 1

      Again, this would change if the drivers were in userspace - but they're not for good reasons.

    32. Re:Not as many? by Yogiz · · Score: 1

      Isn't the point that there only needs to be one?

  5. Kobayashi Maru? by HaeMaker · · Score: 5, Insightful

    NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.'

    Nobody wins, but let's see how long you hold out.

    1. Re:Kobayashi Maru? by jpedlow · · Score: 0

      "Bones, how are their shields?..."

    2. Re:Kobayashi Maru? by Anonymous Coward · · Score: 0

      I like apples.

    3. Re:Kobayashi Maru? by Anonymous Coward · · Score: 0

      NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.'

      So, how did they know who the strongest team was if this was an exam?

    4. Re:Kobayashi Maru? by oGMo · · Score: 1

      It's like any benchmark though ... if the samples are all clipping, you can't compare it. Finding the maximum is the point. If your code runtime tests finish in 0.00s (or within the margin of error), you can't tell which is fastest. If all the graphics cards render at maximum FPS, you can't tell which is best. Likewise, if a team "wins", you can't really tell how good they are: "win" is not a useful metric, because you can't tell how far beyond "win" they went.

      --
      Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    5. Re:Kobayashi Maru? by timeOday · · Score: 3, Informative

      This is called "ceiling effect" and "floor effect." (cite).

    6. Re:Kobayashi Maru? by PitaBred · · Score: 2, Informative

      Who fell last, basically. If it wasn't hard enough, multiple teams would have finished and you couldn't have distinguished between them.

    7. Re:Kobayashi Maru? by Anonymous Coward · · Score: 0

      I like turtles! Your point?

    8. Re:Kobayashi Maru? by Johnny+Mnemonic · · Score: 4, Insightful

      Also, note that the NSA isn't saying that they used the full force of their power and creativity. This is probably for several reasons:

      -It's not worthwhile to simply crater all of the teams. You want to see who the best graduates are and the most receptive to a couple of years of schooling, even if they need 25 years' worth of real world experience to stand up to a real world exercise.

      -You don't want to reveal your whole strategy just for a graduation exam.

      -Even if you do reveal your whole strategy, you don't want your opposition to know that you did.

      I would be tempted to use something pretty rare, and mask the id strings--I would think that it would take so long to understand what OS I was really using to serve, and to research and characterize its failures, that I would win. Like use BeOS and make it look like OS X as much as possible.

      --
      $tar -xvf .sig.tar
    9. Re:Kobayashi Maru? by 3waygeek · · Score: 0, Offtopic

      Damnit, Jim -- I'm a doctor, not a tactical officer!

    10. Re:Kobayashi Maru? by ufoolme · · Score: 1

      Sounds like what every tutor does, plan assessments in their own field of expertise - so they can steal any good ideas and destroy the known bad ideas.

    11. Re:Kobayashi Maru? by Anonymous Coward · · Score: 0

      I would be tempted to use something pretty rare, and mask the id strings--I would think that it would take so long to understand what OS I was really using to serve, and to research and characterize its failures, that I would win. Like use BeOS and make it look like OS X as much as possible.

      Why would they bother using the id strings to identify the host when it's so much easier to just wiretap you when you devise your strategy?

  6. Modern day Kobayashi Maru... by alchemist68 · · Score: 1, Informative

    This appears like a modern day Kobayashi Maru exercise. And instead of it being designed and executed by a single Vulcan whom we all know, it was done by the best and brightest of our 'No Such Agency'. I say congratulations to both parties, the NSA and the winning West Point Team.

    1. Re:Modern day Kobayashi Maru... by jdgeorge · · Score: 4, Funny

      This appears like a modern day Kobayashi Maru exercise. And instead of it being designed and executed by a single Vulcan whom we all know, it was done by the best and brightest of our 'No Such Agency'. I say congratulations to both parties, the NSA and the winning West Point Team.

      Man, do I ever long for the good old days of the Victorian era Kobayashi Maru.

  7. Finally! 2009... by jimbudncl · · Score: 2, Funny

    The year of the Linux... undergraduate military PC?

  8. wtf??? by Anonymous Coward · · Score: 0

    As soon as i read "[..] used an SQL Injection to [..]" in TFA, I stopped and realized they already failed. How amazing? The NSA calls SQL injection sophisticated? I can't wait to tell what would happen if someone took down a few root backbones.

    1. Re:wtf??? by rickb928 · · Score: 1

      You don't have to be sophisticated, just successful.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  9. OpenBSD? by wandazulu · · Score: 4, Insightful

    When it comes to stories like this, or the one about the Dalai Lama's computers being compromised, etc., I'm always surprised that no one considers using OpenBSD as their operating system; it's the only one that I know of that is specifically, purposely built, for security. Because it's Unix, it can still run pretty much everything (though you want to use the OpenBSD version because it's been reviewed for security holes, etc.).

    Seriously, if I wanted to keep my battle plans, aircraft designs, etc. out of the hands of the "enemy", I'd lock them up in an OpenBSD server, preferably on some less-common architecture like the Alpha, so that anyone trying to hack my system would have an enormously hard time.

    Yes, I understand this doesn't take into consideration social networking. So I'd take a page from the elevated privilege playbook and say that in my organization, no one trusts the person below him/her, so that secrets can never flow downhill. Going back to the operating system, this would presumably be handled by ACLs.

    Of course, no system is immune from the booze-n-hookers style of temptation, but that's someone else's job; I'm just here to install and configure software. :)

    1. Re:OpenBSD? by debrain · · Score: 1

      I whole-heartedly agree. OpenBSD is an answer to many-a-question of security, in my humble opinion. Using off-mainstream platforms (like Alpha) is also valuable against those pesky low level vectors.

      Parent should be modded up.

    2. Re:OpenBSD? by Anonymous Coward · · Score: 3, Interesting

      Yep. That or OpenVMS if you have Alpha or Itanium hardware. OpenVMS was banned from some of those hack-or-be-hacked competitions, because no one could ever get into them. :)

    3. Re:OpenBSD? by Chirs · · Score: 1

      Odd architectures are an interesting option. Not a surefire guarantee of safety, but can be a useful delaying tactic.

      I once was visiting with a friend when a mutual friend at defcon contacted him asking if he had a C compiler for an old mips-based Irix box.

    4. Re:OpenBSD? by rickb928 · · Score: 1

      People keep telling me security by obfuscation doesn't work. I can buy a working Alpha server this afternoon for $70, and it is already running Red Hat 7.x. I can steal one faster and cheaper.

      Blockbuster was running Alphas a few years ago. Those may be traded out, but thinking your CPU will confuse your attacker is rather pointless.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    5. Re:OpenBSD? by RiotingPacifist · · Score: 2, Insightful

      I keep hearing that BSD is sooo much safer than Linux, but isn't it all about the userspace, which is pretty much the same? For there to be much of a difference between Linux & BSD you'd have to get to the point where you can make nasty system calls first, which provided you're using SELinux/AppArmor/BSD equivalent is pretty hard.

      I also fail to see how using a less thoroughly tested platform like alpha is better than using an x86 processor (specifically an x86 that has all the security enhancements)?

      Despite my bias being that you are wrong, I am open to suggestions about how BSD is more secure and using Alpha is a good idea.

      --
      IranAir Flight 655 never forget!
    6. Re:OpenBSD? by AnfieldSierra · · Score: 1

      Of course, no system is immune from the booze-n-hookers style of temptation, but that's someone else's job; I'm just here to install and configure software. :)

      OK, where do I sign up for the booze-n-hookers job ?

    7. Re:OpenBSD? by bobbuck · · Score: 1

      Does OpenBSD have any of the SELinux type security features?

    8. Re:OpenBSD? by commodoresloat · · Score: 5, Funny

      Yes I understand this doesn't take into consideration social networking.

      Exactly. OpenBSD lacks the kind of application client support for Facebook and Twitter that the NSA has come to expect.

    9. Re:OpenBSD? by Isao · · Score: 1

      Going back to the operating system, this would presumably be handled by ACLs.

      Actually, you'll probably want to employ some type of multi-level security, something that provides mandatory access controls via security labels. This generally provides a model more robust than ACLs.

    10. Re:OpenBSD? by ColdWetDog · · Score: 1

      OK, where do I sign up for the booze-n-hookers job ?

      It's easiest if you get elected.

      --
      Faster! Faster! Faster would be better!
    11. Re:OpenBSD? by drinkypoo · · Score: 2, Informative

      I'm always surprised that no one considers using OpenBSD as their operating system; it's the only one that I know of that is specifically, purposely built, for security.

      What? OpenBSD was forked from NetBSD, it's not specifically built for security. It's specifically forked from NetBSD, and since then the focus has been on security. Arguably the approach is no more or less valid than using a security layer like SELinux. The two have certain parallels; getting some software to run on OpenBSD is a bitch, and getting SELinux configured and useful is a bitch :)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:OpenBSD? by rubycodez · · Score: 1

      OpenVMS has had its security flaws (and patches) over the years, I get e-mailed on them, last "update kit" put out for 8.2 on ia-64 was 10/19/2006

    13. Re:OpenBSD? by 680x0 · · Score: 1

      but isn't it all about the userspace, which is pretty much the same?

      In general, you're correct. Apache (on, say, NetBSD) is generally as secure as Apache (on Linux). However, OpenBSD has reviewed a lot of the ported applications, and so Apache (on OpenBSD) should be better than other versions of Apache. That review may be done by other operating systems (e.g. the RedHat/Fedora version of Apache, if you get the RPM), but OpenBSD is famous for it.

    14. Re:OpenBSD? by iggymanz · · Score: 1

      yes, and the newfangled 8.3 1H1 had one December 2008

    15. Re:OpenBSD? by wandazulu · · Score: 1

      According to their website, it is built for security:

      The first sentence under goal: OpenBSD believes in strong security. Our aspiration is to be NUMBER ONE in the industry for security (if we are not already there).

    16. Re:OpenBSD? by drinkypoo · · Score: 2, Insightful

      I do not think that word [built] means what you think it means. OpenBSD is a fork of NetBSD with a heavy code audit process and an even slower release schedule. I've run it myself (though not in a while) and even bought a CD and tee shirt and have a pretty clear idea of the OpenBSD situation. In fact, if you dug through my posting history you could probably even find me defending TdR's attitude. I am glad that they have such a focus on security, but it's not like they built it from the ground up with security in mind. Rather, their goal is to have the most secure Unix implementation. It's clear that it is possible to construct a more secure operating system than OpenBSD; it's not clear that you could have it be POSIX compliant.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    17. Re:OpenBSD? by wandazulu · · Score: 3, Informative

      I mentioned this in another post, but the point of using an Alpha, or a MIPS, or Itanium, or whatever, is not meant to be a cure-all, it's meant to present yet-another-barrier to entry. Since malware typically relies on being pre-compiled, your x86-based exploit isn't going to work. Somehow you find out I'm running OpenBSD on an Itanium. Okay, you have that information, but I've still made your job harder, now you have to go out and get an Itanium to build your malware on before you try to hack my box because you can't assume I'll have a compiler on it (and I would never have a compiler on it).

      Using an OS like OpenBSD and a different chip architecture will not guarantee a hack-proof box, but it's going to make it that much harder; if you're just looking for a box to turn into a zombie, it won't be worth it. If you're a foreign government trying to get at my battle plans, the booze-n-hookers method is likely going to be easier and faster.

    18. Re:OpenBSD? by Anonymous Coward · · Score: 0

      Large parts were rewritten and it was forked in like 1995. I think it's safe to say it's a different beast now.

      As a developer on a BSD project, I can tell you there are differences between the BSDs. Even if you think the smaller projects are a joke, the big three are certainly different.

    19. Re:OpenBSD? by wandazulu · · Score: 1

      Okay, I agree with your point; it's the most secure version of Unix, but that isn't the same thing as starting with a fresh sheet of paper and designing an OS that is meant to be bullet-proof.

      Though that leads to an interesting question: what *is* a bullet-proof OS? I suppose if I had an amount of money, and was the NSA, I presumably could spend the amount to build some super-duper custom OS that doesn't so much as blink the cursor without a 1024-bit AES-generated certificate.

    20. Re:OpenBSD? by Corbets · · Score: 2, Interesting

      Actually, we had a similar - but much less involved - exercise in one of my senior classes at Purdue University back in 2002. I *did* use OpenBSD. I'm pretty sure the instructor didn't even understand that was an operating system.... but it was an easy A, because pf is a great little firewall.

    21. Re:OpenBSD? by Tom · · Score: 2, Interesting

      The NSA decided, many years ago, that hardening Linux would be the better route, and they released SELinux to the world.

      You can read up their reasoning, history, etc. on nsa.gov/selinux, at least you could last time I checked. Otherwise, ask Google.

      --
      Assorted stuff I do sometimes: Lemuria.org
    22. Re:OpenBSD? by Anonymous Coward · · Score: 0

      It's not necessarily a good idea to change to an "exotic" architecture. x86 is well tested and supported, i.e. it may have non-executable stacks, address space randomization and other "modern" security features that may not be supported on other architectures, either because nobody had the time to implement them or because they are just plain unsupported by the simpler (or all) implementations of that particular architecture. This is apparently the case e.g. for Linux on MIPS/MIPSLE, where non-executable stack is at best "just about" to be implemented, while it is more or less a standard feature even on mainstream distributions for x86.

      For low profile script-kiddie level attacks with pre-made off-the-shelf exploits, you actually gain some security advantage; for a determined attacker, it may as well be a disadvantage.

  10. So.. by oneofthose · · Score: 1

    So either Linux is more secure than other operating systems or Linux users are smarter than other computer users.

    1. Re:So.. by Anonymous Coward · · Score: 0

      c. All of the Above.

      /ego

    2. Re:So.. by Anonymous Coward · · Score: 0

      Or linux is a fucking fail of an operating system that only niggers and fags use it.

    3. Re:So.. by rts008 · · Score: 1

      Or:
      c. Both of the above.

      --
      Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  11. Good practice by Anonymous Coward · · Score: 0

    This is good practice for those NSA hacker teams who will be executing the upcoming "cyber-warfare" false flags against various US targets in the coming year. This will be blamed on China/N.Korea/Iran/"Axis-of-Evil"member.

  12. So uh... by Anonymous Coward · · Score: 0

    Where's the site that sells tickets?
    I never went to summer camp, help me live my childhood dreams!

  13. Anyone have experience in the program? by Anonymous Coward · · Score: 0

    I'm in my early thirties and am therefore becoming ineligible for some branches of the military, but I know I still have a couple of years left to think about joining the army. It'd be interesting to hear from people with any experience doing tech work (especially security or software engineering) in the Army.

  14. Re:Linux CNET URL to TFA by davidsyes · · Score: 5, Informative

    Cadets trade trenches for firewalls
    http://news.cnet.com/2100-7350_3-6249633.html

    (if you don't have nor want a subscription to the NYT....)

    This part probably is getting lots of attention here in /.:

    Cadet Brian McCord, part of the team that installed the operating system, said he was chosen because his senior project was deeply reliant on Linux. The West Point team used this open-source operating system, freely available on the Internet, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems.

    But this part probably says it all:

    ""It seems weird for the Army with its large contracts to be using Linux, but it's very cheap and very customizable," McCord said. It is also much easier to secure because "you can tweak it for everything you need" and there are not as many known ways to attack it, he said."

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  15. An error in the original article by Frequency+Domain · · Score: 1, Informative

    There is no "Naval Postgraduate Academy," it's the "Naval Postgraduate School". If the authors of the article couldn't be bothered to take 15 seconds to confirm that with Google, it makes me wonder what else is incorrect in their writeup.

    1. Re:An error in the original article by Anonymous Coward · · Score: 0

      Considering the pejoratives used, it wouldn't surprise me if the winning team indeed used BSD or something truly "non-proprietary".

      Sorry but there are too many variations of Linux to say it was simply Linux. Unless you say which Distro and Kernel, it's not really reporting - it's just hack blogging at best.

  16. Secure Linux for the win by WillAffleckUW · · Score: 2, Insightful

    That said, the assumption that the NSA are up to the off-the-reservation methods that true Black Hats would use may not be a correct assumption.

    What we anticipate and plan for frequently is not what is used against us by someone who truly is our enemy.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:Secure Linux for the win by drinkypoo · · Score: 1

      off-the-reservation methods

      I've never heard this phrase before in my life, and now I've heard it twice in a month or two, both times on Slashdot. To what do you attribute its resurgence in popularity? Is someone out there astroturfing against Indian casinos?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Secure Linux for the win by WillAffleckUW · · Score: 1

      It's an old phrase we who used to code on the first ARPA*NET use.

      If you haven't heard it ... well, that says something. Most likely, that you need more life experience.

      --
      -- Tigger warning: This post may contain tiggers! --
    3. Re:Secure Linux for the win by drinkypoo · · Score: 1

      When I have as much "life experience" as you, will I be a stodgy old racist too?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Secure Linux for the win by Corbets · · Score: 1

      You're posting on Slashdot. Odds are good you drink too much sugar, eat too much pizza and see too little sunlight to ever reach the "old" part.

    5. Re:Secure Linux for the win by Anonymous Coward · · Score: 0

      Native Americans you mean? I mean since we are talking about being racist and all! You could at least talk about the correct group of peoples right?

  17. You're looking at it backwards... by malevolentjelly · · Score: 2, Insightful

    They weren't testing the operating systems, they were testing the cadets. A linux system is a sieve for the NSA-- I think this simply demonstrates that the team using the Linux boxes knew their system better than the teams on Windows or Solaris respectively. It's clear that a group of passionate linux admins can maintain an acceptably secure system at this level of expertise.

    However, actually infiltrating the systems would have proven nothing. I guarantee the *level of difficulty* the NSA used in order to properly test the undergrads is beneath what the Chinese government would use if trying to infiltrate a U.S. site.

    The reality is that none of these three systems are acceptably secure for government networks on their... if you're relying on just the Unix security model or Windows security model, you're basically wide open to a dedicated and well-funded attack. It's situations like these where you need to keep your systems well behind a decent level of virtualization like secure separation kernels with more than competent internal security policies. An operating system like Windows, Linux, or Solaris is really just the "interface" to the system for the users, so to speak.

    1. Re:You're looking at it backwards... by Burkin · · Score: 1

      Unless they had it disabled, the Red Hat systems they used would have had SELinux enabled by default, so if their Linux systems really were a sieve then that doesn't speak too highly of SELinux and the NSA.

    2. Re:You're looking at it backwards... by malevolentjelly · · Score: 3, Informative

      Unless they had it disabled, the Red Hat systems they used would have had SELinux enabled by default, so if their Linux systems really were a sieve then that doesn't speak too highly of SELinux and the NSA.

      SELinux merely brings linux up to par with other popular commercial systems in security, not beyond them. It brings Linux to the level where it may receive a government EAL 4+ certification, which certifies that the system is safe from casual or inadvertent attacks. These systems do not reflect the level of security necessary to defend government networks.

    3. Re:You're looking at it backwards... by mikek2 · · Score: 3, Insightful

      They weren't testing the operating systems, they were testing the cadets.

      Agreed 100%. While supposedly the country's best & brightest, Cadets truly aren't more than horny 21 year-olds (I was a cadet... trust me I know! ;).

      Yes, the NSA could've SMASHED them in minutes. But the bigger concept here is to get the cadets to wrap their brains around the idea of a Pearl Harbor on the US' IT infrastructure & how to protect against it.

      Assuming this exercise started this year (it didn't... just saying), we'll start to benefit in ~5 yrs, as these horn-dogs assume senior roles.

    4. Re:You're looking at it backwards... by Nursie · · Score: 2, Interesting

      CCEAL 4+ is the highest level one can attain without designing for CC from the ground up.

      SELinux presents much tougher security than is commonly available on commercial systems.

      There are hardened variants of others (solaris, for instance), but none of the vanilla, commonly available OS variants come close to SELinux.

    5. Re:You're looking at it backwards... by malevolentjelly · · Score: 1

      CCEAL 4+ is the highest level one can attain without designing for CC from the ground up.

      I disagree. I think this simply represents a deficiency in operating system security. It isn't tricks or hacks that get an operating system above 4, simply attention to detail and modern design. The NSA is very forward about best practices in security when writing operating systems; it's simply ignored by most of the consumer market.

      SELinux presents much tougher security than is commonly available on commercial systems... There are hardened variants of others (solaris, for instance), but none of the vanilla, commonly available OS variants come close to SELinux.

      Actually, I believe the version of Windows XP verified was suitably vanilla SP2-- or at least that's what the validation report seems to suggest. I maintain that SELinux simply gets Linux to the point that it's technically as secure as Windows from an abstract perspective. Linux vs. Windows security is only a matter of maintenance and implementation. Microsoft has enough control over Windows to theoretically improve on this, but I don't believe it's possible for Linux to exceed the security level it's at without scrapping the kernel as it stands and rethinking it from the ground up. EAL 4+ represents design where security was taken into account, but it's still not at the level of security we should require for government networks. It's essential these products are run behind highly secure separation kernels.

    6. Re:You're looking at it backwards... by Anonymous Coward · · Score: 0

      Oh my how you are uninformed. Is this your first day using computers, or are you a paid shill working for some gawd awful computer company, here to astroturf and hawk your broken wares?

    7. Re:You're looking at it backwards... by troll8901 · · Score: 1

      Cadets truly aren't more than horny 21 year-olds (I was a cadet... trust me I know!

      I've just watched Star Trek. I think you right-on. (Woooohooo! Female cadets wearing micro-skirts and showing off their legs!!)

      Very insightful comment by the way. It's also a complete turnabout from Clifford Stoll's "nobody taking responsibility" era 20 years ago.

    8. Re:You're looking at it backwards... by Nursie · · Score: 1

      It really doesn't. SELinux goes way beyond what is available on XP; I suggest you read about it sometime.

      CC is about design documentation and validation.

      SELinux is about very, very granular control over which processes running as which users have access to which files - i.e. running something other than passwd, even as root, would have no access to /etc/shadow. But a verified passwd binary can access it.

      Windows can't currently compete with that.

    9. Re:You're looking at it backwards... by malevolentjelly · · Score: 1

      SELinux is about very, very granular control over which processes running as which users have access to which files - i.e. running something other than passwd, even as root, would have no access to /etc/shadow. But a verified passwd binary can access it.

      Windows does not have a weak security model. It's when these security models are broken that problems occur. Linux is generally more protected than Windows through artificial means... you just don't run untrusted code in Linux nearly as often if ever. If you have any sort of execution privileges (or any access at all, really), you can always use a POSIX-like system's shared memory architecture to break the security model.

      Furthermore, talking about SELinux's security model as though it's anything more than an extension of Linux's security model is just misleading. We could talk about all sorts of features regarding NT's fine-grained ACL's and group policy and such, but they only work when they work- when they're not broken. Although a default Windows desktop with the user running as administrator is quite insecure, a well maintained enterprise Windows system that is fully enforcing its policy and security model to its fullest extent is as secure as an SELinux system, if not more. Modern Windows systems are generally more secure against remote attacks because they're loaded up with anti-exploit code. They have more anti-exploit code because they're more often exploited- it's very trial and error.

      SELinux was a process where linux was retro-fitted with a competitive level of security. It brings Linux to the plate in terms of security, and that was very important considering how wide the adoption of linux had gotten up to the point that it was introduced. If too many businesses and schools etc. had adopted linux with the misguided belief that the unix security model was somehow able to stand on its own against attacks, it would have been a national security problem.

      CC is about design documentation and validation.

      The common criteria is very relevant. Any level of "secure" Linux is a toy to a well-funded and dedicated attacker, especially if the attacker is able to plant exploit code within hardware in use by the systems running it. With all our computer hardware coming from China, for instance, our operating systems should be completely immune from attack from untrusted hardware. If a hardware device or driver has any capability of taking down the system from the inside, then it is simply not secure enough to deal with the sort of attacks we will see. The level of confidence people have in the NSA's emergency bandage work on the Linux security model simply demonstrates that we're poorly outfitted to deal with cyber attacks as a population.

    10. Re:You're looking at it backwards... by Nursie · · Score: 1

      You have no idea what SELinux is, go read a book. It's not group policy.

    11. Re:You're looking at it backwards... by malevolentjelly · · Score: 1

      You have no idea what SELinux is, go read a book. It's not group policy.

      Yes, it basically is a series of security policies and mandatory access controls comparable to the MAC's and ACL's in NT. I suggest you go read up on the Windows security model, because it offers similar relevant features to their model.

      You know, the NSA offers security consulting to Sun and Microsoft, as well. You simply don't see the NSA security work that goes into Windows because it's closed source. FLASK has been openly adapted to FreeBSD, Solaris, and Darwin also, but these systems still see their fair share of security flaws. It isn't a silver bullet.

      SELinux was a shot in the arm for Linux security, it's industry-competitive but certainly not unique and it is far from the last page in security for multi user systems.

    12. Re:You're looking at it backwards... by Nursie · · Score: 1

      SELinux was introduced in 2003, whereas windows didn't get any sort of MAC until it released MIC in Server 08 and Vista, years later.

      On top of that, I have read about ACL's. They do not provide the same capabilities as SELinux in any way; they are simply an extended set of user-to-object permission mappings. SELinux goes much further than that in defining different permission levels for the same user, on the same file, dependent on what program they are running at the time. D/SACL does not provide this.

      I say again, you don't know what SELinux is, go and read about it.
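
      The distinction argued over in the posts above (passwd may touch /etc/shadow while another program run by the same root user may not) comes down to the order and inputs of two checks. The block below is an added example, not SELinux code and not from either poster: a toy evaluator in which discretionary access control decides by uid and mode bits, and a type-enforcement layer decides by the process's domain and the file's type label. The type names mirror real SELinux labels (passwd_t, shadow_t, etc_t, user_t, sysadm_t), but the rule set is a constructed, deliberately tiny policy; the denial messages are shaped like real AVC audit lines so that the detection side is visible too.

```python
"""Toy DAC-then-MAC evaluator (added example; not SELinux itself).

The kernel runs the classic Unix permission check first, then the LSM hook;
a denial by either is final. With type enforcement, the same uid gets a
different answer for the same file depending on the domain it is running in.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int       # POSIX permission bits, e.g. 0o644
    type_: str      # SELinux type label on the inode


@dataclass(frozen=True)
class Process:
    uid: int
    domain: str     # SELinux domain the program transitioned into on exec


# Constructed rules, shaped like:  allow <domain> <type>:file { perms };
TE_ALLOW = {
    ("passwd_t", "shadow_t"): {"read", "write"},
    ("sshd_t", "shadow_t"): {"read"},
    ("passwd_t", "etc_t"): {"read"},
    ("sysadm_t", "etc_t"): {"read", "write"},
    ("user_t", "etc_t"): {"read"},
}

AVC_LOG = []                      # what the kernel would hand to auditd
PERM_BIT = {"read": 4, "write": 2}


def dac_allows(proc, f, perm):
    """Classic Unix check; root is not subject to it (CAP_DAC_OVERRIDE)."""
    if proc.uid == 0:
        return True
    shift = 6 if proc.uid == f.owner_uid else 0   # owner bits or "other" bits
    return bool((f.mode >> shift) & PERM_BIT[perm])


def mac_allows(proc, f, perm, enforcing=True):
    """Type enforcement: access exists only where an allow rule says so."""
    if perm in TE_ALLOW.get((proc.domain, f.type_), set()):
        return True
    AVC_LOG.append(
        f"avc: denied {{ {perm} }} for uid={proc.uid} path={f.path} "
        f"scontext={proc.domain} tcontext={f.type_} tclass=file "
        f"permissive={0 if enforcing else 1}"
    )
    return not enforcing          # permissive mode logs but does not block


def access(proc, f, perm, enforcing=True):
    """Combined decision in kernel order: DAC first, then MAC."""
    if not dac_allows(proc, f, perm):
        return "denied (DAC)"
    if not mac_allows(proc, f, perm, enforcing):
        return "denied (SELinux AVC)"
    return "allowed"


# Constructed sample objects. Mode 0000 on /etc/shadow is how RHEL ships it;
# root bypasses that through DAC override, which is exactly why MAC matters.
SHADOW = File("/etc/shadow", owner_uid=0, mode=0o000, type_="shadow_t")
HOSTS = File("/etc/hosts", owner_uid=0, mode=0o644, type_="etc_t")

PASSWD = Process(uid=0, domain="passwd_t")      # setuid passwd after transition
ROOT_SHELL = Process(uid=0, domain="sysadm_t")  # root running cat from a shell
USER_CAT = Process(uid=1000, domain="user_t")   # ordinary user running cat

if __name__ == "__main__":
    for who, label in ((PASSWD, "passwd"), (ROOT_SHELL, "root shell"),
                       (USER_CAT, "user cat")):
        print(f"{label:10s} read  /etc/shadow: {access(who, SHADOW, 'read')}")
    print(f"{'passwd':10s} write /etc/shadow: {access(PASSWD, SHADOW, 'write')}")
    print(f"{'root shell':10s} read  /etc/hosts:  {access(ROOT_SHELL, HOSTS, 'read')}")
    print("permissive:", access(ROOT_SHELL, SHADOW, "read", enforcing=False))
    print("\n".join(AVC_LOG))
```

The permissive case is the one to watch operationally: access succeeds, but the AVC line is still written, which is how a confined daemon that suddenly reaches for shadow_t shows up in the audit log before enforcing mode is switched on.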

    13. Re:You're looking at it backwards... by malevolentjelly · · Score: 1

      I say again, you don't know what SELinux is, go and read about it.

      I'm sorry. It's just a mandatory access control scheme and connected set of security policies. These fine-grained controls are great for enforcing policy on multi-user systems, but they still can't protect these systems from well-funded attackers. SELinux is a retro-fitted security model, no matter how you look at it. The security model is a later addition to an otherwise completely insecure system, and it still only works until it works. Devices and drivers can still DMA all over the system and destroy the security model. It's got a lot of armor on it now, but that's only going to protect it from conventional attackers.

      It is impossible for a system designed like Linux to ever achieve a higher security certification than it currently has. The system is completely maxed-out in security and it still does not offer the level of verification the NSA considers ideal (EAL 6+/7).

      On top of that, I have read about ACL's. They do not provide the same capabilities as SELinux in any way; they are simply an extended set of user-to-object permission mappings. SELinux goes much further than that in defining different permission levels for the same user, on the same file, dependent on what program they are running at the time. D/SACL does not provide this.

      MAC's vs the DAC's available in Windows XP are a minor detail in the scope of what I was originally talking about, to be fair. The level of enforcement they offer still succeeds mostly in protecting users from themselves and their own organization and casual malicious attacks. The system is secure until the security model is violated. Windows XP SP2 has still seen fewer critical exploits than the equivalent RHEL... there's something to be said about just having cleaner code and architecture. SELinux has effectively defeated Windows XP, Microsoft's now unsupported prior product, in keeping the front door closed, but that's not going to stop someone from coming in through the wall. The above article was about "organized attacks".

      It's all just terms unless they are actually practically keeping the system safe, though.

      One might maintain that the SELinux features necessary to lock down a system are more intrusive in Linux than in Windows Vista, for instance, so when it comes to remote attacks and exploits, a Vista user is probably safer in that more of these features might be enabled by default. If I remember correctly, when running SELinux on a Fedora system, certain basic features of the system will not work due to security policy. Certain bundled applications might not even run properly.

      If you look at the actual number of critical exploits released for the various major desktop systems yearly, Vista suffers from the fewest as compared to Linux or Mac OS X at the highest. Despite implementing Mandatory Access Control, Mac OS X systems, for instance, remain easily remote exploitable. Linux, on the other hand, cannot truly secure itself without completely wrecking what POSIX compliance it has.

      But it's all moot because none of these systems have a true protected memory architecture. I wouldn't be surprised if a more stripped down and less backwards-compatible NT 6.x system was able to achieve the next EAL level, but it simply won't happen with Linux. If an open source system accomplishes this, it will be one with a different kernel.

    14. Re:You're looking at it backwards... by Nursie · · Score: 1

      Right, so you concede on your original claim that SELinux was a patch to bring it up to comparability with other commercial systems, windows included?

      Given how it goes over and above what MS offers and has had it for longer?

      You're right that none of these systems have been designed for security from the ground up, sure, but you seem to overestimate MS operating systems which simply don't provide some of these features. Open systems are just not done that way.

      I, personally, would be very surprised if a stripped down NT 6 system could achieve a higher grade, simply because it requires (semi) formal design from the ground up, not hacked on later.

      As for the MS security model... LOL

    15. Re:You're looking at it backwards... by malevolentjelly · · Score: 1

      Right, so you concede on your original claim that SELinux was a patch to bring it up to comparability with other commercial systems, windows included?

      No, it's a security module hacked onto the kernel. It is not the first example of Mandatory Access Control, either. I think SELinux brought Linux up to par with Trusted Solaris from 2000. The NSA saw fit to harden Solaris years before they bothered with Linux.

      At that time, consumer-level Windows was not designed with those security goals in mind.

      Given how it goes over and above what MS offers and has had it for longer?

      It went over what Microsoft offered at the time. NT 6's security model is equivalent if not beyond SELinux. They may be equivalent in MAC's, but group policy got far more fine-grained in NT 6, and their DEP/NX implementation is much better.

      It's only helping if people are using it in either case, too.

      As for the MS security model... LOL

      It's not any less impressive than the Linux security model. These just aren't very secure systems. I still contend that NT 6 is more secure than current Linux, whatever you might add to it. The difference is negligible, though.

      I, personally, would be very surprised if a stripped down NT 6 system could achieve a higher grade, simply because it requires (semi) formal design from the ground up, not hacked on later.

      The NT kernel changes and develops at a more rapid rate than the Linux kernel. It's about a decade or so ahead in most respects... I don't think Linux has even caught up to NT 5 yet, in some ways. (I've seen the code.) The point I am trying to make is that Microsoft has more control over their platform than any specific party involved in Linux. However, they won't be able to do it without dropping all manner of backwards compatibility, which is just built-in insecurity. Whether it's general Win32 compatibility in Vista or POSIX in Linux, compatibility with legacy systems means insecurity. If it were Microsoft or the Linux horde getting it to the next security level, though, I'd say Microsoft has a better shot at this.

      I think the level of overconfidence in the Linux community over security is just dangerous. This viral sense of immunity from attack is starting to spread to naive buyers within the government- on a whole, I think this attitude is going to and has already cost our government networks some level of security. I am not recommending Windows as an alternative, merely making the point that Linux really is not more secure at this time. If that doesn't worry you, it should.

      At this time, any of these systems should be well virtualized where they can't hurt themselves or others in any security context behind a secure separation kernel like Integrity PC or something.

  18. How Much Do You Want to Bet.... by BJ_Covert_Action · · Score: 1

    ...that in about one week's time there will be a report in the mainstream media about how multiple US Armed Forces' networks underwent a thorough attack by unknown sources that were probably of Russian or Chinese origin, not realizing that it was this training exercise?

  19. number of comments back by Anonymous Coward · · Score: 0

    Totally off-topic but it's good to see the number of comments back on the front page summary

  20. The sad truth... by rickb928 · · Score: 2

    Is that if your system is attached to a publicly-available network, you cannot be certain of a secure system. Don't even try to tell me you can secure your network against all network-based attacks, current and future.

    All you can do is raise the bar sufficiently to deter and defeat the lam0rs, and be able to focus your attention on detection, remediation, and retribution - if that's your style.

    Having been rooted a few times, I would have loved to slip a little Ex-Lax into their Dew, but my boss said leave them alone. Just as well, they always come back for revenge. Our government may think differently.

    But if it's hooked up to the Internet, count on it being compromised. Encrypt your data separately. Make backups and disaster recovery plans. Pray for this to happen on an otherwise quiet weekend, not the day before the quarterlies go out. And have an alternative. Anything is better than nothing.

    In case you're wondering, I am a fatalist when it comes to network security. I see little hope.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:The sad truth... by PhxBlue · · Score: 2, Funny

      Don't even try to tell me you can secure your network against all network-based attacks, current and future.

      Sure I can. All I have to do is pull out this little cable right here an

      --
      !#@%*)anks for hanging up the phone, dear.
    2. Re:The sad truth... by drinkypoo · · Score: 3, Funny

      Sure I can. All I have to do is pull out this little cable right here an
      --
      !#@%*)anks for hanging up the phone, dear.

      Never have I seen comment and sig in such harmony.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  21. That's great, but... by Endo13 · · Score: 1

    In other words, grasshopper, nice work -- but the NSA is capable of much craftier network take-downs.

    Thank you Mario! But our princess is in another castle!

    --
    There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
  22. Finally! by K.+S.+Kyosuke · · Score: 1

    "The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."

    2009 will be the Year of the Linux MBT!

    --
    Ezekiel 23:20
  23. Nothing new here by ronmon · · Score: 4, Informative

    I was in the AF from 1977-1981 and worked directly for the NSA when they still had some scruples. In fact, my last posting was at Fort Meade after several years in the far east.

    As a '202xxA' (Radio Communications Analyst), that focused on foreign military communications, I could have been reassigned at any time as a 202xxB (Radio Communications Security Specialist) with no retraining. The B job just meant we were testing our own weaknesses instead of exploiting those of our opponents. It is important to look inward, find your flaws, and fix them. Kind of like debugging open source code, huh?

    That's what they were doing. Good job.

  24. Why would talented hackers want to expose themselv by melted · · Score: 1

    Why would talented hackers want to expose themselves like this to NSA? That's what I don't get. It's like submitting freaking fingerprints to the police before you rob a store.

  25. An obvious question not answered: by Tired+and+Emotional · · Score: 1

    What did the losing teams use? If they all used Linux then the fact that the winning team did so is uninteresting. I assume that the teams were required to provide some set of services as well otherwise a winning strategy would be to simply pull the network connections.

    --
    Squirrel!
  26. I'd rather watch this rather than Army vs Navy fb by PottedMeat · · Score: 1

    When will I be able to watch an event as this live somewhere with play-by-play?

  27. Re:Why would talented hackers want to expose thems by jeff4747 · · Score: 1

    Why would talented hackers want to expose themselves like this to NSA?

    Well, #1: They want their degree.

    #2: They already work for the government, since these are service academies

    #3: Working for the NSA pays nicely, and you don't have to worry about jail cells or bullets in the head.

  28. Reverse of the Medal by rlseaman · · Score: 1

    Very interesting! It's good to see a completely positive story about DoD activities.

    Ideally, the teams would be allowed to attack other schools' networks while also defending their own but only the NSA, with its arsenal of waivers, loopholes, special authorizations is allowed to take down a US network.

    How about inverting the competition? Presumably this "arsenal of waivers" could be used as a letter of marque to protect the various academy teams when attacking an NSA prepared target. It could be even more revealing to see "No Such Agency" playing defense.

    1. Re:Reverse of the Medal by samcan · · Score: 1

      These kinds of competitions always sound like so much fun. Attacking the NSA, with permission? Sign me up!

    2. Re:Reverse of the Medal by TED+Vinson · · Score: 1

      The reason for preventing the teams from conducting attacks is not legal, it is technical. This exercise is not on a LAN like the typical capture the flag game. The academies are connected via WAN links for the CDX.

      Unconstrained force-on-force attacks would probably collapse this network or result in an ugly scrum of flooding attacks and bandwidth starvation, rather than an educational exercise.

  29. Platforms by wandazulu · · Score: 1

    A lot of malware assumes that if it can get on the system, even if it's just a stub program, it can then open a connection and download the rest of it. Since most malware assumes an x86 architecture, the program is downloaded already compiled for said architecture.

    By introducing a less-common processor, first, any pre-compiled code simply won't work. Plus you'd have to now figure out what type of processor your target is using, which is not necessarily easy (if I was maintaining such a machine, I'd make sure no program, like Apache, identified the architecture by stripping out any mention of it on the 404 pages, etc.).

    Even assuming you figure out the architecture, the machine would never ever ever have any kind of compiler on it so even if you got into it, you wouldn't be able to build anything, you'd have to get ahold of another machine of a similar chipset and build it separately.

    All of this can be done, and sure, you could pick up an Alpha if you want from ebay, but for 99.99% of attacks, no one wants to. If you are a foreign government trying to get at my aircraft blueprints, it might be worth it to try, though I'd argue the booze-n-hookers approach would be easier.

    1. Re:Platforms by RiotingPacifist · · Score: 1

      I suppose it protects you from simple attacks (hopefully these would be stopped anyway) but a determined hacker wouldn't have much trouble, they could just cross compile from x86 without needing an Alpha box.

      --
      IranAir Flight 655 never forget!
  30. What this really shows by WindBourne · · Score: 3, Interesting

    Up until 9/11, the nation's top computer security ppl were NSA. They had responsibility for it, which is why they created and pushed SEL. In addition, they insisted on running SECURED *NIX on all of their important systems. But then W and his staff created DHS and put them in charge of computer security. So far, that group has been a total set of f-ups. I used to work with several of those guys, and they were worthless back in 2000. Absolutely little to no real knowledge.

    It is time to put the NSA back in charge of this.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  31. This problem is your fault by symbolset · · Score: 1

    If you wanted a Linux computer, you should have bought one. You're not going to ever get what you want if you keep encouraging them to use the crap chips and subsystems with secret interfaces.

    If you want a Linux laptop, buy a freaking Linux laptop. It's not like they're not all over the place. Here, for example.

    If you quit paying them to jerk you around, they'll quit doing it. Capiche?

    --
    Help stamp out iliturcy.
  32. Going too far by Max_W · · Score: 1

    Not only this. Forums of RuNet (the Russian segment of the Internet) are overrun and occupied by paid bots. They sit tight and at every new original post react with dozens of twin posts, which inevitably express the interests of Uncle Sam.

    Maybe it is good for the interests of democracy worldwide in perspective, but it surely makes forums uninteresting and suffocates free discussion. When the State Department announced a couple of years back the creation of the Information Special Forces, I could not imagine that it would be so massive and omnipresent.

    I mean, will the Internet not die if rich political entities flood it with political spam? And now this - attacks are being polished again by political forces. Will it grow the same ugly way as the Information Special Forces?

    1. Re:Going too far by Max_W · · Score: 1

      I can break with a sledgehammer any door, even a reinforced one. Just give me ten minutes, a good sledgehammer, and protective glasses.

      Should I walk around and break doors to people's houses and apartments to train them to make safe doors?

      Or should we try instead to make good calm cities and villages where people can live in harmony? And which are policed by trained, fair police?

      I think entities like the NSA and the US armed forces should work on creating a fair, co-developed world, and work with United Nations organizations and Interpol to police the Internet worldwide, but not on developing attack techniques. Is that a good way to spend limited resources?

  33. Poorly funded FOSS vs well funded Proprietary by troll8901 · · Score: 1

    ... SELinux simply gets Linux to the point that it's technically as secure as Windows ... Microsoft has enough control over Windows to theoretically improve on this, but I don't believe it's possible for Linux to exceed the security level it's at without scrapping the kernel ...

    You've just brought up an interesting discussion:

    Can poorly-funded open source software become as secure as well-funded proprietary software?

    Woah! I've just become flamebait! Goodbye, mod points, I'll miss you.

    1. Re:Poorly funded FOSS vs well funded Proprietary by malevolentjelly · · Score: 1

      Can poorly-funded open source software become as secure as well-funded proprietary software?

      We're not supposed to acknowledge these sorts of things on slashdot...

      People throw barrels of money at Linux, but it's simply a weak and archaic design. There's a lot of money and effort going towards it, but it's poorly organized so it lacks vision. The reality is that you can't "retro-fit" security to be above the EAL 4+ security level, which Linux is currently at. It's that simple. Implementing security on Linux will always be a case of "retro-fitting" because it lacks a modern kernel design at the very core.

      Some might argue that this makes the Linux kernel easier to develop for or more accessible, but any system that goes beyond the big three in security will likely be a true micro-kernel that is written entirely by highly skilled and qualified developers. Microsoft's kernel has a much more rapid development cycle and sees far more architectural changes... it's about a decade "ahead" of Linux right now. However, they have to secure the entire stack on top of the kernel, also, which suffers from *more compatibility*... so it's easier to come across a generic piece of untrusted code for it. If people ran as much untrusted code on SELinux as they ran on Windows, it would be quite clear that it's no more secure than anything else mainstream.

  34. The winning team by M-RES · · Score: 1

    ...were running a ZX80. The NSA didn't expect THAT now did they?

    NSA Agent: "How can we possibly run a virus in 1k of RAM?"

  35. Why is windows used at all then? by Anonymous Coward · · Score: 0

    The MoD use it and demand it. Your DoD purchase it for their warships, as do we.

    If using windows is such a handicap to security, why are they being used?

    As such it is a valid inclusion in the test.

    If Windows, with all the proprietary security software in the world to choose from, cannot hold its own, it shouldn't have been used anywhere in the DoD.

    Leaving it out of the test would have unfairly crippled the test since MS and vendors would have been able to say "Well, we are more secure than any of them, if used correctly".

    Now they can't.

  36. RTFA by Anonymous Coward · · Score: 0

    But the way the cadets designed their network was a big factor in their victory, too. The NSA dictated some terms: All networks had to be capable of e-mail, chat and other services and had to be up and running at all times despite any attacks or defensive measures. Beyond that, the teams were free to come up with their own designs.

    West Point's took three weeks to build. The cadets settled on a fairly standard Linux and FreeBSD-based network with advanced routing techniques for steering incoming traffic in directions of the IT team's choosing.

  37. Systrace by SgtChaireBourne · · Score: 1

    Does OpenBSD have any of the SELinux type security features?

    systrace is a different kind of tool. It does allow you to set access policies, but for system calls. Also, SELinux is an add-on for Linux kernels only. Systrace is available for Linux and the BSDs, which would include systrace for OpenBSD. You'll have to check if OS X is still covered.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  38. Richard Bejtlich's Observation of CDX 2009 by Helevius · · Score: 1

    Richard Bejtlich from the TaoSecurity Blog was invited by NSA's Tony Sager to visit the CDX in person:

    http://taosecurity.blogspot.com/2009/05/thoughts-on-2009-cdx.html

    Bejtlich mentions that CDX participants were given a budget for the exercise. This means it cost them "marks" (in exercise language) to replace the Windows images NSA provided with alternative systems like FreeBSD or Linux. That decision left the team with fewer resources for other tasks.

    The Army didn't win just because they used Linux. Bejtlich posts reasons why they won here:

    http://taosecurity.blogspot.com/2009/05/lessons-from-cdx.html

  39. Mac classic OS by Anonymous Coward · · Score: 0

    Are there any remote exploits for classic OS? I am not aware of any if file sharing is turned off. That might have been an interesting wildcard to throw at NSA as a defense.

  40. quid pro quo by Anonymous Coward · · Score: 0

    I thought that is how they got around "domestic spying" alleged illegalities. They have a gentleman's spook agreement to share info. Their spooks spy on your citizens and vice versa, circumventing the rules while not actually breaking them. They then share intel gathered.

  41. Yet another by The+Cisco+Kid · · Score: 1

    goddamn link that leads to a login page instead of the described articles.

    I've said it before, I'll say it again - if you can't find a link to a news story that goes directly to the story instead of a login page, DON'T FUCKING POST IT!

    editors: It would be nice if, when you get links like these, you could take ten seconds once to use Google to find the same story hosted by a site that's not run by ASSHOLES, and potentially save thousands of people from having to waste ten seconds each (thus resulting in tens of thousands of wasted seconds).

  42. Anyone have more details on the attacks? by zaffir · · Score: 1

    The article only mentions "flooding an email server" and "installing viruses." This couldn't have been just a glorified DoS from the NSA, could it?

    --
    "Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway