
The UAV itself will have a computer running a commercial RTOS. The computer on the ground which the operator sits at and uses to interact with the UAV is almost certainly a Windows box. And as someone else said, the military's way of securing Windows machines like those has traditionally been not to hook them up to a network in the first place, instead of installing anti-virus software. That actually worked really well until portable USB devices came along. The result is that the military is only now getting up to speed on securing these types of computers; it's not that they're dumb about computers, it's that in the past they dealt with the threat operationally rather than technically.



USB flash drives are banned DOD-wide. Most DOD computers are set up to not even mount them when they are plugged in.


Unless policy has changed dramatically since I was in, USB drives can be used after they have been classified, properly marked, and scanned. That being said, policy and reality are very different beasts. While deployed we had exactly 0 instances of malware/virus on our unclassified NIPRNet devices and at least 2 dozen malware/virus outbreaks on our SIPRNet machines. Usually these came about from the fact that those on SIPRNet tend to be of higher ranks and "above the rules" just like in a corporate structure. The other common offenders were MI and Signal geeks who "knew" better and assumed that their stuff couldn't possibly be infected.


I was told recently by someone working with DoD equipment that although USB flash drives were banned, certain USB hard drives were still OK. He was telling me this because it was so hilarious and alarming.


I was talking to a guy who makes "encrypted" USB drives at the NSA TCC recently. It sounded scarily hand-wavy to me. I was asking, "but where is the key stored?" and he tells me with a straight face, "right on the drive".


Couldn't it work so that the key used to encrypt the files is stored on the disk, encrypted using a password as a key?


No, it was just "plug and play", no auth necessary as far as I could extract from him. Plain "check box" encryption.


My experience with these is that you must either use your PKI certificate or a password as the key to decrypt the drive. The default configuration is generally to use the PKI certificate on the chip embedded in your ID card. Since you have to have that card in your computer to be logged in to begin with, using it to access other stuff is essentially effortless.


The hard drive has to be scanned by an administrator before you're allowed to use it (not sure what this process entails). It also has to be encrypted, and won't mount unless it is encrypted with the proper DOD-approved software.

As far as I know, SSDs are not allowed, only magnetic drives.


Unfortunately, most cell phones charge from a USB port.


You can actually still do that: drawing 5V doesn't require the phone to mount as a drive.


So, what happens when a virus on the phone tells it to pose as a CD drive, and install a keylogger?


I'm pretty sure it won't mount that, either. The only external storage they'll mount are external hard drives that have been encrypted with their approved software.


The Social Engineering Toolkit's keyboard-based malware deployment engine for Teensy could be repurposed for use on other USB devices.


I thought that was only common among smartphones.



