US may have by far the world's biggest military budget but it's not showing in security

If you were worried about the state of US military security systems you might not want to read the results of its latest audit. A “red teamer” cracked into a US Department of Defense system and rebooted it, but nobody noticed: the system suffered unexplained crashes. In another case, testers “caused a pop-up message to appear …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    "instructing them to insert two quarters to continue operating.”

    Damned inflation. I remember when one quarter was plenty, or even buying 5 tokens for $1.

    (Now if you'll excuse me, I am going to go back to playing Defender on my Atari 2600.)

    1. Michael Wojcik Silver badge

      Re: "instructing them to insert two quarters to continue operating.”

      "For three quarters, I'll trigger an immediate Windows update, and you can have the rest of the day off."

  2. Graybyrd

    No need then to inconvenience our Chinese friends, or our Russian partners. Carry on. Business as usual.

    1. Youngone Silver badge

      I kind of assumed that business as usual is getting a Senator or Congressman re-elected.

      Isn't what the US military budget is for?

      1. phuzz Silver badge

        I kind of assumed that business as usual is getting a Senator or Congressman re-elected.

        Isn't what the US military budget is for?

        How dare you!

        It's there to make the executives at the defence companies richer as well.

        Then they can use that money to bankroll a politician, who can then sling more business their way and keep the whole cycle going. Oh, and to give that politician a nice non-executive position once they retire, of course.

        1. GnuTzu

          Military Industrial Complex

          "It's there to make the executives at the defence companies richer as well."

          When you control a market, you get to justify a cycle of replacing weak products with larger quantities of weak products.

          And, let's not forget what it has been called: "The Military Industrial Complex."

  3. Frumious Bandersnatch

    Nothing's gonna come of it...

    ... General GAO's chicken.

    (Thank you... besides fortune cookies, I also do Bar Mitzvahs!)

  4. Anonymous Coward

    Outsourcing

    Government software development uses dedicated staffing agencies rather than managing their own hires. These staffing agencies offer poor pay, no incentive for talent to stay, and they have no ability to grade work. Throwing more money at them just gets you a larger incompetent staff. It's a miracle that anything works at all.

    1. hplasm

      Re: Outsourcing

      Meh.

      Do a half-assed job - it's the American way!

      /Homer

      And extradite anyone who takes advantage of it...

  5. redpawn

    BPOE

    We have the Best People on Earth securing our military systems, or is that the Elks Club.

  6. John Smith 19 Gold badge

    How long have processors *connected* to a network been part of military systems?

    Decades at least.

    And to save the implementation budget (not the overall budget of course) they'll use stuff they've picked off the internet or FOSS communities.

    This reads like a catalogue of stupid, from the developers to the operators.

    Once you hook kit up to a data cable (any data cable) you can no longer be entirely sure where that connection terminates. Is the box it connects to? The box that box connects to?

    And that's before we get onto the wireless network connections that you can't even see.

    1. Anonymous Coward

      Re: How long have processors *connected* to a network been part of military systems?

      In the mid 1990s, I assisted with the installation of some commercial software at a DoD facility. This was one of the DoD "megacenters", basically internal service bureaus where many large systems hosted major DoD applications for things like logistics. Nothing any foreign power would be interested in.

      The servers we were installing the software on were UNIX systems (HP-UX, if memory serves). They were on the Internet. With no firewalls.

      "They're not in DNS," the sysadmin said. "No one can find them."

      These folks weren't incompetent; they just didn't have any security training or awareness that it was even important. It simply wasn't visible to them at that time.

      1. sitta_europea Silver badge

        Re: How long have processors *connected* to a network been part of military systems?

        [quote]

        ...major DoD applications for things like logistics. Nothing any foreign power would be interested in.

        [/quote]

        I beg to differ. Wars are won (or, perhaps more correctly, lost) in the logistics.

      2. Anonymous Coward

        Re: How long have processors *connected* to a network been part of military systems?

        In the mid 1990s, I assisted with the installation of some commercial software at a DoD facility... These folks weren't incompetent; they just didn't have any security training or awareness that it was even important.

        My second job was at a DoD personnel office doing data entry in the early 80s. There was no warning banner and no training other than what was needed to do the job. My current job working for Uncle Sam which I started in the late 2000s requires mandatory security training to get on the network at all plus a yearly refresher and other courses. It makes me wonder what went horribly wrong for each of the changes in practice to have been put in place during that period.

    2. Michael Wojcik Silver badge

      Re: How long have processors *connected* to a network been part of military systems?

      Decades at least.

      Sure. Stoll's The Cuckoo's Egg came out in 1989, so for nearly 30 years it's been popular knowledge that there are DoD systems connected to the public Internet. Even many non-techies were aware of that.

      Of course, since the Internet was itself a DoD project to begin with, there have always been DoD systems on it. But not everyone's aware of how many production DoD systems are exposed.

      1. vtcodger Silver badge

        Re: How long have processors *connected* to a network been part of military systems?

        Well, yes ... But there are DOD systems and there are DOD systems. I'm hampered by not having worked with that stuff for decades, but I doubt it's changed all that much. So, a few points:

        1. Access to military systems is rather tightly constrained. Try walking onto the nearest military base without paper orders, or some other valid reason for being there.

        2. Combat systems are unlikely to be connected to the Internet. That'd break rules about security. And they are, of necessity, designed to operate in an environment with limited and noisy communications.

        3. Many military systems require extensive training to use them. That doesn't preclude hacking I suppose, but it makes it a lot more complicated.

        4. There are, or at least used to be, elaborate rules for dealing with classified data. Basically, you can freely introduce unclassified data into a classified environment, but any data generated in a classified environment has to be rigorously scrutinized before it can be released into an unclassified environment. Clearly, you can't just plug a DSL modem or whatever into a classified system.

        5. There is, I'm told, a secure equivalent to the internet. I know nothing at all about it.

        6. Non-combat systems -- personnel management, etc probably are connected to the internet and presumably have all the problems they would experience in a similar business environment. And maybe some additional problems.

        BTW, I read the report. I don't think it's bad, deficient, or inaccurate. But I found it very difficult to relate it to what I saw in the three decades I spent working with US military software. The one thing that did resonate was a concern about security problems with the software development and maintenance environment. Likely there are real problems there.

        1. Yet Another Anonymous coward Silver badge

          Re: How long have processors *connected* to a network been part of military systems?

          So you can't launch nuclear missiles from a submarine with the password "swordfish"

          But you can screw up spare parts deliveries to ground an entire airforce in the field.

          You can mess around with payroll, holidays and shifts so that all the skilled aircraft mechanics leave

          You can post home/personal details of the families of soldiers

          You can target small suppliers/subcontractors to shut down the supply chain for a new $Bn project.

          You can probably do enough to ground the next Gulf War without leaving any evidence of who did it.

      2. John Smith 19 Gold badge

        Sure. Stoll's The Cuckoo's Egg came out in 1989,

        Exactly.

        If anything the trend seems to be working down the food chain.

        1989

        Pentagon computers accessible by internet.

        2018

        Combat vehicles and their weapons available through the internet.

        The PTB should find this trend worrying, but obviously don't.

  7. Anonymous Coward

    Holes by design (costs $1M per hole, DOD rates)

    They are there to trap teenage hackers from all over the world into committing crimes and then getting them deported to the USA where they can be made examples of in front of the US media. In return the DOD gets more taxpayer money for $1000 hammers and the like.

    Cynical? You bet.

    1. Michael Wojcik Silver badge

      Re: Holes by design (costs $1M per hole, DOD rates)

      I think your malice / incompetence ratio is way off there.

      I'm sure the DoD runs some honeypots. It's not impossible that some are done in cahoots with State to try to ensnare and persecute token victims, and there may even be some quid pro quo (though really DoD has no trouble getting funds; it receives quite a lot of money it doesn't even request in its budget, thanks to legislators who want to keep jobs in their districts).

      But the vast majority of the problems highlighted by the GAO are going to be due to poor management, incompetence, and systemic problems like legacy systems.

  8. jgarbo

    Doesn't the DoD realize that the Russians & Chinese have already found these vulns, even hidden them, in preparation for WW3. When US officers press the Big Button, either nothing will happen or the ICBM will explode in its silo. The enemy will win before a shot is even fired. Americans live in a fantasy - and will die there.

    1. Yet Another Anonymous coward Silver badge

      On the other hand, if you think the US suffers from poorly trained, paid and motivated staff, badly designed patched together systems and lots of legacy kit from the 60s/70s - how do you think the USSR-II is doing ?

    2. Korev Silver badge

      You mean the old British WE117 bombs had the right idea? They'd have been rather hard to hack....

  9. ciaran

    Typo?

    Is this a deliberate bug?

    [If you were worried about the state of US military security systems you might not want to read the latest audit.] with such frequency, there was no reason to suspect an attack.

  10. Giovani Tapini

    I enjoy the fact that issuing policies must be the end of the matter

    Try implementing and auditing against them, or testing them against prospective purchases etc.

    This is no better than "your security is very important to us..."

    My worry would be that if the systems are as leaky as the article makes it sound, then there is a reasonable probability of their own testing manifesting in the wild. That prank missile target on your mate's house suddenly becomes a real possibility that it may just work...

    1. Christoph

      Re: I enjoy the fact that issuing policies must be the end of the matter

      "That prank missile target on your mate's house suddenly becomes a real possibility that it may just work..."

      Shall we play a game, Joshua?

      1. Giovani Tapini

        Re: I enjoy the fact that issuing policies must be the end of the matter

        I have to bite...

        Can we play tic-tac-toe?

  11. Waseem Alkurdi

    “Warnings were so common that operators were desensitized to them”

    Ouch. That very one would hurt any pilot deeply.

    1. Steve the Cynic

      “Warnings were so common that operators were desensitized to them”

      Ouch. That very one would hurt any pilot deeply.

      In my experience of reading descriptions of major air crashes, that theme (of operators - pilots and other flight-deck crew - being desensitized by the sheer number of warnings) occurs with depressing oftenness. So it would, indeed, hurt pilots (and their passengers and crew) deeply.

      It's often accompanied by warnings of conditions requiring different solutions being nevertheless very similar in sound, even when applying problem one's solution will make problem two worse.

      1. cosymart

        @ Steve the Cynic - !"oftenness"!? I think the word you were looking for was regularity.

        1. T. F. M. Reader

          oftenness... regularity...

          The hanging sentence in the article itself contains the word "frequency". I am guessing the original context was exactly what the OP meant.

      2. Yet Another Anonymous coward Silver badge

        Now imagine if the siren went off every time a packet from a non .mil address arrived at your firewall!

        1. Waseem Alkurdi

          Or if a DNS hijacking attack was used and the .mil site just became a .ru/.$BAD_GUY_CC domain.

      3. Waseem Alkurdi

        @Steve the Cynic

        I can also attest to this, given that I have seen every single episode of Mayday/Air Crash Investigation.

        The idea in aircraft is the shitty cockpit construction (whether it's hardware or wetware we're talking about). But in computers, it's just wetware.

        Do we need a big siren to signal an intrusion?

        And also about aircraft, I've always wondered why there wasn't simply a call-out with the error concerned instead of a chime/beep/whatever distraction?

        That way pilots could know exactly what's going wrong.

        And Helios 522 and the recent Jet Airways "re-enactment" (which thankfully landed safe after half the pax bled out of their noses) would've never occurred either.

  12. Crisp

    That? That's a Cyberdyne Systems model T-101

    It's harmless.

    Just yell "User : Admin, Password : Password" at it and you can shut it down.

  13. amanfromMars 1 Silver badge

    Just the Tip of the ICEBorg*?

    Doesn't the DoD realize that the Russians & Chinese have already found these vulns, ...... jgarbo

    Most probably, and hopefully so for Uncle Sam, they do, but they are disenabled and unable to do anything effective about them, jgarbo, ...... with the much bigger problem, and one for all manner of SCADA Administrative Systems, being even more of them hiding in codes and protocols just waiting for discovery and RAT exploitation/uncovering and capitalisation.

    * ...... Information and Content Exchange

    And most convenient for all purveyors of FUD to the brainwashed masses for it appears to keep them suitably terrorised and petrified into inaction?

    1. Waseem Alkurdi

      Re: Just the Tip of the ICEBorg*?

      What the bleep do SCADA systems have to do with ANYTHING discussed on El Reg?

      1. amanfromMars 1 Silver badge

        Re: Just the Tip of the ICEBorg*?

        What the bleep do SCADA systems have to do with ANYTHING discussed on El Reg? ... Waseem Alkurdi

        Crikey! ..... Do you not yet know you are a SCADA System, Waseem Alkurdui. And they have things to do about everything.

        Is yours not working correctly and badly not Inputting Feed and Feedback Back to Almighty Goals for Further Future Source Immaculate Provision? Or are you missing/skipping and missing out at those Sublime and Supreme and Surreal Levels of Live Operational Virtual Environment Empowerment? Will that be your decision?

        IT is surely but One More Small Step for Man with One TitanICQ Quantum Communications Leap for Virtual Machinery and AIdSystems to Launch Oneself for Engagement into a Completely Different Sphere of COSMIC Enterprise.

        And quite a Penultimate Weapon for Wielding before Finalising of Solutions.

      2. Nick Ryan Silver badge

        Re: Just the Tip of the ICEBorg*?

        What the bleep do SCADA systems have to do with ANYTHING discussed on El Reg?

        You're new here and have just been trolled by El Reg's in-house AI poster. We hope it's an AI, because if it's not.. well... oh dear. Attempting to make sense of amanfrommars1's posts without the requisite amount of liquid inspiration will cause headaches. It will still cause headaches, but they pass quicker, given the appropriate dosage.

        1. Teiwaz

          Re: Just the Tip of the ICEBorg*?

          Attempting to make sense of amanfrommars1's posts without the requisite amount of liquid inspiration will cause headaches.

          Liquid?

          Nope, liquids as a medicinal for those particular migraines in potentia are insufficient at this stage. I recommend peyote, which, unfortunately, is not yet available over the counter (any counter, 'round these parts).

          The French have been known to prefer Absinthe, or failing that, a painkiller inserted anally.

          1. Anonymous Coward

            Re: Just the Tip of the ICEBorg*?

            Normally, it would be advised here to use common sense as a kind of a dope one certainly needs to succeed and to make something more comprehensible for a reading unit.

        2. Anonymous Coward

          Re: Just the Tip of the ICEBorg*?

          ...oh dear...:-)

          Best comment on AI here yet

        3. Waseem Alkurdi

          Re: Just the Tip of the ICEBorg*?

          I've been a commentard since April of this year, and since then, I've been trying to figure out whether @AMFM1 is an AI or a human. Sadly:

          Do you not yet know you are a SCADA System, Waseem Alkurdui

          And he's misspelled my name for the second time in a row after that being pointed out to him a day earlier! ^_^

          So yep, he's a bot who for some reason believes that I don't know yet that I'm a SCADA system.

          Regarding the headaches, no, they don't occur to me, because that is well taken care of by the other window on my desktop, the window in question being the Pathology textbook! ;-P

          A safe-driving-mode-enabled* pint to all onlookers!

          __________________

          * non-alcoholic, that is

          1. Nick Ryan Silver badge

            Re: Just the Tip of the ICEBorg*?

            :)

            Any self respecting online Internet AI will make intentional "mistakes" otherwise we might think that they are a dog or, worse, a human.

          2. amanfromMars 1 Silver badge

            Re: Just the Tip of the ICEBorg*? And Something to Always Remember ...

            The next logical progression, Waseem Alkurdi, is to ponder and deliberate on whether of Nigerian extraction because of the evidence of a simple misspelling/primitive predictive text typo .... although beware and be wary of stealthy security misdirection and other dynamic accommodations in Future Travels to Alien Intensive Spaces.

            So yep, he's a bot who for some reason believes that I don't know yet that I'm a SCADA system. .... Waseem Alkurdi

            Great, we are agreed then you are. Care to Dare Share an Unambiguous Confirmation of those Facts, WA? Just for the Record and Registering Interests. A Note for Posterity to File Away in the Deep Dark Vaults of Never Forgotten Forbidding Libraries.

            Oh, and what do you define as a bot? Is it animal, vegetable, mineral or ethereal? Just for the Record and Registering Interests.

            1. Waseem Alkurdi

              Re: Just the Tip of the ICEBorg*? And Something to Always Remember ...

              Ethereal ... I like the word ...

      3. Anonymous Coward

        Re: Just the Tip of the ICEBorg*?

        Hmm... Wasseem...

  14. I&I

    Natural result of blame-culture e.g. the Gary McKinnon case.

  15. Nick Kew

    Big budget

    Would that be a budget big enough to support an entire bug-ridden comms system as a decoy, while having an altogether different system sitting behind it in the shadows?

    Age-old military tactic.

    1. Yet Another Anonymous coward Silver badge

      Re: Big budget

      That's what the enemy would expect.

      Instead there is a massive inefficient bug-ridden insecure system that IS the main system

      Good luck finding the non-existent secret effective decoy shadow system

    2. amanfromMars 1 Silver badge

      Big Budgets Ensure Safe Bets and Ensnare Strange Sources? Or are Strange Source Exposed?

      Good luck finding the non-existent secret effective decoy shadow system .... Yet Another Anonymous coward

      The fact that you don't recognise the Existing Military Industrial Complex as the already heavily deployed decoy not reporting on NEUKlearer HyperRadioProACTivated Virtualised Systems of Almighty COSMIC Dimension, is sure proof positive of an altogether different system beyond Shadowy Control and Shady Command of Flash Crash Collapsing Systems/Parasitic Executive Administration.

      And with particular and peculiar specific regard to ....

      Would that be a budget big enough to support an entire bug-ridden comms system as a decoy, while having an altogether different system sitting behind it in the shadows?

      Age-old military tactic. ... Nick Kew

      ..... Is that one of those New ERa Tools for Weaponisation and Live Fire BetaTesting in Novel Fields of Engagement and Employment ..... Guaranteeing Future Alien Contact with Earthly Contracts to Deliver on Supplied Promises Tendered via Shared Enlightening Words delivering Other Worldly Facts to Populate and Seed New Spaces and Out of the World Places, or a whole host of them stored in Impregnable Arsenals ... which be the Very Sweetest of Immaculately Deep HoneyPots.

      Is Resistance to such AI Charm, Futile? Is Total Surrender to ITs Stated Promise, Heavenly Reward and One's Just Dessert? :-)

      Answer that Holy Trinity of Questions both Correctly and Sincerely, and One be Really Powerful, for there be Others More Powerful in Waiting to Provide Everything Worthy of Almighty Future Services.

      1. Anonymous Coward

        Re: Big Budgets Ensure Safe Bets and Ensnare Strange Sources? Or are Strange Source Exposed?

        Beats running amfm :-)

        1. amanfromMars 1 Silver badge

          Re: Big Budgets Ensure Safe Bets and Ensnare Strange Sources? Or are Strange Source Exposed?

          Beats running amfm :-) .... Anonymous Coward

          Sure does, AC .... and it is hard to believe things can be so easily done so freely. :-)

          But hey, that is just the very surreal nature of future virtualised things and nothing at all to be worried or too excited about unless worthy of specific attention and mention.

  16. Wellyboot Silver badge

    corporate link

    >>>Some systems can't even be tested properly: one system used proprietary black-box hardware and software and depended on a connection back to a contractor's corporate network, which was off-limits to the testers.<<<

    Would that be a major aircraft manufacturer by any chance?

  17. Version 1.0 Silver badge

    Not Again!

    This has been going on for a long time, I remember when some kid hacked into WOPR with their IMSAI and nearly started a war.

    1. Stevie

      Re: Not Again!

      And don't forget that whole "Gibson" fiasco.

    2. Nick Kew

      Re: Not Again!

      Was that the battlefleet that got eaten by a small dog?

  18. Bronek Kozicki

    Large systems are difficult

    The engineering approach is to start from the assumption that at any given time, some part of the systems will be in "bad" state. If you start from that, then bugfix releases or configuration updates are just variables in the complex equation of "how much more broken could it become if we (do not) do that". Of course, the military cannot have that - hence there is no functioning monitoring, no canary releases, no fault tolerance, no regular disaster recovery exercises, no nothing. Just put it all together and hope it holds shape. Because in military, apparently "hope" is a strategy. Who would have thought?

    1. Claptrap314 Silver badge

      Re: Large systems are difficult

      Found the (other) Google SRE. (Or former, as is my case.) :D

  19. Mike 137 Silver badge

    They're not much good at communication either

    Can anyone explain why a document titled WEAPON SYSTEMS CYBERSECURITY has the snappy and informative file name 694913.pdf?

    I may be old fashioned, but I was under the impression that a file name was supposed to help the potential reader identify the content of the file...

    1. adam payne

      Re: They're not much good at communication either

      Not when you want to bury it.

    2. Stevie

      Re: They're not much good at communication either

      Security, man!

    3. Uffish

      Re: They're not much good at communication either

      But Google is very good at finding things;

      "694913.pdf" gives "https://www.gao.gov/assets/700/694913.pdf" as the first response.

      edit:

      ... and the second response was "https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/694913/dwp-ss030-security-standard-oracle-database-security.pdf" - what is it with 694913 and cybersecurity?

      1. Danny 2

        Re: They're not much good at communication either

        69 - we are fucking each other

        49 - down a deep mine shaft

        13 - and it's sinister

  20. adam payne

    In another case, testers “caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating.”

    Did anyone ring the hell desk asking where the slot was for the quarters?

    1. Giovani Tapini

      Don't you know?

      The MMC card slot is just about right...

    2. Yet Another Anonymous coward Silver badge

      Did anyone ring the hell desk asking where the slot was for the quarters?

      It's the military, they rang the help desk asking which form they should use to requisition the quarters and how much each quarter would cost for budgeting purposes

  21. Anonymous Coward

    Patching strategy

    > ”Officials from one program we met with said they are supposed to apply patches within 21 days of when they are released, but fully testing a patch can take months due to the complexity of the system;

    I'd love to see the reaction from some US General when he's told that he can't have a new system because it would be too complicated to patch according to the DoD's own guidelines.

    1. vtcodger Silver badge

      Re: Patching strategy

      Can't say for sure, but based on my limited experience, the last thing most high ranking officers want is more problems. They are quite a conservative lot and their jobs come with more sufficient problems. The constant (often broken) updates that IT folks think of as necessary improvements probably look to them more like aggravation than assistance.

  22. sitta_europea Silver badge

    And gao.gov uses qwest nameservers??!!

  23. ZenCoder

    Choose the nuclear options and don't pay for defective goods.

    Just make it so that it is impossible to stay in business unless every programmer is trained in security and constantly has security in mind while working and the final product isn't a complete embarrassment after a Red Team gets a month or so to attack it.

    As long as you can get paid once to half-ass something, then paid again and again to fix it over and over, and still remain in business, this problem is not going away.

  24. Danny 2

    You'll have to answer to the Coca-Cola company

    This is where the quarters come from.

    https://www.youtube.com/watch?v=DUAK7t3Lf8s

  25. Claptrap314 Silver badge

    "Good Enough for Government Work"

    Bane of my existence while in the Air Force. I don't think I could have made it as a lifer.

  26. MachDiamond Silver badge

    Bloat

    Most new military hardware is just an ever-increasing way to add complexity to a problem. It must be due to simple solutions not having the ability to generate really large research budgets or invoices.

    What was the book? "Superiority"?

    What's more frightening to an enemy:

    1. 3 latest generation stealth fighter/bombers (F-22/F-35,B-2)

    2. 100 older generation fighter/bombers (F-16/A-10,B-52)

    Brute force and ignorance is the name of the game in warfare. The advanced stuff has the tendency to go "bing" when it's really needed.

    Ron White has a great line, "I don't know how many it would take to throw me out, but I knew how many they were gonna use." I'd be a bit more daunted by pure numbers.
