Worm Attack Prompts DoD To Ban Use of External Media

An anonymous reader writes "The Pentagon has suffered from a cyber attack so alarming that it has taken the unprecedented step of banning the use of external hardware devices, such as flash drives and DVDs [...] The attack came in the form of a global virus or worm that is spreading rapidly throughout a number of military networks."

heh

[Anonymous Coward]

be careful where you stick in the USB stick.. :)

This isn't alarming...

[Hahnsoo]

This sounds like common sense. Seriously. Several years ago, a military bud of mine said that the worst threat to their security is the USB flash drive.

Re:

[Brett Buck]

Absolutely - our internal company network has banned personally-owned USB drives in DoD closed areas for years. It's obvious.

        Brett

Re:

[ShieldW0lf]

That's all well and good, but it's not going to stop grunts from using them to look at porn in the field. If I was going to do a cyber attack on the DoD, I'd be leaving virus infected DVDs full of porn lying around in occupied areas. You're pretty much guaranteed that it'll get passed from person to person.

Re:This isn't alarming...

[Creepy Crawler]

It needs to be said:

In linux, one can remove exec permissions from a whole device via the noexec switch in /etc/fstab .

Re:

[i_ate_god]

It needs to be said:

There is no technological defense against PEBKAC.

I'm still not entirely against the idea of a license for internet use. By "not entirely" I mean my idea of a license would never get used since it'll get abused.

My idea is simply, get a license that says you know about the dangers, and you have demonstrated a basic understanding on how to avoid them. When you sign up for internet service, provide license number and you get an account.

If my idea were taken into consideration though, it'll t

Re:This isn't alarming...

[Creepy Crawler]

---There is no technological defense against PEBKAC.

You are absolutely wrong. If a system is designed properly, or set up properly, the user cannot wreak havoc on a system or the network.

In windows, there are many ways to do X behavior that changes the system. Therefore, Windows is hard to secure properly. It is possible, only by globally applying over-secure regedits that disable even basic functionality. Instead, I propose Linux as a good starting point.

PEBKAC, at least in the business setting can be effectively eliminated by the use of simply being unable to even execute the programs.
Games? Not on the HD.
Web browser? If you need it, you'll be in the webbrowser group.
Some document program? does your job require documents, if it does, you'll have that.
Are you a developer for 3d stuff? If so, you get DRI rights. If not, no permission. Can Windows restrict access to the 3d device?

My question is why do you grant rights to users when they do not justify those rights? We need to provide granular access so that the user is limited in what they do and act only in prescribed ways.

As for that, the only way users can then screw things up is if they do not back up their user files, which you should already have thought of. A morning rsync of the /home (which should be mounted from the server) should take care of basic backup issues. Then it turns to your problem of access to the backups (which could be automated also). It really is a game of admin vs user, and you must outsmart stupidity. You do that by providing 1 way as the only way.

---Something about "internet license"

meh. You do that by providing a punishment via the lines of willful negligence. If one does not provide basic security to prevent infection/takeover or notices and takes no heed, one is guilty and owes a fine to the party harmed. In the course of a botnet, that would be the proportion of bandwidth they used (based upon the actions of the the takeover tool).

Simply put: use the laws we already have now, and not some new, easily to corrupt, new license.

Re:

[billcopc]

Or, you know, we could just drop offenders off the network.

I don't give a crap what people do to their PCs, as long as they don't mess with mine. Nuke them right at the switch if you can!

Re:

[Dr_Barnowl]

noexec doesn't prevent exploits of applications that read the data though. But yes, it makes it a lot harder.

Re:This isn't alarming...

[CaptainDefragged]

You can with Windows as well.

Re:

[CaptainDefragged]

Perhaps I should clarify that statement... In windows, you can remove exec permissions from a removable device with group policy and USB Drive Letter Manager.

Re:This isn't alarming...

[Creepy Crawler]

Why is everything in Windows managed by tools that do not come with the default installation?

I can perfectly manage a Linux installation without 3rd party or "optional" tools found on some website. Windows requires X tools that provide basic functionality on their site, and not default on the CD.

I hate that.

Re:This isn't alarming...

[Anonymous Coward]

Why is everything in Windows managed by tools that do not come with the default installation

We prefer to be called administrators you insensitive clod.

Re:

[Chr0nik]

It's actually quite a bit easier to do than that. Just disable usbstor.sys with GPO. done. Keyboards still work. Mice still work. Just mass storage devices. And whoever said you can't prevent execute on windows systems is ignorant. You've been able to deny "Read & Execute" via NTFS permissions since NT 3. Note: Read is a seperate right. Since you have to be able to read it to exectute it, it's just included in the permission description. Semantics. Here's something that may help you understand it. It

Re:

[cheater512]

No thats what the admins at my old school thought too.

It only means explorer cant execute anything from there.
Any other program can in fact still execute programs.

For example a single line of vbscript in a word document works rather well. :)

noexec on Linux prevents any execution at all.

Re:

[waffle zero]

You can still execute any binary by loading it with ld-linux.so, the dynamic loader.

I.E.

/lib/ld-linux.so.2 SOME_EVIL_BINARY

Re:

[JCSoRocks]

I've always felt the same way. For a long time our company was able to control the risk of data walking out the door by limiting who had CD burners. Nothing worth taking could fit on a floppy...

Unfortunately, we haven't updated our policies and anyone could bring or take anything. Firewalls and e-mail scanning are all designed to protect anything from outside coming in... those don't work so well when someone just slaps a thumbdrive with the latest worm in their machine. 'Cause lets be honest - no matter

Re:

[richlv]

um, i'm not. i'm not really afraid sticking whatever cd or usb drives to my computer - and i haven't run antivirus for 7 or so years. ok, the same goes for windows...

Re:

[LWATCDR]

We had that problem with travel notebooks. We use Linux firewalls and never had any problems with worms... Until a programmer brought back a notebook that he took on a trip and plugged it into the network.
Well live and learn. It isn't just thumb drives you have to worry about when it comes to data growing legs.
I have a 6 gig memory card in my cellphone and my PC has bluetooth.
The amount of data you can move easily today is just scary.

We had this problem...

[RulerOf]

Only it was with people bringing in docx files and expecting to use them with OpenOffice and blaming the IT department when it wouldn't work. So I followed some guides and wrote a script, threw it up in a GPO and now only Admins can use USB storage.

The procedure is a HUGE pain in the ass (you need to modify ACL's on registry keys and the whole 9 to cover all angles) but scripted it was as simple as "USBStorage.exe </enable|/disable>" in a logon script.

I think it took all of two hours.

Re:

[azuredrake]

Yeah, it's pretty ridiculous that DoD is only now banning external media on their premises, when that's been standard operating procedure in the video game industry for years. Let's see, what matters more... the next year's copy of Madden, or the next Patriot missile specs?

*facepalm*

Re:This isn't alarming...

[mrjohnson]

It is.

But then the network is also so locked down that often times that's the only way to transfer large files. There are shared network drives in the States but they're paltry and always 100% used by some officer's powerpoint presentation and his 2 hour home video.

When my unit was deploying to Iraq I gave all of my guys 2g thumb drives loaded with the data that the company needed. They attached it to their dog tag chain and I had them swear up and down to wear it at all times.

There was simply no other way provided.

Re:

[Yvanhoe]

The problem isn't the external media, it is the OS that considers as safe any exe labeled as a autorun on it. Seriously, this is the feature that made me install an antivirus on WinXP. Until then I thought that windows updates and sane practice would be enough but then I discovered that even without user prompting (as they usually and annoyingly do for almost everything) they execute untrusted application from an unidentified third party. I can't think of a single good reason for this :
1) to exist at all
2

Re:

[BoT_Bizarro]

Yeah, what's more alarming is that the military is several years behind on their operating systems, such as running Windows 2000. They are even severely behind on applying patches to these machines as well, because of the amount of testing they require to patch a machine. So the rule of thumb: To infect the military, use an outdated attack and it will probably succeed.

Re:

[PitaBred]

Which just goes to show you that Windows should never be let on the Internet, or use removable media of any sort.

In Soviet Russia...

[markov_chain]

... external media bans DOD! [slashdot.org]

Auto-infect

[robo_mojo]

Sounds like someone forgot to disable auto-run.

Re:Auto-infect

[Nerdfest]

It's quite sad that you need to with most (all?) versions of Windows. This should be the default state, especially with viruses coming right from the factories in digital picture frames, etc.

Re:

[supernova_hq]

While I agree with you (I disable it on ALL my systems), just image Joe Bob phoning Blizzard bitching that noting happened when he put the CD in the drive!

But then again, I also believe that banking sites should authenticate to YOUR private key, that credit cards should have rolling pins and that it should be illegal to run windows on anything that handles security or financial information...

While all these ideas seem sane, practical and necessary to me, the average person would become irate when they find

Re:Auto-infect

[Dr_Barnowl]

credit cards should have rolling pins

For a moment I pictured a credit card making pastry.

Re:

[WD]

Not at all. Please read:
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html [cert.org]

Basically:
1) U3 devices emulate CD-ROM devices, which will automatically run code with zero user interaction.
2) Clicking a drive icon in Windows explorer may run code specified in the autorun.inf file rather than exploring that drive location.

It's not intuitive how to disable AutoRun

[WD]

Forgot to disable AutoRun, perhaps. But actually, it's quite non-intuitive how to disable AutoRun in Microsoft Windows. There are several options, and none of them (and even all of them combined) will disable AutoRun and AutoPlay features in their entirety. In fact, up until recently, Windows Vista had the logic reversed for one of the AutoRun features! i.e., if you take the effort to disable the AutoRun feature, you actually put yourself at more risk. More details here:
http://www.kb.cert.org/vuls/id/889747 [cert.org]

But luckily, there is a single registry value that can disable AutoRun at its core. Once this change is made, Windows will not interpret the Autorun.inf file on any device, effectively disabling AutoRun for all devices, including USB drives, network shares, and more. Get the scoop here:
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html [cert.org]

Re:

[whoever57]

Forgot to disable AutoRun, perhaps. But actually, it's quite non-intuitive how to disable AutoRun in Microsoft Windows.

And then, after disabling Autorun, iTunes whines at you about it.

The obvious solution

[DesScorp]

Chuck Windows, and adopt Unix. I realize there are some possible implications of using Linux because of the GPL, but then use BSD. There are bright Comp Sci guys in the military and DOD. Customize a military Unix, and use it throughout all the services. In fact, I think it's long past time DOD did this. With the computerization of everything from planes to ships, now's a smart time to do it. There's no way Windows should be running a ship of war.

Warfare without Clippy?

[robinsonne]

It looks like you're trying to blow up that building. Would you like to use:

1)Grenade
2)An RPG
3)Airstrike

Re:Warfare without Clippy?

[haystor]

4)Windows

Re:Warfare without Clippy?

[DarthJohn]

5) Banana Bomb
6) Super Sheep
7) Holy Hand-Grenade

Re:

[j79zlr]

I love worms. One of the best addictive games ever!

Re:

[gad_zuki!]

You can have windows, but you cant have windows and running as administrator 24/7, the same way you cant have linux and running as root 24/7. If this is the same trojan from that wired.com article then it doesnt work without admin rights. Autorun will attempt to run it, but when it tries to write to the machine registry and to c:\windows then its just going to fail.

>here are bright Comp Sci guys in the military and DOD.

They might have bright coders but if their sysadmins are letting them run as local adm

./configure

[robo_mojo]

make war

Re:

[genner]

Failed dependency: UN approval missing.

Re:

[supernova_hq]

Loading deprecated library: Democracy Exporter

Re:

[jmyers]

# make clean
# ./configure --force
# make war
# make install
boom copied to /usr/local/bin
please edit /usr/local/etc/war.conf and set COUNTRY
#

Re:./configure

[genner]

# make clean # ./configure --force # make war # make install boom copied to /usr/local/bin please edit /usr/local/etc/war.conf and set COUNTRY #

vi /usr/local/etc/war.conf
COUNTRY="TERROR"
:w
:q
/bin/war
Starting war on TERROR...
Error: TERROR is not a valid COUNTRY.

Re:

[bigredradio]

I think you misinterpret the needs of the DOD. In cases where important systems are in place they use UNIX. It's all the systems running outlook, MSWord, visio and other office products that are to blame. Tough part is, (even I have used it for years) OpenOffice is just not ready for the common user. Or better yet, the common user is not ready for OO or any OS other than Windows. Just transitioning them to [ add flavor of ubuntu here ] is not that easy.

Re:

[Marc Desrochers]

Why does it have to be an easy transition? They're in the military, give them OpenOffice on *nix, and tell them that's what they use now.

Re:

[ZackZero]

Disclaimer: IAAS (I Am A Sailor)

Windows does NOT run a ship of war; I cannot say exactly what operating systems are used on the critical components (i.e. NOT shipboard LAN)but can say that they are a derivative of Unix. They are always kept in secured spaces and cannot simply be infected with a worm or virus. They're not even connected to the Internet.

The issue affects workstations kept on-land, and is likely covering those that are marked unclassified. Those are the ones running Windows - and I'll sa

Re:

[ZackZero]

When I said "Windows does NOT run a ship of war", I referred to active ships. The USS Yorktown (CG 48) was decommissioned, and therefore is no longer an active ship of war. We evolved past using NT4.0.

Re:

[SubmersibleJester]

Windows doesn't run a ship of war. Some flavor of Unix (Solaris, HP-UX) or Linux (custom or RedHat) are used for all Command and Control computers. Windows is just used for office work and such. So logistics and paperwork are suffering, but thats it

Re:

[Naturalis Philosopho]

Oh, just logistics... I feel much better now. ;)

Re:

[at_slashdot]

What problems should GPL pose to DOD? I mean even it they modify the code they don't even have to release the modification unless they distribute the code, but if they only use it in DOD they are covered they don't have to release any modification.

Re:

[BlackSnake112]

Only using one OS would be a bad idea. One OS == only one thing to crack. Better off using a mix of a few operating systems. harder to take down all of them with one single hack.

Re:

[link-error]

You mean like the version developed by the NSA? http://en.wikipedia.org/wiki/Selinux [wikipedia.org]

Re:

[Bobb Sledd]

You don't understand the scope of what you're suggesting.

Let's take just one job -- a DoD web developer for example. You have an internally secure web site used for data collection that (we'll say) runs on IIS, PHP, MSSQL and is developed using an IDE such as DreamWeaver (and probably PS is involved too), and is developed specifically for the DoD version of Internet Explorer. It's already been run through testing and received certification for security and all.

To move to a non-Windows based platform, you

Re:

[Thaelon]

IDWFTDOD (I Did Work For the Department of Defense), so FYI: DoD has been using !Windows since before Windows existed on their ships/planes etc. That is, the ships and planes don't run on windows and never have. Note that I didn't say what they do run.

You're right there are bright Comp Sci guys in the DoD. They're way ahead of you on this one.

Better ban email to

[Synn]

Because a virus can come from there as well. Along with web access, usenet access, ftp access.... might just as well unplug the network cable just to be safe.

Or they could install an OS that wasn't insecure by design.

Re:

[rrohbeck]

Only if your email client allows it.
Who needs anything beyond plain text in an email?

All email IS plain text

[mangu]

Who needs anything beyond plain text in an email?

The SMTP standard used for sending email does not support anything but plain text. What you see as binary attachments are actually encoded as plain text.

The problem with email executable attachments is not in the email itself, but in the piss-poor operating system most people use, which runs with superuser rights most of the time. In a superior OS, like Linux for instance, a virus in an email attachment wouldn't have privileges to infect anything but the user

Re:

[Hucko]

I love linux, but Id much prefer my military to be running open-bsd, plan 9, or a mix of all three.

Re:

[phantomcircuit]

All access across the Internet can be filtered and scanned.

The security risk here is that there is no way to scan external media until it is already plugged in, and no matter what the anti virus vendors say even malware that they detect will often manage to execute before the file is flagged.

commercial malware?

[bl8n8r]

ftfa: "Due to the presence of commercial malware.."
So.. this was malware someone purchased?

Re:

[Hognoxious]

this was malware someone purchased?

Yes. Not necessarily the person who runs it, but being the DoD you can't rule that out.

Re:

[supernova_hq]

Until Windows is free, yes it is commercial malware.

Does it really need to be said?

[NoobixCube]

I'm very surprised it hasn't been already. It probably will have been by the time this gets posted though. "This wouldn't be happening if they were using Linux!"

An actual case where Linux solved this problem

[TheModelEskimo]

Dave Richards, the administrator of the Largo, Florida computer network, came up against this problem. He made the system mount USB disks as FTP shares, and made the file browser hide any executable files on the share so they couldn't be transferred.http://davelargo.blogspot.com/2008/02/hp-thin-clients-and-usb-access-for.html [blogspot.com]

I'm not surprised the DoD just completely shut the door on these things, but I think that for most admins, a solution like Dave's would be a really good compromise.

Re:

[Marc Desrochers]

The next day, userx who has a little bit of know-how has gone home renamed said .exe file to .ex!, comes into work the next day, copies it to his desktop, renames it again, runs it and infects himself.

Re:

[TheModelEskimo]

That's worth considering. I wonder what sort of protections could be put in place to make it less viable. Of course, once you've done something that devious on your work computer network, I'd say you pretty much better assume that if caught you would be fired.

Re:

[Todd Knarr]

I know how I'd handle it on Unix. Removeable drives get mounted with the noexec option (or an equivalent set of permissions for filesystem types that don't have the concept of an execute bit). If users aren't allowed to install software on their own, then /home gets mounted that way too. Then it doesn't matter what tricks the user plays or what they rename the file to, the filesystem won't permit the execute permission bit to be set and without that bit the system won't treat the file as executable. You can

Windows....

[mlwmohawk]

Mark my words, it is because of Windows. If Linux or BSD based systems were predominant in the Pentagon, this would not be an issue.

The world, the U.S.A. is so screwed up. We all know what the problems are, but we can't address them because no one in position of power will discuss them.

Re:Windows....

[negRo_slim]

Mark my words, it is because of Windows. If Linux or BSD based systems were predominant in the Pentagon, this would not be an issue.

The world, the U.S.A. is so screwed up. We all know what the problems are, but we can't address them because no one in position of power will discuss them.

Let me play the troll here... and agree with you, how absurd it would be for our own military to purchase software from one of our premier software companies. A company that provides a consistent tax revenue and employment opportunities. and as others have pointed out, no malicious agents would dare sully the name of the *nix by writing custom software to go after a high profile target like the US military and it's related assets.

Re:

[Todd Knarr]

And if they did write such software, they'd surely not survive the ridicule and public humiliation of having their efforts graded against standards developed over 30 years of malicious pranksters with Computer Science degrees and way too much time on their hands trying to get access to the system to guarantee themselves an A (or at least get copies of the professor's answer sheet for the final). Which is in the end the reason Unix is more resistant to attack than Windows: Windows attempts to add security to

Re:

[mlwmohawk]

how absurd it would be for our own military to purchase software from one of our premier software companies.

Who has a world famous reputation for poor performance, reliability, and security.

A company that provides a consistent tax revenue and employment opportunities.

Security != Money. Damn it! Just because a company is profitable does not mean it has a good product.

no malicious agents would dare sully the name of the *nix by writing custom software to go after a high profile target like the US military an

Re:

[Jamie's Nightmare]

Get real. Security all comes down to the person who's task it is to implement it. Running Unix (or any compatible rip off) only gives you an additional layer of security through obscurity . Sorry fanboys, it's true. It's not a end all solution, and you would still need someone to take the time to plan for any possible security breach. Obviously, that includes any media (CDs, FlashDrives, Floppies) attached to the system. This isn't the first military fuckup, now you want to blame Microsoft instead of t

Bingo!

[snspdaarf]

Get real. Security all comes down to the person who's task it is to implement it.

Years ago, I was on a DoD facility where scheduling was being done on a UNIX box. Everyone there used the console for their work, everyone used the root account to do their work, and the password was written in on the first page of the book marked "Procedures" that was beside the console.

Re:

[mlwmohawk]

Years ago, I was on a DoD facility where scheduling was being done on a UNIX box. Everyone there used the console for their work, everyone used the root account to do their work, and the password was written in on the first page of the book marked "Procedures" that was beside the console.

I call this a lie. There is no way this would happen in a DoD shop.

Re:

[mlwmohawk]

Security all comes down to the person who's task it is to implement it.

To a point this is true, however, Windows is far more insecure to begin with.

Running Unix (or any compatible rip off) only gives you an additional layer of security through obscurity .

Not true at all. It gives you an over-all more secure base from which to begin.

Sorry fanboys, it's true.

No it isn't.

Obviously, that includes any media (CDs, FlashDrives, Floppies) attached to the system.

Why? Why would those devices be a security breach unl

Re:

[ShadowRangerRIT]

I worked for DoD. I ran Solaris Unix, and every other machine in the office ran that or Linux. Every machine is vulnerable to someone with physical access; blaming this on Windows is stupid and pointless.

Re:

[mlwmohawk]

blaming this on Windows is stupid and pointless.

Yes, of course, how many Solaris or Linux viruses are there?

I do not buy the hogwash equivocation argument that all security vulnerabilities are the same. There are degrees and there are levels of ease of deployment.

If a 12 year old script kiddie can exploit a windows system easily, but it takes a 20 year software security expert to exploit a UNIX system, I'd call that different.

The debilitating virus is Windows!

[David Gerard]

Yesterday, a terrorist attack on the NHS [today.com] brought three London hospitals to a halt.

The terrorists, representing an organisation calling itself "Microsoft," apparently used insecure third-party contractors to put a virus-running platform called "Windows" into critical systems in the hospitals, in order to extort money from them on an annual basis.

It is understood that a large percentage of all businesses are infected with the virus, wasting up to 25% of employees' working time and opening the companies to further attacks from related criminal organisations demanding to see all their licenses.

The virus in question, W32.SHILL/ZDNET, takes over the host's IT systems, leading to aches, pains, nausea, vomiting, pumping out prodigious quantities of faeces and a terrible compulsion to spread the infection to others. The patient also walks with a shuddering stumble and asks for their hospital meal to include tasty, tasty brains. Recovery has commenced when they have an overwhelming urge to throw their computer out of the window. "Getting this stuff out of the system makes MRSA look like a walk in the park," said one cleaner, waving his shit-encrusted hands about for emphasis.

When the infection became known, ambulances were diverted to other hospitals. "We have maintained a safe environment for our patients throughout the incident," said a spokesman for Barts NHS Trust, "keeping them in the Clostridium difficile culturing lab rather than risking exposing them to 'Windows.'"

Skynet

[GottliebPins]

Skynet became self-aware at 2:14am EDT. By the time Skynet became self-aware, it had spread into millions of computer servers across the planet. Ordinary computers in office buildings, dorm rooms, everywhere. It was software in cyberspace. There was no system core. It could not be shut down.

Re:

[psnyder]

The pieces are finally starting to come together...

• Skynet [wikipedia.org] was first introduced in a film staring Arnold Schwarzenegger [wikipedia.org].
• Arnold Schwarzenegger was born on July 30th.
• On July 30th, 2007 (10 years after Skynet became aware), CrunchGear runs an article [crunchgear.com] about MojoPac, a program that "Puts Your Desktop On A USB Drive". The very type of interface the DoD now sees as a threat. In the article they state that when you use MojoPac, "...the host computer is oblivious to anything going on."
• Foxnews reported the D [foxnews.com]

The V.A. is ahead of DOD

[602]

The V.A.--at least the healthcare part of it-- banned these months ago to prevent data from wandering away..

DoD needs a security nazi ( soup nazi style )

[unix_geek_512]

DoD needs a security nazi ( soup nazi style ).

Since I am the 2nd most paranoid person on earth I hereby nominate myself.

Semper Fi, carry on.

Insider perspective...

[soulsteal]

I work as an IT contractor for the USAF and what it boils down to is muddied interpretations and lack of discipline. They already have regulations stating what you can and cannot do with data coming in and out of the work place. No, you're not allowed to bring a floppy in from home. No, you're not allowed to take a government floppy home with you. The same regulations should, by default, extend to CD/DVD/USB/any and all media but since they're not specifically written that way, people could quote the AFI back and say it was allowed. This new ban is merely a clarification to close the loophole.

Did they swat a fly with a nuclear bomb? Sure.
Has it worked? So far.

Re:

[jdoverholt]

As an end user in the USAF I'd like to offer a bit more perspective on how exactly this filtered down.

The official policy, as it has been preached to us for quite awhile, is that you're not allowed to use personally-owned removable media. If the government issues you a thumb drive, you're good to use it all over the place, so long as you scan it for viruses before accessing on a government PC. This latest policy change had a bit of wording that struck me as... well, dumb.

Starting this week, upon logon

Oh crap...

[DoofusOfDeath]

I think "All your bases are belong to us" just got a little more frightening.

Signed Executables

[Detritus]

Why isn't the federal government using an operating system that refuses to load or execute any programs that do not have an authorized digital signature from an agency security officer? Anything that hasn't been tested and approved, no matter where it came from, never gets the chance to run.

When will this finally be a headline...

[db32]

Slashdot bans vague sensationalist stories from Wired and Fox.

There is nothing about this story that is really news. Viruses and the like are always a problem. Bad user behavior is always a problem. And this "unprecedented ban" is nonsense. Now, maybe actually enforcing it for the Army may be news, but external media on government networks has been a big nono for a long time unless it was purchased by the government for government use. That whole bring your own crap from home has always been somethin

Re:

[the_pooh_experience]

Speaking from within the Air Force, "external" media has a different definition than you think. For example, an Air Force purchased USB drive (FIPS certified hardware encryption), only plugged into Air Force owned and maintained computers, is forbidden under this directive.

Re:They're just ignoring the real problem

[idiotwithastick]

Do you honestly think that foreign intelligence agencies won't write Linux or Macintosh viruses if it would get them into the DoD network? The OS might be part of the problem, but users are the much bigger one.

When you put something in a locked box

[Ungrounded Lightning]

Do you honestly think that foreign intelligence agencies won't write Linux or Macintosh viruses if it would get them into the DoD network?

When you try to protect a secret by putting in in a locked box, do you put it in a steel box with a good combination lock? Or do you put it in a cheap transparent plastic box with a lock that can be picked by a safety pin and hundreds of holes and little doors that can be opened even more easily?

Yes Linux, MacOS, and even OpenBSD aren't absolutely impregnable. But Windows has a decades long track record of holes (some unfixable) and a multibillion dollar malware industry built on exploiting them. The fewer holes you start with the easier it is to close them.

Essentially ANY military function is a security issue. For a person with any level of IT expertise to put such functions on Windows platforms is, IMHO, either a level of incompetence suitable for dishonorable discharge or of malice meeting the definition of treason.

Re:

[KillerBob]

When you try to protect a secret by putting in in a locked box, do you put it in a steel box with a good combination lock? Or do you put it in a cheap transparent plastic box with a lock that can be picked by a safety pin and hundreds of holes and little doors that can be opened even more easily?

The answer really depends on what kind of other security measures you're placing on the box, and how accessible it is. If the transparent plastic box with a lock that can be picked with a safety pin is floating on a

Re:

[BlackSnake112]

Do you actually think the DOD only uses windows?

On an interview (so nothing was signed) we talked about having 6 different computer systems that needed the info from each simulation. The data had to be in 6 completely different formats after each run. None of the systems were windows.

In the DOD offices maybe there are windows machines. In the research/test areas I'd be surprised if there were windows based machines.

Re:

[Ungrounded Lightning]

Do you actually think the DOD only uses windows?

Of course not.

But I think that the machines affected by THIS WORM use Windows.

Do you know of any "commercial malware" worms that self-spread on any other OS?

Re:

[Hucko]

There is a worm that can infect Windows, random OS and Unix-based systems all equally effectively?

Im going to flip a coin to decide if it was Windows that got infected, or other OS. Head for Windows, Tails for other OS....

Re:They're just ignoring the real problem

[diegocgteleline.es]

There's no way you can automatically run code on a Linux computer by inserting a USB flash drive. It's just not possible. Those virus happen only because of Yet Another Windows Design Mistake - autorun.inf files that run executables.

This has been a problem for years. Make a program that deletes all the files in a system. Put it into a CD along with a autorun.inf file. Burn the CD, don't write anything on it, and leave it near the office of someone you hate. At some point the guy will insert the CD just to check what's there. Boom. The virus will run automatically as soon as the CD is inserted.

And there're more posibilities, like making a virus executable have a carpet icon. Since Windows hides extensions by default, people will double click the virus because they will think it's a carpet.

These things can't happen in Linux (well, not really true, they can happen thanks to the shitty .desktop files that get "interpreted" by file managers even if they don't have execution +x permissions)

Re:They're just ignoring the real problem

[diegocgteleline.es]

d'oh, were I write "carpet" I obviously wanted to say "folder". "Folder" is translated to spanish as "carpeta", and I always confuse them.

Re:

[seeker_1us]

Do you honestly think that foreign intelligence agencies won't write Linux or Macintosh viruses if it would get them into the DoD network? The OS might be part of the problem, but users are the much bigger one.

Oh they would write the viruses, but there are things like SELinux that protects against them even if installed at root.

And Linux can be a hell of a lot more secure than windows because you control what is running (you want no services? No problem). You can control the firewall rules completely. The list goes on.

Re:Not News

[Ungrounded Lightning]

Intelligence agencies did it to eliminate data paths out of the agency. DoD is doing it to eliminate malware paths into and within the agency.

Re:try this..

[Cajun Hell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer] "NoDriveTypeAutoRun"=dword:000000ff

That's the whole problem with you Linux dorks! People shouldn't have to get down to that level and do such obscure things, just to be able to safely use their computer. And what you don't understand is that most people just plain won't do it! Your post is exactly why Linux will never be ready for the desktop!