Britain's Newest Warship Runs Windows XP, Raising Cyber Attack Fears (telegraph.co.uk)
Chrisq shares a report from The Telegraph: Fears have been raised that Britain's largest ever warship could be vulnerable to cyber attacks after it emerged it appears to be running the outdated Microsoft Windows XP. A defense source told The Telegraph that some of the on-board hardware and software "would have been good in 2004" when the carrier was designed, "but now seems rather antiquated." However, he added that HMS Queen Elizabeth is due to be given a computer refit within a decade. And senior officers said they will have cyber specialists on board to defend the carrier from such attacks.
It makes sense to me. Where else are they going to get minesweeper?
they will have cyber specialists on board to defend the carrier from such attacks
They are supposed to defend unsupported proprietary software. The right name is not cyber specialist, but rather priest.
Yes, the Royal Marines like their meat fresh.
I am armed because I am free. I am free because I am armed.
... control system is assisted by Clippy.
that crashes when you enter zero into the data field for the Remote Data Base Manager
Ransomware writers around the world are salivating.
Seriously who would make such a boneheaded decision?
It might be high tech like US destroyers, but can it avoid becoming a hood ornament for a container ship? That is the test.
"And senior officers said they will have cyber specialists on board to defend the carrier from such attacks."
ALL UNPLUG FULL!
Answering all unplug full aye!
Every military appears subject to the same idiocy. Seriously, you are spending literally billions of USD, GBP, or EUR (I tried to use the actual symbols for GBP and EUR, but I forgot about Slashdot and unicode). You can't spring a few million for a custom built or customized (e.g., based on OS/2, QNX, VxWorks, Linux, etc.) OS that has all the networking and other non-essential components removed? Then you can allow network access via a very tightly controlled and well audited interface.
The main reason, I think, for this conundrum is that there are two competing objectives: 1) extremely rigorous system engineering processes with the attendant configuration control; 2) use more COTS and fewer custom components. For instance, those decisions were definitely made over a decade ago and any change to them would require tons of paperwork, additional certification, and also add to the cost and delay the schedule. It's no wonder they just stuck with what was already approved.
That said, I simply cannot believe that one or more of the big defense firms (e.g., BAE, Lockheed-Martin, Boeing) has not come up with something better than slapping Windows on it.
Now, I know (or rather, I truly hope) that things like navigation, fire control, and other critical ship functions are not dependent on any Windows (or other consumer OS). However, I know that some years ago the US Navy had a "Windows-power ship" end up dead in the water and had to have it towed back to port. That was the result of a divide by zero bug in some piece of software but Windows did not handle it gracefully, if I recall correctly.
Either way, they will be lucky if they don't end up with some very serious problems along the way. It seems like it is just not possible to keep ransomware out of any decently sized network. And I can imagine a major world power's flag ship being a tempting target.
... Windows for Warships? (Seriously, that exists) Anyway: despite windows XP's age Microsoft will still actively support it for organizations willing to send them a boatload of money, and the rates only go up the more time passes. But when you're talking about the operating costs of a large warship, the cost for continued xp support is only a rounding error in the total.
The last time I recall the Navy being concerned about running Windows was maybe 15 years ago. The LinuxBIOS project attracted a lot of attention from some Navy guys because of its rapid reboot capability.
At LANL, LinuxBIOS researchers could reboot a small (1K diskless compute nodes connected via Myrinet) scientific computing cluster in 3 seconds, ready for work. So, theoretically, one could change from a Linux cluster to a Windows cluster, but no one ever wanted to.
Whatever became of that technology?
The die-cision to use anything from Microsoft in a mission-critical environment, let alone a 16+ year old OS with a giant list of known exploits goes so far beyond amazingly stupid I can't even find the words.
Anyone over there watch the IT crowd?
Moss: "What kind of operating system does it use?"
Bomb squad: "Vista!"
Moss: "We're going to die!"
Is there even a word for this level of stupidity? The die-cision to use anything from Microsoft in a mission-critical environment, let alone a 16+ year old OS with a giant list of known exploits...
I believe the word you're looking for is "congressional". ;)
Anons need not reply. Questions end with a question mark.
The die-cision to use anything from Microsoft in a mission-critical environment, let alone a 16+ year old OS with a giant list of known exploits goes so far beyond amazingly stupid I can't even find the words.
Can you name a single known exploit that applies to this ship's XP systems as deployed?
... has managed to develop their own QNX based base operating system to ensure safety & security. They've also been doing it for a couple decades.
It seems insane that the Royal Navy & BAE systems couldn't figure this out themselves. This has the smell of a kickback based sales agreement to me. Almost any other operating system is a better choice simply because they are smaller attack targets than any version of Windows.
Just fucking google it. There are large numbers of unpatched XP exploits. Microsoft themselves even admit the entire OS is fundamentally insecure and will never be fixed. They even said the same thing about Win 7 as soon as they wanted you to buy Win 8.
Here's a start:
https://www.cvedetails.com/vul...
The Register in 2009
According to the Ministry of Defence (MoD), HMS Montrose has now entered a planned docking and refit period during which BAE Systems plc will replace her original DNA(1) gear with DNA(2), said to be "based on the system being fitted to the Royal Navy's powerful new Type 45 Destroyers". This means it will be based on fairly everyday hardware running legacy Windows OSes - people who have worked on these programmes inform us that both Win2k and XP will be in use across the fleet.
Anons need not reply. Questions end with a question mark.
Just fucking google it. There are large numbers of unpatched XP exploits. Microsoft themselves even admit the entire OS is fundamentally insecure and will never be fixed. They even said the same thing about Win 7 as soon as they wanted you to buy Win 8.
The existence of exploits is different from the question of which exploits are applicable to XP systems as actually deployed on this ship.
I believe the word you're looking for is "congressional". ;)
In England, they call it "Parliamentarian" old chap, bip-bip, cheerio.
The U.S. nuclear fleet still runs on Microsoft Bob.
I'd love to see the on boar systems they mention.
Website Just Down For Me? Find out
It looks like you are trying to turn the surface of the earth into glass. Would you like help?
Think of it from a UK mil perspective.
They have to find people to use the computer GUI. Make a bespoke UK OS? That's a lot of new computer tasks to learn and teach to average people new to the navy.
Trying to keep people in the navy is not helped by some strange, new, expensive, complex new UK mil OS.
No need to teach the users how to write code in something like a new Ada to do GUI things.
That keeps teaching costs lower and makes teaching methods for new crews more easy. Just like a really big home computer but at sea.
The gov and mil security thinking works like this:
The port, repair areas are totally secure as all the contractors and mil staff are allowed to be on site and are 100% trusted.
When the ships need service or get towed back to port again contractors get all systems working again.
No cult, person who is loyal to their religion or another nation or is political motivated can get to the XP computers that are secure thanks to a big, high, strong fence around the port.
No person is allowed to bring any different electronic device with them from home. That's a really strict rule and no personal equipment is allowed on any UK ship or near a ship in port.
So nothing can go wrong. The fence around the port is huge. When the ship is at sea it's totally protected from random people walking onto the ship.
Staff, contractors and people at sea would never ever use or bring any other digital devices. From home to the port or for their own use for the long time spent at sea or under the sea.
People at sea are sleeping, learning about the GUI, eating or taking tests and are not alone. They have no time to use their own computers they would never have with them as they have been searched for such devices.
So the selection of the OS saves the gov money when teaching very new users, GUI applications look like what average people are used to, it's easy for contractors to work with a lot and get overtime to fix when in port. It's win, win, win if everyone is vetted, the fence is big and nobody ever brings files or computer devices from home to the port or on the ship.
The term is air gap.
Domestic spying is now "Benign Information Gathering"
...but they’re held back by some unresolved incompatibility that causes Harpoon to crash on Windows Vista.
this hit fark a good 12 hours ago.
That said, I don't get the thinking here. WinXP is old, outdated, and insecure. If you don't want Win10 or whatever you've got linux, along with several modern RTOS's. Hell, rolling your own is probably better than WinXP.
If you've got a CNC machine, or bioassay device, or whatever, it's fine. As long as the internet can't find it. Soon as the $bad_guys find it, game over.
I think that probably the whole "you're being updated by force and shoved ads up your ass" thing has a bit to do with it.
You know, I built a WinXP HMI back in 2010 and had it work wonderfully for me for years on an airgapped machine. And then about two years in, some screw condition with one of the proprietary hardware drivers on it causes the whole thing to reboot entirely on its own.
Now, you might ask, why would I do something like that at all. And the answer is that the nameless industrial controls vendors Allen-Bradley and National Instruments explicitly marketed a WinXP/LabView solution for HMI as an alternative (not even a cheaper alternative, just an alternative) to a dedicated touchscreen box for customers like me who needed more out of the HMI than what the touchscreen dowhicky came with, namely datalogging and additional helper logic that's naturally implemented somewhere besides the safety-critical ladders.
Now, the Linux driver for that gizmo that caused the Windows box to reboot didn't have that issue. And even if it had, Linux would have failed more gracefully and the controls would have still worked. But Allen Bradley was a Windows-only outfit. So the once a year spontaneous reboot is the price I paid for not having to reinvent a very expensive wheel. I suspect that this aircraft carrier is the same. They need Windows for something that would be very expensive to reinvent, and between their budget pressures, military procurement silliness, and the fact that they just might not have enough time and enough good people to do it...they went with WinXP.
It looks like you want to play global thermonuclear war
what side do you want??
1. USA
2. Russia
3. United Kingdom
4. France
5. China
6. India
7. Pakistan
8. North Korea
9. Israel
Just imagine if this was on one of their submarines and someone opened a Window while they were submerged. Talk about a crash dive.
Mind you, this is from the same country that bought you flammable warships during the Falklands war.
So new staff feel ok using the GUI.
Domestic spying is now "Benign Information Gathering"
Because it's cheaper to implement than the alternatives you listed and whatever security shortcomings it might have don't matter if they are properly isolated systems.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
I googled, could not find a single exploit that applied to the isolated systems of a warship. Perhaps you can point at some?
AC that should have all been ok.
The UK did not expect anyone to work out how to use that French system in the time allowed.
It was an export grade weapons system and was expected to stay on an internal surrender setting.
Crews worked very hard and very quickly to discover full French access to the very complex system.
Most nations now know that they have to fully trust who they buy from or what systems they use.
Domestic spying is now "Benign Information Gathering"
The last thing you want to see in naval warfare:
Your cruise missiles have been encrypted. Do not bother trying to decrypt your cruise missiles as they can only be decrypted by us. Send ${YOOGE_BITCOIN_MONIES} to our friendly decryption service to decrypt your cruise missiles.
This is serious !
Back in 2015 the MoD declared that this vessel would be 'Windows-XP Free'
Read the article below if you do not believe ---
https://www.theregister.co.uk/...
"senior officers said they will have cyber specialists on board to defend the carrier from such attacks" translates to "they have the original installation floppies standing by".
When they came for the communists, I said "He's next door. Take him away. Goddam commies."
"Warship sunk by fat Russian boy on the couch of his mother's basement."
For the first 36 of those issues, you need local access. Someone with intent to cause damage, who has local access could probably do more damage to the ship than they could do using the computers.
Most of the remote issues are web based, so it might simply be an idea not to browse random websites.
Which could be used to affect an aircraft carrier in some way?
Probably... ROFL... Smoke another one. :P
[($)]
Article is here: https://www.theregister.co.uk/...
The fact it's connected to the INTERNET is the height of stupidity. If it wasn't it would matter all that much what OS it uses...
Damn. What's sodomy good for if you can't get whipped and drunk?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It doesn't matter if they never go to war with it, you mean?
Because that's basically the game BAE is in. Making weapon system that are peace-compatible. Not really battle worthy, but also not as expensive as they'd have to be to be battle-worthy.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Old joke: What does a navy pilot have in common with an internet junkie?
Both break out in cold sweat if their display shows NO CARRIER
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Hardly a surprise that it is going into service with such outdated, insecure systems. This is the Navy that genuinely put this out as a recruitment video a few years back. Now it might have been a joke from the crewman, but the ad is edited in such a way that it suggests not.
re "physical access prevention"
"Margaret Thatcher ordered troops to shoot intruders on sight after protesters boarded nuclear-armed Navy sub
The PM was livid when three demonstrators broke into the control room of vessel carrying Polaris missiles, newly released files show"
http://www.mirror.co.uk/news/u...
Domestic spying is now "Benign Information Gathering"
Just think how fucked up you have to be to pick that as your username. Man you must have had an unhappy childhood, overbearing (maybe worse) parents? Gotta love the weird hangups and kinks of people raised by conservative christians. I'm sure having a handle called 'gay boner sex' is just a part of it.
Most of the rest of us grew up and stopped finding differing sexualities interesting a looooong time ago. What a sad little prick you must be. Even if you're straight, which is probably debatable, you evidently think about men fucking a LOT.
I think the point of him picking that name seems to be getting people like you up. Who gives a shit? You claim not to find differing sexualities 'interesting' yet you can't help having a go at a stranger on the internet for reminding you of it. Grow up and don't feed the trolls.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
The U.S. Navy develops Tor and the Airforce, as well as several other agencies use LPS to log into places. You'd think the UK navy would be smart enough to not use Window$ anything. But, this is coming from a country that wants backdoors in everything. One country's bug is another country's feature, I guess.
The term I would use is "gross dereliction of duty".
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Rolls Royce still makes some of the finest engines in the world, right in Derby.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Boar does not mean wild pig. It means male pig with his balls intact. (/syntaxrant)
This aircraft carrier is so expensive that there are significant budget limitations for the rest of the Royal Navy, including the carrier group in question.
Since they don't have any airplanes for this carrier, their plan is to reach the enemy port, plug an ethernet cable and let Windows XP do its thing.
"Vampire! Vampire! Track 3872 bearing 285 at 20 klicks!" "Taking out track 3872 with bird--" (Screens all over the ship turn blue with the text "A problem has been detected and Windows has been shut down to prevent damage to your computer"...) "What the bloody hell?" "Gates, you arrogant ass! You've killed us!"
Some contractors used Windows XP or Windows 7 on laptops but the warship uses a custom built hardened version of Windows "Windows for Warships" it is mostly based on Windows 2000 server ...
This is much the same as the US fleet, which uses a mixture of Windows 2000 and Windows NT based custom systems ...
Puteulanus fenestra mortis
Agreed, not every thing is crap. Although for every good example you can provide, there are a hundred bad. And you must mean jet engines, as the cars are as German as Herman Goering.
Real reason for this decision is obvious, retro gaming. https://games.slashdot.org/sto...
A lot of people keep calling this stupid, but it's actually pretty simple. The design started back in 2004. When you're working a rigid project like this, things get locked in once approved, like design and technology. If you postponed even whenever a new Windows came out, you'd have to go back, have a new CONOPS, new requirements, and start all over again and the project would never finish. Yes you'd get to reuse a lot of the previous architecture, but just think about it. If you're running the program, and software people tell you they're going to just use a new OS, you have a whole host of new things to think about.
And in the government, hardware tends to drive software, so software is constantly trying to keep to the same milestones. And believe me, once you've tested, NOBODY wants to think about switching OS and libraries now. Throw in a few of the typical delays that come in the government, (funding/changing of the guard, etc...) and this all makes sense.
So stupid? That's not really the issue here. It's choosing between a rigid process, that can't afford to do things quickly and is very risk averse...or finishing quickly. The most common mitigation to this issue is to include an update later, with newer Windows and some regression testing. You can't really win with the public these days anyway...imagine if they pushed it out quickly and the report instead said that there was a malfunction because it was a rush job. These days, you're damned if you do (spend a lot of money but this is what we get) and damned if you don't (rush job leads to malfunction leads to public embarrassment).
Yep things sure have come around in 28 years!
But that's not what I meant either. I meant having physical access to the actual "box" itself. Getting onto the boat is a chunk of the battle but the ability to physically compromise the box is the most important part. Gonna be kind of hard to do that with 24 x 7 shifts running, no?
Depends on the navy, the security the person has and if the buddy system can be staffed for that rank, clearance, every mission.
After a while someone gets to be alone and needs power for their USB device. They have hours and days to go looking and the need to find any USB power builds.
Domestic spying is now "Benign Information Gathering"
Using ANY Windows platform for a military application is the stupidest thing I have ever seen (yes, I've done it, but it was not tied to the world). I cannot see any reason why Linux is not the default OS for all military applications. You can make it as small as you need, or as powerful as you need. All with relative security.
It's good to see that you finally decided to create an account, APK.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
That was Windows N(eeds)T(owing). This is XP. They've probably improved it to the point that it eXplodes the Propellers instead.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
The die-cision to use anything from Microsoft in a mission-critical environment, let alone a 16+ year old OS with a giant list of known exploits goes so far beyond amazingly stupid I can't even find the words.
So, you're saying that a country's only aircraft carrier is a mission-critical environment? How so?
Can't they just pop another one out within a month? A boat is a boat, after all.
As a Brit I can tell you that there are MANY Islamic people living in the UK as citizens, and are completely eligible to join the forces.
Like it or not it's a fact that the UK is living in denial about many real risks since it's a repeat story of young UK Muslims being brainwashed/radicalized in UK mosques. Many have in the past even gone off to fight for IS.
It's a no-brainer that the smarter radical Imams are telling them all to get into positions of trust where they can perform Allah's will.
If you think everyone on that ship cannot possibly be in any way a security threat (even unintentionally) then you are beyond VERY naive.
Of course they can be. And they don't need a computer to do so.
Your assertion is completely baseless and reeks of FUD - the same thing GNU/Linux apologists like yourself have slammed Microsoft for for decades.
Why exactly are they not battle worthy for using some flavor of NT on some of their ships' systems? Do you have some inside knowledge of the design to share with everyone that would back up your assertion?
I don't know much about the British, but I know for a fact that Microsoft products are used extensively in battlefield situations by the U.S. military. I've worked with a Sergeant in the U.S. Army who did two tours in Iraq and worked with Windows based systems. Windows was the least of his problems on the battlefield.
If you would like an example of Linux-based system being battle-tested, here you go:
https://www.theinquirer.net/in...
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.