Cracking Military Devices 193
Kenneth Ng was one of the folks who wrote to us about
an article CNN is running, courtesy of Federal Computer Weekly. The piece talks about scenarios that have caused the Army some consternation -- namely, crackers being able to take the wheel of remote-controlled military weapons systems like tanks, ships and planes. I dunno -- I kinda like the idea of being able to play Grand Theft Auto [?] with an M-1 Abrams tank.
Tactical versus strategic vulnerability (Score:1)
This thinking deeply concerns me. It appears that they are considering this as a purely tactical vulnerability, rather than as a strategic one. Rather than worry about an opposing force compromising tank controls in a single engagement, this suggests a very real possibility of a systematic hijacking of central control systems by an enemy, either military or what is euphemistically called a "rogue element."
If guidance systems and foe recognition systems alone can be compromised, one can wreak essentially unlimited havoc by (e.g.) sending troops unwittingly into the lines of enemy fire, causing troops to engage friendly troops unknowingly, or even drawing third parties into the fray by sending troops at another country. (Imagine if American troops in Korea had attacked China by mistake?)
Most seriously, such an attack would not necessarily be obvious even in retrospect; the usual errors associated with any military operation (just where did that enemy unit go again?) might be enough to obscure the true origin of these systematic errors over a prolonged period of time. Only a continuous process of error analysis (the statistical frequency of various sorts of errors, measured by the disagreement of multiple independent detection systems; e.g. AWACS versus ground-based reconaissance versus satellite reconaissance) could detect such attacks reliably, and that only over a prolonged period of time.
I think that this reveals a far more systematic weakness in modern, highly computerized and highly networked weaponry than the military has been willing to admit before; let us hope that they do not ignore the very pressing need for qualitatively new forms of defense by appealing to arguments such as tactical inapplicability.
Just what we need... (Score:1)
The Real Story about "Controlling Navy Warships" (Score:1)
Here is the real story of how an Air Force officer "controlled a Navy warship remotely".
The Air Force Officer in question (lets call him Fred) was at a Joint (meaning all armed services were involved, Army, Navy, et al) Interoperability demonstration in the Boston area. His resaon for being at the demonstration was to perform live penetration attempts on DoD computer systems for any of the high-ranking officers who might stop by their booth. Fred's computer was connected to a worldwide command and control (C2) network which was NOT connected to the internet, so he could potentially hack into C2 systems worldwide.
One day, a Navy Lt Commander (O-5) stopped by the booth. He asked Fred if it was possible to break into computers on board deployed Navy ships. Fred told him that it was quite possible. The Commander then asked Fred to try to penetrate the computers on board his ship, which was deployed in the Mediterranean. Fred, assuming the Commander had the authority to make this request, agreed to do so.
Fred broke into the systems quite easily, and the Commander was duly impressed. But the story doesn't stop there! Once the Navy senior leadership found out that an Air Force officer had broken into an operational Navy system, all hell broke loose. The Navy wanted to crucify Fred, but he had simply been following the orders of the Lt Commander. The Lt Cmdr, however, did get crucified.
So, the reality of the situation was:
- The Navy ship was NOT accessed from a hotel room
- The Navy ship was NOT access from the Internet
Re:... (Score:1)
Re:... (Score:1)
Re:The government really is the stupidest org. eve (Score:1)
Indeed. Imagine what a well-placed tfn/trinoo DDoS could do to in a critical situation!
Re:Oh, yes it is. (Score:1)
Re:It's not an issue with current platforms! (Score:1)
Re:Oh, yes it is. (Score:1)
The real problem. (Score:1)
http://theotherside.com/dvd/ [theotherside.com]
... (Score:1)
wopr:~# _
This is just like a movie (Score:1)
Lieutenant Saavik!
Quick! Punch up the Reliant's command console...
Now, order the Reliant to lower it's shields.
FIRE!!!!!! (kaboom)
You did it, Captian!
I DID NOTHING! All I did was get caught with my britches down.
Sounds like mostly a gimmick to get funds (Score:1)
M-1 (Score:1)
Is OpenSSH standard on the Abrams yet?
This is easy to prevent. (Score:1)
the good old impending Electronic Pearl Harbor (Score:1)
Re:Hacked Military Hardware (Score:1)
Re:Hacked Military Hardware (Score:1)
Amen to that, the Weather software I used, AWDS (Automated Weather Distribution System), was very ugly and crufty (and no hope of Y2K compliance, I hope they aren't still trying to use it). It was designed in the '80s but never funded or fielded untill the '90s, but they didn't update their hardware or software specs so people got 10 year old technology at 10 year old prices (remember how much that 40MB HDD cost 15 years ago). It ran on a "Barco Chromatics" machine running what appeared to be a Unix variant (never heard of them, but at least we were able to cannablize the SCSI drives for our 386 desktop machines (in 1997!))
Many of the features didn't work, or were too slow, it had much that was tailored to the Meterologist (ability to define some custom algorythms and do interesting data analysis (LGGs)) but were pretty useless to the work-a-day Forecaster and the features that would have helped were incomplete or broken (useless satellite images, poor/late vector charts from Global Weather, etc.)
They've been patching this system for many, many years and have almost got it useable but because it doesn't even have a hope of Y2K compliance they have to scrap it. Of course when I left last May the next system appeared to still be in the planning stages, without any code actually written. Well they were going to move everything to the WWW, I hope it worked out for them.
Re:Hacked Military Hardware (Score:1)
They are "upgrading" to a NT system because they think that it will be "easier to use", of course they are just fooling themselves. Where I currently work we use Novell and ZENWorks to manage Windows workstations and there isn't anything better or easier to use, it just requires a little elbow grease. For managing Windows workstations Novell is the best thing going (even if NetWare OS is crufty and really only good for file/print duty)
Police Force? (Score:1)
Cop: Look at that guy go.
By stander: Yea, but there went my car!
--
Re:This shouldn't be an issue. (Score:1)
I would have though that with military tech. being, what, 5 years or more in advance of what we civilians get they would be using multiple signal, spread spectrum, 2GB encryption keys and a slew of other technologies that make it at least infeasable to try and crack.
Alas, this isn't really the case anymore. Most military areospace computer technology is quite primitive by civilian standards. The problem is mainly radiation hardened electronic components. The highest end RAD-hardened CPU at the moment is a 486-ish device. Work to get a hardened pentium in production has faltered recently. Basically it just doesn't make any financial sense for any IC manufacturers to go through the trouble of developing these devices when they have such a limited market.
Re:Should GPL be amended to say "no killing"? (Score:1)
You are responsible for what your code does.
I am?
If you wrote a chemistry book which explained what nitrates are and someone went and used that knowledge to build an ammonium nitrate bomb and blew up a grade school, would you feel responsible?
I won't even go into the bit about Hussein and the chances of him (or anyone like him) following the GPL.......
Re:Tactical versus strategic vulnerability (Score:1)
Reading Aloud... (Score:1)
causing the ship/tank/plane to lose connectivity with the controller. I'm sure they may program in some generic routines for self defense/keep alive techniques, but maybe that would give "the enemy" enough of an advantage to destroy everything that is remotely controlled....
I think that would almost be more dangerous to us if the enemies figure out how to cut communications. As in traditional war, communication is key, and with big hefty robots, while there is no human factor at that point, I'm sure some government big wig will get pissed if they lose a few billion dollars worth of planes.
Re:Where's the Pentagon? (Score:1)
Re:Cracker (Score:1)
Re:Remote-control warfare (Score:1)
Not likely. (Score:1)
Not likely. Doing so would require specialized and intimate knowledge of the system(s) in question. This would mean actually having worked with the system(s) or working for the contractor which built them.
It would also require physical access or having a close proximity to these system(s). This is NOT something that Joe Hacker could do from his home.
It's possible a disgruntal contractor or military person could pass information to a hostile government. Even then, the chances of the system(s) being remotely hacked is not likely. And since all communications are encrypted ( No! The internet does NOT count! ) it would be almost impossible to do.
Re:Realities of Useful Military Hacks (Score:1)
Well, some minor problems with this. First, the purpose of artillery is to sow disruption amongst the enemy and make it difficult for them to mass together for both attacks and defences. 'Smart' weapons could be retargeted to attack the CQs and HQs from the side they came from, but they're not as effective as a nice rolling barrage at instilling terror amongst the soldiers. Perhaps in paralyzing the command and control structures and perhaps pinning down the air forces.
The other problem is one caused by everyone playing all these nice computer and video games. You keep forgetting that it's not a level playing field. In any given conflict between the US or NATO vs someone else, we are the ones with the 'smart' weapons, or (let's hope) the JATO-assisted dumb bombs (way cheaper). So almost any hack is going to be used against us, not against them.
How to get free security services on a budget ... (Score:1)
Maybe they realize that the real security experts don't work for them. Or maybe they've clued in that it's cheaper to have
Or, it could just be that they got a batch of bad circuit boards for some mil hardware forced on them by some Senator from New Jersey that they can't replace, and they're trying to innocculate themselves against the inevitable failure during combat when the weapons fire against friendlies.
Which unmanned vehicle would you prefer to hack? (Score:1)
Yeah, those are wierd dohickeys. Now we're talking
Totally Skynet if they wire some attack capable vehicle though
Re: Cracking Military Devices (Score:1)
Maybe the next Bond movie will be about 007 hacking his way into some foreign army's attempt at world domination. And subverting it with misdirection and false orders via signals.
Re:sounds like a cover up (Score:1)
How do you know that wasn't a hack?
Care to joyride the drone planes? (Score:1)
Actually, those cool drone planes are unmanned. No payload, but a nice camera and all that.
I guess you could intentionally crash it into another plane or do a top-down crash into a tank. But it's probably better used for taking on a joyride to a fuel dump.
Re:The government really is the stupidest org. eve (Score:1)
Johan
Re:Remote Controlled Artilary is great.. (Score:1)
Forget Grand Theft Auto.. (Score:1)
Re:linux submarines (Score:1)
Of course, XFree86 *really* sucks on it...
Re:Remote Controlled Artilary is great.. (Score:1)
And, it's hard to interrogate a machine for battle plans, as long as it doesn't store that information. Could be useful when going up against forces that don't exactly respect the Geneva Conventions.
Re:Reading Aloud... (Score:1)
If memory serves, there's been work here at Carnegie Mellon that's at least partly involved with some helicopter-ish drone, that can autonomously fly 'bout and land. So they're not completely clueless 'bout the issue.
Re:Sigh (Score:1)
And where's this "crippled" argument coming from? (Soldier + M16 + GPS) - GPS = perfectly capable of performing.
Grand Theft Auto (Score:1)
Auto Grand Theft Auto.
A Quick tip for the Defense Department: (Score:1)
Cheers,
SuperG
Re:Not likely. (Score:1)
The Folly of Security by Anonymity (Score:1)
scary (Score:1)
this type of thing is really scary... I mean giving a government a BFG is one thing, some cracker gaining access to that BFG is another thing entirely.
I would much rather have someone hack into my automated home system and put my coffee maker on the fritz than have a tank drive through my living room.
Re:The government really is the stupidest org. eve (Score:1)
In effect, they say that the device must not protect itself against external interference and/or probing.
This also reminds me of the NSA's "Clipper Chip". I wonder if the military will be using *those*.
Re:Risks of boys (and girls) with big toys. (Score:1)
They are having trouble finding people at the wages they want to pay. Its not 'they are having trouble finding people.'
Re:Hacked Military Hardware (Score:1)
Now with military spending programs looking for ways to cut back on costs by using "commercial where available" products there is a probability that damaging information could be gleaned from corporate databases.
Y2K De-Mythed... So lets Make a new one? (Score:1)
So now its, "Well would if 'hackers' (Crackers) break into our systems and blow everyone up."
Good thing there is no time table to disprove this one. Can't wait for the new anti-craker-terrorism laws....
Real-life Battlezone! (Score:1)
Seriously, tho this is scary as hell. I sure hope the nukes still require a couple of keys to be turned.
Re:Closer Than You Think? (Score:1)
Re:linux submarines (Score:1)
And yes I know that I have bad spelling!!!
Navy Nav Systems use NT (Score:1)
Bolo! (Score:1)
Wonder if they're still running NT? (Score:1)
Re:Hacked Military Hardware (Score:1)
- Steeltoe
What do you do today to limit yourself?
Re:Remote Controlled Artilary is great.. (Score:1)
Re:Security (Score:1)
Don't laugh, this is serious (Score:1)
Why hack? (Score:1)
Just walk into the army barracks, drive out in a tank, drive it up the main freeway towards the city etc
Just be sure to learn to secure the hatch properly. This guy didnt, and ended up with a smoke grenade in his lap...
Re:How about NOT installing "PC Anywhere"? (Score:1)
Re:How about NOT installing PC (Score:1)
I think I read this on the l0pht site somewhere.
nsa can have fun too (Score:1)
Closer Than You Think? (Score:1)
Um, how do you "closed circuit" control a plane? (Score:2)
Got 80,000 feet of wire hanging off the back of that F-117?
Actually a sit-in virtual station that relays the aircraft's environment back to you and makes you feel like you're there *is* a good idea. Besides protecting the pilot's life, the pilot can also do 20G air maneuvers that would kill a human being (9Gs max). The fighter plane could be used to maximum efficiency (unlike now) where the human is the limiting performance factor.
At home (Score:2)
Old hacker urban legend (Score:2)
Columbine Part 2 - The Recogning (Score:2)
Seems to me that it's the big boys in office playing their video games that might be the *real* threat in the years to come...
Sigh (Score:2)
[OT]Re: "PC Anywhere"? (Score:2)
Speaking of PC Anywhere, I got the funniest thing in the mail the other day. It was a typical "Free ISP for newbies" CD, with a long list of included software (mostly demos) on the back. The first item on the list, in bold type, was... PC Anywhere. It struck me that distributing such a widely-known vulnerability to the typical audience of this sort of CD is, well, a little reckless.
Hmmm... I guess it was funnier at the time. Oh well.
Re:So then... what *are* you responsible for? (Score:2)
"Yes it's my gun, but *I* didn't shoot him! This 8 year old friend of my kids did!"
Your analogy is invalid. A gun is final hardware. Source code is information. A correct analogy would be: "Yes, those are plans for my nail gun, but I didn't shoot him..."
"Yes I wrote SATAN, but *I* didn't crack those root nameservers and bring down the net! That evil script kiddie did!"
What tools do you use to secure your machines? SATAN and tools like it are the only reason those root nameservers are still operating.
Just keep on blaming everyone else for what they do with your creations, but someday, you won't be able to pass the buck.
Do you really see no difference between raw information and the intent behind how it is used? Perhaps fire-making knowledge should be hidden, since after all, thats how arsonists burn down buildings...never mind all the other people who will freeze to death.
Re:Hey Waitaminit... (Score:2)
Can one do arbitrary remote control via that interface? (i.e. any maneouver I want?) First thing after I hijack the control connection, could I pull one of those 20G moves someone mentioned earlier, killing the pilot to prevent him from shutting down?
How about killing the VTOL engines, and dropping the plane on the deck? Perhaps with the bombs armed?
Re:Realities of Useful Military Hacks (Score:2)
2. Fake AWACS might be possible if stuff was transmitted unencrypted over non-voice channels. Which sounds unlikely. I think open voice communications is already vulnerable, and non-voice is likely going to be encrypted (there's a real-time encryption system from the NSA, although I forget the name, that's used for voice, surely you could throw it into a cell modem...)
3. FOF tomfoolery might be possible. Although the other way around, making foes seem friendly, makes more sense. The FOF is a radar transponder system that essentially fiddles with the bounced signal, I'd think in order to change it you'd need physical access to the transponder.
What it sounds like they are looking at is large systems - computers that provide navigation and systems control for planes and boats, like fly-by-wire. Of course, it does make one wonder what the hell the military would be thinking allowing remote access or control of said computers. I mean, really... I don't know, I think it might be mis-information, getting the "bad guys" (whoever they are this week)to waste time looking at something that is irrelevant.
itachi
Realities of Useful Military Hacks (Score:2)
OK, so the example they give is faking the incoming navigation data for a ship. For vessels which depend on downloads of info (such as GPS locators), this might prove useful in that:
A. one could induce systems creep in a MBT so that the tank thinks it's a few hundred feet away from where it is, especially while on the move. "Charlie, I thought you said we were going 70kph, how come we're 20km closer than we should be?"
B. one could give false image info for targets beyond local range (e.g. fake data from an AWACS).
C. one could trick the Friend Or Foe signal data so that friendlies appear to be hostiles.
None of these sound very promising. And none of them "take control" of the system. Now if someone knows of any buffer overflow exploits with these systems, maybe we're talking a nifty hack; but otherwise, it's just smoke and mirrors.
Remote control of trains - true story (Score:2)
A 16 year old Danish boy managed for some hours to control the trains on a major switchyard using only knowledge of the switching system and a stolen radio from the train operator.
He got caught when he by mistake changed the switches so that a high speed passenger train would be led onto the switchyard ! (The Automatic Train Control system set off the alarms)
The boy is in all respects an ordinary and clever boy with a huge interest for trains and how to operate them. In other words - he is by no means nuts.
Never the less he could have caused a disaster if the passenger train was so close that the ATC couldn't stop the train fast enough.
Security is alway an issue with humans!
Re:Don't laugh, this is serious (Score:2)
//rdj
Risks of boys (and girls) with big toys. (Score:2)
What is stopping anyone from going to the armory and grabbing the big toys?
What is stopping the boy with the toy from pointing it at his buddies, rather than downrange?
What is stopping the makers of the toys from planting 'software bugs'?
The only reason anyone is caring here is digital is seen as invisible...hard to track.
The US Military has wanted smarter toys so they can use lesser trained people. The 'threat' expressed in the article is part of the trade off they accepted when they signed the contract.
Perhaps the military contractors need more money?
It's Calvinesque... (Score:2)
Taking control of a ship carrying cruise missiles now qualifies as "random harassment".
I'm gonna get me a script and randomly harass my old High School.
--
A few points to consider... (Score:2)
someone mentioned that "you'd need to have worked with this stuff to hack it"
time and time again this has been shown to be blatantly false. People that design systems are not clairvoyant. Interested parties can and do infiltrate and learn about systems that they've never seen before. Reading old phrack articles should leave you quite convinced of this.
Unmanned military vehicles are no longer an experiment. They are a reality. They were used successfully in the gulf war - in reconassiance roles. However, more traditional aircraft and military systems roles are also being moved to unmanned versions. It is my understanding that the JFX (or is it JSF or JSX ?) is the last planned manned fighter aircraft. Well, this summer they had mated the two halves fo the fuselage. In other words, don't expect too many more manned fighters. Fighter aircraft can already far outperform the limits of their frail human pilots.
The military is and will continue to use unmanned vehciles in an increasingly aggressive/active fashion. Many current generation missiles are "fire and forget" -- this is software driving the missle to the target once it is released. Commercial airliners already more or less fly themselves. Putting all these peices together is all thats left.
Someone else mentioned that taking a machine off a public network insured that it would not be hacked. I can't think of a more foolish statement. Systems were getting hacked -- and much more thoroughly than they are today -- long before everyone "had internet". The mentality which says "private network == unhackable" is the mentality that I don't want near _Any_ computer network with sensitive data. VPN's are just a matter of encryption. Isolated LANs invariably have some private dial-in #. Think of this problem in terms of telco stuff. What telco gear do you know of thats hooked up to the net ? Ask yourself how often that stuff gets completely compromised and understood by cajoling teens.
As far as buffer overruns in military systems, I wouldn't count on it. For instance, the majority of the F-15s software is written in Ada. C typically is _not_ used, and for good reasons.
The facts are clear. The future of the military is software automation. If people take the attitude that they are doing enough to safeguard their software and networks, then they probably really aren't. Paranoia is the only answer.
Re:Can't sleep, clown will eat me (Score:2)
nah...you should be more afraid of police dressed
up in military gear busting down your door and
shooting you because you moved too fast and
"they were scared" on the word of a junkie paid
informant who told them you were running a crack
house.
(oh wait...that never happens...oops)
Re:Can't sleep, clown will eat me (Score:2)
> more likely than one might think.
I know. Actually...with a little looking around
a few months back I found anice story. Police in
miami or something paid an informant, who was nice
and very forthcomming about this nice crack house.
They came in armed to the teeth...when an old
lady answered the door, she saw all their guns and
screamed. He husband herd the scream and came
rushing out of his bedroom with a gun to save her.
Needless to say the man was probably dead before
he realized what was going on (much less before
he hit the floor). It was a house owned by an old
retired couple...no crack found.
Another case police busted into a house looking
for drugs, chased a man into the bedroom and
shot him, emptied their clips into him. Coroner
said that most of the bulletts enterd "at a
downwards angle through his back" (ie he was
laying on the floor dead).
No drugs were found. The man was unarmed. The
police were not punished.
So, all in all, I don't think this remote
controlling military gear is too much of a worry.
Frankly....there are worst things that should
keep you up nights.
This is totally clueless! (Score:2)
All of our special networks are of course, QUITE encrypted, so good luck if you think you have a chance cracking them...
-Dextius Alphaeus
Maybe I'm just over-cynical.... (Score:2)
It could just be more of the government's "cyber-criminal/terrorist" rhetoric aimed at eroding more people's right to hack. Well, not that there is a right to hack....yet.
Am I just crazy? Am I placing to little faith in our military? Can you place too little faith in an organization that practices better ways to kill people?
Classified Stuff (Score:2)
Another thing I think worth mentioning:
I've seen a lot of posts that talk about the fact that the military wouldn't talk about it if they did have tanks and such hooked up to the internet. This is probably true for the most part. See most squadrons, wings(in the AF, for the Army it's probably battalions, companys etc.) have this neat guy called the PR officer. Basically any public statements or talking to the press is done/authorized by him/her. There are often things that are initially classified info, then de-classified, but aren't released to the press. No officer/enlisted personel are going to say a word, unless the PR gives it the okay. That's the cool thing. If the PR person doesn't say anything about it, no one outside the military would ever know. I've been fortunate enough to hear some 'confidential information not released to CNN' breifings. They were interesting to say the least. I once even heard about a hack that accomplished the next best thing to taking over a vehicle.
Wigs
Hey Waitaminit... (Score:2)
Yes...I am a civilian working for the Navy. (I feel like I'm at Defense Contractor's Anonymous...) In fact, I'm with a group of folks responsible for writing the software that is the official NATO test for military communications equipment.
[aside] Do you have any idea what the NDA for this company looks like? How many NDAs did you sign that said, "If you talk about the wrong things to the wrong people, or even to the right people at the wrong time, or even to the right people, at the right time, but in the wrong place, OR EVEN the right people at the right time at the right place but when that other person didn't Need To Know the information, we'll throw you behind bars with your new "husband" for the next 10 to 15 years!"??? *sigh*)
Well, anyhow, what I can talk about and is unclassified is that most of the military communications formats are encrypted, jamproof and in many ways just really dang hard to deal with. There are two exceptions. One of them is used to control airplanes remotely (usually for Automatic Takeoff and Landing, for carriers). It's not encrypted. Granted, the format of these communications isn't something the average joe can get a hold of easily. And there's probably a way for a pilot to shut down the communications.
But the unencrypted nature of this, not to mention the fact that it can be used to control a plane, handled cleverly, could be a risk. It's like the risk in Star Wars..."I've analzyed their attack, sir, and there IS a danger..."
Hmmm, I seem to have wandered off the point of the post I'm responding to...I know I had something relevant to this post to say...oh yeah, it was this: Even the civilians are underfunded. You'd be amazed at the crap our team here has to dig through. Our solution is that we're always having to reuse old code, rather than hacking an off-the-shelf product. But if you've been on a project where you've tried to reuse code and merely update a system over time, you know how nasty things can get...well, we've been updating the same code pretty much since...1993 or so. Seven years makes code fugly.
Okay, I'm going to stop now.
Re:The government really is the stupidest org. eve (Score:2)
Trouble is they weren't well EMC shielded. So along comes the hacker, with an illegally powerful ham radio.
He gets halfway through filling and: ZAP! - with luck, the pump will stop registering anymore fuel.
Before you rush out to try it, it doesn't work very well anymore. The shielding is much better.
Sure this isn't a software hack, but if it puts a military vehicle out of action it doesn't really matter. Also, theoretically it might in fact be possible to reprogram something remotely (even if the wires to do it have been cut, if you put the right voltages on it, its going to work ;-)
This shouldn't be an issue. (Score:3)
I agree with an earlier poster that if you don't want the ability for people to do it remotely, don't put it in there in the first place. This can't be done in all circumstances, of course, but read on.
I hope to God that the arming circuitry requires some kind of hardwire interface at least for the last stage of final go-ahead for launch.
I would have though that with military tech. being, what, 5 years or more in advance of what we civilians get they would be using multiple signal, spread spectrum, 2GB encryption keys and a slew of other technologies that make it at least infeasable to try and crack. And yes I do mean for navigation and indeed all subsystems of any kind of military device or even civillian device which has the possibility for far-reaching or deadly effects if such a system were to be compromised.
<sigh> I guess that's what they mean by "military intelligence".
Re:Realities of Useful Military Hacks (Score:3)
B. one could give false image info for targets beyond local range (e.g. fake data from an AWACS).
This ability can be extremely useful to a country undergoing bombardment.
One of the main reasons the V-1 and V-2's of WW2 did so little real damage is that the British controlled the german spies in England. They would report slightly altered impact coordinates back to the German launch teams. The end result was that, as the incorrect reports were worked into the targeting, the missile aim points would slowly move away from the city itself and into the surrounding farmland. The British could even tell when the launch crews moved to new sites, as the impact points would snap back to the center of London...
Anyone up for a game of Longbow? (Score:3)
Re:... (Score:3)
No, lets play Thermonuclear Warfare
WHAT SIDE DO YOU WANT TO PLAY?
1) LINUX ZEALOTS
2) BSD ZEALOTS
3) TROLLS
---> 3
VERY WELL THEN, I WILL PLAY 1) LINUX ZEALOTS
FIRST POST!!!!!
BSD SUCKS!!!!!
LINUX RULZE!
MICRO$~FT SUCKS!
FIRST POST!!!!!
BSD SUCKS!!!!!
LINUX RULZE!
MICRO$~FT SUCKS!
FIRST POST!!!!!
BSD SUCKS!!!!!
LINUX RULZE!
MICRO$~FT SUCKS!
Problem outside the vehicle (Score:3)
Most security problems that I know of are not fleeting, but are resident in the system. So you have a systematic bug in stead of a fleeting and unpredictable. This problem is real and might be a problem, but that is not what i think is meant here.
So I think that we shouldn't look at the error inside the systems to look at what mister Pike meant. I think that what mister Pike was aiming at is the problem of being able to send a vehicle the wrong data. For that you don't need to access the vehicles systems. You just need to be able to send fake data in such a way that your opponent interprets it as real. Deception in the end is a large part of Warfare.
Re:Methinks someone's been watching "Wargames". (Score:3)
Re:Hacked Military Hardware (Score:3)
we were military intel. (please hold the jokes), and the equiment we worked on was *almost* a stand alone network, small server that had a single encrypted data feed from outside.
the machines were brand new(we were some of the first trained to use them), but were already antiquated. the contractors spent more time working on them than us analysts. and there were so many holes in the gui that it wasnt funny.
even we, uneducated and unexperienced as we were with unix, were able to find several ways to do interesting stuff. its been too long to tell you the version of solaris running, but was a custom gui, with no command line for non-contractors. somehow, we found that it was easy to create a file with a few commands in it, save as .cshrc, and open a couple windows to execute it... and it didnt take us long to get transferred to another unit.
the point we were trying to make though, is before we got into trouble, we told the contractor what we could do, we reported everything we did to see if he could stop us. and he could never get the authorization. he tried a few things on his own, but we always found ways to circumvent them.
now, we query you, what if we had been malicious? or, for that matter, anything other than curious? we never broke anything, and only got root once (did nothing with it, but let the contractor know). granted we were right there, and that makes a difference, but there are many out there whom are much better than we (though we are still learning - not cracking, losing our job was enough to teach us a lesson), and many systems are not so remote.
just a thought.
It's not an issue with current platforms! (Score:4)
I hope to God that the arming circuitry requires some kind of hardwire interface at least for the last stage of final go-ahead for launch.
Hell yes!!! I work SMS (stores mgmt system) right now. This is what we do. In order to launch a missile or drop a bomb, the master are switch is required by the hardware to be in the armed position and the weapon release is required by the hardware to be depressed. If either of those interlocks (and a whole mess of software interlocks and other software/hardware interlocks) aren't OK, the missile never comes of the rail. (or isn't ejected)
I would have though that with military tech. being, what, 5 years or more in advance of what we civilians get they would be using multiple signal, spread spectrum, 2GB encryption keys and a slew of other technologies that make it at least infeasable to try and crack. And yes I do mean for navigation and indeed all subsystems of any kind of military device or even civillian device which has the possibility for far-reaching or deadly effects if such a system were to be compromised.
The keys aren't THAT big (on the stuff I know about, which isn't all that much since I'm not with the NAV team) but freaking EVERYTHING is encrypted. The JTIDS shared tactical info, the comms, the datalink to your wingman, nav, gps, etc. And yes most of it is spread spectrum. There is a bunch of anti-spoof stuff built into a lot of it as well.
Basically some cracker hijacking a manned combat vehicle will not happen. Ever. Period. Even if someone got around 1 layer of crypto, they would have more to deal with other stuff. (like the fact that these systems are unbelievably complex, and use some pretty strange hardware.)
The issue is the new UCAVs. (unmannded combat air vehicles) These could be hijacked somehow if the crypto on the link was broken. These are not gonna be deployed for quite some time, and I'm sure the link encryption will be heavy duty. (I would guess to the point of requiring dedicated proprietary hardware on both ends. that's just a guess based on past experience however.)
dv
Re:Maybe I'm just over-cynical.... (Score:4)
--
This is why the military uses "air gap" firewalls (Score:4)
Now, the Navy seems to be having trouble with their "smart" ships, but so far, their track record there isn't too hot (remember the whole NT debacle?). That whole program seems to be more like some Star Trek fan's wet dream then your "standard", ultra-paranoid military project. I can only hope it is the exception and not the rule.
You will find the military is very strict with regards to what you connect to what, how you can connect it, and how you have to protect it and shield it. And with good reason.
If you've got a PC with classified data on it, then the entire system is classified. Including the keyboard and monitor. (No, I'm not making that up. I've seen many Air Force PCs with red "SECRET" stickers on the keyboard and monitor.)
If you so much as put a floppy disk in the drive and take it back out, that floppy is now classified as well. You also cannot connect just any hardware to the system; you need to make sure everything is properly shielded for EMSEC (emissions security; what used to be called TEMPEST). This applies all the way down to serial cables connecting to external SDDs (Secure Data Devices).
I'm fairly confident this article is pointing out exceptions in design policy to ensure that the exceptions do not become the norm.
Re:[OT]Re: "PC Anywhere"? (Score:4)
Members were reported as saing "We have cought a lot of flack for hackers who write remote administration software. This has allowed inferior products like PC Anyware to take some of our market. This merger is benifitial to both PC Anyware and Back Orafice. It will provide PC Anyware customers with the more powerful Back Orafice which has a better interface, plugin support, more portable clients, and is open source. Back Orafice will recieve use of the PC Anyware name which should allow more companies to use the product officially."
The U.S. millitary seems happy about the merger. They reported that they have had security and preformance problems related to their new PC Anyware / NT driven missles. "Back Orafice's encrypted connections and higher preformance are exactly what we were lookng for in a remote administratin product and the Butt Plugs feature offers a better interface to specialised hardware then PC Anyware could" the report said. The repost went on to say that Back Orafice's interface looked cryptic and difficult when the product was first considered, but apperently a large portion of recruting age males recieve training in the use of Back Orafice from their High Schools and this is expected to offset any difficulties encountered.
Hacked Military Hardware (Score:5)
As opposed to the USAF, which just barely does most of their work in house.
At anyrate, talk to a military programmer, and they'll admitt that quality control can be iffy, budgets are short, and the Brass is always looking for a way to trim budgets. Even if it means going with an off the shelf product, hacked and crammed into working by only one or two enlisted men, who leave a few months later for higher paying civillian jobs.
And now the Military is looking at things like fully autonomous combat vehicles. The next US Army MainBattleTank, in later versions will operate autonomously, Both the Navy and Airforce hope to fly UCAV (unmanned combat air vehicles) that for a large part operate autonomously, if not fully.
Hackability of these systems may not be practical, many of them will operate without external data connections, being solid systems.
What is my concern more than anything, is that these systems need their software to perform at all, and the trend at cutting corners, and having a shrinking qualified personnell base, is what the Military is really in danger of.
sounds like a cover up (Score:5)
Taiwan: Why did you attack us!!!
US: Wasn't us, someone must have hacked into our computers and done it.
Later that day
US: *snicker* fools