More Fun — Why Now?
On-line Opinion Magazine…OK, it's a blog

More Fun

CBS is reporting the problem with a misleading headline: “Heartbleed” bug in Web security exposes passwords to hackers

The bug afflicts version 1.0.1 and 1.0.2-beta releases of OpenSSL, server software that ships with many versions of Linux and is used in popular Web servers, according to the OpenSSL project’s advisory on Monday night. OpenSSL has released version 1.0.1g to fix the bug, but many Web site operators will have to scramble to update the software. In addition, they’ll have to revoke security certificates that now might be compromised.

This is definitely a ‘bad thing’, but the reporting takes a long time to get to how it affects you. Among the more common uses of OpenSSL is preparing the keys you submit to a Certifying Authority to be granted the certificate used to encrypt data, like passwords, exchanged between users and a server. If you can capture the server’s keys, you can set up a listening post on the line and capture information like passwords and account names.

The real problem is getting people to update their software. There are a lot of problems that are still hanging around because too many people don’t update often enough, with a few who have never updated.

29 comments

1 Badtux { 04.08.14 at 11:49 pm }

Actually the article is mostly bullshit.

The Heartbleed bug is a stack leak attack. Up to 64K of stack memory can be leaked. Unfortunately, that 64K of stack memory generally includes the private key part of the RSA public key certificate that identifies the web site. If you have that private key you can reassemble the certificate then perform a man-in-the-middle attack, which will require a DNS redirect hack or physical access to the network. Or you’ll need to be able to sniff traffic to the web site whose certificate you’ve stolen. Then, and only then, can passwords be sniffed in transit — but only under those conditions, which are harder than they sound. The NSA could do it, easily. J. Random Script Kiddie? Nope.

So the password thing isn’t the real issue. The real issue is that basically every certificate for every web site on the Internet is going to have to be revoked and re-issued because it’s been corrupted and thus is useless for authentication and encryption. Including my own employer’s certificates. We thought we had made ourselves safe by putting Amazon’s load balancers in front of our web sites. Nope. Amazon’s load balancers turn out to include the broken OpenSSL library as part of their code. Sigh!

– Badtux the Geeky Penguin

2 Kryten42 { 04.09.14 at 5:46 pm }

Agree Badtux. 🙂

Here’s a free SSL Cert authority that is charging its clients to revoke the vulnerable certs! Or, “How to seriously piss off your customer base without even trying!” They even got snarky at their clients for questioning it. 😉 😀

Shameful Security: StartCom Charges People To Revoke SSL Certs Vulnerable To Heartbleed

And *shock*, Holder tells (part of) the truth for a change! 😉 LOL

Eric Holder Admits That, If It Wanted, NSA Could Collect Internet Searches & Emails Just Like Phone Metadata

And Snowden testified via video (of course) for the Council of Europe. 😀

Ed Snowden testified (via video, of course) for the Council of Europe, the “top human rights body” of Europe, and told them that the NSA spied on various human rights groups, including Human Rights Watch and Amnesty International.

He told council members: “The NSA has specifically targeted either leaders or staff members in a number of civil and non-governmental organisations … including domestically within the borders of the United States.” Snowden did not reveal which groups the NSA had bugged.

The assembly asked Snowden if the US spied on the “highly sensitive and confidential communications” of major rights bodies such as Amnesty and Human Rights Watch, as well as on similar smaller regional and national groups. He replied: “The answer is, without question, yes. Absolutely.”

Of course, one of the things that’s bugged me most of all about the response from NSA defenders is the typical line: “we’re not listening to you talk to your grandmother” or whatever similar line may be. But, as more and more revelations have come out, they get closer and closer to the kinds of communications I actually do have on a regular basis. Talking to sources working on interesting technology projects, talking to human rights and civil society groups around the globe. Spying on journalists. Each day there’s more and more evidence that while the NSA might not care about some mythical person talking to his or her mythical grandmother, it is very much collecting all sorts of information that those very same people thought were private — and which clearly have nothing to do with national security.

Geeee… what a surprise!! 😈

Good thing I no longer work for Amnesty (though I do miss that, we did some good work! And even managed to really annoy the CIA! Bonus!) Then again… I coulda had some fun with the NSA! 😉 LOL

3 Kryten42 { 04.09.14 at 5:55 pm }

Ohh, speaking of fun… One more from Snowden. 🙂 He’s doing a great job of making the NSA look like the fools they are! 😀

In a new interview with Vanity Fair magazine, Ed Snowden seems to be hitting back at nearly every bogus claim made by his critics. He kicks it off by responding to the claims that if he were a real whistleblower, he should have just gone through “official channels.” He claims that he did that and nothing happened. In fact, he suggests that Congress ought to ask the NSA about that.

The N.S.A. at this point not only knows I raised complaints, but that there is evidence that I made my concerns known to the N.S.A.’s lawyers, because I did some of it through e-mail. I directly challenge the N.S.A. to deny that I contacted N.S.A. oversight and compliance bodies directly via e-mail and that I specifically expressed concerns about their suspect interpretation of the law, and I welcome members of Congress to request a written answer to this question [from the N.S.A.].

How about the silly claim that he took 1.7 million documents? As we’ve mentioned this number keeps going up. First it was 50,000 documents. Then 70,000. Then 1.5 million. And the latest is 1.7 million. And all of it seems based on a faulty assumption that every document Snowden has ever “touched” he took with him. That is almost certainly false. And, as we’ve also noted in the past, Snowden has made it clear that he no longer has any of the documents. He reiterated that to Vanity Fair:

Snowden cautions about some of the numbers that investigators have publicized, especially the 1.7 million figure, which, he tells Vanity Fair, is “simply a scare number based on an intentionally crude metric: everything that I ever digitally interacted with in my career.” He adds, “Look at the language officials use in sworn testimony about these records: ‘could have,’ ‘may have,’ ‘potentially.’ They’re prevaricating. Every single one of those officials knows I don’t have 1.7 million files, but what are they going to say? What senior official is going to go in front of Congress and say, ‘We have no idea what he has, because the N.S.A.’s auditing of systems holding hundreds of millions of Americans’ data is so negligent that any high-school dropout can walk out the door with it?’ ”

“I know exactly how many documents I have,” Snowden continues. “Zero.”

There’s more in the publicly released summary, and apparently the full story (not yet released) will have even more. Of course, it won’t stop the NSA’s defenders from making the same old claims again and again without proof.

Snowden Says NSA Is Lying When It Claims He Didn’t Raise Concerns Through The Proper Channels

Way to go Ed! 😀 I think the NSA has a Tiger by the tail, and the Tiger is seriously annoyed! 😆

And fools like this are only helping Snowden! LOL

Mike Rogers Still Pushing His ‘Snowden Is A Russian Spy’ Delusion, Citing Every Single ‘Counterintelligence Official’ In Support

All too funny! 😈

4 Bryan { 04.09.14 at 9:53 pm }

Thanks, Badtux. I assumed it was something for crackers, not script-kiddies, or most hackers. The Russians, East Euros, and intel outfits are the real threat.

I see calls for people to change their passwords, which they should be doing on a regular basis anyway, but if the sites they visit haven’t updated their server software and then obtained a new certificate, there isn’t much point, because it still isn’t secured.

My version of Linux updated OpenSSL yesterday, so the fix is out there.

Actually, Kryten, I understand about the charges. Those guys are going to have to update their software and then regenerate all of their certificates, which is a lot of unanticipated expense. They are going to need to get the money from somewhere to stay in operation and complete the process in a reasonable time period. Every CA on the planet is about to have a really bad quarter.

Mike Rogers is a former FBI agent, so don’t expect logic from him. He’s still fighting the Cold War as well as The War on Terror™, so common sense is not part of the discussion.

They have no idea what Snowden took with him, so they can only assume ‘everything’, which scares the hell out of them, as it should. Anyone who thought they wouldn’t abuse the power they had was kidding themselves. You appoint political officers to command positions, you are going to get political actions. For years politics has trumped proficiency at the Pentagon and the military is paying the price.

5 Steve Bates { 04.09.14 at 11:25 pm }

“I see calls for people to change their passwords, which they should be doing on a regular basis anyway”

Never underestimate the psychological value of giving users/clients/members/etc. something specific to do in the face of trouble, even if what you have them do does not address the trouble in real life. All the letter-writing Amnesty has people do, including letters handwritten during f2f meetings of the society… you think they often affect outcomes of international conflicts, or make foreign leaders truly aware of their vulnerabilities? Amnesty has members write letters because it gives members a sense of real participation… and maybe one time in 10k campaigns it actually influences an outcome. Still useful in its own way.

6 Steve Bates { 04.09.14 at 11:35 pm }

On a related subject, who will tell this Ubuntu-Linux-user-still-newbie-after-five-years how to view the log of recent changes applied by the Update Manager? I’ve never had occasion to do that before now; I’m pretty sure I saw the Heartbleed-related changes go through yesterday or day before (I am religious about applying all updates in less than a day), but all things considered it would be good to confirm this one. Thanks in advance. (Version is Precise, 12.04 LTS.)

7 Steve Bates { 04.09.14 at 11:51 pm }

Never mind; found it in yesterday’s log. Thanks anyway.

8 Bryan { 04.10.14 at 12:14 am }

People need to change their passwords after the site fixes its problem. Doing it before the fix just gives the ‘bad guys’ more data.

We are using the same version of Ubuntu, and I manually download updates, so I went looking for it yesterday and found it. Between M$ and Linux, I spent a huge chunk of time updating yesterday and today.

Writing actual real letters that are obviously individual does make a difference to Congressional offices. It is the unelected officials who can safely ignore them. I’ve gotten constituent services at some of the offices of real whackoes, like Duke Cunningham, on behalf of clients in SoCal. Congressional staff know what’s important even if the Congresscritter can’t be trusted to know what shoelaces are for.

9 Kryten42 { 04.11.14 at 12:20 am }

It isn’t that they are charging for fixing a serious bug which affects everyone and not just their clients, so much as the way they are doing it by making their clients seem to be the ones in the wrong. But they are paying for that, since many clients have closed their accounts and gone elsewhere.

I just closed my DropBox account. I haven’t used it since they were linked as NSA friends and was going to close it anyway. But this made it even more imperative. Talk about the Fox & the Henhouse! LOL
Adding Condoleezza Rice To Dropbox’s Board Seems Incredibly Tone Deaf Following NSA Concerns


Those were all good moves, that should have calmed many people’s fears — but to then appoint Rice to the board, and have her handling “privacy” issues basically blasts a major hole in that. I’m less inclined than some to simply assume this means bad things for Dropbox’s privacy efforts in general. But from a public perception standpoint, this move does come across as exceptionally tone deaf by Dropbox. People are already raising concerns, and a basic Twitter search shows a bunch of people both raising concerns and looking for alternatives to Dropbox. And, of course, someone has already set up an entire website about why people should drop Dropbox over this move.

This is interesting. A couple *coincidences*. And I don’t like these kinds of coincidences! 😉

The Big Question: When Did The NSA Know About Heartbleed?

10 Bryan { 04.11.14 at 9:42 pm }

Ah, Kryten, that puts a whole different spin on it. Screw them if they don’t want to accept their responsibility for maintaining their servers. With a mild amount of marketing and PR they could have been paid and not pissed off their customers. It doesn’t take much searching to find out what the real problem is, so lying about it is flat stupid.

The only reason to put Rice on your board is to signify your politics, as that is all she brings to the corporation. Putting the National Security Advisor in office when all this crap started, is not a sign that you are trying to stop it.

In the old, all military, days, NSA would have known almost immediately through the ‘old school ties’ of the mathematicians on staff, but given the overwhelming presence of contractors, they were probably late to the game. I can’t believe that the old informal channels into academia still exist under the current system.

11 Kryten42 { 04.12.14 at 8:23 am }

I have to say I am impressed with Namecheap (who manage my domains and SSL Certs from Comodo) & Comodo. There was no fuss, my certs were reissued and the originals revoked, all within a couple minutes and with no charge (I have 2 free certs, and 1 commercial cert)! It was all proactive on their part and done even if it wasn’t necessary, just to be safe. 🙂

There is quite a good writeup about exactly what the problem is here:
The Heartbleed Bug
Plus there is a good list of references.

Here’s a few snippets:

Should heartbeat be removed to aid in detection of vulnerable services?

Recovery from this bug could benefit if the new version of the OpenSSL would both fix the bug and disable heartbeat temporarily until some future version. It appears that majority if not almost all TLS implementations that respond to the heartbeat request today are vulnerable versions of OpenSSL. If only vulnerable versions of OpenSSL would continue to respond to the heartbeat for next few months then large scale coordinated response to reach owners of vulnerable services would become more feasible.

Can I detect if someone has exploited this against me?

Exploitation of this bug leaves no traces of anything abnormal happening to the logs.

Is this a MITM bug like Apple’s goto fail bug was?

No this doesn’t require a man in the middle attack (MITM). Attacker can directly contact the vulnerable service or attack any user connecting to a malicious service. However in addition to direct threat the theft of the key material allows man in the middle attackers to impersonate compromised services.

Does TLS client certificate authentication mitigate this?

No, heartbeat request can be sent and is replied to during the handshake phase of the protocol. This occurs prior to client certificate authentication.

Does OpenSSL’s FIPS mode mitigate this?

No, OpenSSL Federal Information Processing Standard (FIPS) mode has no effect on the vulnerable heartbeat functionality.

Does Perfect Forward Secrecy (PFS) mitigate this?

Use of Perfect Forward Secrecy (PFS), which is unfortunately rare but powerful, should protect past communications from retrospective decryption. Please see https://twitter.com/ivanristic/status/453280081897467905 how leaked tickets may affect this.

Can heartbeat extension be disabled during the TLS handshake?

No, vulnerable heartbeat extension code is activated regardless of the results of the handshake phase negotiations. Only way to protect yourself is to upgrade

On a LOL topic… 😉

The response from DropBox about the concerns many members have relating to Condi Rice is:
“Dropbox commitment to privacy and transparency won’t change with Condoleezza Rice on board.”

Which, given both Dropbox and Rice’s history, is hilarious on two levels!

So, I decided to make a simple tweet about Rice joining the board of DropBox to make it simple. It’s been re-tweeted over 200 times so far, and I have 38 new followers! LOL I also posted a comment on TNW (The Next Web).

Fox –> Hen-house = Blood & Feathers!
Condoleezza Rice + DropBox –> Privacy = Hilarious + ‘Fox –> Hen-house’!

KISS, right? 😉 😀
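The FAQ quoted above notes that the heartbeat is answered before client authentication and leaves nothing in the logs; the defect itself is the C buffer-handling problem other commenters in this thread point at: the handler trusts the payload length claimed in the request instead of the length the record layer actually received. The following is an added example, not code from the page or from OpenSSL: a simplified model of the heartbeat handler (record layout per RFC 6520, but with constructed contents, a constructed “SECRET” marker standing in for whatever sits next to the record in a real process, and a `check` flag selecting the fixed behaviour) that shows why one added length comparison is the whole fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed "process memory" for the model: a heartbeat request whose header
 * claims a 64-byte payload but which really carries only 2 bytes ("hi"), its
 * 16 bytes of padding, and then a constructed marker standing in for whatever
 * happened to sit next to the record in a real process. Trailing bytes are 0. */
static const unsigned char MEMORY[128] = {
    HB_REQUEST, 0x00, 0x40,                  /* type, payload_length = 0x0040 = 64 */
    'h', 'i',                                /* actual payload: 2 bytes            */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,         /* padding: 16 bytes                  */
    'S','E','C','R','E','T',':','c','o','o','k','i','e','=','a','b','c'
};
/* What the TLS record layer actually received: 3 + 2 + 16 = 21 bytes. */
#define RECORD_LEN 21

/* Build the heartbeat response for a request record.
 * rec/rec_len: the record as delivered by the record layer.
 * check: 0 models the defective handler, 1 models the fixed one.
 * Returns the response length, or -1 if the request is rejected. */
int heartbeat_reply(const unsigned char *rec, size_t rec_len, int check,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);  /* peer-controlled */

    /* The fix: the claimed payload (plus header and padding) must fit inside
     * what was actually received. Without this, payload_len is trusted blindly. */
    if (check && (size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Echo payload_len bytes starting at the payload. In the unchecked case this
     * reads past the 21-byte record into neighbouring memory (here, the marker). */
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Run the oversized request through the model. Returns 1 if the response
 * carries bytes from beyond the record (the "SECRET" marker), 0 if not,
 * -1 if the handler rejected the request. */
int probe_leak(int check)
{
    unsigned char out[256];
    int n = heartbeat_reply(MEMORY, RECORD_LEN, check, out, sizeof out);
    if (n < 0)
        return -1;
    for (int i = 3; i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0)
            return 1;
    return 0;
}

/* A well-formed 2-byte request through the fixed handler: returns the response
 * length (21) if the payload is echoed correctly, -2 otherwise. */
int legit_roundtrip(void)
{
    unsigned char req[1 + 2 + 2 + HB_PADDING] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    unsigned char out[64];
    int n = heartbeat_reply(req, sizeof req, 1, out, sizeof out);
    if (n != (int)sizeof req || out[3] != 'h' || out[4] != 'i')
        return -2;
    return n;
}

int main(void)
{
    printf("unchecked handler leaks marker: %d\n", probe_leak(0));    /* 1  */
    printf("checked handler result:         %d\n", probe_leak(1));    /* -1 */
    printf("fixed handler, valid request:   %d\n", legit_roundtrip()); /* 21 */
    return 0;
}
```

The 64 KB figure in the thread is the largest payload a 16-bit length field can claim; the model uses 64 bytes only to keep the constructed memory small.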

12 Bryan { 04.13.14 at 12:20 am }

If you are an established company who has been in the field for a while, you are set up to deal with issues like this and want customers to stay with you. This is an obvious point at which people might change vendors, so taking care of the problem ASAP is smart business.

When I have found time I’ve looked at the problem. It gives me flashbacks to programming in Ada and especially PostScript. I can see the utility of Heartbeat, but I wonder how many people really use it.

KISS is what Twitter is all about 😉

13 Kryten42 { 04.13.14 at 6:52 am }

LOL @ Ada & PS! 😀 Two languages I haven’t used since around ’88-’90. Curiously, I was looking for a book in my boxes a few months ago, and found my red, green & blue PS books that I’d thought I’d given away many years ago! They were still in near perfect condition too. 🙂 Wonder if they are worth anything to a collector? 😉 😀

Hey… Have you heard about the Navy’s big win? They successfully (at least, it seems so so far) launched the first of the new Zumwalt Destroyers (was originally DDG 21, now DDG 1000). The 2nd is 75% complete. I think I mentioned the Zumwalt project here several years ago. The christening ceremony is this weekend. It’s a very impressive ship! All electric, which is great as it’s sure to annoy the Big Oil boys! LOL

The Navy’s new high tech electric destroyer DDG 1000

It apparently runs 7 million lines of code on thousands of blade servers (in some 3,760 electronics cabinets distributed around the ship) which could be a big problem, given the Military’s success (or lack thereof) at writing working code in recent years!

It uses the guns, munitions and some of the control s/w developed for the defunct Crusader SPH project that a good friend at GD was working on. Up to 6 Zumwalt destroyers can deliver a 12 round (two guns / ship) time-on-target guided or ballistic munitions salvo every 5 seconds @ up to 100 NM away (for guided munitions, officially 64 NM, but I know for a fact it was greater than that, though may possibly have been reduced for some reason, perhaps less propellant / greater payload.) Warheads can be either unitary or sub-munition (with a payload of 72 EX-1 sub-munitions, each of which has a shaped charge that can penetrate 1″+ RHS armor and a fragmenting steel case). Talk about firestorm! Very nasty!

It also has some 80 vertical launch tubes distributed around the hull. It will also carry UAVs & UUVs.

The USAF could learn a thing or three! 😉 😀

14 Bryan { 04.13.14 at 8:14 pm }

Because of the weapons development work locally, Ada is in common use here for the embedded systems on the weapons, but almost no one actually hand codes PostScript anymore. I did it for typesetting clients who needed things done in a very specific way and couldn’t get it done with their software. The software has gotten a lot better and eliminated the free-lancers.

All christening means is that the vessel has an official name. The Littoral Combat Ship was the Navy’s last new type, and it isn’t exactly a rousing success. Only time and sea trials will tell if these destroyers are worth the money. They have a lot of bells and whistles, but can they defend themselves from 17th century boarding techniques and 19th century mines?

All of this hardware that all of the services buy is built by a small number of corporations, and their track record is not exactly stellar.

15 Kryten42 { 04.14.14 at 12:30 pm }

LOL Well, I did say that it seems to be successful, so far 😉

I know the gun system works. GD proved that in several trials before the Crusader project was cancelled by the Politicians (until the Navy stepped in and said “are you insane??! Hate to break it to you, but that’s an integral part of new Navy weapons systems!” (or words to that effect!) 😉 LOL So, they cancelled Crusader to save money, except that it didn’t! LOL

Anyway, the Military has several problems on its hands these days. Mostly of the legal kind! 🙂 Case in point (there are two just in this one instance):

New Manning lawyer hits Espionage Act charges

The 2nd one is that the Military are denying Manning the hormone therapy treatment to treat her medically diagnosed gender dysphoria. Litigation is forthcoming, and rightly so. 🙂 The Military must have shares in a lot of legal firms, because there are an awful lot of law suits in process or pending that could easily have been avoided. *shrug*

The more I read news about the USA lately, the more convinced I am becoming that Obama is either a complete ignoramus, or batshit crazy! More-so than GW Bush in fact!

Yet one more example: Sebelius: Hands off HHS seal

Good luck with that! NSA & DHS both got sued and had to settle for doing the same thing, so I have no idea why HHS think they can get away with it! No wonder Sebelius is leaving! It won’t be her problem to clean up. Crazy.

16 Bryan { 04.14.14 at 9:33 pm }

We keep buying all of this super, gee-whiz stuff at a time when we face enemies using ancient tactics and relatively primitive weaponry. The system is broken, and there is no sign of anyone making a real effort to fix it.

I wish the Navy well with their new ship, but experience says the new vessels will have to be significantly modified to be functional, and may never be efficient or effective. I certainly hope that it isn’t the Navy’s version of the F-35.

Obama is a Republican who calls himself a Democrat, and has no intention of ever acting reasonable on ‘national security’ issues. He cares more about the opinions of the Republicans, than Democrats, even though a major segment of the Republican elected officials are known whackoes. He has pretty much destroyed the possibility of another member of a minority group being given a shot at running for President any time soon. Manning should have been discharged, not sent to a war zone. It was the fault of the military that there was a major leak.

You can’t prohibit the use of US government logos for any reason except fraud. They are public property in the public domain, and can not be copyrighted. That is settled law backed by a warehouse full of court decisions. No way of knowing why they are attempting it, but it is a waste of resources.

17 Kryten42 { 04.14.14 at 9:46 pm }

Oh, I meant to mention also that the Navy’s other new toy has started 2 years of sea trials. The USS Gerald R. Ford Supercarrier. It looks quite different to the aging Nimitz. 🙂

US Navy’s Next-Generation Aircraft Carrier Begins Testing Phase

The U.S. Navy’s newest aircraft carrier — a massive warship outfitted with the latest radar technology and sophisticated systems to accommodate unmanned, carrier-launched drones — is set to undergo more than two years of rigorous testing.

The USS Gerald R. Ford is the first of what will eventually be the Navy’s fleet of next-generation Ford-class aircraft carriers. The upgraded ships are the first new designs of aircraft carriers since the USS Nimitz was built in the late 1960s.

The USS Ford was christened during a special ceremony in November in Newport News, Va. The massive warship is slated to officially enter service in the Navy in 2016. But first, shipbuilders will spend 26 months meticulously testing the aircraft carrier’s various systems.

“We’re kind of in the infancy stage of the test program, and the early returns are good,” Rear Adm. Thomas Moore, program executive officer for aircraft carriers, told the Daily Press. “We have a long way to go.”

The USS Ford’s testing phase is longer and more labor intensive than normal because the next-generation warship incorporates many new technologies, including upgraded radar systems, more efficient nuclear power plants and electromagnetic launchers designed to more effectively propel aircraft off the carrier’s deck.

The mammoth USS Ford weighs nearly 100,000 tons, and will eventually be home to more than 4,600 service people and up to 75 aircraft, according to Newport News Shipbuilding, which constructed the aircraft carrier.

The Ford-class carriers are designed to replace the Navy’s existing Nimitz-class warships, which have been in operation since the 1970s. The upgraded designs feature larger flight decks, three aircraft elevators and the new ships also replace steam-powered systems with more efficient onboard electrical power.

Some lawmakers and industry officials have criticized the USS Ford — particularly for its $12.8 billion price tag — but the Navy is staunchly defending the warship and its new technologies, according to the Daily Press.

The Ford-class ships are expected to usher in a new era of American naval power, and are designed to operate for 50 years. Construction is already beginning on the next aircraft carrier in the fleet, the USS John F. Kennedy.

18 Badtux { 04.14.14 at 10:05 pm }

The Ford-class ships are basically Nimitz-class hulls with electromagnetic catapults rather than steam ones, some modifications of the flight deck to reflect the new catapults plus take advantage of experience to rearrange flight operations slightly, and a re-working of ships’ systems around a newer better class of nuclear reactors. The most important improvement is getting rid of all the steam pipes that travel all over the Nimitz. Live steam in a battle is well known for roasting sailors and modern bus-type systems plus batteries in strategic locations can provide better redundancy for critical control systems. I’m a bit baffled by the notion that they’re putting blade servers all over the place though. Most of what you need from control systems is available via off the shelf CAN bus parts.

Existing Nimitz class hulls can’t be reconfigured around the new reactor design so I suppose it’s appropriate to call them a “new” class in much the same way that the USS Ticonderoga is considered to be a “new” class compared to the USS Essex upon which it was a slightly extended version. But I don’t think the US is capable of designing an all-new aircraft carrier anymore. Reshuffling the deck chairs on the Titanic or re-shuffling the systems inside an existing carrier design is all we’re capable of, it seems.

19 Kryten42 { 04.15.14 at 10:04 am }

Hi Badtux. 🙂

Apparently, the blades and 7 mill lines of code are because the Zumwalt is semi-automated. The crew complement is roughly halved, and most of the 90-95 remaining are probably h/w & s/w techs! 😉 😀 Also, the h/w is massively redundant. The ship can *supposedly* survive several hits and continue functioning. That’s the theory anyway! 😉 The weapons system is automated with the blades managing all “call for fire” tasking via a mission control & planning system which will (supposedly) destroy the right target, with the right weapon, at the right time. 😉 The 2 guns are fed by two heavily armored below decks magazines with 750 rounds each. It can carry up to 300 missiles of several types, ALAM (Advanced Land Attack Missile) with up to a 1,500 nm range, a new loitering missile which can be reprogrammed in-flight to strike higher priority, emergent, or mobile targets, and new versions of air, surface and submarine defense missiles. Since the whole design of the ship is highly modular, the number of missiles carried can be changed as needed. The blades are part of what the Navy calls “TSC” (Total Ship Computing) and run a militarized variant of Unix and the software is said to be based upon “Open-system” standards. To quote the brief:

TSC is a commercially based, open-system computing environment distributed shipwide for both tactical and non-tactical use. TSC takes advantage of commercial advances in computer processing power, distributed/integrated data networks, and software development to provide a “plug and play” interface for all internal and external user systems. The TSC ship control architecture will also enable rapid and cost-effective software development, upgrade, integration, test, certification, and delivery.

The specially designed LM 2500 generator set produces 21 MW @ 4,160 volts.

I guess we’ll find out if it all works. 🙂 If the DDG 1000 does perform well, there are plans to produce a big brother CG 21 that will use most of the same modular components, with extras required by a Cruiser class ship, which would be 2 of the 4 ship types originally planned for the “Twenty-First Century Surface Combatant System” (SC-21). The other two that were planned, were the LH(X) (Amphibious Assault Ship) and the JCC (Joint Command Ship) to replace the current 4 aging Command Ships. The plan was to position several SC-21 battle groups around the globe as rapid response battle groups.

There was a plan for a 5th ship called the “Arsenal Ship”. It basically was a mobile weapons platform! The plan was for a 500-cell VLS (Vertical Launch System), a battery of 4-6 guns (same type as the Zumwalt), and 4-6 air-sea-sub defense multiple-missile launchers. It would have had 2 major roles, Land Attack and Theater Ballistic Missile Defense (TBMD) + Air Supremacy Defense (ASD). Curiously, the cost was estimated to be between $500-800 million, with the missile payload costing about $500 million (in 1996 dollars). It was supposed to be highly automated and have a crew of 50 or less! It was cancelled early, and probably a good thing too! LOL

It would have made for a very nasty battle group & quite a deterrent (1x JCC, 2x CG. 4-6 DDG, 1 AS, 1-2 LH(X)). Assuming it all worked, of course. 🙂

Alright then! 😉 Here’s another Obama moment for you all!

Obama Tells NSA To Reveal, Not Exploit, Flaws… Except All The Times It Wants To Do The Opposite

The money quote:

Except, it’s meaningless that no one expects the Chinese (or the Russians or anyone else) to give up zero days. The simple fact is that if the NSA were helping to stop zero days that would better protect everyone against anyone else using those zero days. In fact, closing zero days is just like disarming both sides, because it takes the vulnerability out of service. It’s not about us giving up our “weapons,” it’s about building a better defense for the world. And yet the NSA isn’t willing to do that. Because they’re not about protecting anyone — other than themselves.

A couple comments I liked:
Not buying it
There is no conceivable way the NSA didn’t know of this vulnerability. None. Zero. Follow the logic.

The error itself is pretty standard. Blame C and buffer handling. The NSA geeks are fully aware of the buffer problems associated with C. They have TEAMS dedicated to finding and exploiting these errors.

The OpenSSL library would be a major target for NSA hackers. The Open Source community audits software. The NSA REALLY audits software, especially an encryption library used by huge numbers of folks.

My conclusion? The NSA knew about this bug within days of its release. It is impossible to come to any other conclusion. You may have issue about the technical competence of the federal government, but the NSA is the cream of the crop. There is no way they didn’t know about this, with hundreds of devs combing through every line of this code.

And speaking of Snowden documents, expect one that details their experience with this exploit. Remember BULLRUN? “Do not ask or speculate on sources or methods underpinning BULLRUN successes.” We don’t have to speculate anymore.

And:
It doesn’t even require that basic level of human decency. Even the poorest, most inept warmonger should be able to recognize “make our side immune to enemy attacks” as an extremely good thing. If the NSA had even the slightest shred of competence, they’d be making the country more secure, not less.

Funny, that. Everyone seems to assume that the NSA and other agencies and this administration care about other countries. They only care about controlling the US citizens, and eventually making them do what they are told by their corporate masters. 😉 😀
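The buffer-handling error the quoted comment blames is a missing length check: a length field supplied by the peer is trusted when the reply is copied, so the copy runs past the data that was actually received. What follows is an added example in C, not code from this post, from OpenSSL, or from the quoted commenters. It uses a constructed record layout (1 byte type, 2-byte big-endian length, payload) that is not OpenSSL's real heartbeat encoding, and the names heartbeat_overread and heartbeat_echo_checked are the example's own. It puts the check that stops the over-read beside a diagnostic that reports how far an unchecked copy would have read past the received bytes, without performing that read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example only (not OpenSSL's actual
 * heartbeat encoding): 1 byte type, 2-byte big-endian payload length, then
 * the payload. The peer controls the length field; the receiver only knows
 * how many bytes it really read off the wire (msg_len). */
enum { HDR_LEN = 3 };

static size_t claimed_len(const uint8_t *msg) {
    return ((size_t)msg[1] << 8) | (size_t)msg[2];
}

/* Defect pattern: trusting the peer's length field. Rather than performing the
 * out-of-bounds copy, report how many bytes past the received data such a copy
 * would read. A non-zero result is exactly the over-read condition. */
size_t heartbeat_overread(const uint8_t *msg, size_t msg_len) {
    if (msg_len < HDR_LEN) return 0;            /* nothing to parse */
    size_t claimed = claimed_len(msg);
    size_t actual  = msg_len - HDR_LEN;         /* payload bytes really present */
    return claimed > actual ? claimed - actual : 0;
}

/* Fixed pattern: validate the length field against what was received and
 * against the caller's output buffer before any copy. Returns the number of
 * payload bytes copied, or -1 for a malformed record. */
int heartbeat_echo_checked(const uint8_t *msg, size_t msg_len,
                           uint8_t *out, size_t out_len) {
    if (msg_len < HDR_LEN) return -1;
    size_t claimed = claimed_len(msg);
    if (claimed > msg_len - HDR_LEN) return -1; /* peer's length exceeds data */
    if (claimed > out_len) return -1;           /* would overflow our buffer */
    memcpy(out, msg + HDR_LEN, claimed);
    return (int)claimed;
}

/* Constructed sample records: one honest, one claiming 16384 payload bytes
 * while carrying only five. */
static const uint8_t good_rec[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bad_rec[]  = { 0x01, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o' };

/* Output buffer shared by main() and callers. */
uint8_t echo_buf[64];

int main(void) {
    int n = heartbeat_echo_checked(good_rec, sizeof good_rec, echo_buf, sizeof echo_buf);
    printf("honest record: copied %d bytes, over-read would be %zu\n",
           n, heartbeat_overread(good_rec, sizeof good_rec));
    n = heartbeat_echo_checked(bad_rec, sizeof bad_rec, echo_buf, sizeof echo_buf);
    printf("lying record: result %d (rejected), unchecked over-read would be %zu bytes\n",
           n, heartbeat_overread(bad_rec, sizeof bad_rec));
    return 0;
}
```

The point of the two functions side by side is that the only difference between the leaking code and the safe code is one comparison of the peer-supplied length against the bytes actually received; the copy itself is identical.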

20 Badtux { 04.15.14 at 10:38 am }

An ex-Navy friend of mine merely laughs at the notion that 90 people are going to be able to handle all the tasks of running a Zumwalt-class destroyer. She notes that the sea is continually attempting to turn any ship into a pile of rust and corrosion. Paint and lubrication do not apply themselves. The removal of the steam pipes does remove one huge maintenance task, but there are way too many systems even with the steam pipes gone for all the maintenance tasks on the similar-sized ships she served on to be successfully accomplished by 90 people. She also notes that all systems will need at least two people capable of repairing them in the event of battle damage, and given the number of systems, 90 won’t do.

She served in a ship, I haven’t, so I assume she has a good handle on the maintenance required to keep a ship in service. She seems to think 90 people would be overtasked and that they’re going to end up needing roughly 140 people to actually keep it going, especially with the need for redundancy in the event of combat losses (redundancy in *people*, I mean). After all, you don’t want to be dead in the water because your one and only expert in engine management system control module repair managed to be in exactly the right spot to be pranged by a Silkworm that the fire control computer missed because it was overwhelmed by a simultaneous launch of 1,000 Silkworms!

Of course, the problem is that they aren’t going to have *berths* for 140 people. I expect that each Zumwalt thus will have to be accompanied by a tugboat. The tugboat will be what actually provides it with its propulsive power :).

21 Kryten42 { 04.15.14 at 11:34 am }

LOL And your friend is quite right! 🙂 It’s one of the reasons I’ve been amused for about a decade by the whole thing (I have a friend also who is a retired Navy Captain, and an Uncle who was a Lt.)

What the hell… it’s only money, right? 😉 And it all goes to the MIC corps, and they don’t give a rat’s about anything except the money. I worked for GD, so I know. *shrug*

I was also a Jnr. project manager for part of our Collins Sub project, & another Navy project here.

22 Kryten42 { 04.15.14 at 11:46 am }

Just noticed an error above:

JCC (Joint Command Ship) –> JCC (Joint Command-Control Ship). 😉 LOL

From the scuttlebutt I’ve heard the past decade… most of the 90 crew will be *highly educated* engineer types (which, given what passes for *higher education* in the USA these days, I suspect they plan to fix any problems with rosary beads, a gold cross, a photo of Jesus they can kiss, and a prayer)! LMAO

Forget spare parts! Given the highly modularized systems, they will need a quarter of the ship just for spare modules once testing shows a high failure rate! I suspect that the missile count will be quite overrated! Be lucky to get 80 in the tubes IMHO, let alone reloads! LOL

I doubt there will be many *swabbies*, if any! Heck, wouldn’t surprise me if the kitchen was a big automated vending machine! LOL

23 Badtux { 04.15.14 at 5:46 pm }

Kryten, the Navy actually has a very well thought of educational system. An officer graduating from the Nuclear Power School, for example, will automatically be granted graduate credit towards an advanced degree in nuclear physics at many U.S. universities. I have no doubt that the Navy would be capable of training 90 highly-trained technical types to man a Zumwalt. The big problem would be that a lot of the jobs needed to keep a ship going are scutwork type jobs, like the continual job of going around with grease and oil to keep the various valves, hinges, etc. from freezing shut, or of keeping ahead of the rust that’s trying to demolish the ship via application of rust inhibitors and paint before the ship can turn into crumbles, a job where they start at the stern and work their way forward until they hit the bow, then turn around and go back to the stern and start again. Unless they’ve somehow developed robots to do all this, they’re going to need people. People *without* an advanced engineering degree, but with the ability to chip paint and sling a paintbrush.

24 Bryan { 04.15.14 at 11:45 pm }

There is no way in hell 90 people can keep that ship at sea.

I don’t deal with ships, but I live surrounded by 20 to 40-foot boats owned by friends and neighbors. They can take them out with only one person on board, but I would guess that every 24 hours of run time, they require some type of skilled maintenance. It doesn’t make any difference if they are wood, metal, or plastic, whether they sit in the water, or are hauled out and rinsed after use – you have to spend an amazing amount of time and money to keep them running.

The charter fishing boats have larger crews and better maintenance programs, but they still show up in the drydock with problems.

Salt air is not a good environment for copper. While they are scraping and painting the ship, you are going to have intermittent problems with equipment because of the corrosive effect of sea air on boards and connectors. When we were flying off Shemya, there was a regular process of pulling gear when we were in a stand-down and cleaning the connectors.

There have been a lot of improvements in coatings, but the sea is a tough environment that requires constant attention to maintenance, which is why I consider boats to be a hole in the water into which you pour money.

25 Badtux { 04.16.14 at 1:12 am }

The first tests of the Zumwalt’s electronics weren’t very promising — the USS Yorktown, which was being used to prototype an early version of the “smart ship” system, had to be towed back to port multiple times when the computers controlling its propulsion system crashed. Yay. Just what we need — a ship that’s dead in the water when its computer crashes.

26 Kryten42 { 04.16.14 at 6:28 am }

That’s part of what I was referring to, Badtux. Also, remember that my Engineering degree was specializing in automation. I’ve seen first hand what happens when a system 1/10th as complex as the Zumwalt goes wrong. There is no such thing as a perfect system. And as you increase the complexity, and the size of the system, you increase the chances of things going wrong significantly. Personally, I believe the Zumwalt is a major accident waiting to happen.

When I was recuperating in Italy with an Uncle’s family in the early 90’s, I was invited to go out on a Tuna boat (a big longliner) another uncle owned for a month tuna fishing. That boat had a crew of 34, and we all had to do maintenance on the boat, even the Captain. It was very hard work, but the crew were like a huge family. We had some great down time usually after supper, lots of music (many played an instrument), games, stories… lots of laughter! I helped with engine maintenance, though working on two big 12 cylinder diesels with a generator set (the ship needed a lot of power, especially for the big freezers below deck) was a bit different from the cars I used to fix! I even went overboard to clear crap off the underside and check the screws & rudders (scuba was part of my Mil training, demolitions etc.) I became one of the two cooks once they discovered I was a good cook; as well as their traditional meals, I added a few they hadn’t had, and they liked them. 🙂 I learned a lot about maintaining a ship at sea. It was a wonderful experience, and I loved it. 🙂 PS. There are few things better than fresh caught tuna for supper! 😉 I was offered a job (actually, everyone on the ship is an equal partner, it’s why they all work equally hard). In hindsight… I should have taken it. One of my few regrets. *shrug*

Quite frankly, the USA is incapable of doing anything right in the current environment. In part because no decisions are made for the *right* reasons! If something does go right, it’s usually by accident. Not planning.

And the rest of the World is heading the same way. I know we are.

27 Kryten42 { 04.16.14 at 6:48 am }

BTW, calling the Zumwalt a *Destroyer* is, I think, somewhat misleading (intentionally, I’m sure). It’s actually a Battlecruiser class ship, weighing some 15,000t. There were originally supposed to be 32 ships; with massive cost overruns (what a surprise!) the number was cut to 10, and now to 3. In fact, the cost increase caused the U.S. Navy to identify the program as being in breach of the Nunn–McCurdy Amendment on 1 February 2010. In 2009, the Gov gave the contract back to GD who are actually one of the most experienced and successful ship builders and who had originally offered a fixed-price contract. For some stupid (no doubt financial) reason, the contract had been awarded to Northrop Grumman, who know sweet FA about building big Navy ships, on a lower cost-plus-fee contract. I guess they discovered that saving money is not always a good idea, especially when it actually costs a lot more than it originally would have! However, short of starting from scratch, I don’t see how even GD can fix this.

DDG-1000 and SM-2

Still wondering how the hell the DDG-1000 can’t support SM-2s? Me too, which is why I find this little tidbit interesting.

To suggest in a Congressional hearing “it cannot successfully employ the Standard Missile-2 (SM-2), SM-3 or SM-6, and is incapable of conducting Ballistic Missile Defense” doesn’t appear to match the acquisition strategy of the DDG-1000 as stated in the Navy’s own budget.

I think the only reason GD accepted the contract now, is because they know there will be no consequences, and they could do with the money.

Here’s a fun tidbit! Raytheon & GD selected Fanuc for the controllers. In the 80’s & 90’s, my job was designing *award winning* control systems (still in use today) to replace Fanuc systems, because they were overpriced crap!! And that’s a fact! Morons.

28 Kryten42 { 04.16.14 at 6:56 am }

Drat! Meant to add this. I’m annoyed.

This has some good pics and info.

The Navy’s newest warship is powered by Linux

I did have to laugh at the irony of this though! The CO of the first Zumwalt will be… Captain James Kirk! LOL

Given the Star Trek Enterprise was plagued with problems… It’s appropriate! LOL

The article also suggests that given the nature of the ship, they should appoint Vint Cerf as Chief Engineer! LOL

29 Bryan { 04.16.14 at 10:40 pm }

The Navy has a PR video out on the Zumwalt. They are putting out a big PR effort so they must suspect problems.

This is one of the reasons all-new ships are rare – there are too many problems, and Congress ‘becomes concerned over the cost’. Basing new ships on older models is an easier sell to Congress than a brand new design, unless you can arrange to have bits manufactured in a majority of House districts, in a majority of states.

With the Congress, MIC, and services all involved, it’s rather amazing that we have anything that works in the military.