
DARPA Seeks Input On Securing Networks Against Attackers

Unknown Lamer posted more than 2 years ago | from the license-required-to-surf dept.

Government 119

hessian writes with an article in Wired about the problems facing the U.S. Government's networks in an increasingly hostile world. From the article: "The Pentagon's far-out research agency and its brand new military command for cyberspace have a confession to make. They don't really know how to keep U.S. military networks secure. And they want to know: Could you help them out? DARPA convened a 'cyber colloquium' at a swank northern Virginia hotel on Monday for what it called a 'frank discussion' about the persistent vulnerabilities within the Defense Department's data networks. The Pentagon can't defend those networks on its own, the agency admitted."


119 comments


If the US can't (0)

Anonymous Coward | more than 2 years ago | (#37983938)

Then who can?

Re:If the US can't (1)

Chrisq (894406) | more than 2 years ago | (#37984026)

Then who can?

Super Man?

Re:If the US can't (2)

Mr. Freeman (933986) | more than 2 years ago | (#37984246)

The candy man can

Re:If the US can't (1)

piripiri (1476949) | more than 2 years ago | (#37984294)

Another country?

Re:If the US can't (0)

Anonymous Coward | more than 2 years ago | (#37985724)

Another country?

Nope. Countries are lines on a map. It'll have to be a person. Or an advanced Artificial Intelligence. Or God. But not a Country.

Re:If the US can't (1)

alexborges (313924) | more than 2 years ago | (#37985850)

4chan!

They ANYPA

Go basic (0)

L4t3r4lu5 (1216702) | more than 2 years ago | (#37983946)

Air gap and superglue in the USB ports.
Oh, you want really secure? Turn it off and never use it.

Re:Go basic (1)

sgt scrub (869860) | more than 2 years ago | (#37984132)

Oh, you want really secure? Turn it off and never use it.

No doubt!

Gooberment: "Please secure my network from any possible attack."

l4t3r4lu5: Yoink. bzzzzzzrrrrr. "There you go!"

Re:Go basic (1)

Mr. Freeman (933986) | more than 2 years ago | (#37984278)

TYPEWRITERS! TYPEWRITERS FOR EVERYONE!

Filter error: Don't use so many caps. It's like YELLING.

Re:Go basic (0)

Anonymous Coward | more than 2 years ago | (#37984710)

Just so you know (because of your sig), the downmod was neither for disagreement nor because you were trolling. It's because you ignored the filter's warning -- don't yell please.

Re:Go basic (0)

Anonymous Coward | more than 2 years ago | (#37985428)

One presenter at the DARPA Colloquium showed a hacked typewriter. Sorry, even a typewriter isn't safe!

Re:Go basic (1)

Joshua Fan (1733100) | more than 2 years ago | (#37985914)

That solution has always befuddled me. Why bother physically securing hardwired, functioning USB ports when you can

1. Remove the USB ports or
2. Disable the USB ports in Group Policy.

The simplest way to prevent burglars from coming in your windows is to not have windows. Though you may like your windows, USB ports are not a necessity.

Re:Go basic (0)

Anonymous Coward | more than 2 years ago | (#37986166)

Heh...

1. You can remove them in the front pretty easily; back ones, though, require desoldering. Easier to get a custom mobo without USB (expensive), or epoxying shut.
2. Presumes Windows and presumes that you can't circumvent it; BIOS, etc. will BOOT USB in many cases, which Group Policy can't prevent.

You're not thinking security the moment you suggested either of the two items...seriously.

Re:Go basic (1)

Greystripe (1985692) | more than 2 years ago | (#37986292)

Actually, if you wanted real USB security you'd open the system, pull the wires off the headers, then epoxy/clip the header so no one could open the system and add a stealth USB port to the header. Keep in mind there are anywhere from 1-6 sets of headers on the motherboard, and a few minutes of work would allow someone to attach USB devices whenever they wanted.

Re:Go basic (0)

Anonymous Coward | more than 2 years ago | (#37988160)

Often the actual ports are on the outside of the box and the wires aren't connected. You superglue the ports shut so that someone won't crack the case and attach the ports.

Re:Go basic (1)

tlhIngan (30335) | more than 2 years ago | (#37986218)

Air gap and superglue in the USB ports.
 

Then you run into problems with data that needs updating, like, say, a map. Putting it on CD/DVD only works until malware realizes it needs to embed itself on said media, and once it has, there's nothing to prevent another Stuxnet-like attack.

If data needs to flow somehow between airgapped networks, you're screwed. Doesn't matter if you use a data diode, physical separation, etc. As long as there is some way that data needs to go from an insecure network or insecure PC to a secure one, it's a vulnerability vector. Stuxnet has proved it's possible.

Oh, and patches count too - regardless of what needs patching. Unless the patches originate as developed on the secure network, it's a mechanism for insecure systems to pass data to secure networks. Even if you go so far as to enforce that the source code be displayed on the insecure PC, and typed in manually on the secure PC - the typists may get complacent and type in the malware as well.

And there's a LOT of data that often has to be passed into a secure network - Intel (photos - where did the digital camera's memory card get plugged into?, maps - like the UAV fleet got infected, etc), reports, etc.

Re:Go basic (0)

Anonymous Coward | more than 2 years ago | (#37988926)

We are 240 guys with $3.2B budget asking for help with anything?

OpenBSD. (0)

Anonymous Coward | more than 2 years ago | (#37983948)

OpenBSD.

Re:OpenBSD. (0)

Anonymous Coward | more than 2 years ago | (#37984196)

They looked into that, but they got the following response: "You morons. Don't contact me again. Ever."

Re:OpenBSD. (0)

Anonymous Coward | more than 2 years ago | (#37986026)

They'd better port the Windows pasians to the system or they'll never get the critical mass. How else could the military keep their brains awake during the long hours, other than some random adrenaline shots from mishandling secret information, playing "catch the spy" in the building or pretending the wardrobe of the staff is not in order and requires an immediate outdoor inventory check?

Wrong audience (4, Insightful)

EdZ (755139) | more than 2 years ago | (#37983970)

Darpa convened a “cyber colloquium” at a swank northern Virginia hotel on Monday for what it called a “frank discussion” about the persistent vulnerabilities within the Defense Department’s data networks.

Well there's your problem! The ones at the forefront of breaking-into-electronic-systems-in-interesting-ways aren't the usual crowd the DoD are used to wooing (heads of industry, academic engineers, the conference-at-swanky-hotel crowd) but people working out of their basements fiddling with things for the fun of it.

If they want a real assessment, offer a honeypot network with some stand-in data, and set a prize for whoever can get it and tell them how.

Re:Wrong audience (0)

Anonymous Coward | more than 2 years ago | (#37984562)

I don't want to rain on anyone's late-90's idea of who our most capable "hackers" are, but I sincerely doubt Chinese intelligence will participate... even for a cash prize.

Re:Wrong audience (1)

FriendlyLurker (50431) | more than 2 years ago | (#37984754)

"They don't really know how to keep U.S. military networks secure." Translation: "Hands up if you want to go on our security risk Suspects List". Could you help us out?

Re:Wrong audience (1)

Stubot (2439922) | more than 2 years ago | (#37986012)

This was my first thought as well..

Re:Wrong audience (1)

Ihmhi (1206036) | more than 2 years ago | (#37984604)

We used to use tiger teams - hell, maybe we still do. A group of professionals that would try to break into government facilities or steal data. I think the best way to secure the systems would be to have the best people we can spare try to break into them and then recommend how we can make it harder for them.

Re:Wrong audience (1)

SomePgmr (2021234) | more than 2 years ago | (#37984802)

I imagine NSA's red team, or "Vulnerability Analysis and Operations Group", is still around.

Extraordinarily capable, loyal, well-trained professionals that act as hostile foreign agents to expose security gaps in government systems.

Re:Wrong audience (1)

t0rkm3 (666910) | more than 2 years ago | (#37985292)

The Army still employs the Red Team, Blue Team model as well. There is a Warrant Officer billet for it. The few that I have met weren't terribly competent though. They were the ones who were persistent enough to hang around and get into the "cool" program. (Although my sample size is slightly more than a handful of reservists.)

Re:Wrong audience (1)

timeOday (582209) | more than 2 years ago | (#37985866)

If they want a real assessment, offer a honeypot network with some stand-in data, and set a prize for whoever can get it and tell them how.

No, that's exactly what everybody's doing now - an endless game of find-and-patch whack-a-mole. That's not DARPA, it's Norton anti-virus.

What they want is to go back to first principles for a fresh start, to preclude as many attacks as possible from arising in the first place. How possible that is, nobody really knows. I'm afraid it will be determined that there's a sort of negative application of Turing completeness that means any computer capable of doing much of anything can do everything, including bad things. Security can't be entirely engineered in because the goals are fundamentally subjective - keep the "bad guys" out without denying access to the "good guys." No formal system will completely match our varying intuitions on who is good or bad and what exactly is a breach etc.

Re:Wrong audience (1)

HiThere (15173) | more than 2 years ago | (#37989294)

OK. Write your own operating system from scratch. You can use Linux or BSD as a model, but change all the system calls, factor things differently, and use a language that will prohibit wild pointers. There's a dialect of D (Digital Mars D) that would work. There's also supposed to be a dialect of Ada, but I don't know enough about it to be sure. DON'T use C or C++, as you can't secure array boundaries.

Then write your own network protocol. You can use IP as a guide, but change everything. I'm not just talking cryptogram here, refactor the protocols. And build in positive identification from the start. (Presume that Quantum Computers will be successful, and that you can't depend on prime factorization to keep your data safe, so you need a handshake that can't be broken that way.)

Yes, this would be a lot of work. Yes, you would never be able to make this public, so you'd need to maintain the whole system. And it would be just as well if the communications could masquerade as https sessions, but they better not BE https sessions.

Don't expect to keep this secret. So plan things so that they will work even if your opponent knows the entire system. But try. And really try to keep the details of the protocols secret. (This means that if someone attempts to break in over the internet, you lead them to a fake site. A kind of honeypot that they can't tell isn't the site they were trying to reach. And require enough id information for them accessing that site that you can tell where the vulnerability is that let them get that far, so that you'll be able to fix that.)

For that matter, use custom connectors for storage devices, so that only specially modified devices can be plugged in. USB keys have slightly different voltages supplied in slightly different locations on the plug. The part that's insulating and the part that's conducting aren't in the same places. Disk drives write oddly sized blocks in an unusual order. Etc. None of this can't be circumvented, of course, but when they get the file blocks in the "right order" the data itself wasn't written as expected. Different error correction coding, etc.

N.B.: Much of this is just an enhancement of things that were done in the 1960's. They stopped doing them for reasons of cost. But a secure network isn't going to be cheap. If you build a cheap network, it won't be secure. If you build a secure network, it won't be cheap. And if you want a REALLY secure network, it will be REALLY expensive.

Parallel infrastructure (0)

Anonymous Coward | more than 2 years ago | (#37983976)

end-to-end that shit. Things will be a little trickier to figure out in war-zones, but there is no need to have someone in the Pentagon routing out through an exposed network to exchange data with Ft. Meade or Langley.

Re:Parallel infrastructure (1)

LordLimecat (1103839) | more than 2 years ago | (#37984744)

That's what VPNs and ACLs are for. You don't think you could securely configure VPNs and ACLs for less than it would cost for a parallel infrastructure? What happens when someone bridges a wifi device onto your network?

Re:Parallel infrastructure (0)

Anonymous Coward | more than 2 years ago | (#37985530)

You're absolutely right - the cost of a parallel network would be prohibitively high. The problem with a VPN is that you still have a forward-facing service. Just sitting there, waiting for incoming connections. Not all of those connections will be legitimate.

There are two things that the DOD and other government agencies do (or at least appear to do) extremely well:

  • spend money (which should lay the cables)
  • physical security (which should mitigate the risk of a wifi device making its way to an area of effectiveness)

An end-to-end network (though incredibly expensive) would cut down the pool of risky attacks to those within a physical radius.

However, there just isn't a very practical way to lay cable from branch offices in Hawaii to D.C. But if the central offices are hard-wired end-to-end and are able to segregate and manage their data, they could at least make tiered cost-risk decisions. And maybe that's part of the answer. It's been said that when you classify everything, nothing is classified. Likewise, maybe it's time to stop treating all data as super-max-secure. People need to stop treating undercover agent lists with the same level of respect that they give to the office NCAA pool.

Re:Parallel infrastructure (1)

LordLimecat (1103839) | more than 2 years ago | (#37985622)

Not all of those connections will be legitimate

Which is why we have things like PKI infrastructures, pre-shared keys, and RSA tokens. At least there you know what the threat is, and can fortify around it.

I'm not sure I've ever heard of a scenario where someone broke into a secure network by bruteforcing both the PKS and the secondary form of authentication; invariably, breaches are because someone made a stupid mistake like getting a virus, or by letting someone walk out with un-secured media, or connecting a wifi device to the secured network.

And with your parallel infrastructure, the problem is that (unless you have other control mechanisms in place) a single wifi device on the network compromises the security of the whole segment.

I wonder what this says about (1)

Chrisq (894406) | more than 2 years ago | (#37983990)

I wonder what this says about their own confidence in SELinux [wikipedia.org].

Re:I wonder what this says about (0)

Anonymous Coward | more than 2 years ago | (#37984048)

SELinux doesn't run on windows....

The real problem is that there is no such thing as "network security".

There is only "host security". No matter how wires are run, they only connect hosts - whether those hosts are routers (a host that handles messages transfer) or a computation server, or a user workstation.

Use insecure hosts, you have an insecure network.

Placing the focus on "networks" causes people to not look at the real problem - the HOSTS in the network.

Re:I wonder what this says about (1)

bhmcintosh (19563) | more than 2 years ago | (#37984564)

I love those faculty and sysadmin types here who expect us to write these hideously involuted Access Control Lists on our routers to make up for their steadfast desire to avoid actually administering their systems. (*eyeroll*)

Re:I wonder what this says about (1)

ka9dgx (72702) | more than 2 years ago | (#37989162)

You're correct... and nobody thinks that hosts can be secure, because our current conception of security is that it makes something unusable. It doesn't have to be that way, and I've pointed that out many times, but preaching about capability based security to this choir just doesn't work.

Re:I wonder what this says about (1)

moderatorrater (1095745) | more than 2 years ago | (#37984090)

Nothing really. SELinux helps you implement least privilege [wikipedia.org], but that's about it. There are many, many more aspects to securing a network and what's on it than just least privilege.

Re:I wonder what this says about (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37984144)

Probably not too much, in an architectural sense. Probably a lot, but not a terribly surprising lot, in an institutional sense.

Building impressively secure systems(while by no means easy, it is serious software engineering and/or comp sci) is something that people can do and have done.
Building impressively secure systems that aren't wildly expensive and wholly incompatible with the shoddy-but-feature-rich crap that people like to buy is substantially harder.
Building impressively secure systems that aren't wildly expensive, or wholly incompatible, and provide security by association to said shoddy-but-feature-rich crap is Just Plain Hard.

I suspect that their problem is less that there is something fundamentally broken with SELinux and more that they have no realistic chance of being able to say "SHUT DOWN EVERYTHING!"(on both their own networks and those of contractors who might as well be an extension of them, in terms of sensitivity) and give BOFH Hardass the opportunity to run roughshod over every consideration that isn't security to his heart's content for a few years and make the users live with the results...

Re:I wonder what this says about (1)

Danathar (267989) | more than 2 years ago | (#37984444)

Nothing since SELinux is not about securing networks.

Re:I wonder what this says about (2)

morgauxo (974071) | more than 2 years ago | (#37985702)

If you walk into any given government office what do you expect to see on their monitors? I don't think it's Linux. That's one of the things they need to fix. Dump Windows. Yah, just blaming everything on Windows would be a troll, there is certainly more to security than that. Any OS and the applications must be configured correctly, the network itself must be secured, all that is true. Still, there is little good to be said about Windows security. Having it on the networks automatically makes the network less secure. Ban it AND secure the OSs and network which remains.

Yes, We Can! (0)

Anonymous Coward | more than 2 years ago | (#37984070)

* Create cs-class.org (cybersecurity) ala Stanford's ai-class.org
* Make most government IT professionals take it
* Create Khanacademystyle security Videos for non-IT Staff
* Recruit some government employees to do fake intrusion simulation: Create fake USB Devices that will not compromise the computers, but will issue a warning/prank to the users so that people know why they failed.

Easy (-1)

Anonymous Coward | more than 2 years ago | (#37984076)

Call and ask the IT people in India, you're stupid assholes and eat shit.

Secure systems (5, Interesting)

Tomato42 (2416694) | more than 2 years ago | (#37984140)

Start using systems that were designed to be secure in the first place. Stuff that works on a "deny by default" basis, that refuses to process any data it doesn't understand, uses OCSP as a white list on the CA side, defence in depth: use strict validation of input on multiple levels (when making a web app: using a default-deny application firewall, then strict validation in form processing and finally use a modular application design that validates data received from other modules) and so on.

This will require throwing away most, if not all, software in use. Including OSs, probably even Linux as I'm not sure if SELinux (or other such systems) goes deep enough on the kernel side. Then making new software from scratch with the primary design objective to be secure. As no politician or PHB can justify spending this amount of money on such a nebulous concept as security, the whole idea will fail. Because this won't eliminate, just reduce, the number of security related bugs, won't help the cause.

We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and just then how to program.
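As an added example (not code from the thread or from any project mentioned in it) of the layered deny-by-default validation Tomato42 describes: a request first passes an allowlist "firewall" that admits only known fields, then strict per-field syntax checks in form processing, and finally a storage module that re-validates what it is handed instead of trusting the layer above. The field names, limits and in-memory database are hypothetical.

```python
"""Deny-by-default, layered validation of a recruit-entry form.

Added example; every layer rejects anything it does not explicitly
understand, and nothing is "cleaned up" and passed on. Field names,
limits and the in-memory "database" are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Optional


class Rejected(ValueError):
    """Raised by any layer that refuses its input."""


# ---- Layer 1: application-firewall style allowlist of the request shape ----
ALLOWED_FIELDS = frozenset({"username", "age", "email"})
MAX_FIELD_LEN = 254


def firewall(request: dict) -> dict:
    """Admit only requests with exactly the known fields, all short strings."""
    if not isinstance(request, dict):
        raise Rejected("request is not a mapping")
    keys = set(request)
    if keys != ALLOWED_FIELDS:  # unknown or missing keys: reject, never guess
        raise Rejected(f"fields differ from allowlist: {sorted(keys ^ ALLOWED_FIELDS)}")
    for name, value in request.items():
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
            raise Rejected(f"field {name!r} is not a short string")
    return request


# ---- Layer 2: form processing with strict per-field syntax ----
# fullmatch() covers the whole value; a trailing "$" would still accept "alice\n".
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
AGE_RE = re.compile(r"[1-9][0-9]{0,2}")
EMAIL_RE = re.compile(r"[a-z0-9._%+-]{1,64}@[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


@dataclass(frozen=True)
class Recruit:
    username: str
    age: int
    email: str


def process_form(fields: dict) -> Recruit:
    """Turn validated strings into a typed record; anything off-pattern is refused."""
    username, age, email = fields["username"], fields["age"], fields["email"]
    if not USERNAME_RE.fullmatch(username):
        raise Rejected("username does not match allowed pattern")
    if not AGE_RE.fullmatch(age) or not 18 <= int(age) <= 119:
        raise Rejected("age out of range or malformed")
    if not EMAIL_RE.fullmatch(email):
        raise Rejected("email does not match allowed pattern")
    return Recruit(username, int(age), email)


# ---- Layer 3: the storage module re-validates what it is handed ----
def store_recruit(recruit: Recruit, db: dict) -> Recruit:
    """Does not trust the caller: re-checks type, ranges and uniqueness."""
    if not isinstance(recruit, Recruit):
        raise Rejected("not a Recruit record")
    if not USERNAME_RE.fullmatch(recruit.username) or not 18 <= recruit.age <= 119:
        raise Rejected("record fails module-level checks")
    if recruit.username in db:
        raise Rejected("duplicate username")
    db[recruit.username] = recruit
    return recruit


def handle(request: dict, db: dict) -> Recruit:
    """Full pipeline: firewall -> form processing -> storage."""
    return store_recruit(process_form(firewall(request)), db)


def is_rejected(request: dict, db: Optional[dict] = None) -> bool:
    """True when some layer refuses the request (used for checking below)."""
    try:
        handle(request, {} if db is None else db)
        return False
    except Rejected:
        return True


if __name__ == "__main__":
    db = {}
    print(handle({"username": "alice", "age": "34", "email": "alice@example.org"}, db))
    # An unexpected field is refused at layer 1, a newline in the name at layer 2,
    # and calling the storage module directly with bad data is refused at layer 3.
    print(is_rejected({"username": "alice", "age": "34", "email": "a@example.org", "is_admin": "1"}))
    print(is_rejected({"username": "alice\n", "age": "34", "email": "alice@example.org"}))
```

The point of the third layer is that `store_recruit` would still refuse a `Recruit("bob", 5, ...)` built by some other caller that skipped the form code; each module's checks are cheap compared with finding out which caller forgot them.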

Re:Secure systems (1)

canipeal (1063334) | more than 2 years ago | (#37984232)

I wish I had some mod points to mod parent up. I would also suggest they remove the bureaucracy involved in the C&A and pen testing phases. Anyone who's ever been a part of the process can clearly see what little value is added against APT.

Re:Secure systems (1)

Tomato42 (2416694) | more than 2 years ago | (#37984838)

Well, if running a pentest is only the first step in evaluating the security of the system (after all, it verifies if it's secure against the most common attacks) and you throw it away as soon as it fails, I'd say it adds large value.

I completely agree, test and patch doesn't work, if it did sendmail and IE would be the most secure software packages in existence.

Re:Secure systems (0)

Anonymous Coward | more than 2 years ago | (#37988722)

I agree. However, the words missing from the list of answers for Question 2 in the article include "Training for Developers", "Training for Security", "Security Development Lifecycle", etc.

The vector that Manning used could have been prevented by a couple of checkboxes in InfoPath at design-time. It disgusts me that these Defense Contractors get paid *Billions* and don't even do basic best practices for development/security.

Answer from Developer that didn't know InfoPath could be locked down better: "Where did you find that?"
Someone: "VS 2008, 'Form Options' when designing InfoPath form in VS"
Some Big Defense Contractor Employee (JAVA Developer): "It doesn't matter, these forms are deployed to SIPRnet. It's not our problem. Someone else should have caught it and they approved it for deployment"
Someone: "1) "They" don't know anything about the code behind these forms, hell you don't! 2) You're saying it is not our problem to provide basic security for the forms/reports we develop? InfoPath saves the form data as an un-encrypted plain text xml file. And encrypting xml elements is not the answer. Here's a solution: [not disclosed]"
Results: Ignored.
Recommendations presented: Ignored.
Sub-contractor (Someone) paid and released: Check.

Re:Secure systems (0)

Anonymous Coward | more than 2 years ago | (#37985518)

Yup, the best way to secure our systems is to introduce a shitton of brand new untested code, especially in the Linux kernel.

Please don't fucking go at that rendezvous.

Re:Secure systems does include SE Linux (1)

davecb (6526) | more than 2 years ago | (#37985780)

It's B1 in the old (stringent) rating scheme, and can be configured to provide a lot of protection against theft of data, via
- mandatory access controls (not changeable by the process or user)
- secure path (knowing it's really you at the keyboard)
- covert channel analysis (genuinely hard, this is often "ongoing")
- audit (which eventually runs you out of disk (;-))

There is some protection against attack, but more or less as a side-effect of protecting against spies leaving with data.

--dave

Re:Secure systems does include SE Linux (1)

Tomato42 (2416694) | more than 2 years ago | (#37987602)

AFAIK SELinux can protect you from attack only from user-space. It won't help against an attack on the kernel itself (which is important if we want secure networks). But then I'm not sure if any system in a monolithic kernel would be able to do this. On the other hand, monolithic kernels are the only OS kernels that actually work outside academics. This would suggest that the highest security rating a general purpose OS can have is B1...

Re:Secure systems (1)

morgauxo (974071) | more than 2 years ago | (#37985816)

My prediction... any OS or other software written by security experts with security as its number 1 goal would be worthless. It probably wouldn't allow real people in real situations to get any work done, or if it did it would require them to go through convoluted, productivity-limiting steps to do so. I suspect any computer running such an OS would be about as useful as a pet rock.

What is needed is more well-rounded professionals that understand both security and users' needs. I don't think our current system of universities where higher degrees = higher specialization or the average corporate culture where higher specialization = higher pay are ever likely to produce such individuals. Instead what we will have is government organizations and companies running insecure in order to get work done until things reach a breaking point. Then they bring in the BOFH. Then they remember why they cut all the security corners in the first place when they can no longer be productive, bringing the cycle full circle.

Re:Secure systems (0)

Anonymous Coward | more than 2 years ago | (#37986610)

Well, we already know that a system written by security experts would only allow numeric input or, if we're lucky, lower ASCII characters. I have never seen an example program that actually demonstrated taking in real Unicode input. Why? How do you sanitize that? A whitelist would take you decades and you need people that know the languages. A blacklist isn't inherently secure.

Re:Secure systems (1)

Tomato42 (2416694) | more than 2 years ago | (#37987970)

Control characters are limited to the first 127 ASCII characters in UTF-8. Any of those characters encoded as a multi-byte character, which is possible, is not valid UTF-8. You may not know how to render all characters, but you definitely can sanitize UTF-8 input: the list of all characters that can be rendered by a given font is finite.
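As an added example (not code from the thread), the point above in working form: a strict UTF-8 decoder that rejects overlong sequences (so a control character can never arrive disguised as a multi-byte encoding), surrogates and out-of-range code points, followed by a check that refuses control characters outright. It goes a little beyond the comment by also refusing Unicode format characters such as bidirectional overrides; that is a design choice of this example, not a claim the comment makes. All sample inputs are constructed.

```python
"""Strict UTF-8 validation (added example, not from the thread).

decode_strict() implements the RFC 3629 byte patterns by hand so the
rejection rules are visible; validate_text() then refuses control and
format characters in the decoded text. Sample inputs are constructed.
"""
import unicodedata


class InvalidUTF8(ValueError):
    pass


class DisallowedCharacter(ValueError):
    pass


def decode_strict(data: bytes) -> str:
    """Decode UTF-8, rejecting overlong forms, surrogates, > U+10FFFF and truncation."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                       # 1 byte: U+0000..U+007F
            cp, need, lowest = b0, 0, 0
        elif 0xC2 <= b0 <= 0xDF:            # 2 bytes: U+0080..U+07FF (C0/C1 are always overlong)
            cp, need, lowest = b0 & 0x1F, 1, 0x80
        elif 0xE0 <= b0 <= 0xEF:            # 3 bytes: U+0800..U+FFFF
            cp, need, lowest = b0 & 0x0F, 2, 0x800
        elif 0xF0 <= b0 <= 0xF4:            # 4 bytes: U+10000..U+10FFFF
            cp, need, lowest = b0 & 0x07, 3, 0x10000
        else:
            raise InvalidUTF8(f"invalid lead byte 0x{b0:02x} at offset {i}")
        if i + need >= n:
            raise InvalidUTF8(f"truncated sequence at offset {i}")
        for j in range(1, need + 1):
            b = data[i + j]
            if b & 0xC0 != 0x80:
                raise InvalidUTF8(f"bad continuation byte 0x{b:02x} at offset {i + j}")
            cp = (cp << 6) | (b & 0x3F)
        if cp < lowest:
            # e.g. E0 80 8A is an overlong encoding of U+000A (line feed)
            raise InvalidUTF8(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF:
            raise InvalidUTF8(f"UTF-16 surrogate U+{cp:04X} at offset {i}")
        if cp > 0x10FFFF:
            raise InvalidUTF8(f"code point beyond U+10FFFF at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


# C0 controls, DEL and C1 controls. Decoding already guarantees these can
# only appear as their shortest (1- or 2-byte) form, so one set check suffices.
CONTROL_CODEPOINTS = frozenset(range(0x00, 0x20)) | {0x7F} | frozenset(range(0x80, 0xA0))
# Unicode general categories refused here: format (e.g. bidi overrides),
# private use, unassigned. A stricter policy than the comment asks for.
REFUSED_CATEGORIES = frozenset({"Cf", "Co", "Cn"})


def validate_text(data: bytes, allow_newline: bool = False) -> str:
    """Decode strictly, then refuse control/format characters; return clean text."""
    text = decode_strict(data)
    for pos, ch in enumerate(text):
        cp = ord(ch)
        if cp in CONTROL_CODEPOINTS and not (allow_newline and ch == "\n"):
            raise DisallowedCharacter(f"control character U+{cp:04X} at index {pos}")
        if unicodedata.category(ch) in REFUSED_CATEGORIES:
            raise DisallowedCharacter(f"refused character U+{cp:04X} at index {pos}")
    return text


def is_valid_utf8(data: bytes) -> bool:
    try:
        decode_strict(data)
        return True
    except InvalidUTF8:
        return False


def is_clean_text(data: bytes, allow_newline: bool = False) -> bool:
    try:
        validate_text(data, allow_newline)
        return True
    except (InvalidUTF8, DisallowedCharacter):
        return False


if __name__ == "__main__":
    print(validate_text("José 日本".encode("utf-8")))
    print(is_valid_utf8(b"\xc0\x80"))        # overlong NUL
    print(is_valid_utf8(b"\xe0\x80\x8a"))    # overlong line feed
    print(is_clean_text(b"abc\xe2\x80\xae"))  # U+202E right-to-left override
```

Python's built-in `bytes.decode("utf-8")` already applies the same overlong, surrogate and range rules, so in production the hand-written decoder can be replaced by the codec and only the character-policy pass kept. Refusing all `Cf` characters is deliberately strict: scripts that rely on zero-width joiners would need a per-field exception, which is exactly the kind of finite, explicit allowlist the comment argues for.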

Re:Secure systems (1)

Tomato42 (2416694) | more than 2 years ago | (#37987866)

Secure systems aren't useless, they are highly inflexible.

If you have a workstation commissioned to run 2 or 3 very specific jobs (entering recruits' data, administering a SCADA system, piloting UAVs, etc.) it can be relatively easily secured even now. Unless it has to have access to the web (with its Flash, HTML5, Java and ActiveX), it's impossible to secure if you don't use a purpose-built browser (that disables most of the functionality). Of course, in any scenario, a user must not be able to install new software or use flash drives not encrypted with the company's crypto keys.

That would make any open computing system (working like Windows with its "download it yourself" installers) completely unusable for general user. At the same time, I could see a general purpose Linux distribution be actually usable. Installing 3rd party software on it would be hell though... Unfortunately that's the price we have to pay for really good security.

Re:Secure systems (0)

Anonymous Coward | more than 2 years ago | (#37986872)

This will require throwing away most, if not all, software in use. Including OSs, probably even Linux as I'm not sure if SELinux (or other such systems) go deep enough on the kernel side. Then making new software from scratch with primary design objective to be secure

Complexity is the enemy of security. Occam's Razor applied to software sounds mighty good, at least until the users realize that they no longer have the Windows pasians to use taxpayer money on. In other words, secure systems have to be fun to use as well. Look for those Inner Child Tested or Designed For The Inner Child logos. People spill their guts when they are bored, frustrated or in a morally uncomfortable position even if those guts would be classified. Back orifice systems need behavior and data access pattern recognition, with input from the physical security systems.
All of this and the secure systems first idea will not be realizable if the current division of responsibilities and separation of professional competences is upheld.

Re:Secure systems (0)

Anonymous Coward | more than 2 years ago | (#37989254)

Exactly. The military doesn't make a nuclear weapon and THEN figure out how to protect it or keep it disarmed and they don't use much COTS parts or designs. They need to have a vertically integrated mentality based on security then use COTS where and when it makes sense.

kneejerk response (0)

Anonymous Coward | more than 2 years ago | (#37984150)

Before you respond with the kneejerk responses, look at what you have in your toolkit as an admin. Superglue the USB ports. Great, how do you propose to move large, decent sized chunks of data from one airgapped network to another? My example -- moving declassified imagery from the intelligence network to email to the Red Cross and USAID in Haiti. How do you communicate with your vendors if you cut email and web traffic? Do you happen to have the extra billions of dollars to upgrade custom software to each new OS release? Yes, we're running a bunch of old Ultra60's because it's cheaper to maintain them while we port software to current generation software than it would have been to port it 4 times from then to now. Yes, when you're betting people's lives on the software, we take the certification and validation seriously. It's not like your cute Linux science fair project where unknown bugs are tolerated. I'm a hater, but Exchange is entrenched because the calendar works from crackberries to laptops on modems. As much as the military has fucked it up, and fucked it up well, Active Directory is the least fucked up way to maintain several million desktop users, who need roaming profiles over many continents. This is why those idiots are asking real professionals instead of the small time hacks. It's not a small problem. Imagine the cost of trying to train 2 million people to switch from PC to Mac or Linux or VT320 or whatever your pet solution is, in a world where infrastructure is not assumed. Do you really want to pay for that?

Re:kneejerk response (0)

Anonymous Coward | more than 2 years ago | (#37984368)

Great, how do you propose to move large, decent sized chunks of data from one airgapped network to another? My example -- moving declassified imagery from the intelligence network to email to the Red Cross and USAID in Haiti.

Simple solution: print it, scan it to a public (non-secure) terminal, email it. Security risk: zero. PITA: through the roof.

Part of the question has to be where we draw the line between efficiency and security. That will always be part of the equation.

A more middle-of-the-road solution would be some sort of automated screen-capture system from an unlinked terminal. For example, a (higher-tech) camera pointed at a monitor, capturing data when powered on, which is saved as a PDF/PNG/whatever type image or (OCR'ed) text file onto a public terminal.

None of it will come without costs (whether financial or to efficiency), but it's unrealistic to hope that you can have (for any length of time) a system that is cheap, convenient for you to use, and hard for other people to use.

Re:kneejerk response (0)

Anonymous Coward | more than 2 years ago | (#37987054)

You might still print or screen-capture the wrong data by mistake.

Don't let Linux users work there (-1)

Anonymous Coward | more than 2 years ago | (#37984154)

They're all cheap and want to steal secrets to make money.

Taking this seriously would be both sad and funny. (-1, Offtopic)

Barryke (772876) | more than 2 years ago | (#37984234)

Slashdot please inform me, and Stop Gossip

Wait... (0)

Anonymous Coward | more than 2 years ago | (#37984262)

DARPA and swank hotel in northern Virginia? Now last I checked, it was part of the NSA's mandate to protect our nation's communications and advise the nation on best practices, which means to me they technically ought to be the lead here. Then there is the location right in the heart of defense contractor territory. This sounds like a luncheon for overpaid wonks that still can't get the FBI on electronic records to pitch their latest brain dead notions. If this was at a HoJo outside Vegas around Defcon, like the day before or after, and was say Tweeted, then I might think that the government was getting its money's worth.

Still, in the spirit of helping our government not be idiots.... Physical access, i.e. wired networking. Written operating procedures that are intelligible, i.e. turn off ports not in use. And basic computer security practices, i.e. secure the service, i.e. end single sign-on, ought to be the basics. Also, we live in a democracy; prepare to be audited by extremists every two years.

baby steps... (0)

Anonymous Coward | more than 2 years ago | (#37984290)

Application whitelisting, host-based IDS systems that alert and block on any files that are not whitelisted. BLOCK SOCIAL NETWORKING SITES. Whitelisting websites, VMs while using email applications and surfing the web (users will always be dumb users....). Ubuntu, VirtualBox, OpenOffice = free....

Enforce Policy. (1)

indros (211103) | more than 2 years ago | (#37984308)

If you're not willing to make the hard calls when someone can't do something as simple as patching, you're doomed from the start.

Re:Enforce Policy. (1)

Tomato42 (2416694) | more than 2 years ago | (#37984654)

Software that requires regular patching is not secure at any point in time.

Re:Enforce Policy. (0)

Anonymous Coward | more than 2 years ago | (#37986344)

Not only are you correct, but you're forgetting the most important thing...

what software is secure?

Even Linux isn't 100% secure, because it relies too much on its daemons, which, while most are OK and secure, still have lots of bugs and flaws that are found every year.

Everything is man made, and everything man does has flaws. It's why we have so many checks and balances. While we strive for perfection, there is always someone who will reach it before you do. So how can perfection and security really exist the way we want it?

We need a multiple tiered approach.

So while software that requires patching can never be secure, focusing on just the software is not the correct answer for this subject.

My price. (0)

Anonymous Coward | more than 2 years ago | (#37984348)

Anyone helping them remove visibility should put the price tag at invisibility for all. It is a well-known fact that the U.S. government supports more intrusive activities on internet users. If they want my help to secure them from prying eyes, I want the same in return. Anyone with any moral dignity should insist on the same. [cough]Mudge[/cough] The more intrusive they get, the more intrusion they deserve.

Get rid of Windows (3)

GameboyRMH (1153867) | more than 2 years ago | (#37984364)

Securing the network on Windows is just about impossible. It was originally designed when computer security was nothing but a far-out concept, and attempts to retrofit security into it without tossing out the basic design have been unsuccessful so far; actually securing it would require a silly level of hacked-up modification (try to prevent wifi dual-homing, I dare you). Toss out Windows, start with a custom Linux distro and go from there. Network-booting machines secured with in-house-administered TPM will be extremely hard to break into. Allow centralized control of all software so that any change to a computer's OS that wasn't signed off on by the IT department sets off the biggest red flag in the world.

It can be done but not while trying to pussyfoot around with commercial consumer-grade toys.

Re:Get rid of Windows (1)

MadKeithV (102058) | more than 2 years ago | (#37984776)

(try to prevent wifi dual-homing, I dare you).

Physically remove WiFi capability from your system?

Re:Get rid of Windows (1)

GameboyRMH (1153867) | more than 2 years ago | (#37984864)

Har har.

Re:Get rid of Windows (1)

MadKeithV (102058) | more than 2 years ago | (#37984972)

Har har.

I don't see why you think that's funny - we're talking capital-S security with DARPA here. Relying on encryption to keep your broadcasted-to-anyone-in-the-neighborhood data safe is clearly strictly less secure than not broadcasting your data in the first place.
And don't think that I'm limiting myself to WiFi when I mean "broadcasting" - just audio could be enough to compromise security: https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information [freedom-to-tinker.com] .

Linux is doing SO WELL (not) on security lately (0)

Anonymous Coward | more than 2 years ago | (#37985420)

Recent security breaches on Linux listed next:

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Mysql.com (runs Linux) Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

Then, there's ANDROID, and it's showing us all that all the FUD on /. for years now that Linux is secure is just that, fud. ANDROID's being torn up in the hundreds with exploits and yes, ANDROID uses Linux kernel.

"Toss out Windows, start with a custom Linux distro and go from there" - by GameboyRMH (1153867) on Tuesday November 08, @09:04AM (#37984364)

Isn't ANDROID a "custom Linux"? Then, how come it's being TORN UP SO BADLY IN SECURITY & NEARLY DAILY YOU HEAR ABOUT EXPLOITS ON IT FOR YEARS NOW??

* That's all recent news of Linux security breaches there above, folks, and for all those years we all kept hearing "Linux = secure" around here, well... read 'em & weep above!

APK

P.S.=> By the way - You CAN secure Windows, & I've done so (remained uninfected since 1996 in fact on Windows NT-based OS by using what's in the link below):

http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=%22HOW+TO+SECURE+Windows+2000/XP%22&btnG=Search&gbv=1&ei=2Em5TufwI-qe2AWdvY2dBw [google.com]

And, yes, it actually WORKS...

However: Don't let ME just say it, I'll let others from the links above say it instead:

SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2 [xtremepccentral.com]

"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral

AND

"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral

AND

http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3 [xtremepccentral.com]

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)" - THRONKA, user of my guide @ XTremePcCentral

---

So yes: A SECURE SAFE WINDOWS IS POSSIBLE, if you follow what's in the guide above's points TO THE LETTER!

... apk

Re:Linux is doing SO WELL (not) on security lately (0)

Anonymous Coward | more than 2 years ago | (#37985524)

You think a 32-bit IP address of 0.0.0.0 takes up less space in RAM than a 32-bit IP address of 127.0.0.1?

You sound SMRT!

Makes 4 smaller HOSTS/faster parsing (0)

Anonymous Coward | more than 2 years ago | (#37985704)

Since 0.0.0.0 is smaller by 2 characters than 127.0.0.1, it DOES make for a smaller file too, especially in LARGISH hosts files, where those 2 chars per line only 'compound bloat'.

Put it THIS way, some "evidence thereof" to that very effect, quoted next below:

Even Microsoft's mgt. (Windows Client Performance Division head (who has a CSC degree mind you)) was FORCED to agree on that point, here (on slashdot no less):

http://slashdot.org/comments.pl?sid=1467692&cid=30384918 [slashdot.org]

* "Read 'em & WEEP", naysayer...

APK

P.S.=> This? This was just "too, Too, TOO EASY - just '2EZ'"... as it usually is, vs. naysayers like yourself!

... apk

Re:Linux is doing SO WELL (not) on security lately (1)

GameboyRMH (1153867) | more than 2 years ago | (#37985600)

Come on, Android is hardly Linux, the Linux-based kernel isn't even compatible with the mainline Linux kernel. Apart from that distinction, it's about as far from a locked-down security-centric distro as you can get.

And yes you can lock down Windows with an insane amount of work, but why not put that work towards a more fundamental and long-term solution, instead of slapping armor onto a vulnerable black box that was never designed to do the job?

Using a Linux kernel, ANDROID (0)

Anonymous Coward | more than 2 years ago | (#37985822)

Certainly isn't Windows - and? Looks like it is a Linux by using a Linux kernel, because lol, again: That's SURE NOT WINDOWS! It's a custom Linux, but one being destroyed out there security-wise, almost daily for years now in various exploits!

"And yes you can lock down Windows with an insane amount of work" - by GameboyRMH (1153867) on Tuesday November 08, @10:40AM (#37985600)

It's no "insane amount of work"... it's just regular patching, smarter surfing, & being aware of HOW Windows works to a decent extent (or really any OS & apps that run on it - mostly, it's user education awareness, along with configuration settings, not just "hacking" it...)

* INCIDENTALLY: Doing that guide? Takes about 1-2 hours of your time, but you can run for years in the distance safe & secure (as the testimonials showed, not including my own mind you) IF you follow that guide to the letter...

(It really comes down to what you said: USING A CUSTOMIZED 'SECURITY-HARDENED' SETUP, along with user awareness (I attempt to impart SOME of that to folks there too), & that's exactly what those guides give you!)

APK

P.S.=> It does work... and, as far as this from yourself?

"but why not put that work towards a more fundamental and long-term solution, instead of slapping armor onto a vulnerable black box that was never designed to do the job?" - by GameboyRMH (1153867) on Tuesday November 08, @10:40AM (#37985600)

I did, and it "holds its mud" well (put it this way - I ran Windows Server 2003 from the day it came out to the day I installed Win7 instead (2009) & am still on the SAME INSTALL of Win7, uptime solid & secure... all via principles in the guide, and using CIS Tool (yes, Win7 has a version of it as well, it does help, & makes securing Windows actually "FUN" in a nerdy kind of way - like running a security benchmark test really!))...

... apk

Incidentally, I forgot to list the CA's (0)

Anonymous Coward | more than 2 years ago | (#37986120)

Breached recently (past week or two now) that RUN LINUX:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

Each was compromised, per this article's proof thereof -> http://itproafrica.com/technology/security/cas-hacked/ [itproafrica.com] AND per this article on /. also -> http://it.slashdot.org/story/11/10/28/1954201/four-cas-have-been-compromised-since-june [slashdot.org]

APK

P.S.=> So, std./"OEM STOCK" Linux isn't the answer... @ least NOT a non-security hardened one (& I mean above + beyond just std. SeLinux even)

NOW... I noted CIS Tool for Windows 2000/XP/Server 2003 & yes, even Windows 7/Server 2008 have it, here in my other posting to GameBoyRMH -> http://yro.slashdot.org/comments.pl?sid=2514010&cid=37985822 [slashdot.org]

THERE IS ALSO A BUILD OF CIS TOOL FOR LINUX VARIANTS AS WELL, look into it...

That is, IF you're after that "custom security hardened build" he notes should be used (which he's right about, because I've done pretty much the same thing for Windows really, & it's worked for myself since 1996, & that post shows others doing the same since 2008 onwards)...

... apk

Re:Get rid of Windows (1)

morgauxo (974071) | more than 2 years ago | (#37985876)

While I agree with your conclusion that Windows is hopeless, I question your logic. Linux is a Unix clone, which is older than Windows. Certainly decent security can be added onto an existing OS. The difference is more the environment in which the two are developed, not when they were originally designed in relation to when network security became important.

You MAY wish 2 read these (0)

Anonymous Coward | more than 2 years ago | (#37986258)

To reconsider ur statement on Windows http://yro.slashdot.org/comments.pl?sid=2514010&cid=37985420 [slashdot.org] and http://yro.slashdot.org/comments.pl?sid=2514010&cid=37986120 [slashdot.org] because very recent history has shown Linux to be quite poor on the security front in practice.

Now - You note history: Did you know that as far back as Windows NT 3.x that Windows achieved the "Orange Book" C-2 security rating?

* Windows NT-based OS's HAVE been built with that in mind (witness ACL's which Linux only gained an analog of in MAC, via SeLinux which the NSA produced as an addon/bolt on for std. Linux mind you, clearly copying a good idea from Windows no less).

APK

P.S.=> The problem out there is two-fold, imo @ least:

1.) For everything & anything the coders or designers can think of, the hacker/cracker types will "unthink" & work-around (eventually that won't be the case & the cracks WILL get 'sealed' but takes time) - I've said this since my 1st security presentation back in 1984 @ LeMoyne College in fact, & it's held true ever since

2.) The end user, & programs they use that are insecure... in fact, want to know what's causing the MOST hassles on Windows (2 widely used programs), read here:

JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:

http://net-security.org/malware_news.php?id=1863 [net-security.org]

& this:

http://www.net-security.org/secworld.php?id=11759 [net-security.org]

You MAY find those links, QUITE "enlightening" actually...

... apk

Security begins at home (0)

Bob Cat - NYMPHS (313647) | more than 2 years ago | (#37984450)

I can't believe this silly disclaimer DARPA has on their site. Read it carefully. They're doing it wrong.

http://www.darpa.mil/external_Link.aspx?url=http://i.imgur.com/slZOR.jpg [darpa.mil] ;)

Re:Security begins at home (0)

Anonymous Coward | more than 2 years ago | (#37987668)

lol asp

We need talent (1)

bbasgen (165297) | more than 2 years ago | (#37984492)

The core problem for the US government, and whichever of the many branches that is taking responsibility for this or that part of the government's cyber infrastructure, is a lack of pervasive talent among the staff. In order to attract talented staff, it is essential to have a very transparent mission and vision for an organization. Is the US government really committed to securing the infrastructure?

Without the military part up or out will force ou (1)

Joe_Dragon (2206452) | more than 2 years ago | (#37985068)

out good tech people or force them to be mangers and then on to some other post.

Also a lot of tech people are too old for the military; others don't have the mindset to make it through a military boot camp. If some of it needs to be military, maybe then it needs a special rank system so techs are not forced to start at private pay, and officers should not be the same way as the rest of the military is.

Also have a special boot camp, say maybe little to no exercise part, no forced gun training, no other battlefield skills (we want people to work on IT and not be soldiers that can be sent anywhere). Maybe even have some kind of tech school, but I don't know if they should become officers (as some tech people make for poor managers); maybe have techs become team leaders.

Prevent spear-phishing (1)

satuon (1822492) | more than 2 years ago | (#37984580)

Well, if you look at the Chinese attacks, they are all based on spear phishing. So what you need to secure is to prevent people from running code sent to them via emails. It's really easy to do - simply enforce whitelists - not blacklists, whitelists. For example, the OS should refuse to run unsigned exe files - not simply ask you if you're sure, but actually tell you that you can't, period. And by unsigned I mean anything not signed with the private keys of your organization. Also, make a whitelist of domain names so only approved websites can be visited. That cuts a large swath of infection vectors - now you can't enter into the computer network with the help of gullible employees, because even if they want to run your exe or follow that link to your website and enter their password THEY CAN'T.

Re:Prevent spear-phishing (0)

Anonymous Coward | more than 2 years ago | (#37984984)

So what you need to secure is to prevent people from running code sent to them via emails. It's really easy to do - simply enforce whitelists - not blacklists, whitelists. For example, the OS should refuse to run unsigned exe files

This isn't done with EXEs anymore. They are taking advantage of buffer overflows or other exploits in 3rd party software like Flash, Office, Acrobat Reader, and sometimes Java or Silverlight (less seen in spear-phishing). There are exploit kits that package a payload with numerous different software exploits in the hopes that one of the many exploits they packaged will not be patched on your system.

Re:Prevent spear-phishing (0)

Anonymous Coward | more than 2 years ago | (#37987126)

This could be solved using a minor, but important variation of a CPU. It merely needs to support light encryption of data in the main RAM by decrypting data as it loads it into the cache RAM. The data in the system would all be encrypted of course, and unencrypted data would be converted to unpredictable data by the decryption step. The encryption would be something very simple like XOR-ing each 32 bits it loads with a 32-bit key. Anyone attempting code injection would have to know the key in order to have any idea what his code would do on the target system.
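A toy model of the per-word XOR scheme proposed in the comment above, added here as an example (not code from the thread). It reproduces the claimed benefit (bytes written to RAM in the clear are not loaded as written) and the limitation a reviewer would raise: with one 32-bit key shared by every word, a zero-filled word is stored as the key itself, and any single known plaintext word recovers the key. All function names and sample bytes are constructed.

```python
"""Toy model of the comment's per-word XOR RAM scheme (constructed example)."""
import os
import struct

WORD = struct.Struct("<I")  # the scheme operates on 32-bit words


def xor_words(data: bytes, key: int) -> bytes:
    """XOR every 32-bit word of `data` with the same 32-bit `key`.

    Encryption and decryption are the same operation, as in the proposal.
    """
    if len(data) % WORD.size:
        raise ValueError("data length must be a multiple of 4 bytes")
    return b"".join(WORD.pack(w ^ key) for (w,) in WORD.iter_unpack(data))


def cpu_load(ram: bytes, key: int) -> bytes:
    """Model the CPU's load path: bytes in RAM are XORed with the key as they
    are pulled into cache, so bytes written in the clear come out scrambled."""
    return xor_words(ram, key)


def foreign_bytes_are_scrambled(foreign: bytes, key: int) -> bool:
    """The benefit the comment claims: bytes placed in RAM in the clear are not
    loaded as written. Only holds for a non-zero key."""
    return cpu_load(foreign, key) != foreign


def key_from_known_word(plain_word: bytes, cipher_word: bytes) -> int:
    """The weakness: one known plaintext word and its stored form reveal the
    key, because (p XOR k) XOR p == k."""
    return WORD.unpack(plain_word)[0] ^ WORD.unpack(cipher_word)[0]


def zero_word_stores_key(key: int) -> bool:
    """Special case of the above: a zero word is stored as the key itself, so
    any zero-filled region of RAM holds the key in the clear."""
    return xor_words(bytes(WORD.size), key) == WORD.pack(key)


def demo() -> dict:
    """Run the model end to end with a random key and constructed sample data."""
    key = WORD.unpack(os.urandom(WORD.size))[0] or 1  # avoid the degenerate zero key
    program = b"\x55\x48\x89\xe5\x90\x90\x90\x90"  # constructed 8-byte sample
    stored = xor_words(program, key)  # what actually sits in RAM
    return {
        # legitimate code round-trips through the load path
        "round_trip_ok": cpu_load(stored, key) == program,
        # bytes written in the clear are not loaded as written
        "foreign_scrambled": foreign_bytes_are_scrambled(b"\x90" * 8, key),
        # a zero word in RAM is the key, verbatim
        "zero_leaks_key": zero_word_stores_key(key),
        # knowing the first 4 plaintext bytes is enough to recover the key
        "key_recovered": key_from_known_word(program[:4], stored[:4]) == key,
    }


if __name__ == "__main__":
    print(demo())
```
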

"frank" is the 1st step (2)

bzipitidoo (647217) | more than 2 years ago | (#37984718)

Frank discussion? That's the 1st problem.

Security seems to be extra vulnerable to fraud. Many times, I saw military customers wooed by vendors who are perfectly willing to give them a load of bull about how they can't explain why their devices, software, and ideas are secure, because that would compromise the security. Then the military goes a step further, and abuses their secret classification system to cover up security problems, keeping important information even from their own people. They base security decisions on politics. They are more interested in getting a system approved as secure than in whether it is actually secure, and will lean on people to just rubberstamp systems. They play favorites. They like Windows, because they find it more user friendly, so they push to have it declared secure. Systems they don't like are held up to extremely difficult standards, the better to reject them. They engage in plenty of their own bull to pull that off. For instance, Linux is coded by foreigners, which they deem automatically makes it insecure. How can they know some foreign programmer won't put a back door into the Linux kernel? Never mind that Microsoft might employ Indians to work on Windows. And who's to say that US citizen programmers would never sell out?

They want COTS (Commercial Off The Shelf), to save money, but there is no COTS that meets their needs. They play a funny game with contractors too. Employ people as contractors and treat them with deep suspicion, but won't employ them as their own experts who just might possibly be a touch more committed and loyal.

No surprise that the military stinks up their security.

Re:"frank" is the 1st step (0)

Anonymous Coward | more than 2 years ago | (#37985960)

you think DARPA is the military?

Easy (1)

koan (80826) | more than 2 years ago | (#37984784)

Stop putting critical systems online.

Too many secrets (0)

Anonymous Coward | more than 2 years ago | (#37984940)

Two winning strategies:

Stop connecting computers to the Internet

and/or

Stop having secrets

Wrong OS? (1)

sammyo (166904) | more than 2 years ago | (#37985834)

Was anyone ever able to compromise a correctly configured VMS box? Has anyone broken strong well configured public key encryption? Security is not a big secret, not easy, but good, effective practices are not unknown. So is the question "how do we keep script kiddies off our sharepoint site installed by a neophyte sysadmin"? Really the only valid response is a well quoted "*sigh*".

Back to basics (0)

Anonymous Coward | more than 2 years ago | (#37985980)

There are too many items to list here.

* Non-networked systems
* Air-gaps
* No way for end users to bring in any programs or data. No USB, no optical media, no firewire, no eSATA. PS/2 keyboards and mice.
* All non-secure OS settings need to be removed. If an OS cannot be set up in that way, DO NOT USE IT.
* Avoid the so-called industry experts from any current contractors. They look for ways to make money as their primary goal, not secure the networks and systems. Boeing, GD, CDC, EDS, and similar contractor management all need to be thrown out.
* Personal responsibility for any breaches.
* End users do not need internet access by default. Having internet should be harder than getting a TS clearance with mandatory bi-annual training and constant testing.
* FLOSS should be used by default - commercial software should only be used as a last resort. The government can mandate this in contracts. It will make FLOSS better for the entire world and end the stranglehold that software vendors currently have. Start with mandatory open formats to achieve political wins in the short-term. This goes to servers as well. Source code provided and available for all. I'd like my government tax dollars helping not just the US government, but the entire planet.
* Without the source code, it is impossible to ensure the code is updated as security issues are found.
* I'm not anti-commercial vendors, just anti-closed source. Commercial vendors can change their software release models and retain support contracts, charge for new features, run the systems too. If their prices are out of line, another group of experts (often from former employees) will be able to take over.

Its not just the system, the OS, or the network... (0)

Anonymous Coward | more than 2 years ago | (#37986202)

It's all 3.

1. Putting a device that detects attacks between your WAN and your infrastructure is key, i.e. an IPS/IDP. Ideally you'd want this attached to all your switch ports as well. (These devices go in both directions, so it will also be able to see what gets sent out as well as in.)

2. Use Linux as the core system on the workstations, disable all over-the-air type connections (wireless is not and never will be secure), drop in a proper firewall (iptables is good, but you need a layer 7 policy software firewall here, not just layer 3/4, as you want to be able to read into your applications and packets at the layer 7 level, then set up rules based on what you expect and don't expect).

3. Sandbox the users' OS between your Linux core system and whatever OS they will be running (at this point, they could run Windows, because anything they run on it could and would be filtered, detected, logged, and controlled at the sandbox, the L7 soft firewall, and the IPS between their workstation and the network).

All the above is already being used in many govt facilities, University campuses, and in the private sector.

Just not all of the above at the same time, and that IS the main problem.

You can say 'wow, that's a lot of software, and there will be overhead' all you want. But with the latest hardware (i7, AMD x8 Opteron, 8 gigs/16 gigs of RAM) this is 100% feasible now. And should be considered standard practice for secure facilities today.

For developer systems and the like, drop them off the shared network and build them into their own network that is isolated. If they need the extra horsepower without the need of the above, then they do NOT need to be attached to the network.

Does it really need to be online ? (1)

mikei2 (2321972) | more than 2 years ago | (#37986340)

Any Internet connected system will be compromised at some point in its design life. The only way to prevent this is to get really important things offline, and keep them off the Internet (including all of those government networks like Intelink, Siprnet, Nipnet, etc, etc, etc, etc, etc, etc, etc.)

Hire from without (0)

Anonymous Coward | more than 2 years ago | (#37986454)

I've said it before and I'll say it again: Hire people you don't know. I realize that sounds bad at first, but it's better than what the DoD does now.

I read an interview in TIME a year ago with the guy (the name Montgomery or Mitchell or Marshall or something with an M sounds right) in charge of the Air Force's cyber command. He hit the nail on the head. They created the cyber command by picking out the most skilled computing personnel who were already within the military, then transferring and promoting them as needed. The problem? The kind of people who joined the military before the cyber command was created are all shooters. They're gun people, not keyboard people. As a result, the cyber command started by filling its ranks with the best of the worst. Everyone there would list their knowledge of Linux command syntax (if they have it) secondary to their ability to hit a target at 300 yards. And that's the problem.

The guy in the interview knew it. At the time, he was lobbying congress to get special recruitment exemptions for geeks. Skipping the more physical aspects of basic training, skipping rifle training, etc. He was doing his dead level best to make the military a place geeks want to work. The result? A bunch of senators from the south (including the one I didn't vote for from my state of Alabama) telling him that "the military shouldn't be employing a bunch of namby-pamby whiners who can't make it through basic training." And to give the man (the commander, not the senator, he's a douche) his response was totally on target: "With all due respect sir, the equivalent of those namby-pamby whiners in China could shut down the US electrical grid in about 20 minutes. It seems more than prudent to ensure we have our own whiners to combat theirs, sir." That pretty much sums up the problem.

Re:Hire from without (0)

Anonymous Coward | more than 2 years ago | (#37987154)

You got it!

My uncle is now a security officer in the military. He's a highly skilled Linux programmer, and knows how to attack the network if he needs/wants to.

the only reason he got in the military and is now in security is because he had a 96% accuracy at 300 yards.

After all this time, the military still values killing over technical skills. While they should be on equal footing.

If an Iranian Nuclear power plant can be attacked by a virus, which could have caused major damage we are just lucky it didn't, you'd think the military would take a better look at their skill requirements.

But they rely on their current ranks, the NSA/FBI/CIA to foot for when they can't make up. (and the majority of their skills are about as good as the Military)

We need a skill refresh; it's long overdue.

Easy (0)

Anonymous Coward | more than 2 years ago | (#37986780)

Secure against spam, all else is then trivial.

"three tenths of a per cent" (0)

Anonymous Coward | more than 2 years ago | (#37987434)

This kind of thing pisses me off, mixing fractions and percentages here in this way has no advantage.

Just say "0.3 percent" for fuck's sake.... needlessly obscuring the wording and format of statistics is almost as useless as individually unrelatable statistics used by politicians. I've lost all respect for the writer and will not read the rest of the article.

Why should we help with no Consitution? (0)

Anonymous Coward | more than 2 years ago | (#37987580)

Maybe if the US Constitution was restored.... and these fucking oath breakers removed, I might have more motivation.

But until then I offer the Common Sense Security Skeleton. (it's to be taken and improved as you become wiser)

1. Nothing is going to secure a network forever.
2. Keep secret technology in a vault with a logbook.
3. In the "rare situation" where sharing classified crap with the wild west, use a VM; large data can be carried by portable drive (non real time) to the VM for transmission.
4. Real-time video gets a video converter which then dumps to a sacrificial VM to broadcast it. (A video camera on a tripod can work in a pinch.)
5. All "Websites" get air gap, and are to be considered fair game if facing the web.
6. Parts Manufacturers for parts which Darpa uses, must be manufactured by Darpa or the process must be completely controlled 100% by Darpa with a logged chain of custody and oversight of the entire process. (it's not okay to order mil spec chips from a foreign country even if you have an unconstitutional fucking treaty with the scumbags)
7. Spies get portable aes 16384 keys and cb radios with funny channels, just kidding. They get ftp access and a daily list of proxies, okay okay just kidding. Spies are just bitchy little girls train them or shoot them.
8. "throw off" the oath breakers and bankster enablers soon, or nothing is going to matter.
9. If you can't secure it destroy or de-activate it.
10. Design a human chain of custody 100% through and through. One man who swore an oath can move 20 yards of classified boxes a mile alone, as long as he is able to keep an eye on all boxes 100% of the time, keeping everything isolated for the trip: pick up one box, set it down 50 yards on, go back, rinse, repeat. This is different from electronic voting, where more than one party has an interest in the data (you know, paper ballots) not being tampered with.
11. Don't hire contractors who are connected to the Ponzi banksters. Block their iframes.
12. Security Clearance Audit 100% of everyone: sit down, look at past activities, and if there are "problems", then that person is never to work for, hold office, contract, or access networks or information ever again.
13. Cleanse the NSA, CIA, and PENTAGON of these horrible Logan Act violators; FIX the LOGAN ACT so it has big teeth. No more AIPAC, CFR, PNAC, EU BS.
14. At some point, when all the treasonous oath breakers have been removed from the picture, a trusted network (intranet) will be created, let people use whatever tools they want (granted they are not worms (reverse engineer them) and other unsafe shit) to get the job done on this network.
15. If you are worried about the electrical system, fix the Solar and Hydrogen situation so the people can start to get off this (not so) smart grid bs. Cheap panels and a fucking set of plans to convert water into bottled hydrogen for Joe Homeowner (who can't even light a fucking fire in the fireplace because of all the bs brainwashed state and federal green laws and carbon fraud, and meanwhile all the other nasty bullshit coming down in the air, from Fukushima fallout to aerial spraying to create the electronic battlefield. Turn that shit off, before everyone is too sick to work on your fucking networks.)

Same old, same old (0)

Anonymous Coward | more than 2 years ago | (#37989144)

The US Government has screwed up for a long time in this area, and they are not about to change. They laughed at the French when the Germans marched around the Maginot line, yelping out "hey silly, they aren't going that way, they are going this way over here, ha ha!" But they don't learn from the French mistake. Smart people learn from other people's mistakes; stupid people learn from their own. Here the US government is doing exactly what the French did, but over and over. A terrorist delivers a bomb via an airplane, so all airports are home to mountains of security, "because that's the way they always do it". It's like there is a rule or something (some might even call it a rule). But there is no rule. The next time, they probably do something else. In cyber security, they see a vulnerability, and play whack-a-mole. They fix one hole in the colander, and the next time the water goes through the next. Then they fix that hole, and the exploit goes through the next. Rinse, repeat. Would it be that hard to build a 'hardware entrance' to a network that is well designed and only allows registered people in, and only allows certain IP addresses from certain routes in, with proper credentials? You can add optical fiber and Heisenberg encryption (so if there is someone performing a man-in-the-middle snoop, everything gets muddled). But they don't, and won't. Ha, ha, the Germans went around the line and came from the north through Belgium! Fighting the last battle over and over is never a good strategy. That's the thing to learn.
