Re: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
- Subject: Re: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
- From: "Villano, Paul Mr CIV USA TRADOC" <email@hidden>
- Date: Thu, 21 Feb 2013 11:26:56 -0500
Thomas
If you reread my note you'll note that I put it in context and talked about the form factor of Ipads. The videos will probably be posted here http://www.emc.army.mil/AUSA/Default.aspx when they're done so we can all listen for ourselves. That said, the paragraph you quote was directly after the paragraph where he did mention Ipads per se. Check out the video when it's posted.
I've also requested slides but have yet to receive them or see them posted.
-----Original Message-----
From: fed-talk-bounces+paul.villano=email@hidden [mailto:fed-talk-bounces+paul.villano=email@hidden] On Behalf Of Coradeschi, Thomas J CIV USARMY PEO AMMO (US)
Sent: Thursday, February 21, 2013 11:15 AM
To: Fed-talk (email@hidden)
Subject: Re: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
Following up to myself: GEN Cone's comments are excerpted at the link below. It's important to note the context of his comments; it's not about buying iPads, at least not here. I can't find the full text of his talk online at this time.
“I don’t understand why everything I buy and bring into my house got smaller and less complicated but everything I use for Army training is bigger and more complicated,” he said. “We need to get to an ‘ipad-approach’ to things—things that are more intuitive.”
http://www.ausa.org/meetings/2013/Symposia/Pages/story1.aspx
Thomas Coradeschi
Chief, Systems Engineering & Technology Integration Div PM Maneuver Ammunition Systems
NIPR: email@hidden SIPR: email@hidden
973-724-4344 (ofc) 862-251-3089 (cell)
-----Original Message-----
From: Coradeschi, Thomas J CIV USARMY PEO AMMO (US)
Sent: Thursday, February 21, 2013 11:06 AM
To: Fed-talk (email@hidden)
Subject: RE: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
Understand the acronym (sometimes written DOTLMPF) - it is an Army FM 1-01 construct for how to develop warfighting capabilities.
Doctrine
Organization
Training
Materiel
Leader and Education
Personnel
Facilities
The iPad discussion would fall under the 4th item on the list. How the Requirement for that would be (or has been?) crafted is a TRADOC thing to do; no idea who the actual proponent would be or what C4's staff has going on in that regard.
Thomas Coradeschi
Chief, Systems Engineering & Technology Integration Div PM Maneuver Ammunition Systems
NIPR: email@hidden SIPR: email@hidden
973-724-4344 (ofc) 862-251-3089 (cell)
-----Original Message-----
From: fed-talk-bounces+thomas.j.coradeschi.civ=email@hidden [mailto:fed-talk-bounces+thomas.j.coradeschi.civ=email@hidden] On Behalf Of Link, Peter R.
Sent: Thursday, February 21, 2013 10:42 AM
To: Villano, Paul A CIV USARMY TRADOC (US)
Cc: email@hidden
Subject: Re: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
Paul,
Does DOTMLPF have documented configuration requirements available for Apple/Shawn to address? Apple devices can be extensively configured by software. If the Army demands hardware configuration/disablement, that's another story but one the Army needs to do some soul searching on since even though you get rid of the camera, someone will figure out how to attach an external one. Lock down the hardware using software controls and it's much harder to bypass the ability to even use a camera. Of course, I'm sure the Army wants a camera, microphone, wireless, and cellular at least some of the time or there's no reason to get an iPhone or iPad in the first place.
As for initiative, Shawn has continued to state "specialized" configurations are done by third-party vendors and not by Apple. I've beaten that dead horse more times than most. Someone also told me months ago that if someone actually wants something changed (e.g., policies), they will change them. BYOD is a perfect example. Five years ago nobody in their right mind would have thought any government installation would even be thinking about BYOD and now they are not only thinking about it, they are changing the policies to implement it (same with personal cell phones and computers allowed on site). I talked to a Navy friend and they do all sorts of things I don't agree with because they have to--end of story. The Army might be led to changes kicking and screaming (like me) but change is guaranteed sooner or later.
btw: it's iPad and I find it funny that it took the simplest Apple device to get government IT people to want Apple devices again. Go figure.
On Feb 21, 2013, at 5:29 AM, "Villano, Paul A CIV USARMY TRADOC (US)" <email@hidden> wrote:
> FWIW, GEN Cone said again at AUSA yesterday that he wants Ipads for Soldiers (though he probably meant Ipad-like devices). He means form factor and intuitive function. So that should give someone somewhere more initiative to fix things and make that possible, hopefully. But he also mentioned it must fit into DOTMLPF and the Army must be able to configure it as needed, which we all know is against Apple culture. So...
>
> -----Original Message-----
> From: fed-talk-bounces+paul.villano=email@hidden [mailto:fed-talk-bounces+paul.villano=email@hidden] On Behalf Of Shawn Geddis
> Sent: Wednesday, February 20, 2013 5:09 PM
> To: Link, Peter R.
> Cc: email@hidden
> Subject: Re: [Fed-Talk] …. (was: CoreCrypto / CoreCrypto Kernel now in "In - Review"(CMVP))
>
> Peter,
>
> Comments inline...
>
> On Feb 20, 2013, at 3:37 PM, "Link, Peter R." <email@hidden> wrote:
>
> Shawn,
> We know that Apple only supplies COTS devices, that's one of the problems we've had justifying any Apple device for some time. With BYOD being in vogue (and not something I personally agree with), more Apple COTS devices will be coming into government and enterprise installations. We are still required to figure out ways to properly protect them. As for laptops, we still require FDE for any device leaving our site. I don't see this changing any time soon.
>
>
> iOS Devices actually have two layers of encryption - meeting your stated requirement of FDE.
>
> - 1st Layer: Hardware Encryption (Full storage) of the device - "FDE"
> - 2nd Layer: File System Layer Encryption - "Data Protection"
>
>
> As for a perceived protection (or lack thereof), we deal with perception all the time when dealing with auditors and DAAs. Allan is attempting to go beyond the hyperbole of false protection methods, like overwritten security plans that don't protect anything, to provide the best security he can implement. I know you understand the government installation problems so this shouldn't come as a surprise to you.
>
>
> Yes, I understand the challenges you face. Hopefully, even better than you think I do. :-)
>
>
> Will Apple actually provide a custom iPhone or desktop for those installations who actually need one?
>
>
> Apple provides a single platform which directly meets the needs of millions/billions and works hard to enable third-parties to augment that with solutions that provide extra capabilities to go beyond the needs of the masses. History has shown that Apple does not make custom iPhones for a particular vertical market, but rather strives to provide a balanced platform to meet the broadest needs of all customers. The challenging and successful part is making that a truly usable system by all.
>
> The rapidly changing landscape of mobile computing, especially in the federal space, has shown that the custom/one-off solutions no longer meet the needs of organizations such as yours.
>
> The epiphany comes when organizations realize it all comes down to risk management. For example, some may now have decided that it is no longer an acceptable risk to use Java, while others feel there is a higher payback than the risk. There is no 100% guarantee, but rather managing the risk to achieve a given capability is at the core of IT's responsibility.
>
>
> Will they leave that to third-party vendors who will have to break half the devices they try to secure because of Apple's latest consumer COTS designs?
>
>
> I know and understand you are just trying to prove a point, but why would third-party vendors have to break devices? Policies are based on perceived risk and the organization's choice in how they mitigate that perceived risk. The unfortunate state of many in the IT Community is taking the same approach, requiring the same tools / approaches and expecting to both enable new capabilities and protect against issues of the past. Case in point is what was noted about the NYT Attacks and the tools used:
>
>
> http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all
> ...
> Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.
>
>
> They were following the traditional belief in requiring certain security tools. Do you think it was successful? The computing landscape today requires that IT Security individuals take a new look at their approach to protecting their data.
>
>
> Why use third-party vendors to do what Apple should include in their OS in the first place (CAC/PKI drivers to start with)?
>
> I know you've fought to include many of these things but you understand Apple's direction and are complying with it.
>
>
> Not meant as an excuse, but a statement of reality. There are always going to be times / cases where third-party solutions will be needed to add functionality that does not come with the platform from the original vendor. That is the case on all systems from servers, to desktops, to laptops to various mobile devices. That is reality. I would love to be able to offer you and every other customer support for your Smart Cards on iOS. Right now, there are players in this space that are providing you with what you need on all platforms from all vendors. You aren't getting all device capabilities from a single source - it simply isn't the case.
>
> The future can hold all kinds of opportunities, but I need to be realistic and speak with you on what is available today that you can use today to help your staff / end users meet your agency's mission. That is the most important thing that any of us can do.
>
>
> To answer your question below; yes, I am serious about Apple providing an iPhone/iPad with pre-boot authentication if that would protect all data until a user is properly logged on.
>
>
> Rather than destroy the user experience on mobile devices (phones/tablets) with pre-boot authentication, it is far superior to help developers do exactly what Allan was asking for early on -- App Developers should leverage the built-in services (available since iOS 4.0) to protect sensitive data at higher classifications. It becomes a Win-Win-Win situation without forcing old approaches to old problems on new devices with new users. :-) We are constantly noodling on how to help accelerate developers in that direction combined with approaches we can take as well. We are very much a part of that solution.
>
>
> My Mac is so messed up with all the extra "security" software DOE/NNSA requires that having an iPhone work the same way would at least mean I would be used to it.
>
>
> You're asking for a bad experience so that it is just as bad as what you have on your desktop/laptop due to the extra software required? I point you back to lessons being actively learned by people from events as recent as the NYT situation. If there are risks (perceived or actual) on a given platform, it is paramount to take the right approaches and use the right tools. Forcing old ways on new architectures does not solve the problem.
>
>
> Do I see Apple building an iPhone one way so everyone would have to have pre-boot authentication? Unfortunately, right now I do see them only building an iPhone one way and that's always going to be a problem we're going to have to figure out how to overcome while justifying mitigations to continue using Apple products. I still prefer Apple products over any other computer product but Apple could make my job a lot easier if they bent a little and helped us out.
>
>
> If Apple is not meeting your needs or those of others then Apple will need to noodle on how to do that more effectively without destroying the user experience. Solving the difficult problems in new and innovative ways is at the core of our DNA.
>
>
> The dialogue like this is important to have.
>
> - Shawn
> ________________________________________
> Shawn Geddis T (703) 264-5103
> Security Consulting Engineer C (703) 623-9329
> Apple Enterprise Division email@hidden
>
> 11921 Freedom Drive, Suite 600, Reston VA 20190-5634
>
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94551-0808
email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
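The "built-in services (available since iOS 4.0)" Shawn points developers at above are the iOS Data Protection file classes, the second of the two encryption layers he lists (hardware full-storage encryption underneath, per-file "Data Protection" on top). The following Swift is an added example written for this page; it is not code from the thread, from Apple, or from any project named in it. It assumes an iOS app sandbox (these WritingOptions and FileProtectionType values do not exist on macOS), and the file name and payload are constructed for illustration. It shows an app opting a file into the Complete class and then reading back the class actually recorded on the file, which is the check a reviewer wants when an app claims its data is "protected until the user logs on."

```swift
import Foundation

// Added example, not code from the thread or from Apple. A file written in
// the Complete class is encrypted with a per-file key that is wrapped by a
// class key derived from the user's passcode, so its contents are unreadable
// while the device is locked, independent of the always-on hardware
// encryption of the whole storage.
// Assumptions: runs inside an iOS app sandbox; file name and payload below
// are constructed for illustration.

enum ProtectedStore {
    /// Location under the app's Documents directory for a given file name.
    static func url(for name: String) throws -> URL {
        let docs = try FileManager.default.url(for: .documentDirectory,
                                               in: .userDomainMask,
                                               appropriateFor: nil,
                                               create: true)
        return docs.appendingPathComponent(name)
    }

    /// Write `data` in the Complete class. `.atomic` avoids a torn file if the
    /// write is interrupted; the protection class is applied to the final file.
    @discardableResult
    static func writeComplete(_ data: Data, name: String) throws -> URL {
        let target = try url(for: name)
        try data.write(to: target, options: [.atomic, .completeFileProtection])
        return target
    }

    /// Read the class actually recorded on the file rather than trusting that
    /// the write option took effect: a file copied or re-created by other code
    /// can silently end up in a weaker class.
    static func protectionClass(of target: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: target.path)
        guard let raw = attrs[.protectionKey] as? String else { return nil }
        return FileProtectionType(rawValue: raw)
    }

    /// Downgrade check: true only if the file is still in the Complete class.
    static func isFullyProtected(_ target: URL) throws -> Bool {
        return try protectionClass(of: target) == .complete
    }

    /// Read back. While the device is locked the class key has been evicted
    /// and this throws, so callers (a background fetch, for example) must
    /// handle that instead of assuming the data is always available.
    static func read(name: String) throws -> Data {
        return try Data(contentsOf: url(for: name))
    }
}

// Constructed sample payload for illustration.
let sample = Data("sensitive-record-0001".utf8)
do {
    let file = try ProtectedStore.writeComplete(sample, name: "record.bin")
    let cls = try ProtectedStore.protectionClass(of: file)?.rawValue ?? "unknown"
    print("protection class:", cls)
    print("fully protected:", try ProtectedStore.isFullyProtected(file))
    print("round trip ok:", try ProtectedStore.read(name: "record.bin") == sample)
} catch {
    print("data protection error:", error)
}
```

Two caveats for anyone assessing an app against this. Files an app never explicitly classifies do not get the Complete class, so the attribute check above, not the presence of hardware encryption, is what tells you whether a given file is unreadable on a locked, powered-on device. Credentials and keys belong in the keychain with the matching accessibility class (kSecAttrAccessibleWhenUnlockedThisDeviceOnly), which additionally keeps them out of backups to other devices.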