Slashdot Mirror


DARPA Seeks Input On Securing Networks Against Attackers

hessian writes with an article in Wired about the problems facing the U.S. Government's networks in an increasingly hostile world. From the article: "The Pentagon's far-out research agency and its brand new military command for cyberspace have a confession to make. They don't really know how to keep U.S. military networks secure. And they want to know: Could you help them out? DARPA convened a 'cyber colloquium' at a swank northern Virginia hotel on Monday for what it called a 'frank discussion' about the persistent vulnerabilities within the Defense Department's data networks. The Pentagon can't defend those networks on its own, the agency admitted."

61 of 119 comments

  1. Wrong audience by EdZ · · Score: 4, Insightful

    Darpa convened a “cyber colloquium” at a swank northern Virginia hotel on Monday for what it called a “frank discussion” about the persistent vulnerabilities within the Defense Department’s data networks.

    Well there's your problem! The ones at the forefront of breaking-into-electronic-systems-in-interesting-ways aren't the usual crowd the DoD are used to wooing (heads of industry, academic engineers, the conference-at-swanky-hotel crowd) but people working out of their basements fiddling with things for the fun of it.

    If they want a real assessment, offer a honeypot network with some stand-in data, and set a prize for whoever can get it and tell them how.

    1. Re:Wrong audience by Ihmhi · · Score: 1

      We used to use tiger teams - hell, maybe we still do. A group of professionals that would try to break into government facilities or steal data. I think the best way to secure the systems would be to have the best people we can spare try to break into them and then recommend how we can make it harder for them.

    2. Re:Wrong audience by FriendlyLurker · · Score: 1

      "They don’t really know how to keep U.S. military networks secure." Translation: "Hand up if you want to go on our security risk Suspects List". Could you help us out?

    3. Re:Wrong audience by SomePgmr · · Score: 1

      I imagine NSA's red team, or "Vulnerability Analysis and Operations Group", is still around.

      Extraordinarily capable, loyal, well-trained professionals that act as hostile foreign agents to expose security gaps in government systems.

    4. Re:Wrong audience by t0rkm3 · · Score: 1

      The Army still employs the Red Team, Blue Team model as well. There is a Warrant Officer billet for it. The few that I have met weren't terribly competent though. They were the ones who were persistent enough to hang around and get into the "cool" program. (Although my sample size is slightly more than a handful of reservists.)

    5. Re:Wrong audience by timeOday · · Score: 1

      If they want a real assessment, offer a honeypot network with some stand-in data, and set a prize for whoever can get it and tell them how.

      No, that's exactly what everybody's doing now - an endless game of find-and-patch whack-a-mole. That's not DARPA, it's Norton anti-virus.

      What they want is to go back to first principles for a fresh start, to preclude as many attacks as possible from arising in the first place. How possible that is, nobody really knows. I'm afraid it will be determined that there's a sort of negative application of Turing completeness that means any computer capable of doing much of anything can do everything, including bad things. Security can't be entirely engineered in because the goals are fundamentally subjective - keep the "bad guys" out without denying access to the "good guys." No formal system will completely match our varying intuitions on who is good or bad and what exactly is a breach etc.

    6. Re:Wrong audience by Stubot · · Score: 1

      This was my first thought as well..

    7. Re:Wrong audience by HiThere · · Score: 1

      OK. Write your own operating system from scratch. You can use Linux or BSD as a model, but change all the system calls, factor things differently, and use a language that will prohibit wild pointers. There's a dialect of D (Digital Mars D) that would work. There's also supposed to be a dialect of Ada, but I don't know enough about it to be sure. DON'T use C or C++, as you can't secure array boundaries.

      Then write your own network protocol. You can use IP as a guide, but change everything. I'm not just talking cryptogram here, refactor the protocols. And build in positive identification from the start. (Presume that Quantum Computers will be successful, and that you can't depend on prime factorization to keep your data safe, so you need a handshake that can't be broken that way.)

      Yes, this would be a lot of work. Yes, you would never be able to make this public, so you'd need to maintain the whole system. And it would be just as well if the communications could masquerade as https sessions, but they better not BE https sessions.

      Don't expect to keep this secret. So plan things so that they will work even if your opponent knows the entire system. But try. And really try to keep the details of the protocols secret. (This means that if someone attempts to break in over the internet, you lead them to a fake site. A kind of honeypot that they can't tell isn't the site they were trying to reach. And require enough id information for them accessing that site that you can tell where the vulnerability is that let them get that far, so that you'll be able to fix that.)

      For that matter, use custom connectors for storage devices, so that only specially modified devices can be plugged in. USB keys have slightly different voltages supplied in slightly different locations on the plug. The part that's insulating and the part that's conducting aren't in the same places. Disk drives write oddly sized blocks in an unusual order. Etc. None of this can't be circumvented, of course, but when they get the file blocks in the "right order" the data itself wasn't written as expected. Different error correction coding, etc.

      N.B.: Much of this is just an enhancement of things that were done in the 1960's. They stopped doing them for reasons of cost. But a secure network isn't going to be cheap. If you build a cheap network, it won't be secure. If you build a secure network, it won't be cheap. And if you want a REALLY secure network, it will be REALLY expensive.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    8. Re:Wrong audience by SomePgmr · · Score: 1

      Normally I'd avoid getting all "this one's better than that one", particularly since I come from an Army family, but it does seem like the NSA's team is the group you hear all the spook-ish stories about. And I assume they recruit reliable and talented people from the various branches.

      That said, I'm sure there are smart people in all corners.

    9. Re:Wrong audience by ralphdaugherty · · Score: 1

      No need to write the OS, it's been done. IBM iOS formerly i5/OS formerly AS/400. POSIX compliant, has the UNIX shell built in, all major languages, C++, Java, PHP, and yes RPG and COBOL. Apache and Websphere web serving. Also white list IP address ranges allowed access at entrance points to network.

      Don't know the details of network administration, but PC's would be SELinux and not directly accessible from outside network for port scanning, etc.

      This would be an extremely secure network. It's there, it would make stealing data from servers a thing of the past. It would make a lot of expensive vendors very unhappy though.

    10. Re:Wrong audience by Ihmhi · · Score: 1

      The fact that this kind of shit is happening means that they are either ineffective, understaffed, or both.

      I mean, isn't one of the best tests of security by attempting to break into it? If we don't constantly test ourselves, we'll get complacent and shit like this happens. How long will it be before a foreign government fires off a missile or de-orbits a satellite?

    11. Re:Wrong audience by HiThere · · Score: 1

      You're proposing something that's quite secure, but not *really* secure. Nobody has ever written the kind of system I proposed, because **it would be an incredible amount of work**. And you are proposing standard IP, which has known problems. E.g., you can't be sure who is on the other end of the line.

      POSIX can't be used for real security, because it's got known holes. They aren't large, but they are there. SELinux is better in certain areas, but it's only better, not really secure.

      It's true that the thing I was proposing wouldn't ever be done, but it would be secure. (Although, honestly, even that wouldn't be perfect. As others have said the only way to get real security is to melt down the disk drive, destroy all copies of the data, and then destroy the ram. And the CRTs. I had one system where I could read frequently displayed images on the CRT even with the power off. Don't know if LCD screens have the same weaknesses, so destroy them thoroughly also.)

      Now a practical degree of security is reasonably available, but that's not what the summary said they were asking for. (And, in practice, the reports I've run across say they do an abysmal job of security. But I hear about banks & card companies being broken into more often...enough so that I won't activate electronic banking.)

      This is probably meant about as seriously as the "petition submission site" was.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    12. Re:Wrong audience by ralphdaugherty · · Score: 1

      You're proposing something that's quite secure, but not *really* secure.

      I take it you don't know much about the IBM i OS. It's "really" secure. Used by hundreds of thousands of business and government organizations around the world.

      In addition, whitelisting IP address ranges that can access the network eliminates the source of most attacks. And using a security device along with a password eliminates the rest.

      You act like systems can't be secure but we have real businesses that successfully fend off the constant attacks. It starts with IBM i OS though. POSIX compliance isn't inherently insecure. But it does provide IBM i OS compatibility with Unix.

  2. I wonder what this says about by Chrisq · · Score: 1

    I wonder what this says about their own confidence in SELinux.

    1. Re:I wonder what this says about by moderatorrater · · Score: 1

      Nothing really. SELinux helps you implement least privilege, but that's about it. There are many, many more aspects to securing a network and what's on it than just least privilege.

    2. Re:I wonder what this says about by fuzzyfuzzyfungus · · Score: 1

      Probably not too much, in an architectural sense. Probably a lot, but not a terribly surprising lot, in an institutional sense.

      Building impressively secure systems(while by no means easy, it is serious software engineering and/or comp sci) is something that people can do and have done.
      Building impressively secure systems that aren't wildly expensive and wholly incompatible with the shoddy-but-feature-rich crap that people like to buy is substantially harder.
      Building impressively secure systems that aren't wildly expensive, or wholly incompatible, and provide security by association to said shoddy-but-feature-rich crap is Just Plain Hard.

      I suspect that their problem is less that there is something fundamentally broken with SELinux and more that they have no realistic chance of being able to say "SHUT DOWN EVERYTHING!"(on both their own networks and those of contractors who might as well be an extension of them, in terms of sensitivity) and give BOFH Hardass the opportunity to run roughshod over every consideration that isn't security to his heart's content for a few years and make the users live with the results...

    3. Re:I wonder what this says about by Danathar · · Score: 1

      Nothing since SELinux is not about securing networks.

    4. Re:I wonder what this says about by bhmcintosh · · Score: 1

      I love those faculty and sysadmin types here who expect us to write these hideously involuted Access Control Lists on our routers to make up for their steadfast desire to avoid actually administering their systems. (*eyeroll*)

      --
      Network geek with a strong affinity for Telecasters
    5. Re:I wonder what this says about by morgauxo · · Score: 2

      If you walk into any given government office what do you expect to see on their monitors? I don't think it's Linux. That's one of the things they need to fix. Dump Windows. Yah, just blaming everything on Windows would be a troll, there is certainly more to security than that. Any OS and the applications must be configured correctly, the network itself must be secured, all that is true. Still, there is little good to be said about Windows security. Having it on the networks automatically makes the network less secure. Ban it AND secure the OSs and network which remains.

    6. Re:I wonder what this says about by ka9dgx · · Score: 1

      You're correct... and nobody thinks that hosts can be secure, because our current conception of security is that it makes something unusable. It doesn't have to be that way, and I've pointed that out many times, but preaching about capability based security to this choir just doesn't work.

  3. Re:If the Us can't by Chrisq · · Score: 1

    Then who can?

    Super Man?

  4. Re:Go basic by sgt+scrub · · Score: 1

    Oh, you want really secure? Turn it off and never use it.

    No doubt!

    Gooberment: "Please secure my network from any possible attack."

    l4t3r4lu5: Yoink. bzzzzzzrrrrr. "There you go!"

    --
    Having to work for a living is the root of all evil.
  5. Secure systems by Tomato42 · · Score: 5, Interesting

    Start using systems that were designed to be secure in the first place. Stuff that works on a "deny by default" basis, that refuses to process any data that it doesn't understand, use OCSP as a white list on the CA side, defence in depth: use strict validation of input on multiple levels (when making a web app: using a default-deny application firewall, then strict validation in form processing and finally use modular application design that validates data received from other modules) and so on.

    This will require throwing away most, if not all, software in use. Including OSs, probably even Linux as I'm not sure if SELinux (or other such systems) go deep enough on the kernel side. Then making new software from scratch with the primary design objective to be secure. As no politician or PHB can justify spending this amount of money on such a nebulous concept as security, the whole idea will fail. Because this won't eliminate, just reduce, the number of security-related bugs, it won't help the cause.

    We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and just then how to program.

    1. Re:Secure systems by canipeal · · Score: 1

      I wish I had some mod points to mod parent up. I would also suggest they remove the bureaucracy involved in the C&A and pen testing phases. Anyone who's ever been a part of the process can clearly see what little value is added against APT.

    2. Re:Secure systems by Tomato42 · · Score: 1

      Well, if running a pentest is only a first step in evaluating the security of the system (after all it verifies if it's secure against the most common attacks) and you throw it away as soon as it fails it, I'd say it adds large value.

      I completely agree, test and patch doesn't work, if it did sendmail and IE would be the most secure software packages in existence.

    3. Re:Secure systems by morgauxo · · Score: 1

      My prediction... any OS or other software written by security experts with security as its number 1 goal would be worthless. It probably wouldn't allow real people in real situations to get any work done, or if it did it would require them to go through convoluted productivity-limiting steps to do so. I suspect any computer running such an OS would be about as useful as a pet rock.

      What is needed is more well-rounded professionals that understand both security and users' needs. I don't think our current system of universities where higher degrees = higher specialization or the average corporate culture where higher specialization = higher pay are ever likely to produce such individuals. Instead what we will have is government organizations and companies running insecure in order to get work done until things reach a breaking point. Then they bring in the BOFH. Then they remember why they cut all the security corners in the first place when they can no longer be productive, bringing the cycle full circle.

    4. Re:Secure systems by Tomato42 · · Score: 1

      Secure systems aren't useless, they are highly inflexible.

      If you have a workstation commissioned to run 2 or 3 very specific jobs (entering recruits' data, administering a SCADA system, piloting UAVs, etc.) it can be relatively easily secured even now. Unless it has to have access to the web (with its Flash, HTML5, Java and ActiveX), then it's impossible to secure if you don't use a purpose-built browser (that disables most of the functionality). Of course in any scenario, a user can't be allowed to install new software or use flash drives not encrypted with the company's crypto keys.

      That would make any open computing system (working like Windows with its "download it yourself" installers) completely unusable for general user. At the same time, I could see a general purpose Linux distribution be actually usable. Installing 3rd party software on it would be hell though... Unfortunately that's the price we have to pay for really good security.

    5. Re:Secure systems by Tomato42 · · Score: 1

      Control characters are limited to the first 127 ASCII characters in UTF-8. Any of those characters encoded as a multi-byte character, which is possible, is not valid UTF-8. You may not know how to render all characters, but you definitely can sanitize UTF-8 input: the list of all characters that can be rendered by a given font is finite.
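
As an added example, not code from the thread or its posters: a strict UTF-8 validator that rejects the "overlong" multi-byte encodings the comment refers to (an ASCII control character such as NUL or LF written as a 2-, 3- or 4-byte sequence), together with truncated sequences, UTF-16 surrogates and code points above U+10FFFF, and a sanitizer that then strips C0/C1 control characters from the vetted text. The rules follow RFC 3629; the function names and sample inputs are my own.

```python
# Added example (not from the Slashdot thread): strict UTF-8 validation and
# sanitization. An overlong form such as E0 80 8A decodes to U+000A (LF) on a
# lenient decoder, so a filter that only looks for the single byte 0x0A would
# miss it; rejecting every malformed sequence up front closes that gap.
# Rules per RFC 3629; function names are assumptions of this example.

CONTROLS_KEPT = {"\t", "\n", "\r"}   # whitespace controls that are normally wanted


def validate_utf8(data: bytes) -> tuple[bool, str]:
    """Return (True, "ok") for well-formed UTF-8, else (False, reason)."""
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # single-byte ASCII, always fine
            i += 1
            continue
        if 0xC2 <= b0 <= 0xDF:
            need, cp, min_cp = 1, b0 & 0x1F, 0x80
        elif 0xE0 <= b0 <= 0xEF:
            need, cp, min_cp = 2, b0 & 0x0F, 0x800
        elif 0xF0 <= b0 <= 0xF4:
            need, cp, min_cp = 3, b0 & 0x07, 0x10000
        else:
            # 0x80-0xBF: continuation byte with no lead byte; 0xC0/0xC1: can
            # only produce overlong 2-byte forms; 0xF5-0xFF: beyond U+10FFFF.
            return False, f"invalid lead byte 0x{b0:02X} at offset {i}"
        if i + need >= n:
            return False, f"truncated sequence at offset {i}"
        for k in range(1, need + 1):
            b = data[i + k]
            if not 0x80 <= b <= 0xBF:
                return False, f"bad continuation byte 0x{b:02X} at offset {i + k}"
            cp = (cp << 6) | (b & 0x3F)
        # The minimum-value check is what rejects overlong encodings: a code
        # point must be written in the shortest form that can hold it.
        if cp < min_cp:
            return False, f"overlong encoding of U+{cp:04X} at offset {i}"
        if 0xD800 <= cp <= 0xDFFF:
            return False, f"UTF-16 surrogate U+{cp:04X} at offset {i}"
        if cp > 0x10FFFF:
            return False, f"code point U+{cp:X} above U+10FFFF at offset {i}"
        i += need + 1
    return True, "ok"


def sanitize_utf8(data: bytes) -> str:
    """Reject malformed input outright, then drop C0/C1 control characters
    (except tab, LF and CR) from the decoded text."""
    ok, reason = validate_utf8(data)
    if not ok:
        raise ValueError(reason)
    text = data.decode("utf-8")   # safe: validate_utf8 has vetted every byte
    return "".join(
        ch for ch in text
        if ch in CONTROLS_KEPT or not (ord(ch) < 0x20 or 0x7F <= ord(ch) <= 0x9F)
    )


if __name__ == "__main__":
    # Constructed samples: the overlong forms are what a naive byte-level
    # filter for b"\x00" or b"\n" would miss.
    samples = {
        b"caf\xc3\xa9": "2-byte e-acute, valid",
        b"\xc0\x80": "overlong NUL, invalid lead byte",
        b"\xe0\x80\x8a": "LF as a 3-byte overlong sequence",
        b"\xed\xa0\x80": "encoded UTF-16 surrogate",
        b"\xf4\x90\x80\x80": "U+110000, above the Unicode range",
        b"\xe2\x82": "truncated sequence",
    }
    for raw, note in samples.items():
        print(f"{raw!r:24} {note:36} -> {validate_utf8(raw)}")
```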

    6. Re:Secure systems by DanielRavenNest · · Score: 1

      The Internet was designed to be damage tolerant, not secure. So it is fundamentally the wrong design for a secure system. Instead, the current internet does its best to *deliver* data. So likely their best choice is to build a new network from the ground up, designed to be secure. That probably means *not* based on the Internet Protocol.

    7. Re:Secure systems by The+Mr.K · · Score: 1

      We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and just then how to program.

      This theory can be applied to so many things when it comes to programming and designing. Many web applications are designed by designers, and security is never a consideration. Security awareness is increasing though, but it will take time to spread this knowledge through the industry.

  6. Re:If the Us can't by Mr.+Freeman · · Score: 2

    The candy man can

    --
    -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
  7. Re:Go basic by Mr.+Freeman · · Score: 1

    TYPEWRITERS! TYPEWRITERS FOR EVERYONE!

    Filter error: Don't use so many caps. It's like YELLING.

    --
    -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
  8. Re:If the Us can't by piripiri · · Score: 1

    Another country?

  9. Enforce Policy. by indros · · Score: 1

    If you're not willing to make the hard calls when someone can't do something as simple as patching, you're doomed from the start.

    1. Re:Enforce Policy. by Tomato42 · · Score: 1

      Software that requires regular patching is not secure at any point in time.

  10. Get rid of Windows by GameboyRMH · · Score: 3

    Securing the network on Windows is just about impossible. It was originally designed when computer security was nothing but a far-out concept and attempts to retrofit security into it without tossing out the basic design have been unsuccessful so far; actually securing it would require a silly level of hacked-up modification (try to prevent wifi dual-homing, I dare you). Toss out Windows, start with a custom Linux distro and go from there. Network-booting machines secured with in-house-administered TPM will be extremely hard to break into. Allow centralized control of all software so that any change to a computer's OS that wasn't signed off on by the IT department sets off the biggest red flag in the world.

    It can be done but not while trying to pussyfoot around with commercial consumer-grade toys.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:Get rid of Windows by MadKeithV · · Score: 1

      (try to prevent wifi dual-homing, I dare you).

      Physically remove WiFi capability from your system?

    2. Re:Get rid of Windows by GameboyRMH · · Score: 1

      Har har.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:Get rid of Windows by MadKeithV · · Score: 1

      Har har.

      I don't see why you think that's funny - we're talking capital-S security with DARPA here. Relying on encryption to keep your broadcasted-to-anyone-in-the-neighborhood data safe is clearly strictly less secure than not broadcasting your data in the first place.
      And don't think that I'm limiting myself to WiFi when I mean "broadcasting" - just audio could be enough to compromise security: https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information.

    4. Re:Get rid of Windows by morgauxo · · Score: 1

      While I agree with your conclusion, that Windows is hopeless, I question your logic. Linux is a Unix clone which is older than Windows. Certainly decent security can be added onto an existing OS. The difference is more the environment in which the two are developed, not when they were originally designed in relation to when network security became important.

    5. Re:Get rid of Windows by HiThere · · Score: 1

      Unix was designed with security in mind. It was designed to run as a multi-user system on college campuses, with lots of snoopy students...or students that wanted extra time to complete their projects.

      MSDos intentionally stripped out all the security, in order to run more efficiently on minimally powered single user computers. The security didn't even START getting added back in for nearly a decade, and then it was mainly PR gestures.

      It's not just the age of the system, it's the history. Every time MSWind starts to implement serious security measures they break many programs that users depend on, so even when they want to, they are quite slow and hesitant. OTOH, I have heard that recently they've increased their security measures. Certainly Linux has weakened theirs. (Single user systems really *don't* usually require the kind of security needed by multi-user systems.) And Linux has never been as secure as its reputation. E.g. in a really secure system tar wouldn't be able to untar a file and assign it executable permissions. That would require a manual intervention. A part of its security has always been that it was a less targeted system. I'm not sure the Android has changed this, as the Android is so different from standard Linux that it's doubtful that the same attacks would work.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  11. We need talent by bbasgen · · Score: 1

    The core problem for the US government, and whichever of the many branches that is taking responsibility for this or that part of the government's cyber infrastructure, is a lack of pervasive talent among the staff. In order to attract talented staff, it is essential to have a very transparent mission and vision for an organization. Is the US government really committed to securing the infrastructure?

  12. Prevent spear-phishing by satuon · · Score: 1

    Well if you look at the Chinese attacks they are all based on spear phishing. So what you need to secure is prevent people from running code sent to them via emails. It's really easy to do - simply enforce whitelists - not blacklists, whitelists. For example, the OS should refuse to run unsigned exe files - not simply ask you if you're sure, but actually tell you that you can't, period. And by unsigned I mean anything not signed with the private keys of your organization. Also, make a whitelist of domain names so only approved websites can be visited. That cuts a large swath of infection vectors - now you can't enter into the computer network with the help of gullible employees because even if they want to run your exe or follow that link to your website and enter their password THEY CAN'T.

  13. "frank" is the 1st step by bzipitidoo · · Score: 2

    Frank discussion? That's the 1st problem.

    Security seems to be extra vulnerable to fraud. Many times, I saw military customers wooed by vendors who are perfectly willing to give them a load of bull about how they can't explain why their devices, software, and ideas are secure, because that would compromise the security. Then the military goes a step further, and abuses their secret classification system to cover up security problems, keeping important information even from their own people. They base security decisions on politics. They are more interested in getting a system approved as secure than in whether it is actually secure, and will lean on people to just rubberstamp systems. They play favorites. They like Windows, because they find it more user friendly, so they push to have it declared secure. Systems they don't like are held up to extremely difficult standards, the better to reject them. They engage in plenty of their own bull to pull that off. For instance, Linux is coded by foreigners, which they deem automatically makes it insecure. How can they know some foreign programmer won't put a back door into the Linux kernel? Never mind that Microsoft might employ Indians to work on Windows. And who's to say that US citizen programmers would never sell out?

    They want COTS (Commercial Off The Shelf), to save money, but there is no COTS that meets their needs. They play a funny game with contractors too. Employ people as contractors and treat them with deep suspicion, but won't employ them as their own experts who just might possibly be a touch more committed and loyal.

    No surprise that the military stinks up their security.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  14. Re:Parallel infrastructure by LordLimecat · · Score: 1

    That's what VPNs and ACLs are for. You don't think you could securely configure VPNs and ACLs for less than it would cost for a parallel infrastructure? What happens when someone bridges a wifi device onto your network?

  15. Easy by koan · · Score: 1

    Stop putting critical systems online.

    --
    "If any question why we died, Tell them because our fathers lied."
  16. With out the military part up or out will force ou by Joe_Dragon · · Score: 1

    out good tech people or force them to be managers and then on to some other post.

    Also a lot of tech people are too old for the military, others don't have the mindset to make it through a military boot camp. If some of it needs to be military, then maybe it needs a special rank system so techs are not forced to start at private pay, and officers should not be the same way as the rest of the military is.

    Also have a special boot camp, say maybe with little to no exercise part, no forced gun training, no other battlefield skills (we want people to work on IT and not be soldiers that can be sent anywhere). Maybe even have some kind of tech school, but I don't know if they should become officers (as some tech people make for poor managers); maybe have techs become team leaders.

  17. Re:Linux is doing SO WELL (not) on security lately by GameboyRMH · · Score: 1

    Come on, Android is hardly Linux, the Linux-based kernel isn't even compatible with the mainline Linux kernel. Apart from that distinction, it's about as far from a locked-down security-centric distro as you can get.

    And yes you can lock down Windows with an insane amount of work, but why not put that work towards a more fundamental and long-term solution, instead of slapping armor onto a vulnerable black box that was never designed to do the job?

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  18. Re:Parallel infrastructure by LordLimecat · · Score: 1

    Not all of those connections will be legitimate

    Which is why we have things like PKI infrastructures, pre-shared keys, and RSA tokens. At least there you know what the threat is, and can fortify around it.

    I'm not sure I've ever heard of a scenario where someone broke into a secure network by bruteforcing both the PKS and the secondary form of authentication; invariably, breaches are because someone made a stupid mistake like getting a virus, or by letting someone walk out with un-secured media, or connecting a wifi device to the secured network.

    And with your parallel infrastructure, the problem is that (unless you have other control mechanisms in place) a single wifi device on the network compromises the security of the whole segment.

  19. Re:Secure systems does include SE Linux by davecb · · Score: 1

    It's B1 in the old (stringent) rating scheme, and can be configured to provide a lot of protection against theft of data, via
    - mandatory access controls (not changeable by the process or user)
    - secure path (knowing it's really you at the keyboard)
    - covert channel analysis (genuinely hard, this is often "ongoing")
    - audit (which eventually runs you out of disk (;-))

    There is some protection against attack, but more or less as a side-effect of protecting against spies leaving with data.

    --dave

    --
    davecb@spamcop.net
  20. Wrong OS? by sammyo · · Score: 1

    Was anyone ever able to compromise a correctly configured VMS box? Has anyone broken strong well configured public key encryption? Security is not a big secret, not easy, but good, effective practices are not unknown. So is the question "how do we keep script kiddies off our sharepoint site installed by a neophyte sysadmin"? Really the only valid response is a well quoted "*sigh*".

    1. Re:Wrong OS? by HiThere · · Score: 1

      You can't assume that current public key systems will continue to be secure. Advances in Quantum Computing make that a dubious proposition. There are systems that will work, but they don't depend on prime factorization. (As for what they are, that's beyond the boundaries of my knowledge, but I don't believe they require quantum encryption, merely a system that can't be broken by a quantum computer, and actually, I'm told that they are rather limited in the areas where they have an advantage. (Though apparently elliptic encryption is one of them, so don't pick that one.))

      As to how difficult it is to maintain a secure system, that depends partly on just how secure you want to make it, and for how long the data needs to be kept secret.

      It's not clear that true security is possible short of dissolving the computers in acid and destroying all records. Reasonable security is much easier, the less secure it needs to be, the easier. But security on commodity hardware using commercial products...that has to be rated as towards the less secure end of the spectrum, especially if you allow network connections.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  21. Re:If the Us can't by alexborges · · Score: 1

    4chan!

    They ANYPA

    --
    NO SIG
  22. Re:Go basic by Joshua+Fan · · Score: 1

    That solution has always befuddled me. Why bother physically securing hardwired, functioning USB ports when you can

    1. Remove the USB ports or
    2. Disable the USB ports in Group Policy.

    The simplest way to prevent burglars from coming in your windows is to not have windows. Though you may like your windows, USB ports are not a necessity.
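    A concrete form of option 2, as an added example that is not part of the poster's comment: a PowerShell script (run elevated) that writes the same registry values Group Policy uses to disable the USB mass-storage driver and deny removable storage access, then reports the resulting state. Paths and values are the standard Windows ones; note that this blocks storage-class devices rather than the ports themselves, so keyboards and mice keep working.

```powershell
# Added example: disable USB mass storage on a Windows host via the registry
# keys that Group Policy itself writes. Run from an elevated PowerShell.

# 1. Stop the USBSTOR driver from loading (Start = 4 means "disabled").
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

# 2. Removable Storage Access policy:
#    "All Removable Storage classes: Deny all access".
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name Deny_All -Value 1 -Type DWord

# 3. Verify, so a compliance check can re-run this later. The policy value
#    takes effect after a policy refresh or reboot; the driver change applies
#    to devices plugged in from now on.
function Test-UsbStorageDisabled {
    $start   = (Get-ItemProperty -Path $usbstor -Name Start).Start
    $denyAll = (Get-ItemProperty -Path $policy -Name Deny_All `
                -ErrorAction SilentlyContinue).Deny_All
    # Count USB disks still present, to spot devices attached before the change.
    $present = @(Get-PnpDevice -Class DiskDrive -PresentOnly `
                 -ErrorAction SilentlyContinue |
                 Where-Object InstanceId -like 'USBSTOR*').Count
    [PSCustomObject]@{
        UsbStorDriverDisabled  = ($start -eq 4)
        RemovableStorageDenied = ($denyAll -eq 1)
        ConnectedUsbStorage    = $present
    }
}
Test-UsbStorageDisabled
```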

  23. Re:Go basic by tlhIngan · · Score: 1

    Air gap and superglue in the USB ports.

    Then you run into problems with data that needs updating, like say, a map. Putting it on CD/DVD only works until malware realizes it needs to embed itself on said media, and once it has, there's nothing to prevent another Stuxnet-like attack.

    If data needs to flow somehow between airgapped networks, you're screwed. Doesn't matter if you use a data diode, physical separation, etc. As long as there is some way that data needs to go from an insecure network or insecure PC to a secure one, it's a vulnerability vector. Stuxnet has proved it's possible.

    Oh, and patches count too - regardless of what needs patching. Unless the patches originate as developed on the secure network, it's a mechanism for insecure systems to pass data to secure networks. Even if you go so far as to enforce that the source code be displayed on the insecure PC, and typed in manually on the secure PC - the typists may get complacent and type in the malware as well.

    And there's a LOT of data that often has to be passed into a secure network - Intel (photos - where did the digital camera's memory card get plugged into?, maps - like the UAV fleet got infected, etc), reports, etc.

  24. Re:Go basic by Greystripe · · Score: 1

    Actually, if you wanted real USB security you'd open the system, pull the wires off the headers, then epoxy/clip the header so no one could open the system and add a stealth USB port to the header. Keep in mind there are anywhere from 1-6 sets of headers on the motherboard, and a few minutes of work would allow someone to attach USB devices whenever they wanted.

  25. Does it really need to be online ? by mikei2 · · Score: 1

    Any Internet-connected system will be compromised at some point in its design life. The only way to prevent this is to get really important things offline, and keep them off the Internet (including all of those government networks like Intelink, Siprnet, Nipnet, etc, etc, etc, etc, etc, etc, etc.)

  26. Re:Secure systems does include SE Linux by Tomato42 · · Score: 1

    AFAIK SELinux can protect you from attack only from user-space. It won't help against attacks on the kernel itself (which is important if we want secure networks). But then I'm not sure if any system with a monolithic kernel would be able to do this. On the other hand, monolithic kernels are the only OS kernels that actually work outside academia. This would suggest that the highest security rating a general purpose OS can have is B1...

  27. The problem is who is reviewing solutions by FtDFtM · · Score: 1

    The problem is that they have government contractors reviewing potential solutions. The same people who are incapable of coming up with workable solutions themselves. So what makes anyone think they would know a good solution, even if it bit them in the ass?

    DARPA announced a grant program for this last August at Black Hat. We spent a month crafting an RA for developing a solution based upon formal methods that would change the advantage from the attacker to the defender. Even if we were full of shit, you'd think DARPA would want to know more, in case we weren't. We got a form letter rejection for "Mudge". Am I bitter I spent a month trying to help out the DoD? you bet. I have better things to do.

    It reminds me of when the Web was first emerging and I was getting my MBA - Anderson Consulting came to our school with a "contest" to see who could come up with the best business model for the web. Anyone know where AC is now? The DoD needs a good shot of Darwin.

  28. Re:Hire from without by Kagura · · Score: 1

    You got it! My uncle is now a security officer in the military. He's a highly skilled Linux programmer, and knows how to attack the network if he needs/wants to. The only reason he got in the military and is now in security is because he had a 96% accuracy at 300 yards. After all this time, the military still values killing over technical skills, while they should be on equal footing.

    If an Iranian nuclear power plant can be attacked by a virus, which could have caused major damage (we are just lucky it didn't), you'd think the military would take a better look at their skill requirements. But they rely on their current ranks, the NSA/FBI/CIA to foot for when they can't make up (and the majority of their skills are about as good as the military's). We need a skill refresh; it's long overdue.

    I don't think you really know much about the military, or your uncle is pulling your leg. That's not how the armed forces work in the U.S.

  29. OMFG by snowshell · · Score: 1

    How to make a network secure? Well, let's see: enable OpenVPN, configure IPSec, make sure everything inter-departmental is using a PKI token and ensure everyone has PGP. Separate various parts of the network, after all the employees have better things to be doing than browsing Facebook or YouTube, updating their Twitter status and reading their Hotmail from a government system. Throw out all those copies of Windows (tm) software; they're really not doing you any good, in a virtual environment or otherwise. Is everyone using the latest version of a secure and trusted OS like OpenBSD or Linux on their desktop?