Entries Tagged "military"

Page 13 of 16

Sex Toy Security Risk

This sounds like bullshit to me:

Small, egg-shaped and promising ‘divine’ vibrations, a UK sex toy has been deemed a threat to Cyprus’s national security. According to the company Ann Summers, the Love Bug 2 has been banned because the Cypriot military is concerned its electronic waves would disrupt the army’s radio frequencies. Operated by a remote control with a range of six metres, it is described by Ann Summers as ‘deceptively powerful’. The company said: “The Love Bug 2 is available in Cyprus but we have had to put a warning out urging Cypriots not to use it.”

Posted on May 11, 2007 at 12:19 PMView Comments

Low-Tech Air Force Grounds High-Tech Air Force

Good story:

SRI Lanka’s powerful air force has been grounded by single-engined, propeller-driven aircraft adapted by Tamil Tiger guerillas to carry bombs under their wings.
The “Flying Tigers”—the tiny air wing of the brutal LTTE insurgents fighting for a separate Tamil state—are proving more than a match for Sri Lanka’s well-equipped air force.

After a second night raid on the capital, Colombo, it is clear to South Asian military analysts that the world’s only guerilla movement with an air-strike capacity has been able to attack virtually unchallenged by the conventional air force.

Flying hundreds of kilometres from secret jungle airstrips, the Flying Tigers, in what are believed to be adapted Zlin Z-142 aircraft of Czech design, have been untroubled other than by ground fire as they have successively raided the country’s biggest military base, next to the international airport, and oil and gas installations on the fringes of the city.

After each attack, they have returned to their bases, outwitting the Sri Lankan air force, which has a fleet of more than 100 aircraft.

Even sophisticated radar and air defence systems have done little more than warn of impending attacks and allow time for anti-aircraft batteries to open fire into the night sky, aiming at targets they cannot see.

The air force’s Israeli Kfirs, Russian Mig-27s and Y-8 bombers have remained grounded, along with its force of MI-17 and MI-24 helicopter gunships.

Posted on May 9, 2007 at 6:09 AMView Comments

U.S. Government Contractor Injects Malicious Software into Critical Military Computers

This is just a frightening story. Basically, a contractor with a top secret security clearance was able to inject malicious code and sabotage computers used to track Navy submarines.

Yeah, it was annoying to find and fix the problem, but hang on. How is it possible for a single disgruntled idiot to damage a multi-billion-dollar weapons system? Why aren’t there any security systems in place to prevent this? I’ll bet anything that there was absolutely no control or review over who put what code in where. I’ll bet that if this guy had been just a little bit cleverer, he could have done a whole lot more damage without ever getting caught.

One of the ways to deal with the problem of trusted individuals is by making sure they’re trustworthy. The clearance process is supposed to handle that. But given the enormous damage that a single person can do here, it makes a lot of sense to add a second security mechanism: limiting the degree to which each individual must be trusted. A decent system of code reviews, or change auditing, would go a long way to reduce the risk of this sort of thing.

I’ll also bet you anything that Microsoft has more security around its critical code than the U.S. military does.

Posted on April 13, 2007 at 12:33 PMView Comments

Cyber-Attack

Last month Marine General James Cartwright told the House Armed Services Committee that the best cyber defense is a good offense.

As reported in Federal Computer Week, Cartwright said: “History teaches us that a purely defensive posture poses significant risks,” and that if “we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests.”

The general isn’t alone. In 2003, the entertainment industry tried to get a law passed giving them the right to attack any computer suspected of distributing copyrighted material. And there probably isn’t a sys-admin in the world who doesn’t want to strike back at computers that are blindly and repeatedly attacking their networks.

Of course, the general is correct. But his reasoning illustrates perfectly why peacetime and wartime are different, and why generals don’t make good police chiefs.

A cyber-security policy that condones both active deterrence and retaliation—without any judicial determination of wrongdoing—is attractive, but it’s wrongheaded, not least because it ignores the line between war, where those involved are permitted to determine when counterattack is required, and crime, where only impartial third parties (judges and juries) can impose punishment.

In warfare, the notion of counterattack is extremely powerful. Going after the enemy—its positions, its supply lines, its factories, its infrastructure—is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty.

Both vigilante counterattacks, and pre-emptive attacks, fly in the face of these rights. They punish people before who haven’t been found guilty. It’s the same whether it’s an angry lynch mob stringing up a suspect, the MPAA disabling the computer of someone it believes made an illegal copy of a movie, or a corporate security officer launching a denial-of-service attack against someone he believes is targeting his company over the net.

In all of these cases, the attacker could be wrong. This has been true for lynch mobs, and on the internet it’s even harder to know who’s attacking you. Just because my computer looks like the source of an attack doesn’t mean that it is. And even if it is, it might be a zombie controlled by yet another computer; I might be a victim, too. The goal of a government’s legal system is justice; the goal of a vigilante is expediency.

I understand the frustrations of General Cartwright, just as I do the frustrations of the entertainment industry, and the world’s sys-admins. Justice in cyberspace can be difficult. It can be hard to figure out who is attacking you, and it can take a long time to make them stop. It can be even harder to prove anything in court. The international nature of many attacks exacerbates the problems; more and more cybercriminals are jurisdiction shopping: attacking from countries with ineffective computer crime laws, easily bribable police forces and no extradition treaties.

Revenge is appealingly straightforward, and treating the whole thing as a military problem is easier than working within the legal system.

But that doesn’t make it right. In 1789, the Declaration of the Rights of Man and of the Citizen declared: “No person shall be accused, arrested, or imprisoned except in the cases and according to the forms prescribed by law. Any one soliciting, transmitting, executing, or causing to be executed any arbitrary order shall be punished.”

I’m glad General Cartwright thinks about offensive cyberwar; it’s how generals are supposed to think. I even agree with Richard Clarke’s threat of military-style reaction in the event of a cyber-attack by a foreign country or a terrorist organization. But short of an act of war, we’re far safer with a legal system that respects our rights.

This essay originally appeared in Wired.

Posted on April 5, 2007 at 7:35 AMView Comments

Interview with Sandia Whistleblower

Interesting interview with Shawn Carpenter, the Sandia National Labs whistleblower who just won a $4.3 million lawsuit for wrongful termination.

What prompted you to conduct that independent investigation into the Sandia intrusion in the first place? As a network intrusion detection analyst, I regularly used similar “back-hacking” techniques in the past to recover stolen Sandia password files and retrieve evidence to assist in system and network compromise investigations.

We were able to better defend our networks as a direct result of the intelligence we gained. I authored in-depth analyses of these intrusions that were sent for reporting and educational purposes to the Department of Energy’s (DOE) Computer Incident Advisory Capability (CIAC), investigators at the DOE Inspector General (IG), Sandia Counterintelligence, DOE Cyber Counterintelligence, Sandia IT management and my entire department. Even to a novice, it was obvious after reading the analyses how intelligence was gleaned on the adversaries.

For example, phrases substantially similar to this were used in my reports: “I used their credentials to access the systems in Brazil and China, identify their hacking tool caches, and [pulling] down all of their tools, e-mails and other information to aid in their identification.” Numerous exhibits of these activities were presented at trial for the jurors. In a meeting with them after the verdict was rendered, even the less cyber-savvy folks understood what the e-mails represented.

What were you hoping to achieve through this investigation? My objective started out with a purpose similar to the other investigations I engaged in while at Sandia. The difference in this instance was that the rabbit hole went much deeper than I imagined.

In late May of 2004, one of my investigations turned up a large cache of stolen sensitive documents hidden on a server in South Korea. In addition to U.S. military information, there were hundreds of pages of detailed schematics and project information marked “Lockheed Martin Proprietary Information ­ Export Controlled” that were associated with the Mars Reconnaissance Orbiter. Ironically, Sandia Corp., the private company that manages Sandia National Laboratories, is a subsidiary of Lockheed Martin Corp. It was this discovery that prompted my meeting with [supervisors] and when I was told that “it was not my concern.” Later, I turned it over to the U.S. Army and the FBI and helped investigate how it was taken and where the path led.

Posted on March 12, 2007 at 6:56 AMView Comments

Windows for Warships

No, really:

The Type 45 destroyers now being launched will run Windows for Warships: and that’s not all. The attack submarine Torbay has been retrofitted with Microsoft-based command systems, and as time goes by the rest of the British submarine fleet will get the same treatment, including the Vanguard class (V class). The V boats carry the UK’s nuclear weapons and are armed with Trident ICBMs, tipped with multiple H-bomb warheads.

And here’s a related story about a software bug in the F-22 Raptor stealth fighter. It seems that the computer systems had problems flying West across the International Date Line. No word as to what operating system the computers were running.

EDITED TO ADD (2/27): Here’s a related article from 1998, involving Windows NT and the USS Yorktown.

Posted on February 26, 2007 at 3:07 PMView Comments

Iraqi Gunmen Dressing Up in American Military Uniforms

I’ve previously written about how official uniforms are inherent authentication tokens, even though they shouldn’t be (see also this and this for some less deadly anecdotes).

Now we see this tactic being used in Baghdad:

The armored sport utility vehicles whisked into a government compound in the city of Karbala with speed and urgency, the way most Americans and foreign dignitaries travel along Iraq’s treacherous roads these days.

Iraqi guards at checkpoints waved them through Saturday afternoon because the men wore what appeared to be legitimate U.S. military uniforms and badges, and drove cars commonly used by foreigners, the provincial governor said.

Once inside, however, the men unleashed one of the deadliest and most brazen ambushes of U.S. forces in a secure, official area. Five American service members were killed in a hail of grenades and gunfire in a breach of security that Iraqi officials called unprecedented.

Uniforms are no substitute for real authentication. They’re just too easy to steal or forge.

Posted on January 29, 2007 at 1:37 PMView Comments

On the "War on Terror" Rhetoric

Echoing what I said in my previous post, Sir Ken Macdonald—the UK’s “director of public prosecutions”—has spoken out against the “war on terror”:

He said: “London is not a battlefield. Those innocents who were murdered on July 7 2005 were not victims of war. And the men who killed them were not, as in their vanity they claimed on their ludicrous videos, ‘soldiers’. They were deluded, narcissistic inadequates. They were criminals. They were fantasists. We need to be very clear about this. On the streets of London, there is no such thing as a ‘war on terror’, just as there can be no such thing as a ‘war on drugs’.

“The fight against terrorism on the streets of Britain is not a war. It is the prevention of crime, the enforcement of our laws and the winning of justice for those damaged by their infringement.”

Sir Ken, head of the Crown Prosecution Service, told members of the Criminal Bar Association it should be an article of faith that crimes of terrorism are dealt with by criminal justice and that a “culture of legislative restraint in the area of terrorist crime is central to the existence of an efficient and human rights compatible process”.

He said: “We wouldn’t get far in promoting a civilising culture of respect for rights amongst and between citizens if we set about undermining fair trials in the simple pursuit of greater numbers of inevitably less safe convictions. On the contrary, it is obvious that the process of winning convictions ought to be in keeping with a consensual rule of law and not detached from it. Otherwise we sacrifice fundamental values critical to the maintenance of the rule of law – upon which everything else depends.”

Exactly. This is not a job for the military, it’s a job for the police.

Posted on January 26, 2007 at 6:56 AMView Comments

SAS Troops Stationed in London

British special forces are now stationed in London:

An SAS unit is now for the first time permanently based in London on 24-hour standby for counter-terrorist operations, The Times has learnt.

The basing of a unit from the elite special forces regiment “in the metropolitan area” is intended to provide the police with a combat-proven ability to deal with armed terrorists in the capital.

The small unit also includes surveillance specialists and bomb-disposal experts.

Although the Metropolitan Police has its own substantial firearms capability, the fatal shooting of Jean Charles de Menezes, the Brazilian electrician who was mistakenly identified as a terrorist bomber on the run, has underlined the need to have military expertise on tap.

While I agree that the British police completely screwed up the Menezes shooting, I’m not at all convinced the SAS can do better. The police are trained to work within a lawful society; military units are primarily trained for military combat operations. Which group do you think will be more restrained?

This kind of thing is a result of the “war on terror” rhetoric. We don’t need military operations, we need police protection.

I think people have been watching too many seasons of 24.

Posted on January 25, 2007 at 3:34 PMView Comments

RFID Tattoos

Great idea for livestock. Dumb idea for soldiers:

The ink also could be used to track and rescue soldiers, Pydynowski said.

“It could help identify friends or foes, prevent friendly fire, and help save soldiers’ lives,” he said. “It’s a very scary proposition when you’re dealing with humans, but with military personnel, we’re talking about saving soldiers’ lives and it may be something worthwhile.”

Posted on January 22, 2007 at 12:27 PMView Comments

1 11 12 13 14 15 16

Sidebar photo of Bruce Schneier by Joe MacInnis.