Slashdot Mirror


Germany Readying Offensive Cyberwarfare Unit, Parliament Told

concertina226 writes to note that it's not just the U.S. that's increasingly open about using malware as an offensive tool of state security: From the TechWorld story: "According to German reports, the Bonn-based Computer Network Operations (CNO) unit had existed since 2006 but was only now being readied for deployment under the control of the country's military. 'The initial capacity to operate in hostile networks has been achieved,' a German press agency reported the brief document as saying. The unit had already conducted closed lab simulations of cyber-attacks." "Unlike physical attacks," concertina226 writes, "cyber-weapons can't be isolated from their surroundings with the same degree of certainty. If, as a growing body of evidence suggests, the U.S. Government sanctioned the use of cyber-malware such as Stuxnet, are the authorities also held responsible should such campaigns hit unintended victims?"


  1. so we must prepare now by Anonymous Coward · · Score: 3, Funny

    for a bitskrieg?

    1. Re:so we must prepare now by DragonDru · · Score: 1

      If the Germans are announcing this, I can imply that many governments have just such an organization. I don't think my 1337 skills are up to the task of fighting off actual armies.

      --
      20 characters max for the password? How will I use my favorite poems as passwords?
    2. Re:so we must prepare now by xevioso · · Score: 1

      This is a great pun, and it's a word I predict will be used much more often.

    3. Re:so we must prepare now by An+ominous+Cow+art · · Score: 1

      My packet sniffer has no nose.

    4. Re:so we must prepare now by camperslo · · Score: 1

      There was no mention of specific projects, but Israel has been talking about such activities also.

      http://www.iba.org.il/world/?lang=en&entity=847869&type=1

  2. It's our own damned fault by ka9dgx · · Score: 1

    Instead of fixing this situation (our broken computer security model) we've been blaming Vendors, Users, Programmers, government. None of this is going to fix it.

    When you can confuse a root process and get root, nothing is safe. Windows, Mac, Linux, all are vulnerable to this.

    It doesn't have to be this way.

    1. Re:It's our own damned fault by SuricouRaven · · Score: 1

      Then what is your alternative?

    2. Re:It's our own damned fault by Slyfox696 · · Score: 2

      Then what is your alternative?

      The return of Sneakernet.

    3. Re:It's our own damned fault by ka9dgx · · Score: 4, Interesting

      Instead of running processes with all the rights of the given user account, use Capability Based Security. This means that for a given process, at run-time (not beforehand like app-armor), you tell the OS which files and access type a process will need. This doesn't fix everything, but it does let you isolate security decisions and eliminate the side effects of running any code (trusted, untrusted, or downright evil) to the capabilities you chose to give it. This means that even if you confuse a process, you can't get more capabilities than it was given. Privilege escalation goes away, which is a major attack vector, along with stack injection, buffer overflows, etc. (Of course it does require a secure kernel, which you have to trust).

      It's my firm belief that capability based security will eventually be what we all use... but due to the need to make people aware of the concept (which is several layers of abstraction away from what we usually deal with) and the cost of revamping everything... we're still 15 years out.

    4. Re:It's our own damned fault by noh8rz3 · · Score: 1

      I think this is valid, especially for large networks. Does the computer of a secretary in Alabama need the capability to access payroll data in New York City? Break the links in the network, so each computer can connect to reasonable resources but not extensive. This contains any rampant issues.

      Similarly, payroll transmits data monthly to banks. Does the sensitive payroll data need 24x7 online access?

    5. Re:It's our own damned fault by 0123456 · · Score: 2

      We already have that with Apparmor and SELinux. The problem is that common attack vectors such as web browsers already need access to all files on the machine; how can you upload that Lolcat picture to Facebook if your web browser is restricted to only accessing specific files on your system? How can you prevent a malware addon installing by blocking writes to the addon install directory if the web browser supports automatic installation of addons?

      So it's an improvement, but still leaves big holes.

    6. Re:It's our own damned fault by Anonymous Coward · · Score: 1

      web browsers already need access to all files on the machine

      1. Applications don't get access to user files, unless
      2. The user has explicitly opened the file in the application using a secure OS file open dialog, in which case
      3. The OS passes a list of file names and read-only handles (or file descriptors or whatever) to the application.

      I don't know if Apparmor or SELinux do this, but that's how you do it right.
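The handle-passing scheme in the comment above, and the run-time grant of "which files and access type" described earlier in the thread, as an added example (not code from any commenter or project). The names `powerbox_open`, `confined_app` and `demo` are hypothetical, the file content is constructed, and the sketch assumes a Unix system with Python 3.9+; it does not remove the child's ambient ability to open paths itself, which a real capability system would.

```python
import os
import socket
import tempfile

def powerbox_open(path):
    # Trusted side: runs after the user picks `path` in the OS file dialog.
    # O_RDONLY fixes the access type in the descriptor itself.
    return os.open(path, os.O_RDONLY)

def confined_app(chan):
    # Untrusted side: it is handed a descriptor and never sees a path.
    # Assumption: a real system also removes its ability to call open() on
    # arbitrary paths; that confinement is not enforced in this sketch.
    _msg, fds, _flags, _addr = socket.recv_fds(chan, 16, 1)
    fd = fds[0]
    data = os.read(fd, 4096)
    try:
        os.write(fd, b"tampered")   # try to exceed the granted right
        status = b"WROTE"
    except OSError:                 # EBADF: descriptor is not open for writing
        status = b"DENIED"
    os.close(fd)
    chan.sendall(status + b"|" + data)

def demo():
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed user file")
        path = f.name
    broker, app = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:                    # child plays the application
        try:
            broker.close()
            confined_app(app)
        finally:
            os._exit(0)
    app.close()
    fd = powerbox_open(path)
    socket.send_fds(broker, [b"fd"], [fd])   # SCM_RIGHTS descriptor passing
    os.close(fd)                    # broker keeps nothing open
    status, _, data = broker.recv(4096).partition(b"|")
    os.waitpid(pid, 0)
    os.unlink(path)
    return status, data

if __name__ == "__main__":
    print(demo())
```

The child can read the granted file, but the write is refused by the kernel because the access type travels with the descriptor, not with the user account.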

    7. Re:It's our own damned fault by ka9dgx · · Score: 1

      It's not the scale of the networks that is the real problem. It's the need to trust code that is the big issue. If a program can be tripped up, or in any way manipulated to do something, it becomes the basis of a system breach. If the scope of what can be done by a process is by default limited to a very select set of actions, you eliminate this basis of attack.

      If the person in Alabama needs access to the payroll, that's fine. But why does she need write access to the system folder? Why does that same process need to be able to upload files to the internet at large?

    8. Re:It's our own damned fault by noh8rz3 · · Score: 1

      Did you read the Apple iOS security design document? It talks a lot about "chain of trust" from boot-up through application use. This sounds like what you're talking about. As Stephen Hawking would say, "it's turtles, all the way down!"

    9. Re:It's our own damned fault by ka9dgx · · Score: 1

      Chain of trust doesn't do jack sh*t for the security as far as users are concerned. It's all about DRM.

      If the user doesn't have a way to tell the OS exactly what side-effects they are willing to tolerate from a program they want to run, then how is the OS supposed to know?

      Linux, Windows, Mac all don't even have a way to express this intent, let alone code to enforce it.

    10. Re:It's our own damned fault by noh8rz3 · · Score: 1

      Please don't use bad language. It makes the internet much coarser, not to mention the person who says it and the person who reads it.

    11. Re:It's our own damned fault by eriqk · · Score: 1

      The return of Sneakernet.

      Sneakernet didn't protect Iran against Stuxnet.

  3. Reads like a Cyberpunk novel by ConaxConax · · Score: 1

    The future is here guys!

  4. Why not? It's cheap. by Beardo+the+Bearded · · Score: 5, Insightful

    Bombs are expensive. You want to stop enemy production in a war, right? So you blow up the factories, the power plants, etc.

    What if, instead of blowing them up, you just shut them all off? It worked with Iran's atomic development and ushered in a new era of warfare. Up until WWI, war was a grand and glorious adventure, swords and arrows, showing the bad guys what for! Then chemical weapons killed so many people all at once, the game wasn't fun anymore, but you could still send your plebeians out to rattle your sabres. Once atomics showed up, we got to the point where war could kill the country's leaders as well as the people sent out to the front lines.

    This new era lets anyone, anywhere, pick off any target. You can shut down an Iranian centrifuge. You can dig up dirt on the Prime Minister and give it to the newspaper. Everyone with an Internet connection has the potential to hold a weapon far more dangerous and far more powerful than anything that goes "bang". We can make anyone, anywhere, go "whimper".

    That's why we're seeing cyberwarfare units and Internet censorship / monitoring. We can't have people rocking the boat.

    --
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  5. unintended victims by fustakrakich · · Score: 1

    You mean collateral damage? Non issue. This is WAR!

    --
    “He’s not deformed, he’s just drunk!”
  6. 'capacity to operate in hostile networks' by NettiWelho · · Score: 3, Funny

    "'The initial capacity to operate in hostile networks has been achieved,'" Took them 6 years to notice their ethernet cable wasn't plugged in?

    1. Re:'capacity to operate in hostile networks' by a90Tj2P7 · · Score: 1

      "'The initial capacity to operate in hostile networks has been achieved,'" Took them 6 years to notice their ethernet cable wasn't plugged in?

      No, they were downloading a copy of Windows XP when the jerk stopped seeding at 99%.

  7. Room for IPv6 by andersh · · Score: 1

    Notice that this was announced shortly after IPv6 was "rolled out". You're right, they're looking for more space, address space!

  8. Re:Why not? It's cheap. by TubeSteak · · Score: 3, Insightful

    This new era lets anyone, anywhere, pick off any target.

    And that right there is the problem.
    In the past, when war was purely about bombs and boots on the ground, you could rely on your physical defenses and alliances to protect you from retaliation.
    The USA and Germany don't have to worry about Jihadist drones dropping bombs on New York or Dusseldorf.

    But they certainly have to worry about malicious hackers with a grudge.
    Today, the internet is such a soft target that it's tragic.

    The developed world may be starting a war where they can't project numerical or tactical superiority.
    LulzSec and Anonymous show that you don't need the resources of the NSA to go after big targets.
    http://cryptome.org/2012/06/lulzsec-sneak-preview.htm

    --
    [Fuck Beta]
    o0t!
  9. The perfect weapon by ThatsNotPudding · · Score: 1

    Destroying both the target and the user.

    Ingrates.

  10. Love them Jackboots. by infonography · · Score: 1

    You know, the uniform, the low-slung stun ray holster, the mindless tedium

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  11. Re:Why not? It's cheap. by PPH · · Score: 1

    But cheap upsets the status quo. Conventional war is (and always was) expensive. And that means you can predict the outcome based on GDP. Not so with cyber war. Almost anyone can play and wealth serves to provide more targets, not more weapons. So it turns the winner/loser equation on its head.

    And what cyber war doesn't do, which makes it feared, is to directly produce body count. Body count is what makes war morally abhorrent. The cold war never turned 'hot' because all of the major players found the outcome to be unacceptable, even in the event of their winning. With cyber war, the perception is going to be that a bunch of banks and other financial institutions are damaged or taken down. And right now, that's even a fantasy of the average Joe, not a terrifying prospect.

    --
    Have gnu, will travel.
  12. Finally - now I can really be an internet warrior by jafir · · Score: 1

    Who knew! All this time I was learning coding I was actually training to be a soldier! Well, that's one less thing on the bucket list...

  13. Re:Why not? It's cheap. by dkf · · Score: 1

    Then chemical weapons killed so many people all at once, the game wasn't fun anymore, but you could still send your plebians out to rattle your sabres.

    Unfortunately for your thesis, it wasn't chemical weapons that made things "not fun" (they were too uncertain to be reliable weapons) but rather more prosaic things like machine gun nests and artillery.

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"
  14. Re:Why not? It's cheap. by rtb61 · · Score: 1

    World War 2 computers were not a big thing. Calculations were done largely mechanically in the field and the internet did not exist, yet there were nukes. Cyberwarfare is bullshit and the lie relies upon an unprepared and insecure enemy with computers connected to the internet. The reality of course is a free for attacks people, corporations and the internet backbone itself. Anything but a purely defensive stature is insane. Any bugs or security failures that are found and then not disclosed to be corrected is simply relying on dumb luck that the enemy doesn't also find them and use them. Basically any attack only suits criminals with criminal intent.

    If you're going to play bullshit games like that, just use off the shelf hardware to create a stealth cruise missile to start murdering foreigners and destroying technical infrastructure at random. If it is all about being destructive and not getting caught, why go half measures? If your hacks, when released, start infecting hospital prescriptions and making lethal alterations, really just how stupid has your cyberwarfare game become?

    No government department ever has the right to withhold discovered faults from repair in the hopes of deploying it themselves only to see their own citizens become victims of it when used by organised crime. That's what bullshit cyber warfare is really about. Find back doors, keep them secret and then toss them aside when criminals also start finding and using them and basically screw the victims created until the fault is fixed. Instead of proper policing find back doors and remove them. In fact what you end up with is government departments working against each other at taxpayer expense.

    --
    Chaos - everything, everywhere, everywhen
  15. Re:Offensive Unit by eriqk · · Score: 1

    No, no, no, you all misunderstand. By "Offensive Cyberwarfare Unit", they just mean the group will be incredibly rude. It's all in intimidation, people!

    4chan.de/b/?

  16. OOPS by ka9dgx · · Score: 1

    It turns out that you should care about the "chain of trust", and "trusted computing base" type terms, but not if they are used to back DRM.

    When you do want to pay attention is when the developers of Genode talk about them in their development of a microkernel based (pick 1 of the 8 they offer) operating system which uses capability based security, and yet can run Linux inside of itself.

    Genode is cool stuff...