Grad Student's Work Reveals National Infrastructure 662
CodeHog writes "The WP reports about a student working on a PhD and how it relates to national (US) security. Very interesting that he has been able to get all this information. It raises some very challenging questions, should some of this information be classified?"
You all have to decide (Score:4, Insightful)
You're either "land of the free", or you are not. So either live up to the hype, or change the tagline. Can't have it both ways, with a closed society fueled on fear, claming to be "free".
[jole]
This guy is stoked, no more degree necessary (Score:5, Insightful)
I'd tell 'em to classify it all they want, just looks BETTER on the resume...
Finding information is not difficult... (Score:5, Insightful)
Article in Science Daily [sciencedaily.com]
Plus, someone with the same email address has posts in rec.sports.rowing...
The bottom line is that if you know where to look, you can find out lots of stuff. Classifying this guy's dissertation isn't going to prevent someone else (from anywhere on the planet) using the same tools he did to do the same things he did.
We either have to control all information (hello, Mr. Orwell!) or accept that information can't be controlled and plan accordingly. It's been said many times before, but security through obsucrity just doesn't work.
How is this.. (Score:0, Insightful)
And incidentally, this could be a good thing for Linux. An entire country operating on a single flavor of Windows, is the perfect recipe for disaster.
Information wants to be free (Score:4, Insightful)
People who claim this information is a security risk are looking at things the wrong way round.
What I REALLY want to know... (Score:5, Insightful)
On a more serious note, I think his work is great. While it certainly has serious security implications, it could also be used by ISPs, telcos, power companies, etc. to disseminate information on outages and/or find the root causes of problems.
Ah, well... I suppose we'll never see the results... but I do hope he gets his PhD.
What good would classifying this do? (Score:5, Insightful)
should some of this information be classified? (Score:5, Insightful)
Those who would exploit it for ill already have the data, or can easily obtain it. Classsifying the data now would only hide it from those with reasonable use; and would allow for mistakes or security lapses to be covered up.
If you don't think authorities - whomever they might be - won't abuse the privlege of 'classifying' data, then you have some big surprises in store...
Yes but... (Score:5, Insightful)
Same as a bomb really, component parts are pretty common; chemicals, circuitry. It's about knowing how to connect stuff together to make it a bomb. 9/11 was flying lessons, plane timetables, GPS and box cutters. Each on their own is pretty harmless until you join the dots...
Same with information, connected together in the right way, it's just as dangerous. Ask the CIA or any intelligence agency...
Sigh. (Score:5, Insightful)
Of course if we classified everything like this no one would have a road map to destruction. But they could still poison the water supply, blow up buildings and cause untold grief. They could still locate some of the bottlenecks themselves and exploit them.
Like so many things the government/corporations seek to classify, the real people they don't want to know are the ordinary people. It puts me in mind of the many "the area bombed last night is classified...we don't want to give the enemy important information" remarks we see. Like the enemy doesn't know they were bombed...
Use it, don't fear it (Score:5, Insightful)
Gorman's work and the access he used is vital - if I'm paying for two links that should be separate, I need to know that I can really check that we have separated physical facilities.
There are a lot more backhoe operators than terrorists - and historically, the chances of a backhoe impact on infrastructure are pretty high.
Guarantees of security (Score:5, Insightful)
Could you imagine if the locations of communications infrastructure were classified? Would you need clearance to set up a node? Would you need to pay to have every line technicican get a full background check? This reminds me of the reaction of "security" people when they see WHOIS entries for their companies for the first time. Their foreheads are usually bruised for weeks because of the knee jerking. The first thing they want to do is take it down. They forget that a certain level of openness is neccesary for a system that benefits everyone.
The whole point of a privatised distributed communications infrastructure is that a terrorist or enemy state cannot cripple the entire thing. Now if the people at banks and government insititutions have not done a good job of ensuring redundancy and disaster recovery then it's their own fault. The solution is to fix it, not suppress information about it.
Obviously, no one recommends mailing al-qaeda a copy of the telecom/data infrastructure, but this exposes a major flaw with what's going on and we would be foolish to ignore it or suppress it.
Re:Information wants to be free (Score:3, Insightful)
Also, the gov't witholds certain information for our own safty. You don't want people panic'd and making situations worse. It doesn't justify keeping all information classified, but it does justify keeping some of it.
Duh. (Score:5, Insightful)
"This is why CEOs of major power companies don't sleep well these days," [CEO of power co. Pepco Holdings] Derrick said, flattening the pages with his fist. "Why in the world have we been so stupid as a country to have all this information in the public domain? Does that openness still make sense? It sure as hell doesn't to me."
Because security through obscurity is just as brainless an alternative for the physical infrastructure as it is for virtual infrastructure.
Hiding things doesn't make them safe. It makes them safe until found. With the added bonus of fostering the kind of clandestine, repressive, bitter societal climate that our govnt seems bent on pursuing these days.
You want to protect something? 1) Make it less desirable as a target (i.e. take away people's reasons for attacking in the first place). 2) Build in redundancies to dilute vulnerability. 3) Monitor, patrol, survey in an open and visible manner
Re:You all have to decide (Score:5, Insightful)
Then why not classify maps, GPS and meteo data? (Score:2, Insightful)
Problem is in the "human rights" department... everybody with a brain can use it [information] to do good or to wreak havoc.
Any democracy is far more exposed to terrorist acts than any totalitarian regime, and there's a cause-and-effect link between them.
YES, you could sacrifice all possible "public information" to the altar of "national security", but then where's the all-so-praised democracy and freedom of information ???
So we end up again and again to the same dillema: what is the treshold between democracy and a police state?
That "kid" was just exposing weaknesses. IF you were to classify something, you should classify the INFORMATION that he gathered to reach a result in his research, not clasify his research's result! This is as stupid as classifying (for instance) the formula of gunpowder and leaving all other informations about chemical reactions available to everybody!
That being said, would you rather live in a "safe and steril" or in a "free but slightly dangerous" environment ?
paranoia (Score:5, Insightful)
Since 2000 about 3,000 people have died in terrorist attacks. About 175,000 have died in car accidents. About what should we be worried?
Re:You all have to decide (Score:2, Insightful)
Re:Finding information is not difficult... (Score:5, Insightful)
Security through obscurity alone doesn't work, but that doesn't mean that obscurity isn't important too. It's not like the fiber connections to the New York Stock Exchange run through a box on the street with an "off" lever. They're underground. But that doesn't mean the NYSE should put the exact location on their web site.
If you look at how the military handles classified information you'll note that in order to access information you need both the proper clearance and the "need to know". That means that just because you have a top secret clearance because you work on stealth fighters doesn't mean you get to see the top secret photos of North Korea's nuclear reactors. You have the proper clearance, but you don't have the need to know.
The main issue isn't (or shouldn't be) about classifying this guy's thesis. The issue is why all this imformation was so freely availble in the first place and whether power companies, telecoms, etc. should look at restricting access to certain types of data.
Infrastructure is made of people (Score:5, Insightful)
Killing people causes terror, because nobody wants to get killed. Cutting off infrastructure causes annoyance, because it happens regularly already. And when it happens, people will get by like they always have.
Re:No Link (Score:5, Insightful)
I think you failed to notice the joke....
Re:should some of this information be classified? (Score:4, Insightful)
Exactly. Should we make flying lessons only for military pilots? Wasn't that what Bin Laden had his militants use when they attacked us?
We are so afraid of this high level of technology being used against us yet the terrorists are using what we consider to be the lowest common denominator to hurt us.
They could have found explosives on the web, or in books, or talked to experts in person, but instead they took flying lessons...
So now we are going to ban research, prosecute those that use encryption, and FUD our children to death in schools over this crap.
Great, soon the kids will be hiding under desks because the Turtle on the DVD said it would protect them from the terrorists...
Just think about it.
Re:Not all evil (Score:5, Insightful)
Instead of hiding this info for "national security" reasons, these maps should be analyzed to death by a program to find and eliminate these kind of problems, or at the very least let companies understand and anticipate these risks.
It is not a threat (Score:4, Insightful)
For those who think this is bad, look at the old soviet union. Even for all their hard security (which seems to be the direction that we are headed), we knew most of their soft spots. So even if we truely implement the same society that Soviet Union had, we would still be a main target. Any time you have fixed assets, it is a target. period.
There's a difference... (Score:5, Insightful)
From most of the comments so far, it appears the majority of people seem to think that this guy's PhD took about as long to compile as mapping a route from coast to coast with MapQuest. Hello? I imagine there was quite a bit of work put into compiling this information, and that not just anyone would have the time, persistence or devotion to duplicate the complilation. So yes, there is a HUGE difference between the information being available scattered across the 'net and having it all compiled, cross referenced and searchable in one easily downloaded program.
And IMHO, you most definitely can had a compilation of 100% publicly available information be classified as a threat to national security.
And personally, I don't believe there is a "publicly beneficial" use for this info in its compiled form that couldn't be easily be satisfied with the publicly available pieces - if a link is severed, you only need the info for the area of the problem (where the tornado hit, for example), not for the whole country. And the utilities that would be effected and responsible for the repairs would have the info they need anyhow.
I think the biggest value to the public of this information is the fact that it exists and that this can be done. The information itself is only important to those who would protect it or exploit it.
Classified in the aggregate (Score:4, Insightful)
Yes, anyone with the time and resources can duplicate the effort, but they'd have to duplicate the effort, and expend the resources. And that's the point. It's not a guarantee that the information will not be collected by adversaries, but there's no point in making it any easier to hand it over to them either.
Too Many Secrets (Score:5, Insightful)
So what if I know where the local 500KV transformer yard is located over the 3rd hill on the left, who in their right mind would want to damage it? Then we realized how many people in the world really aren't in their right minds... I'm not complaining that this data should be bottled up again; what was really lacking was the chain of custody of who accessed the data, and for what purpose.
Re:This guy is stoked, no more degree necessary (Score:5, Insightful)
I know PLENTY of Professors that were interested in Academia because they enjoyed research and teaching not because of the "high-paying" jobs they had after getting their PhD.
He's worked hard on his research and doesn't want it to get seen by him, his professor, and a few miscellaneous others. He wants to be proud and publish his results...
You are making his work seem trivial and it's not.
Re:You all have to decide (Score:5, Insightful)
That's a huge oversimplification. I wouldn't even respond to such a troll had some ill-informed moderators not decided to mod it up to a 5 and make it the first comment on the page.
Ideally, information becomes classified when the benefits of the information being publicly available are less than the dangers of that availability. Here at the university where I work, when I need to get a list of students in my department, I can't just call up and request it. I have to be authorized to have it. In that case, the extra day it takes to get the information is justified because we don't want just anybody to have access to that sort of information.
On the flip side, we have the Freedom of Information Act. It has been decided that certain information should be available to the public without such restrictions. In this case, the public benefit outweighs the negative aspects of the FOIA.
To suggest that the "land of the free" entails zero security is simply ignorant.
My cynical nature prevents me from getting excited (Score:5, Insightful)
The smartest thing they could do, is use his information and go through each weakness and look to secure it as much as possible. Many of them may look at that as cost prohibitive and just try to obsure the information and hope no one finds it.
Why not fix our real weak spot? (Score:5, Insightful)
An open, friendly society breeds safety simply by virtue of not pissing so many people off to the point where they want to do unsafe things. On the other hand, greed, power-lust and secrecy just breeds more conflict. With less secrecy, greed and power-lust become a lot more difficult to hide, and therefore more difficult to perpetrate. This information, as well as so much more, should be out in the open.
Besides, if he got it, it already is, as has been pointed out.
Symptoms vs. Cause (Score:3, Insightful)
Re:For the record (Score:2, Insightful)
Coward.
If you have neither the courage nor the resolve to live in a free society, then leave; you have that freedom here. Move to China, or to North Korea.
Thinking like this revolves around the idea that the government is a nice warm cuddly blanket of security that will protect you from all those meanies out there. Real world? Government security blankets choke off your air supply until you're barely breathing - just enough to keep you alive. The government is either a tool of the people, or it is the Master of the people. Your choice of the latter is disturbing. The job of a free government is not to protect people, but to organize people to protect themselves.
The problem... (Score:5, Insightful)
If you've got an imagination, try thinking about what you would do if you were a terrorist. If you really wanted to create havoc, you wouldn't necessarily do it by stuff like cutting communications cables. What you would want to do is make the man on the street afraid to do basic everyday things. I've thought about it a bit (let me emphasise - just as an entertaining mental exercise!) and I think there are things that a single person or small group could do that would cause chaos in a big city. And they are things that don't require access to any particular technology. Relatively simple things. But I'm not going to post those types of ideas on a public forum like this.
If there is one thing that September 11th should have taught us it is that terrorists don't need access to fancy technology. People are maybe going to slam me down for this, but I beleive one of the main abilities of an effective terrorist is a good imagination and - to use a cliche - the ability to think "outside the box".
So what's my point? My point is that passing laws and banning things (and invading countries and dropping bombs) isn't the best way to combat terrorism.
Terrorism is a symptom of a disease. You can try to combat the symptom, but it will never be cured if the disease is not cured. I always thought that they way Tony Blair and the rest of them tackled the Northern Ireland situation was very sensible. They did not take the easy route - the easy route is to say "we will not be influenced by terrorists", and "shoot to kill" - that was Thatchers approach. It didn't work. More recently, the actual disease has been tackled rather than the symptoms, and although there isn't peace in N.Ireland yet, things are much better now than they were a decade or so ago.
I'm afraid that Bush is taking the "hard man" approach to terrorism like Thatcher did. I'm afraid that the war on terrorism is going to be a very long one.
Re:You all have to decide (Score:3, Insightful)
New tools; dangerous applications; societal costs (Score:2, Insightful)
Plastic freezes polycarbons for generations in landfills.
Internal combustion engines have shaped our landscape and controlled the structure of our society in many ways.
Power lines? deep cell protein denaturalization? Neuron deformation? who knows (nobody wants to find out-- too costly at this time)
very few swords of science have one edge.
name me one that doesn't, eh?
Any massive collection of data has this potential (Score:2, Insightful)
But if you had wide-reaching data on any system/infrastructure you could see its vulnerabilities. For example, just using Rand McNally or some equivalent you could determine what locations on what highways would need to be blocked in some way in order to completely paralyze those in a nearby area from leaving/escaping. Then from this collection choose the one with the most populated area in the center, combined with some form of attack -- voila you've just wreaked more havoc than any attack could alone with a few staged accidents, spills, etc using only Rand McNally to guide you.
Just look at your surroundings (Score:5, Insightful)
For instance, I worked in one somewhat secure facility that requires ID bages with magnetic stripes to get in and out.
Only thing is, they had one door to the facility that didn't have a card reader attached to it. It was for the union guys that worked in the shop, who according to contract, could not be required to swipe an ID badge.
Which is fine, because to get into any place but the shop you have to have a card swipe anyway.
Only thing is, the doors between the shop and the badge-secured office area were kept open more often than not. And even if they weren't there was one interior door that you could use to access the service tunnel that wasn't carded either.
So you could walk into the service tunnel. Once there, you could get into the badge-coded office area because the doors near the elevator that takes you to the office area had to be kept open for ADA compliance (a wheelchair user couldn't be expected to swipe their card and open the door, apparently)
So once in the elevator, you were free and clear. You just got in the building without a single card swipe. And though there are cameras, anyone walking around with anything that looked *close* to the visible badges around their neck/clipped to their lapel, etc. were ignored.
I simply observed my surroundings and in less than a day of working there, I knew how to get in and out of the facility without going through security. Even if I left my security pass at home, I could get in and out, no problem. I've noticed similar scenarios in hospitals or banks other places where tight security is supposed to be the rule but the people working there just don't think this stuff through.
Re:Pff... I don't know why this is so interesting. (Score:3, Insightful)
Similar things have not been done -- Mapquest doesn't offer anything like this. Sat images don't give this information, and this isn't at all about "getting from Point A to the mall". Nor does it have anything to do with business or marketing, excepting that the entirety of our economy is now dependant upon this seemingly irrelevant infrastructure.
The point is that -- it maps out the infrastructure. Are you going to want to go to the mall if it has no power? Or maybe no inventory, because the power and data lines have been cut to the suppliers? Of course, that presumes you even have gas for the car -- those gas pumps won't do much without power. And while you can still move trucks on the freeway, the supply chain is now totally dependant on computer interaction to indicate when stations need more fuel. It used to be that the data flow was via sat, but it's now done through DSL for stations in major metro areas. Of course, it may be difficult to pay for the gas -- the ATMs won't be able to dispense cash without network access. Your credit cards won't work either - that whole network thing again.
No, you don't need to know the infrastructure. That's the whole point afterall. But other people do -- either for disaster planning (and I'm not talking terrorists here... tornados, earthquakes, floods, and other natural occurances can be enough of a problem), city planning, or other uses. And, yes, there are national security concerns here, but the answer isn't to bury the research -- it's to utilize the research. Use the maps to show where the points of vulnerability are and then diversify them. Build backups and redundancy into the system. Don't ostritch on the problem. No, it's not cheap. And in many cases it's not easy, particularly when faced with natural obstacles like rivers and mountains. But it's doable and necessary.
Re:You all have to decide (Score:2, Insightful)
Re:You all have to decide (Score:5, Insightful)
Your ideal is that we classify when the benefits of information being available are less than the dangers. Who exactly makes this determination? What subject matters are subject to this?
When we deal with information that is dangerous by "hiding" it, what we really do is shift resources away from solving the underlying vulnerability. Sometimes the vulnerability isn't solvable, but much of the time it is.
With Gorman's work, he is highlighting choke points in the infrastructure. Would the rational response to this situation not be to diversify off those choke points? We should identify key weaknesses with this kind of research then solve them. We should not simply hide the information.
First principles also apply here: I find myself somewhat in agreement with one poster who indicated that we should quit "stomping" around the world creating enemies. It is far easier to defend against an enemy you do not have.
FOIA and classification are unrelated. FOIA is generally used to punch holes through government bureaucracy; to get at information that should be available to the public but is obscured by red tape. Classification contains information that should not be available to the public. Some FOIA requests come back redacted for security reasons.
It is far too easy for an administration to simply designate information as confidential. Such designations can and are used to avoid information release that would be politically senstivie. The bar is too low.
As with so many other things, it comes down to "who decides"...
Re:Classified Military info and Novels (Score:3, Insightful)
I saw Tom Clancy's interview on C-SPAN, he said he gets most of his info from the local library. He's been offered consulting jobs by the whitehouse but refuses them because if he had a secret clearance he could no longer divulge info in the public domain since it's all classified.
I had a prof. that once got in hot water because he didn't return a book to the safe at the end of the day, but left it on his desk. He said all it contained was stuff he learned in his freshman year in engineering. (Pressure tables and the like.)
Personally, I think everything should be declassified by default after 5-10 years unless a civil servant expert reads it and renews the classification. It really hinders historical research and political analysis if you don't know who knew what when, it's not like you can keep physics secret. The assasination, overthrow crap isn't really a secret once you've done it. I for one would like to know what the thought process was when we installed Pinochet or why Bush Sr. gave all those weapons to the terrorists in direct contradiction of the law. Was there something we didn't know, was it for personal financial gain, or was it political maneuvering? You could release the info but give retired assasins code names, or just blank them out if they are still in the field. Code names are better because you could see if someone had a personal agenda.
Re:Information wants to be free (Score:4, Insightful)
Citizens of the U.S. long ago learned to take freedom for granted. 9/11 was a slap in the face. Nothing upsets people more than showing them the error of their ways, in this instance complacency. The knee-jerk reaction seems to be "The government is taking care of it, and they're the United States government so I'm sure whatever they're doing must be okay
One of the great things about being a U.S. citizen is supposedly that we don't have to much care or think about our government except to bitch and complain at tax time. The current administration is using that to do what I personally consider some very unAmerican things.
Again, it's not whether things are kept secret, it's what is kept secret. As an example look at how the Bush administration is fighting any requests that they disclose how they've made use of the PATRIOT Act. Look at how the PATRIOT was pushed through Congress without having even been READ by most of those voting (some in MY name) to pass it. Look at how Ashcroft has said, regarding the Freedom Of Information Act, "Try to find a way NOT to give them anything," instead of "Try to find the least worst way to give them what they want."
The current adminstration thrives on obscurity and strongly resists any call for transparency. Apparently we, the people, the unwashed masses, either cannot handle or are too stupid to benefit from disclosure.
Ironic (Score:3, Insightful)
So it's a little bit funny that Sean Gorman has apparently compiled and mined a big database full of information on corporations and government, and that it scares the pants off them. I'd like to think that in the long run, Gorman's work might inspire some hard thinking on how and when databases can be compiled and combined, and this might eventually lead to greater protection for both our national security AND individual privacy.
Obligatory Sept. 11 quote (Score:5, Insightful)
In this post-September 11th world, I'm getting REALLY sick of that phrase.
Re:You all have to decide (Score:1, Insightful)
Re:You all have to decide (Score:3, Insightful)
You cannot be free if you do not have any security.
While we're being cliche, I might as well note that security through obscurity is no security at all.
It is an aggregation problem (Score:1, Insightful)
Actually if this gets published, everybody knows where the danger points are and some sensible work can be done in keeping them from getting bigger and in guarding them. This seems the most rational approach for the moment.
The longer term issue is to find some way to deal with info aggregation, if anyone can (it has been a research topic for decades now). I am not optimistic a solution will be forthcoming anytime soon.
BTW yes, give the guy his PhD ASAP.
Obviously he has contributed to knowledge...
Secrecy decreases security (Score:4, Insightful)
True security comes from risk reduction and mitigation. In the case of the dam (or chemical factory or other dangerous installation) the people who might be affected by a dam colapse need to know what kind of danger it is. They should have been told about the danger it posed BEFORE it way built. You can't keep the location of that dam secret so why try? And terrorist are the least likely cause of most earth dam failure.
As for the fiber optic cable, you should assume that it can fail. I don't know about terrorist, but I do know that Joe farmer is going to be digging a ditch and WILL cut through a critical cable this year. If the phone company does not have a redundent solution then the end-users need to know about it so thay can plan for that kind of failure.
Many eyes makes for quick risk reduction
Finally, lets put 9/11 in perspective. While any loss of life is tragic, we lost the equivelent of several weeks of smoking deaths to 9/11. The economic distruction was less than a few weeks of a war in the middle east. The thing to keep in mind is that this is terrorism not war. The goal of terrorism is to inflict terror not destruction. They could have done more economic damage by blowing up a few "uneffective: car bombs in front of shopping malls the day after Thanksgiving with little risk to the terrorist. Why haven't they done something like that? It's been two years and nothing happened. Something will happen again, but there is so much good we could be doing with our talents and time rather than frittering it away on tin-hat paranoia. Let's fix the few glairing problems, reduce risks from all sources (those old toxic solvent drumbs in the back of your company for example) and move on.
Miss Utility (Score:4, Insightful)
And there is no way they can classify that info, else you would have to get ALL building contractors, electricians, basically everyone who wants to do any digging or construction, clearances.
Building permits and architectural diagrams are also publically available, aerial maps are out there too.
There is just really alot of info that is freely available that must remain that way for our society to function.
Rather then shutting this poor student up, they should try to resolve the problems, not keep it quiet.
Hey, he has the same degree as Michael Jordan! (Score:2, Insightful)
That said, what is a geography degree for anyway? Security issues aside, it doesn't sound like a terribly innovative topic for a PhD. useful, interesting, and not necessarily trivial, but a doctorate?
And to the geography fans out there, I honestly don't know what goes on in university level study for it, and therefore could be completely wrong.
Re:Finding information is not difficult... (Score:3, Insightful)
Are these the same bank CIOs who are happy to use public information to learn all about my house mortgage to try and sell me crap?
Re:Why not fix our real weak spot? (Score:2, Insightful)
Re:This guy is stoked, no more degree necessary (Score:3, Insightful)
I'm sure I could find many professors who would call Slashdot tedious and unimportant. Yet here you are. Back in the early 90's, many people thought creating yet another operating system was tedious and unimportant. Yet now we have Linux.
News flash for you: professors don't have perfect knowledge. Yes, they can make mistakes. Asking if one has more knowledge is a red herring. Remember that his professor has likely spent his life studying paper maps and satellite images. Along comes this guy who maps the entire IT infrastructure and the professor says "wtf does this have to do with geography? You just took existing maps and overlaid a bunch of cable diagrams."
In your subsequent post, you write:
Oh yeah, cause the government has never classified unimportant information before.
Is this the extent of your critical thinking skills? Not all classified information is important, therefore this information must not be important either? Really, you'll have to do better than that. By your logic, nuclear launch codes aren't important either. Ask any of the CIOs at the meeting (you know, the ones who blanched and "shit their pants" when they saw his work) if it is unimportant. They might give you some insight which is more than a hand-waving argument.
Re:Obligatory Sept. 11 quote (Score:2, Insightful)
You are not the only one! I'm also getting sick and tired of the former WTC site being called Ground Zero..
Still working in NYC
Disaster recovery on a national scale... (Score:3, Insightful)
There is a lot of public information. It has lots of stuff that 99% of the population finds useless. The other 1% of the population either wants to use it for 'good' or 'evil' and thus finds it useful. Those that want to use it for 'good' are welcome to it, but because there are those that want to use it for evil, let's lock it all up and make sure no one knows it...except for those 'evil' people who can find it out anyway.
Hey while we're at it. Let's make sure that no one is allowed to see, let alone come near, critical pieces of infrastructure like bridges, power plants, or country roads that have large amounts of fiber under them. That way we'll know who the terrorists are because they'll go near those things in order to figure out how to blow them up.
Pardon? What's that? We should acknowledge the weaknesses and put people to work making them less vulnerable? Why? It's so much better to hide them and pretend they don't exist until snotty grad students point them out.
</mini-rant>
In all seriousness, I applaud Sean Gorman and Laurie Schintler. They took one step from corporate/private risk analysis and expanded the view of where risks are and how big they are. This is something that organizations should be thinking about constantly. It's not enough to say "Well in order to hurt us directly you have to go through this, that, and the other hoop." You have to say "Ok, we've dealt with the direct risks. Now how bad are the n-fold indirect risks? What happens if this, that, or the other thing is directly or indirectly damaged and how does that affect me?" Most of the time, companies limit this to power and communication lines and as a result some of them make separate locations with duplicate functionality that can start working when the primary location goes down, but that's not enough all the time.
Personally, I think the dissertation should be treated like any other dissertation. And then FEMA should hire them (and others) to figure out ways to protect the identified weak points.
The next big field will probably be risk-mitigation.
Re:Reminds me of a job I did in London (Score:5, Insightful)
A terrorist attack involves targetting civilians as your main target.
Hitting an office building with a plane == terrorist attack
Killing soldiers who are invading your country != terrorist attack
Re:Designed for this? (Score:4, Insightful)
I thought the whole point of the Internet, being a packet-switched network, was that it could survive damage... like from nuclear war.
The original research into packet switched technologies was done with nuclear survivability in mind. The folks that built the internet however just took a good idea and ran with it. Since the internet was never designed to be a critical system, very little actual redudancy was built in. As the p2p system have found, its simplier to have "supernodes" where the majority of interconnection occurs. (I believe the internet has about 15 major points, Chicago, Mae West/Mae East, Dallas, New York, etc.
As an aside, all the telecommunications for Milwaukee Wi run thru a massive phone switch in the basement of one of buildings downtown. To take advantage of this nearly every ISP or internet company is located in the same building. When power was interrupted to the building (flooding in the power transformers) nearly all of the ISP service, and a lot of phone service was interrupted.
Does it matter, probably not. You'd piss off a lot of people, make a lot of sysadmins lives difficult, and life would continue. Infrastructure is a valuable part of a society, but people working for a common benefit is the part that matters.. and shy of killing everyone the only way to bring down society is to change every person's opinion.
Resources (Score:3, Insightful)
It seems to me that this neglects a critical piece of the puzzle, namely resources involved.
I'm no general (though I *was* in the military for a bit...) but from my experience one does not win a war by killing the other soldiers, one wins a war by making it increasingly difficult for the enemy to fight, ie: hinder their ability to make war.
Yes, the information may be able to be compilied by someone else. The thing, though, is that it takes time and resources to do it, and, make no mistake, any information denied to the "enemy" that causes them to expend more time and resources has a positive effect on security.
No, it may not be ultimate. No, it may not be complete. But yes, it does help...
Just my
Re:You all have to decide (Score:5, Insightful)
Should we, then, go about the process of finding and destroying all systems similar to Gorman's? Obviously, this is unrealistic because we don't know who else has created one. We should assume others have been created, though. The only correct course of action is to use systems such as Gorman's for their intended purpose: to identify points of weakness in our infrastructure and, from there, eliminate them.
That the government and corporate America haven't jumped at this opportunity to discover and eradicate these points of weakness but instead have attempted to eradicate the system which can be used to find such weaknesses should fill one with a sharp sense of dismay. It seems incompetence and information-hiding is the way we've chosen to go about ensuring our national security; I have a strong feeling this will come back to bite us in the ass, and I've no remorse for those who stand to lose billions from such an attack yet seem to have no interest in doing anything to prevent it. I only hope the human toll of such an attack is negligible.
Secrecy = Bad Public Policy (Score:3, Insightful)
Former senator Daniel Patrick Moynihan wrote a book [amazon.com] detiling his experience with just this issue, listing many cases where cold-war over-classification lead to serious policy shortcomings. He was referring primarily to foreign policy. Adding basic domestic public services to the "classified" list will compund the problem.
One guy with a weapon.... (Score:3, Insightful)
This attack would take an hour tops to plan and execute.
My point: there is no viable active defense against terrorism.
The concept of "security through obscurity" is bogus.
Defending disserations and visionaries (Score:5, Insightful)
He's worked hard on his research and doesn't want it to get seen by him, his professor, and a few miscellaneous others. He wants to be proud and publish his results...
Why does he have to publish to be proud? I'd be pretty damn proud to have my work classified.
You are making his work seem trivial and it's not.
His own professor called the work "tedious and unimportant." Do you have more knowledge about this work than this guy's professor?
Good for you. When you come up with something that the government thinks should be classified, you be as proud as you like and keep it all to yourself. The title and subject matter of what is classified will also probably be classified because letting people know about what was classified is likely to be deemed sensitive information that should be classified. See where this is going?
Sean Gorman wants to graduate with his degree, publish and continue academic research. It's not unreasonable that he would want others to see the product of what he's been on working for years. Part of completing a PhD is to do a defense of your research, which usually is before a panel of peers and professors who have some knowledge of the area you are studying. Dissertation defenses are usually open to the public (read "other students and academics" because few people tend to be interested in specific disserations) which means that potentially anyone can sit in and learn about the subject matter. If his research is classified then none of that can take place because it would be illegal for anyone to read the paper or hear about its contents without first getting clearance from the government.
Just because his professor lacks imagination, vision and insight (not uncommon in academic circles I assure you) it doesn't mean this prof is right. Maybe his prof is tedious and unimportant. There are lots of people who said the same sort of thing about the Internet. Even "visionary" Bill Gates is on record as saying the the Internet is a fad, though he quickly changed his tune. History is full of brilliant people whose work went unrecognized because it was considered fringe, tedious and unimportant. In this case, based on the attention this research is getting, there are obviously many people who think otherwise.
His professor, John McCarthy, thought that the research was important enough to introduce Gorman to national security contacts, so the "tedious and unimportant" line smells like a red herring. The article also talks about how the university is trying to get government funding beacuse it wants to develop a ''relationship'' with the Department of Homeland Security.
From the article:
"The government uses research funding as a carrot to induce people to refrain from speech they would otherwise engage in," said Kathleen Sullivan, dean of Stanford Law School. "If it were a command, it would be unconstitutional."
The security folks are ignoring the obvious. (Score:4, Insightful)
The nth Country Expiriment [thebulletin.org] proved that once knowlege is available to the public, and similar results can be obtained without knowlege of the methods used in previous successes.
If this grad student could compile this information, then so could sombody else, and it's probable that sombody already has.
This information should be used to point out the weaknesses inherent in our infrastructure, and show where this infrastructure needs to be diversified. IMHO, attempts to improve security by centralizing comunications and power distribution are doomed to failure, and will only make us weaker. Micro supliers [go.com] and home based [slashdot.org] power generation would make terrorist attacks against the power grid inconsequential. The weaknesses in comunications infrastructure can probably only be cured by creating a third alternative (community high-band?) to the cablemodem and telephone company monopolies on delivering service.
Re:Obligatory Sept. 11 quote (Score:2, Insightful)
Richard Clarke: Idiot (Score:4, Insightful)
Another way of looking at it is that this is yet another attempt by the government to oppress us by suppressing impression. However I have a pragmatic view: all this information needs to be public anyway. (If I want to dig a ditch, wouldn't the owners of underground fiber want me to know where it is?) We can never have absolute security if we don't want to become a police state. So instead of screaming hysterically about the sky falling, why don't we think about the underlying causes of terrorism? Why would someone go to all this effort to hurt us? These are not script kiddies.
Disclaimer: I too have one of these here PhD dissertations under my belt. And I'm sure every dissertation has at some point been called tedious and uninteresting; I know mine has!
Re:Obligatory Sept. 11 quote (Score:5, Insightful)
The only way to beat the terrorists, is to show that were will not change as people despite their best efforts. But every time I read or hear that phrase -- its like we are *complicit* in wanting Al Qaeda to win.
Did you note the reaction of the gov. officials? (Score:3, Insightful)
If this reaction does not cause you as an average citizen, concern, it should.
The attitude displayed by these government officials is one of, "We do not control it, therefore we must suppress it".
How dare an elected official behave in this way. But you know what, it probably wasn't an elected official at all. It was an appointed official or it was an official hired by an appointed official.
How disgusting it is that we have individuals in positions of power with the potential for abuse, conducting themselves with this attitude, individuals which we as private citizens have no direct or immediate means of knowing, preventing, or limiting certain abusive behaviors, actions, and practices of.
The solution to terrorism is not to treat everyone as a potential terrorist.
The solution must involve the recognition that we as persons in this modern society are due certain rights to privacy, to the potential to know the world around us: the good that could be done but isn't and the bad that is done in our name, and to a government which is maximally accountable to us within reasonable and minimal constraints which are never perpetual or absolute.
Whether or not realizing these rights leaves open the door to terrorism, these rights should not be negotiable. A solution which recognizes these rights must be found, or if none can be found, then we must live with these consequences of our freedoms.
Nothing is More Important Than "Safety" (Score:3, Insightful)
> should some of this information be classified?"
Of course. And MapQuest should be shut down, and you should be required to have license to use Google. In fact, no one should be allowed to put up a Web site without a permit from the Ministry for State Security.
And, of course, libraries should be required to report attempts to check out or read books on the "sensitive" list, and bookstores should be forbidden to sell them to anyone with out a permit...
Why, there are so _many_ more things we could doing to assure our "safety"!
Re:Obligatory Sept. 11 quote (Score:5, Insightful)
No, we didn't win. Terrorists did. Terrorists' higher aims are not to kill people:
Terrorists' aims are to cause terror. We have a terror coding system for deity's sake! The terrorists won
I can't drive over the same road I used to and have to drive 30 minutes more each way because the road goes over a security sensitive dam. The terrorists won
It takes me an extra hour at the airport to get anywhere (plus an extra hour on the connection). And the security guys will look at my underwear if they feel it's a threat to natural security. And my kids will never experience the trip to the cabin while in flight, like I did. The terrorists won.
The amount that we spend on national "defense" (half way around the world) and homeland security is at an all time high. This money is being taken from me in the form of taxes. My descendents will be paying for generations. The terrorists won
Our government has become more intrusive and has taken wider powers since 9/11. Guess who's happy about this?
Meanwhile we still don't have the big guy responsible in our hands
Osama, if still alive, is sitting on a cave, looking at what we are becomming, and laughing his ass off.
I really don't see the problem (Score:3, Insightful)
First, the cat is out of the bag. If terrorists were interested then they have guys on it now collecting the same information.
Second, trying to keep information classified would be a huge undertaking. From the examples mentioned, we have to get security clearance for every trucker, technician, engineer, or architect that has access and knowledge of these key areas. I don't think the fbi is up to the challenge of doing all those background checks.
Third, I am sure that there is not one key target mentioned in that document that is this country's Archilles heel. Thus terrorist would have to be able to sustain multiple attack in short window of time to cause real trouble. They haven't demonstrated this ability to do that. Their attacks, even in the Middle East and Asia, have been isolated over a few months.
So, it would best to make it available (if not publicly) to those who could best use that information to sure up those vulnerabilities through redundacies, or contingency plans.
This is advantage of our open society. Someone can find mistakes and be able to speak up openly so someone can deal with it. Don't let fear that cut off.
Terrorism, n. (Score:2, Insightful)
E.g., the invation and occupation of Iraq by US forces.
unlawful - check (according to the international law)
use or threatened use of force or violence - check (both)
by a person or an organized group - check (US military)
against people or property - check (mostly people but some property git damaged in the process)
intimidating or coercing societies or governments - check (forced regime change)
for ideological or political reasons - big check
Thank you for clearing this up.
Silence him? Why??? (Score:3, Insightful)
Mission critical infrastructure should have a properly protected communications link, and at least some form of redundancy (wireless or satellite with ipsec encryption as a backup, perhaps?) to cope with incidents like these...
smash.
Re:Obligatory Sept. 11 quote (Score:5, Insightful)
The current level of spending on national security may be too high, but the previous level was too low. Osama did nothing but open our eyes. To remain exactly the same after such devastating attacks is tantmount to suicide.
Too low? I disagree, it was STILL too high, and its only gotten worse. It was (and mostly still is) allocated to all the wrong places. What are we doing all over the world in failed "peace" missions which only create us more enemies?
Let's get back to the ideas of the founding fathers and reduce our intervention abroad while increasing our internal defense, we'll create good will for the U.S., reduce the number of enemies and be better able to focus on the constitutional boundaries of this country.
Please take a quick peek at Washington's farewell address, a beautiful piece of work, and still valid 200 years later
To remain the same may be suicide, but to pretend to do something while forgetting the root causes of terrorism and eliminating the foundation of this country is much worse
I recently read the following:
Insightful, aint it?