Windows XP is a HUGE security risk

Well, this is the end-user system on which some firmware is running. Do you know how many layers of hardware and software firewalls, VPNs and TOR tunnels are in front of this particular machine? Such systems can be compromised only if there is a traitor within the PAF; otherwise it is next to impossible to penetrate military-grade networks. You are assuming things by looking at one terminal only. Heck, we don't even know if this system is online or part of some DMZ of a sub-net of the entire PAF network.

No amount of hardware and software firewalls is enough, because this system in the end gets information from all over Pakistan. Once the kernel of the OS you are running is compromised, you can do effectively anything to it. I raised the question previously in the thread: where did they get this software from? Imagine I am an NSA analyst tasked by the CIA to put holes into Windows XP which is going to be sold to the PAF. I have access to the entire source code, including the graphics driver. I can control exactly what gets displayed and what doesn't get displayed. Combine this with the fact that you are using their routers and their firewalls as well. Combine that with a traitor who can tap into some network line. Or, as a different threat, you are using their power supply. Every single time someone starts up a device, the device causes micro-fluctuations in the input power to all other devices. If the power supply can read these micro-fluctuations, the traitor only has to connect a custom device that causes a known set of fluctuations. The possibilities are endless.

Or consider the fact that the Sep 2019 programme showed a monitor displaying a Windows desktop with WinZip software being used on computers in the Pilot Situation Room, the place where on-duty pilots sit ready to react. WinZip is made by a regular organization. RAW can pay this organization to silently take over. It can then make sure that a compromised version of WinZip ends up on PAF computers. This is amateurishness. I have known this since Sep 2019 and have kept quiet about it till now. But seeing how people are trivializing these concerns, I have to share them here.

Don't try to hide the ineptness and cluelessness of the people responsible for PAF's cyber security.
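The post above worries about a vendor-supplied installer (WinZip, a Windows build) being swapped for a tampered one somewhere between the vendor and the PAF desktop. The standard control against that specific step is to approve binaries offline, pin their digests, and refuse anything that is unlisted or does not match. The following is an added example, not code from the thread or from any project named in it; the manifest, installer bytes and file names are constructed for illustration.

```python
"""Verify software artifacts against a pinned, offline-approved manifest.

Added example, not code from the thread. Assumes an air-gapped approval
process produced APPROVED_MANIFEST (artifact name -> SHA-256 hex digest);
the artifact bytes below are constructed stand-ins for real installers.
"""
import hashlib
import hmac

# Constructed sample data: the approval board hashed the vetted installers.
GOOD_WINZIP = b"winzip-installer-v1 (constructed sample bytes)"
GOOD_PATCH = b"kb-security-update (constructed sample bytes)"

APPROVED_MANIFEST = {
    "winzip-setup.exe": hashlib.sha256(GOOD_WINZIP).hexdigest(),
    "update.msu": hashlib.sha256(GOOD_PATCH).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, manifest: dict) -> tuple:
    """Return (accepted, reason).

    Unlisted names are rejected outright (fail closed); listed names are
    accepted only if the digest matches the pinned value exactly.
    """
    pinned = manifest.get(name)
    if pinned is None:
        return False, f"{name}: not in approved manifest"
    actual = sha256_hex(data)
    # Constant-time compare: not strictly needed for hashes of public
    # files, but a harmless habit when comparing any security value.
    if not hmac.compare_digest(actual, pinned):
        return False, f"{name}: digest mismatch (got {actual[:12]}..., pinned {pinned[:12]}...)"
    return True, f"{name}: ok"


def verify_batch(artifacts: dict, manifest: dict) -> dict:
    """Map each artifact name to True (install) or False (refuse)."""
    return {name: verify_artifact(name, data, manifest)[0] for name, data in artifacts.items()}


if __name__ == "__main__":
    # A vendor-supplied installer that differs by one byte (constructed) must be refused.
    tampered = GOOD_WINZIP[:-1] + b"!"
    batch = {
        "winzip-setup.exe": tampered,
        "update.msu": GOOD_PATCH,
        "helper-tool.exe": b"never approved",
    }
    for name, data in batch.items():
        print(verify_artifact(name, data, APPROVED_MANIFEST)[1])
```

The check only catches tampering after approval: a backdoor present in the build the board itself hashed passes unchanged, which is why the manifest is only as good as the review that produced it.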
Clearly you didn't try to understand my post. In cyber security there are tens of other things which come before the kernel (presentation layer) and applications like WinZip (application layer). In order to understand how security is ensured across networks you must understand the entire OSI model and the protocols running on each of its 7 layers.

To give you an idea about it look at this picture

[image: various wireless attacks at different layers of the OSI model and the probable security]
Now you put a scenario; in that sort of scenario no system will be safe, as I also highlighted in my post. An insider attack is the most dangerous one. Not even an Ada-based Unix system will be safe against an insider attack. To overcome such problems organizations implement key-logging/scanning software. You will operate only the part of the system that is allowed as per your designated job. If you press any key, launch any application or attach any device (say a USB stick) which is not related to your work, your terminal will be halted and an inquiry will be called.

In NADRA, very strict key logging is enabled despite the fact that it is based on DB2 and Teradata (two of the most secure database management systems). A friend of mine was DB admin at the regional HQ in Lahore. I visited him in his office and asked him to show me my family tree. He looked at me perplexed and then laughed very loudly. I still remember his words: "Why! Is this your PC, that I should just run a query like that?" I was dumbfounded by his reply, but he continued: "I would lose my job. I can only run a query for which I receive a request through official channels." Then he told me everything he does on his terminal is being monitored in Islamabad. So, the point is, reaching the kernel is not that easy, and when the vulnerabilities are known they can be taken care of.

Now, if you bring in the CIA, NSA and RAW with the kind of money they have at their disposal, they can compromise a TOR-tunneled Linux, Unix and everything else. So, what is the point of this whole discussion? In that scenario only your own developed OS and applications will be secure and everything else is a threat.
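The control described in the post above (an operator may only use what the designated job requires; a key press, application launch or USB attachment outside that scope halts the terminal and triggers an inquiry) reduces to a role-based allowlist evaluated over host events. The following is an added example, not code from the thread or from NADRA or the PAF; the roles, permitted executables and log lines are constructed for illustration.

```python
"""Role-based allowlist check over terminal events.

Added example, not code from the thread. Models the control the post
describes: an operator may only use what the job requires; anything else
halts the terminal and raises an inquiry. Roles, binaries and log lines
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy: per role, the allowed executables and whether
# removable media is permitted at all.
POLICY = {
    "db_admin": {"processes": {"db2", "sqlplus", "notepad"}, "usb_allowed": False},
    "pilot_ops": {"processes": {"mission_planner", "weather_viewer"}, "usb_allowed": False},
}

# Constructed event log. Format: "<ts> user=<u> role=<r> event=<type> target=<value>"
SAMPLE_LOG = """\
2019-09-01T08:00:01 user=aamir role=db_admin event=process_start target=db2
2019-09-01T08:02:17 user=aamir role=db_admin event=process_start target=winzip
2019-09-01T08:03:40 user=aamir role=db_admin event=usb_attach target=VID_0781_PID_5567
2019-09-01T08:05:00 user=bilal role=pilot_ops event=process_start target=mission_planner
2019-09-01T08:06:12 user=bilal role=pilot_ops event=process_start target=cmd
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    role: str
    kind: str
    target: str


def parse_line(line: str) -> Event:
    """Split one constructed log line into an Event."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(ts, fields["user"], fields["role"], fields["event"], fields["target"])


def violation(ev: Event, policy=POLICY) -> Optional[str]:
    """Return a reason if the event falls outside the role's allowlist, else None.

    Unknown roles are treated as violations (fail closed).
    """
    rules = policy.get(ev.role)
    if rules is None:
        return f"unknown role {ev.role!r}"
    if ev.kind == "process_start" and ev.target not in rules["processes"]:
        return f"process {ev.target!r} not permitted for role {ev.role}"
    if ev.kind == "usb_attach" and not rules["usb_allowed"]:
        return f"removable media {ev.target!r} forbidden for role {ev.role}"
    return None


def halt_decisions(log_text: str, policy=POLICY) -> List[Tuple[str, str, str]]:
    """(timestamp, user, reason) for every event that should halt the terminal."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = violation(ev, policy)
        if reason:
            out.append((ev.ts, ev.user, reason))
    return out


if __name__ == "__main__":
    for ts, user, reason in halt_decisions(SAMPLE_LOG):
        print(f"HALT {ts} {user}: {reason}")
```

The check runs inside the monitored host's own trust domain, so it adds assurance only to the extent that the logging agent and the OS underneath it are themselves trusted; it detects a legitimate operator stepping outside policy, not a compromise of the platform that reports the events.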

This is nothing but self-delusion. There is now enough technical content in the thread for anyone to understand the nature of the threat. What do I want? Yes, I want the Pakistan armed forces to have their own custom OS, custom compiler and custom hardware, developed with security in mind.
We can agree to disagree and that's OK with me. As for a custom OS and compilers, ... recently the PAF has ventured into that territory. A Center for AI and Computing has been established. Proprietary systems will be designed and that's the only reliable solution, but an insider attack will always be a possibility. One can reduce its probability but cannot eliminate it completely.
 
The one key takeaway I have from my work experience is that there is an extreme lack of general understanding and technical competence regarding cyber threats among military circles.
All precautions taken are just surface-level jobs (not having USB ports on PCs, firewalls, etc.).
There is no understanding whatsoever of the underlying complexity of the problem and the vulnerability posed by using third-party COTS network and computing hardware. Sure enough, we cannot manufacture our own motherboards, hard drives or microprocessors. But we can venture into the manufacturing of custom, secure network hardware such as routers, switches, etc.
 
Except if they are using a custom build created after a thorough review of source code provided by Microsoft, I cannot believe Pakistan's main defence system has this junk operating system as even a tiny component:

Our armed forces should invest in creating a custom Linux distribution, where every line of source code in the kernel is thoroughly reviewed and use that as the base for all critical systems, AT LEAST.

@Horus @WebMaster @The Eagle

That's because, more often than not, the khakis or blues or whities in charge seem to have a general problem of thinking everyone else inferior, or have overblown confidence in their own abilities when it comes to these subjects. Unless you have SMEs in charge instead of some person who spent most of his life either managing troops or in subjects that have little or no relevance to the problem at hand, you will have these issues.
The SME doesn't have to be a civilian or a military man; he just needs to be an SME, which is only recently being understood a little bit by the institutions.


The US struggled with the same all the way until the 1970’s.

Even the recent understanding and consequent inclusion of SMEs in the defence establishment is merely a cosmetic move.
Real administrative, financial and technical decision-making authority still remains with the uniformed overlords. This is a seriously demotivating factor for the professional SMEs (especially for civilians). Civilians are also given contractual positions with no security of tenure beyond a specified period, and the organizations adopt a very condescending and degrading attitude towards them, treating them like lowly labourers and security threats. This results in a very poor work ethic among the civilian professionals, who have no incentive to work with devotion or professionalism.
Our defence establishment does not have the luxury of time to mend its ways. The longer this situation drags on, the more our security will be threatened.
On the cyber security front, Pakistan is waiting for a massive disaster to happen.
Preaching to the choir here.. too many egos and commissions will have to be sacrificed to get actual change in Pakistan.
 
We can agree to disagree and that's OK with me. As for a custom OS and compilers, ... recently the PAF has ventured into that territory. A Center for AI and Computing has been established. Proprietary systems will be designed and that's the only reliable solution, but an insider attack will always be a possibility. One can reduce its probability but cannot eliminate it completely.

Proprietary systems do not have to be secure.