Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security IT

NSA Wages Cyberwar Against US Armed Forces Teams 219

Hugh Pickens writes "A team of Army cadets spent four days at West Point last week struggling around the clock to keep a computer network operating while hackers from the National Security Agency tried to infiltrate it with methods that an enemy might use. The NSA made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam for computer science and information technology majors, who competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Ideally, the teams would be allowed to attack other schools' networks while also defending their own but only the NSA, with its arsenal of waivers, loopholes, and special authorizations is allowed to take down a US network. NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.' The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."
This discussion has been archived. No new comments can be posted.

NSA Wages Cyberwar Against US Armed Forces Teams

Comments Filter:
  • Linux (Score:5, Insightful)

    by sleekware ( 1109351 ) * on Monday May 11, 2009 @04:24PM (#27913439)
    Anyone surprised by the OS choice of the winner? It was going to be either that or BSD.
    • Re: (Score:2, Informative)

      by sleekware ( 1109351 ) *
      I see this was marked as a trolling comment, but I meant with respect of the ability to really harden the security (and great security that is usually comes with a Linux or BSD package by default).
      • Re: (Score:2, Insightful)

        by ouimetch ( 1433125 )
        Great security comes by keeping yourself off the grid of would be attackers. Even the most secure systems can be tapped if somebody wants to bad enough and knows where to find it.
        • That is exactly why motivated NSA professionals were easily able to penetrate the Linux system of the winning team. Wait, what?

        • Re: (Score:2, Insightful)

          by socceroos ( 1374367 )
          That, my friend, is a dangerously shallow explanation of security.
        • Re:Linux (Score:5, Insightful)

          by ArcherB ( 796902 ) on Monday May 11, 2009 @08:41PM (#27916537) Journal

          Great security comes by keeping yourself off the grid of would be attackers. Even the most secure systems can be tapped if somebody wants to bad enough and knows where to find it.

          For a Soldier/Marine/Sailor/Airman, the ability to communicate is just as important as the ability to shoot. The greatest marksman in the world is worthless when he is cut off from his unit and surrounded by enemies that are in constant contact with each other.

          So to unplug the network cable from these machines kinda makes them worthless.

    • Re: (Score:3, Funny)

      Anyone surprised by the OS choice of the winner?

      No. The NSA doesn't run Linux so they don't know how to attack it. You have to log in with that text thingy and then type some stuff to get it to do what you want. The other kind of OS with the pictures of things works much better. You can point at the pictures and click them and it does what you want. If no one at the NSA runs Linux, how do you expect them to write a virus for it? It's obvious why it won because it is an underrepresented OS that no one uses anyway.

      • Re:Linux (Score:5, Informative)

        by Bellegante ( 1519683 ) on Monday May 11, 2009 @04:55PM (#27913943)
      • Comment removed (Score:5, Interesting)

        by account_deleted ( 4530225 ) on Monday May 11, 2009 @06:54PM (#27915633)
        Comment removed based on user account deletion
        • Re:Linux (Score:4, Insightful)

          by EEDAm ( 808004 ) on Monday May 11, 2009 @08:41PM (#27916547)
          You were surprised how confident and competent the NSA seems here? Honestly that got me scratching my head hugely. Not because I have some god given insight into the strength of the NSA but simply because this was an *under-grad* evaluation where they pitched the task as slightly too hard for the best under-grad team. Nuff respect to under-grads who study hard, but being an under-grad is just part of the journey and you have so much more you can develop when you finish that phase of your life. You really think it's surprising the NSA (or for that any fact any corporation / organisation / entity) is fairly or in fact let's make that *hugely* more advanced than the undergrads entering it? For every genius entrepreneur who comes out of college with a hot idea, there's a million who are just beginning their development. The world would be f$cked if we stoppped at that point...
        • Re:Linux (Score:4, Interesting)

          by Bombula ( 670389 ) on Monday May 11, 2009 @09:26PM (#27916929)

          I'm actually surprised at how confident and competent the NSA seem here

          No offense to West Point and the other military academies, but I'd like to see NSA take on the top team from MIT, Cal Tech, etc and see how they fare before putting total confidence in the NSA.

        • Re: (Score:3, Insightful)

          The competence of the NSA or the cadets has nothing to do with it. At the moment, the attacker simply has a huge advantage over the defender, no matter who the attacker and defender are. The defender must deploy a host of applications whose primary development goal was time to market, and security is still somewhere near the bottom of the todo list. The defender must rely on the discipline of end users with no interest or understanding of network security. The attacker can download all kinds of prepackag

        • Re:Linux (Score:5, Informative)

          by Tom ( 822 ) on Tuesday May 12, 2009 @04:57AM (#27919457) Homepage Journal

          I'd be interested to see how a team harvested from the basements of MIT or Caltech would stack up in a challenge like this, actually.

          Get their asses handed to them, essentially.

          We all laugh about the military and the secret services, but we forget what an impressive amount of things they do that we do not hear about. Sure, you learn about that double-agent fuckup in the middle east and think "how could anyone be that stupid?" - but you never learn about the other 20 agents that never get caught or uncovered.

          MIT is an impressive university, and they can floor Vegas with card counting. But the NSA is the largest employer of mathematicians in the world, and is still several years ahead of the world-wide scientific community in some areas of math research, especially cryptography.

          They have their share of fuckups, like every organisation of that size. Wouldn't underestimate them, though.

    • by davidsyes ( 765062 ) on Monday May 11, 2009 @04:55PM (#27913947) Homepage Journal

      Cadets trade trenches for firewalls
      http://news.cnet.com/2100-7350_3-6249633.html [cnet.com]

      (if you don't have nor want a subscription to the NYT....)

      This part probably is getting lots of attention here in /.:

      Cadet Brian McCord, part of the team that installed the operating system, said he was chosen because his senior project was deeply reliant on Linux. The West Point team used this open-source operating system, freely available on the Internet, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems.

      But this part probably says it all:

      ""It seems weird for the Army with its large contracts to be using Linux, but it's very cheap and very customizable," McCord said. It is also much easier to secure because "you can tweak it for everything you need" and there are not as many known ways to attack it, he said."

    • Re:Linux (Score:5, Interesting)

      by gravesb ( 967413 ) on Monday May 11, 2009 @05:40PM (#27914647) Homepage
      I participated in this as a Cadet in 2001. We used a variety of operating systems, including Windows 2000, Solaris, Linux, and Mac OS9. Even back then, the Linux server and desktop client had by far the greatest uptime. Well, except for me, as I was attempting to rebuild the Windows server after they had taken it down, yet again.
      • Re: (Score:3, Interesting)

        by mikek2 ( 562884 ) *

        As a CGA cadet back in the day, I would've LOVED to have done this. Alas, this was in the early 90's before this competition became reality.

        Alas, the Coast Guard has since completely eliminated the academy's CS major altogether (instead replacing it with some bullshit Op Analysis degree). Talk about being told your services aren't wanted anymore!

        But screw 'em and their horrible decision; I make more than an admiral now, anyway.

    • Re: (Score:3, Interesting)

      by Windrip ( 303053 )
      I wonder if VMS was even allowed in the competition. [defcon.org] Yeah, I know: "It wasn't banned, the rules were changed!"
    • Re:Linux (Score:5, Informative)

      by Anonymous Coward on Monday May 11, 2009 @05:54PM (#27914857)

      I was involved in the exercise. We used FreeBSD and Fedora Core 10 as our base server platforms. We'd used FreeBSD last year, so we were confident that it would give us a solid base to work from.

      According to the exercise directive, we had to run several windows workstations. We used Window2008 as the Active Directory and Domain Controller. We didn't go so far as try the "read only" mode, but W2k8 seemed solid enough for the duration of the exercise. Wasn't easy to get set up and locked down, however.

  • NCCDC (Score:5, Informative)

    by Anonymous Coward on Monday May 11, 2009 @04:25PM (#27913455)

    Looks a lot like the National Collegiate Cyber Defense Competition [nationalccdc.org]. Any college student team can participate in that one, however, and the NSA or Secret Service have participated in past events iirc.

    The competition is a lot of fun, 64 teams last year.

    • Re:NCCDC (Score:4, Insightful)

      by nametaken ( 610866 ) on Monday May 11, 2009 @04:28PM (#27913497)

      How bad-ass must one be to withstand concerted hack attempts by the NSA? I'd think that would look really, really impressive on a resume. Especially for someone applying for a .gov job!

      • Re: (Score:3, Interesting)

        by Burkin ( 1534829 )
        Except as the story says this wasn't even the worse they could do. They tamed down their attacks to the level of the undergraduates.
        • Re:NCCDC (Score:5, Insightful)

          by Atlantis-Rising ( 857278 ) on Monday May 11, 2009 @04:40PM (#27913691) Homepage

          The fact that the NSA was willing to participate at all strongly suggests to me that the NSA was just playing games, and was not in fact utilizing anywhere near their full capabilities in this exercise. Which says something pretty impressive about the NSA.

          • The NSA basically scanned their network for known vulnerabilities and took advantage of them. I hardly call flooding someones email a sophisticated attack either. The NSA has a much bigger toolbox than we give them credit for. I'm sure there is a classified file somewhere with a list of zero-day exploits waiting for that "special occassion" when they'll be needed. Open source makes this much easier, btw.
            • Re: (Score:3, Funny)

              by Anonymous Coward

              The NSA has a much bigger toolbox than we give them credit for.

              No, we don't. I work for the NSA, and I promise, you've seen it all. Move along here, nothing else to see. These aren't the droids you're looking for...

              • Re:NCCDC (Score:4, Interesting)

                by fluffy99 ( 870997 ) on Monday May 11, 2009 @06:32PM (#27915397)

                I've seen to many examples of the NSA having insider information to believe that. We get told to change some obscure registry setting or files and then a month later MS quietly announces an update that fixes the problem. For example, we were had to go into the registry and gut the autorun function entirely instead of just using the GPO. At the time I thought it was a f'd up mandate, but alas 6 weeks later MS admits that disabling autorun via the normal policy did not disable it in certain situations. Think the NSA knew ahead of time?

                Or how about their partnership with Symantec? Where the detections for some zero-day exploits are present in the symantec definitions files long before the zero-day exploit shows up in the wild?

                No, NSA isn't ahed of the game at all....

                • Re: (Score:3, Insightful)

                  by Artemis3 ( 85734 )

                  Did you forget "KEY" "NSAKEY" found when someone let windows slip with debug symbols and variable names on? This is the reason you don't trust black boxes known as proprietary software.

                  • Re: (Score:3, Interesting)

                    by fluffy99 ( 870997 )

                    Certainly with closed software, its easier to lean on the company to get a backdoor inserted without anyone noticing. You still can't rule this out with open-source.

                    You think the NSA hasn't been trying to weasel a backdoor into Firefox? I'm willing to bet the NSA (or another foreign intelligence agency) has done their own review of the code, and they are saving a few exploitable bugs for future use.

                    Sorry open source fans. The cold hard reality is that once open source code is written and accepted into a p

            • Re: (Score:3, Interesting)

              by Torvaun ( 1040898 )

              You really think that if the NSA went to Microsoft and asked for source code, that Microsoft would say no?

              • Re:NCCDC (Score:5, Funny)

                by c_forq ( 924234 ) <forquerc+slash@gmail.com> on Monday May 11, 2009 @06:01PM (#27914955)
                You really think the NSA bothers to ask?
              • Re:NCCDC (Score:5, Informative)

                by Jah-Wren Ryel ( 80510 ) on Monday May 11, 2009 @06:05PM (#27915029)

                You really think that if the NSA went to Microsoft and asked for source code, that Microsoft would say no?

                Hell, MS even said yes when China asked. [cnet.com]

                Open-source just levels the playing field for the rest of us.

                • Yup. MS shared the Win2k code with China. It is a coincidence that most of the zero-day exploits we find in Chinese network attacks exploit holes dating back to the Win2k code? Doubt it.

                  Having your code out in the open makes you more vulnerable to exploitation of software bugs because they're easier to find. I don't buy the BS argument that open source code is more vetted either. Go sift through any Linux bugzilla sight and see all the glaring bug reports. When basic features have serious unpatched hole

          • The fact that the NSA was willing to participate at all strongly suggests to me that the NSA was just playing games, and was not in fact utilizing anywhere near their full capabilities in this exercise. Which says something pretty impressive about the NSA.

            That's just what they want you to think.

          • The fact that the NSA was willing to participate at all strongly suggests to me that the NSA was just playing games, and was not in fact utilizing anywhere near their full capabilities in this exercise. Which says something pretty impressive about the NSA.

            That's circular reasoning. You are impressed by the NSA because they are so awesome they wouldn't normally play these reindeer games.

        • Re: (Score:3, Funny)

          by Chris Burke ( 6130 )

          Except as the story says this wasn't even the worse they could do. They tamed down their attacks to the level of the undergraduates.

          Exactly. Which is why Linux and Open Source won.

          You see, it's true that Open Source is superior and more potent at staving off cyber attacks than Closed Source. However, to defeat the next level of tests you need Secret Reverse Unclosed Source (of Ineffable Primes, +3). However the big boys aren't exactly going to be giving that away, what with it defeating the purpose and a

  • I'd feel a lot more positive about the NSA's capabilities, if they didn't have a track record of illegal wiretaps.

    • Re: (Score:3, Interesting)

      by mrmeval ( 662166 )

      I don't think the classified portion of the Executive Order that created them has been released. For all we know it contains a classified pardon.

  • Not as many? (Score:3, Interesting)

    by Twillerror ( 536681 ) on Monday May 11, 2009 @04:29PM (#27913515) Homepage Journal

    "It is also much easier to secure because "you can tweak it for everything you need" and there are not as many known ways to attack it, he said."

    I'm not sure I agree with this. There are plenty of ways to hack all OSs. Maybe a generic underhardened Windows install has more know ways...but how would one even quantify what is know and not know. Public is one thing, but given that Linux is open source and even compiled code can be broken down there is likely many known ways to hack products that are not public yet.

    I'd be more interested in the permiter defenses they used. Like what kind of IDS/IPS did they use? Where they using email firewalls to prevent floods of emails or just blocking. I think you also have to harden your servers, but I'd rather have something protecting my email server and have more layers to dig thru..and to alert you.

    • Re: (Score:3, Interesting)

      by ross.w ( 87751 )

      With Windows, you have to just trust Microsoft. With Linux or BSD, you don't have to trust anyone.

      It is even more of an issue for a non-US military. If you have the source code, you can vet it and make sure no one has planted back doors that the US Govt has insisted on.

      With Windows, you have to trust Microsoft when they tell you there are no backdoors. If you were the Chinese, would you believe them?

      • Re:Not as many? (Score:4, Interesting)

        by jjohnson ( 62583 ) on Monday May 11, 2009 @04:44PM (#27913757) Homepage

        How many people actually vet the Linux source code, or would recognize various weaknesses and backdoors if they were staring at them?

    • Not sure what they used, but I like the trusty "Unplug the router from the internets" to ward off an attack.
      • by iphayd ( 170761 )

        Except I already turned on the 3G network adapter that is embedded in the laptops.

        Bwahahahaha

    • I'm not sure I agree with this. There are plenty of ways to hack all OSs. Maybe a generic underhardened Windows install has more know ways...but how would one even quantify what is know and not know. Public is one thing, but given that Linux is open source and even compiled code can be broken down there is likely many known ways to hack products that are not public yet.

      Ummm...The code is public and it's known but not to the public...hmmm...yeah, makes perfect sense.

    • Re:Not as many? (Score:5, Informative)

      by blitzkrieg3 ( 995849 ) on Monday May 11, 2009 @05:04PM (#27914093)

      There are plenty of ways to hack all OSs. Maybe a generic underhardened Windows install has more know ways...but how would one even quantify what is know and not know.

      When getting attacked by the NSA, I'd prefer to use something that they developed [nsa.gov] to stem such an attack. And I don't want to hear, "well they developed it, so they probably have a backdoor." The many eyes argument definitely applies, since patches from the NSA would undoubtedly come under much more scrutiny. Espeically since this has yet to be proven for other operating systems [wikipedia.org].

      Anyway, the winning team was using Fedora 8, which has SELinux on by default.

    • but how would one even quantify what is know and not know.

      You could start here: http://en.wikipedia.org/wiki/List_of_computer_viruses [wikipedia.org] That is certainly not all-inclusive, but it's a decent start. I'll leave you to google for the host of Linux exploits.

    • Re: (Score:3, Informative)

      by TED Vinson ( 576153 )

      I'd be more interested in the permiter defenses they used. Like what kind of IDS/IPS did they use?

      The rules require the teams to construct the network within the constraints of a notional budget. This forces the teams to make choices about what infrastructure and security measures to deploy. They cannot have everything they might want; this is a taste of the risk-benefit decisions managers and admins have to make. It is also intended to make it feasible for the Red Team to penetrate a well-watched network, having only a minimal user-base, in only four days.

      IPS and other automated response systems are pr

  • Kobayashi Maru? (Score:5, Insightful)

    by HaeMaker ( 221642 ) on Monday May 11, 2009 @04:35PM (#27913615) Homepage

    NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.'

    Nobody wins, but lets see how long you hold out.

    • by oGMo ( 379 )

      It's like any benchmark though ... if the samples are all clipping, you can't compare it. Finding the maximum is the point. If your code runtime tests finish in 0.00s (or within the margin of error), you can't tell which is fastest. If all the graphics cards render at maximum FPS, you can't tell which is best. Likewise, if a team "wins", you can't really tell how good they are: "win" is not a useful metric, because you can't tell how far beyond "win" they went.

    • Re:Kobayashi Maru? (Score:5, Insightful)

      by Johnny Mnemonic ( 176043 ) <mdinsmore@@@gmail...com> on Monday May 11, 2009 @06:59PM (#27915677) Homepage Journal

      Also, note that the NSA isn't saying that they used the full force of their power and creativity. This is probably for several reasons:

      -it's not worthwhile to simply crater all of the teams. You want to see who's the best graduates and the most receptive to a couple of years of schooling, even if they need 25 years worth of real world experience to stand up to a real world exercise.

      -You don't want to reveal your whole strategy just for a graduation exam.

      -Even if you do reveal your whole strategy, you don't want your opposition to know that you did.

      I would be tempted to use something pretty rare, and mask the id strings--I would think that it would take so long to understand what OS I was really using to serve, and to research and characterize it's failures, that I would win. Like use BeOS and make it look like OS X as much as possible.

  • This appears like a modern day Kobayashi Maru exercise. And instead of it being designed and executed by a single Vulcan whom we all know, it was done by the best and brightest of our 'No Such Agency'. I say congratulations to both parties, the NSA and the winning West Point Team.
    • by jdgeorge ( 18767 ) on Monday May 11, 2009 @04:53PM (#27913905)

      This appears like a modern day Kobayashi Maru exercise. And instead of it being designed and executed by a single Vulcan whom we all know, it was done by the best and brightest of our 'No Such Agency'. I say congratulations to both parties, the NSA and the winning West Point Team.

      Man, do I ever long for the good old days of the Victorian era Kobayashi Maru.

  • The year of the Linux... undergraduate military PC?
  • OpenBSD? (Score:5, Insightful)

    by wandazulu ( 265281 ) on Monday May 11, 2009 @04:46PM (#27913791)

    When it comes to stories like this, or the one about the Dali Lama's computers being compromised, etc., I'm always surprised that no one considers using OpenBSD as their operating system; it's the only one that I know of that is specifically, purposely built, for security. Because it's Unix, it can still run pretty much everything (though you want to use the OpenBSD version because it's been reviewed for security holes, etc.).

    Seriously, if I wanted to keep my battle plans, aircraft designs, etc. out of the hands of the "enemy", I'd lock them up in an OpenBSD server, preferably on some less-common architecture like the Alpha, so that anyone trying to hack my system would have an enormously hard time.

    Yes I understand this doesn't take into consideration social networking. So I'd take a page from the elevated privilege playbook and say that in my organization, no one trusts the person below him/her so as secrets can never flow downhill. Going back to the operating system, this would presumably be handled by ACLs.

    Of course, no system is immune from the booze-n-hookers style of temptation, but that's someone else's job; I'm just here to install and configure software. :)

    • by debrain ( 29228 )

      I whole-heartedly agree. OpenBSD is an answer to many-a-question of security, in my humble opinion. Using off-mainstream platforms (like Alpha) is also valuable against those pesky low level vectors.

      Parent should be modded up.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Yep. That or if OpenVMS if you have Alpha or Itanium hardware. OpenVMS was banned from some of those hack-or-be-hacked competitions, because no one could ever get into them. :)

      • OpenVMS has had its security flaws (and patches) over the years, I get e-mailed on them, last "update kit" put out for 8.2 on ia-64 was 10/19/2006

    • by Chirs ( 87576 )

      Odd architectures are an interesting option. Not a surefire guarantee of safety, but can be a useful delaying tactic.

      I once was visiting with a friend when a mutual friend at defcon contacted him asking if he had a C compiler for an old mips-based Irix box.

    • People keep telling me security by obfuiscation doesn't work. I can buy a working Alpha server this afternoon for $70, and it is already running Red Hat 7.x. I can steal one faster and cheaper.

      Blockbuster was running Alphas a few years ago. Those may be traded out, but thinking your CPU will confuse your attacker is rather pointless.

      • Re:OpenBSD? (Score:4, Informative)

        by wandazulu ( 265281 ) on Monday May 11, 2009 @09:04PM (#27916753)

        I mentioned this in another post, but the point of using an Alpha, or a MIPS, or Itanium, or whatever, is not meant to be a cure-all, it's meant to present yet-another-barrier to entry. Since malware typically relies on being pre-compiled, your x86-based exploit isn't going to work. Somehow you find out I'm running OpenBSD on an Itanium. Okay, you have that information, but I've still made your job harder, now you have to go out and get an Itanium to build your malware on before you try to hack my box because you can't assume I'll have a compiler on it (and I would never have a compiler on it).

        Using a OS like OpenBSD and a different chip architecture will not guarantee a hack-proof box, but it's going to make it that much harder; if you're just looking for a box to turn into a zombie, it won't be worth it. If you're a foreign government trying to get at my battle plans, the booze-n-hookers method is likely going to be easier and faster.

    • Re: (Score:2, Insightful)

      I keep hearing that BSD is sooo much safer than linux, but isn't it all about the userspace, which is pretty much the same? For there to be much of a difference between linux & BSD you'd have to get to the point where you can make nasty system calls first, which provided your using SELINUX/apparmour/bsd equivalent is pretty hard.

      I also fail to see how using a less thoroughly tested platform like alpha is better than using an x86 processor (specifically an x86 that has all the security enhancements)?

      Desp

      • by 680x0 ( 467210 )

        but isn't it all about the userspace, which is pretty much the same?

        In general, you're correct. Apache (on, say, NetBSD)is generally as secure as Apache (on Linux). However, OpenBSD has reviewed a lot of the ported applications, and so Apache (on OpenBSD) should be better than other versions of Apache. That review may be done by other operating systems (e.g. the RedHat/Fedora version of Apache, if you get the RPM), but OpenBSD is famous for it.

    • by bobbuck ( 675253 )
      Does OpenBSD have any of the SELinux type security features?
    • Re:OpenBSD? (Score:5, Funny)

      by commodoresloat ( 172735 ) on Monday May 11, 2009 @05:23PM (#27914397)

      Yes I understand this doesn't take into consideration social networking.

      Exactly. OpenBSD lacks the kind of application client support for Facebook and Twitter that the NSA has come to expect.

    • by Isao ( 153092 )

      Going back to the operating system, this would presumably be handled by ACLs.

      Actually, you'll probably want to employ some type of multi-level security [wikipedia.org], something that provide mandatory access controls [wikipedia.org] via security labels. This generally provides a model more robust than ACLs.

    • Re: (Score:3, Informative)

      by drinkypoo ( 153816 )

      I'm always surprised that no one considers using OpenBSD as their operating system; it's the only one that I know of that is specifically, purposely built, for security.

      What? OpenBSD was forked from netbsd, it's not specifically built for security. It's specifically forked from netbsd, and since then the focus has been on security. Arguably the approach is no more or less valid than using a security layer like selinux. The two have certain parallels; getting some software to run on OpenBSD is a bitch, and getting selinux configured and useful is a bitch :)

    • Re: (Score:3, Interesting)

      by Corbets ( 169101 )

      Actually, we had a similar - but much less involved - exercise in one of my senior classes at Purdue University back in 2002. I *did* use OpenBSD. I'm pretty sure the instructor didn't even understand that was an operating system.... but it was an easy A, because pf is a great little firewall.

    • Re: (Score:3, Interesting)

      by Tom ( 822 )

      The NSA decided, many years ago, that hardening Linux would be the better route, and they released SELinux to the world.

      You can read up their reasoning, history, etc. on nsa.gov/selinux, at least you could last time I checked. Otherwise, ask Google.

  • There is no "Naval Postgraduate Academy," it's the "Naval Postgraduate School [nps.edu]". If the authors of the article couldn't be bothered to take 15 seconds to confirm that with Google, it makes me wonder what else is incorrect in their writeup.
  • That said, the assumption that the NSA are up to the off-the-reservation methods that true Black Hats would use may not be a correct assumption.

    What we anticipate and plan for frequently is not what is used against us by someone who truly is our enemy.

    • off-the-reservation methods

      I've never heard this phrase before in my life, and now I've heard it twice in a month or two, both times on slashdot. To what do you attribute its resurgence in popularity? Is someone out there astroturfing against indian casinos?

  • by malevolentjelly ( 1057140 ) on Monday May 11, 2009 @05:08PM (#27914169) Journal

    They weren't testing the operating systems, they were testing the cadets. A linux system is a sieve for the NSA-- I think this simply demonstrates that the team using the Linux boxes knew their system better than the teams on Windows or Solaris respectively. It's clear that a group of passionate linux admins can maintain an acceptably secure system at this level of expertise.

    However, actually infiltrating the systems would have proven nothing. I guarantee the *level of difficulty* the NSA used in order to properly test the undergrads is beneath what the Chinese government would use if trying to infiltrate a U.S. site.

    The reality is that none of these three systems are acceptably secure for government networks one their... if you're relying on just the Unix security model or Windows security model, you're basically wide opened to a dedicated and well-funded attack. It's situations like these where you need to keep your systems well behind a decent level of virtualization like secure separation kernels with more than competent internal security policies. The operating system like Windows, Linux, or Solaris, is really just the "interface" to the system for the users, so to speak.

    • by Burkin ( 1534829 )
      Unless they had it disabled the Red Hat systems they used would have had SELinux enabled by default so if their linux systems really were a sieve then that doesn't speak to highly of SELinux and the NSA.
      • by malevolentjelly ( 1057140 ) on Monday May 11, 2009 @05:38PM (#27914639) Journal

        Unless they had it disabled the Red Hat systems they used would have had SELinux enabled by default so if their linux systems really were a sieve then that doesn't speak to highly of SELinux and the NSA.

        SELinux merely brings linux up to par with other popular commercial systems in security, not beyond them. It brings Linux to the level where it may receive a government EAL 4+ certification, which certifies that the system is safe from casual or inadvertent attacks. These systems do not reflect the level of security necessary to defend government networks.

        • Re: (Score:3, Interesting)

          by Nursie ( 632944 )

          CCEAL 4+ is the highest level one can attain without designing for CC from the ground up.

          SELinux presents much tougher security than is commonly available on commercial systems.

          There are hardened variants of others (solaris, for instance), but none of the vanilla, commonly available OS variants come close to SELinux.

    • Re: (Score:3, Insightful)

      by mikek2 ( 562884 ) *

      They weren't testing the operating systems, they were testing the cadets.

      Agreed 100%. While supposedly the country's best & brightest, Cadets truly aren't more than horny 21 year-olds (I was a cadet... trust me I know! ;).

      Yes, the NSA could've SMASHED them in minutes. But the bigger concept here is to get the cadets to wrap their brains around the idea of a Pearl Harbor on the US' IT infrastructure & how to protect against it.

      Assuming this exercise started this year (it didn't... just saying), we'll start to benefit in ~5 yrs, as these horn-dogs assume senior roles.

  • by rickb928 ( 945187 ) on Monday May 11, 2009 @05:20PM (#27914361) Homepage Journal

    Is that if your system is attached to a publicly-available network, you cannot be curtain of a secure system. Don't even try to tell me you can secure your network against all network-based attacks, current and future.

    All you can do is raise the bar sufficiently to deter and defeat the lam0rs, and be able to focus your attention on detection, remediation, and retribution - if that's your style.

    Having been rooted a few times, I would have loved to slip a little Ex-Lax into their Dew, but my boss said leave them alone. Just as well, they always come back for revenge. Our government may think differently.

    But if it's hooked up to the Internet, count on it being compromised. Encrypt your data separately. Make backups and disaster recovery plans. Pray for this to happen on an otherwise quiet weekend, not the day before the quarterlies go out. And have an alternative. Anything is better than nothing.

    In case you're wondering, I am a fatalist when it comes to network security. I see little hope.

  • In other words, grasshopper, nice work -- but the NSA is capable of much craftier network take-downs.

    Thank you Mario! But our princess is in another castle!

  • "The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."

    2009 will be the Year of the Linux MBT!

  • Nothing new here (Score:5, Informative)

    by ronmon ( 95471 ) on Monday May 11, 2009 @05:50PM (#27914795)

    I was in the AF from 1977-1981 and worked directly for the NSA when they still had some scruples. In fact, my last posting was at Fort Meade after several years in the far east.

    As a '202xxA'(Radio Communications Analyst), that focused on foreign military communications, I could have been reassigned at any time as a 202xxB (Radio Communications Security Specialist) with no retraining. The B job just meant we were testing our own weaknesses instead of exploiting those of our opponents. It is important to look inward, find your flaws, and fix them. Kind of like debugging open source code, huh?

    That's what they were doing. Good job.

  • Why would talented hackers want to expose themselves like this to NSA? That's what I don't get. It's like submitting freaking fingerprints to the police before you rob a store.

  • by WindBourne ( 631190 ) on Monday May 11, 2009 @09:04PM (#27916749) Journal
    Up until 9/11, the nation's top computer security ppl were NSA. They had responsibility for it, which is why they created and pushed SEL. In addion, they insisted on running SECURED *NIX on all of their important systems. But then W and his staff created DHS and put them in charge of computer security. So far, that group has been a total set of f-ups. I used to work with several of those guys, and they were worthless back in 2000. Absolutely little to no real knowledge.

    It is time to put the NSA back in charge of this.

news: gotcha

Working...