China compromised F-35 subcontractor and forced expensive software system rewrite, academic tells MPs

The F-35 fighter jet programme’s costs were inflated after China compromised a software vendor in Lockheed Martin’s supply chain, forcing a ground-up rewrite of a potentially affected system, a policy wonk has claimed to UK Parliament. While giving evidence to a Defence Committee hearing on cyber threats to the British …

  1. Spacedinvader
    Holmes

    IoT

    In a fucking fighter jet. Didn't see that coming.

    1. John Smith 19 Gold badge
      FAIL

      Wasn't that how STUXNET was infected into the Iranian centrifuge programme?

      Turns out the US and Israel don't have a monopoly on such tactics.

      Better swords should suggest you need better shields.

    2. fidodogbreath
      Coat

      Re: IoT

      Didn't see that coming.

      Of course not. It has stealth.

    3. Snake Silver badge

      Re: IoT in a fighter jet

      I am actually not surprised, as "IoT" - that is, smart autonomous subsystems that intercommunicate - are the modern status quo of all avionics. Re: see Boeing 737Max and other scenarios, for example where they suspected a compromise of the inflight entertainment may affect the flight systems. This design has been ongoing for a long time, mostly due to allowing subcontractors to develop subsystems where interoperability is a given by sticking with the communications protocols.

  2. Mark192

    How fortuitous..

    How fortuitous that the only successful attempt to infiltrate the F-35 program was detected - what are the chances!?

    (this post may contain sarcasm)

    1. jason_derp

      Re: How fortuitous..

      "(this post may contain sarcasm)"

      I would just like to point out, on the record, that this post may have contained sarcasm, as admitted by the poster. The people in charge of postings have taken this into account and mitigated whatever factors might have led to compromization by sarcastic posting. We cannot reproduce the sarcasm or describe it specifically, either in public or in private to those with appropriate clearance, but rest assured it has been mitigated and postings will be back on track now. It was so expensive though. So much money.

      1. 9Rune5

        Re: How fortuitous..

        The part containing wire transfer information for further funding of uncompromising forum post operations, was missing from your post, suggesting that the post compromisation is still ongoing.

        (SHA-1 signature for this post: 0e974280d43pwn3d805727944dfdcb099d739e25)

      2. fidodogbreath

        Re: How fortuitous..

        You forgot to note that the sarcasm only affected a small number of users.

  3. Chris G

    Now I read

    The first Gen 6 successors to the F35 may be in the air by the 2030s, so maybe the UK can get the F35 on an 'end of line' sale price to see us out to the originally projected 2070.

    1. vtcodger Silver badge

      Re: Now I read

      "The first Gen 6 successors to the F35 may be in the air by the 2030s"

      Perhaps. I'm thinking that unmanned aircraft are getting more capable by the year. Their maneuverability should not be limited by the stresses on a human pilot. They don't need Oxygen systems. Or ejection seats. Or lots of other things that are there to accommodate the human payload. I imagine that they can be as effective as manned aircraft and considerably cheaper than manned aircraft with similar capability. Enough so that suicide tactics are cost effective. Sacrificing a $35M unmanned aircraft to take out a $70M fighter is probably a victory of sorts.

      I'm guessing that the F35 may be about the last generation of manned fighter aircraft. Not that the F-35, F-22, Su-57 and J-20 won't still be around -- maintained and flown for many decades. Just that their manned "replacements" may never get beyond the prototype and single digit serial number stage.

      1. Alan Brown Silver badge

        Re: Now I read

        "Sacrificing a $35M unmanned aircraft to take out a $70M fighter is probably a victory of sorts."

        You can buy an awful lot of $700-1200 drones for $35million. This is a scenario raised by at least one military planner

        can you shoot down 1000-10,000 semi-autonomous drones swarming the approach path to a carrier? or attempting to take out your radar systems with simple thermite loads?

        1. Anonymous Coward

          Re: Now I read

          Can you defeat these on the way to a carrier? Yes. Drone swarms are non-trivial (they'd like to bump into each other) and carrying any sort of payload would be spotted and dealt with. What's the drone range? Where would it be launched from? You could use GPS spoofing if autonomous or EW if semi-autonomous. Plus they'd likely be line of sight. Compared to an anti-ship missile, WSO could have a second biscuit with their tea, stroll down, boot up Phalanx, install the latest Windows 10 upgrades and still be happy.

          A terrorist attack on civilians on the other hand....

          1. TDog

            Re: Now I read

            With about 1500 rounds per magazine and an average engagement usage of 100 rounds per target this becomes problematical. Even if drones can be hit with an average expenditure of 10 rounds this is still only 150 drones per magazine. At less than 5 minutes per reload 1000 incoming drones would take over 20 minutes to reload sufficient rounds alone. You'd better hope those are slow drones.

          2. Alan Brown Silver badge

            Re: Now I read

            "approach path" == not in phalanx range - and in any case it's considered unsporting to shoot in the same direction as one of your own aircraft approaching for a landing

            they don't need to be fast moving if they're widely spaced and can use solar power to stay aloft indefinitely

            https://ukdefencejournal.org.uk/the-rise-of-the-drone-swarm/

            https://www.popularmechanics.com/military/research/a24494/chinese-drones-swarms/

            as for colliding, you're 10 years behind the times:

            https://www.popularmechanics.co.za/tech/intels-world-record-for-most-airborne-drones/

            https://www.suasnews.com/2016/05/43890/

            https://www.popularmechanics.com/military/weapons/a18577/isis-packing-drones-with-explosives/

            Tactical drone swarms are already a "thing" and US military research on these projects mostly went "dark" in the mid 2000s

            http://www.swarm-troopers.com/ is attempting to track this, including the virtually unlimited duration aloft swarms.

            Airspace denial is relatively easy by sheer weight of numbers - quantity has a quality all of its own - and as at least one US guided missile carrier captain has pointed out, if you have to defend against a $25k drone attack by loosing $2million worth of munitions, if he was an attacker those are odds he'd take on for the simple purpose of bankrupting the defender

        2. Anonymous Coward

          Re: Now I read

          If it was that simple it would have been done with the type of drones the military has had since the 60s - ie guided missiles, which also have the advantage of being at least 10x faster and so 10x (or more) harder to shoot down. While swarms of drones heading for a ship is a nice sci fi image, a load of propeller powered essentially model helicopters doing the low side of 3 figures mph is not going to be much of a match for something like a Phalanx even if there are 10K of them since if you can fire that many bullets a second you don't need to aim accurately, but like a shotgun just put it in the general area and the odds are you'll hit something.

          1. Alan Brown Silver badge

            Re: Now I read

            http://www.swarm-troopers.com/scenarios/

            (excerpted for those who can't be bothered to follow the link. There's even more there worth reading - and this is only the first chapter of the book itself)

            "The official response was an elaborately diplomatic refusal. The British Admiral commanding the Task Force made an unofficial but widely-reported response:

            “I’m damned if we’re going to run away from some tinpot dictator with a lot of toy aircraft.”

            The first wave of Hong Jian drones attacked just after dawn. There were over two hundred of them, and they converged from all points of the compass. They flew straight at the vulnerable parts of the ships, the radar domes, radio masts and antenna arrays. The straight lines and flat planes of the ships were simple geometric patterns that made it easy for the drones’ cameras to locate their programmed point of attack.

            Although too small to be hit by anti-aircraft missiles, many of the drones fell victim to the radar-guided 30mm Oerlikon cannon and multibarrel Phalanx guns on the British destroyers, as well as the numerous rapid-fire miniguns mounted on deck rails and manned by sailors.

            Video analysis showed that about a dozen of the attackers got through. There was virtually no damage, except for an F-35 which has been preparing for take-off on the flight deck of the HMS Queen Elizabeth. A drone had skimmed over the carrier’s deck and struck one side of the plane. The subsequent fire had been quickly brought under control and there were no casualties, but the £100m aircraft would require days of repairs before it could fly again."

            .....

            "Two hours later radar detected a second force of drones assembling to the West of similar size to the first. The drones were spaced about a hundred meters apart, forming a spherical cloud almost a kilometre across.

            When an aircraft was sent up to monitor them, the entire cloud started converging on it. The pilot flew around the swarm and watched it gradually change direction to chase him. The drones could never catch the fast jet, and the pilot shot down a couple of drones with cannon fire, but he had to be wary of flying too close to the swarm."

            ....

            "A smaller cloud of several dozen drones then appeared in a loose formation between the carrier group and the airborne F-35. They had been skimming the sea at low level and had not been appeared on radar until they were a mile or two away. They were set on ambushing the pilot as he tried to return to the HMS Queen Elizabeth. When the pilot was redirected to approach from the opposite direction, half of the drones moved to block his approach.

            The F-35’s fuel was approaching a critical level. Rather than run any risk of losing a plane for no advantage, the pilot was ordered to divert away from the carrier group and land in a neighbouring African country. The plane sped away from the swarm at four hundred miles an hour while the necessary diplomatic arrangements were made.

            Running away might look bad, but losing an aircraft would be worse, and the Admiral could always say that the plane was diverted for technical reasons. The plane might be saved, but with the increasing number of Hong Jian, now forming several swarms in all directions, it was not safe to fly from the carrier.

            Bad news was to follow: several hours after the F-35 landed, twenty drones caught up with it while it was parked on the tarmac. A film crew had just arrived to shoot a wildlife documentary, and were filming the plane and trying to interview the pilot when they spotted small drones circling overhead. The drones made several passes, apparently making sure of their target before diving en masse at the F-35. After the tenth hit the plane disappeared in a massive fireball."

            The scenario might have been science fiction in 2015, but these (and many more items discussed in the book) are the subject of a lot of military discussion and sleepless nights

            As I said, you can buy a lot of drones for the price of 1 F35 - and ships only have so much defensive ammunition

        3. Anonymous Coward

          Re: Now I read

          Could you explain a little more, please: I'm a little slow. How would "1000-10,000 semi-autonomous drones swarming the approach path to a carrier" affect a hypersonic missile approaching at, say, Mach 8?

          Especially if it approaches straight down.

          1. Anonymous Coward

            Re: Now I read

            Oh, now I see! (I said I'm a bit slow). The drones are supposed to be attacking the carrier!

            I don't think that version really needs any comment. (Although I can't help wondering where they came from).

      2. Maelstorm Bronze badge

        Re: Now I read

        Depends on what the payload is. If the UAV is packed to the max with explosives, then what you have on your hands is a manually guided missile capable of taking out a ship, SAM launch site, or any other high value military target. Considering that UAVs don't have human pilots on board, they can push high-G turns up to the limit of the airframe. Imagine one of these flying bombs flying into the open hangar of an aircraft carrier and detonating inside.

        1. TDog

          Re: Now I read

          You wouldn't take out a ship. You would get a soft kill destroying and disabling sensors and transmitters. That would be a mission kill.

        2. EvilDrSmith Silver badge

          Re: Now I read

          You mean something like the Israeli IAI loiter drone? (Harup? something like that).

          UAV with a few hours endurance, and if it sees a target it can autonomously or on command suicide into it (it's fitted with a warhead), if not, it comes home to live to die another day.

        3. Martin an gof Silver badge

          Re: Now I read

          I once read a short Sci Fi story where the guidance electronics for missiles were too expensive, or perhaps too difficult to manufacture for one of the belligerents in a decades-long war, so instead they fitted manual controls and trained up men to take the place of the electronics.

          Does anyone know where I might have read this?

          M.

          1. ian 22

            Re: Now I read

            Yes, I read the same story. Isaac Asimov? At some point meatware is cheaper than software.

          2. idv

            Re: Now I read

            Asimov, 1958, "The Feeling of Power".

            (Reprinted in Robot Dreams, which you're more likely to have read...)

            https://archive.org/stream/1958-02_IF#page/n5/mode/2up

        4. Alan Brown Silver badge

          Re: Now I read

          "If the UAV is packed to the max with explosives,"

          They don't need much explosive. A precision hit on optically recognised radar antennas or a thermite charge on a munitions dump is sufficient. All you really need to do is render the defenders blind in most cases. In the case of a ship, targetting the vulnerable rotating assembly of rotating radar heads with a thermite charge will put them out of action for days

          Big explosions are for poorly targeted devices - one of the smallest explosions I know of involved less than a gram of C4 - in a booby-trapped phone (one of hundreds deployed) pressed against the ear of a Taliban commander in 2003. Once it was confirmed he was the correct target and using the phone... *pop*

          For what it's worth: The "drone dropping a grenade on a munitions dump" scenario already happened in Georgia in 2017 and the drone attacks on facilities in Saudi Arabia were using $700 commercial devices.

          As one bad guy put it in the 1980s - "You have to defend against every attack. We only have to succeed ONCE"

      3. amanfromMars 1 Silver badge

        Re: Now I read ..... Not Another Worldly Wordy Gospel Truth ‽ .

        I imagine All Air Forces and Defence Departments are Preparing for Alien Craft with Other Worldly Resources and Sources at their Pioneering Grand AI Master Pilots' Beck and Call, vtcodger.

        The Question is whether there be a Defence Mechanism to Hinder their Progress with Highly Prized Earthly Assets?

        Does UKGBNI Secure and Protect National Cyber Force Territories/Jurisdictions/Special Operations Executive Terrain? Is the Guarantee FailSafe, Almighty Fair Fareware? .... with Advanced IntelAIgent Pre-Programming?

        Such is a Current Leader in ITs Fields of Wondrous Operation/Virtual Presentations of the Creative Processes and SMARTR AIgents Galvanising ACTivIT for/in Live Operational Virtual Environments, and as may have been alluded to/outed by Ciaran Martin ......

        “To help the discussion, I want to introduce, or arguably, reintroduce, two concepts.

        The first is cyber not just as a domain, but as an environment. It is so ubiquitous in our everyday life there is a strong case for this type of analogy.”

        How very perceptive of the Chief. Whenever Check and Checkmate, the Next Logical Steps are AWEsome Pow Wows in All the Very Best of Secure Locations, are they not? :-) ..... which is proving itself to be Worthily Considered a Prize Contender for the Only Next Almighty Logical Step Award......... with Other Directions/Proposals/Operations being Almightily Exhausting Sub-Prime Ethereal Competition

        :-) Is there a Global Difficulty in Admitting that Reality Exists, and Earth is ITs Test Bed for Live Operational Virtual Environments on Special Operations with New Fangled Entanglements in NEUKlearer HyperRadioProACTive Programs/Projects/Pogroms/Presentations in ACTive Virtual Enactments? A Most Attractive Reward for IMPertinent Drivers of Worthy Success Trawling and Trading and Trailing and Trialing Future Sterling Assets?

        Who do you know who knows ? Do they know what to do next for the best? Now is their chance to lead with some New Fangled Entanglement with Special Operations for National Cyber Force Protection. I Kid U Not.

        :-) Something for the likes of a Crowd of Dominic Cummings to deny all knowledge of and ponder on before exercising and committing to any other Attractive ACTive Available Option/Future Derivative Venture?

  4. Ribfeast

    Surely the network that is used to develop these things is air gapped? I guess not...

    1. Ashentaine

      Military projects tend to have multiple subcontractors, who also have their own subcontractors, and even those sub-subcontractors can have their own subcontractors that may not even be aware that the parts and pieces they're working on are for the military. It's nearly impossible to keep every aspect of the project in a vacuum when everything is spread out that widely.

      1. uncle sjohie

        Oh they usually do. "Dual-use" is a very important concept in those areas. Governments go as far as to classify certain types of electric motors as dual-use. It might be used by Pegatron in machines to build an iPhone, or by Boeing to maneuver a gun turret.

      2. The Oncoming Scorn Silver badge
        Pint

        International Rescue, They Only Had To Worry About Kyrano's Half Brother.

        Scott Tracy: "Well, this is the tricky part of our operation. Trying to keep everything secret."

        Jeff Tracy: "Look, Scott. We ordered each component from different aircraft corporations. None of them know what they're making. It's only when they all arrive here, that the jigsaw fits together."

        Scott Tracy: "I guess I worry too much..."

        1. Sgt_Oddball
          Trollface

          Re: International Rescue, They Only Had To Worry About Kyrano's Half Brother.

          This does work in practice and has been attempted before (only one translator was hospitalised after hearing two of the words) though obviously this requires new translation from German to Chinese..

          Not even machine translation works on it (Google translate just gives a fatal error)

          1. Fr. Ted Crilly Silver badge

            Re: International Rescue, They Only Had To Worry About Kyrano's Half Brother.

            oh yeah read this mate...

            https://www.youtube.com/watch?v=rGbe5qy5274

        2. Yet Another Anonymous coward Silver badge

          Re: International Rescue, They Only Had To Worry About Kyrano's Half Brother.

          >We ordered each component from different aircraft corporations

          Ben Rich's book on Lockheed Skunk works is full of examples of this.

          And the problems they had getting suppliers to deliver $M of parts to a PO box of an unknown company, or the times that a supplier called the FBI because some unknown company with a PO box was trying to buy cutting edge aerospace components

          1. Robert Sneddon

            Repurposing medical devices

            During WWII one of the most secret weapons developed by the Allies was the proximity fuze for anti-aircraft use and, later, land bombardment. The fuzes had delicate components inside (small valves and batteries etc.) and antenna connections to the external cap. In some theatres of operation protection for these fuzes for storage and deployment was needed, basically snug-fitting tapering plastic cones. They couldn't just put out a contract for fuze protectors due to the need for secrecy so they used a "back door" connection, so to speak, with the Johns Hopkins hospital to order five hundred thousand rectal spreaders.

            1. Martin an gof Silver badge

              Re: Repurposing medical devices

              Repurposing unrelated equipment is a great tradition. In terms of medical equipment, the standard way of waterproofing a microphone has often been a condom.

              Didn't Trevor Baylis create the prototype of his wind-up radio from a musical box and the motor from a toy car? (I think that's what Wikipedia says).

              My boss in my first "proper" job had spent some time in his youth working at a hospital in India and one of his favourite stories was his creation of a heart rate monitor (or maybe a cardiograph?) by repurposing an electric typewriter. No idea how that worked, but if anyone could do it, it would have been he.

              M.

          2. Alan Brown Silver badge

            Re: International Rescue, They Only Had To Worry About Kyrano's Half Brother.

            "Or the times that a supplier called the FBI because some unknown company with a PO box "

            In UFO, the cover story is a movie studio. Somehow I doubt that would work in real life

      3. Anonymous Coward

        Ah, yes...

        "So, Nat'ralists observe, a Flea

        Hath smaller Fleas that on him prey,

        And these have smaller yet to bite 'em,

        And so proceed ad infinitum..."

        - Dr Jonathan Swift

        https://en.wikipedia.org/wiki/Siphonaptera_(poem)

    2. Chris Tierney

      Air gap

      Do politicians assume that the F35 is effectively air-gapped on takeoff?

      1. Yet Another Anonymous coward Silver badge

        Re: Air gap

        The Chinese clones will have 5G, the British ones will use ADSL - BT openreach got the contract

  5. Anonymous Coward

    The module needed to be scrapped and re-written anyway, this just lets them blame someone else

    The old blame the hackers and bill as damages game. Standard practice, if a bit of a joke as if your house gets robbed because you didn't have a front door, billing the burglar for installing a front door would seem ludicrous. Somehow claiming fixing a lack of IT security as damages is different though?

    It's still a drop in the bucket, as most of the initial flight systems code and the ground logistics and troubleshooting software had to be scrapped and are being re-implemented. Worse, as it still can't even cover the base acceptance testing cases, the re-write may be in trouble as well.

    Slapping "Agile" on something doesn't make it agile. In this case the label is just being used to justify delay to essential systems. Funny that the article calls out MVP as "high risk" as part of that is to CONTROL risk, and prioritize delivering essential things quickly and before secondary ones. Instead the F-35 rolled out with defects in the in-flight oxygen delivery system, as yet unresolved ghosting and target duplication, and initially couldn't actually interface with most of the ordnance it was designed to fire. This is an abject failure in project management, not developer methodology.

    If we scrapped this project when it failed to meet initial acceptance testing, we'd have its successor in trials now. Instead, we still have a plane we are doing R&D on to make minimally viable in the air. They provide no expectation that it will even meet the standards set out a decade ago, a decade down the road from now.

    Unless the brain worms in our lame duck leadership tell them to cancel it out of spite, this thing will continue to sap the military budget for decades to come, all for an unreliable air frame that delivers lackluster performance, and has stealth designed to counter 15 year old radars.

    1. Anonymous Coward

      Re: The module needed to be scrapped and re-written anyway, this just lets them blame someone else

      "and has stealth designed to counter 15 year old radars."

      To be fair, this is always going to be a problem. It takes 1 or more decades to design and build a new fighter (even projects that go well), somewhat less for a new radar system.

      1. Yet Another Anonymous coward Silver badge

        Re: The module needed to be scrapped and re-written anyway, this just lets them blame someone else

        Obviously you need to invest in bigger and more expensive radar projects - then these will get later and later, giving you more time to improve the aircraft's stealthiness

  6. NoneSuch Silver badge
    FAIL

    Really?

    The F-35 was a pig in a poke long before this happened. It was over-budget at the prototype stage and has set records for hemorrhaging money since.

    1. Anonymous Coward

      Re: Really?

      A 100% successful military procurement project then. It has fulfilled the primary objective of funneling cash to companies with the best senators/congress people money can buy.

      A functional cost effective aircraft is an optional objective.

      1. Alan Brown Silver badge

        Re: Really?

        The F35 took on board the primary lesson of the F111B - which was how to avoid getting your project cancelled

      2. Anonymous Coward

        Re: Really?

        For attacking more or less defenceless nations, the F-35 is good enough.

        And it would never be used against a world-class enemy unless we were on the way to a thermonuclear exchange.

        Which, IMHO, would be a Bad Thing.

        1. Alan Brown Silver badge

          Re: Really?

          "For attacking more or less defenceless nations, the F-35 is good enough."

          For that kind of purpose a Super Tucano is more than enough and you can buy 18 of them for the price of ONE F-35

    2. Anonymous Coward

      Re: Really?

      "The F-35 was a pig in a poke long before this happened".

      Certainly some kind of pig.

      https://www.theamericanconservative.com/wp-content/uploads/2019/01/pork.jpg

      1. Anonymous Coward

        The concept scales up all the way to the top

        https://3.bp.blogspot.com/-aNMwBNFXbPA/VjvKYwpeWRI/AAAAAAAACXw/IFqXxOBJV6g/s640/CTEIc0FW4AA_dS5.jpg

  7. Brewster's Angle Grinder Silver badge
    Mushroom

    Any landing you can walk away from...

    ALL planes can come to rest on the ground. Out of the box. It doesn't need any fancy software. Getting airborne is the hard part. So clearly the MVP for avionics is the ability to take off and fly. The quality of the landing can be improved in later releases....

    1. Anonymous Coward

      Re: Any landing you can walk away from...

      On the other hand, as the old pilot's saying goes: "All take-offs are optional; landings are mandatory".

      1. ian 22

        Re: Any landing you can walk away from...

        However, keep in mind that any landing you can walk away from is a good landing.

  8. Sodbury2

    Anybody else read Ghost Fleet?

  9. vtcodger Silver badge

    I believe some of it.

    Do I believe the Chinese might compromise a software contractor? Why yes, of course I do. The Chinese are pretty good at a lot of stuff and I don't see any reason to believe they'd somehow not be good at spying.

    Do I believe that the US might find out about it? Sure, that's possible I suppose.

    Do I believe that the US government in the normal course of events would admit that the software was compromised? Of course not. Admit vulnerability and error? Does any bureaucracy do that unless the problem is clear to everyone in the universe? Ever?

    Do I believe that security is slack at some low level US defense contractors? No, actually I don't. I worked in the US military weapons world for three decades. That was a while ago, but I never, ever saw an operation that didn't take security pretty seriously or whose security wasn't monitored by the government. That doesn't mean that the security was perfect. That would be impossible. But that part of the story doesn't ring true.

    The software sucked and needed to be rewritten? I'd say that's pretty normal for complex systems.

    1. Anonymous Coward
      Childcatcher

      Re: I believe some of it.

      "Do I believe the Chinese might compromise a"

      lol, that's how we used to describe the US. Back in the day those bloody colonials would steal our hard won (*cough*) secrets and patent them locally as though that was reasonable.

      Depending on your poker face (Britain/UK) or sheer might (US) you can still call dibs or something on the international stage. China and Russia (int al) are quietly redefining what dibs actually means.

      The gloves are off in IT space and it needs to be fixed up. It is a shit fest of the worst order out there. I could quite happily point nmap or much worse (I'm CREST accredited) at your home connection with no holds barred for no reason and with little comeback (I might make it look like your child's school did it)

      1. Anonymous Coward

        Re: I believe some of it.

        The first rule about authorized hacking, is that nobody talks about authorized hacking.

      2. Alan Brown Silver badge

        Re: I believe some of it.

        "that's how we used to describe the US."

        It wasn't that long ago (50 years) that Britain was painting Japanese technology as threats to national security and forcing its trading partners to buy STC telephone exchanges instead of the far superior NEC ones they wanted to buy.

        The fact that the STCs never worked properly, took 5 years longer to deploy than the NECs and ended up costing more than 3 times as much is irrelevant, unless you work on the basis that sucking money out of your vassals makes them less independently minded (ie: economic warfare)

    2. amanfromMars 1 Silver badge
      Mushroom

      And I believe none of it.

      Do I believe that security is slack at some low level US defense contractors? No, actually I don't. I worked in the US military weapons world for three decades. That was a while ago, but I never, ever saw an operation that didn't take security pretty seriously or whose security wasn't monitored by the government. That doesn't mean that the security was perfect. That would be impossible. But that part of the story doesn't ring true. ...... vtcodger

      I cannot believe that, vtcodger, for targeting the PEBKAC is always liable to render outstanding results. Indeed, the simplicity and danger of it was very recently commented upon here on El Reg with a short video explaining/espousing the methodology effectively used .....

      amanfromMars 1 Thu 12 Nov 19:42 [2011121942] ...... being positive on https://forums.theregister.com/forum/all/2020/11/11/ciaran_martin_speech_cyber_policy/#c_4144182

      Re: Horses for Courses

      Lots of fun and games and slush funding for able intelligent players still out there, JCitizen. Indeed, some would tell you there has never ever before been as much available ..... and from sources which were not considered engaging before .......... https://govmatters.tv/trusted-capital-and-funding-technologies/

      And just like everything else ....... pay peanuts, get monkeys rules apply.

      Sub-prime humans are the weakest link attracting all manner of spooky premium attention with folding fiat aplenty to invest and disburse. And it is not as if 20/30 pieces of silver has not tempted a lost soul since money as a fake indicator of worth and wealth was invented and is anything new and not known about ...... :-) and gravely to be regarded.

      1. Alan Brown Silver badge

        Re: And I believe none of it.

        You don't even need to directly target the PEBKAC. Just track the promising academics as they go through university, then see where they go to live - you don't overly need to worry about who they're working for if they're all clustering in the same areas. Just see what their published papers were about

    3. Anonymous Coward
      Anonymous Coward

      Could be the biggest hit movie of 2021...

      "The Manchurian Subroutine".

  10. PhilipN Silver badge

    “What they were able to do we do not know”

    That’s really helpful.

    So the real news is ..... ?

    1. Anonymous Coward
      Anonymous Coward

      Re: “What they were able to do we do not know”

      The real news is:

      1. The F-35 is way late and ridiculously overpriced (which we already knew).

      2. Because CHINA.

      1. Robert Sneddon

        Re: “What they were able to do we do not know”

        The F-35 is way late.

        There are more than 500 F-35s of all variants in service with several air forces at the moment -- the USAF has about 250 of the F-35A variant alone in training, testing and operational squadrons. There are plans to build about 3,500 more F-35s over the next twenty years or so. I don't see how that makes it "late".

        1. A.P. Veening Silver badge

          Re: “What they were able to do we do not know”

          There are more than 500 F-35s of all variants in service with several air forces at the moment -- the USAF has about 250 of the F-35A variant alone in training, testing and operational squadrons. There are plans to build about 3,500 more F-35s over the next twenty years or so.

          Nice, but that describes the current and future situation.

          I don't see how that makes it "late".

          When did it enter service and when was it supposed to enter service? That difference of ten years does make it late. Add in the cost overruns and it is clear the plug should have been pulled a long time ago.

          1. Alan Brown Silver badge

            Re: “What they were able to do we do not know”

            "Add in the cost overruns and it is clear the plug should have been pulled a long time ago."

            Emphasising this: The Expensive F22 was supposed to establish air superiority and allow the Cheap and Plentiful F/A35 to go in for support work, where stealth was incidental and mainly intended to provide an element of surprise going against mopping up ground defences missed by the F22s

            The Expensive F22 got cancelled for being TOO expensive and the resulting mission creep resulted in the Cheap F35 costing more per unit than the Expensive F22 as well as being sold to allies as an air-to-air fighter it was never intended for and needed far more expensive modifications to fulfill. The airborne communications platform role came later and could be better fulfilled by a number of cheaper airframes

            http://www.mayofamily.com/RLM/txt_Clarke_Superiority.html

  11. John Smith 19 Gold badge
    Unhappy

    Letting BAe develop the radar code in C++ rather than Ada

    Cause the developers are cheaper.

    Genius plan.

    Another win from Billions Above Estimate.

    1. Anonymous Coward
      Anonymous Coward

      Re: Letting BAe develop the radar code in C++ rather than Ada

      Modern C++ (2011 onwards) is a powerful and safe (if used correctly) language so Ada doesn't quite have the advantage it used to in critical systems. Also sandboxing code safety isn't everything, otherwise it would be written in Java. Sometimes tools, execution speed, library support, binary size and the ability to find experienced devs come into play.

      1. Anonymous Coward
        Unhappy

        Re: Letting BAe develop the radar code in C++ rather than Ada

        Modern C++ (2011 onwards) is a powerful and safe (if used correctly) language so Ada doesn't quite have the advantage it used to in critical systems.

        Until you run out of heap, walk off the end of an array, call a non-static method belonging to an object that hasn't been instantiated yet etc.

        1. Anonymous Coward
          Anonymous Coward

          Re: Letting BAe develop the radar code in C++ rather than Ada

          The point is that it is much easier to use Ada correctly, because that's what it was designed for.

          Using C++ for this kind of job is like using a racing car as a school bus.

        2. TimMaher Silver badge
          Trollface

          Re: Letting BAe develop the radar code in C++ rather than Ada

          Could always use Java.

          What’s that Skippy?

          What’s an NPE?

        3. Anonymous Coward
          Anonymous Coward

          Re: Letting BAe develop the radar code in C++ rather than Ada

          No language can solve an out of memory problem so all programs will fail in that scenario whether it's a crash or just an error. C++ is no worse in that regard than any other. And bringing up walking off an array or non-instantiated object shows you know nothing about modern C++. It's not 1998 anymore.

          1. This post has been deleted by its author

        4. John Smith 19 Gold badge
          Unhappy

          "Until you run out of heap, walk off the end of an array, call a non-static method..

          ..belonging to an object that hasn't been instantiated "

          But good news.

          BAE have a coding standard for C++ in the F35.

          So of course none of their devs will do such things........

      2. Anonymous Coward
        Anonymous Coward

        Re: Letting BAe develop the radar code in C++ rather than Ada

        "Modern C++ (2011 onwards) is a powerful and safe (if used correctly) language..."

        It's that bit about "if used correctly" that has the teeth. It reminds me of something... Ah, yes:

        https://4.bp.blogspot.com/-ERGJ3cHACEE/VEpYjRWbj0I/AAAAAAAAAqc/IBNkX3uryEA/s1600/Then%2Ba%2Bmiracle%2Boccurs.jpg

    2. Anonymous Coward
      Anonymous Coward

      Re: Letting BAe develop the radar code in C++ rather than Ada

      Although, as observed many many times before, none of this matters because the flying pig will never have to fight a serious enemy.

  12. Nathar Leichoz

    Interesting dilemma

    It's an interesting dilemma how much software is used to control the fighter jet. I suppose the US already includes software whereby if the fighter jet was flying near the US and the pilot tried to drop a bomb, the software would not allow them to do it. I wonder if enemy's fighter jets also include similar software to prevent bombs being dropped in their countries?

    1. A.P. Veening Silver badge

      Re: Interesting dilemma

      I wonder if enemy's fighter jets also include similar software to prevent bombs being dropped in their countries?

      The answer to that is negative as those enemies (and most allies) can still remember clearly things like being invaded and having to retake (parts of) their own countries.

    2. Paul Smith

      Re: Interesting dilemma

      Software has been critical to performance aircraft since the F16 of the 1970s. You would think that after doing it for 50 years, they would have some re-usable components.

    3. Aitor 1

      Re: Interesting dilemma

      I would rather say backdoors on the radar and eff, etc, etc.

    4. Anonymous Coward
      Anonymous Coward

      Re: Interesting dilemma

      It's simpler, better and more cost-effective to train pilots who won't try to drop bombs on their own countries.

    5. Alan Brown Silver badge

      Re: Interesting dilemma

      Believe it or not, it's not just phones that "you own the hardware, but you don't control the device" applies to

      The USA retains the "ignition keys" to every F35 sold.

      There are rolling codes required to be entered into the flight control computers in order to start the engines and operate the avionics which are keyed to every airframe/engine serial number and are obtained upon request from the Department of State. These codes are valid for a few hours each time

      The RAF (as codevelopers of the F35 via BAE) were one of the few air forces which the US was going to sell code generators to, but those plans were axed in the early 2000s in favour of the USA retaining total control over who can fly their F35s today

  13. Chris G

    ACAS

    Can we expect a 'The Chinese Did It' statement from Boeing shortly?

    "After a long investigation into our software solutions, we have discovered the office cleaning team were a hacking outfit from China......."

    1. Anonymous Coward
      Anonymous Coward

      Only needs one small edit...

      https://uploads.disquscdn.com/images/691cc0e799654c1c8adc04fda3e94c4746f9419af94eb68b4e102c26ecb31f16.jpg?w=600&h=580

  14. Steve Graham

    No shit

    "using minimum viable product (MVP) release methods for critical items such as flight controls and weapons was an inappropriate model to follow"

  15. Anonymous Coward
    Anonymous Coward

    funny

    "Earlier he had referred to the incident as a "rumour" partially explaining "why the F-35 is so expensive.""

    Quite funny how sub-contracting, which is aimed at reducing costs, actually makes them skyrocket.

    I now know why I quit SW dev ... Too much money to crooks and nothing in my pocket.

  16. Anonymous Coward
    Anonymous Coward

    The code might still not be safe

    If you want to be really nefarious, you don't target the code itself, you target the compiler and other build tools. So even if they rewrite the code from the ground up there could still be an exploit injected. One would assume however being top notch military contractors they'd have considered this possibility... [crickets]

    1. Anonymous Coward
      Facepalm

      Re: The code might still not be safe

      If you want to be really nefarious, you don't target the code itself, you target the compiler and other build tools.

      And the chips that are made in China.

  17. Anonymous Coward
    WTF?

    Ground-up rewrite????

    The F-35 fighter jet programme’s costs were inflated after China compromised a software vendor in Lockheed Martin’s supply chain, forcing a ground-up rewrite of a potentially affected system, a policy wonk has claimed to UK Parliament.

    They don't own the source code?

  18. Turgut Kalfaoglu

    LOL, F-35 is a war machine, right? How come its software is so weak?

  19. John Smith 19 Gold badge
    Coat

    "How come its software is so weak?"

    Because its software is not written by Klingons?

  20. Tempest
    FAIL

    Why Worry About the Software When . . .

    Turkey is supposedly doing hardware maintenance on any aircraft the UK might be foolish enough to purchase.

    Turkey, the same country that now has close military relations with the Russian military and is buying Russian hardware. If the US intelligence services are worried about Trump doing deals with his knowledge of US security info, just imagine what "favourable deals" the Russians would offer in return for checking out F35's in for service in Turkey!

  21. pavel.petrman

    Imagine the mayhem...

    .. in F-35's software development effort if China somehow managed to unpublish Left-Pad.

  22. martinusher Silver badge

    Breaking Rule #1 of Embedded Development

    I'm a bit of a cynic so I tend to read between the lines. This statement hints darkly of 'potential Chinese compromising of software' but I rather suspect it was 'was found that the job was assigned to a graduate student who much to everyone's horror turned out to be Chinese'.

    I wish people would tell the truth rather than talking in spy novel terms. What this also suggests is that the F-35 has got bits of code in it that are probably about as well integrated as MCAS was in the 737-Max.

    1. Alan Brown Silver badge

      Re: Breaking Rule #1 of Embedded Development

      'was found that the job was assigned to a graduate student who much to everyone's horror turned out to be Chinese'.

      Or had a name sounding vaguely Chinese, or incorporated libraries written by someone whose name sounded that way

      IIRC "chong" has been a surname in the west of the UK for at least 400 years - where those carrying it didn't look Asian in the slightest

      Let's not forget the USA's policies of internment of both Japanese Americans (WW2) and German Americans (WW1) mostly based on surnames
