Wednesday, May 28, 2014

Tell me more about your exquisite network ...

Long periods of peace for a military are times of both great opportunity and peril. As you don't have the hard truth contact with an enemy to show you your strengths and weaknesses, you have to make certain assumptions and estimates.

If you are mostly smart leavened with a bit of luck, you have made assumptions for the right reasons. You don't assume away the difficult, the inconvenient, or that which makes your bosses uncomfortable. You make informed assumptions. Assumptions based on observation, realistic war gaming, and a vigorous jockeying for position in the marketplace of ideas.

You have to be ruthless against those who have agendas that are based on personal, ideological, or pet theories founded on emotion. You have to be brutally honest with yourself about your own ideas, how they reflect the lessons of history, and what the abilities are of possible opponents.

You need to clearly understand your critical vulnerabilities even more than you do that of others.

The well-grounded person must guard against one human weakness even more than that of the self-focused agenda: that of the wide-eyed, overly enthusiastic advocate who holds aloft the bright shiny idol that they will build everything around.

Often, their idol is a good idea that, in proper design, is part of the future - but if overused and emphasized, becomes an actual obstacle to efficient prosecution of a war at best; at worst its overuse creates a gaping vulnerability itself.

In a nation that loves its latest technology, our fetish and faith in it is such an idol.

The enemy gets a vote - and for a navy that has not been on the receiving end of a determined, sustained, and capable enemy at sea for decades - we seem to have forgotten this simple fact.

That is why it scares the crap out of me when I think of all we have foolishly built on top of our shiny little idols from GPS to EHF Spot Beam - and thrown away the backup from celestial navigation to HF TTY.

For these reasons, my jaw sets when I hear otherwise smart people who should know better tell others that the cornerstones of our future fleet - and the key to its success at war - will and must be tightly networked computers riding on the back of satellite based VOX and data streams. Faith and hope have supplanted critical thinking and robust, prudent planning.

Part of our national security apparatus appreciates the danger - hence the attempt to get the collective mind around cyber and playing "going dark" in a few selected war games, while the larger part just wants to pretend it isn't there - and thinks that war will be like peace, like their scripted training, where all your planning assumptions are true, where you own the air, space, and everything in between.

Let's leave the little lie we tell each other about perpetual supremacy of the electromagnetic spectrum for a bit, and instead let's look at the sea and shore COTS computer challenge.

Sweat espionage if you wish - but instead think of everything with a Windows interface just not working ... for weeks.

Stir the following around your planning. Via Quinn Norton over at Medium with a standard Kristen language warning (wherever she is nowadays):
Besides being riddled with annoying bugs and impossible dialogs, programs often have a special kind of hackable flaw called 0days by the security scene. No one can protect themselves from 0days. It’s their defining feature — 0 is the number of days you’ve had to deal with this form of attack. There are meh, not-so-terrible 0days, there are very bad 0days, and there are catastrophic 0days that hand the keys to the house to whomever strolls by. I promise that right now you are reading this on a device with all three types of 0days. “But, Quinn,” I can hear you say, “If no one knows about them how do you know I have them?” Because even okay software has to work with terrible software. The number of people whose job it is to make software secure can practically fit in a large bar, and I’ve watched them drink. It’s not comforting. It isn’t a matter of if you get owned, only a matter of when.

Look at it this way — every time you get a security update (seems almost daily on my Linux box), whatever is getting updated has been broken, lying there vulnerable, for who-knows-how-long. Sometimes days, sometimes years. Nobody really advertises that part of updates. People say “You should apply this, it’s a critical patch!” and leave off the “…because the developers fucked up so badly your children’s identities are probably being sold to the Estonian Mafia by smack addicted script kiddies right now.”
Recently an anonymous hacker wrote a script that took over embedded Linux devices. These owned computers scanned the whole rest of the internet and created a survey that told us more than we’d ever known about the shape of the internet. The little hacked boxes reported their data back (a full 10 TBs) and quietly deactivated the hack. It was a sweet and useful example of someone who hacked the planet to shit. If that malware had actually been malicious, we would have been so fucked.

This is because all computers are reliably this bad: the ones in hospitals and governments and banks, the ones in your phone, the ones that control light switches and smart meters and air traffic control systems. Industrial computers that maintain infrastructure and manufacturing are even worse. I don’t know all the details, but those who do are the most alcoholic and nihilistic people in computer security. Another friend of mine accidentally shut down a factory with a malformed ping at the beginning of a pen test. For those of you who don’t know, a ping is just about the smallest request you can send to another computer on the network. It took them a day to turn everything back on.
Yea ... read it all.
