Grad Student's Work Reveals National Infrastructure
CodeHog writes "The WP reports about a student working on a PhD and how it relates to national (US) security. Very interesting that he has been able to get all this information. It raises some very challenging questions, should some of this information be classified?"
Reminds me of a job I did in London (Score:5, Interesting)
After three hours I was running out of sticky labels and was very scared.
But hey, look on the bright side, maybe it'll never happen!!!
Dark undertone (Score:5, Interesting)
The scariest line is that they wanted to burn his research. Flashbacks of 1984 flashed in my mind.
Not all evil (Score:5, Interesting)
I'm working on the periphery of the emergency response industry, and suffice it to say, any infrastructure data is vital as hell for responding to major natural disasters like quakes, hurricanes and tornadoes.
Tossing all this "scary" data into the classified domain will hammer on emergency responders' ability to effectively map this stuff.
It's vital, and I think the anti-"security through obscurity" comment in the article hits the nail on the head...
Not the first or last time (Score:2, Interesting)
He said okay and now he's ABD but pretty high up in the CIA/NSA (yeah, they work together now).
Publish or Perish (Score:5, Interesting)
The other thing is that, yes, he did put all of it together, but according to the article the raw data he used is all available on the internet. Who's to say that Al Qaeda hasn't already done the research to create their own version of his map? In that case this work could very well prove to be a map of what to defend.
Tom Clancy's work (Score:5, Interesting)
Re:Finding information is not difficult... (Score:5, Interesting)
Once you can shock the CEOs and CFOs into understanding that a genuine business risk exists out there, action can take place. I think far too many people assumed that the telco/networking companies had this all figured out...
Similar website? (Score:3, Interesting)
The article mentions an interesting website: But even with the wondrous Google I am unable to find the website that they are talking about.
Anyone know of it?
Internet design (Score:1, Interesting)
Classified Military info and Novels (Score:5, Interesting)
It turned out that he got all his info from public domain sources. And they could not do much about it. He just knew where to search.
Re:How is this.. (Score:3, Interesting)
I don't think you really got the point here.
This has nothing to do with any operating systems or computers.
You can easily cripple companies and national infrastructure just by knowing the few substations and fibre switches that need to be brought down. No power, no phone, no net.... oh dear.
The Cuckoo's Egg.. (Score:5, Interesting)
1. New fighter being developed
2. Contract awarded to company X
3. Rifle through purchase orders for titanium and other strategic parts.
4. Get shipping info on said parts
5. Now you know the facility where it will be built.
6. Find airline reservations from company in question
7. Look for engineers and test personnel.
8. Find nearest test base from point of arrival.
9. Fighter X will be built in location A and tested at location B, between arrival date and departure date.
Needless to say, this is why more things have become classified since the early 80's.
Re:It's not the information, but the presentation. (Score:2, Interesting)
Re:i don't know about that... (Score:5, Interesting)
Infrastructure data is often sensitive. First responders can certainly get it. However, if DoD and/or DHS go haywire and classify it, only those with Secret (or better) clearance level can get it.
And your average "first responder" fireman isn't going to possess a secret clearance...
As for currentness, you'd be surprised. Much of the interesting infrastructure (major emergency facilities, dams, etc) doesn't change very often.
Designed for this? (Score:4, Interesting)
So now we're worried that a terrorist with a scissors is gonna bring it down?
Hopefully (Score:5, Interesting)
If 25 telcos happen to be sharing the same 'pipe' of fibre, it may not be a terrorist that breaks that connection... regardless of who severs that line, it ain't good for the telcos -- and the telcos should be using his data to reduce risks.
Insurance companies and actuaries for corporations and governments love this kind of stuff, as do operations research people. Tell me how much it'll cost to reduce risk to this level, or: I have $10,000,000 -- how can I spend it to ensure that the worst case scenario isn't as bad.
Hopefully the information doesn't become classified; hopefully, it's used over the next few years to shore up the bottlenecks and other weak points, making the infrastructure far more robust in the following years.
Yes, the time has come for cracking down (Score:3, Interesting)
After all, IGNORANCE IS STRENGTH.
And unfortunately we must give up some of our rights to buy security, or the terrorists will have already won. As we know, FREEDOM IS SLAVERY.
And it goes without saying - although it's been said many, many times recently by our dear Commander In Chief - that WAR IS PEACE.
We must ignore those who would warn us against this [msn.com], and march into the brave new world of strictly one sided Total Information Awareness with flags waving and proudly chanting the pledge of subservience. As Jeb would no doubt tell us, Big Brother knows best.
Re:No Link (Score:5, Interesting)
Re:You all have to decide (Score:5, Interesting)
- Who makes that determination?
Not "trolling" - just asking. Who reviews the decisions of the determining body and enforces penalties if the decisions are not in the best interests of the citizens?
Given Pournelle's Law of Bureaucracy ("regardless of the reasons for which they are established, the top priorities of bureaucracies are to survive and to grow") who determines what controls are placed on those doing the classifying?
sPh
He'll get a job (Score:3, Interesting)
Even though it does suck that he can't release it in its original form, he'll have absolutely no problems finding a job. If that many large financial corporations were concerned about their communication infostructure surely one (if not all of them) are scratching to hire him.
If all he wants is money and no real academic prestige this is great. Otherwise, it wouldn't be fun to be in his position right now.
Re:The whole story (Score:5, Interesting)
http://www.clancyfaq.com/Clancy%20contacted%20by%
Re:Designed for this? (Score:5, Interesting)
My former employer owned one of the first ISPs in Pittsburgh (Pittsburgh Online/Webstation, since sold to Stargate), and once told an old friend who worked at the FBI an anecdotal story about how easily he could rob a given bank. It involved jamming the police band frequencies (easily done with equipment you could build yourself), and arranging an "accident" which knocks out the telephone lines to the police station.
When the dispatchers' lines were cut, you could walk into the bank and take your time, confident in knowing that even if the bank called 911 (or their security service made the call), the police could not be notified until communications were restored. The person most aware of the coincidence of the two outages (radio and telephone) would be the dispatcher, and they wouldn't be able to coordinate anything until you were long gone.
I don't know what became of the situation, but I do know that my former employer ended up retelling his tale to some very interested higher-ups in the local FBI branch.
Hypocrisy? (Score:2, Interesting)
And whenever there is a talk about spam or privacy the whole slashdot community can't stop hanging or shooting the "defaulters"....
Strange?
Nandz.
In Soviet Russia... (Score:5, Interesting)
Sorry, couldn't resist. I grew up in the USSR where everything was classified - so here is a map story for you.
Map information was classified and map publishers were required to add deliberately inaccurate information to their maps. You would have whole cities that were not on the map or shown a couple of hundred km away from their real location. This was done in the name of national security, so the enemy (US) would not be able to use maps to plan a nuclear strike or sabotage military installations.
The enemy of course just used satellite imaging to create their own maps and ended up with better maps of Russia than the Russians had. In the 80s folks who needed maps (geologists, archeologists, hikers, ...) would try really hard to get their hands on foreign made maps, because they were so much more accurate.
Security by obscurity is counterproductive...
Re:No Link (Score:2, Interesting)
That information wasn't readily available when I was interested in that back before 2000 and I assume it's even harder to come by now.
I suspect that we are a lot more vulnerable than we suspect. And considering a power outage in Northern Mexico affected parts of the U.S. I wonder if someone could successfully attack our infrastructure without even attacking a physical point in the U.S., but in Mexico or Canada.
Security through obscurity does NOT work!! (Score:3, Interesting)
In fact, STO is WORSE than NO security because it leads to a FALSE sense of security.
This weekend I took a ferry to Long Island and I used my GPS to record my track. As I was doing so it occurred to me that my activity could be considered suspicious, and suddenly I got very nervous about using my GPS on the ferry. What the fuck kind of country are we living in now? Why should ANYTHING _I_ do be considered suspicious? I am an upstanding tax paying public serving ham radio operating red blooded patriotic citizen of the USA. If I really WAS planning some kind of attack on the ferry, why would I bother with GPSing it? Why would I bother to pull it out of my pocket in public in the first place? Am I wearing a towel? NO!
Knowledge is power and if EVERYBODY knew EVERYTHING then the world would be in perfect balance. That was the idea that brought about the Internet as we know it today, a medium for the free exchange of information. Open the fucking floodgates!
KNOWLEDGE IS POWER!
Traceroute as a terrorist tool? (Score:3, Interesting)
I mean, it's great that here in America someone can actually get a PhD by doing a lot of traceroutes and then using gnuplot or whatever to overlay the data onto scanned images of telco fiber-maps or whatever, but the whole premise of the article - including the moronic comments about how the guy shouldn't be allowed to leave the building with the laptop (maybe I have too much faith in humanity, but I can't imagine anyone making such a stupid comment other than in jest) - is much ado about nothing.
This information has been available for years, and continues to be available; it's just that this guy has nothing better to do than sit around collating it and putting it into MySQL or somesuch. So what? Terrorists aren't interested in blowing up the Internet - they're interested in blowing up -you-.
So does this mean that I can now justify a PhD by sitting around correlating MapQuest thumbnails with wardriver plots of open WiFi APs, or something, and then claim I'm mapping possible 'nodes of anonymous terrorist Internet access'? Sign me up!
Think about it.
The only problem with his software... (Score:5, Interesting)
Companies (i.e. financial institutions) don't mind compiling scads of public information on us until they can tell what brand of hemorrhoid cream you use, but when we do the same thing to them, they scream bloody murder.
Hmmm.....
If you locked up all of the information he's compiled, you'd shut down the Economy just as effectively as using that same information to blow up critical infrastructure points. The real point of his data is that he also allows the good guys to see just where the choke points are so that they can design backup plans and structures.
As Gandhi said (and I'd bet he'd be on the terrorist watch list if he was doing his work today).
Now, at least, these companies are clear that they need to get their ISPs to use different fiber lines to deliver their data. It's not like they couldn't have known this before. It's just that now they have it at their fingertips.
Re:Public + Public + Public = Classified (Score:3, Interesting)
Remember "The Pelican Brief"? (Score:2, Interesting)
It would seem that life is imitating art here.
a few thoughts on why classifying this is a waste (Score:4, Interesting)
2) Slowing down internet connections doesn't scare people. Temporarily cutting corporate offices off from the grid doesn't scare anyone (save, perhaps, the CEO). Think how much more terror-bang a terrorist could get for his buck with a 9mm in a mall. That would terrify people and significantly damage the economy. Attacking communications infrastructure isn't "terrorism," it's something else. It's guerilla warfare, directed against an economy rather than a person, I suppose. If our "war" descends to this point, we are totally screwed, as it is impossible to defend (or even think of) all the economically "soft" targets.
3) In the end, the security of all civilians and civilian infrastructure depends on good will. Well, that, and fear of punishment. But the latter doesn't apply to acts of international sabotage and/or murder. I am sick of all this talk about defending our civilian infrastructure, securing the homeland, etc. It can't happen. Until there is a soldier in body armor with a rifle every few yards down every street in the USA, this goal will not be achieved. That isn't the society any of us want to live in. We haven't put any effort into civilian security up to this point, and I say: Good for us. We didn't need to, because the general good will of human beings was protecting us. Our effort would be better spent restoring *that* state of things, rather than moving toward the soldier-on-every-corner model. For those who would like to call me naive, I ask you: why has there not been an attack on soft infrastructure before? Why has there never been a wave of men with 9mms in malls? These things are undefended. The only reason it hasn't happened is that no one ever wanted to do it.
Three good reasons why it is a waste of time and effort to classify this fellow's dissertation. I'll let others cover the reasons why classifying it is damaging to security, an open society, and democracy.
How Terrorists Could Defeat the U.S. (Score:3, Interesting)
www.cryptogon.com/docs/cryptogon_cyberwar.pdf
This brief essay explains how vulnerable information infrastructures are to very simple attacks. I intentionally removed all company names and locations of the critical assets, not because I was afraid my written-in-one-evening essay would be used by terrorists, but because I was afraid the FBI would think I was a terrorist.
After reading about the pressure that Sean Gorman is under, I am convinced that I would have had a (probably not pleasant) sit down with federal agents if I hadn't sanitized my essay.
Data Mining, Synergy, Unpredictability (Score:4, Interesting)
It's not just the data. It's not just the technology. It's what you get when you combine them, mine the data, and find something that isn't there originally.
The problem of regulating this, of course, is that the various sources of information are "innocent," and that information itself can be deceptively harmless until you combine it with something else.
So what do you do? You can't control the information, you can't know what to control, you can't outlaw the process. Welcome to the 21st century, where Data Mining is our new concern.
As an IT professional, I've had to deal with much lesser concerns of the same nature - what happens when you combine and mine data. A simple-to-create synergy can reveal far more than the data sources it uses, and that synergy has to be treated as a completely different thing when it comes to concerns over access, availability, etc.
Re:This guy is stoked, no more degree necessary (Score:3, Interesting)
Well, this guy apparently _would_ like to get his degree, at least. As it says in the article, he's worried that if his dissertation gets classified, he may have problems graduating. This way, even if it does get classified, at least he'll be able to eat.
Re:This guy is stoked, no more degree necessary (Score:2, Interesting)
High paying jobs post-PhD? Depends on the area perhaps. CS/Engineering maybe but taking academia as a whole, doing a PhD nearly always loses you money if you take working life as a whole (one never makes up for the 3+ poorly paid years spent doing it).
Hype will certainly not help him in the academic job market; possibly it may even work against him knowing what academic snobbery is like. Academic hiring, apart from the usual political or turf issues, is these days on the basis of two strict criteria: success in publishing and success in acquiring funding. If you can't translate it into published pages of text and regular funding cheques, it doesn't really matter how clever/famous/whatever you are. There isn't room for you. It's a terrible way to run things perhaps, but there is a bottom line basically.
The elephant in the corner... (Score:3, Interesting)
Would anyone here be willing to have their usage fees for their net connection go up by 50% to cover the cost of installing and maintaining this additional redundant infrastructure? (Bear in mind that if you say "Stick it to big businesses!", they will indirectly stick it back to you.)
The NRA...? (Score:3, Interesting)
GIS & Terrorism (Score:3, Interesting)
Jaysyn
Re:Reminds me of a job I did in London (Score:5, Interesting)
I agree. Particularly since it has already been shown that terrorists can choose and utterly destroy a high-profile target.
If a terrorist wanted to really upset things now, they'd next show that Anytown, USA was also vulnerable. Three days, three teams each with a van, 500 children's lunchboxes with a timebomb inside the thermos and a road trip past small town schools in east, west and central USA should do it.
You are not safe at work, you are not safe at school, panic.
Re:Dark undertone (Score:3, Interesting)
Oceania was missing one crucial ingredient; the shopping mall!
Re:Well.. (Score:3, Interesting)
The reason the CIOs and CEOs were worried about their reputations is that in general physical security has and still is as badly neglected as computer security. Their pants are around their ankles. All Gorman has done is taken a photograph.
That being said a terrorist only needs a "single" target. Which means information control must be total, since a single leak or oversight would provide a target.
Take a moment to think about vulnerabilities that you know of at your company, town, etc...
You will realize it is impossible to secure all information or access to sites.
Now you have a choice: Keep everyone (including the customer) in the dark (read -> closed source) except the service provider and trust them to provide security (which interestingly enough their reaction to Gorman's data suggests they haven't).
Or: have aware customers that are aware and have access to information who can help fix problems and as needed put pressure on their providers to make them accountable for security (read -> open source).
I prefer the latter. Given that examples exist already where open source (Linux or BSD as examples) are considered more secure than closed source alternatives.
Full disclosure has always been unpleasant. But problems can only be fixed when identified.
Re:You all have to decide (Score:3, Interesting)
All they need to do is write up a quick 2-3 page government contract with a SOW (scope of work) to produce what he's already done. It would be an FFP (firm fixed price). $100-250K/yr would be a bargain. Once the government owns it they classify it and make extracts available to the involved companies to allow them to fix the problems. This would not be something new. An abstract can remain unclassified that he can include in his resume. The best idea would be to get him a job in either NIMA or CIA doing exactly what he's doing now.
The comment attributed to Richard Clarke -- "burn it" seems very unwise. Mr. Gorman has done an excellent job of intelligence fusion and synthesized a very useful body of information from a large collection of seemingly unrelated data. This is the holy grail of the intelligence community.