Schneier on Security
A blog covering security and security technology.
February 26, 2007
Windows for Warships
The Type 45 destroyers now being launched will run Windows for Warships: and that's not all. The attack submarine Torbay has been retrofitted with Microsoft-based command systems, and as time goes by the rest of the British submarine fleet will get the same treatment, including the Vanguard class (V class). The V boats carry the UK's nuclear weapons and are armed with Trident ICBMs, tipped with multiple H-bomb warheads.
And here's a related story about a software bug in the F-22 Raptor stealth fighter. It seems that the computer systems had problems flying West across the International Date Line. No word as to what operating system the computers were running.
EDITED TO ADD (2/27): Here's a related article from 1998, involving Windows NT and the USS Yorktown.
Posted on February 26, 2007 at 3:07 PM
• 72 Comments
I just want to be a fly on the wall for the first technical support call.
Q:"We have a launch-in-progress indication on missile tube 7. How do we shut it down?"
A:"Have you tried closing all your running applications and rebooting?"
The call will probably go downhill from there...
The Register item mentions that the operating system being used by the RN is Dimdows 2000. Why are they using something that old? NASA, for instance, has a long tradition of using old technology, but that's because human lives are at stake, and they want to be sure the stuff has been around long enough so most of the bugs have already been found. But that doesn't apply to the military, which is perfectly willing to suffer a certain percentage of losses to its own side ("friendly fire" and the like) in pursuit of its goals.
I was quite surprised when I saw this. I mean, it seems like a perfect fit for SE Linux with a stripped down kernel. Permissions can (and should) be heavily restricted and difficult to change. As the article mentions, set-up and administration complexity is a non-issue...
Lawrence, You should know better than to think 'old' software is bad. In this game, old means predictable.
Do you want to play a game ?
"The Register" on "Windows for Warships":
They point out that it isn't a major problem for the ICBM subs, as the computers are isolated and the weapons require much human intervention to launch.
The missile-defense destroyers, however, have defense weapons which have to be capable of destroying an incoming missile within 30 seconds of detecting it. These weapons are much more dependent on their computers, and the computers are much more networked.
"Do you want to play a game ?"
How about Global Thermonuclear War?
Good job they aren't using Vista.
"Deploy countermeasures. Cancel or Allow?"
"The Register item mentions that the operating system being used by the RN is Dimdows 2000. Why are they using something that old?"
Because development started back in 2002. Here is an interesting article that gives some of the history from someone who worked at BEA at the time.
they made a movie, I think.
ah! Operation Petticoat...
Does anyone remember USS Yorktown ?
Google: "Sunk by Windows NT"
Windows on a submarine?
I would have thought a Penguin would be much more appropriate...
Weren't there all sorts of problems with the F-16 as well when it first came on the scene? Things like flipping inverted when crossing the equator, allowing release of bombs while inverted, raising landing gear while on the runway...
Will Windows for Warships (WFW) shut down like Vista does when it can't contact the Microsoft server to validate the license information?
maybe, you get this msg:
"Sorry, Microsoft(R) Windows for Warships(C) has not been able to validate your license key. All generators, missile bays, and navigation equipment will be shut down until your genuine license can be confirmed. Please contact the Microsoft(R) License Advocacy Hotline(TM) to re-activate your license."
Navy afloat has a 7-year tech refresh; that's how long a hull goes between refits, and the IT is only changed out at refit.
I saw a History Channel program on the US stealth bomber. A US Air Force commander explained that they were on the "bleeding edge" of technology because the flight crew could send/receive "Microsoft email [sic]".
This makes me sick on so many levels (security, software engineering, terminology, common sense).
I sure hope the F-22 incident is just a rumor. I've been trying, and I can't think of any good reason for any important part of the nav systems to know or care what the local time zone might be. I can just barely see a good reason for them to have a real time clock since they're using GPS. Otherwise, plain old dead simple uptime should be able to do pretty much whatever they need to do.
Some questions that need to be asked:
Will the navy buy enough copies, or run pirate versions?
If the ship sinks, can you re-install on another one? What about if you change the armaments?
Will sailors be able to take home the install CD and upgrade their personal boats?
Will the "devil's own key" work, or will we need "Neptune's own key"
Will the second Wednesday of each month be a really good time to launch an attack against the UK?
and of course....
"Hi there! It looks like you're trying to knock down an incoming missile. Would you like me to ..."[NO CARRIER]
I would like to think that when they say they are using Win2k, they really mean a highly customised version with as much of the MS protocols and useless fluff ripped out. Even so, no matter how hard they try to make it safe the fact is that neither Windows (or Linux) was originally designed for real time safety critical work. The only OS I know of that was properly designed for this sort of thing is QNX.
Speaking as a UK citizen, I am a little saddened to read this on Bruce's blog; it should be on the BBC news and we should have some angry members of parliament asking awkward questions.
Great post Bruce but you're depressing me.
"Sir, we can't start launch sequence, we just get the dreaded blue screen of death"
"Why is the paper clip suggesting new targets for me?"
"Every time I start solitaire, a launch countdown starts, why?"
Maybe the best safety feature would be you have to have a winning streak of at least 69 games of spider solitaire before activating any weapon systems :D
Windows on a submarine, eh. Now, it explains why Microsoft does not go for an open source software - "Open Windows on a submarine" would sound like an anecdote.
In what possible sense are F-22 software problems "related" to the UK Navy deploying windows?
I mean, unless you were consciously trying to confuse people and associate Windows with problems that aren't even vaguely related to it.
Oh, and the year 2000 called - it wants its blue-screen jokes back.
I have served in the German Navy for a couple of years as an officer aboard a frigate (year of construction: 1977), working in the combat information centre. Old equipment is standard and it gets replaced when it's absolutely necessary AND when budget limits allow replacements. Very often, old equipment from other units is being used as replacement if it's newer than the already in place equipment. The weapon systems I have been working with weren't driven by Windows as the computer equipment was too archaic for running Windows. The targeting systems aboard fast patrol boats (they carry the Exocet MM38 missile which sunk a British frigate in the Falkland war) even run software from tapes! As far as I know the boats are still in service like that.
What I want to point out: old doesn't necessarily mean bad. If it works within the specification and there are no undocumented errors, bugs or the like then you don't replace it if it can do the job. It can do the job when the threat scenario doesn't throw something at you that decreases your chances of survival in an armed conflict. And believe me, there hasn't been much process in the deployment of new and better weapon systems that would make an arms race necessary.
Concerning the use of Windows on naval vessels: during my time of active duty I haven't seen any use of Windows for weapon control systems, communication systems or navigation systems. Workstations that were used to handle administrative stuff were equipped with Windows NT at the time, I guess because the system was officially certified somehow (and others weren't) and at the time alternative platforms were not available with the same properties.
I don't really see any benefit for Microsoft to benefit from this market anyway as it isn't a high volume market, there's not much money to make from license fees by volume. Germany currently has between 8 and 12 capital ships deployed, depending how you define "capital". The time of service these ships have to fulfill is way beyond 20 years on average. Will Microsoft offer support for a system all this time? I doubt it. So even if a specific version of Windows is used it will have to be replaced at some time, even if this may be a newer version of Windows. Individual licenses will be much much more expensive than any license volume program an ordinary company will have at Microsoft and Microsoft will have to show source code, especially to foreign buyers as they won't trust a US company with their defence stuff. These premises given, any Open Source system can compete at the same terms and quality will become the lever as support and source code access are essential for these kinds of projects.
The Swedish military has already decided to ditch Windows by the way and go for GNU/Linux.
If I was still aboard a frigate doing active duty and I had to operate a weapon, communication or navigation system based on Windows I'd certainly be worried about overall security. Especially after having listened to the Metasploit talk at FOSDEM in Brussels this weekend...
One report on the F-22 Raptor stated it wasn't a time of day problem...
"The problem seems to have arisen not from the time change, but from the change in longitude from W179.99 degrees to E180 which occurs on the International Date Line."
Perhaps the navigational system showed the planes suddenly increased speed to 7,926 miles per second, which caused an overflow.
Ah, thanks--that makes more sense. It'd be a surprising bug to let through QA for a military application, but I could at least understand why someone might have designed the software that way.
Windows on a battleship? Why does this remind me of the Poseidon Adventure...
There was definitely some sort of SW problem requiring return to base and a multi-day delay for update. The details of the failure aren't mentioned, but I believe this to be a slightly more reliable source than a Slashdot post: http://www.af.mil/news/story.asp?id=123041553
Does anyone have a credible source linking the problem with crossing the IDL?
"YOU SUNK MY..."
...meh. Nevermind. The joke's too easy.
I would think that Microsoft would know better than to run Windows on the warships that would protect Redmond, WA.
Running Windows -- even the highly fault tolerant Windows NT 4.0 for life safety applications -- is begging to be hacked.
A friend of mine used to be IT on a US Navy warship. He quit and became a civilian techrep somewhere in Central Asia. He claims it's much safer to be shot at by muj than live on a ship whose propulsion is controlled by a Windows box . . .
For some time, Dave Brown has been using the sig quote (hey, does anyone here remember sig quotes?) "[W]ith the Smart Ship's reputation so far, they will have to build a bloody big trebuchet for the damn thing to be useful as a weapon." Attributed to Derry Hamilton.
Another instance of the Ministry Of Defense's inability to go shopping without burning up a few billion for something that doesn't work.
They may have chosen windows based software to even things up for the navy, after all the army is currently fighting a desert war with guns that don't work in hot dusty conditions, the air force is flying planes older than the pilots (with an airborne radar system based on a chip developed to run traffic lights).
Nobody ever gets fired at the MoD, incompetence seems to be the surest route to promotion.
A few observations
1: Advanced navigation systems needs to know the time. It’s used to calculate such minor things as tides.
2: I have been working at a ship in the Swedish navy, which used windows based navigation systems for a while. These systems were kept isolated and thought to be secure. That was until a technician came to update the maps and infected the computer with several viruses. It was not popular when this computer had a blue screen of death when we were doing complicated maneuvers. The system was later replaced, as it was not reliable enough.
3: Naval systems tend to go the KISS path. We have physical overrides for most of the electrical systems. Computers, especially modern computers with general purpose OS, are just one more thing that can break. One of the reasons old computers are used is that they tend to be more reliable in an environment that is damp, salty, warm, cold and has lots of vibration.
4: In general, windows (or Linux) don’t make much sense in a naval environment. Most of the systems are embedded and have specific tasks to solve. There are good and reliable real time OS that can be used. You don’t need to be able to play Doom 3 on your radar.
The civilian navy is a completely different thing. There they try to minimize the crews as much as possible and using windows based systems (“as everybody knows windows”) makes sense for the monitoring and control software.
I am sure fighter pilots are trained to navigate by their standard instruments if the computer nav breaks...?
> I am sure fighter pilots are trained to navigate by their standard instruments if the computer nav breaks...?
The problem is that there are no "standard instruments" any more so you'd better get your software right. The same goes for the flight controls.
Windows for Warships : giving a new meaning to the phrase "blue screen of death".
By the way, when are they releasing the "Windows for Swiftboats" version ?
Someone mentioned product key validation, but they forgot to do the gag that with Windows Genuine Advantage (or "Windows' Genuine Advantage", or "Windows So-Called "Advantage""), if you add a new deck gun to your warship, Windows will think it has been re-installed on a different ship, and shut down.
That is all.
I don't want to be around when the first virus hits...
Will Microsoft be held liable for damage caused by missiles mistakenly launched by their system, or will the Royal Navy be required to sign an EULA?
What amount of code will the NSA be allowed to inject into the operating system?
While at the Army (year 1990), I once saw a coastal artillery battery. It was controlled by an ANALOG computer! Try to EMP that!
> I am sure fighter pilots are trained to navigate by their standard instruments if the computer nav breaks...?
> The problem is that there are no "standard instruments" any more so you'd better get your software right. The same goes for the flight controls.
The real problem is that all modern fighters are fly-by-wire with computers doing the fine control of the flight surfaces. They are "dynamically unstable" and cannot be controlled directly by a pilot.
The best one I've heard:
Aren't they called "Portals" on ships?
Hehe...as they say, the Geeks shall inherit the Earth...
Call me naive, but does it bother anybody else that Microsoft is suddenly a Defense Contractor? Okay, okay, they've probably been a defense contractor forever and I just wasn't aware of it. I'm used to thinking of Microsoft as an 800 lb. technobusiness gorilla, but a business entity.
But ruining^H^H^H^H^Hnning U.S. industry isn't enough for Microsoft: now the Microsoft monopoly also controls our military? I'm sorry, but this is giving me a military-industrial complex!
So... are we selling Microsoft-enabled military equipment to other nations? Will our troops go into battle against an enemy that has decompiled their operating software and developed lethal DOS attacks? And does anyone care that Bill Gates potentially owns and runs EVERYTHING, including armies?
This just doesn't seem very wise.
This isn't all that new - the US Navy runs Windows on the control systems for some of their warships - imagine my surprise at seeing a bunch of consoles with the NT 4.0 logo when I was on a tour! I spoke with one of the chiefs there, who told me the systems are NEVER connected to the Internet.
It also makes sense, as if I recall MSFT licensed NT 4.0 source code to third parties to allow them to build in support for specialized hardware - which may explain why 4.0 is still popular among the Process Control Network crowd...
Windows tends to be used for displays rather than actual control of critical systems.
Unless someone -really- botched the contract ...
That was a shocker. I thought the Navy was sticking with an open architecture computing environment. I guess you never know.
Quoting from a report by the Committee on Armed Services of the U.S. House of Representatives, dated May 14, 2004...
The Aegis combat system engineering program includes the development of upgrades for cruiser and destroyer Aegis combat systems and the integration of new equipment and systems to keep pace with the threat and capture advances in technology. The committee notes that experiences aboard Aegis-equipped ships and shore sites have shown that the use of currently available commercial- off-the-shelf equipment requires periodic refreshment and additional development effort as new technologies become available and computer operating systems, device drivers, and interfaces are updated.
To overcome these problems, the Navy is developing an open architecture computing environment for Aegis-equipped cruisers and destroyers as a part of the Navy's overall open architecture program. The goal of the program is to evolve combat systems into a "system of systems" that resides on a common computing environment which will be less complex, more easily upgraded, and have lower total ownership costs.
Quote is at http://linuxdevices.com/news/NS4667725014.html
"IBM and Raytheon announced today the Navy will begin deploying one of its most extensive uses of IBM technology to accelerate the development of weapon systems and help reduce the number of crew members needed to sail the next generation of Navy Destroyers.
Addressing the Navy's need for a cost effective open architecture computing infrastructure, IBM and Raytheon are significantly reducing the complexity of the ship's computing environment and maintenance costs as compared to other ship classes, while providing the processing capabilities to address current and future threats.
In addition, IBM and Raytheon are deploying the most advanced computing environment and standards-based infrastructure software so the systems can perform at never before seen processing rates with high levels of reliability.
Under the contract, IBM will provide BladeCenter servers and WebSphere software technology running on custom Real-Time Linux."
(Submitted by Kathleen Keating of IBM)
Quoted from http://linuxpr.com/releases/9422.html
IBM and Raytheon are significantly reducing the complexity of the ship's computing environment and maintenance costs as compared to other ship classes. In other words not using Windows, which just keeps growing in complexity and cost. Simple is best just so it works.
Here's the site. I don't know if there is a Microsoft Navy site.
This is an Official U.S. Navy Web Site for NSWCDD, Dahlgren Laboratory, Dahlgren Va.
Approved for Public Release; Distribution is Unlimited.
Last Modified: Mar 2005
I'm in a similar field: To our consternation, vendors are going with Windows based on their ability to hire folks fresh out of college (or wherever) for development and support. It's not like we have dozens of vendors from which to choose, and they are all basing their products on Windows.
@Albatross: "Call me naive, but does it bother anybody else that Microsoft is suddenly a Defense Contractor? Okay, okay, they've probably been a defense contractor forever and I just wasn't aware of it."
Don't you remember all the noise about NT's "POSIX Layer", many years ago? That (now-deprecated) mis-functionality was specifically put there so Windows could (with assistance from a lawsuit) meet the defense-department requirements for "open" operating systems.
"That makes as much sense as a submarine with a screen door".
I'm sure the YouTube community is waiting anxiously for the first video showing some kid driving a British warship around the harbor from his laptop.
wow, some REALLY smart naval people chose Microsoft for nuclear submarines, and you all know better...
"""wow, some REALLY smart naval people chose Microsoft for nuclear submarines, and you all know better..."""
Some really smart naval people used to think the world was flat.
Some other guy thought he knew better...
if you haven't read Vernor Vinge's _Deepness in the Sky_, please do.
Consider the plans to control the spider's world with "low quality business software"...
"I for one, welcome our new insect overlords.."
Will the U.K. be pwned by Russia? No.
Will the U.K. be pwned by Iran? No.
Will the U.K. be pwned by a computer glitch? Yes.
"Error! Microsoft(R) Windows for Warships(R) cannot find your cash reserves. Please insert quarters in the next 30 seconds, or the autolaunch sequence will begin..."
I dare them not to pay. =;o)
...And before anyone gets all serious about this and says I'm a moron, put your sense of humor in check. It's *hyperbole*, folks!
"I'm sure the YouTube community is waiting anxiously for the first video showing some kid driving a British warship around the harbor from his laptop."
..and them taking forever and a day to track him down, because he's made the detectives' lives hard with something like a botnet, or Tor..
I for one would encourage the military clowns to install the most flaky insecure crappy software imaginable.
This way they'll get to kill fewer people for no reason whatsoever in the remote lands.
"please keep all windows closed on submarines!"
When it is all said and done, it will come down to reliability. Unfortunately much of that is determined by complexity.
Reduce complexity and reliability goes up.
The lock-in motive is better fulfilled with interdependencies. Translation: complexity. Sure, it makes sense WfW would be a stripped down version, but keep in mind why today's software takes so long to release. Complexity. Don't need all that functionality? Remove it. Good Luck. Don't remove and you have more opportunities for failure. Remove incorrectly and you have more opportunities for failure. Rock and a hard place? (For the same reason it is hard for Microsoft to bolt in all those "features", it is equally hard for you to be sure you remove all the right hooks, and *only* the right hooks.)
So why not start with a good foundation?
And don't get me started with the argument "That's what the kids know". That line of reasoning is............
Consider the plans to control the spider's world with "low quality business software"...
I sort of did that this morning. The spider, it appears, does not care about standardization. It makes it up as it goes along. It's a good deal for humans, since it traps and kills the other bugs. It does all this with no toxic chemicals. The Iraqi army clowns dumped 168 million gallons of oil into the Persian Gulf following the first defeat. They didn't clean it up. The U.S. Army and Navy engineers dealt with the mess.
What the guy said about real-time OSs. It's not like they'll be using this for anything more scary than managing the canteen accounts.
Interestingly, though, the British Army disagrees with the Navy: the office suite installed on the BOWMAN comms system is OpenOffice 2.0.
USAirways servers quit working. "No word as to what operating system the computers were running."
A PR flack said,
"The team has been working 18 months to prepare for this,"
I believe they were running proprietary server software. I could be wrong.
The site says, "US Airways' web servers also use web beacon and other technologies to better understand what promotions are of interest to you. These technologies may be used on a number of pages on the website and allow us to tailor the content that we present to you online and in e-mails. Web beacons usually work in conjunction with cookies."
First I've heard of web beacon. Interesting stuff.
What are Web Beacons (also known as Web Bugs) and Clear GIFs?
Why are Web Bugs invisible on a page?
To hide the fact that monitoring is taking place.
They are automating the system and people can't even verify who is supposed to be on what aircraft, so everything shuts down. The airlines should just install ATM's, which never go down. At least then they could give you a refund so you could catch a working jet.
Best discussion of "Windows for Warships":
The press likes a good story, and most people probably couldn't even tell you what an operating system is. Think of the fun when someone points out that Windows 2K runs on the Airbus 380. ("No wonder it's so buggy!" Um, no, that's not why.)
None of the wiring worked in the A380!
"It's shaping up to be one of the costliest blunders in the history of commercial aerospace. Airbus' parent, European Aeronautic Defence & Space, expects to take a $6.1 billion profit hit over the next four years."
"The root cause of the problem is that the 3D digital mockup, which facilitates the design of the electrical harnesses' installation, was implemented late and that the people working on it were in their learning curve."
Some learning curve. Engineers are being replaced with programmers.
The F-16 was similarly plagued at first. "Can you raise wheels at zero alt and zero speed?" Yes. But you have to replace the gear bay doors. "Can you drop bombs in the inverted flight position?" Yes. But it dents the wings.
Both were eventually fixed; or ignored.
Some years back AW&ST ran a piece with puffs quotes from Airbus on how they were thinking about putting a Windows computer in the cockpit instrument panel...with chicklet keys and a trackball.
After I hoisted my jaw back, I wrote a letter to the editor, which they published, in which I pointed out that:
1) Trying to do anything with such a computer while descending through cumulonimbus was ludicrous...you'd need a Fisher-Price interface with 2" square keys to even hit a key, much less the right one...and a trackball? LOLROTF
2) Only the French could imagine that they could violate Murphy's Law like that.
3) They may say they were only going to use it for non-critical apps, but.......
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.