Slashdot Mirror


Pentagon's New Next-Gen Weapons Systems Are Laughably Easy To Hack (zdnet.com)

An anonymous reader quotes a report from ZDNet: New computerized weapons systems currently under development by the U.S. Department of Defense (DOD) can be easily hacked, according to a new report published today. The report was put together by the U.S. Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress. The report detailed some of the most eye-catching hacks GAO testers performed during their analysis: "In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators' terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded. Another test team reported that they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data."

The report claims the DOD documented many of these "mission-critical cyber vulnerabilities," but Pentagon officials who met with GAO testers claimed their systems were secure, and "discounted some test results as unrealistic." GAO said all tests were performed on computerized weapons systems that are still under development. GAO officials highlighted that hackers can't yet take control over current weapons systems and turn them against the U.S. But if these new weapons systems go live, the threat is more than real, GAO said.

93 comments

  1. Gee, good thing they didn't open source any of it. by Narcocide · · Score: 0

    [comment redacted]

  2. GB vs. CD by Anonymous Coward · · Score: 0

    When will the rest of the world starting measuring data volume in CD's instead of bytes?

    1. Re:GB vs. CD by dexotaku · · Score: 1

      Exactly this .. I was previewing my exact comment on that - it's a sign that GAO are measuring storage in compact discs, still. Welcome to the 1990s?

    2. Re:GB vs. CD by careysub · · Score: 1

      During the era of dead tree publishing the unit was the "Encyclopedia Britannica".

      --
      Starships were meant to fly, Hands up and touch the sky - Nicky Minaj
    3. Re: GB vs. CD by Type44Q · · Score: 1

      Maybe in Blightey; here it was always Libraries of Congress.

    4. Re: GB vs. CD by Hentai007 · · Score: 1

      With our new blistering fast broadband options you can see speeds up to 0.17857142857CDps!

  3. What? by TimMD909 · · Score: 4, Insightful

    This smells like the result of MBAs ignoring engineers...

    1. Re:What? by Anonymous Coward · · Score: 0

      Stop pretending you know what the fuck you're babbling about please moron.

    2. Re:What? by AHuxley · · Score: 0

      A multi national wants to get into the mil no bid contracts.
      They set up a front company in the USA with a few staff who have the needed security clearances and the needed legal team.
      The actual products and services then get done in the low cost nations with just enough final US oversight to win a bid.
      Nobody knows who is making what, who worked on what computer system.
      The result is products and services from deep in the EU, China getting passed as from a US company.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:What? by ShanghaiBill · · Score: 5, Interesting

      This smells like the result of MBAs ignoring engineers...

      It is worse in the military, because communication is inherently unidirectional, and they can go years between real world validations (i.e. wars).

      "War games" are set up by the same people that are being tested, so if they fail the test, they can just change the rules and have a do-over. This famously happened during the run up to the 2003 Iraqi invasions, when opfor was repeatedly banned from using unconventional tactics, such as underage bicycle messengers and roadside bombs, because that was "unrealistic".

      I had personal experience with this nonsense when I was a young lieutenant. I was part of the Red Team (opfor), and we were hopelessly outnumbered and outgunned since we were playing "insurgents". So we decided to go asymmetric ... and cut off the Blue Team's water supply. I was told that wasn't allowed, and to turn it back on immediately. So then we set up road blocks that targeted their chow trucks. Nope, that wasn't allowed either.

      But we were permitted to launch a hopeless frontal attack directly into their entrenchments, which we did on the last day of the exercise so we could go home early. In the after-action critique, I can remember the colonel getting up and congratulating everyone on a job well done. That's when I decided a military career was not for me, and I am not surprised that America proceeded to lose several wars.

      Semper Fi.

    4. Re:What? by Anonymous Coward · · Score: 0

      >RE: This smells like the result of MBAs ignoring engineers... This is usually the cause of engineering issues in my experience. Investors love MBAs.

    5. Re:What? by 1369IC · · Score: 2

      >It is worse in the military, because communication is inherently unidirectional, and they can go years between real world validations (i.e. wars). This is not as true, if true at all, on the R&D side. I work in one R&D command and we have almost 14,000 people and fewer than 200 military personnel. So you don't see the classic military structure you see in uniform. Also, in the Army, at least, if you're working on an actual system you're probably working for a Program Manager. PMs can have whoever they want do their engineering for them, buy technology from Army labs, Federal labs, industry or international entities. So again, it's not a military structure as the rest of the Army understands it (I'm a retired NCO, so I've been around a fair chunk of the Army). And the Army Futures Command is going to change a lot of these relationships.

    6. Re:What? by DNS-and-BIND · · Score: 1, Insightful

      That's because the purpose of wargames is to test systems and get people used to doing their jobs under stress. They're not there so that young jackass lieutenants can show off how clever they are. See, if you were actually smart you'd understand wargames and why the military has them. But you don't. IYI in action. The IYI pathologizes others for doing things he doesn't understand without ever realizing it is his understanding that may be limited. He thinks people should act according to their best interests and he knows their interests.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    7. Re: What? by Anonymous Coward · · Score: 0

      Uh, why do you think corporate security is so shitty in general? Since you're an idiot I will tell you why. It's because short-sighted MBAs like you have determined that massive data breaches etc. are just a cost of doing business.

    8. Re:What? by TomGreenhaw · · Score: 1

      Maybe... Being old enough to witness and understand the invention of nearly all of our modern computing technology, I can tell you that when you are inventing something new you are concerned with getting it to work. Safety and security improvement often comes later (if at all).

      --
      Greed is the root of all evil.
    9. Re: What? by Type44Q · · Score: 1

      Thanks for the link; very insightful read.

    10. Re:What? by Anonymous Coward · · Score: 4, Insightful

      "That's because the purpose of wargames is to test systems and get people used to doing their jobs under stress"

      I'm genuinely curious, why do they call it war games then and not system testing?
      Why do they not provide a procedure for the Red team to follow?
      If not a procedure, why do they not provide limitations for the Red team?

      I mean if the purpose is to test the systems under specific circumstances then why not lay those circumstances out ahead of time? If they do, then yes the previous poster that you replied to is an idiot for not following the rules of the game. If not, then isn't it someone else's fault that they didn't define the rules properly in the first place?

      I mean if you go and tell me to perform action X (like attack a base) and then I perform action X, how can anyone call me an IYI if they didn't specify how they want action X done? Wouldn't that mean that someone higher up the food-chain is the IYI by assuming that someone else would perform action X in a specific manner? To me it sounds like there were several IYIs in the scenario mentioned.

      Note: I do not actually know anything about war games in the US military, so I am curious how these things are supposed to work.

    11. Re:What? by Anonymous Coward · · Score: 0

      No, it's Contracts and Budgeting DAWIA fields not having good info. It's the PM not wanting to deal with the Risks determined by challenging the assessments to bring mitigation costs down. It's prime contractors not wanting to do a good job because they don't want their Cyber-aware people currently doing IC work to work on less valuable contracts until they can bill more money for a critical fix that now requires a lucrative contract-mod fee. It's Information Assurance using DISA info that is 2+ years old. It's other non-performance requirement groups which have been ignored and shunned forever continuing to be ignored and shunned.

      However:

      -USAF CROWS Office is now stood up
      -USN NOSSA is _supposed_ to be assembling some policies on this**. NAVAIR has their own thing going because others have dragged their heels for so long. (Cyber TechWH?)
      -USA(rmy) INSCOM has given inputs. CBL / CCoE and the relevant TCMs are also working on this.
      -USMC relies on USA or USN for complex weapon systems, so they are dependent on those groups to a large (but not total) extent.
      -USCG (see USMC)
      So, change is (mostly) in the works...

    12. Re:What? by Anonymous Coward · · Score: 0

      This smells like the result of MBAs ignoring engineers...

      It is worse in the military, because communication is inherently unidirectional, and they can go years between real world validations (i.e. wars).

      "War games" are set up by the same people that are being tested, so if they fail the test, they can just change the rules and have a do-over. This famously happened during the run up to the 2003 Iraqi invasions, when opfor was repeatedly banned from using unconventional tactics, such as underage bicycle messengers and roadside bombs, because that was "unrealistic".

      I had personal experience with this nonsense when I was a young lieutenant. I was part of the Red Team (opfor), and we were hopelessly outnumbered and outgunned since we were playing "insurgents". So we decided to go asymmetric ... and cut off the Blue Team's water supply. I was told that wasn't allowed, and to turn it back on immediately. So then we set up road blocks that targeted their chow trucks. Nope, that wasn't allowed either.

      But we were permitted to launch a hopeless frontal attack directly into their entrenchments, which we did on the last day of the exercise so we could go home early. In the after-action critique, I can remember the colonel getting up and congratulating everyone on a job well done. That's when I decided a military career was not for me, and I am not surprised that America proceeded to lose several wars.

      Semper Fi.

      More should be done to retain good Marines that think different. Everyone that stays in makes it what it is, and that will always have momentum.

      But... lose? Give me a break and get some perspective. You don’t lose a war, go home to eat nachos and play WoW, that’s not losing.

      - 4067

    13. Re:What? by Anonymous Coward · · Score: 0

      That's because the purpose of wargames is to test systems and get people used to doing their jobs under stress. They're not there so that young jackass lieutenants can show off how clever they are. See, if you were actually smart you'd understand wargames and why the military has them. But you don't. IYI in action. The IYI pathologizes others for doing things he doesn't understand without ever realizing it is his understanding that may be limited. He thinks people should act according to their best interests and he knows their interests.

      The circular IYI author is an IYI aspect made it impossible to get to the end of the article, because I kept rereading from the top trying to figure out how the circle was supposed to be broken... maybe it needs worse grammar and some misspelled words.

      Alternate title might be Stupid People Can be Smart Too.

      It’s OK to Be Dumb

      Smart People Are Stupid

      Everyone Else is an Idiot

      Science and Intelligence What Are They

    14. Re:What? by Anonymous Coward · · Score: 0

      Sounds like the Millennium Challenge.

    15. Re:What? by Anonymous Coward · · Score: 0

      >"War games" are setup by the same people that are being tested, so if they fail the test, they can just change the rules and have a do-over. This famously happened during the run up to the 2003 Iraqi invasions, when opfor was repeatedly banned from using unconventional tactics, such as underage bicycle messengers and roadside bombs, because that was "unrealistic".

      The issue there was abusing the simulation parameters - the guy said "You can't intercept any of my communications because they're all bicycle messengers", but didn't have any time lag or logistical issues for that - basically the bicycles inerrantly teleported to their targets.

      Similar exploits include navy exercises where only sufficiently large ships are 'notable', and then one guy says "well, these tiny-ass boats have been armed with missiles that are half as big as they are, but they're smaller than the notability threshold so they don't get mentioned on the other guy's briefing".

  4. creimer is fat and a gay! Everybody say yay! by Anonymous Coward · · Score: 0

    Moscow Don's pooper is easy to hack with the anaconda swinging between my legs. WOOOOOOOOOO~~~~~!!!!

  5. Not vulnerabilities at all by Anonymous Coward · · Score: 0

    They are not vulnerabilities, they are features and backdoors for the NSA.

    1. Re:Not vulnerabilities at all by K.+S.+Kyosuke · · Score: 2

      Unless they're using SuperMicro boards. ;)

      --
      Ezekiel 23:20
  6. Laugh by Anonymous Coward · · Score: 0

    Yeah. Let's laugh. Russia or China hack them and use them on us. Yeah. Let's laugh. /sarcasm

  7. joshua by Joe_Dragon · · Score: 0

    just enter that as the username

  8. Simple solution: by Tablizer · · Score: 1

    ban laughing.

  9. Security as an afterthought by phantomfive · · Score: 5, Insightful

    GAO said all tests were performed on computerized weapons systems that are still under development.

    You can't add security on as an afterthought. It needs to be a core feature.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Security as an afterthought by 1369IC · · Score: 1

      There are many steps to development, so it's hard to say if they have a case or not. Some of these things go from the most basic research all the way to final engineering. So if you're at the stage where you're trying to get it to "Hello World" and somebody tests your security, you might have a fair complaint. Or if you've got a working prototype as a technology demonstrator so you can try out different components like sensors or smart munitions or propulsion systems to see if they operate in the kinds of conditions the system will have to operate in, or to see which one gives you the best trade-off between weight and performance or whatever, then it seems fair that you wouldn't have the security working right yet because you're still picking out core hardware pieces that you'll have to integrate with everything else.

    2. Re: Security as an afterthought by phantomfive · · Score: 2

      If they were at the "hello world" stage no one would bother doing penetration testing.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Security as an afterthought by Anonymous Coward · · Score: 0

      You said most of what needed to be said, but basically you have to have a realistic plan for security, and once you begin to get a little stability you need to start implementing it to make sure there are no surprises. Some approaches may have to be rejected early on depending on your threat environment. You also want security to be as early as practical so you can find and address issues early that may not appear easily except through use. Of course if you have a high threat environment you go from best practices to active search for problems, but that is expensive.

    4. Re:Security as an afterthought by Anonymous Coward · · Score: 0

      Yes you can, silly. Windows added security after the fact in the early 90s and it only took them... ...oh wait, they're still working on it.

    5. Re:Security as an afterthought by Anonymous Coward · · Score: 0

      You don't pen test systems at the hello world stage. Security needs to be a core part of system design and build and if you are at the stage of a working system and pen testers were able to discover previously unknown flaws then you have serious design and test issues.

    6. Re:Security as an afterthought by Anonymous Coward · · Score: 0

      And now the hardware companies add security as an afterthought to their speculating processors. Hopefully that doesn't take as long. Otherwise "Press any key to launch" becomes the new bane of missile system operators anywhere.

    7. Re:Security as an afterthought by Anonymous Coward · · Score: 0

      There are many steps to development, so it's hard to say if they have a case or not.

      If the GAO was doing a report on the security of it, they were far enough along in the process to warrant an outside agency doing the testing.

      So if you're at the stage where you're trying to get it to "Hello World" and somebody tests your security, you might have a fair complaint.

      At what point in any development process do you think they bring in outside agencies? It sure wasn't at "Hello World".

      This is what it sounds like at face value, something far enough in the development process to have a third party check security, that third party finding abysmal security, and the Pentagon saying "oh, that's not realistic". Yeah, sure, trying to attack weapons systems is unrealistic.

      I don't see how this can be anything but shit security implemented by idiots bidding on a government contract.

    8. Re:Security as an afterthought by jeff4747 · · Score: 2

      You can't add security on as an afterthought. It needs to be a core feature.

      Adding security in and of itself is dangerous. If the operator can't fire the weapon because he's locked out of the terminal, it is worse than not having that weapon there at all. Because you make your plans assuming the weapon is present, and when it won't work then your plans are fucked.

      Military security comes from people walking around with guns and not plugging everything into the Internet.

    9. Re: Security as an afterthought by phantomfive · · Score: 2

      And next will you argue that guns shouldn't have safeties?

      --
      "First they came for the slanderers and i said nothing."
    10. Re: Security as an afterthought by jeff4747 · · Score: 1

      If the safety disables the gun until a tech unlocks it, yes, we should not have those.

      If the safety is a simple lever that any half-sentient being can successfully operate under extreme stress, then have the safety.

  10. Have they tried using creimer by Anonymous Coward · · Score: 0

    ebooks and dropping them on the enemy? In tests almost half of enemy soldiers committed suicide just seeing "C.D. REIM".

  11. Quid pro quo by PopeRatzo · · Score: 1, Offtopic

    Pentagon's New Next-Gen Weapons Systems Are Laughably Easy To Hack

    Especially since Trump gave Putin and Netanyahu all the passwords.

    --
    You are welcome on my lawn.
    1. Re:Quid pro quo by Anonymous Coward · · Score: 1

      PopeRatzo, one of the most legendary hate preachers and conspiracy theorists on Slashdot.

    2. Re:Quid pro quo by Anonymous Coward · · Score: 0

      Hey Pope! There's a Nazi under your bed! Better go catch him!

    3. Re: Quid pro quo by Type44Q · · Score: 1

      Even you should be able to come up with better than that.

      You're losing your edge.

  12. Rational risk/reward calculations by Tablizer · · Score: 5, Insightful

    To be fair, managers are more likely to be rewarded for delivering a sufficient product on time than ensuring proper safeguards. A missed deadline will almost surely be noticed and put on them, while slipshod security has roughly a 1 in 10 chance of showing its head during a manager's actual reign. (The marketing people negotiated the contract, not the project manager, and the marketers often under-bid to win.)

    They are behaving "rationally" in terms of their OWN risks versus rewards. The managers are following the carrots and sticks which are actually applied to them like donkeys would.

    It's kind of like debt and pensions versus politicians: they won't likely be in office anymore if they muck either of those up bad enough for the public to notice, so they give short-term handouts instead, dumping the long term problem onto the future. In the future, you will hear, "I didn't do it, my predecessors did."

    1. Re:Rational risk/reward calculations by 1369IC · · Score: 0

      >while slipshod security has roughly a 1 in 10 chance of showing its head during a manager's actual reign Systems that handle classified information are usually (perhaps always; only got involved in a few) validated by another, 3-letter, government agency outside the service. So if your system sucks, I would think there's a good chance the 3-letter agency would find it.

    2. Re:Rational risk/reward calculations by Tablizer · · Score: 2

      There's only so much inspection-by-checkbox can do. The actual source code would have to be carefully read (and understood) for a good inspection, and that cost is probably more than most want to pay. (A compromise might be random spot checking.)

    3. Re:Rational risk/reward calculations by Anonymous Coward · · Score: 1

      To be fair, managers are more likely to be rewarded for delivering a sufficient product on time than...

      The ellipses at the end seemed appropriate, since you can fill in the blank.

      In short managers, like politicians of late, particularly on the R side are more than happy to burn ethics to fuel their futures, even if the world burns, and a lot of people are happy enough to go along with it, particularly if at the end of it is something they really wanted.

      Is it even possible to teach ethics such that people are truly ethical? I'm doubtful. The hard right seems to have found a way around many of those religious teachings, since they are "serving a higher purpose," which come to think of it sounds a lot like a cult.

      How can we expect anyone to be ethical when the prevailing attitude seems to be crush your enemies and hear the lamentations of their women. Bonus for cheating and scamming your way into it. People know that politicians like Trump and all the rest are corrupt. It simply wasn't that important to them. They want to win at all costs and do a dance as ethics are burned, particularly if it sticks it to their opponents.
      Are there any students of history here? Does this kind of thing ever burn itself out, or does it just get worse? The manager is only a symptom. Right now we have the 1.) Trump's actions make democrats and reasonable people extremely angry. 2) Extremely angry people peacefully protest. 3) Would you look at that angry mob? They can't be trusted!

      Seriously every one in America should call bullshit on this stuff. Other employees should call bullshit on a manager passing off crap as gold. It's not like they don't know.

      Perhaps it is not so much the one in charge we should focus on, but all the others that say, "Everything's fine."

    4. Re:Rational risk/reward calculations by Anonymous Coward · · Score: 0

      And novice engineers often know too little about security to write secure code in the first place. And even if they have the knowledge in an academic way, the initial push is always "just get it working," and when in that frame of mind there is a LOT that one simply doesn't think about, including security.

      Seasoned veterans, of the kind that consistently deliver well-secured and high-quality code, are expensive and tend to hold up projects with their insistence that things be done right.

    5. Re:Rational risk/reward calculations by Tablizer · · Score: 2

      Seasoned veterans, of the kind that consistently deliver well-secured and high-quality code, are expensive and tend to hold up projects with their insistence that things be done right.

      I can personally vouch for that, except I'm not expensive, just ignored. People in general do NOT like accurate news. They prefer hearing what they want to hear. It's partly why the country is polarized: it's easier to find sources now that tell you what you want to hear.

      People actually like fake news:
      they just kvetch about others' fake news.

    6. Re: Rational risk/reward calculations by Anonymous Coward · · Score: 0

      And preaching ethics while claiming a segment of the population are unreachable... you write, describing yourself. That's why it's so easy for you to detail such dysfunction.

      Diagnosing people you haven't met or questioned about ethics. It's pretty damn stupid.

      You prove the point of the dangers of low intelligence. On both sides.

    7. Re: Rational risk/reward calculations by cyber-vandal · · Score: 2

      The foundations of Trump's rise to power were laid by both parties. Taking people's futures from them and telling them it's their own fault was never going to end well.

    8. Re:Rational risk/reward calculations by Archtech · · Score: 2

      The managers are following the carrots and sticks which are actually applied to them like donkeys would.

      That says it all, really.

      For better results, a good start would be appointing managers who are smarter (and more moral) than donkeys.

      If they can find any.

      --
      I am sure that there are many other solipsists out there.
    9. Re:Rational risk/reward calculations by Anonymous Coward · · Score: 0

      No, the better approach is carrots & sticks that reflect reality.

      As in: 'We demand a certain level of security. If we or our hacker friends (or our enemies) find something below standards, both "corporation" & "current management" are collectively responsible.' In other words, you can't cash out your stock options and leave safely. They come after you & take your mansion & yacht 20 years from now if something turns up. Charge whatever you want for a contract like that, but you'll be forced to do long-term planning.

      Found a fault? Better get the fix out *now*, while the upgrade will merely be a little dip in the profits. Can't delay and risk losing it all when they eventually discover the flaws anyway. Better do some serious testing in advance. Hire those former blackhats, see if they can find & fix anything. Big rewards for anyone finding a problem, instead of hushing it up. Any bug found is a boomerang that won't come back to bite later.

  13. security is always a balance on life & death s by Anonymous Coward · · Score: 0

    Guns & defibrillators don't have passwords for a reason: you don't want to be killed or watch someone die because ohhhh right, cyber security. I work on industrial control systems where the rule is "anyone with physical access to equipment is authorized to operate it." Admin/config/db/etc. is locked down appropriately.

    This garbage article has no real details from which to evaluate its claims. Does GAO even know how, where, or with what access controls these systems might be installed?

  14. A paperclip by Anonymous Coward · · Score: 0, Funny

    is all that it would take MacGuyver to take full control.

  15. Weapons are already not protected against insiders by Anonymous Coward · · Score: 0

    Mass hyperbole.

    "For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders"

    Oh, just like...

    -..... an ammunition depot protected against attacks from intruders, but not against an insider planting a bomb inside it

    -..... a plane protected against being shot down by missiles, but not against having its engine sabotaged on the airfield

    -..... a tank protected against electronic warfare weapons, but not against someone sitting inside the tank trying to sabotage it

    Protected against remote attackers but not against insiders is the current standard.

  16. Admiral Ackbar by Anonymous Coward · · Score: 0

    "It's a trap!"

  17. s-h-a-l-l w-e p-l-a-y a g-a-m-e by hcs_$reboot · · Score: 1

    That's the password actually.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  18. please insert two quarters...... by Anonymous Coward · · Score: 0

    Shit, not original.... NUKE BING BANG ...GAME OVER !!
    That's more like it.

  19. unit conversion help by n3r0.m4dski11z · · Score: 4, Funny

    "including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data."

    Not archaic enough. I'm gonna need that in number of baskets of scrolls please.

    --
    -
    1. Re:unit conversion help by Anonymous Coward · · Score: 0

      Paper, papyrus, or parchment?

    2. Re:unit conversion help by ImprovOmega · · Score: 2

      *deep breath in*

      So let's assume a bushel basket as that is fairly easily hand-held and a Torah scroll as a standard (still in use!) scroll. Well, in that case your bushel (2150-2219 cu. in.) can hold right at two Torah scrolls (roughly 1100 cu. in. per scroll). Now the Torah scroll contains exactly 304,805 characters. If we use a standard 7-bit ASCII character set that's ((304805 * 7) / 8)/1024 = 260.453 KB per scroll, or 520.91 KB per basket.

      Now 100GB is 104,857,600 KB so you would need 104,857,600 / (520.91) = 201,299 baskets of scroll for 100GB of data. Admittedly the 201,299th basket would only have one scroll in it, partially completed, but it would still be part of your basket count.

      TLDR: 100 gigabytes is 201,299 baskets of scrolls.

  20. Something Something by Greyfox · · Score: 2

    Something Something government contractors something something lowest bidder.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  21. Did the GAO hack into the Pentagon cloud, too? by Anonymous Coward · · Score: 0

    Amazing report. The GAO must have gained access to cloud data, although the report doesn't mention the cloud. It would be too blatant, shameful, and embarrassing to have that revealed.

  22. Re:Rational risk/reward calculations [correction] by Tablizer · · Score: 2

    Correction re: "they won't likely be in office anymore if...

    Corrected version: ...they won't likely be in office down the road. If they muck either of those up bad enough for the public to notice, it will probably be after their reign. Therefore, they give short-term handouts instead, dumping the long term problem onto the future.

  23. 142 compact discs of data by Anonymous Coward · · Score: 0

    What is that in terms of 5.25" floppies?
    That's the only archaic storage medium analogy I consider worthy of consideration

  24. Re: Gee, good thing they didn't open source any of by Anonymous Coward · · Score: 0

    Let's not forget the anti-hacking. A bullet in the head of the traitor.

    Systems in development are not complete
    Systems are in very high security locations, especially when deployed
    Systems are surrounded by many soldiers

    So let's be realistic and intelligent about this. Security is needed, is intrinsic, and focus should be concentrated on important areas. Which are mostly secret, so let's read the armchair guys chime in on Python scripts and WiFi.

  25. CDs by bagofbeans · · Score: 0

    It's because people with no conception of storage sizes obviously are completely aware that a CD holds 650/700MB.

    At least the comparo isn't 'songs'. Love me do long? Or day in the life long? 128kb/s MP3 or 44k1 s/s WAV?

  26. Not the problem by Anonymous Coward · · Score: 0

    The problem is obviously HACKERS from the CYBER SPACE. With HACKS. HACKING. I'm TELLING YOU.

  28. Target audience detected by stealth_finger · · Score: 2, Funny

    "100 gigabytes, approximately 142 compact discs, of data."

    Probably the same type of people that call the internet AOL.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
    1. Re:Target audience detected by chrish · · Score: 1

      Bah, that's not even one football field of CDs.

      --
      - chrish
    2. Re:Target audience detected by Anonymous Coward · · Score: 0

      100 gigabytes, or one BDXL disc.

      (which is still a lot of data)

  29. Auditing a mockup by Anonymous Coward · · Score: 0

    I was part of a cancelled program. AFOTEC failed it for a lack of "field maintenance ability" ... it wasn't even a fucking prototype. It was a mockup.

  30. Arcade Military by Anonymous Coward · · Score: 0

    "Another test team reported that they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating."

    Private Snafu: Sir! I need you to break a dollar so I can keep firing, sir!
    Commander: Damn.. anyone got some quarters? Someone ride on back and get us a hand full of quarters!

  31. Insiders though? by Gilgaron · · Score: 4, Insightful

    Not that they shouldn't do better, but, say, if someone can only hack a Phalanx system from inside the aircraft carrier from a secure access terminal then it is probably not going to end up exploited, since if you can get a mole in that deep they can probably do more damage throwing a wrench into the right place.

    1. Re:Insiders though? by jeff4747 · · Score: 2

      That's really the dumb part of this story. These systems are air-gapped.

      At that point, you have to decide if the air gap is enough or if you want to add more security. When making that decision, you have to consider things like "If we can't fire this when we need to because a certificate expired, we will die".

      And "an operator could sabotage this" doesn't require hacking the computer. As you say, throw a wrench in it. Or unplug it. Or fill the operator's station with bullets.

    2. Re:Insiders though? by G00F · · Score: 1

      Well, the fact that a single spy, working as a service member, could make the whole ship unusable. And without methods to detect, deter, or catch the person doing this.

      Now think of that single person, planting something that accepts remote (like via satellite phone, or even cellular if in port) can now remotely own these billion dollar weapon platforms.

      So while physical is important, that physical should be protected, not just some random terminal on the ship.

      --
      The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
    3. Re:Insiders though? by jeff4747 · · Score: 1

      Now think of that single person, planting something that accepts remote (like via satellite phone, or even cellular if in port) can now remotely own these billion dollar weapon platforms.

      Now think about how they could do this even if you apply any security measures you can come up with.

      "We kept him from hacking the phalanx system! Instead, he planted something that broke the engines, so the phalanx system is down because we have no power."

  32. 142 CD-ROMs = 65,636 1.44MB floppies! by cacheMan · · Score: 1

    More fun data conversions here: http://www.unitarium.com/data

  33. The threat is "more than real" by ScentCone · · Score: 1

    I wonder what "more than real" means. Is it surreal? Is it hyper-real? Wait, this is 2018. The only thing that can be more than something is when it's Literally Real. Like, "that hack is literally better than my soy chai latte." The data was so much more than real that it was as much data as 10 real Libraries of Congress.

    --
    Don't disappoint your bird dog. Go to the range.
  34. Re: Gee, good thing they didn't open source any of by Sarten-X · · Score: 4, Interesting

    No, no, fuck you, and no.

    This is a horribly bad approach to security. You're making assumptions about the external environment, and using them to excuse system vulnerabilities. That's not realistic or intelligent. It's just lazy.

    Let's not forget the anti-hacking. A bullet in the head of the traitor.

    That's assuming you can find a traitor. If the system logs aren't secure, or if their integrity is questionable, or if they don't uniquely identify an individual, you have no hope of identifying exactly who attacked the system.

    Systems in development are not complete

    So? Security isn't something to be bolted-on late in the development process. Systems should be secured first, then the functionality is applied on top of that. If that means you have to use more-costly (but more secure) solutions in your design, so be it. When functionality comes before security, management is far too justified in saying "but we've spent too much already developing this insecure system!" and refuse to reimplement it securely.

    For a related example in the public sector, we're almost done implementing HTTPS, after only 10 years or so...

    Systems are in very high security locations, especially when deployed

    At first, maybe... then a truck gets ambushed, or a base is overrun, or we get an impulsive politician who promises an arbitrary date to get out of an unpopular conflict area. Then those systems fall into enemy hands, and you just have to hope that it's a useless pile of hardware by then.

    Systems are surrounded by many soldiers

    Soldiers are underpaid, overworked, and usually focused on things other than countering highly-technical intelligence techniques. If an attacker walks onto a base, steals classified data (or even whole systems), and tries to leave, they'll be saluted at the gate as long as their paperwork looks right.

    There is no valid excuse for leaving a system insecure by design. Every layer of the system should be built securely, with the functionality added afterward.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  35. Most of the Responsibility Falls on the Pentagon by Koreantoast · · Score: 2

    Most of the responsibility of this falls on the Pentagon. The government insists on tightly controlling all the requirements, and so in an environment where cost is king, if the customer doesn't properly write in cyber as a requirement, there isn't any incentive by the contractors to go beyond what is written. That is what the GAO report is primarily criticizing: that the DoD did not take cyber seriously until recently and that they are still trying to figure out how to architect a secure environment and write requirements for it. So even if a contractor says, "Hey, government Contracting Officer, you should tighten security around this system," the government Contracting Officer, if they understand even what's going on, will probably say, "I dunno, does that change the requirements? We're not going to pay you for it."

  36. Duh! Say all of us that work in the field by Anonymous Coward · · Score: 0

    Anonymous and Tor for obvious reasons.

    Here is a quick thumbnail of the environment we who do this kind of cyber security work live with:

    Point out probable issues during early development and get told, "We don't believe that, you can't prove that, we'll fix it if it actually happens."

    Prove the problems after the system is built and get told, "We've already spent millions of dollars, it's too late now!"

    Mix in being forced to restrict testing to a subset that's nothing more than a rubber stamp.

    Continuously being told we're: not team players, hard to get along with, trouble makers, need to go along to get along.

    We have our jobs threatened and are transferred away or fired if our revelations are large enough to embarrass the powers that be.

  37. Re:Most of the Responsibility Falls on the Pentago by jeff4747 · · Score: 1

    if the customer doesn't properly write in cyber as a requirement

    There's a more important question: Is it proper?

    Computerized gun turret. It is only connected to a network that goes to a small number of secure terminals, which are not connected to any other network.

    Why do you need to encrypt that link? If you control physical access via people with guns, why do you need secure logins?

    "We made this guy change his 16-character password every 2 months and he forgot it while getting shot at. Now he's locked out of the terminal due to three failed login attempts. The local sysadmin is dead, so he can't unlock it. It would be nice to return fire, but we gotta have network security on this air-gapped network!"

    Military requirements are not the same as civilian requirements. There's a reason tanks do not have ignition keys like cars do.

  38. they are secure by iggymanz · · Score: 1

    So only those with physical access can hack them; a remote user can't. Nothing is secure from someone with physical access. Someone with physical access could pour a gallon of Loctite into the mechanism of a weapon too.

    non-news

  39. Re: Gee, good thing they didn't open source any of by Anonymous Coward · · Score: 0

    Let's not forget the anti-hacking. A bullet in the head of the traitor.

    So you kill some traitors then. Won't prevent the betrayal. Some are more loyal to another country - who is paying enough that "it is worth the risk". Some really believe in the other country's ideology or religion. They either succeed in betraying you, or become martyrs while trying. Becoming a martyr is not a problem for some. Your bullet simply doesn't scare them.

    During WWII, the losers learned the hard way the cost of insecure communications. They were so sure their Enigma & Purple machines could not be hacked. So sure - until they were defeated and learned that every order & every report had been read by their enemy - and used for what it was worth. Took an estimated 2 years off the war effort, to know the position of every U-boat & the contents of every order from HQ. The fights get easier when you know their plans in advance. Getting remote control of enemy weapons is even better. Failing that, knowing how to jam comms so those screens only show garbage.

  40. Re:Weapons are already not protected against insid by Anonymous Coward · · Score: 0

    Protected against remote attackers but not against insiders is the current standard.

    In battle, the two sides overrun each other's positions. Sometimes, weapons get captured & recaptured. Losing one piece of artillery is bad, but not the end of anything.

    It is different with computer-controlled stuff like automated artillery or drones. If one guy getting too close can turn such weapons around - or control them via network intrusion - then you have worse problems. Suddenly, your base or carrier is bombed by your own drones. Or all the artillery fires - on your own positions. Not one big gun, but all of them. Or your soldiers retreat from hard-won positions, because they got such an order on their battle-hardened iPads. Because one guy got too close with hacking equipment somewhere. They can convince people to go on suicide missions, for spectacular results like that. Or perhaps they don't even need a suicide mission, if all they need is to hack into comms somewhere.

  41. Re: Gee, good thing they didn't open source any of by G00F · · Score: 2

    If an attacker walks onto a base, steals classified data (or even whole systems), and tries to leave, they'll be saluted at the gate as long as their paperwork looks right.

    This! Even moderately physically secure systems need to be secured. Everyone assumes everyone else is doing what they are supposed to, and questions only when they are supposed to, and wouldn't know otherwise.

    --
    The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
  42. Re: Gee, good thing they didn't open source any of by arglebargle_xiv · · Score: 2

    Friend of mine was part of a team that did a security assessment on an automatic 5in gun used for naval purposes. It was pretty much a tour de force of how not to do it, everything connected and enabled by default, little to no security/encryption, ancient insecure libraries, terrible coding practices, you name it, it was there. Apart from the direct security implications that anyone who gets access to the ship network, e.g. while berthed, has full control of an automatic 5in gun turret, it said really bad things about the rest of the software controlling the thing. They were limited in scope with what they were allowed to do, but said it responded in very unexpected ways to garbled control messages sent to it. In other words just normal, non-malicious operation in the presence of errors would cause it to do God knows what. Their recommendation was to disable as much computer-controlled automation on it as possible and run things under human control.

  43. Imagine the fusion by Anonymous Coward · · Score: 0

    Between a competent IA and this. Every time I hear or read an article about how secure IA is and how a terminator-like scenario is never going to happen, I always wonder if the people in IA know something about the (lacking) security in HIGH VALUE installations.