Comments on Navy Matters: The Navy Cloud
Blog author: ComNavOps. Feed updated: 2024-03-28T07:56:09.239-07:00

ComNavOps, 2020-11-26T06:30:59.336-08:00:

In the latest example, Amazon Web Services was again hacked and taken down on or about 25-Nov-2020. Here's a link: AWS Hack (https://www.newsmax.com/newsfront/amazon-cloud-back-up/2020/11/26/id/998878/)

ComNavOps, 2019-09-06T08:12:40.321-07:00:

Hmm … The AWS power failure and lost data that just occurred is yet another example that the AWS is just a server - no better or worse than any other.

Eric Lofgren, 2019-09-06T01:29:46.454-07:00:

FYI -- Amazon AWS service went down on Aug. 31, 2019, with the resulting loss of customer data. Author/programmer Andy Hunt said "Reminder: The cloud is just a computer in Reston with a bad power supply." This wasn't a hack, but our adversaries could similarly disrupt service and destroy data.

https://acquisitiontalk.com/2019/09/whats-the-rush-with-the-jedi-defense-cloud-contract/

George, 2019-08-31T10:35:01.262-07:00:

Not that tough if you can demonstrate both the short term and long term value add.

I worked for Citrix as Director of WorldWide Production Services (internal business computing including using early versions of our products in production) and Telecom for a while. Part of that job was supporting the national sales team selling Citrix solutions to Russell 2000 C-Suite and VPs of IT. It was particularly interesting looking at financial institutions. I'm not quite as negative about security as some, because in general there has been a lot of work done in the last ten years to improve things. That said, small companies can have some of the worst problems because they simply don't have the bench strength, but they are also low value targets so the risk matrix is better.

For something like the Navy, I would prefer to see more compartmentalization so an exploit doesn't risk access to everything. That goes quadruple for ALIS which appears to be a horror show that is just begging to get worse.

ComNavOps, 2019-08-31T06:48:27.226-07:00:

The major problem I've seen in industry, that ties in with your comment, is that our market system is focused on short term profits instead of long term profitability and sustainability. Shareholders demand quarterly profits, not decades profits. Thus, the CEOs and corporate leaders are forced to act in the best interest of short term profits which is rarely in the best interest of long term financial health. Unsurprisingly, this leads to a lot of unwise short term thinking and planning. No CEO could survive long by sacrificing short term profits for long term stability.

I remember one company (Fortune 50? or so) I worked at that was looking at a down quarter and issued a memo asking all employees to reduce their use of pencils for the quarter as part of the quarterly profit effort. Tough to get support for long term efforts in that kind of climate!

A6NimitzGuy, 2019-08-30T15:18:17.539-07:00:

"You're sounding like a true believer."
Heh, if I communicated with him across your domain Skipper, I'd have to ask who in Tyson's Corner does he work for. But that's outside my pay grade. As for the Cloud, starting off, that was a way for them to monetize the higher-bandwidth WWW as it grew. And like everything else in these businesses, they attempt to "Fake It Til They Make It". They string us along with buzzwords as they mop up cash. They go in and out of business handing it off to whomever they contracted the storage of your data to. Study the contracts if you're doing a deal for your small business. They subcontract storage space all over Europe and Asia. Some of your data with this one, some with another. Some of the small clouds around New England as recently as five years back didn't even have storage, they had their own contracted cloud that they dumped your stuff into after you signed. All it takes is for one of the providers to that cloud your stuff is tied up with to go under and that group of your data is gone. I was astounded to see how many of my phone customers in DC and up here took up Cloud storage and a couple of them, lost EVERYTHING, a mortgage company compromised thousands of customers' info and was sued out of existence. For what, to save a few hundred thousand a year in a company doing a billion or even $500,000,000? I ain't risking it, but then there are the bean counters EVERY engineer has to deal with. Anyone that doesn't keep a good IT guy on staff that speaks English and has clearances and provide the infrastructure, on-site storage and logistical support (meaning: money) to protect their data is nuts. Opening your data up to the Cloud is also allowing Hillary to look up your skirts at night.

Hey Skipper, ever duke it out with a Bean Counter? The 737MAX was brought to us by bean counters over the objections of the engineers. All such failures are. But the Fake It Til You make It crowd, these start-up outfits, don't they just have the most ADORABLE buzz-words? The Dot.Bomb was built on buzzwords. Great topic, skip. Sometimes I need a shower just thinking of the customers I used to do business with, now that I know. Theranos, AOL, Time-Warner, massive, thieving entities that cost millions their retirements. Fake it til you make it.

ComNavOps, 2019-08-30T14:21:52.662-07:00:

You're sounding like a true believer. That being the case, there is, literally, nothing that could persuade otherwise! It's kind of like Hillary supporters. Despite scandal after scandal, her supporters excuse away every incident.

Well, since you choose to ignore the evidence, there's nothing more to say. I'll leave you with the last word, if you wish. By the way, I really hope you're right and I'm wrong but history is screaming that isn't so! We'll see ...

ats, 2019-08-30T13:27:22.991-07:00:

The first wasn't a hack. It was bad software deployed by Amazon (not AWS).

Everything else isn't Amazon AWS, they are gross incompetence in configuring an S3 bucket. Capital One was also gross incompetence of Capital One, and not an AWS breach: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/

Literally, nothing you have provided shows any issues with AWS. They are all people basically making their data publicly accessible as a configuration option. AKA gross incompetence.

My experience with IT across multiple companies of various scale from local to ultra global is that most IT groups are just about useless and security is at best a tertiary issue for them and if they have security practices at all, they are almost always bad practices. Simple examples are things like requiring password expiration (one of the worst security practices possible) and not having a full time red team AND hiring additional outside red teams routinely.

George, 2019-08-30T13:18:47.349-07:00:

"I think your view of the quality of IT/Security practices is far too generous to the majority of the companies out there. One of the major reasons that cloud has seen such large scale growth is people knowing that AWS/Azure/GCP offer a much better base level of management and security than they could do internally. It allows them to only worry about the security of their application instead of for everything including the network."

I agree with you about financial institutions. In general IT doesn't get the right priorities.

But I disagree somewhat about only having to worry about the application if you're in a private AWS cloud. You still have all the user network and all those potential avenues of attack to worry about, not just the application.

I do agree that AWS is likely to be the least of your problems.

ComNavOps, 2019-08-29T16:00:31.501-07:00:

Yes, actually, I worked for many years in industrial computing and am intimately familiar with networks, data storage, and IT groups. The vast majority of IT groups I've encountered and worked with were highly skilled, professional, and employed state of the art methods and protections. Despite this, breaches still happen. To believe Amazon is magically immune is just wishful thinking.

Here's a link to a reported Amazon data breach from Nov 2018, Amazon Data Breach (https://www.theguardian.com/technology/2018/nov/21/amazon-hit-with-major-data-breach-days-before-black-friday)

and, Amazon S3 Breaches (https://businessinsights.bitdefender.com/worst-amazon-breaches)

Capital One, who uses Amazon AWS, recently suffered a major data breach with the two companies blaming each other.

And, here's a report about Amazon AWS data breaches in 2017. 2017 AWS Data Breaches (https://www.sumologic.com/blog/aws-security-breaches-2017/) These cases are attributed to various causes and illustrate that there is nothing magic about AWS data systems. They're as good or bad as the company using them wants to make them. Given the Navy's less than stellar record, there is no reason to believe that the Navy's AWS system will be any better secured than any of their other systems.

ats, 2019-08-29T13:49:57.103-07:00:

Do you actually work in the industry and go over the breakdowns of how the hacks occurred?

And no, most places are in the dark ages wrt security. A perfect example is Equifax. They were hacked because of basically gross incompetence. Gross incompetence is at the root of most actual data exploits. Equifax is a major financial company whose business should be 90% security for their data. They failed miserably. They should be non-existent at this point for the levels of gross negligence they displayed in computer security. Financial companies are some of the worst because they don't in general view IT as part of their business but as an impediment to it.

For most companies, IT is at best an afterthought and security is the lowest man on that list.

Almost all hacks/data exploits happen well after things should have been patched or are the result of gross incompetence in policies/configurations and a complete lack of security review and intrusion testing.

I think your view of the quality of IT/Security practices is far too generous to the majority of the companies out there. One of the major reasons that cloud has seen such large scale growth is people knowing that AWS/Azure/GCP offer a much better base level of management and security than they could do internally. It allows them to only worry about the security of their application instead of for everything including the network.

ComNavOps, 2019-08-29T12:36:32.288-07:00:

Really? No other company in the world that has been hacked had good people and good practices? Only Amazon has the good stuff?

Are you actually aware of the seemingly endless list of major companies that have been compromised? Many of them are financial institutions with the highest level of data security possible. I think you're seeing what you want to see, here.

ats, 2019-08-29T11:10:00.946-07:00:

If there is a connection point, it won't be within the private cloud and will be on another DOD network and therefore would exist regardless. The private cloud will be designed and monitored from the ground up to a level that none of the existing networks are.

I think that companies whose primary business is networks and computer access that have a demonstrated track record tend to be better than companies whose IT divisions tend to be the whipping group.

How do I explain how defense contractors with bad security practices have been hacked? Almost all these cases are a result of horrid IT practices and zero security reviews with threat models that haven't been valid for decades. AWS, Azure, and GCP are not defense contractors. Their entire business is dependent on their computer systems and networks. They do continuous security reviews and intrusion testing (both digital and physical).

Pretty much every major hack that has occurred both within defense and without is due to horrid security practices. They are not at all comparable with what GCP/Azure/AWS do/provide. The number of breaches that have occurred on systems following proper security practices is minuscule and minor (they get detected almost immediately and/or honey potted).

So yes, AWS does have something that dozens of other companies that were hacked didn't have: competent IT and security people, systems, procedures and policies.

ComNavOps, 2019-08-29T10:19:58.903-07:00:

"This whole infrastructure will only be accessible via DOD networks and won't be connected to the larger internet in any way."

Maybe not by design but there are a thousand points of contact. You'll recall the example of the US injected virus into the Iranian centrifuge software, supposedly via a printer? There's ALWAYS points of access.

Your faith in this system is staggeringly impressive. Of course, the history of data breaches on all kinds of massively isolated and protected systems is also staggeringly depressing. You seem to think that none of the other dozens of data breaches of major companies with the best IT people protecting them were real? Or, do you think that only Amazon has good IT people? The Chinese have hacked many major defense industry companies with highly isolated and protected data systems. How do you explain that?

I'm sorry but history says that you're 100% dead wrong. Amazon server systems offer nothing that dozens of other companies that were hacked didn't have.

ats, 2019-08-29T09:37:06.242-07:00:

Um? There is no effective difference between hosting ALIS on the proposed DOD cloud and doing it on a dedicated system/network from a vulnerability perspective except that the cloud based system likely will have more competent IT.

Remember, none of this has anything to do with a public cloud. This whole infrastructure will only be accessible via DOD networks and won't be connected to the larger internet in any way.

The whole point of having a Tier 1 cloud management infrastructure is they are already intimately aware of isolation of systems required. Part of their whole business pitch is that they can provide nearly infinite resources that are also effectively isolated from any other system running in the same rack/row/DC.

George, 2019-08-29T08:49:48.179-07:00:

I am nervous about ALIS in the cloud. I'm also nervous about ALIS period.

To have a system that does vital things regarding mission planning and execution for 2000+ F-35s vulnerable to interference is a frightening thought.

As you know risk management is all about the frequency of the risk being undertaken x the consequences of the risk happening.

I agree that the Tier 1 cloud providers are the best you can get so the likelihood of a breach is relatively small, but the consequences of a single breach that then possibly introduces a trojan are staggering.

ats, 2019-08-28T23:45:14.378-07:00:

Cause people would notice rather quickly since all the hardware orders will be shared with the much larger public cloud run and managed by the same company that has 10s of thousands of security researchers constantly trying to break into it and monitoring it for anything out of bounds.

If you care about security at this point. Having a T1 cloud provider run things is about as secure as you can get. What's the holy grail for hackers these days? It is FB, Amazon, Google, and Microsoft's cloud infrastructure. AWS has more security research eyes on it than any other system in the world.

ats, 2019-08-28T23:36:54.581-07:00:

Um, they are getting MORE redundancy, not less. Many of the existing DOD networks and systems have effectively zero redundancy currently. They will be transitioning to multiple datacenters that are fully redundant with full network, storage, and application level redundancy built in.

It will be much more hardened to compromise than existing systems. Not only will it be run by a company that deals with thwarting compromise on a daily basis, it will be on systems that are actually updated and maintained in real time.

It's not like this is some pie in the sky thing. This is an outgrowth of the same style of deployment within the intelligence community that has been very successful and running for years now. Everyone here does realize that the intelligence community has been running off a private cloud managed by AWS for years now right?

ats, 2019-08-28T23:29:34.736-07:00:

1) The Navy won't be running the systems. That's the entire point of the contract. To get the Navy out of the bulk day to day IT work for which they are underqualified and not competitive for. They will contract it out to a T1 cloud provider to run a private DOD cloud. That T1 cloud provider lives and breathes IT as their core business and are on the absolute cutting edge of security and vulnerability issues.

2) This will take massive amounts of poorly managed individual networks and replace them with a single management point run by a professional company that literally does this as their core mission.

Also, USB isn't at all secure. It is an entire computer sitting on that stick and they can and have regularly been hacked and trojaned. USB is inherently insecure. There is a reason that they epoxy any USB ports at anyplace that cares about security.

ats, 2019-08-28T23:23:01.060-07:00:

Actually, the vast majority of data breaches aren't cloud based and cloud has basically nothing to do with security in general.

The US military IT issues, largely stem from having 10k+ different environments and systems with cut rate IT running things.

That's not what is being considered here. This would be a private cloud system administrated and run by AWS in the same vein as the AWS cloud that is run for the intelligence services. It would be top notch physical and digital security practices along with top end operations and operations people.

Jon, 2019-08-28T15:34:12.904-07:00:

It'd almost certainly be a mixture.
Most companies are still transitioning their legacy systems to AWS or Google cloud networks.
The reality is that any network is inherently vulnerable.
Cloud networks are just vulnerable in different ways. It's as secure as you make it. Same thing applies to older networks.
The biggest single danger of cloud networks is actually insider hacks.
But overall, implemented correctly, cloud networks can become much more difficult to penetrate and when access is gained, the information exposed can be more easily isolated.
But, like I said, it's only as secure as its architecture and the ability for the people using it not to allow unintended access.

NICO, 2019-08-28T10:06:29.229-07:00:

Another possible avenue in hacking, I remember an article a few ago about US military finding parts that weren't OEM or from real spare part manufacturers, they were black market fake parts, just like fake Rolexes, fake smartphones or fake whatever China produces....why couldn't a country like China not just hack into the system and mess with parts needed AND introduce into the system fake parts?!?

Wow, now you're really messing with confidence of the system...so not only the mechanic doesn't trust the system, ordering the parts needed or not, bad deliveries or absence of parts really needed now installing fake parts so the pilots now are left to wonder about their jets...this is super cheap and easy way to sap morale and fighting edge.

ComNavOps, 2019-08-28T09:46:11.611-07:00:

Would these be the same IT people who worked at any of the dozens of major companies that have suffered data breaches over the last few years? I'm guessing that most of these companies had cloud-based data systems.

ComNavOps, 2019-08-28T08:09:38.774-07:00:

I think the public consensus is, yes, the Chinese have pretty much free access to everything we have or know. Consider the multitude of avenues available for acquiring information. The universities, where so much of our fundamental technology is developed is an open book to the hordes of Chinese 'students' attending them. Our patent system is an open book. Our scientific literature, reports, and papers are public knowledge. China has bought many of our technology companies and appropriated the tech. China requires companies doing business in China to share their tech info. And then there's the unending stream of public reports of Chinese hacking of our industrial and military networks and that's only the public reports. I'm sure there are many more serious cyber attacks that the military/govt doesn't report.

So, add it up. Do you think there's the slightest chance the Chinese don't have all our information? For confirmation, all you have to do is look at all the cloned technology in their military programs. That's not coincidence, that's exact copying.

Yes, they have everything.

Chinese Gordon, 2019-08-28T05:14:09.918-07:00:

So Nico is saying the Chinese compromised the LCS and Zumwalt programs years ago? ;-)