Forgot your password?
typodupeerror
Government Security The Military United States IT Your Rights Online

DoD Networks Completely Compromised, Experts Say 164

Posted by timothy
from the but-are-they-iso-9000-compliant-is-the-question dept.
AZA43 writes "A group of U.S. federal cybersecurity experts recently said the Defense Department's network is totally compromised by foreign spies. The experts suggest the agency simply accept that its networks are compromised and will probably remain that way, then come up with a way to protect data on infected machines and networks."
This discussion has been archived. No new comments can be posted.

DoD Networks Completely Compromised, Experts Say

Comments Filter:
  • by FudRucker (866063) on Thursday March 22, 2012 @03:06PM (#39444287)
    to spread misinformation to those foreign spys that only think they compromised DoD computers (naw too good to be true) the US Gov is too stupid to do anything like that
    • by cparker15 (779546) on Thursday March 22, 2012 @03:18PM (#39444431) Homepage Journal

      The entire DoD network is one massive honeypot. All the real data is sent by carrier pigeon.

      • by AioKits (1235070) on Thursday March 22, 2012 @03:37PM (#39444623)

        The entire DoD network is one massive honeypot. All the real data is sent by carrier pigeon.

        Damnit man! Why did you let them know?! Now I gotta figure out how to armor the pigeons so they're not shot out of the skies... How tiny do they make bullet proof vests? Maybe I could use a swallow instead. Does anyone here know the air speed velocity of... Never mind, I'll figure something out.

        • by Peristaltic (650487) * on Thursday March 22, 2012 @04:15PM (#39445059)

          What the DoD will do is hire a contractor to armor the pigeons, who will then design armor that puts the pigeons over max gross weight, so they'll add wing extensions, but since pigeon wing muscles can't flap the modified wings as fast, they'll replace their little pigeon wings with fixed composite wings and pigeon-scale turbine engines.

          Unfortunately the turbine engine exhaust burns pigeon tail feathers, so they'll replace these with composites also. The Air Force will see an opportunity at this point to add hard-points to the composite wings, so the wing area and turbines will be made larger, increasing cruising speed and altitude, requiring life-support for the pigeons.

          Cost: about $500,000 / pigeon for the Block 20 model, assuming the contractor will be allowed to sell Block 10 Pigeon Communication and Reconnaissance (PCR) units to our allies in Saudi Arabia. Test flights slated for 2020.

          • by NIN1385 (760712) on Thursday March 22, 2012 @04:48PM (#39445409)
            You left out the part where another contractor designs another version of said pigeons and undercuts this contractor with an inferior product because they had the lowest bid and then the people that awarded the bid to the cheaper contractor are left wondering why the cheaper pigeons are falling from the skies and killing innocent citizens.
            • Re: (Score:1, Funny)

              by Peristaltic (650487) *

              ...then the people that awarded the bid to the cheaper contractor are left wondering why the cheaper pigeons are falling from the skies and killing innocent citizens.

              Maybe quietly to themselves, while DoD media relations at Fox informs their viewers: "...if they were innocent, they wouldn't be dead now, would they."

            • You left out the part where...

              What I left out was that before accepting their order, the Saudis, adhering to Wahhabi doctrine, demand assurances that none of the PRC weapon system pigeons are female, even demanding the program be renamed before they make the purchase.

              Boeing doubles the price and hopes to sell at least 1000 units of the Pigeon Reconnaissance Intelligence and Communication System each year to the Kingdom.

              • Re: (Score:3, Funny)

                by jamiesan (715069)
                They will also create Pigeon Reconnaissace Intelligence Construction Kit Systems for our allies, but they will be smaller versions than the ones the US uses.
          • by AdamWill (604569)

            This post is all the proof anyone should need that Slashdot comment scores should go up to 6.

        • This [af.mil] little guy might have benefited from some body armor.

          • This [af.mil] little guy might have benefited from some body armor.

            Looks like he didn't need it. He lived another 17 years after completing his mission. Incredible story; I hadn't heard it before. Thanks for the link.

        • by genner (694963)

          The entire DoD network is one massive honeypot. All the real data is sent by carrier pigeon.

          Damnit man! Why did you let them know?! Now I gotta figure out how to armor the pigeons so they're not shot out of the skies... How tiny do they make bullet proof vests? Maybe I could use a swallow instead. Does anyone here know the air speed velocity of... Never mind, I'll figure something out.

          Will you figure something out in Africa or Europe?

      • by Bigby (659157)

        With an RSA public encryption key around his neck

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        I just hope that they're RFC 2549 [ietf.org] compliant, with (hopefully) an encryption layer along with that.

      • by Anonymous Coward

        Might not be far from the truth...

        The question is, is this the unclassified worker-drone finance-weenie network, or are they claiming SIPRNET compromise?

        SIPRNET is audited out the wazoo, and many facilities only have 1-2 machines even connected to SIPRNET.

        Airgapped networks + sneakernetting CDs/DVDs is the norm. Inter-facility transfer is often done by double-wrapped overnight postal service mailings. (If something goes missing, it'll get reported.)

        • Re: (Score:3, Informative)

          by SCPRedMage (838040)

          Speaking as someone who used to administrate an Air Force base's SIPRNet systems, I don't believe for a second that they're talking about anything other than NIPRNet (which is the military's way of referring to their unclassified, Internet-connected base networks).

          I find it HIGHLY suspect that classified networks are compromised, simply because of what would be required to do so. The SIPRNet has NO Internet connectivity at all; you simply cannot send packets between the two, at all, in either direction.

      • by frisket (149522)
        All your pigeon are belong to us
      • by bryan1945 (301828)

        RFC 1149 to the rescue! Though they really should be using RFC 2549.

    • by erroneus (253617) on Thursday March 22, 2012 @03:26PM (#39444513) Homepage

      There is no shortage of "stupid" at the DoD. As every security expert knows, the weakest link is the user. And it doesn't matter how high or low ranking that user may be... if fact it kind of helps if they are "full of themselves" because they tend to demand that restrictions are relaxed so they can have access more easily. There is LOTS and lots of stupid out there.

      And nothing helps more than the fact that running Windows as the standard has. Why? Isn't it obvious? We know from the headlines that every government has been demanding the source code and decryption keys for just about everything. Microsoft, I expect, has been no different when faced with such requirements... we certainly know that's true in the case of RIM. And the source code is now always enough or even completely helpful, but it definitely helps that governments are willing to hire black-hats to find the billions of holes available in the platform EVERYONE USES.

      Sure, Microsoft profits lots... they are what everyone uses... including and especially the weakest links.

      • by FudRucker (866063) on Thursday March 22, 2012 @03:42PM (#39444663)
        and dont forget the windows users that insist on logging in and running as admin/root for a regular user account because they dont want to be inconvenienced with having to type in a password for anything

        my own brother runs his PC like that and i explain to him the concept of a multi-user system that has root and user accounts and he just stares off in to space with that deer in the headlights look on his face
        • by erroneus (253617)

          ...my own boss insists that his staff be made administrators on servers... I have always disagreed with that. He says it's for accountability and I can kind of see it, but make it a separate unique account, not my normal user account.

        • I can't stand the deer staring at headlights look. Are we really that stupid or do we just not give a sh#$?
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Actually it isn't just to make access easier. We do it to make working feasible. Im sure you've heard of problems like mine and gloss over it at work and online, Mr Important Security Expert.
        Because of stigs, on our dod network I couldn't run the installer for the software we were developing. I also didn't have the development tools I needed. It took over 6 months to get a approval for new tools. Some tools, like virtual pc, would not be allowed. I usually just gave up on my wishes for tools just like the p

        • by erroneus (253617) on Friday March 23, 2012 @04:07AM (#39448727) Homepage

          Consider working with something other than Windows. (I know, not always an option depending on who you are working for.) And as for Japanese companies... you don't, by chance, mean the Japanese defense contractor which was breached just like Lockheed and the others do you?

          I completely believe and understand your point of view. It's completely valid. It's one of the many reasons why the MS Windows platform is simply bad for security. It's not only Microsoft's fault, but also the fault of crappy developers who do not respect security models... even the bad ones Microsoft has put forward.

          To be frank, there's really no way to get out of the hole that is MS Windows without doing some drastic, ugly and unpopular things. 1. Microsoft needs to significantly change their next OS breaking compatibility with the previous versions. 2. Microsoft needs to review and somehow disallow software which does not meet security principles. The result of this type of move could be disasterous for Microsoft for many reasons, though. It could mean a huge backlash from developers. It could mean a huge rejection by users since they wouldn't be able to get access to applications.

          Security is a PITA. No question about it. But when security is built into the OS, it helps a lot. Windows as we know it today, evolved from DOS. I know, I know, there's little if any DOS in Windows today, but its evolutionary genetics still show today.

          And in some ways, it can't be helped that administrator/root is needed to install applications. I wouldn't have it any other way, actually. But requiring administrator/root to USE tools which do not affect the OS is quite a problem. And that problem comes from a wide range of bad practices by both Microsoft and developers for Microsoft's Windows platform. With the exception of OS manipulating/managing tools, I have yet to see this problem in Linux. In fact, I see the OPPOSITE occur when programs actively discourage and even DENY the ability to run as the 'root' user. That's a huge diference in programming/development culture.

          And before anyone calls me a fanboy or a troll or whatever, I use Linux primarily... it's true. I also use and support Windows and I have to admit I have been warming up to Windows 7 quite nicely. I don't *HATE* Windows as much as you might think. In the end, I hold that I don't actually CARE what I run so long as it works. And your point, once again, is quite valid in that in "MS Windows reality" usability and security are, in practice, diametrically opposing needs. I'm here to say it doesn't HAVE to be, but to make a change is painful if not impossible.

    • by g0bshiTe (596213) on Thursday March 22, 2012 @03:41PM (#39444649)
      I'd hate to think the DOD would be dumb enough to keep sensitive data on a network that was internet accessible.
      • by Beardo the Bearded (321478) on Thursday March 22, 2012 @04:07PM (#39444975)

        They don't.

        I work with a lot of military documents. I've got some in the other windows right now. 99.9% of military documents are not important, security-wise. Sure, you can find out what kind of cable is used to plug in that receptacle. It's not important. It's not Classified. Nobody gives a shit.

        The Classified stuff, should I ever even look at any of it, is really quite a different type of animal. Here's how I'd handle it:
        1. Make sure it had to be me since they're a PITA.
        2. Our document control folks would burn a copy and FedEx to me.
        3. It would be sent to the Secure Room once it arrives.
        4. When I went to work on it, I'd get a supervisor, sign in to the secure room, and pull out the removable HDD from the vault.
        5. Check the Secure Machine for oddities, like anything in the USB ports or the sudden appearance of an Ethernet port. Seriously, there isn't even a phone jack in the room.
        6. Boot the Secure Machine. Yes, it is Win XP. While it's booting, draw the blinds and close the door.
        7. Work on the Classified document.
        8. Once I'm done, I can burn a disk to send back and have it printed by the document control group. Then I power down, put the HDD in the vault, and then sign out.

        Seriously, the important stuff is airgapped. The really important stuff is airgapped and guarded by people with weapons.

        • by jamstar7 (694492)

          99.9% of military documents are not important, security-wise.

          Doesn't stop them from classifying said documents, even something as no-brainer as the menu down at the mess hall for the 'Lower 4's' and who's tending bar at the O-Club. Especially if it's the bartender schedule at the O-Club.

          Granted, it won't be classified much, but once you get in the habit...

          • by Sarten-X (1102295)

            something as no-brainer as the menu down at the mess hall for the 'Lower 4's' and who's tending bar at the O-Club. Especially if it's the bartender schedule at the O-Club.

            Of all the examples to pick, these make perfect examples of good things to keep secret (at least for a short while)

            The meal being served at a particular time can be strategically important, if your goal is to disable a certain group of "Lower 4's" at a later particular time. The timed poisons from spy movies aren't entirely fiction, and could be used to affect a crucial mission, just by contaminating a particular food shipment. Rather like using a shotgun to drill a pilot hole, but it's a risk the military

        • I've worked with secure documents before too, and can verify this, especially the PITA part. However, I haven't had to send docs before.. are the fedex guys that handle the copy cleared as well? Also, I know transporting the docs yourself can be quite an ordeal, because you're not supposed to let them out of your sight, even through security.
    • Re: (Score:3, Interesting)

      by elgeeko.com (2472782)
      Honeypot was my first thought too. You could keep the enemy scrambling to build the mind control ray gun we developed back in the 80s using technology we stole from the cities on the far side of the moon. Knowing someone is hacking your system can be a lot of fun.
      • Oblig. (Score:2, Funny)

        by Anonymous Coward

        But when did the Soviets begin this type of research?

        Well, sir, It looks like they found out about our attempt to telepathically communicate with
        one of our nuclear subs. The Nautilus, while it was under the Polar cap.

        What attempt?

        There was no attempt. It seems the story was a French hoax. But the Russians think the story about the story being a French hoax is just a story, sir.
        So, they've started psi research because they thought we were doing psi research,

        When in fact we weren't doing psi research?

        Yes, sir

    • by MtViewGuy (197597)

      You mean a "honeypot" operation? No wonder why intelligence agencies still think the best form of intelligence are still "feet on the ground," airplanes/RPV's that can do electronic intelligence/signals intelligence (ELINT/SIGINT), or spy satellites.

  • by Anonymous Coward

    Seriously?

    I mean....

    This is hardly surprising. I worked for a formerly existing mortgage servicing company that outsourced its servicing, and as part of the Soldiers and Sailors Relief Act during the Gulf War II, they wanted us to send military deployment orders offshore so they could be serviced for the benefits. Maybe they found it easier just to hack in and get it from the source and bypass the middle man.

  • by synapse7 (1075571) on Thursday March 22, 2012 @03:08PM (#39444317)
    “DoD is capability-limited in cyber, both defensively and offensively,”

    Anyways, are we talking a bunch of old NT boxes plugged right into the internets, I mean the cyber.
    • by HBI (604924)

      The best part is that what they are really saying there is that they lack the skilled personnel to compete with other nations. The reason they lack said personnel is that no one who is any good would like to work for the government. It's an unpleasant work environment in a lot of ways, especially in light of current budget expectations for DoD and certain mandated cuts.

      • by rrohbeck (944847)

        I have a feeling that China nourishes its hackers and pays them well.

        • by Lucractius (649116) <Lucractius@gma[ ]com ['il.' in gap]> on Thursday March 22, 2012 @10:54PM (#39447759) Journal

          I dont know how well the "original" hacker mentality of 'everything is worth poking at' mentality would be tolerated in a state run hack team.
          I cant give much in the way of proof for this but this argument is based on organisational psychology vs personal psychology... but anyway

          China, the USA, Russia... I would imagine that the dog tag & rank 'military' hackers are selected via a process much like test pilots (different criteria obviously)

          If you show aptitude in mathematics, logic, and attention to detail, you get funneled into a program, they hone your skills and teach you computer security theory & practice much like the basics I learned in university courses.
          The goal of a state organisation would be a 'state hacker' who's priorities rank something like 1) the defense of the state, 2) their own life, 3) hacking
          I would not call these "Hackers". They are soldiers with computer security training who follow orders.

          Most true to the name and tradition/ethos hackers will not have this ordering, so 'recruiting' or 'nurturing' "free range"/"wild" hackers doesnt fit well with the goals of any nation.
          The idea that "no your not allowed to try that" doesnt sit well with a dedicated old school type hacker. Because the first place the mind turns is 'Why?'
          They may decide not to do something (eg: hack a SCADA system & shut down a hospital, killing people) but this decision usually comes after they worked out how to do it anyway, just because it was there to be worked out.

  • Best Practice (Score:5, Insightful)

    by jcaldwel (935913) on Thursday March 22, 2012 @03:09PM (#39444329)
    From TFA:

    “We’ve got the wrong model here. I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume that the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway."

    Its nice to see the DoD finally catching up with basic best software practices.

  • cut the wire (Score:5, Insightful)

    by the_Bionic_lemming (446569) on Thursday March 22, 2012 @03:10PM (#39444339)

    Why does the network have to be accessible remotely? It should be isolated and need a meat sack to get the information from the system and relay it to the party that needs the information. Same thing with public utilities and such - why is it wired so that someone remote can tap a few buttons and remotely access controls for water plants?

    • Re:cut the wire (Score:5, Informative)

      by tomhath (637240) on Thursday March 22, 2012 @03:13PM (#39444379)
      That's called an "air gap". And yes, DoD has many systems behind them.
    • Re:cut the wire (Score:5, Informative)

      by HBI (604924) <kparadine@gmail.cTEAom minus caffeine> on Thursday March 22, 2012 @03:14PM (#39444381) Homepage Journal

      There are physically isolated networks.

      They are referring to the NIPRnet which is directly connected to the rest of the internet. NIPR is all about web apps - time trackers and such, and e-mail. The actual secure stuff has an air gap.

      This is mostly hyperbole. These people who are testifying don't know jack shit about technology, and neither do the people who are listening to them.

      • by Verdatum (1257828)
        It feels like hyperbole to the point of pure nonsense. If any network can be shown to be compromised, the hole would be closed. If we don't know about the compromise, then we can't make the claim the networks are "completely compromised". The only decent suggestion at least from the article (too lazy to read original, sue me) is to operate on a network with the assumption that it's already compromised; that's just the concept of Defense in Depth, and it is nothing new.
        • by HBI (604924)

          There is plenty of CND in the DoD's networks. The statement that they are completely compromised is one of those statements you can make without fear of it being falsified, but it's a bunch of bullshit nonetheless.

      • Re:cut the wire (Score:5, Insightful)

        by Whorhay (1319089) on Thursday March 22, 2012 @04:02PM (#39444913)

        From what I've heard that's mostly true. There are a number of 3 letter agencies that have been known to be so egotistical as to believe they are above the air gap requirements and actually run machines that cross that gap.

        Besides which an air gap is not as full proof as one might think. Just look at what stuxnet managed to do to the Iranians nuclear program. And it would only take a single compromised person on whatever air gapped network to gather the datadumps and send them back to whatever party they work for. Off the top of my head I can think of at least one publisized account of malware being found on an airgapped system that seemingly couldn't be removed.

        Whatever your technical measures and implementations, your security is always limited by the personnel using it. What percentage of people with clearances and access are turnable? It's impossible that it'd be zero, and even at a tenth of a percent it'd mean hundreds or thousands of compromised people and consequentially the networks they have access to.

        All this ignores that classified information is often derivable from other non-classified sources.

        • Re: (Score:2, Interesting)

          by HBI (604924)

          This post above deserves an upmod. Unfortunately, I can not comment further.

        • Re:cut the wire (Score:5, Informative)

          by Anonymous Coward on Thursday March 22, 2012 @06:41PM (#39446337)

          Little anecdotal story from my time in the military (can't speak to the policies of all the 3-letter-agencies) USMC had (has) a very VERY strict policy about crossing the streams.

          There are "normal" computers that access the internet and what not, and other computers which exist on a completely separate self-contained network. And never the two shall meet. At all.

          For the most part, the secure computers were in a completely different building, or at very least in a different room behind lock and key. If someone was important enough to warrant access to the secure networks in their office (usually restricted to O-5 at bare minimum) the ports for the secure side were emblazoned in bright red and stuffed behind lock-boxes, so there was no possible way to confuse the two. Oh, and the office itself had to be secured. Certain quality of lock on the door, no windows, etc.

          Any computers that became part of the secure networks, were part of that network for LIFE. When replacement time came, the secure computers had their HDDs wiped via electromagnets and then holes drilled through the platters.

          Even non-computers had to live by a one-way pathing. If you plugged a monitor into a secure computer, that is now a secure monitor and CANNOT leave the secure area. Fax machines, copy machines, etc etc etc. Anything that interfaced with ANY secure data was locked down.

          Suffice to say, there was no crossing the streams, and no matter how infected or compromised the "normal" networks were... there was practically zero chance of any info getting out of the "air gapped" secure networks.

          • by Whorhay (1319089)
            What you describe is the policy everywhere I've ever worked. Perhaps I overstated when I said "known". That bit came from my conversation with an inspection team once upon a time when I asked about the point of a security check regarding crossing the streams. I pointed out with the seperate networks for each classification levels it should never happen. And in the case of a spillage no one should be wasting time and effort marking up the finding instead of actually rectifying the situation, at which point i
    • by cpu6502 (1960974)

      My thoughts exactly. Or setup a separate ARPA-owned network that no one can access except DOD employees.

      BTW the recent news about an electric utility plant being "hacked" by foreign spies was a false flag. In reality it was one of the workers while he was on vacation, logging-in remotely, but of course we never hear that followup story on the Pro-war FOX, CNN, NBC networks. They'd rather scare everyone into thinking we need to bomb Iran and Russia (and then the defensecorps profit).

    • by cdrguru (88047)

      The utilities answer is an easy one. You take a city like Chandler with lots and lots of wells feeding the water supply and each and every single site is connected to some kind of network. Maybe public, maybe not - it is just not disclosed. But with a lot of different sites not being connected it would lead to a lot more staff cost and probably a lot more travel costs - fuel, vehicles, etc.

      So everything is networked and remotely controllable. Means instead of a staff of ten people they can have just one

    • by mikael (484)

      A lot of projects are cross collaborations between academic researchers , DoD, and corporations. Researchers need access to download/upload data, results, source code and documentation as well as use facilities like wind tunnels, supercomputers and wave machine water tanks.

      Its cheaper to give someone FTP access than to have them fly across the continen every time they want to do a simulation run.

    • by Shavano (2541114)

      The meat sacks are the least secure part of the system.

  • Scary (Score:5, Insightful)

    by gmuslera (3436) * on Thursday March 22, 2012 @03:13PM (#39444375) Homepage Journal
    Surely will convince public opinion that the new measures of surveillance on all internet connections have a good reason and they should give up on privacy forever.
  • The military would like a bunch of script kiddie canned attacks as their 'offensive' capability. They don't want to rely on anyone with a brain in real time. That doesn't work very well in practice.

    They're never going to get what they want.

  • Funny (Score:2, Funny)

    by DaMattster (977781)
    I guess the DoD should finally retire Windows 3.11 for Workgroups, huh? LOL!
    • They'll never do it. Do you have any idea how hard it is to get Windows 7 to work on a token ring?
    • by Greyfox (87712)
      Oh har har har. Do you know how much paperwork that's going to require? To re-write all the specs that specify Windows 3.11 for Workgroups will cost TEN BILLION DOLLARS! So do we re-write all those specs or do we buy the FRONT TIRE of a Joint Strike Fighter! It won't be so funny when a Joint Strike Fighter can't land because it doesn't have a front tire!
  • by Anonymous Coward

    Well it's defense so ultimately what this boils down to is: "here's a file that says they're going to kick our ass". Can they do that? "Yes". Well, at least we infiltrated their network so we know our asses are going to get kicked and we can prepare for that. "No we can't, we'd have to move the entire country and kick somebody elses's ass to do it. What's more is our network is infiltrated too so they'd know we were going to do it and what's worse is we don't have much ass kicking capability". So. W

  • by SCHecklerX (229973) <thecaptain@captaincodo.net> on Thursday March 22, 2012 @03:27PM (#39444519) Homepage

    ... given the general below-mediocre quality of the contractors and government employees that work for the DoD, and the amount of senseless policies for policy's sake claiming to be for 'security' but, uh, no, not really. The people in charge are the worst.

    I just started working for DoD again, and want to punch people in the face all day long.

    • by HBI (604924)

      I SO agree with you. I am getting out after 10 years - at least I keep promising myself that.

      The federal government is home to the most idiotic employees ever.

    • by Anonymous Coward

      Exactly. A Theo De Raddt quote is relevant here, "Do you trust the guys who can't make a secure OS to make a secure sandbox?"

      Only in this case, you're not trusting guys who make the OS, you're trusting DoD contractors.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Hilarious. I'm a fed here in IT (not DOD) and feel the same exact way. There are idiots that are high up and make decisions without knowing the technical consequences. I keep telling myself they will retire and leave soon, but it never happens.

      It's going to be interesting in the next 5 to 10 years as all of the old folks are going to retire, and there's no new blood to take over for them. I don't know how it is at other places, but that's how it is here. And unfortunately, the new blood (me) is getting

  • by Anonymous Coward on Thursday March 22, 2012 @03:48PM (#39444733)

    Reminds me of when I was sent to a DOD site to try to figure out why everyone was scoring 97% on a certain test.

    30 seconds of looking around and I had a pretty good guess:

    (1) The unused tests were printed out in print runs of 10,000 and kept in an alcove in a dusty unused office. Said alcove had a plywood door with 18 inch gaps at top and bottom. Padlocked, but with the hasp mounted backwards, with all the screws exposed.

    (2) There was a 50 page per minute xerox copier in the same room, no access card needed.

    That was a rude introduction to DOD security measures, and the cluelessness of the security folks.

  • by WindBourne (631190) on Thursday March 22, 2012 @03:54PM (#39444797) Journal
    is that they will do political things. As such, they have LOADS of windows. And yes, they are LOADED with spies (and the DOD knew it). However, I differ with the expert. NSA should step in and help DOD upgrade everything to a decent set-up. Secure Unix or Linux (with SEL). NO MORE WINDOWS. In addition, restore the security that we used to have back in the 80's. We have slacked so much that many of the contractors are spies. Hell, I have dealt with a probable Chinese spy that was married to a USAF officer.

    The USS reagan should be refitted with secured systems, or we should simply send it in the middle east and allow Iran to blow it up (better iran than china).

    What amazes me is that EU, Russia, and China are all brighter than so many of the idiots in the DOD and at American companies.
    • > What amazes me...

      Being stupid pays better in the short term.

    • by Whorhay (1319089) on Thursday March 22, 2012 @04:23PM (#39445155)

      While I agree that I'd like to see the DoD move to more secure technical solutions, I don't think it'd solve the security problem. Like you pointed out the system is only as good as the people that are using it. And even with a very small percentage of people willing to spy it'd be almost trivial for a foreign government to buy their way into almost any system.

      Prior to 2001 everything was more compartmentalized, which was good for Information Security's sake. But it proved to be bad for our national safety as the CIA wouldn't pass on information about a potential threat to the FBI for what amounts to dick measuring reasons. In the aftermath of 9/11 the policies swung the other way and we end up with Bradley Manning having access to way more information than he needed for his job.

      A proper solution is a multi faceted problem. We need technical systems that are secure and yet still useable by a barely trained 18 to 50 year old volunteer. We need systems designed to be as secure as possible but still interface with each other and work in a timely manner. We need people that are as immune to corruption and insanity as possible. And the hardest part is probably sticking to fights and engagements that don't force those people to question the morality of the job they are tasked with doing.

  • dump the contractors and sub contractors move it in house so not only do you cut out a lot middle man you also get more control.

    More control is nice so you don't have people who get moved site to site or have to go thought a reapply for the same job you have now paper work.

    Also it lets you say have trading and other stuff with out the staffing agencies say we don't want to pay for that or we don't or cut to go down paying for time off / travel time / costs come out of own margin. This one guy on a contract

  • The experts suggest the agency simply accept that its networks are compromised and will probably remain that way, then come up with a way to protect data on infected machines and networks.

    This is actually one of the smartest things I've heard come out of the DoD relating to information security, in a long while.

    One of the first rules of thumb when developing secure client-server applications is, never trust the client. One must assume that given a high enough incentive, any public facing interface can and will be exploited in one way or another, and there is no way to reliably anticipate all attack vectors.

    It is smart to develop policies and procedures around this assumption.

  • Cyano-Acrylate (Score:5, Interesting)

    by Anonymous Coward on Thursday March 22, 2012 @05:46PM (#39445923)

    We use CA epoxy as a very effective security measure. For any commodity hardware we buy, we fill all of the USB ports with a CA epoxy that prevents access. We also use it to permanently attach mouse and keyboard. Motherboard USB headers are also filled with CA to prevent the casual attachment of devices (although users cannot physically get to their machines, since they are in locked cabinets, with IDS tied to building security. Same goes for unused SATA, PCIe, and other ports. Any plug that isn't used is made unusable.

    PCs are on a network, but users have no physical access to cables, and similarly we use a secure cable type with a current loop and TDR to detect physical tampering. If the current loop is cut, building security knows precisely where the cut is within seconds.

    There is no wireless, and no bluetooth. Employees are not allowed to bring in cell phones, MP3 players, or anything else with any capability of capturing data, and yes, we 100% search at the door with metal detectors and millimeter wave detection like you see at the airport (except we actually know how to use it). We're also in a steel building with no windows and and EMI shielding, just in case.

    We're not on the Internet. We have absolutely no need to connect to it. Even if we did have a spy as an employee, they would have to reproduce anything they did on another machine outside the office in order to transmit it anywhere else. And obviously, there is no means to allow employees to "work from home" in their pajamas in sandals.

    Any new software has to go through a thorough vetting process, and any vendor wanting to sell us software is required to allow us to load the source code and build environment onto our build farm, review and inspect the code for possible attacks, and then compile it ourselves. This is a lot easier to achieve than you might think.

    Finally, we're old school. Everything is compartmentalized. The guy working on the math routines has no idea why he's working on them, or what they will be used for. All he knows is that he's a software engineer in charge of high-level math function development. He doesn't know what the product is or what it does.

    • by OneMadMuppet (1329291) on Friday March 23, 2012 @05:47AM (#39449071) Homepage
      OMG - you work for Apple?
    • by Whorhay (1319089)

      Those efforts sound like a very good setup. But it's still not as secure as you might think. I didn't see anything about rectal exams. They can make very small devices these days containing small enough amounts of metal that smuggling something in still sounds plausible, if uncomfortable. Although given the systematic way in which the hardware is locked down they would likely be limited to recording what a person could see or hear, which is a very good thing.

      All in all it sounds like quite enough to stop ca

  • by decora (1710862) on Thursday March 22, 2012 @05:47PM (#39445933) Journal

    millions-of-dollars research projects, are underway right now. in fact, a guy from the l0pht, named Midge.

    see

    http://en.wikipedia.org/wiki/Cyber_Insider_Threat [wikipedia.org]

    im sure theres no coincidence between 'experts' pushing this and the industry about to 'provide the solution'.

    nevermind that they are basically, built around theories like "maybe a guy changes the time he eats lunch".

    and that 'insider threats' also = whistleblowers.

    • by Shoten (260439)

      I think you mean Mudge. Mudge is the L0pht Heavy Industries alumnus who is at DARPA.

      Also, the reason why 'insider threat' = whistleblowers in this scenario is because technical controls cannot interpret or extrapolate intent. They can't tell the reason why information is being extracted from a secure environment, only that it is. The lack of differentiation is not some nefarious scheme to catch well-meaning whistleblowers along with spies, just a shortcoming of technology. A hammer doesn't know whether

  • by Shoten (260439) on Thursday March 22, 2012 @07:28PM (#39446711)

    "A group of guys whose budgets revolve around coming up with new cybersecurity defenses testified today that they should be given a LOT more money to play with."

  • "It is difficult to know how many of these warnings are hyperbole, since some, but not all of them, were accompanied by pleas for more funding."

You don't have to know how the computer works, just how to work the computer.

Working...