Britain's Newest Warship Runs Windows XP, Raising Cyber Attack Fears (telegraph.co.uk) 302
Chrisq shares a report from The Telegraph: Fears have been raised that Britain's largest ever warship could be vulnerable to cyber attacks after it emerged it appears to be running the outdated Microsoft Windows XP. A defense source told The telegraph that some of the on-board hardware and software "would have been good in 2004" when the carrier was designed, "but now seems rather antiquated." However, he added that HMS Queen Elizabeth is due to be given a computer refit within a decade. And senior officers said they will have cyber specialists on board to defend the carrier from such attacks.
Makes sense to me (Score:5, Funny)
The MoD has lied ! (Score:5, Interesting)
Back in 2015 the MoD declared that this vessel would be 'Windows-XP Free'
Read the article below if you do not believe ---
https://www.theregister.co.uk/... [theregister.co.uk]
Re: (Score:2)
However, he added that HMS Queen Elizabeth is due to be given a computer refit within a decade.
What's the fuss about? In 2027 this warship will be up-to-date with bleeding edge Windows 10. Oh wait...
Re:The MoD has lied ! (Score:4, Funny)
However, he added that HMS Queen Elizabeth is due to be given a computer refit within a decade.
What's the fuss about? In 2027 this warship will be up-to-date with bleeding edge Windows 10. Oh wait...
Until it decides to update in the middle of a battle.
Re: (Score:3)
What if you want to launch a missile strike from your phone? I saw Arnold do it in a commercial. Think about these questions before you ask them.
Re: (Score:2)
Re: (Score:3)
Why bother fussing with anything at all. The vessel has largely served it's purpose, spending 3.5 billion dollars on the military industrial complex. It was designed to be built 'out of date' so a life time of upgrade cycles will be required which will preferably eclipse the 3.5 billion spend, more profits, fuck infrastructure, fuck social services, war, war, war. It matters not one iota how well it works, just how much corporate profit it can generate. The floating version of the F35 Flying Pig, destined t
Re: (Score:3)
This is what you call a big floating disaster.
Re: (Score:2)
Just think how fucked up you have to be to pick that as your username. Man you must have had an unhappy childhood, overbearing (maybe worse) parents? Gotta love the weird hangups and kinks of people raised by conservative christians. I'm sure having a handle called 'gay boner sex' is just a part of it.
Most of the rest of us grew up and stopped finding differing sexualities interesting a looooong time ago. What a sad little prick you must be. Even if you're straight, which is probably debatable, you evidently think about men fucking a LOT.
I think the point of him picking that name seems to be getting people like you up. Who gives a shit? You claim not find differing sexualities 'interesting' yet you can't help having a go at a stranger on the internet for reminding you of it. Grow up and don't feed the trolls.
Cyber specialists (Score:5, Insightful)
they will have cyber specialists on board to defend the carrier from such attacks
They are supposed to defend unsupported proprietary software. The right name is not cyber specialist, but rather priest.
Re:Cyber specialists (Score:5, Interesting)
This is the most ridiculous part of the whole story. They think that some people at the board of the carrier can fend off attacks. They believe that it can be solved by like a local scale problem, like aircraft attacking the carrier. So they think they can solve it by people on board specialized to protect you, like they probably have someone on board to operate the anti aircraft cannon.
These attacks aren't local scale though. They are global scale. Vulnerabilities in Windows XP get discovered by someone at the other side of the globe and get used against you. Similarly, a patch to fix a vulnerability in Windows XP can be developed once and then applied locally. And in the case of a total and complete hack during the heat of a battle, even the best team on board won't help them to get the systems back up before the battle finishes.
Re:Cyber specialists (Score:4, Insightful)
Re:Cyber specialists (Score:5, Funny)
They need someone there to change the lightbulb to red, whilst a cyberattack is in progress.
Re: Cyber specialists (Score:4, Interesting)
Switching OS is nice. But the US government pays for Windows XP support and updates.
I'm far more concerned about software which actually requires XP. The entire ship should be running NSA Secure Host Baseline (https://github.com/iadgov/secure-host-baseline).
Re: (Score:3, Insightful)
The systems are very likely DoD (or at least) connected for remote maintenance. There will be a minimum of 3 encryption black boxes before satellite uplink. Switching OS is nice. But the US government pays for Windows XP support and updates. I'm far more concerned about software which actually requires XP. The entire ship should be running NSA Secure Host Baseline (https://github.com/iadgov/secure-host-baseline).
Why would we want the Americans to control the software?
Did you read the article? Do you think we trust your president?
Re: (Score:3)
Eh, who won the Falklands conflict?
Re: (Score:2)
France [wikipedia.org].
Re: (Score:3)
Switching OS is nice. But the US government pays for Windows XP support and updates.
If I recall correctly, they did it once but not nowadays.
And even if you have support and updates, a general purpose OS such as Windows has a huge surface attack.
Re: (Score:3)
"general purpose OS" - that's the nub of the issue. Why, in a multi-billion pound/dollar project would you not have your own OS?
Even a cut-down, customised version of Windows has to be better than XP+Norton antivirus (or whatever has been used). MS can do this, remember the original XBox? Wasn't it supposed to be running a cut-down version of W2K?
"Hey, Microsoft, we need a custom version of Windows. It needs printing, networking, {list of needs}, and it doesn't need {list of components that provide attack v
Re: (Score:2)
There will be a minimum of 3 encryption black boxes before satellite uplink.
Hmm, ROT39... Excellent...
Re:Cyber specialists (Score:5, Informative)
Tell that to the Iranians.
Their centrifuges were not attached to the Internet. Physical security. But Stuxnet got them anyway.
Re:Cyber specialists (Score:5, Funny)
The right name is not cyber specialist, but rather priest.
Oh please, don't be an idiot. The government isn't dumb enough to rely on just some priest. For the money they are paying out, they are going to at least demand a cyber priest. ;)
Re: (Score:2)
Amen.
I mean, Enter.
Re:Cyber specialists (Score:4, Insightful)
It's outright scary that they would consider using a Windows of any version. Can you see them on Windows 10 and just as they engage with the enemy all the computer screens say "Restarting to Install Advertising Update. Please Do Not Power Off Your Computer."
Re: (Score:2)
Re:Cyber specialists (Score:5, Informative)
They don't just take an off the shelf copy of Windows XP and install it on the ship, companies like BAE systems have agreements with Microsoft over source code access and provide hardened versions to their customers.
Thus, the unsupported and proprietary elements of consumer Windows XP are entirely irrelevant - they both pay for bespoke extended support from Microsoft, and they have source code access themselves.
Whilst there are legitimate questions about using Windows XP for a brand new ship, it's not quite as bad as "OMG they use Windows XP lol" type headlines and comments make out. The reality is that they have support for and source code access to perhaps the single most tried and tested OS in the world. Lines of communication and inputs into the systems are both limited and restricted, and thus any vulnerability discovered against XP in the real world will likely be fixed and patched on a ship well before anyone can find a way of getting the exploit onto the ship's systems.
Re: (Score:2)
Re: (Score:2)
Maybe they do have the source code to XP.
Even if they do, imagine you discover during the battle that your systems are crippled by a specialized malware. Do you have time to identify the flaws used for infection, fix them, rebuild and redeploy the OS? I bet you will be drowning before you have completed malware analysis.
Re: (Score:3)
Nah. You just have Clippy do it all for you; digital assistants finally being en vogue and all.
Re: (Score:2)
Re: (Score:2)
I think the correct term is Tech Priest.
Re: (Score:3)
And the navigation... (Score:5, Funny)
... control system is assisted by Clippy.
Armageddon Clippy (Score:5, Funny)
It looks like you are trying to turn the surface of the earth into glass. Would you like help?
Re: (Score:2)
do you want to play a game? (Score:2)
It looks like you want to play global thermonuclear war
what side do you want??
1. USA
2. Russia
3. United Kingdom
4. France
5. China
6. India
7. Pakistan
8. North Korea
9. Israel
Re: (Score:2)
I'll take France, who else on that list is even bothering to target them?
Re: (Score:2)
Please list primary targets by
CITY AND/OR COUNTY NAME:
Re: (Score:2)
Pass.
Look, I win 1 wasteland!
Re: (Score:2)
I'll take France, who else on that list is even bothering to target them?
The Brits. All their problems are Europe's fault.
Re: (Score:2)
Re: (Score:2)
Careful, everyone picks France as a target. Didn't you learn anything from your Simpsons?
Re: (Score:2)
If compromised systems had clippy enabled as a consequence then I am sure the world would take security a whole load more seriously.
Re:And the navigation... (Score:5, Funny)
... control system is assisted by Clippy.
Imagine the timers.
Missile incoming! Impact in:
5 seconds.
2 seconds.
132 seconds.
1 second.
Re: (Score:3)
...
* * * No Carrier * * *
(pun intended)
Windows for warships (Score:2)
that crash's when you enter zero into the data field for the Remote Data Base Manager
Re:Windows for warships (Score:4, Informative)
It makes sense when the divide by 0 error in userland takes down the entire ship.
"On 21 September 1997, a division by zero error on board the USS Yorktown (CG-48) Remote Data Base Manager brought down all the machines on the network, causing the ship's propulsion system to fail."
https://en.wikipedia.org/wiki/USS_Yorktown_(CG-48)
Holding a Warship Ransom (Score:2)
Ransomware writers around the world are salivating.
Seriously who would make such a boneheaded decision?
Re: (Score:2)
Re: (Score:3)
You're right. After all, when Windows XP came out Microsoft had a pristine security history from MS-DOS 3 to Windows 98.
Re: (Score:2)
You're right. After all, when Windows XP came out Microsoft had a pristine security history from MS-DOS 3 to Windows 98.
That does not really count as XP is based on NT, not DOS as win-98 was. But still, Microsoft.
Such a choice does not inspire confidence in the technical competence of the decision makers. Are they really using Windows for the combat systems?
Re: (Score:2)
Well of course, we know those are insecure. But Windows 10 is perfect! It will stay perfect until there's a later release. But wait, they'll never have another Windows version, ever, so it should stay perfect forever!
You can run your coffee makers on Windows, but if it's mission critical you don't want to go anywhere near Microsoft software.
Re: (Score:2)
HMS Brixit (Score:3, Funny)
"And senior officers said they will have cyber specialists on board to defend the carrier from such attacks."
ALL UNPLUG FULL!
Answering all unplug full aye!
This is crazy (Score:5, Interesting)
Every military appears subject to the same idiocy. Seriously, you are spending literally billions of USD, GBP, or EUR (I tried to use the actual symbols for GBP and EUR, but I forgot about Slashdot and unicode). You can't spring a few million for a custom built or customized (e.g., based on OS/2, QNX, VXWorks, Linux, etc.) OS that has all the networking and other non-essential components removed? Then you can allow network access via a very tightly controlled and well audited interface.
The main reason, I think, for this conundrum is that there are two competing objectives: 1) extremely rigorous system engineering processes with the attendant configuration control; 2) use more COTS and fewer custom components. For instance, those decisions were definitely made over a decade ago and any change to them would require tons of paperwork, additional certification, and also add to the cost and delay the schedule. It's no wonder they just stuck with what was already approved.
That said, I simply cannot believe that one or more of the big defense firms (e.g., BAE, Lockheed-Martin, Boeing) has not come up with something better than slapping Windows on it.
Now, I know (or rather, I truly hope) that things like navigation, fire control, and other critical ship functions are not dependent on any Windows (or other consumer OS). However, I know that some years ago the US Navy had a "Windows-power ship" end up dead in the water and had to have it towed back to port. That was the result of a divide by zero bug in some piece of software but Windows did not handle it gracefully, if I recall correctly.
Either way, they will be lucky if they don't end up with some very serious problems along the way. It seems like it is just not possible to keep ransomware out of any decently sized network. And I can imagine a major world power's flag ship being a tempting target.
Re: (Score:2)
Re: (Score:2)
$ € £ What's the issue?
I think you need to use the HTML entities: £ € ¥
Because otherwise they turn out like this: £ â Â¥
With HTML you get: £ € ¥
No, I didn't use HTML entitles. I'm on a Mac. I just used the 'Show Emoji & Symbols' pulldown menu to enter them.
/. likes some things, e.g. £ € ¥ é ü ñ. Most of the other things I might use – degree sign, thorn, eth, certain accented characters – don't work whether I enter them directly, from Show Emoji & Symbols, or as HTML entities.
Re: (Score:2)
The buddy system always ensures nobody can use their own computer from home they took with them.
What could another nation or faith group do?
Sign up an unexpected person to go for ship education, become a sailor and then rise up the ranks for years?
One spy on a ship? The buddy system would totally prevent that. Two spies on average would not get to work alone together given the crew size so
Re: (Score:2)
As opposed to... (Score:5, Insightful)
Re: (Score:3)
... Windows for Warships?
(Seriously, that exists)
Anyway: despite windows XP's age Microsoft will still actively support it for organizations willing to send them a boatload of money, and the rates only go up the more time passes. But when you're talking about the operating costs of a large warship, the cost for continued xp support is only a rounding error in the total.
I LOL'd We have an aircraft carrier running NT.
"The data contained a zero where it shouldn't have, and when the software attempted to divide by zero, a buffer overrun occurred – crashing the entire network and causing the ship to lose control of its propulsion
system. https://www.wired.com/1998/07/... [wired.com]
That's depressing, it's such old news (Score:4, Interesting)
The last time I recall the Navy being concerned about running Windows was maybe 15 years ago. The LinuxBIOS project attracted a lot of attention from some Navy guys because of its rapid reboot capability.
At LANL, LinuxBIOS researchers could reboot a small (1K diskless compute nodes connected via Myrinet) scientific computing cluster in 3 seconds, ready for work. So, theoretically, one could change from a Linux cluster to a Windows cluster, but no one ever wanted to.
Whatever became of that technology?
Is there even a word for this level of stupidity? (Score:5, Insightful)
The die-cision to use anything from Microsoft in a mission-critical environment, let alone a 16+ year old OS with a giant list of known exploits goes so far beyond amazingly stupid I can't even find the words.
Re: (Score:3)
Is there even a word for this level of stupidity? The die-cision to use anything from Microsoft in a mission-critical environment, let alone a 16+ year old OS with a giant list of known exploits...
I believe the word you're looking for is "congressional". ;)
Re: (Score:2)
The die-cision to use anything from Microsoft in a mission-critical environment, let alone a 16+ year old OS with a giant list of known exploits goes so far beyond amazingly stupid I can't even find the words.
Can you name a single known exploit that applies to this ships XP systems as deployed?
Re: (Score:2)
Just fucking google it. There are large numbers of unpatched XP exploits. Microsoft themselves even admit the entire OS is fundamentally insecure and will never be fixed. They even said the same thing about Win 7 as soon as they wanted you to buy Win 8.
Re: (Score:2)
Here's a start:
https://www.cvedetails.com/vul... [cvedetails.com]
Re: (Score:2)
Just fucking google it. There are large numbers of unpatched XP exploits. Microsoft themselves even admit the entire OS is fundamentally insecure and will never be fixed. They even said the same thing about Win 7 as soon as they wanted you to buy Win 8.
The existence of exploits is different from question of which exploits are applicable to XP systems as actually deployed on this ship.
Re: (Score:2)
Re: (Score:2)
They have to find people to use the computer GUI. Make a bespoke UK OS? Thats a lot of new computer tasks to learn and teach to average people new to the navy.
Trying to keep people in the navy is not helped by some strange, new, expensive, complex new UK mil OS.
No need to teach the users how to write code in something like a new Ada to do GUI things.
That keeps teaching costs lower and makes teaching methods for new crews more easy. Just like a really big hom
Re: (Score:2)
Now, you might ask, why would I do something like that at all. And the answer is that the nameless industrial controls vendors Allen-Bradley and National Instruments explicitly marketed a WinXP/LabView solution for HMI as an alternative (not ev
Re: (Score:2)
"Margaret Thatcher ordered troops to shoot intruders on sight after protesters boarded nuclear-armed Navy sub
The PM was livid when three demonstrators broke into the control room of vessel carrying Polaris missiles, newly released files show"
http://www.mirror.co.uk/news/u... [mirror.co.uk]
Anyone over there watch the IT crowd? (Score:2)
Anyone over there watch the IT crowd?
Moss: "What kind of operating system does it use?"
Bomb squad: "Vista!"
Moss: "We're going to die!"
Almost every luxury vehicle manufacturer... (Score:2)
... has managed to develop their own QNX based base operating system to ensure safety & security. They've also been doing it for a couple decades.
It seems insane that the Royal Navy & BAE systems couldn't figure this out themselves. This has the smell of a kickback based sales agreement to me. Almost any other operating system is a better choice simply because they are smaller attack targets than any version of Windows.
Re: (Score:2)
It seems insane that the Royal Navy & BAE systems couldn't figure this out themselves. This has the smell of a kickback based sales agreement to me. Almost any other operating system is a better choice simply because they are smaller attack targets than any version of Windows.
When your adversaries are other nations security by obscurity is especially inoperative.
Re: (Score:2)
It seems insane that the Royal Navy & BAE systems couldn't figure this out themselves. This has the smell of a kickback based sales agreement to me. Almost any other operating system is a better choice simply because they are smaller attack targets than any version of Windows.
When your adversaries are other nations security by obscurity is especially inoperative.
Security by installing a system designed to be secure is the idea - there are many. Even MS had one with WinCE that is far more up to date than WinXP.
That's not all. (Score:5, Interesting)
The Register in 2009 [theregister.co.uk]
According to the Ministry of Defence (MoD), HMS Montrose has now entered a planned docking and refit period during which BAE Systems plc will replace her original DNA(1) gear with DNA(2), said to be "based on the system being fitted to the Royal Navy's powerful new Type 45 Destroyers". This means it will be based on fairly everyday hardware running legacy Windows OSes - people who have worked on these programmes inform us that both Win2k and XP will be in use across the fleet.
At least they upgraded. (Score:2)
The U.S. nuclear fleet still runs on Microsoft Bob.
On boar (Score:2)
Re: (Score:2)
Boars with lasers, I hope?
Heh, thanks to me (Score:2)
That said, I don't get the thinking here. WinXP is old, outdated, and insecure. If you don't want Win10 or whatever you've got linux, along with several modern RTOS's. Hell, rolling your own is probably better than WinXP.
If you've got a CNC machine, or bioassay device, or whatever, it's fine. As long as the internet can't find it. Soon as the $bad_guys find it, game over.
Comment removed (Score:5, Informative)
Man the Brits are LUCKY (Score:2)
Mind you, this is from the same country that bought you flammable warships during the Falklands war.
Navel Warfare (Score:2)
The last thing you want to see in naval warfare:
Your cruise misses have been encrypted. Do not bother trying to decrypt your cruise missles as they can only be decrypted by us. Send ${YOOGE_BITCOIN_MONIES} to our friendly decryption service to decrypt your cruise missles.
Experts, all of them. (Score:2)
"senior officers said they will have cyber specialists on board to defend the carrier from such attacks" translates to "they have the original installation floppies standing by".
Can't wait for the headlines (Score:5, Funny)
"Warship sunk by fat Russian boy on the couch of his mother's basement."
Re: (Score:3)
"Warship sunk by fat Russian boy on the couch of his mother's basement."
You forgot to end it with, "Sad!"
What happened to the promises of 2015? (Score:2)
Article is here: https://www.theregister.co.uk/... [theregister.co.uk]
Never mind XP, it's connected to the INTERNET? (Score:2)
On a lighter note... (Score:2)
Old joke: What does a navy pilot have in common with an internet junkie?
Both break out in cold sweat if their display shows NO CARRIER
One country's bug is another country's feature (Score:3)
Pretty simple (Score:3)
A lot of people keep calling this stupid, but it's actually pretty simple. The design started back in 2004. When you're working a rigid project like this, things get locked in once approved, like design and technology. If you postponed even whenever a new Windows came out, you'd have to go back, have a new CONOPS, new requirements, and start all over again and the project would never finish. Yes you'd get to reuse a lot of the previous architecture, but just think about it. If you're running the program, and software people tell you they're going to just use a new OS, you have a whole host of new things to think about.
And in the government, hardware tends to drive software, so software is constantly trying to keep to the same milestones. And believe me, once you've tested, NOBODY wants to think about switching OS and libraries now. Throw in a few of the typical delays that come in the government, (funding/changing of the guard, etc...) and this all makes sense.
So stupid? That's not really the issue here. It's choosing between a rigid process, that can't afford to do things quickly and is very risk averse...or finishing quickly. The most common mitigation to this issue is to include an update later, with newer Windows and some regression testing. You can't really win with the public these days anyway...imagine if they pushed it out quickly and the report instead said that there was a malfunction because it was a rush job. These days, you're damned if you do (spend a lot of money but this is what we get) and damned if you don't (rush job leads to malfunction leads to public embarrassment).
Re: (Score:3)
Yes, the Royal Marines like their meat fresh.
Re: (Score:2)
Damn. What's sodomy good for if you can't get whipped and drunk?
Re: (Score:3)
Boar does not mean wild pig. It means male pig with his balls intact. (/syntaxrant)
Re: (Score:2)
I think that probably the whole "you're being updated by forced and shoved ads up your ass" thing have a bit to do with it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It doesn't matter if they never go to war with it, you mean?
Because that's basically the game BAE is in. Making weapon system that are peace-compatible. Not really battle worthy, but also not as expensive as they'd have to be to be battle-worthy.
Re: (Score:2)
The UK did not expect anyone to work out how to use that French systems in the time allowed.
It was an export grade weapons system and was expected to stay on an internal surrender setting.
Crews worked very hard and very quickly to discover full French access to the very complex system.
Most nations now know that have to fully trust who they buy from or what systems they use.