Air Force To Rewrite the Rules of the Internet

meridiangod writes "The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than the rewriting the 'laws of cyberspace.'" I'm sure that'll work out really well for them.

They've solved their own problem

[yttrstein]

""[M]ost threats should be made irrelevant by eliminating vulnerabilities beforehand by either moving them 'out of band' (i.e., making them technically or physically inaccessible to the adversary), or 'designing them out' completely," the request for proposals adds."

Luckily for the Air Force, they don't actually have to do any work at all to make this happen, since it's been not only possible, but actually implemented since at least 1998, when RFC 2341 was written all about Virtual Private Networks.

Helpful Hint for the Air Force: Pay your private sector computer engineers more and you'll get the innovation you're looking for.

Internet + secure

[buchner.johannes]

The only useful and meaningful thing they could do, is implement a secure internet protocol (i.e. with the missing session and presentation layers) and provide a good interface to the internet. Then the inherited insecurity of network protocols could be avoided from the beginning.

If it is done right, has advantages and is promoted and laid open to others, it might catch on and replace parts of the internet step by step.
Will probably not be faster than the IPv6 transition, but hey, they made the internet, why not make another one ;-)

Laws can not reach internet phenomena, they are too slow, and when they do, it doesn't matter anymore.

Re:Disconnect

[Kagura]

They actually are smart, and any computers accessing Secret information and above are NOT allowed to be hooked up to the internet or a network with access to the internet, EVER.

Re:Penny Arcade

[Anonymous Coward]

Here's a hint for future postings.
Enclosing your URL in parentheses prevents Slashdot from creating an automatic hyperlink. This is annoying, as it means that I have to copy and paste rather than just clicking. It's the difference between:
http://www.penny-arcade.com/comic/2007/07/16/ [penny-arcade.com]
and
(http://www.penny-arcade.com/comic/2007/07/16/)
on the screen.

In general, it's a bad idea anyway because parentheses are valid in a URL. Parsers which try to automatically hyperlink URLs may get confused by the trailing ')'. For this same reason, despite the rules of English suggesting it, you should avoid punctuation immediately following a URL.

Re:Only traitors will vote for Oook-oook Banana

[Anonymous Coward]

troll? sounds more like what may happen to me.

Re:Disconnect

[Dun Malg]

"hey, this memo implies the F35 can climb at over 330 meters/second."

Actually, there's plenty of that stuff around, and it's actually not necessarily classified, even if it's true. In the bad old days of the cold war, I asked the security officer in my Army unit why all this crap we were working with was classified SECRET and TOP SECRET when the same exact information was available to anyone purchasing a Jane's book by mail order. It was explained to me that it was not the raw information that was secret, but rather the positive verification that it was true that was being controlled. Most classified information falls into that category, really. Very little of it is truly secret, in that nobody without clearance knows it. I've seen quite a few pictures of "people and stuff at locations in Certain Southwest Asian Countries" that I know from personal experience would be classified SECRET or higher if they were government photos rather than casual snapshots taken by a yokel or journalist with a pocket camera. What the classification of the subject matter does is bar me (under penalty of waterboarding or whatever) from pointing out which pictures those are.

Re:Disconnect

[Anonymous Coward]

I'm all for rebellion and making fun of peoples' cliques, but, um, I can't tell what you're rebelling against.

http://en.wikipedia.org/wiki/Air_gap_(computing) [wikipedia.org]

It's a common term in network security.

To avoid these terms altogether, get your technical news here [barney.com].

Re:Disconnect

[Firethorn]

Nah...

They generally start with the standard 'Sir, please get out of the vehicle'. If your response to that is not favorable, then stuff starts escallating.

The more impolite reactions are for more sensitive areas than a parking lot.

Re:Disconnect

[Anonymous Coward]

This isn't technically true. A lot (and increasingly more and more) classified (SIPRNET) traffic is carried over the non-classified network (NIPRNET) using bulk encryption devices such as TACLANEs.

http://en.wikipedia.org/wiki/TACLANE

Re:Disconnect

[Anonymous Coward]

You are absolutely correct. The USAF uses a system called SIPRNET for secret information.

Regarding your second point, you might be surprised as to how stringently the USAF, and the military in general, controls secret data. Classified Message Incidents are exceedingly rare.

Re:prevent IP spoofing - save the world

[silanea]

Who in this godless world has modded this insightful? IP addresses, MAC addresses, host names, user agents - NEVER trust any information which comes from an untrustworthy source or has travelled along an untrustworthy path. Plain and simple. If you don't trust it, kick it out. If you trust it, check it out in detail and see whether your trust was warranted.

Your suggestion is akin to enforcing valid return addresses on letter bombs.

Besides, you did hear about bot nets, did you? You know, those pesky things that keep stuffing your e-mail box with all those nice ads for penis enlargement and cheap medication? If not: welcome to life!

Re:Disconnect

[redtail]

Whenever this topic comes up, someone always incorrectly says that an "air gap" separates SECRET networks from unclassified networks. "Cross Domain Solutions" connect SECRET networks to uclassified networks. And these include "low assurance" solutions like SELiux and Trusted Solaris.

And these CDS machines also connect TOP SECRET networks to SECRET networks. Thus, two copies of SELinux sit between TOP SECRET networks and the Internet.

Re:Disconnect

[Thaelon]

I love Google as much as the next nerd, but exactly what rules are you talking about?

FTP, SMTP, HTTP, UDP, and TCP/IP still work pretty much as their respective RFCs dictated prior to Google. So do ping, tracert, and a whole host of other things.

Re:Disconnect

[adam613]

Pretty much, yes. I had several friends from college who went to work for government contractors on projects that required security clearance. The way they explained it, if I figure out on my own what they're working on, that's legal even if it is classified. What would be illegal is if they told me or gave me direct access to classified information about what they were working on.

(Also, in a lot of cases, what they were building wasn't classified, but who they were building it for was.)

Re:Disconnect

[pestilence669]

Right. Why leak sensitive information now, when you can just misplace some laptops later?

Re:Penny Arcade

[Just Some Guy]

Or you could type them like <URL:http://example.com/>, which renders like http://example.com/ [example.com] and is a standard.

Re:Disconnect

[Anonymous Coward]

I agree with your post with one exception. While Secret and up machines cannot be connected to the internet they are NOT air-gapped. They are on a glorified VPN (at least the secret machines I work with routinely both in the USA and Iraq are) with a hardware encryption solution that separates them from the rest of the internet.

We send large amounts of encrypted secret traffic over the internet everyday.

-AC for obvious reasons

Re:Disconnect

[morgan_greywolf]

It's not just public interface. They conduct a lot of non-battle-related stuff over the internet, or on computer systems that are indirectly linked to the internet. Obviously you don't plug an F-22 into comcast (although supposedly its electronics system is versatile enough that you could reprogram it to use the radar as a really powerful 802.11 antenna). However, it's quite a bit easier to just connect workstations to a typical LAN that has some computers online for logistics type stuff, even if all the actual communication takes place on the local side, than it is to maintain multiple networks for computers that need internet access and those that don't.

But not sensitive, classified material. NO systems with classified information are connected to the Internet. Trust me on this one.

Yes, some day-to-day non-classified systems do happen on computers connected to the Internet.

So, yes, they do maintain different systems -- one for classified information and one for non-classified information. What's maintained on the non-classified systems just day-to-day stuff like non-battle duty rosters or things like that.

Re:Disconnect

[marafa]

People can't [crack] hardware they can't access.

Re:Disconnect

[zippthorne]

Actually.. most of the search engines (and especially Yahoo as originally envisioned) did this.

Google just happened to be "the one with the decent results right now" (i.e. the one the SEO jerks hadn't turned their attention to yet) when moderate-bandwidth "raw" connections became popular. Prior to that, you had Alta-Vista, Lycos, Web Crawler, Yahoo, etc.

All of which had their period of most-useful-results, but google was in vogue at just the time everyone got connected, so they got lots of mind-share.

I only wish they were as good now as they were then.

Re:They've solved their own problem

[evilkasper]

2006 the Air Force decided to drastically reduce the amount of 3C0X1's (Sys Admins for all you Civi's) and move to centralized management. Mostly from the various NOSC's, and with the exception of some bright individuals most the 3C0X1's that I know that are still in are filling Work Group Manager position, while the majority of the actual IT work has been contracted out. The really bright individuals are now contractors. All this while the Air Force initially conceived "Cyber Command".

Re:Disconnect

[jonscilz]

NOT right. i work in secret environments with secret hardware and software projects and higher and most of them are connected to public access networks. the only networks with this clearance requirement (assuming the employees even adhere to these policies) that are restricted this way are government owned ones. contractors have their own rules and i see it every day. get your facts straight.

Re:Disconnect

[earlymon]

My apologies - the result of working in an insular fashion is to rudely expect others to recognize an industry-specific TLA (three letter acronym).

BDM is/was a defense contractor. Here's a quick reference: http://www.business.com/directory/computers_and_software/bdm_international,_inc/profile/ [business.com]

Re:Jurisdiction...

[LarryRiedel]

they should create their own isolated network completely divorced from the civilian Internet

Sort of like the SIPRNet [wikipedia.org]?

Larry

Re:Jurisdiction...

[Amigori]

As a former sys admin for the USAF, I think you should read up on SIPRNET [wikipedia.org] and JWICS [wikipedia.org], 2 such secure networks.

Re:Disconnect

[earlymon]

Negative on that full of shit, compadre. Happened in Albuquerque, NM. First responders came from Kirtland AFB - home to Sandia National Labs (where ALL of the country's nukes were managed), (at the time) the Air Force Weapons Lab and the Air Force Operational Test and Evaluation Center, as well (at the time) of the Air Force's contract management office.

Home to the cradle-to-grave, or inception to deployment to retirement, of our strategic nuke delivery systems. At the time, Albuquerque was a higher priority Soviet nuclear first strike target than Washington, D.C.

Sorry to burst your bubble, but there are scarier things in this world than the donut eaters you describe working for the purple-suiters. So, no apologies, not full of shit - not even a little.

And the guy in my story was a spy. And I'm not going to elaborate on what made the van different, as I said in my post.

Believe what you want. If you choose not to, it's just another horse-water-drink situation to me.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Disconnect

[INT_QRK]

Oh? See "National Industrial Security Program Operating Manual (NISPOM)," see http://www.fas.org/sgp/library/nispom.htm [fas.org]. Classified information = not yours. If your contract requires access to it, you need to abide by government rules in applying measures to protect it. Of course another problem is that not all government information is classified, and is not covered under NISPOM but still merits protection. For example using the aggregation principle, lots of otherwise unclassified information might through clever analysis reveal classified information. Also, unclassified, albeit sensitive, technical information (also protected, but under under separate directives) may not be initially identified as such until it, or the systems engineering process, reaches a certain level of maturity (e.g., back-of-napkin engineering rendered to memorandum or charts). The fact that an awful lot of unclassified information needing better control resides on networks of wildly varying quality and hardness is, or hould be, a national security concern.

Re:Only traitors will vote for Oook-oook Banana

[0xygen]

Signed integer limit is +32767.
32768 is only possible in the - domain!