
posted by martyb on Wednesday June 28 2017, @01:07PM
from the tried-and-tested dept.

Recently launched and not yet operational, the HMS Queen Elizabeth's computers are running Windows XP.

The ship's officers defend this, claiming that the ship is secure, but the phrasing of their comments suggests that they really don't have a clue:
"It's not the system itself, of course, that's vulnerable, it's the security that surrounds it."
So the security is vulnerable?

"I want to reassure you about Queen Elizabeth, the security around its computer system is properly protected and we don't have any vulnerability on that particular score."

Apparently, where you buy your computers makes Windows XP more secure:
"The ship is well designed and there has been a very, very stringent procurement train that has ensured we are less susceptible to cyber than most."

He added: "We are a very sanitised procurement train. I would say, compared to the NHS buying computers off the shelf, we are probably better than that. If you think more Nasa and less NHS you are probably in the right place."

Didn't they learn from recent events how even air-gapped computers can be compromised?

Also covered at The Register, The Times, and The Guardian.


  • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 28 2017, @01:20PM (11 children)

    by Anonymous Coward on Wednesday June 28 2017, @01:20PM (#532418)

    What could go wrong?

    I realize that for some reason (cough *kickbacks* cough) they chose Windows, but couldn't they use something that was a little more current? Windows 7 was released eight years ago. Surely they had enough time during the years of planning and construction of this ship to figure out how to use an OS released within the last decade.

  • (Score: 4, Informative) by KGIII on Wednesday June 28 2017, @02:57PM (10 children)

    by KGIII (5261) on Wednesday June 28 2017, @02:57PM (#532474) Journal

    Security is a process, not an application.

    XP can be kept in a secure(ish) condition, like any other OS. No OS is completely secure. No computer is completely secure - assuming it can be powered on.

    I have minimal skills but, if allowed physical access - for example, I own your system, unless you've taken rather robust precautions.

    With security, there's a trade-off between it and usability. I used to take a subset of my employees to Defcon. It's absolutely amazing to see how little security is in place and how trivial it is to bypass many of the things they have in place. There's no such thing as a secure system. However, there are some that are really, really close to it. I have no idea if this is one such case, but it isn't impossible to make XP as secure as any other OS. You control ingress and egress on the network, you control physical access, and you give limited permissions.

    --
    "So long and thanks for all the fish."
    • (Score: 2) by ikanreed on Wednesday June 28 2017, @03:49PM (1 child)

      by ikanreed (3164) Subscriber Badge on Wednesday June 28 2017, @03:49PM (#532493) Journal

      I mean, let's be honest, the computer systems are probably all hard airgapped, from basically any attack vector that doesn't have direct physical access to the hardware. Military contractors might be corrupt shitbags, but they probably still have engineers somewhere in their orgs.

      • (Score: 1, Informative) by Anonymous Coward on Thursday June 29 2017, @02:05AM

        by Anonymous Coward on Thursday June 29 2017, @02:05AM (#532760)

        Doesn't help when there is a keyboard.

        The US Navy's "Smart Ship" program used Windoze last century.
        They had ridiculous failures.
        Testbed Gets An F-Minus [googleusercontent.com] (orig) [wired.com]
        N.B. "stalled in port" is not the story that is typically told.

        "system failures had required Yorktown to be towed back to port several times" is the usual narrative.
        A guy typed in a bad number on ONE MACHINE and it TOOK DOWN THE WHOLE NETWORK.
        "Dead in the water" [googleusercontent.com] (orig) [wikipedia.org]

        The Royal Navy could have decided to use FOSS back in 2004 when this choice was being made--after USA's humiliating failures.
        ...but Noooo.
        Windows for Warships [google.com]

        ...and as c0lo notes below, this isn't even the software that will be running on the thing when it becomes operational.
        (I also read that, days ago, at El Reg.)
        So, they're wasting time and money testing something that won't even be used.
        ...and MICROS~1 junk at that.
        ...and OBSOLETE MICROS~1 junk on top of that.
        What a complete farce.

        -- OriginalOwner_ [soylentnews.org]

    • (Score: 5, Insightful) by i286NiNJA on Wednesday June 28 2017, @04:00PM

      by i286NiNJA (2768) on Wednesday June 28 2017, @04:00PM (#532497)

      This is a long argument in defense of a statement that uses "our cyber". You can safely assume that everyone involved in this project is a fucking moron.
      The cooler someone feels about the word "cyber" the more of a fraud and outsider they are. It's a good quick and effective rule of thumb.

    • (Score: 0) by Anonymous Coward on Wednesday June 28 2017, @04:57PM

      by Anonymous Coward on Wednesday June 28 2017, @04:57PM (#532522)

      It should simply be illegal for the government to use proprietary software. It's extremely bad for the government to be dependent upon a particular entity to develop a piece of software that they rely on; they should be able to hire anyone to develop it, and only free software gives them that option. Governments should also encourage education and self-reliance, and clearly depending on the goodwill of proprietary slavers does neither of those things.

    • (Score: 2) by NewNic on Wednesday June 28 2017, @07:27PM (3 children)

      by NewNic (6420) on Wednesday June 28 2017, @07:27PM (#532587) Journal

      but it isn't impossible to make XP as secure as any other OS.

      This is false. Newer OSes have protection against attacks that will minimize or prevent an intrusion through a vulnerability. DEP, ASLR, SEHOP, etc.

      --
      lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
      • (Score: 2) by KGIII on Wednesday June 28 2017, @08:25PM (2 children)

        by KGIII (5261) on Wednesday June 28 2017, @08:25PM (#532615) Journal

        Not an issue so long as you control it. The same methods apply to all of them.

        One exception, user access control. Pre-XP Windows will be less secure by default, as everyone is an administrator.

        It all boils down to access, physical and networked.

        --
        "So long and thanks for all the fish."
        • (Score: 2) by NewNic on Wednesday June 28 2017, @08:56PM (1 child)

          by NewNic (6420) on Wednesday June 28 2017, @08:56PM (#532636) Journal

          Not an issue so long as you control it. The same methods apply to all of them.

          No, the same kernel-level protections do not apply to XP.

          Someone once said something about this:

          Security is a process, not an application.

          I wonder who?

          --
          lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
          • (Score: 3, Interesting) by KGIII on Wednesday June 28 2017, @11:23PM

            by KGIII (5261) on Wednesday June 28 2017, @11:23PM (#532688) Journal

            Me. You're overlooking the basics. You can make XP as secure as any other OS. It even has the built-in mechanisms.

            This means controlling who has physical access and ensuring the data in and out are controlled. You may think that a more modern OS is somehow more secure but it really isn't. The biggest security risks are in the chair.

            Yes, newer OSes have greater protection. No, that doesn't matter - if your goal is security. If you want secure, the user can't install anything. If you want secure, every packet is inspected and routed to only specific addresses. If you want secure, the actual computer is behind a locked door. If you want secure, the user can neither plug in anything nor change a single setting.

            Anything less, is not secure. The root OS is insignificant, provided it has user access controls. A newer OS will provide you with greater security without doing those things. That is irrelevant. Without doing those things, you are inherently insecure.

            Thus, as I have said; security is a process, not an application.

            If you're curious, I used to employ people who gave talks at Defcon and have worked in secure environments with clearance. You can make XP as secure as you can 7, 8.1, 10, or even any flavor of Linux. If I can physically access your system, I own it - and you will not be any wiser for it. Do not let that happen, if security is your goal. If I have time to send malformed packets, I'm going to smash my way out of your virtualization and have escalated privileges. ASR? Chances are, your RAM is pretty well occupied, all I need to do is hop the stack and I now have access to control the memory.

            And I'm not even a security professional. However, I've employed a whole lot of them. I've also dabbled quite a bit, but have no formal training.

            Once again, control access and you can make XP as secure as 10. By thinking that 10 is more secure than it is, you open yourself up to a world of hurt. It is not if, but when, your data will leave your control. If you want secure, control access - physically and via the network, preferably air gapped. Anything less and you're largely playing a game of chance.

            --
            "So long and thanks for all the fish."
    • (Score: 0) by Anonymous Coward on Wednesday June 28 2017, @08:33PM (1 child)

      by Anonymous Coward on Wednesday June 28 2017, @08:33PM (#532622)

      Parent post describes the situation exactly. Unfortunately, cue the drooling security blanket hugging consumertards who only believe what Twitter tells them to believe. "Oh noes, Windoze XP is insecure because an advertisement told me so! And it's oooooollld, and anything old must die! Because they said so on TV!"

      Anyone who thinks it is impossible to secure older systems needs to go stare at some bright blue LEDs until their heads melt, assuming they aren't already.

      • (Score: 2) by HiThere on Wednesday June 28 2017, @09:12PM

        by HiThere (866) Subscriber Badge on Wednesday June 28 2017, @09:12PM (#532648) Journal

        E.g., the most secure system I know of in current use runs a copy of MSWindows 95A without the extensions. Of course, it has no network access...

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.