Slashdot Mirror


DoD Networks Completely Compromised, Experts Say

AZA43 writes "A group of U.S. federal cybersecurity experts recently said the Defense Department's network is totally compromised by foreign spies. The experts suggest the agency simply accept that its networks are compromised and will probably remain that way, then come up with a way to protect data on infected machines and networks."

  1. or it is used as a tool by FudRucker · · Score: 5, Interesting

    to spread misinformation to those foreign spies that only think they compromised DoD computers (naw too good to be true) the US Gov is too stupid to do anything like that

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:or it is used as a tool by cparker15 · · Score: 5, Funny

      The entire DoD network is one massive honeypot. All the real data is sent by carrier pigeon.

      --
      Have you driven a fnord... lately?

    2. Re:or it is used as a tool by erroneus · · Score: 4, Insightful

      There is no shortage of "stupid" at the DoD. As every security expert knows, the weakest link is the user. And it doesn't matter how high or low ranking that user may be... in fact it kind of helps if they are "full of themselves" because they tend to demand that restrictions are relaxed so they can have access more easily. There is LOTS and lots of stupid out there.

      And nothing helps more than the fact that running Windows as the standard has. Why? Isn't it obvious? We know from the headlines that every government has been demanding the source code and decryption keys for just about everything. Microsoft, I expect, has been no different when faced with such requirements... we certainly know that's true in the case of RIM. And the source code is not always enough or even completely helpful, but it definitely helps that governments are willing to hire black-hats to find the billions of holes available in the platform EVERYONE USES.

      Sure, Microsoft profits lots... they are what everyone uses... including and especially the weakest links.

    3. Re:or it is used as a tool by AioKits · · Score: 5, Funny

      The entire DoD network is one massive honeypot. All the real data is sent by carrier pigeon.

      Damnit man! Why did you let them know?! Now I gotta figure out how to armor the pigeons so they're not shot out of the skies... How tiny do they make bullet proof vests? Maybe I could use a swallow instead. Does anyone here know the air speed velocity of... Never mind, I'll figure something out.

      --
      "Quote me as saying I was mis-quoted." -Groucho Marx
    4. Re:or it is used as a tool by g0bshiTe · · Score: 4, Interesting

      I'd hate to think the DOD would be dumb enough to keep sensitive data on a network that was internet accessible.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    5. Re:or it is used as a tool by Anonymous Coward · · Score: 2, Interesting

      I just hope that they're RFC 2549 compliant, with (hopefully) an encryption layer along with that.

    6. Re:or it is used as a tool by FudRucker · · Score: 3, Insightful

      and don't forget the windows users that insist on logging in and running as admin/root for a regular user account because they don't want to be inconvenienced with having to type in a password for anything

      my own brother runs his PC like that and i explain to him the concept of a multi-user system that has root and user accounts and he just stares off in to space with that deer in the headlights look on his face

      --
      Politics is Treachery, Religion is Brainwashing
    7. Re:or it is used as a tool by elgeeko.com · · Score: 3, Interesting

      Honeypot was my first thought too. You could keep the enemy scrambling to build the mind control ray gun we developed back in the 80s using technology we stole from the cities on the far side of the moon. Knowing someone is hacking your system can be a lot of fun.

    8. Re:or it is used as a tool by Anonymous Coward · · Score: 4, Funny

      You ever tried encrypting a bird? They don't like that.

    9. Re:or it is used as a tool by Bigby · · Score: 3, Funny

      Is that like putting a bird in a crypt?

    10. Re:or it is used as a tool by Beardo+the+Bearded · · Score: 5, Informative

      They don't.

      I work with a lot of military documents. I've got some in the other windows right now. 99.9% of military documents are not important, security-wise. Sure, you can find out what kind of cable is used to plug in that receptacle. It's not important. It's not Classified. Nobody gives a shit.

      The Classified stuff, should I ever even look at any of it, is really quite a different type of animal. Here's how I'd handle it:
      1. Make sure it had to be me since they're a PITA.
      2. Our document control folks would burn a copy and FedEx to me.
      3. It would be sent to the Secure Room once it arrives.
      4. When I went to work on it, I'd get a supervisor, sign in to the secure room, and pull out the removable HDD from the vault.
      5. Check the Secure Machine for oddities, like anything in the USB ports or the sudden appearance of an Ethernet port. Seriously, there isn't even a phone jack in the room.
      6. Boot the Secure Machine. Yes, it is Win XP. While it's booting, draw the blinds and close the door.
      7. Work on the Classified document.
      8. Once I'm done, I can burn a disk to send back and have it printed by the document control group. Then I power down, put the HDD in the vault, and then sign out.

      Seriously, the important stuff is airgapped. The really important stuff is airgapped and guarded by people with weapons.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    11. Re:or it is used as a tool by Peristaltic · · Score: 5, Funny

      What the DoD will do is hire a contractor to armor the pigeons, who will then design armor that puts the pigeons over max gross weight, so they'll add wing extensions, but since pigeon wing muscles can't flap the modified wings as fast, they'll replace their little pigeon wings with fixed composite wings and pigeon-scale turbine engines.

      Unfortunately the turbine engine exhaust burns pigeon tail feathers, so they'll replace these with composites also. The Air Force will see an opportunity at this point to add hard-points to the composite wings, so the wing area and turbines will be made larger, increasing cruising speed and altitude, requiring life-support for the pigeons.

      Cost: about $500,000 / pigeon for the Block 20 model, assuming the contractor will be allowed to sell Block 10 Pigeon Communication and Reconnaissance (PCR) units to our allies in Saudi Arabia. Test flights slated for 2020.

    12. Re:or it is used as a tool by erroneus · · Score: 2

      ...my own boss insists that his staff be made administrators on servers... I have always disagreed with that. He says it's for accountability and I can kind of see it, but make it a separate unique account, not my normal user account.

    13. Re:or it is used as a tool by An+ominous+Cow+art · · Score: 2

      This little guy might have benefited from some body armor.

    14. Re:or it is used as a tool by NIN1385 · · Score: 3, Funny

      You left out the part where another contractor designs another version of said pigeons and undercuts this contractor with an inferior product because they had the lowest bid and then the people that awarded the bid to the cheaper contractor are left wondering why the cheaper pigeons are falling from the skies and killing innocent citizens.

      --

      If carrots got you drunk, rabbits would be fucked up. - Comedian Mitch Hedberg R.I.P. 03/30/68-2/24/05
    15. Re:or it is used as a tool by mikael · · Score: 2

      As long as there is plenty of seed, and not too much salt. You might try adding some skipjack. But if you see little knapsacks, you know they are going off on Feistel rounds.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    16. Re:or it is used as a tool by SCPRedMage · · Score: 3, Informative

      Speaking as someone who used to administrate an Air Force base's SIPRNet systems, I don't believe for a second that they're talking about anything other than NIPRNet (which is the military's way of referring to their unclassified, Internet-connected base networks).

      I find it HIGHLY suspect that classified networks are compromised, simply because of what would be required to do so. The SIPRNet has NO Internet connectivity at all; you simply cannot send packets between the two, at all, in either direction.

      --
      My sig can beat up your sig.
    17. Re:or it is used as a tool by Anonymous Coward · · Score: 2, Interesting

      Actually it isn't just to make access easier. We do it to make working feasible. I'm sure you've heard of problems like mine and gloss over it at work and online, Mr Important Security Expert.
      Because of STIGs, on our DoD network I couldn't run the installer for the software we were developing. I also didn't have the development tools I needed. It took over 6 months to get an approval for new tools. Some tools, like Virtual PC, would not be allowed. I usually just gave up on my wishes for tools just like the people before me.
      I could go on. Security broke features of the tools that I did have. Hotdeploy didn't work in Tomcat. Eclipse autocomplete didn't work. Random memory errors and terminated processes. Eventually, cut and paste would hang the computer for several seconds.
      Additionally, much time was spent on forms. Finding them, completing them, finding the right person to give it to, and following up when that idiot doesn't pass it on to the next idiot.
      And that's when I got a job working for a Japanese company. See ya!!

    18. Re:or it is used as a tool by AdamWill · · Score: 2

      This post is all the proof anyone should need that Slashdot comment scores should go up to 6.

    19. Re:or it is used as a tool by AdamWill · · Score: 3, Informative

      They're not talking about either of those things. Those are military networks. They're talking about the Department of Defense network - the network of the civilian agency which oversees the military. Different organizations, different networks.

    20. Re:or it is used as a tool by erroneus · · Score: 3, Interesting

      Consider working with something other than Windows. (I know, not always an option depending on who you are working for.) And as for Japanese companies... you don't, by chance, mean the Japanese defense contractor which was breached just like Lockheed and the others do you?

      I completely believe and understand your point of view. It's completely valid. It's one of the many reasons why the MS Windows platform is simply bad for security. It's not only Microsoft's fault, but also the fault of crappy developers who do not respect security models... even the bad ones Microsoft has put forward.

      To be frank, there's really no way to get out of the hole that is MS Windows without doing some drastic, ugly and unpopular things. 1. Microsoft needs to significantly change their next OS breaking compatibility with the previous versions. 2. Microsoft needs to review and somehow disallow software which does not meet security principles. The result of this type of move could be disastrous for Microsoft for many reasons, though. It could mean a huge backlash from developers. It could mean a huge rejection by users since they wouldn't be able to get access to applications.

      Security is a PITA. No question about it. But when security is built into the OS, it helps a lot. Windows as we know it today, evolved from DOS. I know, I know, there's little if any DOS in Windows today, but its evolutionary genetics still show today.

      And in some ways, it can't be helped that administrator/root is needed to install applications. I wouldn't have it any other way, actually. But requiring administrator/root to USE tools which do not affect the OS is quite a problem. And that problem comes from a wide range of bad practices by both Microsoft and developers for Microsoft's Windows platform. With the exception of OS manipulating/managing tools, I have yet to see this problem in Linux. In fact, I see the OPPOSITE occur when programs actively discourage and even DENY the ability to run as the 'root' user. That's a huge difference in programming/development culture.

      And before anyone calls me a fanboy or a troll or whatever, I use Linux primarily... it's true. I also use and support Windows and I have to admit I have been warming up to Windows 7 quite nicely. I don't *HATE* Windows as much as you might think. In the end, I hold that I don't actually CARE what I run so long as it works. And your point, once again, is quite valid in that in "MS Windows reality" usability and security are, in practice, diametrically opposing needs. I'm here to say it doesn't HAVE to be, but to make a change is painful if not impossible.

    21. Re:or it is used as a tool by jamiesan · · Score: 3, Funny

      They will also create Pigeon Reconnaissance Intelligence Construction Kit Systems for our allies, but they will be smaller versions than the ones the US uses.

  2. Best use of the word cyber ever! by synapse7 · · Score: 4, Funny

    “DoD is capability-limited in cyber, both defensively and offensively,”

    Anyways, are we talking a bunch of old NT boxes plugged right into the internets, I mean the cyber.

    1. Re:Best use of the word cyber ever! by HBI · · Score: 2

      The best part is that what they are really saying there is that they lack the skilled personnel to compete with other nations. The reason they lack said personnel is that no one who is any good would like to work for the government. It's an unpleasant work environment in a lot of ways, especially in light of current budget expectations for DoD and certain mandated cuts.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    2. Re:Best use of the word cyber ever! by Lucractius · · Score: 3, Interesting

      I don't know how well the "original" hacker mentality of 'everything is worth poking at' would be tolerated in a state run hack team.
      I can't give much in the way of proof for this but this argument is based on organisational psychology vs personal psychology... but anyway

      China, the USA, Russia... I would imagine that the dog tag & rank 'military' hackers are selected via a process much like test pilots (different criteria obviously)

      If you show aptitude in mathematics, logic, and attention to detail, you get funneled into a program, they hone your skills and teach you computer security theory & practice much like the basics I learned in university courses.
      The goal of a state organisation would be a 'state hacker' whose priorities rank something like 1) the defense of the state, 2) their own life, 3) hacking
      I would not call these "Hackers". They are soldiers with computer security training who follow orders.

      Most true to the name and tradition/ethos hackers will not have this ordering, so 'recruiting' or 'nurturing' "free range"/"wild" hackers doesn't fit well with the goals of any nation.
      The idea that "no you're not allowed to try that" doesn't sit well with a dedicated old school type hacker. Because the first place the mind turns is 'Why?'
      They may decide not to do something (eg: hack a SCADA system & shut down a hospital, killing people) but this decision usually comes after they worked out how to do it anyway, just because it was there to be worked out.

      --
      XML - A clever joke would be here if /. didn't mangle tag brackets.
  3. Best Practice by jcaldwel · · Score: 4, Insightful
    From TFA:

    “We’ve got the wrong model here. I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway."

    It's nice to see the DoD finally catching up with basic best software practices.

    1. Re:Best Practice by FormOfActionBanana · · Score: 3, Informative

      More specifically, the principles I would ascribe to this are "Defense in Depth" and "Fail Securely".

      --
      Take off every 'sig' !!
  4. cut the wire by the_Bionic_lemming · · Score: 5, Insightful

    Why does the network have to be accessible remotely? It should be isolated and need a meat sack to get the information from the system and relay it to the party that needs the information. Same thing with public utilities and such - why is it wired so that someone remote can tap a few buttons and remotely access controls for water plants?

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    1. Re:cut the wire by tomhath · · Score: 4, Informative

      That's called an "air gap". And yes, DoD has many systems behind them.

    2. Re:cut the wire by HBI · · Score: 5, Informative

      There are physically isolated networks.

      They are referring to the NIPRnet which is directly connected to the rest of the internet. NIPR is all about web apps - time trackers and such, and e-mail. The actual secure stuff has an air gap.

      This is mostly hyperbole. These people who are testifying don't know jack shit about technology, and neither do the people who are listening to them.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    3. Re:cut the wire by cpu6502 · · Score: 2

      My thoughts exactly. Or set up a separate ARPA-owned network that no one can access except DOD employees.

      BTW the recent news about an electric utility plant being "hacked" by foreign spies was a false flag. In reality it was one of the workers while he was on vacation, logging-in remotely, but of course we never hear that followup story on the Pro-war FOX, CNN, NBC networks. They'd rather scare everyone into thinking we need to bomb Iran and Russia (and then the defensecorps profit).

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    4. Re:cut the wire by Kadin2048 · · Score: 5, Informative

      Or set up a separate ARPA-owned network that no one can access except DOD employees.

      This exists, it's called the SIPRnet. You can only access it from secure workstations in secure facilities, and in theory all the network hardware is also secure, etc., etc.

      AFAIK, the only recent SIPRnet compromise was Bradley Manning, and that was more of a social exploit than a technical one.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    5. Re:cut the wire by heypete · · Score: 2

      It was actually a water pump, not an electric utility.

    6. Re:cut the wire by Whorhay · · Score: 5, Insightful

      From what I've heard that's mostly true. There are a number of 3 letter agencies that have been known to be so egotistical as to believe they are above the air gap requirements and actually run machines that cross that gap.

      Besides which an air gap is not as foolproof as one might think. Just look at what Stuxnet managed to do to the Iranians' nuclear program. And it would only take a single compromised person on whatever air gapped network to gather the datadumps and send them back to whatever party they work for. Off the top of my head I can think of at least one publicized account of malware being found on an airgapped system that seemingly couldn't be removed.

      Whatever your technical measures and implementations, your security is always limited by the personnel using it. What percentage of people with clearances and access are turnable? It's impossible that it'd be zero, and even at a tenth of a percent it'd mean hundreds or thousands of compromised people and consequentially the networks they have access to.

      All this ignores that classified information is often derivable from other non-classified sources.

    7. Re:cut the wire by Penguinisto · · Score: 2

      No, it is "Meat Popsicle".

      Geez - am I the only one who knows the correct terminology around here?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    8. Re:cut the wire by Anonymous Coward · · Score: 5, Informative

      Little anecdotal story from my time in the military (can't speak to the policies of all the 3-letter-agencies) USMC had (has) a very VERY strict policy about crossing the streams.

      There are "normal" computers that access the internet and what not, and other computers which exist on a completely separate self-contained network. And never the two shall meet. At all.

      For the most part, the secure computers were in a completely different building, or at very least in a different room behind lock and key. If someone was important enough to warrant access to the secure networks in their office (usually restricted to O-5 at bare minimum) the ports for the secure side were emblazoned in bright red and stuffed behind lock-boxes, so there was no possible way to confuse the two. Oh, and the office itself had to be secured. Certain quality of lock on the door, no windows, etc.

      Any computers that became part of the secure networks, were part of that network for LIFE. When replacement time came, the secure computers had their HDDs wiped via electromagnets and then holes drilled through the platters.

      Even non-computers had to live by a one-way pathing. If you plugged a monitor into a secure computer, that is now a secure monitor and CANNOT leave the secure area. Fax machines, copy machines, etc etc etc. Anything that interfaced with ANY secure data was locked down.

      Suffice to say, there was no crossing the streams, and no matter how infected or compromised the "normal" networks were... there was practically zero chance of any info getting out of the "air gapped" secure networks.

  5. Re:Would that include .. by tripleevenfall · · Score: 3, Informative

    Stuxnet was still able to reach such methods, though direct control wasn't possible, it was more of a phone home/carrier pigeon type of compromise.

  6. Scary by gmuslera · · Score: 4, Insightful

    Surely will convince public opinion that the new measures of surveillance on all internet connections have a good reason and they should give up on privacy forever.

  7. this is all retarded anyway by HBI · · Score: 2

    The military would like a bunch of script kiddie canned attacks as their 'offensive' capability. They don't want to rely on anyone with a brain in real time. That doesn't work very well in practice.

    They're never going to get what they want.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  8. Well it's defense so... by Anonymous Coward · · Score: 2, Insightful

    Well it's defense so ultimately what this boils down to is: "here's a file that says they're going to kick our ass". Can they do that? "Yes". Well, at least we infiltrated their network so we know our asses are going to get kicked and we can prepare for that. "No we can't, we'd have to move the entire country and kick somebody else's ass to do it. What's more is our network is infiltrated too so they'd know we were going to do it and what's worse is we don't have much ass kicking capability". So. We're dead meat; but we know it in advance. That showed them!

  9. It's not surprising... by SCHecklerX · · Score: 4, Interesting

    ... given the general below-mediocre quality of the contractors and government employees that work for the DoD, and the amount of senseless policies for policy's sake claiming to be for 'security' but, uh, no, not really. The people in charge are the worst.

    I just started working for DoD again, and want to punch people in the face all day long.

    1. Re:It's not surprising... by Anonymous Coward · · Score: 3, Interesting

      Hilarious. I'm a fed here in IT (not DOD) and feel the same exact way. There are idiots that are high up and make decisions without knowing the technical consequences. I keep telling myself they will retire and leave soon, but it never happens.

      It's going to be interesting in the next 5 to 10 years as all of the old folks are going to retire, and there's no new blood to take over for them. I don't know how it is at other places, but that's how it is here. And unfortunately, the new blood (me) is getting too frustrated to hang around much longer because of idiotic decisions that are made.

      I'm only hoping that things will change and people will step down... Surely, it can't be like this at every government facility!

  10. DOD security, not so good. by Anonymous Coward · · Score: 3, Interesting

    Reminds me of when I was sent to a DOD site to try to figure out why everyone was scoring 97% on a certain test.

    30 seconds of looking around and I had a pretty good guess:

    (1) The unused tests were printed out in print runs of 10,000 and kept in an alcove in a dusty unused office. Said alcove had a plywood door with 18 inch gaps at top and bottom. Padlocked, but with the hasp mounted backwards, with all the screws exposed.

    (2) There was a 50 page per minute xerox copier in the same room, no access card needed.

    That was a rude introduction to DOD security measures, and the cluelessness of the security folks.

  11. The problem with the DOD by WindBourne · · Score: 3, Interesting

    is that they will do political things. As such, they have LOADS of windows. And yes, they are LOADED with spies (and the DOD knew it). However, I differ with the expert. NSA should step in and help DOD upgrade everything to a decent set-up. Secure Unix or Linux (with SEL). NO MORE WINDOWS. In addition, restore the security that we used to have back in the 80's. We have slacked so much that many of the contractors are spies. Hell, I have dealt with a probable Chinese spy that was married to a USAF officer.

    The USS Reagan should be refitted with secured systems, or we should simply send it in the middle east and allow Iran to blow it up (better Iran than China).

    What amazes me is that EU, Russia, and China are all brighter than so many of the idiots in the DOD and at American companies.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  12. Smart Move by drkstr1 · · Score: 2

    The experts suggest the agency simply accept that its networks are compromised and will probably remain that way, then come up with a way to protect data on infected machines and networks.

    This is actually one of the smartest things I've heard come out of the DoD relating to information security, in a long while.

    One of the first rules of thumb when developing secure client-server applications is, never trust the client. One must assume that given a high enough incentive, any public facing interface can and will be exploited in one way or another, and there is no way to reliably anticipate all attack vectors.

    It is smart to develop policies and procedures around this assumption.

    --
    Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
  13. Re:The problem with the DOD by Whorhay · · Score: 5, Insightful

    While I agree that I'd like to see the DoD move to more secure technical solutions, I don't think it'd solve the security problem. Like you pointed out the system is only as good as the people that are using it. And even with a very small percentage of people willing to spy it'd be almost trivial for a foreign government to buy their way into almost any system.

    Prior to 2001 everything was more compartmentalized, which was good for Information Security's sake. But it proved to be bad for our national safety as the CIA wouldn't pass on information about a potential threat to the FBI for what amounts to dick measuring reasons. In the aftermath of 9/11 the policies swung the other way and we end up with Bradley Manning having access to way more information than he needed for his job.

    A proper solution is a multi faceted problem. We need technical systems that are secure and yet still useable by a barely trained 18 to 50 year old volunteer. We need systems designed to be as secure as possible but still interface with each other and work in a timely manner. We need people that are as immune to corruption and insanity as possible. And the hardest part is probably sticking to fights and engagements that don't force those people to question the morality of the job they are tasked with doing.

  14. Re:Funny by Greyfox · · Score: 2

    Oh har har har. Do you know how much paperwork that's going to require? To re-write all the specs that specify Windows 3.11 for Workgroups will cost TEN BILLION DOLLARS! So do we re-write all those specs or do we buy the FRONT TIRE of a Joint Strike Fighter! It won't be so funny when a Joint Strike Fighter can't land because it doesn't have a front tire!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  15. Cyano-Acrylate by Anonymous Coward · · Score: 5, Interesting

    We use CA epoxy as a very effective security measure. For any commodity hardware we buy, we fill all of the USB ports with a CA epoxy that prevents access. We also use it to permanently attach mouse and keyboard. Motherboard USB headers are also filled with CA to prevent the casual attachment of devices (although users cannot physically get to their machines, since they are in locked cabinets, with IDS tied to building security). Same goes for unused SATA, PCIe, and other ports. Any plug that isn't used is made unusable.

    PCs are on a network, but users have no physical access to cables, and similarly we use a secure cable type with a current loop and TDR to detect physical tampering. If the current loop is cut, building security knows precisely where the cut is within seconds.

    There is no wireless, and no bluetooth. Employees are not allowed to bring in cell phones, MP3 players, or anything else with any capability of capturing data, and yes, we 100% search at the door with metal detectors and millimeter wave detection like you see at the airport (except we actually know how to use it). We're also in a steel building with no windows and EMI shielding, just in case.

    We're not on the Internet. We have absolutely no need to connect to it. Even if we did have a spy as an employee, they would have to reproduce anything they did on another machine outside the office in order to transmit it anywhere else. And obviously, there is no means to allow employees to "work from home" in their pajamas in sandals.

    Any new software has to go through a thorough vetting process, and any vendor wanting to sell us software is required to allow us to load the source code and build environment onto our build farm, review and inspect the code for possible attacks, and then compile it ourselves. This is a lot easier to achieve than you might think.

    Finally, we're old school. Everything is compartmentalized. The guy working on the math routines has no idea why he's working on them, or what they will be used for. All he knows is that he's a software engineer in charge of high-level math function development. He doesn't know what the product is or what it does.

    1. Re:Cyano-Acrylate by OneMadMuppet · · Score: 4, Funny

      OMG - you work for Apple?

  16. don't worry, ex l0pht hacker is on the job by decora · · Score: 3, Informative

    millions-of-dollars research projects, are underway right now. in fact, a guy from the l0pht, named Midge.

    see

    http://en.wikipedia.org/wiki/Cyber_Insider_Threat

    I'm sure there's no coincidence between 'experts' pushing this and the industry about to 'provide the solution'.

    nevermind that they are basically, built around theories like "maybe a guy changes the time he eats lunch".

    and that 'insider threats' also = whistleblowers.

    1. Re:don't worry, ex l0pht hacker is on the job by Shoten · · Score: 2

      I think you mean Mudge. Mudge is the L0pht Heavy Industries alumnus who is at DARPA.

      Also, the reason why 'insider threat' = whistleblowers in this scenario is because technical controls cannot interpret or extrapolate intent. They can't tell the reason why information is being extracted from a secure environment, only that it is. The lack of differentiation is not some nefarious scheme to catch well-meaning whistleblowers along with spies, just a shortcoming of technology. A hammer doesn't know whether or not it's being used for good or bad either.

      --

      For your security, this post has been encrypted with ROT-13, twice.
  17. What all the experts have in common... by Shoten · · Score: 2

    "A group of guys whose budgets revolve around coming up with new cybersecurity defenses testified today that they should be given a LOT more money to play with."

    --

    For your security, this post has been encrypted with ROT-13, twice.
  18. Oblig. by Anonymous Coward · · Score: 2, Funny

    But when did the Soviets begin this type of research?

    Well, sir, It looks like they found out about our attempt to telepathically communicate with
    one of our nuclear subs. The Nautilus, while it was under the Polar cap.

    What attempt?

    There was no attempt. It seems the story was a French hoax. But the Russians think the story about the story being a French hoax is just a story, sir.
    So, they've started psi research because they thought we were doing psi research,

    When in fact we weren't doing psi research?

    Yes, sir. But now that they're doing psi research, we're gonna have to do psi research, sir.
    We can't afford to have the Russians leading the field in the paranormal.