Air Force Aims for Control of 'Any and All' Computers 468
Noah Shachtman on Wired.com's Danger Room reports that Monday, the Air Force Research Laboratory at Wright-Patterson AFB introduced a two-year, $11 million effort to put together hardware and software tools for 'Dominant Cyber Offensive Engagement.' 'Of interest are any and all techniques to enable user and/or root level access,' a request for proposals notes, 'to both fixed (PC) or mobile computing platforms ... any and all operating systems, patch levels, applications and hardware.' This isn't just some computer science study, mind you; 'research efforts under this program are expected to result in complete functional capabilities.' The Air Force has already announced their desire to manage an offensive BotNet, comprised of unwitting participatory computers. How long before they slip a root kit on you?
new meme (Score:5, Funny)
Imagine an AirWolf cluster of these......
Re:new meme (Score:5, Funny)
Comment removed (Score:4, Funny)
Re:Open Farce (Score:4, Informative)
The open security community has been turning a jaundiced eye on NSA ever since its existence was leaked.
As far as I can tell, trapdoor algorithms and public-key cryptography in the public sector were developed based on speculation on the sort of thing NSA MIGHT have built into what became DES.
(Eventually - about the end of DES' design lifetime - it turned out that the funny symmetries that were noticed in the NSA-prescribed S-boxes were apparently a defense against a type of cryptoanalysis that the public sector hadn't reinvented yet. NSA has a dual charter: Spy on everybody else, but protect info in the US, both public and private sector, from bad guys foreign and domestic. Apparently they were actually living up to the nicer side of the coin. THAT time. B-) )
I'm sure the private sector crypto researchers will continue keeping a sharp eye out for shenanigans. (But it doesn't hurt to publish a reminder now and then. B-) )
Hmmm... (Score:4, Insightful)
Tools? Seriously? Any toolset is going to have to be constantly adaptable, and is going to fall victim to the same problem as all other computer security stuff: it's obsolete almost as soon as its written.
They'd be better building a strong infrastructure, and recruiting top talent than trying to build some kind of software package, presumably to be manned by some kind of enlisted man script kiddie.
Even then, they're going to get the same kind of penetration as everyone else. 20%, 30% maybe, on a good day. You can't even rely on vendors to insert backdoors; the best choice for that would be microsoft, and adding a backdoor to Windows would be redundant in most cases.
Re:Hmmm... (Score:4, Insightful)
Re: (Score:3)
I think they are going about it the wrong way. By throwing around buzzwords for the sake of doing so, those who actually have a clue will avoid them like the Jar Jar Binks show.
The Air Force Cyber Command [af.mil] has already shown that it lacks original thought in its choice of a command patch [airforcetimes.com], which hasn't pleased everyone [afblues.com]. I'm beginning to think that the USAF just need
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Whether they succeed on not the implied precedence is that the government has the right to take over your "extended mindspace" whenever they jolly well feel like it.
Re:Hmmm... (Score:5, Insightful)
Trying to use automated tools is exactly the sort of thing I'd expect to see them do, but automated tools are of limited utility these days. Maybe one day computer systems will achieve some sort of "normal" configuration, where one size will fit all, but I don't see that happening for years.
My home machine takes innumerable hits from scripts trying automated attacks; 95% of them are trying to exploit software I'm not running. The ones that actually have it right still have a very low rate of trying attacks that could possibly succeed.
Some random hacker in China wouldn't care that they had to run an automated attack against 10,000,000 machines to infect 1,000, but that won't cut it in war. You need trained people. Those people need amazing resources.
This? This is a joke. That money could be better spent by not buying pre-hacked security appliances.
Re:Hmmm... (Score:5, Insightful)
Anyway, hacking is more likely to be the domain of No Such Agency.
If you want "gifted," don't bother looking in Washington and environs. Plodders, ass-kissers and shysters, those you can easily find. It's the company town from hell.
Who comes up with ideas like this? (Score:5, Insightful)
You know they'll get what they want out of commercial OSs by putting pressure on the vendors. Linux and the BSDs are too much of a moving target, and OpenBSD is run out of Canada anyway. If ever there was an article that needed to be tagged 'goodluckwiththat,' this would be it.
Re:Who comes up with ideas like this? (Score:5, Funny)
My boss called me two seconds after the conf call ended. Since I saw the caller ID, I knew what was coming, and I answered the phone, "Was that inappropriate?" "Yes," was the answer, "but very funny. Don't do it again."
Re:Who comes up with ideas like this? (Score:5, Insightful)
It's pretty much the same as in some European countries, where they try to create some sort of "cop trojans" for eavesdropping on suspects. They just heard how effective those bots and trojans are for the criminals and want the same efficiency for themselves.
Yes, botnets are hell of efficient in bringing down a network. Yes, trojans enable you to control your victim's computer. What they do not realize in either case is that the efficiency comes from liberal shotgun application of the infection. You spread your malware a billion times, it gets looked at a million times, it gets installed a thousand times.
In the case of the "copper trojan" it won't work because the chance to actually infect a machine is so minimal that it won't warrant the necessary expense (not to mention that it's far more likly to warn your suspect rather than get you any information). In the case of an "Air Force botnet", the fallout from negative PR is certainly going to do more damage than good.
Both problems don't apply to the criminals. Why should a botnetter care that nobody in the US likes him? Why should a phisher care whether he infects a certain machine?
And that's what our representatives (and military brickheads) don't get. Using criminal tactics first of all doesn't work. And second, resorting to the same tactics criminals use gives you really, really bad press.
I think you don't know what "hard-kill" means. (Score:5, Funny)
"Soft-kill" would mean destroying you computer and therefor rendering you ineffective. "Hard-kill" would mean shooting you in the face and therefor rendering you dead.
Re:Seconded. (Score:5, Insightful)
Just putting effort into the software side would only add to that threat, and doing what the NSA does and just smirking and saying, "That's classified" when anyone asks them about their cyber crap would only make the threat more credible.
This is like watching some script kiddie waltz into an IRC channel and start swaggering. You know people are going to sneer, and you know someone is going to take a shot at them.
Re: (Score:3, Funny)
If you ask me.... you didn't but.... (Score:5, Insightful)
Re:If you ask me.... you didn't but.... (Score:4, Interesting)
Problem is (for them, not us), after this, any commits made to Linux or BSD or anything that don't seem to add anything, make unnecessary use of network commands or seem in any way unsafe will be set upon by every tinfoil hat freak out there, same with new contributors, so they'll have a really hard time doing this.
Re:If you ask me.... you didn't but.... (Score:5, Interesting)
accidental downloading of large bits of "spam" will contain encrypted data which, when the CPU notices that the network interfaces (or the nearby electro-magnetic spectrum) are blipping up-and-down in some not-exactly-random pattern, begins to interpret the SPAM (or EM noise) in some morse-code-like way that activates the CPU to "phone home".
suddenly all the DRM in your hard drive and motherboard which is normally used for DMCA coercion, gets activated for other purposes.
given that the encryption in the DRM is at a level higher than the highest level specified by the DoD for ultra-top-secret material, it will of course be perfect for taking over your computer.
overall i wish i was entirely joking about this, but it unfortunately makes far too cohesive a story.
let's call it a joke, anyway. ha ha.
Re: (Score:3, Informative)
The GP post wasn't speaking literally. He was saying that the Government doesn't regard its own illegal actions as illegal.
It's a Nixon quote that he's referring to. "Well, when the president does it that means that it is not illegal."
http://www.landmarkcases.org/nixon/nixonview.html [landmarkcases.org]
Re:If you ask me.... you didn't but.... (Score:4, Insightful)
1) there is virtually 0 chance of implimentation
2) there are too many people out here who are smart enough to code there way out of anything the AirForce might attempt to implement
3) just how do they plan on getting root access to my box? I mean honestly - 11 Million dollars isn't going to cover the cost of getting to root on my little home computer - how precisely do they plan on getting root on every single server and home PC?
Re: (Score:3, Interesting)
Re:If you ask me.... you didn't but.... (Score:5, Insightful)
In fact I think I'll set up a honeypot just for them. Bastards got 4 years of my life, they're NOT welcome to the contents of my computer. Like you said, it is illegal for them to do so, and whatever lawless nutcake Colonel that thought up this outrage should be court-martialed and sent to Leavenworth [wikipedia.org].
3rd Amendment fun? (Score:5, Interesting)
Humorously, I could see a lawsuit from this opening up the door for the first expansion of the 3rd Amendment since Engblom v. Carey [wikipedia.org] if they did compromise the machines of US citizens to use in an offensive botnet. Arguably being forced to host Air Force activities on your private property violates the same kinds of rights that the 3rd Amendment protects.
The Second Circuit said:
Re: (Score:3, Insightful)
Also, for all of the inevitable "They'd never be able to pwn MY PC" post here, please stop thinking that typical
Re: (Score:3, Insightful)
which immediately makes the host countries "complicit" with the efforts of the united states, thus making them legitimate targets as well.
which, in the case of a wartime situation, would arguably make them justifiably _real_ targets as well.
overall this is a monumentally fucking stupid idea of the united states air force, at every single level, in every single possible way, without exception and without any
Re: (Score:3, Insightful)
Re:If you ask me.... you didn't but.... (Score:4, Funny)
They aren't buying your machine, they're drafting it.
Re: (Score:3, Insightful)
Like it or not, the US has been pretty benevolent for a lone super power. Yes, you can point to Iraq where the US toppled a longstanding dictator that really was "evil". Sure, but that's about as bad as it gets less you go back a few 100 years to the native Americans. There are lesser evils the US has done, like some issues with South American governments. And more.
Eleven million? Good luck. (Score:5, Insightful)
I admire your optimism, USAF, but $11 million dollars is simply not going to make that happen -if it can even be done. Software companies have enough trouble just getting their *own* software to work installed on *willing systems*, and some of the bigger ones spend that kind of money just getting it to work on one operating system withing a reasonable set of constraints.
Take into account the fact that you will also be most likely using pre-existing exploits, which will be repaired swiftly by responsible developers that watch security RSS feeds, and this is a red herring task. If you are talking about spending 11 million dollars on doing your own research towards establishing remote control by examining source code or reverse engineering to find new exploits, then honestly, you aren't just crazy- you are batshit crazy. You're going to need a whole hell of a lot of money to do that.
Re: (Score:3, Insightful)
I am less pessimistic. WMF files were exploitable for what? 11 years before it was leaked? JPG files via Quicktime for years. Excel exploits that were not fixed for years. Just becauase a vulnerability was discovered on the 1st and patched on the 20th doesn't mean it only existed for 20
Re:Eleven million? Good luck. (Score:4, Insightful)
They'll need more than luck. (Score:4, Interesting)
Better than the Great Firewall of China (Score:5, Insightful)
At first glance, it seems that this would easier to do by simply mandating government backdoors in all operating systems. Wait. Not only does a legislative fix not work work for FOSS, it's also likely to start a tremendous uproar until you show enough people a video of Britney Spears's latest car accident...
The big problem with this... (Score:5, Insightful)
Over time, systems change. That means after this two-year study and eleventy-million dollars later, it's worth very little a year down the road. In three years, we're virtually guaranteed to have nothing for the efforts, except a statement saying "Oh, we learned a lot, and now need continuing funding. Please give us more money."
Although many holes in software exist for a long time, they are generally patched within a couple months once discovered, usually sooner. And as soon as the military activates one of these holes, it'll be analyzed and patched. That will remove one of their finite resources.
100% control of all platforms and systems is beyond ludicrous. They might as well wish they could read minds, teleport, and find Carmen Sandiego. Or at least Osama.
Re:The big problem with this... (Score:4, Informative)
Usually the types of holes stay consistent, and a hole can go unnoticed for quite a while (take a look at the recent Debian issue).
Yes, this is the sort of thing that needs to evolve over time, but even then, the computers you want to compromise may not have the latest patches and updates (may not be in the position to get them, may not be undergoing regular maintenance, may be deemed to critical to risk on untested patches leaving them vulnerable which the patches are tested, or the company may have simply EOL the OS/software and there may be no patch to get).
If you were right, and all holes were patched and fixed, leaving computers invulnerable, then there wouldn't be a problem today with malicious botnets being used to send spam, perform DDoS attacks, and for use in Phishing and other Fraud/Identity theft schemes.
Re: (Score:3, Interesting)
A popular
Th
Comment removed (Score:5, Funny)
Re: (Score:3, Insightful)
Military ethics are written by the military. If their code of ethics says it's OK to drop napalm on civilians (as the ethics were during Vietnam) than it is not unethical to drop napalm on civilian villages, even though it is certainly immoral by any moral standard I've ever heard.
Re: (Score:3, Interesting)
The thief's code of ethics says that stealing is necessary. His code of ethics forbits leaving something where it might be stolen.
Re: (Score:3, Funny)
Re: (Score:3, Funny)
my fear ..... (Score:3, Interesting)
You know my fear is when I wake up one day and my cable, phones, and internet doesn't work because the US and some nerd terrorist group are caught up in some sort of cyber war. Knowing that war fair has finally started to use network assaults the same way they use stealth planes is really a sign of the times.
We all know that the internet is not secure, we all fight to keep it open. I assure you the last day we freely browse to other country sites will be the day we get a news worthy terrorist botnet attack that shuts down the likes of teh red cross. and gives the government a chance to sever the cables that connect us to the rest of teh world and insert some sort of keyed routers that you need a passport ID to traverse.
Re:my fear ..... (Score:4, Insightful)
Disrupting communications is frequently an important move before attacking.
Re: (Score:3, Funny)
Or...
"A communications disruption can mean only one thing... invasion!"
Sorry... couldn't resist.
Even more reason (Score:5, Funny)
Re:Even more reason (Score:5, Funny)
what they want and what they'll get rarely match (Score:5, Insightful)
Re:what they want and what they'll get rarely matc (Score:3, Funny)
Hardware - the only solution to this problem (Score:3, Interesting)
Re:Hardware - the only solution to this problem (Score:4, Insightful)
Yeah, sure. (Score:5, Funny)
Re:Yeah, sure. (Score:5, Funny)
Constitution Violated by Domestic Military Ops (Score:5, Interesting)
So the Air Force can do whatever the spooks (and their Bush crony masters) want, like fly surveillance drones, record and datamine us against satellite surveillance, and help the NSA filter every bit of our telecom.
Because these people hate the Constitution. They hate our freedoms and rights the Constitution instructs them to protect. They hate us. Because we get in the way of business, which is to spend on war the maximum amount Americans can make or borrow.
Feel safer?
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
I didn't say it's "malice". I said it's greed. It's certainly not "idiocy", unless you call "idiocy" the brilliant execution for decades a plan that has stolen $TRILLIONS from hundreds of millions of Americans for killing millions of people, to their exclusive benefit. Idiots don't pull that off. And it takes even smarter people to get people in the public
$11m? (Score:4, Insightful)
(Holds pinkey finger to corner of mouth) "One Million Dollars." (The one where he travels forward in time, not the one from the 60s.)
Armed Forces used against American Citizens (Score:5, Insightful)
Re:Armed Forces used against American Citizens (Score:5, Interesting)
You are probably thinking about the Posse Comitatus Act (http://en.wikipedia.org/wiki/Posse_Comitatus_Act [wikipedia.org]). However what that act really prohibits is the use of military forces as peace officers within US borders. Hacking into citizen's machines to use them as part of a botnet wouldn't fall under that.
A couple of people have brought up the Third Amendment (http://en.wikipedia.org/wiki/Third_Amendment_to_the_United_States_Constitution [wikipedia.org]) which covers the quartering of soldiers in private homes. I am not a Constitutional lawyer but I'm guessing that doesn't really apply either in a strict literal sense or in the spirit of what the authors intended. The intent was purely in people being forced to quarter soldiers. There's no mention of whether or not the military has the right to seize assets they might need, which is closer to what they would be doing in this case.
If I had to guess (and I would have to) I would think the Fifth Amendment (http://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_States_Constitution [wikipedia.org]) is probably more applicable. Its final clause is "nor shall private property be taken for public use, without just compensation". Hacking your system and using CPU cycles and bandwidth without permission would seem to constitute at least a form of taking of my property. They may not physically take it but they take control of it and even though I get it back later the clause doesn't say it's ok for them to take property as long as they bring it back.
Heh. (Score:4, Funny)
dear air force morons: (Score:5, Insightful)
Re: (Score:3, Insightful)
I'm against it mostly because I think it's just a foolish waste of money that will only breed ill-will and accomplish nothing, or next to nothing.
Re: (Score:3, Insightful)
Certainly you want to copy your enemy if the tactic is say, 'duck!'
Re: (Score:3, Interesting)
The putative "high ground" you would have us claim here is: "We do not dabble in cyber hacking." If we take that position, and fancy ourselves morally superior for doing so, then the next (and inevitable) cyberwar will be over very v
there are many battlefields (Score:4, Insightful)
the battle of course, is abstract. it is the battle for the hearts and minds of the people in your country and other countries. so if you invalidate the cause you fight for, what have you won?
it is not good enough to merely dominate in all matter of physical warfare. you must also dominate in ideological warfare. and ideological warfare is not about media manipulation or propaganda. it is about simply picking a cause to stand for and adhering to it
if the people don't believe in what you are fighting for, then your physical military efforts are pointless. likewise, if the people do believe in what you are fighting for, then your enemy can achieve stunning battlefield dominance, and yet it all of their gains will fade over time. you have to ask yourself what the point of war is. is war merely a shoving match over physical turf? on one level it is, but it involves the values of the societies fighting over that turf as well. the groups that achieve physical military dominance and solidify their gains over time, are the ones that fight for values that actually have greater staying power than their enemy's. so the only lasting victories are the ones that actually stand for something
i am not in any way failing to understand traditional military wisdom. but i will suggest to you that my pov might have a better understanding of traditional military wisdom
Commander Adama was right... (Score:3, Insightful)
Third Amendment, anyone? (Score:5, Insightful)
Re: (Score:3, Insightful)
USA = United States of Advertising (Score:3, Informative)
How many marijuana spotting drones are YOUR tax dollars paying for today?
Your country is closer to Communist China's philosophies than you think, but you're too busy working and consuming to care.
Rise, Bill Hicks, Rise from your grave! We have no one like Hicks or John Lennon to rally and speak to the people. SLAVES!
From experience... (Score:5, Insightful)
Now the previous comments about them spending $11m and then 3 years later asking for $11m is close but also wrong. They will ask for at least double that, every 3 years (take a look at their POMs in the future), indefinitely...
Isn't this a violation of my rights? (Score:3, Insightful)
3rd:prohibits the government from using private homes as quarters for soldiers without the consent of the owners.
4th:guards against searches, arrests, and seizures of property without a specific warrant or a "probable cause" to believe a crime has been committed.
Any and All? (Score:3, Funny)
Pushing rope (Score:5, Funny)
Re: (Score:3, Informative)
This would break the law in the UK. (Score:3, Interesting)
Legal papers or lead? Your choice...
Good Security is a Two Edged Sword (Score:3, Informative)
This whole Air Force concept speaks to a larger issue or misconception within our society, particularly among non-IT professionals, that it is somehow possible for technology to be available for use by the "good guys" and yet not also available for use by the "bad guys". There was a similar case (sorry have no citation) where a senator expressed the viewpoint that copyright holders should have the capability to remotely "break in" to any computer system and "destroy it" once they have shown to a judge, perhaps through some warrant processes, that it contains their copyrighted materials (of course nothing was mentioned about how this would be achieved or even could be achieved in practice). If we want the benefits of a secure operating system and strong encryption then we must also be willing to accept the possibility that such tools might be used against us, but in such cases it is wise to remember the words of one of our founding fathers, Benjamin Franklin, who said that, "Any society that would give up a little liberty to gain a little security will deserve neither and lose both."
Sounds like inter-service turf wars (Score:3, Interesting)
But if there's one thing that armed services habitually put more effort in to than preparing for war, it's engaging in bureaucratic cold wars between themselves. And if one branch of the US government puts their hand up to do "cyber-war", you can bet your bottom dollar that half a dozen others will want a piece of it too.
Re:SETI@Home (Score:5, Insightful)
Why the fuck would the United States Air Force want a botnet, when they could have the real thing? A tightly integrated computer network with near unlimited bandwidth, satellites, super computers, massive clustering, and secure, integrated control.
Botnet. Jesus. Someone take the freaking tech magazines away from the air force brass before they start doing social networking or some crap.
Re: (Score:3, Insightful)
Re:SETI@Home (Score:5, Insightful)
What bothers me is when they do something that's just flat boneheaded, and clearly the result of someone in the chain of command who doesn't know crap about anything, shooting his mouth off and making policy.
If they want to do the whole "cyberwar" thing, they need to take it seriously, and put people in charge who have the faintest fucking CLUE about what they're supposed to be doing.
Re:SETI@Home (Score:5, Insightful)
Re: (Score:3, Interesting)
Re: (Score:3, Funny)
Oh ye of little clue.
Re:SETI@Home (Score:5, Interesting)
Re:SETI@Home (Score:4, Informative)
Re: (Score:3, Funny)
I can think of a few reasons (Score:5, Insightful)
Not that I'm condoning any of this, mind you. Just saying, I don't think the Air Force brass are all total idiots.
Re:I can think of a few reasons (Score:5, Interesting)
Of course, there's nothing to stop you from setting up some honey-pots, figuring out the control commands, and taking control of a large chunk of the botnet, since it *isn't* centralized. then turn it on the parts you don't control, or the central c&c computers, or other "targets of interest."
Or use it to create "false flag" attacks.
Or a few rounds of "Do you want to play a game?"
Re:SETI@Home (Score:5, Insightful)
Re: (Score:3, Informative)
The real reason is probably to hide who's doing the attack.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
The 'Air Force'? No. Idiot individual members? Yes.
14 yrs ago, we had an E-4 busted for having 100mb of porn on his work PC. 11 yrs ago, we had an entire office reprimanded for having a 'not illegal in the US but illegal in Saudi Arabia' screensaver on the office PC's.
Granted, its a lot harder now, because individual machines, and the network, are a locked down a lot more. But idiots will still bring stuff in from home on
Re:SETI@Home (Score:4, Insightful)
In your excitement you've overlooked one minor detail; the US gov't has decreed it is going to move all its systems down to 50 or so access points to the wider internet. So no matter how big and bad a system the Air Force might concoct on its own internal network, it would still be hampered by the internal to external gateway speed and if those 50 gateways are known, they're easily blocked. So they wouldn't be able to Botnet-bomb the whoever nearly as well.
Re:SETI@Home (Score:5, Interesting)
Re:SETI@Home (Score:4, Interesting)
Re: (Score:3, Interesting)
Personally I feel fear out of this since I run OS X nowadays and Apple aren't the most security aware and patch decisive* company/group/.. around. And I don't want to computer owned by the american government thank you, and preferably noone else either.
* (I tried to find some opposite to hesitate)
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
HINT: they do it all the time during investigations.
Fifth amendment, I should think. . . (Score:3, Insightful)
". .
I would say that, were this air force initiative technologically successfuly, it, at least, could not be used on any computers of US citizens, because of the fifth ammendment. Of course, what the government will say is that this capa