Tuesday, December 14, 2010

DARPA makes Lockheed Martin sit for three months on one of 2010's most important military technology stories


Posted by John Keller

Here's the good news: military electro-optical systems designers at the Lockheed Martin Mission Systems & Sensors (MS2) segment in Akron, Ohio, announced today that they are building several One Shot laser-based military sniper fire-control systems that improve accuracy and reduce the possibility of detection under terms of a $6.9 million contract from One Shot program sponsor, the U.S. Defense Advanced Research Projects Agency (DARPA) in Arlington, Va.

Here's the bad news: Lockheed Martin won that contract at the end of September, and had to sit on an official announcement for nearly three months because the public affairs folks at DARPA wouldn't give permission to announce the follow-on contract for the One Shot fiber optic laser-based system that is designed to help military snipers compensate for cross winds to hit their targets with their first shots.

The One Shot program, and Lockheed Martin's latest contract, haven't been a secret over the past quarter, however, while DARPA dithered on authorizing an announcement. We here at Military & Aerospace Electronics had been covering the story from the beginning.

Our original story, Lockheed Martin to continue One Shot program electro-optics work to help snipers hit targets in crosswinds, which ran on 1 Oct., also received considerable attention in other media -- most notably Fox News and Popular Science.

Fox News picked up the story a couple of days after we broke it, and posted a well-read story online entitled Self-Aiming Sniper Rifles Coming Next Year. Popular Science, meanwhile, posted a story entitled Darpa's Self-Aiming "One Shot" Sniper Rifle Scheduled for Next Year.

Fox News and Popular Science very graciously posted links back to the original story in Military & Aerospace Electronics, which as of today has received 10,591 page views and has been our most-read online story of 2010 -- by far.

It's too bad the public affairs folks at DARPA didn't place the same level of importance on this military technology story that the reading public of Military & Aerospace Electronics and other major online media did ... and kudos to the public relations shop at Lockheed Martin MS2 for showing such patience.

Monday, December 6, 2010

Security holes are everywhere, even in secure virtualization systems, says Green Hills Software CEO


Posted by John McHale

If the WikiLeaks scandal shows anything, it proves that no system is as secure as people may think it is -- especially software virtualization systems, said Dan O'Dowd, chief executive officer of Green Hills Software, during the company’s Software Elite Users Technology Summit. "Virtualization adds nothing to security," he added.

O'Dowd pointed out that virtualization systems have less code, "but that just means they are less bad, not more secure. Running bug-ridden operating systems in virtual machines does not solve the security issue unless the virtualization system itself is secure."

He then made a point that I think resonates well beyond virtualization systems. "The security claims of popular virtualization systems are just marketing fluff to exploit the desperate need of all computer users for security," O'Dowd said. These systems have only been evaluated to the National Security Agency's (NSA's) Common Criteria EAL4+.

According to the Common Criteria, EAL4+ "makes them appropriate for protecting against 'inadvertent or casual attempts to breach system security,'" O’Dowd said. It's as if they have five doors to their house but have locked only four, he added.

O'Dowd was working up to making the case for his company's EAL6+ secure virtualization software, but I think he's also right that this is not just a virtualization security phenomenon.

People are lazy when it comes to securing their computers. They all want their systems to be secure, but typically buy into the marketing fluff of certain technology because they like the convenience it provides. However, in the long run they are setting themselves up for security breaches.

It reminded me of something an export compliance officer at a major aerospace company once told me that he tells his employees who travel overseas. He says they need to assume that their emails are being read and their phone conversations are being listened to. It doesn't make you paranoid, it makes you vigilant, he said.

Speaking of vigilance, let's get back to the secure virtualization discussion.

During their work in this area, O'Dowd's engineers found security vulnerabilities in standard device drivers in virtual machines. He said they attempted to use I/O memory management units (MMUs) to improve the security of virtual machines, but found that "it doesn't work."

"We weren't looking for vulnerabilities, we were just trying to make the device drivers work," O'Dowd said. "Modern I/O devices often contain huge software control programs consisting of hundreds of thousands of lines of code, and they have just as many security vulnerabilities as traditional operating systems."

He made the case that if users want to be vigilant with their virtualization systems, they need to use an EAL6+ secure system like that offered by Green Hills. Makes sense, but with that vigilance also comes cost.

Systems like Green Hills' do not come cheap, so it becomes a matter of managing risk. Military and avionics systems cannot take that chance, but companies in less mission- or life-critical applications may be able to get away with it.

What's more expensive: paying for the security ahead of time, or not paying and hoping nothing happens? I guess it depends on whether or not you think you, your company, or your technology is actually a target.

Wednesday, December 1, 2010

Revealing the flight plan of Santa; what else are we giving potential terrorists?


Posted by John Keller

On the heels of devastating WikiLeaks revelations of U.S. State Department secrets, causing irreparable damage to U.S. diplomacy around the world, comes news that the U.S. government itself is about to publicize detailed movements and locations of one of the most important Christmas icons of Western Civilization -- Santa Claus.

The North American Aerospace Defense Command (NORAD) at Peterson Air Force Base, Colo., announced plans today not only to track the movements of Santa Claus during his Christmas Eve rounds, but also to report his every location on a public Website, www.noradsanta.org.

We live in dangerous times; no one at NORAD needs to be told that. This is an organization that regularly scrambles jet fighters to intercept any aircraft in violation of U.S.-controlled airspace, yet these people are about to put a holiday symbol of the magnitude of Santa Claus in jeopardy by revealing his whereabouts to potential terrorists and other adversaries.

Think about what could result from this ill-advised scheme. The hooves of those eight tiny reindeer are more than enough to set off a well-placed improvised explosive device (IED). That sleigh laden with gifts would be a fat target for any nefarious character with a shoulder-fired missile. I won't even mention the damage that a suicide bomber could wreak.

To be sure, we're not just talking about the possibility of some disappointed good little girls and boys here; this could shake Western culture to its core. Think of the disruptions to national economies. It could spell an end to Christmas as we know it.

NORAD simply must rethink such a cavalier plan that puts so much in danger. If nothing changes, we risk a Christmas Eve disaster more profound than any other in memory of this or past generations, and I'm appalled.