Arrogance Has No Place in Security

  • Comments posted to this topic are about the item Arrogance Has No Place in Security

  • Hello Steve,

    Bruce Schnieder has an interesting discussion about the implications (or non-implications) of this in his January news letter http://lists.virus.org/crypto-gram-10/msg00000.html. Worth a read.

    Regards

    Michael

  • Just before this story broke I watched a tv show depicting the very same thing. I thought it was quite the coincidence. The relationship between the two are two closely knit and thus I believe that somebody close to the Drone program probably knew about the issue and then leaked it to the TV networks in enough time for writers to create the story. I think it is extremely arrogant but not uncommon. If somebody knew about the issue and reported the issue, then it needs to be fixed - before it gets hacked. In this case, it has since been hacked and must be fixed. I believe the same principle also applies to DBAs and Developers in the private and public sectors.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

  • It's hilarious but it aint my tax money because I don't live in usa but in Sweden. One would however think that the manufacturer would take more pride in the products and would not compromise in security just to get a product out fast or what ever might have been the cause. One would also think the militry would have their own proper quality tests.

  • Is this really a problem with security? Or is it working as intended?

    The "big" story here is that someone unauthorised can (and does) use the feed from the camera of the drones and thus the logic goes, can avoid them.

    Just slapping some encryption (best something proprietary that is weak) is easy. Figuring out who can then use the feeds is the actual logistic problem. In addition it creates a lot of bad will among allies who can currently use the feeds. Does the USA need even more bad will among its allies?

    The "big" story in here is fearmongering. True, some bad guys can watch themselves watched - when was the last time an ATM was totally secure? They can't fire (yet) a rocket on a drone as this channel is encrypted. They can't control a drone. All they can do is watch themselves. So the bad guys won't do anything bad while the "policeman" stands at the corner of their block?

    This is probably good. It puts pressure on the bad guys.

    To me as ex-military this is a non-story just reported to create some hype and have a "big" story about inadequate military procedures. Actually the design is working as intended, just the bad guys have woken up and use it. Same happened with credit cards, same happened with spam, same happened with ATMs. Do we just slap more security on these too because the bad guys use them until the point where 99% of us are not allowed to use these anymore because our security clearance is too low?

  • As posted above, read the Bruce Schnier article about it as he gives a clear view on what effects securing this channel may have to the men on the ground relying on the devices. As another poster put the story has definitely been spun to create a fear mongering element to it, I'm sure all of us here have seen 10k spent to protect 10 cents worth of data in the name of 'security'. No one will dare question it though in the current cover you rear climate brought about by fear mongering articles like the above because it just may happen.

    I love those 'what if' meetings where it goes from the sublime to the ridiculous about what may happen (disaster recovery, security, pick your poison here)... I'm always waiting for chicken licken to burst through the door to tell us the sky is falling.

    I think I just showed my age there.

  • Bruce Schneier's blog post is good but he only addresses the technical implications and not the political fallout. In this regard the Wired Danger Room article and David Axe's comment are useful.

    (Sorry, but due to being at work I can't provide the links right now. Somehow certain websites trigger a few alarm bells. ;-))

  • Speaking as a former Air Force officer, your point is well taken, but unless you have lived a while in the co-joined reality and fantasy of the service, you don't understand how these things actually happen.

    Encryption is a great idea of course, but in the military as we have seen in many recorded instances, encryption is not going to save us from pure, unadulterated stupidity. Cases in point:

    When Ronald Reagan ordered a squadron of F-111's to bomb Libya, one of those planes flew off course and disappeared presumably into the sea. The F-111 (in those days) used 'slap-in' hard disks (similar to RAID drives). If some flight tech accidentally loaded the tracking data for say, Iowa - confusing that with Libya - the plane will do what it is told and... well, you know the rest of the story.

    We recently had a bomber fly across country with nuclear weapons; something that is a complete and utter "no-no". Weapon loads are marked carefully with colors to indicate ordinance. How someone confused one color with another leaves one to presume that clearly, whoever was in charge that day was color blind.

    Of course, we all know that in the first Gulf War, our first President Bush announced that the much-touted Patriot missile had a record of 42 launches, 41 kills. In fact, as the Israelis reported after that skirmish - we did not hit a single scud missile, and in fact, the Patriot was never designed for that task. Our record, in truth, was 42 launches, 0 hits.

    Sure, all our high tech is a potentially wonderful thing. And yes, encryption is a great idea. But the cold hard reality of pure, and utter good old stupidity should remind us that no matter how "cool", "slick" or hi tech any weapons system is, its the human trying to use it that is the weakest link in the chain, and no amount of encryption, security, or procedures are worth squat when simple mistakes can make a mess of "smart systems".

    There's no such thing as dumb questions, only poorly thought-out answers...
  • It isn't just that the "Military" missed it. The defense contactor should know better. I have no experience with General Atomics Aeronautical Systems but have worked with Northrop Grumman. They seem security conscious, at least in securing networks and data.

    M

  • Had I as a Systems Engineer made a similar decision it is unlikely that I would be able to find future work in the industry. The people behind this decision should similarly all be held accountable.

  • I didn't really want to debate this particular instance as being good or bad. Schneier has a good writeup and makes some points about why this might not be a bad things from a security standpoint. The thing that struck me was that it seemed the tone of the military was that "no one could hack this or use it", which is the problem I see. It's not that this might be a particularly bad issue, but they seemed to dismiss it out of hand.

    Hence the title.

  • mike.styers (1/28/2010)


    It isn't just that the "Military" missed it. The defense contactor should know better. I have no experience with General Atomics Aeronautical Systems but have worked with Northrop Grumman. They seem security conscious, at least in securing networks and data.

    M

    The Military and its contractors are currently overrun by security process and policy experts, nobody wants to talk about how both are not related to actual security implementation which in most cases is not accessible to most technical people. I got this error while connecting what is the context of the connection? There is nothing simple in security some day there will be a honest conversation.

    Kind regards,
    Gift Peddie

  • Steve Jones - Editor (1/28/2010)


    ...The thing that struck me was that it seemed the tone of the military was that "no one could hack this or use it", which is the problem I see. ...

    Kinda like the credit card companies saying: Online transactioning is safe? Then backtracking when proven wrong. Or the database designers who ensure their customers that "No one can break into this" and proven wrong?

    A lot of this has to do with finding someone to blame. Most humans are very prone to act in a way like this when faced with the moral dilemma to take on their part of blame. After all their own reputation is at stake. Or the one of their department. Or the company. And hell to anyone who brings a little black speck on the reputation.

    It's a different kind of arrogance.

    I guess this is when the military was faced with either admitting that their system is not secure or whether just outright to lie, they lied (probably of wrong fact telling) and used security by obscurity (just-pray-nobody-ever-will-notice-security). Also what is called between "experts": Security Theater. Something that looks good, makes every feeling fuzzy warm and is pretty much useless against real threats.

    However anyone ever encountered the guy/girl that readily admitted his/her own fault before being asked? And how that felt?

  • Knut Boehnert (1/28/2010)


    However anyone ever encountered the guy/girl that readily admitted his/her own fault before being asked? And how that felt?

    "Hi I'm Matt Miller, and I've screwed up before". I've been on the wrong end of an update several times, sometimes with bad, bad, bad consequences. To be sure it's a truly ugly feeling, but, it's incumbent on us to report the issues when you find them, whether someone came over to tell you first or not.

    Having seen fome of the previous feedback on this site, I think you would be surprised to see how many folks here are in the same mindset. We're the gatekeepers (or if you prefer a releigious undertone, "sacred guardian of the holy data repository"), so when we screw up, we own up to it, and fix it if given the chance to.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • This post is not to be interpreted as an excuse for either the incompetence or the arrogance displayed by the parties involved in this fiasco.

    I have spent a good deal of time in the military and in private industry over the years. I have recent experience in Army IT in a deployed environment as well as experience with military contracting. Please consider the following points to perhaps explain what may have happened.

    1.The contracting process for sophisticated equipment like a drone takes a long, long time from the initial idea to the actual product being employed. When the contract was written and put in place security may not have been an issue or the security specifications in the contract may have been obsolete by the time the drone was fielded.

    2.Contracts are written and negotiated by Military Contracting Officers with limited IT backgrounds. Input from subject matter experts is often not considered in the process.

    3.The contractor will do what is in the contract, nothing more, and nothing less. For a price they may do more but the process to get more done is both long and painful.

    4.When an issue like this is revealed to the public the involved parties, in fine bureaucratic tradition, will slip into either extreme CYA mode or extreme finger pointing mode.

    5.By the time the issue eventually gets fixed the bad guys will have figured a way around the fix. This is a perpetual process………..

    Just my $00.02.

Viewing 15 posts - 1 through 15 (of 19 total)

You must be logged in to reply to this topic. Login to reply