
US Cyber Command Wants Greater Attack Mentality (Comments: 257)

Posted by Zonk on Wednesday April 02 2008, @12:41PM
from the cyber-decker-hacker-commands dept.
military
security
it
superglaze writes "Lieutenant General Robert J Elder, Jr, a senior figure in US Air Force Cyber Command (AFCYBER), has told ZDNet UK that communication issues are hampering the division's co-ordination. 'IT people set up traditional IT networks with the idea of making them secure to operate and defend,' said Elder. 'The traditional security approach is to put up barriers, like firewalls — it's a defense thing — but everyone in an operations network is also part of the [attack] force. We're trying to move away from clandestine operations. We're looking for real physics — a bigger bang resulting in collateral damage.'"
  • Fantastic (Score:5, Insightful)

    by OldFish (1229566) on Wednesday April 02 2008, @12:47PM (#22942064)
    I think they should start out small by going after spammers all over the world. Just think of the positive publicity!
    • With that "a bigger bang resulting in collateral damage" line, I thought this guy was a spammer.
      • by Naughty Bob (1004174) * on Wednesday April 02 2008, @01:00PM (#22942216)

        With that "a bigger bang resulting in collateral damage" line, I thought this guy was a spammer.
        No, he'd just had one too many glasses of grain alcohol and rain water.
        • Re: (Score:3, Interesting)

          Too good [imdb.com] a reference [imdb.com] to be left unexplained [filmsite.org].

          I can no longer sit back and allow Communist infiltration, Communist indoctrination, Communist subversion and the international Communist conspiracy to sap and impurify all of our precious bodily fluids.

          • Communist subversion
            SEE! Subversion is bad! Use CVS, stay away from svn repositories. Someone with a UID far smaller than mine says so!
    • Re:Fantastic (Score:5, Insightful)

      by s_p_oneil (795792) on Wednesday April 02 2008, @01:18PM (#22942422) Homepage
      Not spammers, bot nets (which often generate spam). Taking down malicious and devious programs like the Storm network would help remove an existing threat and would help them brush up on both offensive and defensive tactics.
      • Truth in Naming (Score:5, Insightful)

        by Original Replica (908688) on Wednesday April 02 2008, @02:03PM (#22942938) Journal
        An attack mentality from an organization called Cyber Defense Command can only mean bad things are about to happen

        The organization is called Cyber Defense Command for a reason, because they know that they should be "defending". If they were honest in their naming then perhaps it would be called Cyber Attack Command. Hmmm, I wonder what other countries would think of that.... It's probably the same reason that our Department of Defense isn't called the Department of Preemptive Strikes. It was called The Department of War until 1947. I know some here will say "the best defense is a good offense", but when you have organizations with "an attack mentality" they will always find someone and some reason to attack. War without End.
        • Re: (Score:3, Insightful)

          How about Cyber Warfare Command? That encompasses both offense and defense. Done.
          • Re: (Score:3, Insightful)

            The problem with that is it makes absolutely no sense. In order to defend your public infrastructure, you must publicly implement systems that will protect against all known attacks, hence every other country can copy them.

            If you launch a successful attack upon another country, chances are that attack can be readily mimicked and launched against your own public infrastructure. If you attempt to establish a defence against that attack you are back to square one.

            Most attacks on the internet, have targeted e

        • Re: (Score:3, Interesting)

          The same problem applies overall to the "Department of Defense". When was the last time the "Department of Defense" actually DEFENDED U.S. soil? Pearl Harbor? It seems all they do nowadays is attack... Maybe they should change their name back to the "War Department."
      • Re: (Score:3, Informative)

        This idea has come up many times in the past. The stumbling block always seems to come down to the matter of computer trespass, or unauthorized access to a computer. Even if you are doing it with the best intentions, you are still breaking the law to do it.
  • Cyber?? (Score:4, Funny)

    by NeutronCowboy (896098) on Wednesday April 02 2008, @12:50PM (#22942086)

    This is exploiting cyber to achieve our objectives.

    I'm sorry, what? All I can picture is a pimply teenager sitting in front of a flickering screen, typing "Wanna cyber????" into his chat field. I have no idea how to exploit cybering to achieve military objectives. Maybe they want to paralyze the target's networks by getting all lonely teenagers to respond to mass cyber requests?
    • Re:Cyber?? (Score:4, Insightful)

      by trb (8509) on Wednesday April 02 2008, @01:02PM (#22942238)
      All I can picture is a pimply teenager sitting in front of a flickering screen, typing "Wanna cyber????"

      You can only picture a teenager because for you, the implicit noun modified by cyber- is sex - arguably the default focus of a teen's attention. For the military, the implicit noun is war - that is the default focus of their attention. It is clear that cyber- is an adjective prefix that indicates computation. What it means when the noun is implied is in the mind of the beholder.

  • Just what we need (Score:5, Insightful)

    by Anonymous Coward on Wednesday April 02 2008, @12:50PM (#22942088)
    Could the US have any more of an "attack mentality" than it already does?
    • I've discussed with them, and we've all decided that we're just going to start dropping the new DHB (dozen hippie bombs) on hostile nations. The only question is.. what will we do with all the surplus dreadlocks?
      • Re:Just what we need (Score:5, Informative)

        by jayveekay (735967) on Wednesday April 02 2008, @01:10PM (#22942326)
        "In the past 10 years the US has initiated 2 military actions against foreign powers."

        Off the top of my head, I can think of 4:

        1998: US launches cruise missiles at Sudan and Afghanistan
        1999: US launches airstrikes against Yugoslavia to get it out of Kosovo
        2001: US provides air support to forces in Afghanistan to overthrow the Taliban
        2003: US invades Iraq
        • Re:Just what we need (Score:5, Informative)

          by jonnythan (79727) on Wednesday April 02 2008, @01:49PM (#22942738) Homepage
          NATO is not the US.
          • Re: (Score:3, Informative)

            Well, the US makes up 75% of the NATO forces (by budget) and both strategic commanders of NATO are Americans by law (SACEUR and SACLANT), so nothing happens in NATO against the will of the US. The primary decision maker about any NATO bombing campaign is always first and foremost the White House/the Pentagon.
      • 2? Just 2? We are actively nation building in 12 countries right now. Nation building is done by peacekeepers and peacekeeping is done by soldiers. Soldiers on the ground in another country with guns, getting shot at = ? ...

        -ellie
  • Glad to hear that they're bringing "cyber(please excuse the prefix ;)--attacks" out into the open. Hopefully this will lead to a cyber-Geneva Conventions, causing glorified hacking contests to replace bang-boom wars. Just that'd be a shame if some rogue nation hacked some nuclear plant's coolant pumps.
  • If I run nmap -A on the Cyber Command website, they want to be able to make my head explode in retaliation. With "cyber".
  • by RichMan (8097) on Wednesday April 02 2008, @12:54PM (#22942144)
    Hello US Citizen,

    Your ISP has identified you as subscribing to a connection with >1Mbs upload speed. A recent top-secret national security bill requires all citizens with such bandwidth to become part of the national defense infrastructure. Attached to this email you will find an application. Install it. It will self register with homeland defense and be available for defense of the homeland should the need arise.

    Thank you for your cooperation.
    ZZ

    PS: you have 1 week to register or you will be added to the terrorism watch list and will be subject to extreme rendition if needed.
    PPS: we can't show you the bill, this is top-secret national defense stuff.
    PPPS: if you are thinking of decompiling or interfering with the operation of this software, see PS:
    PPPPS: yes this is MS windows Vista only software. Don't have Vista, see PS:

    • If they did that I'd smile, and then give them a /very/ broken honeypot. Perhaps it will hurt rather than help their efforts.
      Then again...if they're putting it all on windows vista to begin with they've set up the honeypot for me.
  • Great... (Score:4, Insightful)

    by Unlikely_Hero (900172) on Wednesday April 02 2008, @12:57PM (#22942166)
    This is just what we need. Perhaps if things had been properly defended in the first place there wouldn't be so much of a need for the "Cyber Command" in the first place. Or, here's another idea, perhaps critically important systems
    shouldn't
    be
    connected
    to
    the
    INTERNET!!!

    Perfect security is impossible, somehow "bringing the fight to the enemy" isn't a solution. Changing the way you think about the internet is.

    I can't wait until it's "you're on our side of the internet or you're on their side!!"

    Every time a government, or especially its military, does something stupid in regards to the internet, I feel the strong need to drink.
      • Re:Great... (Score:5, Funny)

        by Chris Mattern (191822) on Wednesday April 02 2008, @01:30PM (#22942542)

        For example, programs that are written in Java effectively cannot be hacked due to bugs.


        Java has so many bugs in it that it can't be hacked?
        • Re:Great... (Score:5, Funny)

          by 0xABADC0DA (867955) on Wednesday April 02 2008, @03:56PM (#22944308)

          Java has so many bugs in it that it can't be hacked?
          No, but your English parser does. There was a small defect in the input and instead of handling it gracefully it corrupted the discussion.

          That's why you just got the uncontrollable urge to eat brains.
  • IT Attack mentality? (Score:3, Interesting)

    by mveloso (325617) on Wednesday April 02 2008, @12:59PM (#22942192)
    It's funny - usually the attack mentality gets shot down pretty quickly in the US. There was a thread a few years ago about using your IDS to go after people attacking your server...the consensus was it was a Bad Idea. It's pretty much illegal to do in the US anyway, but it's also seen as bad karma.

    OTOH, there's no technical reason not to use snort + script kiddie tools to automatically detect intruders and try to whack them. You can identify botnet members pretty easily from the pattern of accesses (the probes tend to come in waves, as various parts of the swarm poke your boxes).

    The US could just hide in that swarm of accesses, poking servers and doing slow scans to figure out what's where. It's pretty easy these days to do signature profiling on systems, and to just stash this info in a database somewhere. Update each entry every few weeks, and be able to update ranges on demand.

    The only really hard part is getting your own botnet up and running. The US Government could, theoretically, tap into the search engines to do this for them, which would be pretty amusing. Nobody pays attention to web spiders, and well, if the spider does a slow port scan 'accidentally' who cares?
  • Ok, someone needs to get a hold of, or make up AFCYBER division shoulder patches.

    US Air Force Cyber Command (AFCYBER)

    http://en.wikipedia.org/wiki/Shoulder_patch [wikipedia.org]
    http://www.tioh.hqda.pentagon.mil/DUI_SSI_COA_page.htm [pentagon.mil]

  • ...when you really need him?

    random quote from forgotten source:

    "Most wars could be prevented with 1 motivated soldier in the right place at the right time and a well placed bullet"
  • If all you do is defense, then eventually the enemy is likely to figure out, how to break you.

    Attack is the best defense. You have to be able to retaliate. In "cyber" world this would mean some of the "hacking back", identifying him, putting him to jail, confiscating his computer, fining him.

    This "active defense", however, is full of legal (and ethical) pitfalls and thus it is no wonder the private companies are mostly sticking to passive defense. Private sector is also the main source of professional

    • Re: (Score:3, Insightful)

      If all you do is defense, then eventually the enemy is likely to figure out, how to break you.

      Attack is the best defense.


      Spoken like someone who has no understanding of the art of war.

      The first rule of war is: don't go to war.

      The second rule of war is if you have to go to war make yourself invulnerable before you attack.

      "Attack is the best defense" did not work for Germany in the 2nd world war. It didn't work in Vietnam
      • Re: (Score:3, Insightful)

        You're right. I guess Douglas MacArthur, like you, really UNDERSTOOD the art of war. After the bombing of Pearl Harbor he withdrew all marine craft from the pacific and focused entirely on defense. The next several years saw Japan make several unsuccessful invasions of the American heartland, thankfully America's invulnerable defense ensured our safety. Eventually Japan became disheartened and gave up attacking America, thus ending WWII. Sure we lost the Philippines, Australia, and eastern China is still par
          • Re: (Score:3, Insightful)

            Unfortunately it's the classic magic "tiger stone" - the protection is due to the fact that there are no actual tigers in the area and not due to the stone. Iraq has turned into a terrorist assembly line and Afghanistan a vast source of opium to pay for it all.

            As for changes at home - talk at the highest levels about how torturing people is OK, suspension of the rule of law in some cases for something a bit more Feudal and widespread hysteria awoken by things like advertising signs looks like a bit of a cha

  • Bigger Bang? Windows! You're talkin' about Windows!
  • by MikeRT (947531) on Wednesday April 02 2008, @01:09PM (#22942318) Homepage
    Too many of the people that they'd want who are freakishly good at networking probably have a criminal record long enough to deter them from ever holding a TS, let alone a TS/SCI.

    I would hazard to guess that the reason that China is able to keep its black hats at bay is the ability of their government to make you disappear in the middle of the night and wake up the next day in a labor camp if they even suspect you of compromising government systems.
    • Re: (Score:3, Informative)

      I would hazard to guess that the reason that China is able to keep its black hats at bay is the ability of their government to make you disappear in the middle of the night and wake up the next day in a labor camp if they even suspect you of compromising government systems.

      That may be the case, but more likely the Chinese government just puts them to work. The same thing happens here in the US. There were a couple of guys who went to the LA 2600 meetings in the early 1990s who got visits from the governm

  • by Anonymous Coward on Wednesday April 02 2008, @01:11PM (#22942342)
    Sorry, but the U.S. military just isn't going to get the best hackers around. The biggest problem is that the entire U.S. educational system actively discourages this type of education, in a hostile manner. Big businesses also work with the educational system to discourage creating knowledgeable and skilled people.

    Someone posted about a class of theirs on Security issues that got shut down by one big corporation, who threatened not to hire any of their departments' students if they insisted on teaching that class.

    So, the bottom line is that our Education system isn't turning out the skilled people that the Military is looking to hire.

    This is compounded by the fact that the ones who DO get this knowledge, and have the right attitude, are snapped up by the Bad Guys. Crime is increasingly playing a big part on the internet, and those folks WILL pay good money for the right talent which can deliver results.

    I suppose the Military could consider subcontracting out to the Mafia. That's really their only option if they are serious. Otherwise, the best they can get will just be second-rate talent, and more likely third-rate talent.

    Good luck attacking, or defending, with that. As a US citizen, I find this frightening, but I've been saying it for years. I'm glad someone is finally waking up to the matter. But I doubt anything serious will ever be done until it's too late.
    • by dave562 (969951) on Wednesday April 02 2008, @02:48PM (#22943414) Journal
      You're right that the military isn't going to get the best hackers. The NSA will. The educational system isn't the real problem. The best hackers have always been those who had a knack for it and lived and breathed the systems that they enjoyed playing with. Because for the best hackers, hacking is playing. It isn't a job, it isn't a career, it's a hobby that they enjoy. The education system could turn out "computer security professionals", but they will only be as effective as their last class. There simply aren't many people out there with the mental faculties required to be really good at hacking. All the guys I knew weren't wired right. They'd only sleep four hours a night, and had insanely accurate memories.. or they were seriously into drugs, everything from speed and coke to LSD and mushrooms. That's why they end up at the NSA. They can be compartmentalized and their idiosyncrasies can be overlooked. Those people would never make it in a military environment with a rigid chain of command.
  • I can see it now. Somewhere in China or Nigeria a hacker is trying to gain access to a U.S. government network and suddenly their own systems are attacked from hundreds of locations around the world bringing their network to its knees! Revenge is sweet!
  • by adrenalinekick (884201) on Wednesday April 02 2008, @01:26PM (#22942498)
    I put on my robe and wizard hat...
  • by John Sokol (109591) on Wednesday April 02 2008, @02:04PM (#22942942) Homepage Journal
    I am waiting for them to call me and my buddies.

    First they need older hackers, not script kiddies.
    Black hats, or at least former black hats.

    Lots of Jolt Cola, Cold Pizza and some dark dungeon supplied with whatever mind altering substances needed and a steady supply of nerdy Asian girls to look after them.

    Also the boxed set of all Stargate, Star Wars, Star Trek, Battlestar Galactica and.. Na on second thought, we'll just grab them off Bit Torrent. Same for the HDTV, UPS delivery off some stolen credit card, old habits die hard.

    Maybe more useful would be legal immunity/amnesty, from all of the collateral damage from relaxing hobbies like taking down the RIAA or Microsoft in the process, (oops).

    But seriously, a License to hack anything domestic and foreign with total immunity as long as it's primarily against the enemy would be totally cool, I think a lot of us who had to give up the black hat because we have kids and just can't afford to go to prison, would be all over this.

    Why domestic, I almost don't want to say this publicly but the best way to get in is start in.
    http://www.c-program.com/kt/reflections-on-trusting.html [c-program.com]

    Anyhow you can't play by the rules, if they think you can launch an offensive attack without some pre-preparation you're wrong.

    Making an offensive toolkit is fantasy. By definition this is script kiddie and lame.

    > where vulnerabilities are introduced into chipsets during manufacturing that an adversary can then exploit, and electronics vulnerabilities.

    I have been told years ago that this is already being done at Taiwanese fabs to us.
    Chips were designed to be resonant at some Ghz ranges and would be equivalent to an EMP when hit.
    This is done at the fab without changes to the chip design but layer thicknesses that is something the fab has total control over.

    These attacks should be in any OS, Router, or any other electronic devices that get sold and without the knowledge of its manufacturers either. This would give hackers the greatest flexibility to exploit them when needed. The key is to make sure it's not detectable or exploitable by other hackers.
    An example would be to hack into Microsoft and muck with their distro before it goes out.

    Of course with Microsoft and Apple, this would already seem to be unnecessary.

    • Re: (Score:3, Insightful)

      But seriously, a License to hack anything domestic and foreign with total immunity as long as it's primarily against the enemy would be totally cool, I think a lot of us who had to give up the black hat because we have kids and just can't afford to go to prison, would be all over this.

      I completely agree. A lot of people stopped walking along the path that they were walking after age 18 because what they thought was, "Pretty damn cool." the government and law enforcement agencies thought was, "A federal fe

  • by dcollins (135727) on Wednesday April 02 2008, @02:22PM (#22943090) Homepage
    Someday this guy will have a big component of his ships, missiles, and robot vehicles taken down by a friggin' virus spawned by two guys in a garage somewhere in Asia.

    And he'll go "Oh my god! We were totally taken by surprise! Who could have ever imagined or prepared for something as astounding as this!", for about the 4,000th time in the history of this administration.

  • Collateral damage (Score:3, Insightful)

    by jabber (13196) on Wednesday April 02 2008, @02:58PM (#22943572) Homepage
    Collateral damage, by definition, is unintentional. The contradiction aside, why would the most technologically advanced (arguably, I suppose) part of the US military seek to cause more than the necessary amount of damage?
  • collateral damage (Score:5, Insightful)

    by DM9290 (797337) on Wednesday April 02 2008, @03:00PM (#22943594) Journal
    Isn't it some kind of war crime to intentionally TRY to inflict collateral damage?

    I thought there was an obligation to try to minimize collateral damage?
    • Re: (Score:3, Informative)

      Isn't it some kind of war crime to intentionally TRY to inflict collateral damage?
      I thought there was an obligation to try to minimize collateral damage?
      That rule is moot for quite a number of reasons. See firebombing of Dresden [wikipedia.org]. And remember, the term "war crimes" is either an oxymoron or redundant, depending on how you look at it.
    • Re:IPS? (Score:5, Funny)

      by db32 (862117) on Wednesday April 02 2008, @01:04PM (#22942266) Journal
      No problem, we will be sending you the bill shortly. The taxes on this work will be calculated at $1.8m per second. We look forward to receiving your payment in a timely manner. -- IRS