27 comments

[ 2.4 ms ] story [ 45.9 ms ] thread
> The assessment, seen by Reuters and first reported by Breaking Defense, comes just months after defense drone and software maker Anduril was awarded a $100 million to create a prototype of NGC2 with partners including Palantir, Microsoft and several smaller contractors.

> Army chief information officer and Chiulli’s supervisor, said in a statement to Reuters that the report was part of a process that helped in “triaging cybersecurity vulnerabilities” and mitigating them.

So it's a brand new prototype and this is a run of the mill cybersecurity review while it undergoes some internal testing?

A prototype doesn't have fine-grained access control. Is that pretty much the story here?
What's the issue? Everything about this is normal and expected when prototyping new capabilities for DoD.

DoD intentionally pushes hard to get testable capabilities as early as possible to shorten feedback loops, understanding that features ancillary to the capability will be limited, stubbed out, or implemented using a stopgap that you would never use in production. This will all be cleaned up in the production implementation once everyone is happy with how the capability works. Basically an agile customer development approach, similar to what is used in startups.

In my experience, the fine-grained control and security features are never implemented in the prototypes. This can be extremely fussy and slow development that isn't needed to evaluate capability. It also requires a lot of customer involvement, so they usually aren't willing to invest the time until they are satisfied that they want to move forward with the capability. The security architecture is demonstrably the kind of thing that can be mechanically added later so DoD takes the view that there is no development risk by not implementing it in the prototype.

There may be fair criticisms of the system but it looks like the article is going out of its way to mislead and misrepresent.

I don’t agree this is normal on a DoD program. You still need to get an IATO or IATT.
"We cannot control who sees what, we cannot see what users are doing, and we cannot verify that the software itself is secure," the memo says.

This is the issue right here.

In my experience, the fine-grained control and security features are never implemented in the prototypes.

Those features are the whole system. What else is there to prototype, the ability to send and receive signals in the radio spectrum? I'm pretty sure we already have that. It's the secure features that matter to the military.

it looks like the article is going out of its way to mislead and misrepresent.

Sounds like bullshit to me, and I'd extend that to most of the comments in this subthread that are just based on tropes about the media being mean and lacking technical sophistication. This is a straightforward, soberly written article that provides a reasonable summary of the information. There's no suggestion here that the memo was leaked or is classified in any way.

Is NGC2 meant to replace JTRS? Did JTRS ever actually ship broadly and replace SINCGARS?

Wow holy calamity lol JTRS never shipped. Paid a lot of mortgages though.

If mandatory access control (MAC)is the expectation and these guys haven’t built that in from the ground up, they’re going to find it very hard to bolt on later.
These are forcememed companies, unfortunately. Neither Palantir nor Anduril make a single thing that China doesn't, and neither one makes a single thing at attractive cost that would intimidate China in a conflict. They could disappear tomorrow with no impact to US military lethality.
Whoever didn't get those contracts must be unhappy. That's how I read this type of story.
I don't think that anyone with first hand intel would be in the position to safely leak what is happening at those companies or their contractors, but I have the intuition that their founders are larping more than anything else.

Nice toys. Not sure the tech has anything substantial or innovative under the hood.

Naming military technology after things in LOTR completely misses the point of the stories. Tolkien is spinning in his grave.
Raising a PR disaster for problems with iterative prototypes is how you end up with traditional defense contractors with decade-long waterfall development cycles designed for neurotic ass-covering rather than effective feature delivery.

Please don't sabotage national defense just for cheap shots at Palantir. This is the right way to develop defense tech. Make a prototype, see what works, iterate. Come on.

I thought the Department of WAR was switching over to a hacked version of Telegram Messenger for all its secure communications. If you see someone you don't know in the chat, don't worry it's probably just a journalist. Probably... (edited to add that this is based on actual events, not snark)
This is admittedly petty, but I'm getting tired of bad actors reappropriating nerd lore (LotR) for nefarious products.
I’ve directly worked in this space. This article is pure tabloid-style reporting.

It sounds like they are testing prototypes, and it’s not ready for mass fielding. Nothing new here.

Access/permissions control in military applications is VERY different when compared to the consumer or B2B space.

It takes real field testing to figure what is best for the customer needs.

Admittedly my experience of what a battlefield comms system would look like comes only from games, but I think it needs emotes, flashy red low health indicator, and microtransactions.
Doesn't matter. Go to DC and get a tour of the Pentagon. You have a 50/50 chance of seeing Palantir/DOD counterparts physically hugging and talking about eachothers personal lives. Congratulations to them, they've won the game. And congrats SV, the rest of you hang up your phones when you might be the only plausible competitor for the next bid, because you think staying away from gov protects your values. All you're doing is letting the absolute worst of companies win.
Everything has flaws. This smells like a hit piece.
‘May have flaws’ would be the accurate title but that wouldn’t get CNBC the clicks.

Crying about being unable to audit a propriety system isn’t the same thing as demonstrating that the system itself is flawed.

I'm eager to see how Barracuda fails to make any difference in attacking Russia directly! Luckey needs to be grounded, literally - just like all arrogant assholes!
Oh this is just the Israeli back door. What did you expect really?

> "The Army should treat the NGC2 prototype version as “very high risk” because of the “likelihood of an adversary gaining persistent undetectable access," wrote Gabrielle Chiulli, the Army chief technology officer authorizing official."

(comment deleted)
just give them Teams - problems solved ! :)