March 25, 2013

If we don’t want to be like the Iranians and get Stuxnetted, take these 4 steps

Thanks to Tom Ricks for allowing me to post on his blog a short piece:

If we don’t want to be like the Iranians and get Stuxnetted, take these 4 steps

It's Wednesday, and that means another story about the looming threat of cyberattack, how vulnerable the United States and its infrastructure is, how bad the Chinese are, how to retaliate, etc. But what seems to be left out of the discussion is what can practically be done about it (beyond scolding bad people). 

The first thing that should be done is to shrink surface area for attack. What does this mean? Right now the U.S. government and industry runs a pretty homogenous set of operating systems and applications that have shown to be a big part of the problem; specifically, Microsoft and Adobe are two companies whose wares have become amazing attack vectors. Why? For a few reasons: 1) if you want to create a virus/exploit weapon you tailor one for largest adoption, 2) attack large morphing code bases that give rise to known-unknown software vulnerabilities, and 3) updates don't always filter out in time once new vulnerabilities are detected and patched.

A great example is how Stuxnet is reported to have entered the Iranian nuclear program: 

The main (and initial) infection vector is the transmission of the Stuxnet malware via USB devices: if an infected USB device is inserted into a clean PC and later accessed with the Windows Explorer, then the infection of that PC is triggered. This is due to either a malicious ‘Autorun.inf' file present on the USB device (for the oldest variants of Stuxnet) or to the usage of the ‘LNK' Windows vulnerability (MS10-046,CERT-IST/AV-2010.313 advisory) for the variants found in June 2010.

The Iranians were probably running older versions of Microsoft operating system software that wasn't updated (and was probably pirated to boot). Further, the Iranians were a victim of Microsoft's business model of stitching together source code to lock-in users and conversely lock-out other software, which allowed the virus carte blanche access to anything. 

So what should we, the government, or private companies for that matter, do? First thing, we've got to get our own house in order to limit our vulnerabilities (or "know thyself," to paraphrase Sun Tzu).

  • First, get rid of software for which we have to continually make excuses. Just as the U.S. military doesn't promote smugglers (Han Solo) and farm boys (Luke Skywalker) to general, stop deploying software that requires additional fixes and comes stitched together. Microsoft and Adobe might be less expensive software, but if it leaves a backdoor open, is it really "cheaper"?
  • Second, only install operating systems and applications where the source code is available for widespread public inspection. Keeping source code secret increases its widespread vulnerability to exploitation when a defect is detected.
  • Third, increase heterogeneity of operating systems and applications to create gaps so that a virus/exploit can't transverse between different systems.
  • Fourth, fund research into more secure operating systems and make the fruits of that investment public: A rising tide lifts all (security) boats. A small investment in maturing source code can have a large impact. 

 

 

 

Mar 25, 2013 10:17:02 AM | Acquisitions, Current Affairs, Design, DOD, mil-oss, Military, OpenSource

November 26, 2007

medical Imaging Open source

Good call for Springer to keep the content open to all!!

Journal of Digital Imaging: Open Source Articles

all the content is open to all...

Linux Medical News: "The Society of Imaging Informatics in Medicine recently released a special edition of the Journal of Digital Imaging focused on open source. While they are published in Springer, all the
articles on major open source packages in imaging informatics are open access. SIIM saw it fitting that open source articles shouldn't be locked into a proprietary publisher."

interesting, the first abstract:

Abstract  The open source community within radiology is a vibrant collection of developers and users working on scores of collaborative projects with the goal of promoting the use of information technology within radiology for education, clinical, and research purposes. This community, which includes many commercial partners, has a rich history in supporting the success of the digital imaging and communication in medicine (DICOM) standard and today is pioneering interoperability limits by embracing the Integrating the Healthcare Enterprise. This article describes only a small portion of the more successful open source applications and is written to help end users see these projects as practical aids for the imaging informaticist and picture archiving and communication system (PACS) administrator.

Nov 26, 2007 5:39:55 PM | Design, OpenSource, Technology

October 29, 2007

US Tax Dollars at Work & Wasted

incredible, when will people be fired?

 “In addition, GSA told
Devis at its debriefing that contractor risk was not a determining
factor in the award decision, despite the fact that a majority of the
evaluation panel found the Symplicity proposal to be

 “unacceptable” and
offering “little confidence” of successful performance,” he added.

wow fully insane, why have technical committees if you are just going to give them to dumb companies

Oct 29, 2007 9:29:23 PM | Design, Technology, Web/Tech

October 09, 2007

Engineering Complex Systems is a Crock

I've just been digging into the design of engineering systems which when those systems when viewed from a distance are very complex. Digging into the research papers i keep coming across terms like 'complexity and engineering' or 'complexity engineering.'

No sane engineer sits down to design systems where they can't predict the outcome. Further the term comes up that the system will spawn emergent behavior we can't understand. That's the last thing you want with an engineered system, things not happening.

we want complex ecosystems not complexity engineering. True complexity and emergence only occurs when you add people, not more machines.

Oct 9, 2007 3:42:12 PM | Design

August 28, 2006

Modelica

Interesting open source project, much large in Europe than the US:
Modelica and the Modelica Association
The object-oriented modeling language
Modelica is designed to allow convenient,
component-oriented modeling of complex physical systems, e.g., systems containing
mechanical, electrical, electronic, hydraulic, thermal, control, electric power
or process-oriented subcomponents. The free Modelica language, free Modelica
libraries and Modelica simulation tools are available,
ready-to-use and have been utilized in demanding industrial applications,
including hardware-in-the-loop simulations. The development
and promotion of Modelica is organized by the non-profit
Modelica Association.

Aug 28, 2006 7:48:10 PM | Design, OpenSource

November 10, 2005

Engineerign & Design

2 interesting article about the interplay between good design, engineering, complexity and simplicity. One from IEEE Computer Journal Complexity in Design and the other in Fast Company Simplicity + Technology = Sweet Success.  Both discuss the engineering discipline of application of technology and how sometimes, technology becomes too much.

From Fast Company: "The old design mantra "Less is more" has never been truer than in the world of technological gadgetry, Lovelady says. As consumers balk at the steep learning curve attached to each software upgrade and "time-saving" appliance, manufacturers and engineers are ceding power to designers who insist on simplicity, elegance, and user friendliness, even if it means sacrificing some technological wizardry."

From Computer: "Have you ever taken a close look at an acoustic grand piano? The complicated mechanism in which the player’s fingers cause hammers to fall on strings, which are damped to varying degrees and at varying times, is exquisitely subtle and quite involved. Perhaps there’s a way to simplify that mechanism without sacrificing the combination of tone and playability that has selectively evolved over hundreds of years. But it seems likely that most of a piano’s complexity is necessary because of how our fingers, feet, and ears work. A skilled performer can coax thunderous waves of sound or delicate susurrations; the mechanics of the keys have the requisite dynamic range. This complexity works."

Strive to avoid creeping complexity, the kind that arises from unintended interactions among multiple unrelated design decisions. Eschew complicated machinery that isn’t clearly and provably necessary to attain one or more of the major project goals. If you aren’t sure you need some logic in your design, keep asking questions until someone either justifies it or agrees to toss it overboard.

Entropy always drags a project in the direction of increasing complexity; things never get simpler on their own. Except for bad wine. On Tuesdays."

Nov 10, 2005 11:18:30 AM | Design

October 18, 2005

New DOD Agency to Centralize Business Processes

Article: New Agency to Centralize management of Defense Business Programs, I would like to think this would decrease costs and increase capabilites, but I have my doubts.

Oct 18, 2005 11:03:43 AM | Design, Military

October 12, 2005

Crooked Corp Gets Nuke Controls

From Defense Tech. Story:

"Companies found to be crooked one day are given giant contracts the next. Sometimes this is unavoidable -- like when there's only one firm with has the expertise to tackle a particular task. But more often, it seems, the Pentagon goes out of its way to reward business that screw them over.

Take this story from Defense Industry Daily, for example: In April 2005, L-3 Communications subsidiary Interstate Electronics Corp. in Anaheim, CA was placed under criminal investigation for providing faulty parts to the CSEL [Combat Survivor/Evader Locator] search and rescue GPS/ beacon/ communicators used by US aviators, special forces teams, et. al. - and concealing test failures. So, naturally, they've just been awarded a contract to support the test; instrumentation hardware for most of America's nuclear missile fleet; and all of Britain's."

Now why is the procurement system not broken? There is no real concept of a reputation system (and no impact or effect if you screw somethign up) mainly a fine and 'time-out'. Transparency doesn't exist. What is needed is a rated reputation system that impacts a company if they do wrong otherwise it's just business as usual and the soldier (and taxpayer) gets the short end.

See Link

Del.icio.us Tags: military, reputation, procurement

Oct 12, 2005 12:31:01 PM | Design, Military, Technology

Body Monitoring

Very interesting company, BodyMedia. They build monitoring devices for the body. Pretty cool, now if someone could just hack my Shuffle to it...

Del.icio.us Tags: body monitoring technology wearable

Oct 12, 2005 10:44:07 AM | Design, Internet, Science, Technology

September 20, 2005

O'Reilly Article, Katrina and Maps

Great article about soem friends of mine who have been able to pull off some great stuff using open-source GIS for Katrina relief effort:
Katrina maps and photos via open source tools

by Tyler Mitchel @ O'Reilly Net

Sep 20, 2005 3:20:51 PM | Design, Internet, Technology
»

John Scott

powder monkey: NOUN: Slang, One who carries or sets explosives.

Berger Russell
The Typepad Team

Search

My Other Accounts

Recent Comments