Military


Not so RuggedCom… time to set up a blacklist

RuggedCom has sold mission critical routers to the US Gov’t, utilities, and others with an undocumented backdoor installed.  This is totally inexcusable and RuggedCom should be out of business as a result.  Under no circumstances should any IT company produce a product with a backdoor installed.  I can understand the need for an easy way for the company to work with the router’s internals, but having a default admin account password should be sufficient.  At least then the customers could change the default password and make the router secure.

I don’t know if RuggedCom’s leadership knew of this backdoor.  This could have been the result of a lazy engineer, or in response to a program manager putting pressure on the team to get things done quicker.  No matter what, there was a definite failure in both the technical leadership at the company and in their Quality Assurance team.

RuggedCom is a Siemens company.  This is the same Siemens that was targeted by Stuxnet, and the same Siemens with a long history of security issues in their industrial controllers.

If a company is caught doing this crap they should be publicly blacklisted, and they should lose all of their customers and as a result, go out of business.  Just the fear of a possible backdoor has caused Huawei serious problems in getting contracts with non-Chinese governments.  While there is no proof that I’m aware of, they still can’t get several of the big contracts that they want to.  There is also fear that when IT equipment is manufactured overseas, that the foreign companies may put backdoors into the systems.  This fear is so serious, that at least one IT company I know of only installs their firmware in the US after the systems are manufactured.  Talk about adding complications to your manufacturing and testing procedures, especially when you can’t test the equipment until it is shipped half way around the world.

RuggedCom got caught, and I applaud the researcher that found the backdoor.  Had this been just an accidental vulnerability, then this would be a very different story.  However, with an intentional backdoor… it is a much more serious story.  RuggedCom should pay to replace all of their compromised routers with equivalent non-RuggedCom routers and shut down.  If they sold compromised routers to the US Gov’t, then they should be investigated for treason or other applicable law violations.

I suspect RuggedCom will try to spin this as best as they can, and to update their routers to remove the known backdoor.  I give them credit for at least admitting that there is a factory backdoor.  It would have been interesting to see if there were any internal discussions on the approach of just denying it.  However, this isn’t a typical design flaw.  This is incompetence and a complete misrepresentation of their expertise.  Here’s what their webpage says about their products:

RuggedCom products are designed for use in harsh environments such as those found in electrical power substations, oil refineries, military applications, roadside traffic control cabinets and metals and minerals processing.

Now, I don’t think that any of their customers that are responsible for oil refineries, military, and so on will agree that a system with a factory backdoor is really designed for those harsh environments.  Farewell RuggedCom, and I hope that as each of your employees finds new jobs that you’ll take security seriously and be an advocate for secure products in your new companies.

I hope that with the pending demise of RuggedCom and the need for a blacklist of incompetent manufacturers, that those that don’t take security seriously now, will start doing so.

Is Open Source Software a Threat?

I have recently gone through a governmental Information Assurance (IA) process to gain permission to connect a stand alone development network to a broader government network.  In the process, we got feedback on potential “threats” to our approach.  While none of these were serious enough to prevent getting permission, one of the comments made really irritated me.  It stated that the use of Open Source Software (OSS) posed a threat to the security of the network.

So, is OSS a threat?  I don’t believe so, and in fact, I believe that in most cases quality OSS poses less of a threat than its commercial counterparts.  All software, both OSS and commercial, may introduce vulnerabilities into a system.  Software has bugs, bugs can be exploited, and therefore all software may pose a threat (hint, don’t keep software on your system you don’t need).  But, is OSS more threatening than commercial software?

It will certainly depend on the software.  If the actual question is if there is someone that is actively updating and patching the software, then it depends.  For example, Firefox is an open source piece of software that is constantly being patched and improved.  However, Windows 2000 is commercial software that is no longer being patched.  So, which one is more secure?  Firefox.  However, if the roles are reversed and the open source software has been abandoned, and you are comparing it to a commercial piece of software that is being actively patched, then the commercial software is more secure.

However, what happens if everything is equal?  Let’s say that both the open source software and the commercial software are being actively patched.  Now, here’s where my opinion is that the open source software is actually more secure.  The key issue is that as a customer I can look at the code if I wish.  While that may be unlikely and I may not understand what I’m looking at, the fact that it is doable is a motivating factor for the open source developer to be more careful in writing the program.  Their success is based on being able to stand behind their source code, not just the application itself.  In a commercial application, it is about the program and not the source code.  It could be a good looking and capable piece of software but written by monkeys from a security perspective.

It is frustrating that the IA community isn’t filled with software developers, but instead a new breed of engineers that are groomed by the marketeers of commercial software.  Not many, if any, open source developers go out and sell their software to the government.  If you hear it enough, it must be true.  Well, here’s my challenge to the IA community.  Show me some actual facts to back up your claims.  If you can’t, then stop being biased towards commercial software.  I want you to do your job and to do it well, and that means that you have the trust of your customers.  With crap like this you lose all trust and so when you have something important to say, it is likely going to be received with doubt.

Again, all software has the potential to introduce security concerns into a network.  It doesn’t matter if it is open source or commercial.

Lightsquare Loses

Well, it is done.  Lightsquare has lost its battle to compete with GPS.  While I’m glad that GPS is safe for the time being, I do agree with several of Lightsquare’s arguments.  I hope that the FCC will take some of Lightsquare’s technical criticisms to heart, and mandate better engineering in new GPS receivers.  They really should implement better filters to ensure that they are not jammed by nearby frequencies.  Even if there is nothing in those frequencies, that is just good engineering.

I doubt that Lightsquare will be along for much longer.  I don’t blame them for their efforts.  They played the crappy hand they were dealt the best they could, but the political mistakes in this issue couldn’t replace physics.  The FCC shouldn’t have allocated the frequencies to Lightsquare in the first place.  That was a political decision made without consideration to the technical approach Lightsquare was going to take.  As a result, Lightsquare gets screwed because it couldn’t break the laws of physics and as a result, everyone involved loses.  Sorry Lightsquare.

Did Chinese Spies Delay F-35?

Defense Tech has an interesting article questioning if some of the delays associated with the F-35 program were due to rework necessary to recover from Chinese spying.  If this is true, it represents a critical failure in information security within the DoD acquisition community and the Defense Industrial Complex.  There have been many reports of government contractors’ networks being compromised but I don’t know if anyone is tallying up the bill.

If true, the bill here is billions of dollars.  Dollars spent on extending the lives of aircraft slated to be replaced by the F-35, dollars spent on the engineering rework to change the design of the F-35, and dollars spent on how to counter the possible improvements to Chinese systems due to their adoption of American technology.  And for some reason, I doubt Lockheed, the Prime Contractor for the F-35, is opening up their checkbook to cover these costs.

I hope that this report is untrue and that the Chinese didn’t delay the F-35.  If so, then we still have a lot of unanswered questions as to why the F-35 is so late and over budget.  It was supposed to be a low-risk cheap jet, and it has mushroomed to be the DoD’s most expensive program… EVER.  Not good, with or without Chinese help.

The Stupidity of Conventional SLBMs

Wired had another well written article titled “Pentagon Confused by its Own ‘Subs vs. Terrorists’ Plan”.  The basic idea is that the US wants to conduct conventional global strike from submarines.  One of the many Holy Grails for the DoD is instantaneous global strike; the ability to hit any target anywhere on the face of the earth in a moment’s notice.

The article does a good job of calling this what it is, a farce.  There is no way that either China, Russia, or any other nuclear equipped nation will sit aside while a conventional warhead is sailing overhead to strike some target.  The DoD is trying to make this new conventional warhead fly a different trajectory, as to indicate to our allies and potential adversaries “Hey, trust us, it isn’t a nuke”.  While it may be a conventional warhead, how will anyone besides the DoD know?  If you can make a warhead fly this unique trajectory, why can’t it be a nuclear warhead?

Being able to hit a target in a moment’s notice is a mixed blessing.  I’m reminded of the discussion during Dr. Strangelove where they discuss the benefits of bombers over ICBMs.  The argument was that bombers took longer, and that was a good thing.  Time allows the US and Russia (in Dr. Strangelove) to open up diplomacy and to try to calm things down.  This doesn’t happen if the immediate answer is an ICBM launch.

So, if we have this capability, what becomes the role of diplomacy?  In addition, we’ll be tempted to use this on the terrorist in a mountain cave.  Is that guy really worth it?  To launch a conventional ICBM or SLBM will cost millions per launch.  Is this guy really worth that price?  Is this guy worth the possible nuclear response?  I would seriously doubt it, but there may be specific cases where it is worth it.

If money was no object, if we had a sound foreign policy, strong diplomatic capabilities, and if everyone trusted us, then this could be a good idea.  In reality, it isn’t.  We don’t have enough money to keep being the World’s Policeman, so why do we want to go down this route?  It is hard to imagine that this type of weapon would not only start, but end a conflict.  This would be just the opening round to an extended conflict involving thousands of American soldiers.  If it was possible to avoid war through the use of this weapon, I’d be a big fan… but I just don’t see it.

At best, this is going to be a huge work program for the Military Industrial Complex similar in scope and cost to SDI.  At worst, this will get us into an accidental nuclear war and end our civilization.  With those being two of many plausible outcomes, we should be wary of going down this path.  Let’s hope that the budget hawks will stop it in its tracks before we waste millions of our precious dollars.

Sea Shepherd’s Drone

Now, this is interesting.  I just read a story that the Sea Shepherd activist organization has now deployed a drone to track Japanese whalers.  If you aren’t familiar with Sea Shepherd, it is an anti-whaling organization that follows the Japanese whaling fleet and attempts to disrupt their operations.  You can watch their activities on a reality show.

Well, they just got a donated drone, and are now using it to track the whaling fleet.  This is pretty cool.  This is also an interesting use of the technology that probably wasn’t thought of by the drone inventors.  It makes me wonder where this technology may go in the future.  What would happen if Occupy Wall Street had a drone overhead constantly, alerting them as to what the police were doing?  How would constant monitoring change police tactics?  Do the police shoot down the drone before evicting the protestors?

In this case, Sea Shepherd and the Japanese whalers are in international waters so there are no police that will claim jurisdiction.  I have to wonder how the Japanese will respond.  Will they even try to shoot down the drone?  I would doubt that they have anything on board the ship that will effectively shoot down a drone.  Maybe they could get lucky with a harpoon, but I doubt it.

This is an interesting development in this multi-year conflict between Sea Shepherd and the Japanese whaling fleet.  As the technology continues to develop it will continue to influence this battle.  Just wait until someone decides to bring along torpedoes.

Virus Takes Down AF Drones…WTF

Wired has an article on a computer virus that has infected the Predator and Reaper control stations at Creech AFB.  Someone screwed up big here.  First off, why was infected media introduced to the classified system?  Secondly, why wasn’t there a clean backup that they could use to restore to?

These systems operate on a classified network. So, either the bad guy has access to the classified network and introduced the malware there (not a happy thought), or someone broke the rules and transferred media from the internet to the classified network (another no-no).  Now, there are always exceptions to the rules, but in those cases all media should have been scanned prior to connecting them to the classified network.  So, what happened here?  Someone screwed up.  Someone didn’t follow the rules assuming that they didn’t apply to them, or that what they were doing at the moment was too critical to slow down and follow the rules.  Maybe the system they use to scan media was broken, or perhaps it wasn’t loaded with the right virus signatures.  Either way, something went wrong.

Secondly, why don’t they have a clean system to back up from?  This is a weapon system, not a video game.  In the article they go on about how they had to build the system from scratch again and again, always resulting in the same re-infection.  Why?  Doesn’t the system have a clean backup?  With the advent of virtual machines, snapshots, backup tapes, replication, and so on… you’d think they should be able to back up without a problem.  Now, the exception would be if the virus is hiding in some firmware and if that is the case, they are in more trouble than they realize.

I guess the real last question is why are they using Windows at all?  Why is the military using a commercial grade operating system that is the largest target on the planet for viruses to run a critical weapon system?  Shouldn’t this be on SELinux?  I bet the decision was made in the name of convenience and cost savings… so, how convenient is it now?  Saving money?  We need to realize that if IT systems are weapon systems, then we need to treat them as such.  This isn’t the same as my PC at home.  People generally don’t die if my PC goes up in smoke at home, but what happens if someone through the virus learns how to insert commands to a Reaper?  How does it look when the Reaper fires a missile at friendly troops… and we learn that it was the result of someone hijacking the system?  If they can hijack people using their bank’s website, they could certainly do this… and learning the system through a keylogger is the first step in that direction.

The Predator program has been an insane success.  It went from a science project to a major weapon system overnight.  Had it gone through the traditional acquisition cycle, it would have likely failed.  However, in its rush to be fielded, they took shortcuts such as their selection of operating systems.  It might be time now to rethink this.  If you are going to go with Windows, then you need to secure it correctly.  If you are a critical system, then you need to be able to boot from a clean backup.  Yes, this means more engineering and more costs, without any obvious operational value… but it also means that you can continue to operate through these types of issues.  Mission availability and robustness should be a valued operational characteristic.  I doubt that this incident will cause anything to be changed.  I just hope that it won’t take one of our UAVs being hijacked and the death of friendly troops to finally make us change how the system is designed and used.

Airport Scanners Fail German Tests

AFP has reported that the TSA used body scanners are a failure.

Body scanners being tested at Germany’s Hamburg airport have had a thumbs down from the police, who say they trigger an alarm unnecessarily in seven out of 10 cases, a newspaper said Saturday.

Not a surprise to anyone that has been through them, nor any high school graduate.  I’m glad that at least Germany is testing them.  I get the feeling that the TSA skipped that part, drank the kool-aid, and emptied the piggy bank.  Just because a defense contractor tells you that it will work doesn’t make it so.  These scanners make no sense in an airport.  They simply do not make flying any safer, but they do increase the ability of the TSA to terrorize, embarrass, and intimidate innocent travelers.

This doesn’t mean that these scanners don’t have a place in the world.  These could be useful in Iraq and Afghanistan at entry control points to detect suicide bombers.  However, the first bomber that blows themself up along with the scanner wins.  I doubt you could make a bomb proof scanner, but it would be worth the false positives to stop a suicide bomber.  But for the rest of the world, it is time to put some common sense into security and to address the reality that we can’t afford to live in a continuous police state.

Religion and Nuclear Weapons Ethics Training

Do Christianity and Christian beliefs have a role in the deployment of nuclear weapons?  The Air Force has just pulled some Christian-themed ethics for the use of nuclear weapons.  Apparently, they pulled it after truth-out.org published a report on the topic.  While I don’t believe that it is proper to have one religious view dominate ethics training, it is a reasonable question to discuss whether or not any religion should be involved.

Religion can be very powerful within a society and can dominate its morals and ethics.  Even atheism is a religion and influences society.  A society that has many religions within itself is forced to deal with the differences and contradictions, while a society that is homogeneous in religion may adopt it as the basis of their society mores and laws.  We’ve seen this in both Japan and Islamic nations.  The fact that I wrote it as Islamic nations is an indicator of how the majority of Arab nations are seen.

The men and women that are responsible for the launch of nuclear weapons will bring their own religious view into their job.  There is no way around that as long as humans are involved.  But, should the Air Force teach nuclear weapon ethics based on religion?  Yes and no.  First of all, ethics are taught through religion as well as non-religious means.  Even the same ethical teachings can be supported by both religious and non-religious thought.

The article cites the Just War Theory as one of the many religious topics in the ethics class.  While religion can be used to support the Just War Theory, non-religious teaching could also be used.  I do think it is important that people that control nuclear weapons understand the Just War Theory, since it may be used to justify the use of nuclear weapons.  One of the fundamental questions here is whether or not officers responsible for nuclear weapons should blindly follow orders or if they should evaluate those orders through an ethical lens prior to destroying large portions of this planet.  If they didn’t want humans in the loop, we would simply fully automate the systems and remove the humans, so the Air Force is expecting their nuclear weapons officers to not only follow orders, but also to use their brain in doing that.

I suspect that if our society is in a position that we are ready to launch nuclear weapons that those launch officers will have access to the news and have a sense of the rhetoric that is taking place.  Politicians would be citing many justifications for the escalation of the war, and each officer will have to decide if they will follow launch orders for themselves.

The ethics class is followed by the signing of a legal document stating that the officer will not hesitate to launch nuclear weapons if legally ordered to do so.  While in the time of a nuclear war, this paper is worth what it is printed on… it is reasonable that you want launch officers that do not have an ethical issue with launching nuclear weapons.  I don’t know if we ever came to pulling the trigger if any of those officers will remember that class, signing that paper, or what.  My bet is that they will be thinking (or perhaps praying) for their family, their loved ones, and hoping that this crisis will be over soon, and that unleashing nuclear weapons will somehow result in a better world.

I think that it is reasonable to have an ethics class based on a wide range of sources, including religious.  I don’t think I’d stick to just Christianity, but also include other beliefs.  Not only would the Just War Theory be relevant, but so would the Islamic concept of lesser Jihad (protecting your country from attack).  I think most important is to have an honest discussion about the ethical dilemma every single launch officer will have when and if the time comes.  How do you quickly resolve that and either do your job and launch the weapons, or decide to disobey?

In the end I’m glad that the Air Force is evaluating the ethics training, but I don’t see the Christian beliefs used to support ethical arguments as an indictment against the Air Force.

Excellent Stuxnet Article

Wired has an excellent Stuxnet article.  The times are a changing.
