Air Force To Rewrite the Rules of the Internet 547
meridiangod writes "The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than the rewriting the 'laws of cyberspace.'" I'm sure that'll work out really well for them.
Disconnect (Score:5, Insightful)
If they were smart, they would disconnect their computers from the public internet. People can't access hardware they can't access.
Re:Disconnect (Score:2, Insightful)
People can't [hack] hardware they can't access.
Re:It worked for the Army! (Score:3, Insightful)
No the Air Force listed Twitter as a tool that terrorists use.
There is a distinction. But thanks for playing.
prevent IP spoofing - save the world (Score:5, Insightful)
actually there is a very simple measure ISPs can take to prevent many attacks.
and that is to prevent their customers from spoofing the source IP in their IP packets.
If governments (starting with the US) would pressure(force by law) ISPs to do this, it can be done with out much technological difficulties.
This anti-spoofing measure can be implemented on many levels, so that even if a certain ISP does not co-operate other ISPs could prevent its customers from spoofing any IP which does not belong to the problematic ISP. This in itself helps protect against IP spoofing.
Without IP spoofing attackers are more easily identified and blocked.
Re:there's nothing wrong here (Score:5, Insightful)
Re:Disconnect (Score:4, Insightful)
You're right, of course. But this isn't about computers with Secret information, which are a non-issue when it comes to the Internet -- those machines are on their own completely air-gapped network and secured behind locked doors, alarms and armed guards.
This is about the Air Force's services that are on the public Internet. The Air Force, like the other branches of the military and other government agencies, needs to interface with the public. One of their primary means of doing that these days is through their Internet presence.
Of course, sites in the .mil domain are going to constantly be hammered by cyber criminals, bored teenagers and even spammer gangs trying to bring down the sites.
The USAF would like to alter the permissive and decentralized nature of the Internet through technological and possibly political means to suit itself.
All I have to say is good luck with that and uh, get in line. Companies have tried and failed for years to mold the Internet in their own image. Companies with billions and billions of dollars to throw at the matter. Companies who were once powerful juggernauts and 800 lb. gorillas finding themselves becoming increasingly irrelevant...
Re:They've solved their own problem (Score:5, Insightful)
VPN?
How bout a private network.
Which is what all secret and above classifications use.
Physically disconnected from the internet.
Physically inaccessible by the plebes.
Code auditing, memory wiping, classification-based job scheduling (a machine works only on secret defense or only on top secret or only on top secret nuclear, or etc. jobs at a time, never mixing), secure attention keys, custom hardware, physical security, surveillance, custom hardware, etc.
I'd say that, for the shit that matters, they've got a pretty good setup. But let's listen to the internet nerds who think they know everything. They'll tell us how to fix it.
Re:Disconnect (Score:5, Insightful)
You know
Re:Disconnect (Score:5, Insightful)
Correction: any computer which is supposed to be allowed to access Secret information is not allowed to be hooked up to the Internet. I suspect there is no way to enforce the rule as you state it without possibly divulging what is secret and what is not. For example if I'm monitoring a computer and find that a bunch of files have been deleted, I might look at one of the files I downloaded that was purged, and say, "hey, this memo implies the F35 can climb at over 330 meters/second."
What I'm saying is that it's best not to trust in systems to operate according to the rules.
Attack and defend? (Score:4, Insightful)
Re:Disconnect (Score:5, Insightful)
Yes that is pretty much the first rule. any machine with senitive data is not hooked up to the Internet. Not even via a firewall. They call it an "air gap" but today with wireless the term is an anachronism but still you get the idea "no connection at all".
Computers that handle REALLY sensitive stuff can't even be connected to normal AC power systems or even to normal building ground wires.
Many of the computers have removable disk drives. That is where ALL of the drives can be removed without tools. The rule requires the drives to be removed and stored in a safe when not in use.
Believe me they do have a few smart people who understand security and they have a decent educational system in place where people have to go to class and read some papers before they can use systems that handle sensitive information. And they are required to re-take the classes periodically
But then there are always ideots and weven normal people forget and make mistakes. But then typically some guard is assigned the task to walk around a pull on safe handles and check that desks are clear and so on. Hell likely catch most of the mistakes
Low Bid Wins (Score:3, Insightful)
That doesn't work because the low bid always wins. What would be better would be if the government shifted from a bid system to a fixed bid system. ie: This job is for $50k, this is what we want, now tell us how you are better than the other guys. That would be 100x more effective, but also 100x more time consuming because then they would have to READ EVERY PROPOSAL, not just the two lowest ones.
achilles heel (Score:5, Insightful)
The Air Force excels at just about everything they do. But for the past decade or two, their Achilles Heel has been computing technology because it moves faster than anything else they're used to.
The Air Force is a very old organization and although they can generally respond to most anything quickly, overall change tends to happen very very slowly. Not long after I enlisted in 1998, there were rumors that the uniform was going to change from the classic camouflage pattern to a kind of pixellated-marble look. Based on what recent photos I can find, they're still only about halfway through getting the new uniform out to everyone.
Also, I know for a fact we're still flying some planes with vacuum tubes in the autopilot computer even though upgrades for all airframes have been around since at least the 80's. Most of the technical manuals that I used to repair avionics were between 25-40 years old and still had technical errors in them. (We weren't able to make corrections to technical manuals any more than you'd be allowed to make pen-and-ink corrections to a federal law.)
Computer use only became common in most squadrons about 10 years ago and even then, they were not really used for the correct purposes. Some captain would get the bright idea that somebody should use a spreadsheet program instead of a paper form for some menial task, force everybody to use it, ignore the pleas from his subordinates that it tripled the effort required to perform the task, and then make up some elaborate report for his commander about how he just saved the Air Force $358,000.
While I was in the service, the Air Force never really caught on that you had to hire and train smart people who know about computers if you wanted to make the most of them. Some squadrons took young administrative airman fresh out of tech school and sat them down in front of the admin console and said, "All right, it's your job now to make sure this doesn't break." This is very uncharacteristic of the Air Force as you normally need at least several weeks of training before you can be trusted to mop the floor correctly. But when a commander has something that needs to be done and he doesn't know how to do it, it's not at all uncommon for him to assign someone to it while implying that they should be rather quiet about it.
Others units farmed out network administration to government contractors like Lockheed Martin which wasn't any better because most of their employees are old military retirees who thought they were going to get paid more as a civilian for doing the same thing they did in the military and ended up being wrong on both counts. (Got seven stripes and an MSCE? Then they're hiring!)
I guess this long-winded point it that it doesn't surprise me that high-level Air Force officers are saying, "Hey, who says we can't control this thing? We're the Air Force, after all." They're used to having fine-grained control over everything in their view and a high degree of security surrounding it.
In other words, the Air Force is still nowhere near where they need to be in terms of network security. The only encouraging part of this is that they finally realize it.
Jurisdiction... (Score:5, Insightful)
The AF can deal with someone in a nearby van, but not easily deal with someone anonymously using a free wifi connection in Europe that is bounced through 5 different servers. Even if they were able to completely track an attacker, how do they deal with multiple international jurisdictions?
Re:Disconnect (Score:5, Insightful)
That's a pretty radical change to before-google-became-all-too-popular times.
Re:solution .. (Score:3, Insightful)
Re:prevent IP spoofing - save the world (Score:3, Insightful)
You've just eliminated IP spoofing by legitimate users of American ISPs. You've done nothing about the rest of the Internet. Besides, botnets don't require IP spoofing; they've already got control of random IP addresses to attack from.
Re:prevent IP spoofing - save the world (Score:3, Insightful)
all dynamic IPs are owned by an ISP, and they log when you are using it (otherwise, how would they not bill you?)(and lets face it, to any ISP, military network security comes a long way down the list of priorities with 'bill you' right there at the top).
So, given the time of hack and the dynamic IP, the ISP knows who it was.
It'll work, if cyberspace != internet (Score:5, Insightful)
The headline here says 'rewrite the rules of the internet', whereas the Wired article talks about 'rewriting the rules of cyberspace.' Subtle difference here.
The internet exists as it is--fundamentally an IP-based network connected in all the ways we know about, routing, addressing, etc.
The thing is, there's no reason that the Air Force (or anyone else) couldn't create their own, entirely incompatible version. Start with something that has guaranteed QoS, hard-wired source addressing, encryption at the equivalent of the transport layer, content-metadata in the packets (or equivalent to packets--it doesn't have to be a packet protocol at all), etc..
If you need to connect it to the internet, create a tunneling protocol, or a translating switch. Make it different. Make it incompatible. Make it rigid in its requirements. You CAN create a secure network, but not if it's based on the same technology that makes up the existing internet.
Re:Disconnect (Score:5, Insightful)
Altavista, Hotbot, and MSN are not verbs. Yahoo! tried to make its name a verb(with their "Do you Yahoo?" slogan) but failed. Ask [ask.com] is a verb, but unlike Google, Ask was born a verb, it wasn't made one because of its ubiquity and popularity among the masses.
Re:Jurisdiction... (Score:3, Insightful)
rewrite international law? i mean, it's about as practical/realistic as rewriting the rules of the internet to give yourself the sole advantage in cyberspace.
aside from the impossibility of rewriting the rules of other people's networks and eradicating internet anonymity, what they're asking for is basically to change networking protocols to give them abilities that they want to deny others--how do you create a networking protocol that allows you to trace any packet back to its sender, but allows you to retain the ability to spoof your own attacks?
Re:Disconnect (Score:4, Insightful)
Google changed something about how the internet is used and perceived by people. I'm not discounting this but the USAF is trying to change something more fundamental about the internet. The effects that they want would require scrapping TCP/IP and replacing it with something else (it may still be called TCP/IP but it will be something entirely different).
This is like claiming that the "Obama Revolution" is fundamentally changing the nature of the United States and then somebody coming along and saying that they want to change the Law of Gravity. They're just not on the same scale.
Re:They've solved their own problem (Score:3, Insightful)
I'm not sure that means what you think it does....
The threats from the outside world can make their way into the physical spaces which are protected computer areas... via usb, camera, cell phone, and other yet to be named methods. So it is quite important that all military accessible computer networks are protected. It only takes ONE USB stick or MP3 player to plant what could turn out to be a very bad thing. Virus software has the patience and time to sit and wait, staying undetected. Antivirus programs only protect you against virus code that has been detected. Done correctly an undetectable virus can sit there for months waiting for access to other networks/computers. I would think DDoS is hardly the problem they lay awake at night thinking about. I'd think any kind of 3-10 minute disruption of NORAD data would be a nightmare for the USAF. That doesn't even mention or consider rogue flash message traffic on the communication network of the USA military. Imagine the damage of one seemingly authentic flash message to European based nuclear counterstrike commands. Even if it is detected as false in the first few minutes of it's life, those few minutes of confusion could be dramatically bad for the world. So I don't really think common network threats are what they are worried about.
Now they even have to worry that test equipment, laptops, test software packages, everything has the ability to import a nasty virus inside their network now. The more risks they can easily mitigate, the cheaper and easier the task of working on the others should be.
Re:Shouldn't the IPs all be in the same block? (Score:3, Insightful)
that's still a pretty big IP address block for the attacker to choose from. and if they wanted to conceal their identity even further, they'd likely just use an anonymous proxy or tunnel through a zombie PC or other compromised hosts.
just as in real life, you cannot eliminate anonymity on the internet completely. you can tag & chip every individual from birth, but someone can still walk up to a wall with a can of spray paint and leave an anonymous message.
Re:Penny Arcade (Score:1, Insightful)
Thanks for the tip! Maybe there should be a formatting FAQ-link for new posters above every news post or at the floating slider.
Re:Jurisdiction... (Score:5, Insightful)
Right. And some harsh realities have to be realized by the AF or any DOD department.
1) The Internet does not belong to America. Period. It is a global network of good guys and bad guys, and the rest of the world won't, nor should they abide by our rules.
2) The Internet does not belong to the military. It has far more to do with domestic and international trade and information than it does to various arms of the DOD.
If the USAF wants a secure network, then they should create their own isolated network completely divorced from the civilian Internet. I'm sorry if that means generals can't look at porn sites from their office, but that's the way things go.
Re:Only traitors will vote for Oook-oook Banana (Score:5, Insightful)
I am a Liberal.
I believe in the Constitution which contains the right to bear arms and seperation of church and state.
I believe in the United States of America, not Jesusland.
When the American Right stops trying to destroy the First Amendment, which incidentally comes before the Second Amendment, I will consider it.
Until then, you're welcome to relocate to a country more amiable to your theocratic oligarchy: I think Iran would suit you nicely.
Re:Disconnect (Score:4, Insightful)
Bookmarking is obsolete? Since when? I and everyone I know who has a computer with internet access has some bookmarks.
Bookmarking would be obsolete for people who only do research on the internet (and not even for all of them) and only visit sites that are as popular as Slashdot or Digg. If they like any, even just one, slightly more unknown site than that they risk not being to find it again if they can't recall the exact url. How high on the list of results from a search engine a particular site would show up on changes day to day, even hour to hour. It might tenth in the results one day and not even on the first page of 100 the next. Anyone who tried to just use Google instead of bookmarking would quickly learn better. Seriously, how can you think Google made bookmarking obsolete and who modded up this nonsense? Google astroturfers, maybe?
Re:Disconnect (Score:4, Insightful)
Re:Only traitors will vote for Oook-oook Banana (Score:1, Insightful)
Re:Only traitors will vote for Oook-oook Banana (Score:4, Insightful)
I couldn't have said it better.
Except I am neither liberal nor conservative. I am an American patriot and believe in the Declaration of Independence, the Constitution and the Bill of Rights. I also believe in capitalism and separation of church and state.
But, I will never again vote for any republican since they began their campaign to destroy the foundations of American democracy and switch the country to capitalistic dictatorship and the military industrial complex.
I have NO fear of Obama. And contrary to the neocon rhetoric, I have no doubt he will uphold the principals of democracy, unlike the last 2 douch bags he and Biden will be replacing shortly. I am also a gun owner and support the right for all Americans to form Militia to defend our land and freedoms.
Actually it's the neocon side of the isle that will seek to take our guns from us. Dictatorship is easier when the masses cannot shoot back.
Bush & Cheney have done more damage to the country and world than should have been allowed. I hold all republicans and their supporters guilty of high treason for this. Now they have 2 more whacked out fruit cakes, John McBush & Sarah McCheney they want in there to continue the destruction.
Isn't it obvious that McBush & McCheney, as people, are just as stupid as George W. Bush? Cheney is not stupid, he is just pure evil.
"Our enemies are innovative and resourceful, and so are we. They never stop thinking about new ways to harm our country and our people, and neither do we." George W. Bush
Re:Attack and defend? (Score:3, Insightful)
So they want to simultaneously change the underlying network fabric in order to make their systems unattackable, and also be able to successfully attack any other system at any time? Does no one there see a disconnect between these goals?
No, I don't. In fact, they seem quite compatible as goals. Chinese are doing the same thing too.
Re:Only traitors will vote for Oook-oook Banana (Score:1, Insightful)
I see far more first amendment attacks from the American Left than I do the American Right.
Internet boards, like this one, are filled to bursting with posters who bash on Religion, especially the Big C, with the heat of a thousand stars.
The reverse is not true. Most of the Atheist bashing I see is confined to odd little corners of the Internet, such as forums dedicated to fundamentalist worship of one flavor or another, or the 42nd page of the newspaper.
In general web surfing I'd say the religion bashing posts outnumber the Atheist bashing posts by a ratio of about 10,000:1. No I'm not exaggerating for dramatic effect.
When the American Left starts embracing the 2nd Amendment of the Constitution as strongly as the 1st then I'll consider joining.
This isn't to say that I'm comfortable with the hysterics of the "Religious Right", it's just that I don't find the hypocrisy of the "Sectarian Left" any more pleasant or rational.
Re:Disconnect (Score:4, Insightful)
This may sound corny, but for America's sake. No reason to explain a poker tell when you're winning because of it. That was just part of my training from back then - I'm out of that world, but still respect the training.
Re:Only traitors will vote for Oook-oook Banana (Score:4, Insightful)
You seem to have confused people exercising their first amendment right with attacks on the first amendment.
Criticism of someone else's speech is not an attack on the first amendment. Geographically restricting free speech [wikipedia.org], on the other hand, is.
Re:Only traitors will vote for Oook-oook Banana (Score:4, Insightful)
Re:Only traitors will vote for Oook-oook Banana (Score:4, Insightful)
I hold all republicans and their supporters guilty of high treason for this.
While I agree with a lot of what you say, I think you're overstepping a line here. Find the scumbags who've actually done something wrong, and hold them responsible for their wrongdoing. Charge them with treason if they've committed it.
But don't hold innocent republicans, or those who innocently vote republican, responsible. At least not if you value the rule of law.
"I disapprove of what you say, but I will defend to the death your right to say it."
I hate neocons just as much as you do, and I lean more left than right (so the republicans wouldn't get my vote, were I eligible to cast it) but I will defend them here in spite of that, so that someone will defend me when I need it.
Re:Disconnect (Score:3, Insightful)
Yes, I wanted to tell my story in direct response to the parent of my post. Maybe you lost the thread, sorry.
Besides, it was an interesting story. If people stop telling interesting stories because other people get too concerned about "ontopicness", Slashdot will become significantly less worthwhile.
Now, I grant you that my girlfriend already thinks that Slashdot isn't worthwhile, but that's another story.
Re:Only traitors will vote for Oook-oook Banana (Score:3, Insightful)
Re:Disconnect (Score:1, Insightful)
Be careful with the reductio ad absurdum there. No security is perfect security, fine. But disconnecting a device from the network is a damned good way to eliminate the network as an attack vector.