DARPA Cyber Range Project Doomed to Failure 41
carusoj writes "Former black-hat hacker Noah Schiffman details why DARPA's National Cyber Range project is bound to fail. The NCR is proposed as a simulation of the Internet, including replicating 'human behavior and frailties.' Schiffman argues that if the Defense Department is really building something of this scope, it might as well use the actual Internet."
What does "failure" mean though? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
"Why build one internet when you can build two for twice the price."
~X~
What goes around comes around (Score:1)
Re: (Score:1, Funny)
I took the lead, and went ahead and created the Internet. Now DARPA is trying to rip me off. Luckily the Earth is going to self-combust here in a matter of 12-18 months, so DARPA probably won't have enough time to pull off this dastardly deed.
- Al
Re: (Score:2)
Al Gore never said that and Quayle spelt potato according to an archaic, but accepted, variant. I have no clue why this stupid lie makes me angry, except it cost me hundreds of thousands of dollars.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
If I had one of these (Score:4, Funny)
Re:If I had one of these (Score:5, Funny)
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:1)
By using the actual internet.... (Score:5, Insightful)
On the other hand, by using the internet, the powers that be wouldn't be able to rig or dumb down any tests so that they succeed. Like they did with some of the Star Wars tests. Useful when justifying budgets to Congress.
sigh (Score:3, Interesting)
Re: (Score:1)
They're building a bot-net!
I disagree (Score:4, Insightful)
Don't underestimate social engineering (Score:1)
Considering that the social engineering attack has been around since society started, as opposed to software and protocol vulnerabilities which are rather recent developments, I'd have to say that I think you're dead wrong (I assume, based on context, that your use of "system" didn't include society).
This is in addition to the added argument that fixing software or protocol vulnerabilities on a society
Pretty good idea. (Score:2, Insightful)
I disagree... (Score:5, Interesting)
I also find it interesting to find that people say a realistic simulation is impossible, while in the same breath complaining this project costs too much. $30 Billion obviously won't get you 100% there, but I'll bet it'll get you there with 95% confidence. Yeah, I suppose you could argue that because that 5% exists, the project has no meaning, but any engineering effort has a little slack in it. If history is any indication DARPA should do a fairly good job at managing that risk.
Re:Exactly (Score:1, Flamebait)
Bogus analysis - not 30 billion. (Score:5, Insightful)
Nothing in the solicitation has a $30 billion price tag on it. No idea where that number came from. There are no dollar amounts at this stage; DARPA is soliciting bids.
What DARPA is asking for is a 10,000 node Internet simulator, and that's in the final phase. The whole system can be started, stopped, and flushed to a clean state for new tests. Users are simulated: "Replicants will simulate physical interaction with device peripherals, such as keyboard and mice. Replicants will drive all common applications on a desktop environments." Attacks on the network are supported; the vendor even has to provide a "malware library".
The simulated machines have to be simulated at a fine level of detail. "The NCR must be capable of taking a physical computer and rapidly creating a functionally equivalent, logical instance of that machine that can be replicated repeatedly and injected into a testbed. Given a never-before-seen physical computing device, create logical instantiations of the physical native machine that accurately replicates, not only the software on the machine, but hardware to the interrupt level, chipset, and peripheral cards and devices.". That's going to be hard. They may end up with real computers hooked up to peripherals that simulate human inputs. (DoD does this all the time; it's how flight control software is debugged. Serious flight simulators use the real "black boxes" of real aircraft with simulated inputs and outputs.) They need that level of fidelity because they want to observe virus and attack behavior.
This is going to be a useful asset.
MOD PARENT UP! (Score:2)
Re: (Score:1)
Replicants are a really bad idea. I mean seriously? Why don't they just activate skynet while they're at it?
Chat Attack (Score:3, Funny)
1) get enemy's AIM s/n and post it on a public chat room with a cute profile picture.
2) Soon enough all of enemy's supercomputers will be flooded with trillian windows with "a/s/l" and "wanna cyber?" messages
3) ???
4) Profit!!!
Cheers!
I don't see a problem. (Score:2)
Something has to provide an environment where potential damage from various existing kinds of malware and attacks, and effectiveness of various countermeasures, can be evaluated without waiting for those things to happen in
Re: (Score:2)
"that military and not computer scientists are running it" Since when the hell did military mean not smart...or is this another one of those braindead ultraliberal repeated lies. The military as a whole has never been more educated and has been responsible for some pretty impressive things in the past. Do you understand how utterly moronic it is to say "Well those stupid DARPA guys aren't computer scientists and can't possib
Re: (Score:2)
"that military and not computer scientists are running it" Since when the hell did military mean not smart...or is this another one of those braindead ultraliberal repeated lies. The military as a whole has never been more educated and has been responsible for some pretty impressive things in the past. Do you understand how utterly moronic it is to say "Well those stupid DARPA guys aren't computer scientists and can't possibly do this". Uhm...they did it once already...remember that real internet thing?
Actually I am against military running it because military is not the right organization to provide protection against criminals and crooks in the time of peace. "by its nature malware can not specifically target people in particular organizations". Ok...you are obviously not clear as to how the internet came to be or exists today. By all means...go poke around with RIPE and ARIN and tell me if you can't target particular organizations. For fucks sake there are lists all over the net that show specific US
Re: (Score:1)
While I agree with the point of view that law enforcement is a civilian function, the military still need to train for cyberwar, and much of the hardware in use by law enforcement today is a direct result of military reasarch. It seems reasonable to me to conclude that in time this research will provide benefits to law enforcement.
Also, I think it would be less inflammatory to simply state that in a given attack, as network selec
Re: (Score:2)
the military still need to train for cyberwar
There is no "cyberwar". There never was a "cyberwar". There never will be a "cyberwar". What we have now is a bunch of assholes and crooks exploiting idiotic vulnerabilities in systems and procedures that should be never in any way related to anything military, or in any way safety-critical.
Also, I think it would be less inflammatory to simply state that in a given attack, as network selectivity increases, total population decreases. With experience and various models, a commander should be able to dial in with relative accuracy the impact of a given attack.
More like, the only way to keep a self-propagating attack running is including systems with lowest of the lowest level of security and users' competence. Exclude them, and you can just as well ping -f your "enemies" fr
Re: (Score:2)
Re: (Score:2)
Stories are not.
Re: (Score:2)
"that military and not computer scientists are running it" Since when the hell did military mean not smart...or is this another one of those braindead ultraliberal repeated lies. The military as a whole has never been more educated and has been responsible for some pretty impressive things in the past. Do you understand how utterly moronic it is to say "Well those stupid DARPA guys aren't computer scientists and can't possibly do this". Uhm...they did it once already...remember that real internet thing?
Actually I am against military running it because military is not the right organization to provide protection against criminals and crooks in the time of peace.
"by its nature malware can not specifically target people in particular organizations". Ok...you are obviously not clear as to how the internet came to be or exists today. By all means...go poke around with RIPE and ARIN and tell me if you can't target particular organizations. For fucks sake there are lists all over the net that show specific US military installations IP ranges.
Any piece of malware needs hordes of personal computers to run on. So if you write one you have to make it use every opportunity to infect a vulnerable computer, or it will fail to survive. This means, no "but we won't let it run on AMERICAN computers!" stupidity. Not that it would be any less illegal.
When it comes to targets of DDoS, targeting a
Thank god. (Score:1)
Missing the point of DARPA altogether (Score:3, Interesting)