Apparently the drones that the US has been using in Iraq and Afghanistan have no encrypted their video feeds, and pentagon officials have revealed that insurgents have been eavesdropping on the video transmissions. According to the WSJ:

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.

U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.

Think that’s astounding? Wait till you see this:

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.

They’ve known about this for nearly two decades and haven’t done anything? C’mon guys – encryption isn’t exactly a new technology. As for assuming that insurgents wouldn’t know how to take advantage of the flaw, don’t even get me started. You should never underestimate your adversary, especially in war. In the modern information age knowledge is easy to come by, so assuming any large group of people will not have certain knowledge is a perilous assumption.

A few weeks ago Bruce Schneier wrote an article entitled “memo to the next president“. In it he has several pieces of advice, including asking the president to use the government’s immense buying power to increase the security of products. The government’s buying power has been used before to influence products, whether deliberately or accidentally, and Schneier wants to see the government weild this power for the greater good. This is logical – after all the government exists to provide for the greater good where no other actor is able to do it.

On the same theme, OMB recently announced that it was requiring all government agencies to start deploying DNSSEC, and then gave them a deadline of January 2009. (See the wikipedia page on DNSSEC if you don’t know what it is). While it will almost assuredly be completed behind schedule (it is government after all), it is great news. Simply put, DNS is inherently flawed. As was pointed out by commenters in a previous post, assuming that the first response is the correct one is just a bad idea. DNSSEC fixes all of that by enforcing digital signatures. Most commercial enterprises right now are simply applying the newest patch and leaving it at that. As everyone knows though, continuing to try and patch over breaches in the dike will only work so long – eventually you have to build a whole new dike (In this case DNS). Hopefully with such a large entity getting behind DNSSEC, we’ll see a large movement to it, and we can avoid the next DNS cache poisoning attack before it ever comes, because we all know it will.

The DoJ wants private corporations to more openly disclose cybercrime when it occurs. This is one of the major differences between the way government works and the way private industry works. (I’ve got information security in both, and it’s something I’d noticed a long time ago). In government, there is a strict procedure and a chain of reporting for everything, and one of the main focuses is openness. Individuals in government are rarely accountable as long as they follow the correct procedures. (In other words, the “I was just following orders” argument has worked countless times inside the beltway). In the private sector, the main focus is profit, and people are held accountable for what occurs, even if they feel they did nothing wrong. Reputation loss is a serious concern, and corporations are loath to report information breaches. This is one of the reasons data breach laws have been necessary – without them private entities would rarely disclose when something bad happened. Now the DoJ and FBI want corporations to disclose even more so that it can allocate it’s crime fighting abilities correctly. While this is clearly a laudable goal (and crime fighting is one of the major responsibilities of a modern government), private entities will not comply unless they are either required to by law (like the breach notification laws), or have a compelling financial interest (as in the case where they believe the authorities can help recover lost assets).