(foreign) intel inside?

[David Farber <dave () farber net>]

Begin forwarded message:

From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: August 17, 2005 4:56:49 PM EDT
To: dave () farber net
Subject: (foreign) intel inside?


A forecast that within a decade, we'll be riddled by foreign-supplied  
vulnerabilities; comment most worth noting: "He also said that the  
Defense Department should stop funding university research conducted  
by foreign nationals. Hamilton added that this is not a xenophobic  
reaction, but a reasonable response to a potential threat."  Hmmmm...  
I think that if we rely on noting if the foreign/domestic bit is set,  
and not on systems designed from the ground up for security, we're  
going to unnecessarily inconvenience lots of people, for little or no  
gain, and further isolate ourselves in the world of technology...   Ross


http://www.gcn.com/vol1_no1/daily-updates/36688-1.html

IT infrastructures could be battlefields of future wars

08/17/05
By Patience Wait,
GCN Staff

HUNTSVILLE, Ala.  A professor from Auburn University has made the  
case that the United States may face a war in the future in which not  
a single shot is fired, but yet America loses.

There could be “pre-emptive achievement of military objectives  
strictly by information warfare techniques,” said John “Drew”  
Hamilton, associate professor of engineering and director of the  
Information Assurance Laboratory at the university.

Hamilton projected that such a conflict could take place by 2015­the  
time it would take to infiltrate computer development programs and  
insert malware into operating systems, applications software,  
firmware and hardware.

Acquisition trends in the military actually facilitate the  
possibility of such a scenario, Hamilton added. “You don’t expect the  
military to go to Home Depot to buy a [rocket launcher], but we  
expect them to go to Staples to buy software,” he said.

Software developers have always written back doors into their code,  
and even secure, partitioned systems such as the Secret IP Router  
Network have them.

“I learned that when I got e-mail from Joint Forces Command to scan  
their attachments” for viruses, Hamilton said.

The risk in pushing the use of commercial, off-the-shelf software is  
compounded by private-sector outsourcing, he said. Microsoft Corp.,  
for instance, has outsourced some programming tasks to China and Russia.

Hamilton said that Dan Wolf, information assurance director of the  
National Security Agency, told an academic group in June that “DOD  
agencies have been outsourcing IT services to [Section] 8a firms that  
are fronts for foreign intelligence agencies.”

Nor is the problem limited to the Microsoft environment. Linux,  
touted by open-source proponents, has its own vulnerabilities. “NSA  
[National Security Agency] recompiled the kernel so you can’t turn  
off [key] logging, which is good for forensics,” figuring out what  
happened after the fact, Hamilton said.

Finally, the military has not made software a “core competency,”  
according to Hamilton. “Some government agencies have contracted for  
software code they don’t own the rights for.”

Hamilton suggested several steps that could be taken to pre-empt and  
prepare for this kind of warfare, including reverse-engineering  
software architecture to find weaknesses, identifying sensitive  
parameters that can be exploited and looking for undocumented  
functionality.

He also said that the Defense Department should stop funding  
university research conducted by foreign nationals. Hamilton added  
that this is not a xenophobic reaction, but a reasonable response to  
a potential threat.

© 1996-2005 Post-Newsweek Media, Inc. All Rights Reserved.


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/