In an Age of Cyber War, Where Are the Cyber Weapons?

Soulskill posted about 7 months ago | from the left-them-in-my-other-cyber-pants dept.

Security 94

chicksdaddy writes "MIT Tech Review has an interesting piece that asks an obvious, but intriguing question: if we're living in an age of cyber warfare, where are all the cyber weapons? Like the dawn of the nuclear age that started with the bombs over Hiroshima and Nagasaki, the use of the Stuxnet worm reportedly launched a global cyber arms race involving everyone from Syria to Iran and North Korea. But almost four years after it was first publicly identified, Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed. Experts in securing critical infrastructure including industrial control systems are wondering why. If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'? Speaking at the recent S4 Conference, Ralph Langner, perhaps the world's top authority on the Stuxnet worm, argues that the mere hacking of critical systems is just a kind of 'hooliganism' that doesn't count as cyber warfare. True cyber weapons capable of inflicting cyber-physical damage require extraordinary expertise. Stuxnet, he notes, made headlines for using four exploits for "zero day" (or previously undiscovered) holes in the Windows operating system. Far more impressive was the metallurgic expertise needed to understand the construction of Iran's centrifuges. Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country's uranium enrichment operation."

94 comments

Really? (3, Interesting)

Anonymous Coward | about 7 months ago | (#46130063)

Haven't you been watching the news for the last six months?

Re:Really? (4, Interesting)

icebike (68054) | about 7 months ago | (#46130241)

MIT Tech Review (of all organizations) should know that cyber weapons aren't loaded onto airplanes and dropped like bombs, nor do they make a big noise.

When you read the article they don't sound quite as clueless as the summary makes them out to be. Yet the comparison with nuclear weapons is one the article made right off the top.

They speculate that Stuxnet was an anomaly not likely to be repeated. But that is only because Stuxnet was intended to be stealth and un-traceable. It is hardly the platform you would expect for a WAR time attack.

Such weapons probably already exist, but since nobody with the cyber-weapon capability is actually at war with any other cyber target country, the weapons aren't being used. It's not like we used nuclear weapons on Iraq. It's not like the Syrian Electronic Army is much besides a bunch of script kiddies looking for weak spots.

To use Cyber weapons, (as opposed to stealth cyber sabotage) you pretty much have to be at war. No one is willing to start one just to test a weapon. You can use clean room labs for that, and you are not likely to invite the MIT Tech Review to watch.

Re:Really? (1)

gmuslera (3436) | about 7 months ago | (#46130279)

Knowing how much damage people do misusing current normal systems, do you really need weapons when you can intrude everywhere and have it attributed to someone else's stupidity?

Thursday - a weapon to take down gvt computers (1)

raymorris (2726007) | about 7 months ago | (#46130941)

The government's newest major computer system is healthcare.gov. What kind of weapon do you need to take down major, modern government computer systems? Apparently, Thursdays are sufficient to take down healthcare.gov.

Super advanced cyber weapons simply aren't needed. How many programmers who ended up working government jobs even know what a "SQL injection" is, much less how to prevent it? One small sample suggests only 20% of government programmers know what it is, and 10% use parameterized queries, leaving most systems open to trivial attacks.

Re:Really? (2)

rusty0101 (565565) | about 7 months ago | (#46131443)

As fast as the internet generations flash by, I hate to say it, but cyber weapons are still at the throw rocks, wave spears and scream cat calls level. Think of cyber weapons (for now anyway) more as PC based biological warfare.

We currently have limited vectors available. Stuxnet was sneakernet delivered to the systems it was designed to attack. It was essentially at the VD level of disease propagation. Yes it reached a large number of systems, but look at how many people end up with Syphilis and Gonorrhea every year.

Botnets are fundamentally the common cold. You find out your system was infected, get it cleaned up, commit to washing your hands (install personal firewall software at least) and find out all your neighbors picked it up from somewhere as well, it sort of runs its course, the immune system figures out how to take it out (AV software gets new signatures) and the virus mutates starting the cycle over again.

We're a long way from the smallpox to ebola level of contagion. And the types of attacks that we're being told are cyber warfare attacks are substantially similar to monkeys throwing crap at the people watching them.

Re:Really? (1)

icebike (68054) | about 7 months ago | (#46131681)

True, and from the disease perspective, a very apt example.

But instead of relying on the disease model, perhaps there is still a capability for attack more along the bullet model.

It's not inconceivable that a small bug could be found (or built) in every network chipset that just waits for that magic sequence of packets, and fries itself. You don't need to take out every PC, all you need to do is disable routers.

Is the US worry about having Chinese infrastructure components (routers and cellular equipment) less about the spying platform it might provide and perhaps more about the availability angle? If one call from home takes down all your major routers, you can kiss your backbone goodbye. Built into a low level component, this might never even reside in the router management software.

(That's not to discount the possibility of undersea cable cutting, and other physical means).

Disease model works for you if you are small, remote, and relatively powerless. Bullet to the brain works if you are large, widely distributed and stealth.

Re:Really? (1)

rusty0101 (565565) | about 7 months ago | (#46131979)

I would point to 3com as an example of an instance of your magic bullet to the brain bug, though that bug did not 'fry the chip,' it simply introduced an error into the packet that caused any packet carrying a specific bit pattern to be discarded by the next ethernet adapter the packet traversed and was checksummed before doing any further handling. That bug caused a large number of problems as the symptom looked like there was random noise on the network, but was very repeatable. As a result, there are a reasonable number of network engineers who take into consideration the problem described.

That's not to say that you can't generate such a magic bullet, or sniper shot, just observing that at some level many engineers are already looking for it. Also making it work may not be quite as easy to implement as people think, as it very well may depend on how the packets are handled by the device you are looking to take out, and different classes of routers and network switches handle the packets differently. Which I won't get into here.

Because of what it was intended to do, Stuxnet could very well be considered a targeted sniper bullet, but again the delivery was by sneakernet. Which didn't prevent it from getting around in other ways, just that it needed to use sneakernet to get to its target systems. At some level it worked via the genetic match system, look for this type of associated hardware, and do work on this type of material. From a biological hazard equivalent, look for a genetic marker, say a combination of markers that gives someone blond hair, facial hair, blue eyes, and greater than 30% body fat, then work by destroying heart muscle tissue. You may end up affecting thousands of men, but miss your actual target because you didn't know that your target bleached his hair and wears blue colored contact lenses to hide his brown hair and eyes. Stuxnet shows that we can do something like this within the technology field, but at this point we can't do the same thing with humans. Most of that has more to do with the lack of complexity within the computer industry, more than the fact that it's a statement of how poorly we can do biological attacks.

Re:Really? (1)

mikael (484) | about 6 months ago | (#46136281)

It happened in the past with telephone exchanges. They had some self-maintenance code built in such that if one exchange detected a malfunction of some sort (accounts balance fail to match, line quality not good enough), it would send a fault message and a shutdown notice to its neighboring exchanges. But there was a little bug. The message first hop was correct as it sent the ID of the originating exchange, the message relayed second and later hops was wrong because it sent the ID of the current exchange. Thus when one exchange went down, it shut down all the other exchanges.

Re:Really? (0)

Anonymous Coward | about 7 months ago | (#46132131)

"They speculate that Stuxnet was an anomaly not likely to be repeated"

Were they taking bath salts when they came to that conclusion?

Re:Really? (1)

gzuckier (1155781) | about 7 months ago | (#46136581)

Heck, I've been wondering for years where is all the corporate malware? I mean, back when MSWord was fighting off Word Perfect, for instance (kids, ask your parents) I would have bet that one side or the other would have issued some worm or virus or something that would have had some subtle effect like making the other product take an extra 20 seconds opening a file. I didn't think it would be management, mind you, but I can't believe that none of the programming nuts on either side went rogue. Not to mention any of the volunteer partisans out there in early netland.

Re:Really? (1)

Mister Liberty (769145) | about 7 months ago | (#46130849)

Indeed, it's a question that only somebody who has his head up his ass could ask.
Cyberwar -- class war, and guess what, you're the victim. If you don't see this, enjoy
your remotely controlled life.

Classified (2, Interesting)

Anonymous Coward | about 7 months ago | (#46130073)

REALLY stupid question. It is not like they are going to wave them about for everyone to see. They most likely exist.

Re:Classified (2)

NFN_NLN (633283) | about 7 months ago | (#46130167)

If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'?

Cisco gear is deployed in enterprise environments throughout the world.
Windows dominates most desktops and has a large footprint for servers.

The NSA has back-doors into all of them.

Re:Classified (1)

mjwalshe (1680392) | about 7 months ago | (#46130795)

the U2, and Blackbird maybe

Re:Classified (1)

cavreader (1903280) | about 7 months ago | (#46131153)

You have absolutely no proof of any NSA backdoors. The NSA doesn't really need any backdoors when they can waltz right in the front door using legal and not so legal warrants, social engineering attacks, and subtle and not so subtle coercion. Stuxnet was a specifically targeted attack that required expert knowledge of the SCADA configuration and centrifuge control systems. It required physically breaking into two companies to steal the signed certificates used in conjunction with the 0-day exploits used. And most importantly it required an inside agent in the highly secure Iranian labs to inject the attack using a thumb drive. The reports of others (non-Iranians) detecting the Stuxnet virus in their systems was most likely a test designed to map the effectiveness of the transport mechanism. A mechanism that might be used for future attacks. After all a widespread attack needs a big test bed if you actually need to determine if your attack even has a chance of being successful.

Re:Classified (1)

NFN_NLN (633283) | about 7 months ago | (#46137805)

You have absolutely no proof of any NSA backdoors.

Eat shit, how fucking naive can you be:
[NSA’s backdoor catalog exposed: Targets include Juniper, Cisco, Samsung, Huawei] http://gigaom.com/2013/12/29/n... [gigaom.com]

Re:Classified (1)

cavreader (1903280) | about 7 months ago | (#46141013)

So there is a catalog containing high end network hacks that even includes pricing for the various hacks? Is the NSA actually marketing their super secret technology? That would sort of defeat the whole purpose of secret backdoors now wouldn't it? Have any of the listed hacks been proven to exist? I mean you have the exact details on the equipment so it seems it would be pretty straightforward for a knowledgeable computer or network security firm to prove the existence of these backdoors. You basically linked to an article that links to a second article which contain no details other than someone has formed the opinion that a released document is a catalog of super secret spy technology. Well if that's what they think it must be true even without any corroborative supporting evidence? Case closed. Oh and the linked article also goes on to mention that they cannot verify the provenance of the information they have based their article on. That little missive is the mechanism to protect the journalist or publisher from being accused of making shit up wholesale.

Re:Classified (1)

NFN_NLN (633283) | about 7 months ago | (#46147371)

Cisco responded to the claim of a backdoor. They didn't acknowledge it but they didn't deny it either. What do you think that means?
Let me guess, you don't think the NSA is spying on citizens either because there is no evidence that meets your criteria.

Re:Classified (1)

cavreader (1903280) | about 7 months ago | (#46157907)

I think it means CISCO wants to avoid the entire discussion so they are going with a "no comment" strategy.

CISCO SVP John Stewart declared "As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security 'back doors' in our products." CISCO investigated the matter in detail and couldn't find the "backdoor" in their product but they did leave open the small possibility that a "backdoor" could exist and they just couldn't find it. This is preposterous but it does cover their asses in the event something turns up no matter how unlikely. Google, MS, and Apple have also formally denied their data centers or any of their products or services were compromised by NSA backdoors. These companies provided data when presented with a valid warrant issued from a normal court or from the FISA court. National security letters have also been used to get a company to provide the information requested. And while people may not agree with the FISA program or national security letters it does not mean they are technically illegal. Both of these methods can be and are being re-evaluated to determine what changes should be made to provide the average citizen with a higher level of privacy.
I am pretty sure the NSA does spy on citizens but I believe it is targeted at individuals and not the entire population. But I have doubts they are capturing and analyzing all phone metadata, e-mails, and text messages generated by the entire US population. I also believe that the NSA spying activities and technical capabilities have been over exaggerated in some areas. I see a lot of people automatically believing any accusations made against the NSA without examining the details and veracity of the information used to make the accusations in the first place. I am not defending the NSA or the government I just think any accusations made should be examined in detail before formulating an opinion. It's come to the point where any accusation of wrongdoing by the government is automatically 100% true and that type of thinking creates more problems than it solves. Personally I think the government missteps and overzealous security programs are the result of a high level of incompetence and bureaucratic idiocy instead of any malicious intent aimed at the average citizen.

Re:Classified (1)

mrbluze (1034940) | about 7 months ago | (#46130371)

REALLY stupid question. It is not like they are going to wave them about for everyone to see. They most likely exist.

Yes, the weaponization is built into every Intel processor, and probably most other processors and controllers. The weapons in cyber warfare start with the smart phones we point at our own heads and will shortly be the cars which can crash us into the next tree or fail to stop at the next busy intersection.

Re:Classified (1)

ShoulderOfOrion (646118) | about 7 months ago | (#46131899)

I fail to see the difference, then, between future cyber warfare and the ongoing carnage I see on the sidewalks and streets right now.

Re:Classified (1)

KernelMuncher (989766) | about 7 months ago | (#46130539)

Not only do they exist but they're almost assuredly being used right now. It's just that the virus writers are the best (CIA / NSA) money can buy so their work remains anonymous.

catalog of them (1)

Anonymous Coward | about 7 months ago | (#46130075)

http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

Seems we heard little of them because secrecy was maintained for quite a while and (shocker) it was the US building/using most of them.

Re:catalog of them (1)

Anonymous Coward | about 7 months ago | (#46130207)

Only the US has had a mole leak its list. Are you kidding yourself that Russia and China don't have their own?

Re:catalog of them (1)

Kishin (2859885) | about 7 months ago | (#46132119)

China and Russia are certainly involved in cyber espionage, especially for state secrets or intellectual property. I was simply pointing out that the US is the main country talking about how we have to be worried about cyberwar and is also the main country using a vast arsenal of cyberweapons against most developed nations, including allies & neutrals.

This is both a nice irony and a potential explanation for why we know neither specifics of cyber weapons nor how to stop good ones.

LOIC? HOIC? (2)

ganjadude (952775) | about 7 months ago | (#46130099)

We have E-cannons already, skript kiddies have been using them for years now.

Re:LOIC? HOIC? (0)

Anonymous Coward | about 7 months ago | (#46131563)

You mean being hilariously ineffective.

Backhoes? (3, Informative)

TheVillageIdiot (137836) | about 7 months ago | (#46130101)

Is there a doubt in anyone's mind?

Well that's obvious... (1)

Mashiki (184564) | about 7 months ago | (#46130119)

The cyberweapons are between your fskin' ears. Malware, virii, etc, are just the tools.

Re:Well that's obvious... (1)

Ceriel Nosforit (682174) | about 7 months ago | (#46130393)

Not between everybody's ears... Polymorphic shell code was spreading in the 90s and since then the research has moved far beyond. Most recently a single binary blob which hooks into wildly different embedded operating systems and even architectures was presented openly to the public. The most frightening thing about this current situation is that the NSA turned out to be an industrial-scale bottom-feeder instead of at the forefront in the field. Their lack of sophistication must be why they have resorted to attacking instead of defending.

Attack is much easier than defence. The industry thought the NSA was engaged in defence as per their charter as written in US law. There is a huge deficit of security compared to traditional business estimates, as is evident by the norm of routine dismissal of alarming information as the delusions of paranoid conspiracy theorists, who have since been vindicated by Mr. Snowden.

Security has palpable economic value. Deficit in security is a deficit in economic potential. Because of this it appears as if the NSA has been engaged in economic warfare against the entire global economy. Huge engineering projects should be put on hold while the SCADA industry rectifies a culture of negligence, but they are forced to endanger eg. people living near hydroelectric dams since they are unable to suddenly provision the budget needed for security. - The NSA and its ilk took this, the tax-payers' money earmarked for defence, and used it for their... what should one call it, evil?

All because they failed to recognize and recruit talent, idiotically opting for buzz-cuts over sandals. - They persist at trying to use primate social instincts to validate fields of expertise far outside their own. We are fortunate that Stuxnet and its predecessor were the best this culture could achieve.

Re:Well that's obvious... (2)

Tablizer (95088) | about 7 months ago | (#46130625)

I found the weapon! [slashdot.org]

Decentralized war? (0)

Anonymous Coward | about 7 months ago | (#46130127)

You can look back at sensationalist war-propaganda in the 21st century and notice that most of the wars fought in the west were not against big militarized powers with guns blazing and large banners. Where was Fat Man after 9/11? Where was the Fat Man of the war on drugs? The cyber war will not be fought in the power of viruses/security leaks, but in their number. Not only that, but even the smaller security vulnerabilities are exploited to harm many people, as in the recent Target security breach or the Sony Playstation credit card leak. The fight is not against complex, politically motivated (or facilitated) viruses/information breaches, but against your average neighborhood kid who knows basic SQL.

Metallurgical expertise? (0)

Ellis D. Tripp (755736) | about 7 months ago | (#46130131)

Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them...

No, they didn't.

They just needed to have a rough idea, and make sure that they experienced forces well in excess of that figure.

Re:Metallurgical expertise? (0)

Anonymous Coward | about 7 months ago | (#46131399)

Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them...

No, they didn't.

Exactly. Stuxnet did two things to sabotage: Spinning down the centrifuge for a moment made the separating layers of isotopes re-mix. Doing that now and then would hamper the effort a lot, without any traces.

Speeding up enough to do damage was also easy. Such centrifuges are run at the highest speed they can take, or the separation will be slower. So, increase by 20% or so and you'll have your damage. If they could run safely with 20% more speed, they would be doing that already. And your attack speed would then be 20% above that point.

Speeding up to instant destruction would make debugging easier. Better to overspeed slightly now and then. Chances are good they get random failures and breakage happening when the things run at normal speed.

Oh for fucks sake. Can't you read? (0)

Anonymous Coward | about 7 months ago | (#46130137)

Here you MIT idiots go: This is where the cyber-weapons are. [theatlantic.com] The same place all the other weapons are. The Black Fucking Market. What morons, get real.

Re:Oh for fucks sake. Can't you read? (1)

mysidia (191772) | about 7 months ago | (#46130275)

Actually... the real cyberweapons are most likely in government storage; right by the WMDs.

I bet the NSA or FBI has all the decryption keys, required to activate most of them.

The president's nuclear football, probably now includes cyberweapon deployment, and internet shutdown codes.

Re:Oh for fucks sake. Can't you read? (1)

Dodgy G33za (1669772) | about 7 months ago | (#46130379)

I wonder how the world would react to a global internet shutdown.

It would cause immense economic and probably industrial damage. I wouldn't be surprised if it were treated as an act of war by many countries.

The weapons are on chips, firmware or in the OS! (5, Informative)

RocketRabbit (830691) | about 7 months ago | (#46130147)

The weapons are on chips, firmware or in the OS! Did you not read that catalog that the Snowden fella kindly leaked for us?

Ask Intel about iAMT and vPro. Ask China about Manchurian Microchips. Ask Microsoft about NSAKEY again, because if we didn't believe their lame excuses 10 years ago, we REALLY don't buy them today.

Sure, the NSA probably has a large virus arsenal too, but when you can issue a National Security Letter to MS or Apple or Google or Mozilla, or simply activate one of our many programmer agents in place (such as in the IETF or at MS or Google) and just put the exploits wherever you like, viruses start seeming pretty silly. Heck, even our geopolitical adversaries are using US-made cyber-weapons - ahem, I mean operating systems and applications.

Re:The weapons are on chips, firmware or in the OS (2)

deconfliction (3458895) | about 7 months ago | (#46130303)

Re:The weapons are on chips, firmware or in the OS (2)

RocketRabbit (830691) | about 7 months ago | (#46130431)

I received the Slashdot Death Penalty for making fun of Roblimo's video Slashvertisements a while back, and even if my comments get tons of positive karma they will eventually be god-modded down. Read at -1, people, that's where we Slashdot political prisoners are.

Re:The weapons are on chips, firmware or in the OS (1)

deconfliction (3458895) | about 7 months ago | (#46130747)

I received the Slashdot Death Penalty for ...

Well, I'm guessing it was more for things like-

Stallman is an ethnic Jew and I think we all know that sometimes Jewish folks are given to exaggeration and hyperbole. [slashdot.org]

But still, that's weird because I've made (arguably non credible) death threats against Hillary Clinton and jcr, and somehow I now have 2 accounts with excellent karma. I'd suggest watching, and abandoning your racial stereotyping and focus on the legitimate issue of the ultimate opposite of separation of church and state going on with Israel.

Still, of the last dozen or so comments of yours I read, your mods do seem pretty consistently unreasonable (compared to mine).

Sadly we do live in a day and age where various political un-topics do exist-

- criticizing Israel on the separation of church and state
- criticizing China on the Tiananmen Square Mass^H^H^H Incident of 1989
- criticizing the NSA and the tech oligarchs on the laughable insecurity of closed source OS-accessible reflashable without write-enable jumper firmware

etc....

Thank God for the Snowden Revelations. (and yes, the 'god' was a perhaps freudian typo for 'got', but you knew that and deftly jumped on it in an information warfare [slashdot.org] way anyway. Good Job!

Re:The weapons are on chips, firmware or in the OS (1)

fermion (181285) | about 7 months ago | (#46131525)

To Wit [schneier.com] Many weapons, though a common person cannot understand how they work, at least understand how they can be used and effective.

Re:The weapons are on chips, firmware or in the OS (1)

complete loony (663508) | about 7 months ago | (#46133191)

Most of that catalog listed firmware and bootloader hacks to patch an OS in memory. Most firmware is horribly buggy and rarely updated. Getting your payload into windows / android / iOS directly runs the very great risk of being noticed.

Re:The weapons are on chips, firmware or in the OS (1)

RocketRabbit (830691) | about 6 months ago | (#46135541)

No, you just send some guys over with a National Security Letter and force Google / MS / Apple to put your backdoor into your OS or firmware. Who would notice?

Re:The weapons are on chips, firmware or in the OS (1)

complete loony (663508) | about 6 months ago | (#46135899)

And how many times has malware started to take advantage of bugs that Microsoft just patched?

There are people who examine every change to find the backdoors that have been closed so they can attack them on unpatched machines. Do you think they'd ignore a backdoor that was just opened?

Use a weapon? (0)

Anonymous Coward | about 7 months ago | (#46130149)

Why would you use a weapon, when that only means mechanisms will be put into place to prevent it. That's the problem with cyberwar, you only get so many shots with them.

And you damn well would prefer not to get caught anyway.

Yes (0)

Anonymous Coward | about 7 months ago | (#46130153)

Yes it's called a programming language

Here's where they are. (4, Informative)

Animats (122034) | about 7 months ago | (#46130161)

Where are the cyber weapons? Already deployed and awaiting activation. Undocumented errata in major CPUs which allow bypassing memory protection. Preset keys in network cards allowing remote administration. Undocumented admin passwords in network firmware. Code signing certs in the hands of intelligence agencies. That's where.

Yes, they're called Jews (-1)

Anonymous Coward | about 7 months ago | (#46130189)

And they don't even need to hide.

It's stored for later use... (0)

Anonymous Coward | about 7 months ago | (#46130203)

Virtual weapons need victims and a goal to be obtained. It will be used when required, just as with all collected information.

Cyberwar is real - just not how the media portrays (0)

Anonymous Coward | about 7 months ago | (#46130227)

The real 'cyberwar' is the governments' and corporations' (RIAA, etc.) war against the free & open internet. I fear they may have nearly won by now as well, as people continue to embrace iTunes, Google, and their ilk, and tolerate censorship & spying on email and other electronic communications.

We had one chance, people. We'll never get back what we've already lost.

The internet: no place for critical infrastructure (1)

DTentilhao (3484023) | about 7 months ago | (#46130309)

"What is Critical? To what degree is critical defined as a matter of principle, and to what degree is it defined operationally? I am distinguishing what we say from what we do.

Mainstream media love to turn a spotlight on anything they can label “hypocrisy,” the Merriam-Webster Unabridged Dictionary meaning of which is:

'[T]he act or practice of pretending to be what one is not or to have principles or beliefs that one does not have, especially the false assumption of an appearance of virtue.'

The debate topic I propose here can therefore be restated as calling out, “Hypocrisy!” on the claim that the Internet is a critical infrastructure either directly or by transitive closure with the applications that run on or over it" Dan Geer [www.uta.fi] June 2013 ...

Microwave audio...? (0)

Anonymous Coward | about 7 months ago | (#46130333)

Sending microwave audio into someone's brain can't be used as a cyber weapon? Targeting a schizophrenic with said technology to get them to do your bidding doesn't make them a weapon?

First Cyber-Weapon? (2)

kenwd0elq (985465) | about 7 months ago | (#46130349)

Wouldn't the Morris Worm qualify as the first "cyber weapon"? Granted it was crude and uncontrollable, but I'd bet that the same could have been made for the Mark 1 Mod 0 Blunderbuss 500 years ago.

And I think that the power of a cyber-weapon would lie primarily in secrecy, like land mines; you don't know you're under attack until you've already taken considerable damage.

Re:First Cyber-Weapon? (0)

Anonymous Coward | about 7 months ago | (#46132123)

No. It wasn't designed or intended as a "weapon" against the systems.

Cybernetics? (1)

HalAtWork (926717) | about 7 months ago | (#46130383)

In a cyber war, where are all the cybernetics? What even makes it "cyber"?

Re:Cybernetics? (0)

Anonymous Coward | about 7 months ago | (#46131897)

I... I don't know! I guess nobody else here does either...

There have been others since Stuxnet (4, Informative)

seibai (1805884) | about 7 months ago | (#46130411)

Stuxnet was in 2010. Since then we have at the very least:
  1. Duqu in 2011 [wikipedia.org]
  2. Finfisher in 2011 [wikipedia.org]
  3. Flame in 2012 [wikipedia.org]

All of those were used by governments. One was used for industrial sabotage; the other two to spy on people who were then assassinated. Are these not "cyber-weapons"? What makes them different from Stuxnet but the degree of press they received?

Single points, no mass deployment (0)

Anonymous Coward | about 7 months ago | (#46130419)

I am very certain the weapons are there, the sophisticated ones are just used on single point targets and are custom-adjusted by humans.

The flashy mass deployment is rare and usually ineffective. You do not want to be known and only use it as last resort (stuxnet). I am very certain that all kinds of hackers and advanced cyber weapons are used regularly. We do not hear about it because the targets do not want to disclose they got hit or often do not even know they got hit. No matter if it is industrial espionage or stuff governments do, it happens in the shadows.

Same as usual (1)

Tablizer (95088) | about 7 months ago | (#46130421)

I'd tell you, but then I'd have to kill you.

Where else? (2)

Chris Mattern (191822) | about 7 months ago | (#46130485)

In the hands of the Cybermen, [wikipedia.org] of course.

They Are So Effective (0)

Anonymous Coward | about 7 months ago | (#46130491)

we'll never know they were used.

There is no such thing as "cyber war" (1)

vikingpower (768921) | about 7 months ago | (#46130517)

Nor are there any such things as "cyber weapons". Whatever an ever-hype-producing press may want to sell to us. Whatever successive US governments, spending money they don't have, may want us to fear. The things simply don't exist.

Re:There is no such thing as "cyber war" (1)

TapeCutter (624760) | about 7 months ago | (#46133155)

Knowledge is the most powerful weapon in any contest. Read up on Alan Turing and the enigma machine and how it sank the U-boat fleet and was later used to set up the naval ambush at Midway island. But most of this spook stuff that's been going on since the end of WW2 is about the "five eyes" gathering and sharing industrial espionage from supposedly friendly democratic nations such as Germany and Indonesia.

Self weaponizing infrastructure. (3, Interesting)

ka9dgx (72702) | about 7 months ago | (#46130563)

If we started building bunkers out of blocks of TNT, someone would rapidly figure out it was a bad idea.... but not so when it's abstracted several layers deep.

In conventional munitions, it's necessary to deliver an explosive to a target. Thanks to the Unix security model, with its lack of any notion of multi-level security, we've created an entire infrastructure that's ready to self-destruct at a moment's notice. The military went on to actually procure and use multi-level security in a number of cases, while the idea is perceived as impossible, or unnecessary in the civilian space.

All of our Linux, Mac OS, and Windows machines share the same brain dead security model. When you run code, you have to trust it not to be a virtual grenade, each and every time.

The existence of billions of computers which blindly run code without actual security protecting the operating system (as a multi-level secure system does) is astoundingly stupid, and yet 99.9% of the "tech" community is just fine with this state of affairs.

The infrastructure IS the weapon, it's your job to change that over the next 20 years.... get crackin'

Re:Self weaponizing infrastructure. (0)

Anonymous Coward | about 7 months ago | (#46130965)

"The existence of billions of computers which blindly run code without actual security protecting the operating system (as a multi-level secure system does) is astoundingly stupid, and yet 99.9% of the "tech" community is just fine with this state of affairs."

It never was, the real reason security wasn't implemented was profit. Everything was sacrificed on the altar, in a capitalist society doing the best job you can comes a lot further down than maximizing profit and getting products to market ASAP.

Let's not forget the laws of nature here, the bad security could simply be explained by entropy - it takes a lot more resources and energy and then you get into 'tech cold wars' where everyone is one upping one another because people are constantly hacking at your security. It's an endless game you can't truly win unless you got near bottomless resources.

Re:Self weaponizing infrastructure. (1)

davydagger (2566757) | about 7 months ago | (#46131465)

That's why the government wrote SELinux, which is a completely different approach to permissions than Drwxrwxrwt

and yes, there are other permission schemes in various UNIX implementations to include Linux, besides traditional POSIX two byte permissions.

Re:Self weaponizing infrastructure. (1)

ka9dgx (72702) | about 7 months ago | (#46131999)

Access control lists are not adequate security, no matter how careful you are. You need the Bell-LaPadula or something like it that implements mandatory access controls to actually secure a system.

SELinux is an attempt to push a little bit towards a secure system, but it's not the real deal.
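The contrast drawn in this sub-thread between discretionary permissions (ACLs, rwx bits) and Bell-LaPadula mandatory access control, as an added example that is not part of any poster's comment. It is a toy model with linear levels only (no categories); the users, objects and the `run_trojan` helper are hypothetical names, and the data is constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2


@dataclass
class Obj:
    name: str
    level: Level
    acl: dict          # user -> set of "r"/"w", managed at the owner's discretion
    data: str = ""


@dataclass
class Subject:
    user: str
    clearance: Level


def dac_allows(subj, obj, mode):
    """Discretionary check: only the owner-managed ACL is consulted."""
    return mode in obj.acl.get(subj.user, set())


def blp_allows(subj, obj, mode):
    """Bell-LaPadula layered on top of the ACL.
    read : subject level must dominate object level (no read up)
    write: object level must dominate subject level (no write down)"""
    if not dac_allows(subj, obj, mode):
        return False
    if mode == "r":
        return subj.clearance >= obj.level
    if mode == "w":
        return subj.clearance <= obj.level
    return False


def run_trojan(subj, src, dst, allows):
    """Untrusted code running with the user's authority copies src to dst.
    Returns True if the copy (the leak) went through."""
    if not allows(subj, src, "r") or not allows(subj, dst, "w"):
        return False
    dst.data = src.data
    return True


def demo():
    alice = Subject("alice", Level.SECRET)
    mallory = Subject("mallory", Level.UNCLASSIFIED)
    results = {}
    for name, policy in (("dac", dac_allows), ("blp", blp_allows)):
        plans = Obj("plans", Level.SECRET, {"alice": {"r", "w"}}, "constructed secret")
        drop = Obj("drop", Level.UNCLASSIFIED,
                   {"alice": {"r", "w"}, "mallory": {"r"}})
        leaked = run_trojan(alice, plans, drop, policy)
        exposed = policy(mallory, drop, "r") and drop.data == plans.data
        results[name] = (leaked, exposed)   # (copy succeeded, mallory can read it)
    return results


if __name__ == "__main__":
    print(demo())
```

Under the ACL-only policy every individual access is legitimate, yet the data ends up readable by the lower-cleared user; the mandatory write-down rule is what stops the copy, regardless of what the ACL on the destination says.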

Re:Self weaponizing infrastructure. (0)

Anonymous Coward | about 7 months ago | (#46133061)

SELinux doesn't stop the trigger from being pulled, it only pretends to be a bit more precise when choosing who gets to do it.

You might as well say you use a firewall as an UPS to convey precisely the same lack of understanding.

Re:Self weaponizing infrastructure. (1)

Tom (822) | about 7 months ago | (#46132967)

The infrastructure IS the weapon, it's your job to change that over the next 20 years.... get crackin'

We've already tried changing it for the past 20 years. The problem is that IT is largely commercial, and in the commercial world, "good enough" is enough. If it's not threatening the bottom line, then it's ok. And that's not limited to IT security. Physical security at most corporate headquarters is pathetic and only detracts non-determined break-ins. It's trivial to get hired into a position with access to even sensitive areas (say, in the cleaning crew) with no background checks. And I could say something about how finances are really handled in the corporate world, but unless you already know, you wouldn't believe me.

It's not IT security. That is just part of the bigger whole. Our entire economy is a house of cards, and since the economy has come to dominate our society (politicians have long ceased to have visions, much less actually change things, they're purely reactive), that leaks into everything.

Re:Self weaponizing infrastructure. (1)

TapeCutter (624760) | about 7 months ago | (#46133193)

Security at my home tonight is lax, it's 11pm, both doors are wide open and there's a nice breeze coming through after a hot Aussie day, most of the day tourists have left the nearby beach. Security is just another word for distrust, and I generally trust my countrymen not to sneak in while I'm napping on the couch. Re sig below: more security may save your life, but more trust may make it worth something.

Re:Self weaponizing infrastructure. (1)

Tom (822) | about 7 months ago | (#46133523)

As with most things, the proper balance and context matter.

When you're in the countryside or suburbs, leaving your door unlocked is probably cool. When you live in the center of a large city, less so.

In times of NSA... (1)

Parker Lewis (999165) | about 7 months ago | (#46130591)

... they don't need a cyber weapon, as they can use the law to enforce any American company responsible for the major OS players to give them everything they need.

To kill a centrifuge (1)

Maj Variola (2934803) | about 7 months ago | (#46130629)

You just need to understand critical speeds, resonances, and that you shouldn't suddenly change the speed of the rotors. But in _To kill a centrifuge_ Langner describes some games with pressures as well. Adding random valve openings and closings in a refinery, gas plant, sewage plant, etc. will look like intermittent failures and just as hard to 'debug'. Eventually you'll hit a particularly nasty set. Errant monkeys playing with your PLCs. But it must be a slow day at Tech Review..

See shiny interface? ... (0)

Anonymous Coward | about 7 months ago | (#46130815)

See that shiny new interface of Windoze-8, Mac monitor-X or Anne Droid... the new cyberweapons are designed to not look like weapons.

cold cyber war - 100,000 attacks from China daily (3, Interesting)

raymorris (2726007) | about 7 months ago | (#46130871)

I'd guesstimate on average, we log about 50-100 attack attempts from Chinese IPs per server per day. Our sample size is only several thousand customer servers, but that's enough to get a rough idea of what's happening on the internet generally.

There IS cyber war going on, much like the Cold War. It's not on the news every day, but it's happening just as much as Reagan was trying to defeat the USSR. The weapons aren't that advanced most of the time simply because they don't need to be - the targets very cooperatively run PHP scripts written by kids with NO security training whatsoever. When your admin interface is open to brute force and SQL injection attacks, advanced weapons aren't needed. The secretary of state and chairman of the senate defense committee have the same unpatched Linksys router at home as any random person. How many high level bureaucrats have VoIP at home? VoIP "protected" by Netgear's firewall?

Re:cold cyber war - 100,000 attacks from China dai (0)

Anonymous Coward | about 7 months ago | (#46132955)

Are most of those IP addresses originating from China or are these attacks just being routed through China?

why go through double firewalls unnecessarily (2)

raymorris (2726007) | about 7 months ago | (#46134169)

All available evidence suggests that the vast majority originate in China. That makes sense - it would be silly to go through the great firewall, twice, and slow yourself down by going around the world and back, when you could just as easily use a US zombie.

Great Firewall of china (1)

Infestedkudzu (2557914) | about 7 months ago | (#46130873)

China could probably DDoS attack all of the USA that counts.

Where are they? (3, Interesting)

PPH (736903) | about 7 months ago | (#46131063)

Sitting in some cyber arsenal, awaiting use. The problem with cyber attacks is that once discovered, they can be defended against. So from a tactical point of view, they are best kept in reserve until the case for their use is overwhelming.

As a part of Operation Orchard [wikipedia.org], it is theorized that Israel may have disabled Syrian air defense via back doors in their IT systems. If so, the existence of such back doors was revealed by a post mortem analysis and the holes in the systems plugged. So that would be a case of a one time use. It had better be worthwhile (and arguably, it was).

The cyber weapons in the hands of criminal organizations are best used in a very low key manner, so as not to attract attention and patches. Criminals are probably continuing to bleed some credit cards for $9.85 here and there, hoping to stay under the radar for as long as possible.

The best cyber weapons... (0)

Anonymous Coward | about 7 months ago | (#46131457)

...are the ones you never hear about. Because the moment you hear about them, someone has countered it.

Overloading unprepared equipment isn't difficult. (1)

couchslug (175151) | about 7 months ago | (#46131567)

"Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country's uranium enrichment operation."

Mechanic with machinist training here. That's no big deal. Overloading a system by running it as hard as the drive motors allow will often break it as many machines aren't built with protective mechanical safeties such as simple wasp-waist shear points on driveshafts, shear pins, or mechanical governors.

It's easier to control machinery electrically and when a targeted operator doesn't expect malicious control operation they aren't likely to have designed with it in mind.

Re:Overloading unprepared equipment isn't difficul (1)

deconfliction (3458895) | about 7 months ago | (#46132559)

Overloading a system by running it as hard as ...

Not that I'm accusing Lennart Poettering of cyberwarfare, but a highly relevant anecdote is that when pulseaudio was first thrust upon me in fedora, I and many(?) others discovered that it was only software that was preventing our PC's audio out from being overdriven to the point of health and property risk. I discovered this as my volume, due to bug, instantaneously jumped to 400% as I had my sony earbuds in listening to music. The result was excruciating ear pain for the duration of time (about half a second) it took my body to react and rip the earbuds out of my ears. I wonder (not enough to experiment) what would have happened if my speakers had been connected. It would have certainly taken me more than half a second to cause things to stop, and I'm guessing permanent damage to my speakers may have occurred.

Of course, I'm not sure how expensive it would have been for sony to have put a safety in the earbuds. Still, quite the educational experience that was precisely illustrative of what you described, but in a more personal non-industrial sort of way.

Not the only one. (1)

jcr (53032) | about 7 months ago | (#46132691)

Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed.

What about this? [wikipedia.org]

-jcr

botnets (0)

Anonymous Coward | about 7 months ago | (#46132983)

They have existed for years.

systemd is the weapon (0)

Anonymous Coward | about 7 months ago | (#46133311)

Developed and shipped by a close partner of US Department of Defense and NSA.

The greatest cyberweapons are... (0)

Anonymous Coward | about 7 months ago | (#46133601)

Internet Explorer and Windows. These Swiss cheese programs are the greatest threat for computer security known to lifekind. And most of the ducks in duckland have no idea you have to run Windows Update every month, but even then zero-exploits are oh so common. I find it hard to believe this is an accident, and then all evidence suggests people are really that stupid.

Re:The greatest cyberweapons are... (1)

kmoser (1469707) | about 6 months ago | (#46135675)

They are the sleeper cells of cyber warfare.

cyber-physical damage (1)

mnt (1796310) | about 7 months ago | (#46134127)

hm. let's translate that to a form that may make more sense: computer-physical damage. nope, still makes no sense.

Where are the cyberweapons? (1)

easyTree (1042254) | about 6 months ago | (#46135855)

Iraq?

Social Media / News are weapons going at each othe (0)

Anonymous Coward | about 7 months ago | (#46137597)

Sure, we can talk about things like the ION cannon, and what-not but let's be real. Government controls the news, but Social media corrects the news and the government says "oh no! they caught us!" and then they realize that social media can either be used for propaganda (so they passed a bill to allow disinfo agents to exist about 2 years ago) or to spy on its users so they can keep tabs on who they want (NSA) and prosecute/execute them without warrant (NDAA). The real war is the people of the world against the Chinese and American governments but really it's mainly against the American government. The weapons are social media outlets, p2p, proxies, vpn, and anything else on the CIA's blacklist of "you might be a terrorist if...". Sure, there exists TOR and the darknet but it has virtually almost no negative impact on real people other than give the government a reason to monitor us and to expand into that sector. Remember, we were told that terrorists were a problem after 9/11 and Bush signed into bill the most expensive military budget in history of the world. The cold war did something similar and now this.

The weapons are... (0)

Anonymous Coward | about 7 months ago | (#46138931)

in my mom's basement.

An age of cyber (0)

Anonymous Coward | about 7 months ago | (#46150671)

In an age of cyber-sex where are the cybermen?
