In an Age of Cyber War, Where Are the Cyber Weapons?
chicksdaddy writes "MIT Tech Review has an interesting piece that asks an obvious, but intriguing question: if we're living in an age of cyber warfare, where are all the cyber weapons? Like the dawn of the nuclear age that started with the bombs over Hiroshima and Nagasaki, the use of the Stuxnet worm reportedly launched a global cyber arms race involving everyone from Syria to Iran and North Korea. But almost four years after it was first publicly identified, Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed. Experts in securing critical infrastructure including industrial control systems are wondering why. If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'? Speaking at the recent S4 Conference, Ralph Langner, perhaps the world's top authority on the Stuxnet worm, argues that the mere hacking of critical systems is just a kind of 'hooliganism' that doesn't count as cyber warfare. True cyber weapons capable of inflicting cyber-physical damage require extraordinary expertise. Stuxnet, he notes, made headlines for using four exploits for "zero day" (or previously undiscovered) holes in the Windows operating system. Far more impressive was the metallurgic expertise needed to understand the construction of Iran's centrifuges. Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country's uranium enrichment operation."
Haven't you been watching the news for the last six months?
REALLY stupid question. It is not like they are going to wave them about for everyone to see. They most likely exist.
http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/
Seems we heard little of them because secrecy was maintained for quite a while and (shocker) it was the US building/using most of them.
We have E-cannons already, skript kiddies have been using them for years now.
have you seen my sig? there are many others like it but none that are the same
Is there a doubt in anyone's mind?
Perception is reality
The cyberweapons are between your fskin' ears. Malware, virii, etc, are just the tools.
Om, nomnomnom...
You can look back at sensationalist war-propaganda in the 21st century and notice that most of the wars fought in the west were not against big militarized powers with guns blazing and large banners. Where was Fat Man after 9/11? Where was the Fat Man of the war on drugs? The cyber war will not be fought in the power of viruses/security leaks, but in their number. Not only that, but even the smaller security vulnerabilities are exploited to harm many people, as in the recent Target security breach or the Sony Playstation credit card leak. The fight is not against complex, politically motivated (or facilitated) viruses/information breaches, but against your average neighborhood kid who knows basic SQL.
Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them...
No, they didn't.
They just needed to have a rough idea, and make sure that they experienced forces well in excess of that figure.
Remember "News for Nerds, Stuff that Matters"? Help make it a reality again! http://soylentnews.org
Here you MIT idiots go: This is where the cyber-weapons are. The same place all the other weapons are. The Black Fucking Market. What morons, get real.
The weapons are on chips, firmware or in the OS! Did you not read that catalog that the Snowden fella kindly leaked for us?
Ask Intel about iAMT and vPro. Ask China about Manchurian Microchips. Ask Microsoft about NSAKEY again, because if we didn't believe their lame excuses 10 years ago, we REALLY don't buy them today.
Sure, the NSA probably has a large virus arsenal too, but when you can issue a National Security Letter to MS or Apple or Google or Mozilla, or simply activate one of our many programmer agents in place (such as in the IETF or at MS or Google) and just put the exploits wherever you like, viruses start seeming pretty silly. Heck, even our geopolitical adversaries are using US-made cyber-weapons - ahem, I mean operating systems and applications.
Why would you use a weapon, when that only means mechanisms will be put into place to prevent it. That's the problem with cyberwar, you only get so many shots with them.
And you damn well would prefer not to get caught anyway.
Yes it's called a programming language
Where are the cyber weapons? Already deployed and awaiting activation. Undocumented errata in major CPUs which allow bypassing memory protection. Preset keys in network cards allowing remote administration. Undocumented admin passwords in network firmware. Code signing certs in the hands of intelligence agencies. That's where.
Virtual weapons need victims and a goal to be obtained. It will be used when required, just as with all collected information.
The real 'cyberwar' is the governments' and corporations' (RIAA, etc.) war against the free & open internet. I fear they may have nearly won by now as well, as people continue to embrace iTunes, Google, and their ilk, and tolerate censorship & spying on email and other electronic communications.
We had one chance, people. We'll never get back what we've already lost.
Actually... the real cyberweapons are most likely in government storage; right by the WMDs.
I bet the NSA or FBI has all the decryption keys, required to activate most of them.
The president's nuclear football, probably now includes cyberweapon deployment, and internet shutdown codes.
Wow, parent god modded to -1 ...
http://cryptome.org/2014/01/nsa-codenames.htm
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
http://www.wired.com/threatlevel/2013/12/nsa-hacking-catalogue/
"What is Critical? To what degree is critical defined as a matter of principle, and to what degree is it defined operationally? I am distinguishing what we say from what we do.
...
Mainstream media love to turn a spotlight on anything they can label “hypocrisy,” the Merriam-Webster Unabridged Dictionary meaning of which is:
'[T]he act or practice of pretending to be what one is not or to have principles or beliefs that one does not have, especially the false assumption of an appearance of virtue.'
The debate topic I propose here can therefore be restated as calling out, “Hypocrisy!” on the claim that the Internet is a critical infrastructure either directly or by transitive closure with the applications that run on or over it" Dan Geer June 2013
Sending microwave audio into someone's brain can't be used as a cyber weapon? Targeting a schizophrenic with said technology to get them to do your bidding doesn't make them a weapon?
Wouldn't the Morris Worm qualify as the first "cyber weapon"? Granted it was crude and uncontrollable, but I'd bet that the same could have been made for the Mark 1 Mod 0 Blunderbuss 500 years ago.
And I think that the power of a cyber-weapon would lie primarily in secrecy, like land mines; you don't know you're under attack until you've already taken considerable damage.
I wonder how the world would react to a global internet shutdown.
It would cause immense economic and probably industrial damage. I wouldn't be surprised if it were treated as an act of war by many countries.
In a cyber war, where are all the cybernetics? What even makes it "cyber"?
Twinstiq, game news
All of those were used by governments. One was used for industrial sabotage; the other two to spy on people who were then assassinated. Are these not "cyber-weapons"? What makes them different from Stuxnet but the degree of press they received?
I am very certain the weapons are there, the sophisticated ones are just used on single point targets and are custom-adjusted by humans.
The flashy mass deployment is rare and usually ineffective. You do not want to be known and only use it as last resort (stuxnet). I am very certain that all kinds of hackers and advanced cyber weapons are used regularly. We do not hear about it because the targets do not want to disclose they got hit or often do not even know they got hit. No matter if it is industrial espionage or stuff governments do, it happens in the shadows.
I'd tell you, but then I'd have to kill you.
Table-ized A.I.
I received the Slashdot Death Penalty for making fun of Roblimo's video Slashvertisements a while back, and even if my comments get tons of positive karma they will eventually be god-modded down. Read at -1, people, that's where we Slashdot political prisoners are.
In the hands of the Cybermen, of course.
we'll never know they were used.
Nor are there any such things as "cyber weapons". Whatever an ever-hype-producing press may want to sell to us. Whatever successive US governments, spending money they don't have, may want us to fear. The things simply don't exist.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
If we started building bunkers out of blocks of TNT, someone would rapidly figure out it was a bad idea.... but not so when it's abstracted several layers deep.
In conventional munitions, it's necessary to deliver an explosive to a target. Thanks to the Unix security model, with its lack of any notion of multi-level security, we've created an entire infrastructure that's ready to self-destruct at a moment's notice. The military went on to actually procure and use multi-level security in a number of cases, while the idea is perceived as impossible, or unnecessary in the civilian space.
All of our Linux, Mac OS, and Windows machines share the same brain dead security model. When you run code, you have to trust it not to be a virtual grenade, each and every time.
The existence of billions of computers which blindly run code without actual security protecting the operating system (as a multi-level secure system does) is astoundingly stupid, and yet 99.9% of the "tech" community is just fine with this state of affairs.
The infrastructure IS the weapon, it's your job to change that over the next 20 years.... get crackin'
... they don't need a cyber weapon, as they can use the law to enforce any American company responsible for the major OS players to give them everything they need.
You just need to understand critical speeds, resonances, and that you shouldn't suddenly change the speed of the rotors. But in _To kill a centrifuge_ Langner describes some games with pressures as well. Adding random valve openings and closings in a refinery, gas plant, sewage plant, etc. will look like intermittent failures and just as hard to 'debug'. Eventually you'll hit a particularly nasty set. Errant monkeys playing with your PLCs. But it must be a slow day at Tech Review..
I received the Slashdot Death Penalty for ...
Well, I'm guessing it was more for things like-
Stallman is an ethnic Jew and I think we all know that sometimes Jewish folks are given to exaggeration and hyperbole.
But still, that's weird because I've made (arguably non credible) death threats against Hillary Clinton and jcr, and somehow I now have 2 accounts with excellent karma. I'd suggest watching, and abandoning your racial stereotyping and focus on the legitimate issue of the ultimate opposite of separation of church and state going on with Israel.
Still, of the last dozen or so comments of yours I read, your mods do seem pretty consistently unreasonable (compared to mine).
Sadly we do live in a day and age where various political un-topics do exist-
- criticizing Israel on the separation of church and state
- criticizing China on the Tiananmen Square Mass^H^H^H Incident of 1989
- criticizing the NSA and the tech oligarchs on the laughable insecurity of closed source OS-accessible reflashable without write-enable jumper firmware
etc....
Thank God for the Snowden Revelations. (and yes, the 'god' was a perhaps freudian typo for 'got', but you knew that and deftly jumped on it in an information warfare way anyway. Good Job!)
See that shiny new interface of Windoze-8, Mac monitor-X or Anne Droid... the new cyberweapons are designed to not look like weapons.
I'd guesstimate on average, we log about 50-100 attack attempts from Chinese IPs per server per day. Our sample size is only several thousand customer servers, but that's enough to get a rough idea of what's happening on the internet generally.
There IS cyber war going on, much like the Cold War. It's not on the news every day, but it's happening just as much as Reagan was trying to defeat the USSR. The weapons aren't that advanced most of the time simply because they don't need to be - the targets very cooperatively run PHP scripts written by kids with NO security training whatsoever. When your admin interface is open to brute force and SQL injection attacks, advanced weapons aren't needed. The secretary of state and chairman of the senate defense committee have the same unpatched Linksys router at home as any random person. How many high level bureaucrats have VoIP at home? VoIP "protected" by Netgear's firewall?
China could probably DDoS attack all of the USA that counts.
The government's newest major computer system is healthcare.gov. What kind of weapon do you need to take down major, modern government computer systems? Apparently, Thursdays are sufficient to take down healthcare.gov.
Super advanced cyber weapons simply aren't needed. How many programmers who ended up working government jobs even know what a "SQL injection" is, much less how to prevent it? One small sample suggests only 20% of government programmers know what it is, and 10% use parameterized queries, leaving most systems open to trivial attacks.
Sitting in some cyber arsenal, awaiting use. The problem with cyber attacks is that once discovered, they can be defended against. So from a tactical point of view, they are best kept in reserve until the case for their use is overwhelming.
As a part of Operation Orchard, it is theorized that Israel may have disabled Syrian air defense via back doors in their IT systems. If so, the existence of such back doors was revealed by a post mortem analysis and the holes in the systems plugged. So that would be a case of a one time use. It had better be worthwhile (and arguably, it was).
The cyber weapons in the hands of criminal organizations are best used in a very low key manner, so as not to attract attention and patches. Criminals are probably continuing to bleed some credit cards for $9.85 here and there, hoping to stay under the radar for as long as possible.
Have gnu, will travel.
...are the ones you never hear about. Because the moment you hear about them, someone has countered it.
To Wit Many weapons, though a common person cannot understand how they work, at least understand how they can be used and effective.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
"Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country's uranium enrichment operation."
Mechanic with machinist training here. That's no big deal. Overloading a system by running it as hard as the drive motors allow will often break it as many machines aren't built with protective mechanical safeties such as simple wasp-waist shear points on driveshafts, shear pins, or mechanical governors.
It's easier to control machinery electrically and when a targeted operator doesn't expect malicious control operation they aren't likely to have designed with it in mind.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Overloading a system by running it as hard as ...
Not that I'm accusing Lennart Poettering of cyberwarfare, but a highly relevant anecdote is that when pulseaudio was first thrust upon me in fedora, I and many(?) others discovered that it was only software that was preventing our PC's audio out from being overdriven to the point of health and property risk. I discovered this as my volume, due to bug, instantaneously jumped to 400% as I had my sony earbuds in listening to music. The result was excruciating ear pain for the duration of time (about half a second) it took my body to react and rip the earbuds out of my ears. I wonder (not enough to experiment) what would have happened if my speakers had been connected. It would have certainly taken me more than half a second to cause things to stop, and I'm guessing permanent damage to my speakers may have occurred.
Of course, I'm not sure how expensive it would have been for sony to have put a safety in the earbuds. Still, quite the educational experience that was precisely illustrative of what you described, but in a more personal non-industrial sort of way.
Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed.
What about this?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Are most of those IP addresses originating from China or are these attacks just being routed through China?
They have existed for years.
Most of that catalog listed firmware and bootloader hacks to patch an OS in memory. Most firmware is horribly buggy and rarely updated. Getting your payload into windows / android / iOS directly runs the very great risk of being noticed.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Developed and shipped by a close partner of US Department of Defense and NSA.
Internet Explorer and Windows. These Swiss cheese programs are the greatest threat for computer security known to lifekind. And most of the ducks in duckland have no idea you have to run Windows Update every month, but even then zero-exploits are oh so common. I find it hard to believe this is an accident, and then all evidence suggests people are really that stupid.
hm. let's translate that to a form that may make more sense: computer-physical damage. nope, still makes no sense.
All available evidence suggests that the vast majority originate in China. That makes sense - it would be silly to go through the great firewall, twice, and slow yourself down by going around the world and back, when you could just as easily use a US zombie.
No, you just send some guys over with a National Security Letter and force Google / MS / Apple to put your backdoor into your OS or firmware. Who would notice?
Iraq?
Requiem for the American Dream
And how many times has malware started to take advantage of bugs that Microsoft just patched?
There are people who examine every change to find the backdoors that have been closed so they can attack them on unpatched machines. Do you think they'd ignore a backdoor that was just opened?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Sure, we can talk about things like the ION cannon, and what-not but let's be real. Government controls the news, but Social media corrects the news and the government says "oh no! they caught us!" and then they realize that social media can either be used for propaganda (so they passed a bill to allow disinfo agents to exist about 2 years ago) or to spy on its users so they can keep tabs on who they want (NSA) and prosecute/execute them without warrant (NDAA). The real war is the people of the world against the Chinese and American governments but really it's mainly against the American government. The weapons are social media outlets, p2p, proxies, vpn, and anything else on the CIA's blacklist of "you might be a terrorist if...". Sure, there exists TOR and the darknet but it has virtually almost no negative impact on real people other than give the government a reason to monitor us and to expand into that sector. Remember, we were told that terrorists were a problem after 9/11 and Bush signed into bill the most expensive military budget in history of the world. The cold war did something similar and now this.
in my mom's basement.
In an age of cyber-sex where are the cybermen?