Navy hacked by Air Force?
Following is the actual text extracted from iw@all.net - I doubt if the U.S. DoD will want to release all the details, but we can ask!
From: iw@all.net Subject: IW Mailing List iw/951221
Moderator's Note: Subject: Navy hacked by Air Force I talked to some people I know about the perported IW attack on a battleship by the Air Force, and I thought I would help debunk this story, which my contacts tell me is "wildly inaccurate", but looking at a few facts. Let's start with the title:
War of the microchips: the day a hacker seized control of a US battleship
There are NO active US battleships!!! And there weren't any last September. So, at a minimum, there are factual errors. ...
BY SIMPLY dialing the Internet and entering some well-judged keystrokes, a young US air force captain opened a potentially devastating new era in warfare in a secret experiment conducted late last September. His target was no less than gaining unauthorised control of the US Navy's Atlantic Fleet.
According to my sources this was not "SIMPLY dialing the Internet and entering some well-judged keystrokes". It was a controlled experiment with participation of both Navy and Air Force, and involved a great deal of planning by a large number of people. It was performed using DoD owned and properly keyed cryptographic devices designed to be allowed to communicate with the systems being attacked. ...
He was armed with nothing other than a shop-bought computer and modem. He had no special insider knowledge but was known to be a computer whizzkid, just like the people the Pentagon most want to keep out.
100% wrong - he was an insider, he had a great deal of assitance, he had cryptographic devices and keys, and he had special insider knowledge. If he was an Air Force captain, he could not have been all that young. Whizzkids are usually considered teenagers. Anyone know of any teenaged AF captains these days? ...
A few clicks and whirrs were the only signs of activity. And then a seemingly simple e-mail message entered the target ship's computer system. ... targeted ships surrendered control as the codes buried in the e-mail message multiplied inside the ships' computers. A whole naval battle group was, in effect, being run down a phone-line. Fortunately, this
Not quite. This was not an email sent from some Internet site and email messages did not multiply inside the ships' computers. Furthermore, the total bandwidth of a phone line is nowhere near enough to "run" a naval battle group, or probably even a naval kitchen for that matter.
The exact method of entry remains a classified secret.
The first (only?) really true part of the story. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
On Cypherpunks, fc@all.net (Dr. Frederick B. Cohen) said: FBC> Following is the actual text extracted from iw@all.net - I doubt if FBC> the U.S. DoD will want to release all the details, but we can ask! Strange, Dr Fred, this isn't the 'actual text' I saw quoted in RISKS Digest - did you 'fix' it so that it was a bit more credible? Dr Fred's paragraph: FBC> 100% wrong - he was an insider, he had a great deal of assitance, FBC> he had cryptographic devices and keys, and he had special insider FBC> knowledge. If he was an Air Force captain, he could not have been FBC> all that young. Whizzkids are usually considered teenagers. FBC> Anyone know of any teenaged AF captains these days? RISKS Digest's paragraph: RISKS> 100% wrong - he was an insider, he had a great deal of RISKS> assistance, he had cryptographic devices and keys, and he had RISKS> special insider knowledge. If he was a Navy captain, he could RISKS> not have been all that young. Whizzkids are usually considered RISKS> teenagers. Anyone know of any teenaged Navy captains? Has anyone seen the REAL IW article, so we can tell what was really said? The age difference between an AF captain and a Navy captain is enough that one could be considered a 'whizzkid' in the military, while the other could not. -- #include <disclaimer.h> /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you.
On Cypherpunks, fc@all.net (Dr. Frederick B. Cohen) said:
...
Strange, Dr Fred, this isn't the 'actual text' I saw quoted in RISKS Digest - did you 'fix' it so that it was a bit more credible?
Dr Fred's paragraph:
FBC> 100% wrong - he was an insider, he had a great deal of assitance, FBC> he had cryptographic devices and keys, and he had special insider FBC> knowledge. If he was an Air Force captain, he could not have been FBC> all that young. Whizzkids are usually considered teenagers. FBC> Anyone know of any teenaged AF captains these days?
RISKS Digest's paragraph:
RISKS> 100% wrong - he was an insider, he had a great deal of RISKS> assistance, he had cryptographic devices and keys, and he had RISKS> special insider knowledge. If he was a Navy captain, he could RISKS> not have been all that young. Whizzkids are usually considered RISKS> teenagers. Anyone know of any teenaged Navy captains?
Credible? No. Accurate? Yes. We all make mistakes, and whenever I find one that I've made, I try to admit it and fix it ASAP. What's not credible is people who don't correct mistakes when they find them. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
fc@all.net (Fred Cohen) said: FC> Credible? No. Accurate? Yes. We all make mistakes, and whenever I FC> find one that I've made, I try to admit it and fix it ASAP. What's FC> not credible is people who don't correct mistakes when they find FC> them. Well, you corrected it, but you didn't admit it, at least not here, and it makes people who made comments on the _original_ version look like fools. Next time when you quote a corrected article, please note that it's been corrected. The difference between an AF captain (4 years of service) and a Navy captain (17-ish years of service) is substantial when when judging whether they could be considered 'whizzkids' in this environment. -- #include <disclaimer.h> /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you.
fc@all.net (Fred Cohen) said:
FC> Credible? No. Accurate? Yes. We all make mistakes, and whenever I FC> find one that I've made, I try to admit it and fix it ASAP. What's FC> not credible is people who don't correct mistakes when they find FC> them.
Well, you corrected it, but you didn't admit it, at least not here, and it makes people who made comments on the _original_ version look like fools. Next time when you quote a corrected article, please note that it's been corrected. The difference between an AF captain (4 years of service) and a Navy captain (17-ish years of service) is substantial when when judging whether they could be considered 'whizzkids' in this environment.
Not my mistake - iw@all.net's mistake - only my correction. And it wasn't a correction to an error in this forum - the error appeared in the Risks forum - the Cypherpunks posting (which I posted) was the corrected one. Am I supposed to correct mistakes in other forums made by other people when I post to Cypherpunks? (let me see... in 1928, a mistake was made on page 73 of the New York Times related to cryptography, ...) Even with only 4 years of service (after graduating from College), 25-27 years old is no longer whizzkid age in my book. But even more importantly, the readers who commented on this one error ignored the main body of facts in the posting in favor of creating a conspiracy theory. Next we find out from yet another story that at least part of the original story posted to Risks was in error. According to the second independent source, the Captain was working with the Navy's support and knowledge. How much do you want to bet that the story changes again by Tuesday? -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
fc@all.net (Fred Cohen) said: FC> Not my mistake - iw@all.net's mistake - only my correction. And it FC> wasn't a correction to an error in this forum - the error appeared FC> in the Risks forum - the Cypherpunks posting (which I posted) was FC> the corrected one. Am I supposed to correct mistakes in other FC> forums made by other people when I post to Cypherpunks? (let me FC> see... in 1928, a mistake was made on page 73 of the New York Times FC> related to cryptography, ...) 1) The correction makes a difference in the credibility of the statement, as you must have felt, since you made the change. Saying that a reporter called a 40-ish Navy captain a 'whizzkid' is foolish, while questioning the reasonableness of a reporter calling a 20-ish Air Force captain a 'whizzkid' is a difference of opinion (see below). Since you said it was the 'actual text', you should have posted the actual text, not your correction of it. If they sent out two messages, one correcting the other, I find it somewhat difficult to believe that they didn't at least preface it with a "sorry, we goofed" tag. FC> Even with only 4 years of service (after graduating from College), FC> 25-27 years old is no longer whizzkid age in my book. 2) As I said before, had I remained in ROTC, I would have been 24 when I was eligible to make captain. 3) At 26, I was still being referred to, by non computer-savvy people, in terms comprable to 'whizzkid'. FC> But even more FC> importantly, the readers who commented on this one error ignored the FC> main body of facts in the posting in favor of creating a conspiracy FC> theory. Next we find out from yet another story that at least part FC> of the original story posted to Risks was in error. According to FC> the second independent source, the Captain was working with the FC> Navy's support and knowledge. How much do you want to bet that the FC> story changes again by Tuesday? 4) The original story said that it was a "secret experiment" conducted in front of "Pentagon VIPs" "at the Electronic Systems Centre at Hanscom Air Force Base". Saying that the Navy was informed that this test would be made, or that Navy personnel were among the watching VIPs, is unremarkable, and does not call into question the original report. There were many security 'surveys' conducted against my systems by AFIWC (sorry, I don't remember the name of the specific group that does the surveys, but it's part of AFCERT) which I was unaware of which were authorized by the Air Force - in fact, I wouldn't be surprised if the "young Air Force captain" was from that group. 5) The second independent source backs up the report that the connection was made through the Internet, involving email connectivity, and with a personal computer and modem, all of which were specifically denied in the message from IW. Now that I've addressed ALL of the points in the 'denial' from IW, do you see why I characterized it as a military smokescreen? The only thing in it which remains unchallenged is that the original report is inaccurate in detail, and that there is a question as to whether someone in their mid-20s is a 'whizzkid'. -- #include <disclaimer.h> /* Sten Drescher */ To get my PGP public key, send me email with your public key and Subject: PGP key exchange Key fingerprint = 90 5F 1D FD A6 7C 84 5E A9 D3 90 16 B2 44 C4 F3 Junk email is NOT appreciated. If I want to buy something, I'll find you.
... Not to be picky, but...
1) The correction makes a difference in the credibility of the statement, as you must have felt, since you made the change.
I agree that the change was important, but...
Saying that a reporter called a 40-ish Navy captain a 'whizzkid' is foolish, while questioning the reasonableness of a reporter calling a 20-ish Air Force captain a 'whizzkid' is a difference of opinion (see below).
We don't yet know how old he or she was - let's wait and see before we jump the gun.
Since you said it was the 'actual text', you should have posted the actual text, not your correction of it.
My text was the one published in the IW forum - Risks published first, the error was apparently found and corrected, and thus the IW forum had the corrected text. I will ask iw to inform Risks of the correction - however, I did post the actual text that I got from IW! This IT is so complex, isn't it?
If they sent out two messages, one correcting the other, I find it somewhat difficult to believe that they didn't at least preface it with a "sorry, we goofed" tag.
They were to different forums, hence the "I goofed" tag would seem inappropriate in IW. Perhaps the next risks will include an 'I goofed' let's wait and see.
FC> Even with only 4 years of service (after graduating from College), FC> 25-27 years old is no longer whizzkid age in my book.
2) As I said before, had I remained in ROTC, I would have been 24 when I was eligible to make captain.
3) At 26, I was still being referred to, by non computer-savvy people, in terms comprable to 'whizzkid'.
I must be getting old. When I was growing up, all Wiz kids had to be 21 or less. I guess the media is running out of 18-year olds making a big splash. ...
5) The second independent source backs up the report that the connection was made through the Internet, involving email connectivity, and with a personal computer and modem, all of which were specifically denied in the message from IW.
I must have read it differently. I thought that IW said something like not all email messages, and email messages did not reproduce, not that there were no email messages involved. I guess we both have to start reading more carefully.
Now that I've addressed ALL of the points in the 'denial' from IW, do you see why I characterized it as a military smokescreen? The only thing in it which remains unchallenged is that the original report is inaccurate in detail, and that there is a question as to whether someone in their mid-20s is a 'whizzkid'.
I think that the whole issue is still pretty questionable - whether the experiment was authorized - whether it was a wiz kid - whether they actually took control - whether it came from the Internet or a Mil net - whether there was insider knowledge - etc. One thing I am becoming more certain of though - that there are no active battleships. -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Dr. Frederick B. Cohen writes: | > The exact method of entry remains a classified secret. | | The first (only?) really true part of the story. To combine two favourite threads - it's that sendmail 8.7.3 hole *they* don't want you to know about...! Cheerio, (and Merry Xmas :-) Martin
participants (3)
-
fc@all.net -
Martin Hamilton -
Sten Drescher