[HN Gopher] US military and intelligence computer networks (2015)
___________________________________________________________________
US military and intelligence computer networks (2015)
Author : DyslexicAtheist
Score : 84 points
Date : 2021-01-12 15:51 UTC (7 hours ago)
(HTM) web link (www.electrospaces.net)
(TXT) w3m dump (www.electrospaces.net)
| atemerev wrote:
| https://intelink.gov is a gateway to some of these.
| pdevr wrote:
| Wow.
|
| 1. The non-www version doesn't seem to work.
|
| 2. If you try https://www.intelink.gov/, the browser
| immediately warns you that the site is not secure, because of
| certificate problems.
|
| 3. If you still dare to venture ahead, you are greeted with
| this: "This is a United States Government computer system. This
| computer system, including all related equipment, networks, and
| network devices, including Internet access, are provided only
| for authorized U.S. Government use. U.S. Government computer
| systems may be monitored for all lawful purposes, including
| ensuring that their use is authorized, for management of the
| system, to facilitate protection against unauthorized access,
| and to verify security procedures, survivability, and
| operational security. Monitoring includes authorized attacks by
| authorized U.S. Government entities to test or verify the
| security of this system. During monitoring, information may be
| examined, recorded, copied, and used for authorized purposes.
| All information including personal information, placed on or
| sent over this system may be monitored."
|
| I am out of here :-)
| Pick-A-Hill2019 wrote:
| Then it's just as well you didn't scroll down to the comments
| section of tfa that links to a blog page called "Dangerous
| I.P. addresses that you should never ever scan"
| (https://dangerousip.blogspot.com/)
| AnimalMuppet wrote:
| In a previous life, I worked for a security company that
| made a "hacker in a box" - a security auditing tool that
| would scan a machine, or a range of addresses, to see what
| doors were open, and how they could be exploited, and if
| the exploits opened any new doors, and how _they_ could be
| exploited, and so on until it ran out of things to try.
| Since this was a security auditing tool rather than an
| attack tool, it left some very big, obvious, deliberate
| footprints in the scanned machine's logs.
|
| One day someone at our company decided that it would be a
| good idea to scan whitehouse.gov. We got told to never do
| that again...
| wrkronmiller wrote:
| > 207.60.36.176 - 207.60.36.183 Chris Pet Store
|
| Peculiar on many levels...
| Pick-A-Hill2019 wrote:
| " All the below are FBI controlled Linux servers &
| IPs/IP-Ranges 207.60.0.0 - 207.60.255.0 "
|
| I have no idea how they verified it* (or perhaps inserted
| as a prank?) but almost certainly it's no longer current
| (the list is from 2016) but uhmm yeah - It makes all
| those 80's movies that had the surveillance teams in grey
| vans marked 'Joes 24 Hour Plumbers' or 'Billy-Bobs
| Flowers' kinda funny.
|
| * IIRC one of the US Three Letter Agencies set up a load
| of dummy websites but used the same html code snippet in
| all of them. Once the first one was discovered and
| exposed as being a front it was game over. (meta comment
| - I think I might have read it as a post here on HN)
| secfirstmd wrote:
| You might be talking about the way the CIA reused code to
| communicate with sources in Iran in its China operations?
| Then got a ton of people killed by being stupid/lazy -
| despite internal whistleblowers going to Congress to warn
| them it was dangerous?
|
| https://www.telegraph.co.uk/technology/2018/11/03/dozens-us-...
|
| Something similar happened in Lebanon IIRC. Lazy reuse of
| tradecraft - a pizzeria and some mobiles I think it was.
| DakharsBuzumCIA wrote:
| I was going to comment on 'a dozen killed.' 12 * 80 kg is
| just 960 kg, so, I guess it's either a baker's dozen,
| 13, which makes it 1040, or those people were fat as
| fuck.
|
| Learn to weigh 80 kg, or, I mean; don't join the CIA.
| Either or. Fat bastards! L O L
| secfirstmd wrote:
| I'm curious how services like Shodan deal with the legal
| aspects of things. For example they obviously scan the
| Irish government's sites but I would be afraid to do that
| even though I do legitimate research. Is there any actual
| guidance out there about how to balance these things?
| ianmf wrote:
| > 3.
|
| These banners are required on all government IT systems. The
| sole purpose of these banners is to prevent criminals from
| saying they were not aware of what they were doing,
| mistakenly accessed the site, etc. It is a legality.
| TecoAndJix wrote:
| See this STIG (NIST) requirement for network devices -
| https://www.stigviewer.com/stig/firewall/2015-09-18/finding/...
| vonmoltke wrote:
| > 1. The non-www version doesn't seem to work.
|
| Common for "internal" USG sites. I don't know if it's
| intentional.
|
| > 2. If you try https://www.intelink.gov/, the browser
| immediately warns you that the site is not secure, because of
| certificate problems.
|
| Internal USG sites use USG-generated root certificates and
| certificate chains. These need to be installed manually from
| USG sources.
|
| > 3. If you still dare to venture ahead, you are greeted with
| this: "This is a United States Government computer system.
| This computer system, including all related equipment,
| networks, and network devices, including Internet access, are
| provided only for authorized U.S. Government use. U.S.
| Government computer systems may be monitored for all lawful
| purposes, including ensuring that their use is authorized,
| for management of the system, to facilitate protection
| against unauthorized access, and to verify security
| procedures, survivability, and operational security.
| Monitoring includes authorized attacks by authorized U.S.
| Government entities to test or verify the security of this
| system. During monitoring, information may be examined,
| recorded, copied, and used for authorized purposes. All
| information including personal information, placed on or sent
| over this system may be monitored."
|
| The standard disclaimer on all internal and classified
| systems. I'm glad I no longer have to click through that
| daily.
| ckozlowski wrote:
| You need the DoD Root CAs.
|
| You can get them from here, just follow the instructions:
| https://public.cyber.mil/pki-pke/end-users/getting-started/
|
| They're not bad to have in general.
|
| The notice you see there is standard boilerplate.
| nefitty wrote:
| This seems like it should be included in default root
| stores. I am out of my element here, but it would be cool
| if anyone can explain why or if I would need to manually
| add govt CAs.
| lostapathy wrote:
| If you allow the US gov CAs to be bundled with your
| browser, do you allow any country?
|
| How would non-US citizens feel about having US CA's in
| their browser by default?
| aksss wrote:
| Seems like most people, US or not, should not trust DoD-
| signed stuff by default.
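
Added example, not part of any comment in this thread: the certificate warning discussed above is what any client shows when a server certificate chains to a root that is absent from its default trust store. The sketch builds a throwaway private root, an unrelated root and a server certificate with openssl, then verifies the server certificate three ways; every subject name is constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo: all subject names below are made up for illustration.

make_demo_pki() {  # $1 = scratch directory
  local d="$1"
  # Two unrelated self-signed roots: the private root and some other root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Private Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated Root CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  # Server key and CSR, then a certificate issued by the private root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.internal.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -days 1 \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/leaf.pem" 2>/dev/null
}

# What a stock client does: consult only the platform's default trust store.
verify_with_default_store() {  # $1 = certificate
  openssl verify "$1" >/dev/null 2>&1
}

# What a client does once a specific root has been installed by hand.
verify_with_trust_anchor() {  # $1 = root PEM, $2 = certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_demo() {
  local d; d=$(mktemp -d)
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  verify_with_default_store "$d/leaf.pem" \
    && echo "default store:   trusted" || echo "default store:   NOT trusted"
  verify_with_trust_anchor "$d/root.pem" "$d/leaf.pem" \
    && echo "private root:    trusted" || echo "private root:    NOT trusted"
  verify_with_trust_anchor "$d/other.pem" "$d/leaf.pem" \
    && echo "unrelated root:  trusted" || echo "unrelated root:  NOT trusted"
  rm -rf "$d"
}

run_demo
```

Only the run that names the issuing root as a trust anchor succeeds, which is also why adding a root to a trust store is a decision about whose signatures the client will accept.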
| antiman0 wrote:
| What a great rabbit hole! It's pretty interesting to see how some
| of these sites are "protected" (big HTML warning stating "DO NOT
| ACCESS THIS") and some oldschool-IT named domains such as
| https://itdashboard.gov/ .
|
| Given the recent SolarWinds breach I wonder how these networks
| are impacted. Most of them look like they are from the early 90s.
| sandworm101 wrote:
| >> Given the recent SolarWinds breach I wonder how these
| networks are impacted.
|
| Classified military networks are very different than civilian
| networks. They aren't just air-gapped. Because they are not
| general purpose networks they can have lots of internal
| barriers that would not be acceptable outside of the military.
| Want to use HDMI for your new screen? Nope. VGA because it
| doesn't require compute power within the screen. Want to use a
| Bluetooth headset? Nope. You are stuck with a curly wire from
| 1972 because that wire has passed the emissions security
| inspections. Such principles extend to the internal barriers
| too. Important national security websites can look like
| personal websites from the 1990s not because they are not
| updated but because they are very restricted in how they can
| load information from other sources. The fact that these
| networks look old doesn't mean they are behind the curve on
| security.
|
| Got too many passwords to remember? Want a "password
| manager"... lol. Good luck with that in a world where computer
| A isn't even allowed to be in the same room as computer B.
| euler_angles wrote:
| We aren't allowed to use VGA because it's vulnerable to being
| sniffed. Everything has to be HDMI or DisplayPort/Mini
| DisplayPort.
| alksjdalkj wrote:
| Those HTML banners aren't intended to "protect" anything, they
| just indicate what classification level the content is.
| kube-system wrote:
| Sensitive networks are airgapped because vulns like SolarWinds
| are not unforeseeable.
| sitzkrieg wrote:
| PKI, not username/password
| hchz wrote:
| I saw a topological diagram of how each of these systems and many
| not mentioned were connected to each other, and it raised more
| questions than it answered.
___________________________________________________________________
(page generated 2021-01-12 23:01 UTC)