Germany Readying Offensive Cyberwarfare Unit, Parliament Told
concertina226 writes to note that it's not just the U.S. that's increasingly open about using malware as an offensive tool of state security: From the TechWorld story: "According to German reports, the Bonn-based Computer Network Operations (CNO) unit had existed since 2006 but was only now being readied for deployment under the control of the country's military. 'The initial capacity to operate in hostile networks has been achieved,' a German press agency reported the brief document as saying. The unit had already conducted closed lab simulations of cyber-attacks."
"Unlike physical attacks," concertina226 writes, "cyber-weapons can't be isolated from their surroundings with the same degree of certainty. If, as a growing body of evidence suggests, the U.S. Government sanctioned the use of cyber-malware such as Stuxnet, are the authorities also held responsible should such campaigns hit unintended victims?"
so we must prepare now (Score:3, Funny)
for a bitskrieg?
Re: (Score:1)
Re: (Score:2)
There was no mention of specific projects, but Israel has been talking about such activities also.
http://www.iba.org.il/world/?lang=en&entity=847869&type=1 [iba.org.il]
Re: (Score:2)
This is a great pun, and it's a word I predict will be used much more often.
Re: (Score:2)
My packet sniffer has no nose.
Anyone with servers in Austria, France.... (Score:1)
Denmark, Norway, Poland, the Benelux states, etc., should consider moving them elsewhere.
It's our own damned fault (Score:2)
Instead of fixing this situation (our broken computer security model) we've been blaming Vendors, Users, Programmers, government. None of this is going to fix it.
When you can confuse a root process and get root, nothing is safe. Windows, Mac, Linux, all are vulnerable to this.
It doesn't have to be this way.
Re: (Score:2)
Re: (Score:2)
Then what is your alternative?
The return of Sneakernet.
Re: (Score:1)
I think this is valid, especially for large networks. Does the computer of a secretary in Alabama need the capability to access payroll data in New York City? Break the links in the network, so each computer can connect to reasonable resources but not extensive. This contains any rampant issues.
Similarly, payroll transmits data monthly to banks. Does the sensitive payroll data need 24x7 online access?
Re: (Score:2)
It's not the scale of the networks that is the real problem. It's the need to trust code that is the big issue. If a program can be tripped up, or in any way manipulated to do something, it becomes the basis of a system breach. If the scope of what can be done by a process is by default limited to a very select set of actions, you eliminate this basis of attack.
If the person in Alabama needs access to the payroll, that's fine. But why does she need write access to the system folder? Why does that same proc
Re: (Score:1)
Did you read the Apple iOS security design document? It talks a lot about "chain of trust" from boot-up through application use. This sounds like what you're talking about. As Stephen Hawking would say, "it's turtles, all the way down!"
Re: (Score:2)
Chain of trust doesn't do jack sh*t for the security as far as users are concerned. It's all about DRM.
If the user doesn't have a way to tell the OS exactly what side-effects they are willing to tolerate from a program they want to run, then how is the OS supposed to know?
Linux, Windows, Mac all don't even have a way to express this intent, let alone code to enforce it.
Re: (Score:1)
Please don't use bad language. It makes the internet much coarser, not to mention the person who says it and the person who reads it.
OOPS (Score:2)
It turns out that you should care about the "chain of trust", and "trusted computing base" type terms, but not if they are used to back DRM.
When you do want to pay attention is when the developers of Genode talk about them in their development of a microkernel-based (pick 1 of the 8 they offer) operating system which uses capability-based security, and yet can run Linux inside of itself.
Genode is cool stuff...
Re: (Score:1)
The return of Sneakernet.
Sneakernet didn't protect Iran against Stuxnet.
Re:It's our own damned fault (Score:5, Interesting)
Instead of running processes with all the rights of the given user account, use Capability Based Security. This means that for a given process, at run-time (not beforehand like AppArmor), you tell the OS which files and access type a process will need. This doesn't fix everything, but it does let you isolate security decisions and eliminate the side effects of running any code (trusted, untrusted, or downright evil) to the capabilities you chose to give it. This means that even if you confuse a process, you can't get more capabilities than it was given. Privilege escalation goes away, which is a major attack vector, along with stack injection, buffer overflows, etc. (Of course it does require a secure kernel, which you have to trust).
It's my firm belief that capability based security will eventually be what we all use... but due to the need to make people aware of the concept (which is several layers of abstraction away from what we usually deal with) and the cost of revamping everything... we're still 15 years out.
Re: (Score:3)
We already have that with AppArmor and SELinux. The problem is that common attack vectors such as web browsers already need access to all files on the machine; how can you upload that Lolcat picture to Facebook if your web browser is restricted to only accessing specific files on your system? How can you prevent a malware addon installing by blocking writes to the addon install directory if the web browser supports automatic installation of addons?
So it's an improvement, but still leaves big holes.
Re: (Score:1)
web browsers already need access to all files on the machine
1. Applications don't get access to user files, unless
2. The user has explicitly opened the file in the application using a secure OS file open dialog, in which case
3. The OS passes a list of file names and read-only handles (or file descriptors or whatever) to the application.
I don't know if AppArmor or SELinux do this, but that's how you do it right.
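The file-dialog handoff described in the comment above, and the run-time grants of the earlier capability-based security comment, sketched as an added example (not code from the thread or from any project it mentions): a trusted broker process stands in for the OS file dialog and passes one read-only descriptor to an application process over a Unix socket. The function names and the sample file are made up for the illustration; it assumes a Unix system with Python 3.9+, and the application is not otherwise confined here, which a real system would also have to enforce.

```python
import os
import socket
import tempfile

def broker_grant(sock, path):
    """Trusted side (stands in for the OS file dialog): open the file the
    user picked read-only and send only its base name and descriptor."""
    fd = os.open(path, os.O_RDONLY)
    try:
        socket.send_fds(sock, [os.path.basename(path).encode()], [fd])
    finally:
        os.close(fd)  # the receiver holds its own copy of the descriptor

def app_use_grant(sock):
    """Untrusted side: receives a descriptor, not a full path, and uses it."""
    msg, fds, _flags, _addr = socket.recv_fds(sock, 1024, 1)
    fd = fds[0]
    data = os.read(fd, 4096)          # reading is what was granted
    try:
        os.write(fd, b"tamper")       # writing was never granted
        wrote = True
    except OSError:                   # EBADF: descriptor is O_RDONLY
        wrote = False
    os.close(fd)
    return msg.decode(), data, wrote

def demo():
    broker_end, app_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "lolcat.jpg")   # constructed sample file
        with open(path, "wb") as f:
            f.write(b"constructed sample bytes")
        pid = os.fork()
        if pid == 0:                             # child = the application
            try:
                broker_end.close()
                name, data, wrote = app_use_grant(app_end)
                app_end.sendall(f"{name}|{data.decode()}|{wrote}".encode())
            finally:
                os._exit(0)
        app_end.close()
        broker_grant(broker_end, path)           # parent = the broker
        report = broker_end.recv(4096).decode()  # what the app managed to do
        os.waitpid(pid, 0)
        broker_end.close()
    return report

if __name__ == "__main__":
    print(demo())
```
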
Room for IPv6 (Score:2)
Notice that this was announced shortly after IPv6 was "rolled out". You're right, they're looking for more space, address space!
Re: (Score:1)
No, no, no, you all misunderstand. By "Offensive Cyberwarfare Unit", they just mean the group will be incredibly rude. It's all in intimidation, people!
4chan.de/b/?
Reads like a Cyberpunk novel (Score:2)
Why not? It's cheap. (Score:5, Insightful)
Bombs are expensive. You want to stop enemy production in a war, right? So you blow up the factories, the power plants, etc.
What if, instead of blowing them up, you just shut them all off? It worked with Iran's atomic development and ushered in a new era of warfare. Up until WWI, war was a grand and glorious adventure, swords and arrows, showing the bad guys what for! Then chemical weapons killed so many people all at once, the game wasn't fun anymore, but you could still send your plebeians out to rattle your sabres. Once atomics showed up, we got to the point where war could kill the country's leaders as well as the people sent out to the front lines.
This new era lets anyone, anywhere, pick off any target. You can shut down an Iranian centrifuge. You can dig up dirt on the Prime Minister and give it to the newspaper. Everyone with an Internet connection has the potential to hold a weapon far more dangerous and far more powerful than anything that goes "bang". We can make anyone, anywhere, go "whimper".
That's why we're seeing cyberwarfare units and Internet censorship / monitoring. We can't have people rocking the boat.
Re:Why not? It's cheap. (Score:4, Insightful)
This new era lets anyone, anywhere, pick off any target.
And that right there is the problem.
In the past, when war was purely about bombs and boots on the ground, you could rely on your physical defenses and alliances to protect you from retaliation.
The USA and Germany don't have to worry about Jihadist drones dropping bombs on New York or Dusseldorf,
But they certainly have to worry about malicious hackers with a grudge.
Today, the internet is such a soft target that it's tragic.
The developed world may be starting a war where they can't project numerical or tactical superiority.
LulzSec and Anonymous show that you don't need the resources of the NSA to go after big targets.
http://cryptome.org/2012/06/lulzsec-sneak-preview.htm [cryptome.org]
Re: (Score:2)
But cheap upsets the status quo. Conventional war is (and always was) expensive. And that means you can predict the outcome based on GDP. Not so with cyber war. Almost anyone can play and wealth serves to provide more targets, not more weapons. So it turns the winner/loser equation on its head.
And what cyber war doesn't do, which makes it feared, is to directly produce body count. Body count is what makes war morally abhorrent. The cold war never turned 'hot' because all of the major players found the out
Re: (Score:2)
Then chemical weapons killed so many people all at once, the game wasn't fun anymore, but you could still send your plebeians out to rattle your sabres.
Unfortunately for your thesis, it wasn't chemical weapons that made things "not fun" (they were too uncertain to be reliable weapons) but rather more prosaic things like machine gun nests and artillery.
Re: (Score:2)
World war 2 computers were not a big thing. Calculations were done largely mechanically in the field and the internet did not exist, yet there were nukes. Cyberwarfare is bullshit and the lie relies upon unprepared and insecure enemy with computers connected to the internet. The reality of course is a free for attacks people, corporations and the internet backbone itself. Anything but a purely defensive stature is insane. Any bugs or security failures that are found and then not disclosed to be corrected i
unintended victims (Score:1)
You mean collateral damage? Non issue. This is WAR!
'capacity to operate in hostile networks' (Score:3, Funny)
Re: (Score:2)
"'The initial capacity to operate in hostile networks has been achieved,'" Took them 6 years to notice their ethernet cable wasnt plugged in?
No, they were downloading a copy of Windows XP when the jerk stopped seeding at 99%.
The perfect weapon (Score:2)
Ingrates.
Love them Jackboots. (Score:1)
you know, the uniform, the lowslung stun ray holster, the mindless tedium
Finally - now I can really be an internet warrior (Score:1)