Grad Student's Work Reveals National Infrastructure

CodeHog writes "The WP reports about a student working on a PhD and how it relates to national (US) security. Very interesting that he has been able to get all this information. It raises some very challenging questions, should some of this information be classified?"

Well..

[Gortbusters.org]

In the background, he plays the Beastie Boys.

He's got the right to party!

Re:Well..

[reverseengineer]

Given his research, wouldn't Sabotage be a more appropriate track?

Obligatory Sept. 11 quote

[bwhaley]

The implications, however, in the post-Sept. 11 world, were enough....

In this post-September 11th world, I'm getting REALLY sick of that phrase.

Re:Obligatory Sept. 11 quote

[Ninja Programmer]

Every time someone says or writes "post-Sept. 11 world" I am reminded that Al Qaeda's attack was more successful beyond their wildest imagination. I am reminded of our failure to acquire Osama Bin Laden, our failure to create a global unified front against terrorism, our failure to destroy Al Qaeda, and our continued reliance on the FBI, CIA and NSA, who have demonstrated an inability to do anything about these terrorist attacks.

The only way to beat the terrorists, is to show that were will not change as people despite their best efforts. But every time I read or hear that phrase -- its like we are *complicit* in wanting Al Qaeda to win.

Re:Obligatory Sept. 11 quote

[fr2asbury]

Yeah, last time I checked it was early July. I'd say this is a PRE-September 11th world.

Re:Obligatory Sept. 11 quote

[rleibman]

No, we didn't win. Terrorists did. Terrorists' higher aims are not to kill people:

Terrorists' aims are to cause terror. We have a terror coding system for deity's sake! The terrorists won

I can't drive over the same road I used to and have to drive 30 minutes more each way because the road goes over a security sensitive dam. The terrorists won

It takes me an extra hour at the airport to get anywhere (plus an extra hour on the connection). And the security guys will look at my underwear if they feel it's a threat to natural security. And my kids will never experience the trip to the cabin while in flight, like I did. The terrorists won.

The amount that we spend on national "defense" (half way around the world) and homeland security is at an all time high. This money is being taken from me in the form of taxes. My descendents will be paying for generations. The terrorists won

Our government has become more intrusive and has taken wider powers since 9/11. Guess who's happy about this?

Meanwhile we still don't have the big guy responsible in our hands

Osama, if still alive, is sitting on a cave, looking at what we are becomming, and laughing his ass off.

Re:Obligatory Sept. 11 quote

[rleibman]

The current level of spending on national security may be too high, but the previous level was too low. Osama did nothing but open our eyes. To remain exactly the same after such devastating attacks is tantmount to suicide.

Too low? I disagree, it was STILL too high, and its only gotten worse. It was (and mostly still is) allocated to all the wrong places. What are we doing all over the world in failed "peace" missions which only create us more enemies?

Let's get back to the ideas of the founding fathers and reduce our intervention abroad while increasing our internal defense, we'll create good will for the U.S., reduce the number of enemies and be better able to focus on the constitutional boundaries of this country.

Please take a quick peek at Washington's farewell address, a beautiful piece of work, and still valid 200 years later

To remain the same may be suicide, but to pretend to do something while forgetting the root causes of terrorism and eliminating the foundation of this country is much worse

I recently read the following:

After 9/11, Bush made two statements:

1. "Terrorists hate America because America is a land of freedom and opportunity."
2. "We intend to attack the root causes of terrorism."

Sounds like everything is going according to plan.

Insightful, aint it?

This should be classified

[Anonymous Coward]

This software is used in the firmware of WMDs! It should be taken of the public internet immediatley! [debian.org]

Link please!

[Jeremy Erwin]

I can't figure out how to download his dissertation. I want to judge for myself whether "tedious and unimportant" is an apt description.

Re:No Link

[elem]

I think you failed to notice the joke....

Re:No Link

[zenofjazz]

The infrastructure is all interconnected... High voltage lines and their rights of way are used for fiber optic cable runs, Oil and gas pipelines and their rights of way are used for fiber optic runs, same for railway rights of way... because they all have the same basic need, to go from point A to point B, without crossing anyone else's properties. Start correllating telco/internet outages with railroad derailings (which tend to dig up the right of way), and you'll see what I mean. I have known for 10 years, the easiest way to cripple "the typical city" (since the fire in chicago, that destroyed the phone Central Office!) -Jazz

You all have to decide

[Anonymous Coward]

You're either "land of the free", or you are not. So either live up to the hype, or change the tagline. Can't have it both ways, with a closed society fueled on fear, claming to be "free".

[jole]

Re:You all have to decide

[rose_bud4201]

Frankly, I'm on your side...keeping some of the stuff he used to generate his maps classified would knock some information which is really very handy from the public use - things like the shipping/loading dock information that he mentioned (would a prospective company have to go through clearance procedures to find out whether shipping their goods through a given area is worthwhile??), like ISP bandwidth and routing information, and the depth of cable trenches (would telephone or paving companies also have to be cleared before putting in a new pole or rebuilding a road?) "It gives us a great thrill," Young said. "If it's banned, it should be published. We like defying authority as a matter of principle." That, I think, is a little extreme, but there are some things which can't be pulled from the public domain without wreaking havoc on the people dependant on them.

Re:You all have to decide

[dboyles]

You're either "land of the free", or you are not. So either live up to the hype, or change the tagline. Can't have it both ways, with a closed society fueled on fear, claming to be "free".

That's a huge oversimplification. I wouldn't even respond to such a troll had some ill-informed moderators not decided to mod it up to a 5 and make it the first comment on the page.

Ideally, information becomes classified when the benefits of the information being publicly available are less than the dangers of that availability. Here at the university where I work, when I need to get a list of students in my department, I can't just call up and request it. I have to be authorized to have it. In that case, the extra day it takes to get the information is justified because we don't want just anybody to have access to that sort of information.

On the flip side, we have the Freedom of Information Act. It has been decided that certain information should be available to the public without such restrictions. In this case, the public benefit outweighs the negative aspects of the FOIA.

To suggest that the "land of the free" entails zero security is simply ignorant.

Re:You all have to decide

[SCHecklerX]

Indeed. You cannot be free if you do not have any security.

Re:You all have to decide

[anthony_dipierro]

You cannot be free if you do not have any security.

While we're being cliche, I might as well note that security through obscurity is no security at all.

Re:You all have to decide

[sphealey]

Ideally, information becomes classified when the benefits of the information being publicly available are less than the dangers of that availability. Here at the university where I work, when I need to get a list of students in my department, I can't just call up and request it.

A few questions:

• Who makes that determination?

• Who reviews the decisions of the determining body and enforces penalties if the decisions are not in the best interests of the citizens?

  Given Pournelle's Law of Bureaucracy ("regardless of the reasons for which they are established, the top priorities of bureaucracies are to survive and to grow") who determines what controls are placed on those doing the classifying?

Not "trolling" - just asking.

sPh

Re:You all have to decide

[rossjudson]

You have responded to an oversimplification by making another, far more dangerous simplification.

Your ideal is that we classify when the benefits of information being available are less than the dangers. Who exactly makes this determination? What subject matters are subject to this?

When we deal with information that is dangerous by "hiding" it, what we really do is shift resources away from solving the underlying vulnerability. Sometimes the vulnerability isn't solvable, but much of the time it is.

With Gorman's work, he is highlighting choke points in the infrastructure. Would the rational response to this situation not be to diversify off those choke points? We should identify key weaknesses with this kind of research then solve them. We should not simply hide the information.

First principles also apply here: I find myself somewhat in agreement with one poster who indicated that we should quit "stomping" around the world creating enemies. It is far easier to defend against an enemy you do not have.

FOIA and classification are unrelated. FOIA is generally used to punch holes through government bureaucracy; to get at information that should be available to the public but is obscured by red tape. Classification contains information that should not be available to the public. Some FOIA requests come back redacted for security reasons.

It is far too easy for an administration to simply designate information as confidential. Such designations can and are used to avoid information release that would be politically senstivie. The bar is too low.

As with so many other things, it comes down to "who decides"...

Re:You all have to decide

[Wakko Warner]

The scary/sick/sad part of all this is that Gorman got every piece of information from the Internet and other publically-available sources. The fact that a grad student working with a single research assistant was able to construct something like this should certainly ring alarm bells, but it's sheer idiocy on the part of the government and private corporations to demand he hand over his collection of information, or that it be classified. It's even more asinine that they aren't interested in the kind of insight such a system can provide. If one man working alone was able to create a system of this complexity and detail, it's logical and safe to assume that others (including scary evil people who aren't Americans) have done so, as well, and are probably using it to their advantage.

Should we, then, go about the process of finding and destroying all systems similar to Gorman's? Obviously, this is unrealistic because we don't know who else has created one. We should assume others have been created, though. The only correct course of action is to use systems such as Gorman's for their intended purpose: to identify points of weakness in our infrastructure and, from there, eliminate them.

That the government and corporate America haven't jumped at this opportunity to discover and eradicate these points of weakness but instead have attempted to eradicate the system which can be used to find such weaknesses should fill one with a sharp sense of dismay. It seems incompetence and information-hiding is the way we've chosen to go about ensuring our national security; I have a strong feeling this will come back to bite us in the ass, and I've no remorse for those who stand to lose billions from such an attack yet seem to have no interest in doing anything to prevent it. I only hope the human toll of such an attack is negligible.

Re:You all have to decide

[freuddot]

I don't usually answer people signatures. However, given that yours is :

"Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear

And that your first sentence is :


That's a huge oversimplification. I wouldn't even respond to such a troll had some ill-informed moderators not decided to mod it up to a 5 and make it the first comment on the page.

I must say that this is a very nice display of consistency.

The only problem with his software...

[Stephen Samuel]

is that he has it in one convenient package... Kindof a Terrorist to-do list. When you think about it, this is really just turning the tables on the privacy debate.

Conpanies (i.e. financial institutions) don't mind compiling scads of public information on us until they can tell what brand of hemorrhoid cream you use, but when we do the same thing to them, they scream bloody murder.

Hmmm.....

If you locked up all of the infomation he's compiled, you'd shut down the Economy just as effectively as using that same infomation to blow up critical infrastructure points. The real point of his data is that he also allows the good guys to see just whwre the choke points are so that they can design backup plans and structures.

As Ghandi said (and I'd bet he'd be on the terrorist watch list if he was doing his work today).

I'd rather let my enemies know exactly what I'm doing and hope that they overreact

Now, at least, these companies are clear that they need to get their ISPs to use different fiber lines to deliver their data. It's not like they couldn't have known this before. It's just that now they have it at their fingertips.

Re:You all have to decide

[Banner]

EXACTLY.

It's not really that big a deal, people HAVE to know where the wires are, where the pipelines are, etc, so they DON'T DIG INTO THEM AND DIE!

Ever see a gas pipe explosion because someone dug in the wrong spot and the crew burned to death? Or how about a town losing all of it's emergency and other communication because a cable got accidentally cut?

We have a 2nd amendment for a reason. Try using it and stop living in fear.

Re:You all have to decide

[iiioxx]

We have a 2nd amendment for a reason. Try using it and stop living in fear.

I can't figure out if you've gotten your amendments confused or if you're advocating armed revolt..?

1st Amendment: Freedom of speech.
2nd Amendment: Right to keep and bear arms.

This guy is stoked, no more degree necessary

[kcornia]

After this kind of publicity, he'll have some job offers coming in, I guarantee it.

I'd tell 'em to classify it all they want, just looks BETTER on the resume...

Re:This guy is stoked, no more degree necessary

[garcia]

do you honestly think that EVERYONE with a PhD is in it for the job market? If you do, you're fucking crazy.

I know PLENTY of Professors that were interested in Academia because they enjoyed research and teaching not because of the "high-paying" jobs they had after getting their PhD.

He's worked hard on his research and doesn't want it to get seen by him, his professor, and a few miscellaneous others. He wants to be proud and publish his results...

You are making his work seem trivial and it's not.

Defending disserations and visionaries

[securitas]

He's worked hard on his research and doesn't want it to get seen by him, his professor, and a few miscellaneous others. He wants to be proud and publish his results...

Why does he have to publish to be proud? I'd be pretty damn proud to have my work classified.

You are making his work seem trivial and it's not.

His own professor called the work "tedious and unimportant." Do you have more knowledge about this work than this guy's professor?

Good for you. When you come up with something that the government thinks should be classified, you be as proud as you like and keep it all to yourself. The title and subject matter of what is classified will also probably be classified because letting people know about what was classified is likely to be deemed sensitive information that should be classified. See where this is going?

Sean Gorman wants to graduate with his degree, publish and continue academic research. It's not unreasonable that he would want others to see the product of what he's been on working for years. Part of completing a PhD is to do a defense of your research, which usually is before a panel of peers and professors who have some knowledge of the area you are studying. Dissertation defenses are usually open to the public (read "other students and academics" because few people tend to be interested in specific disserations) which means that potentially anyone can sit in and learn about the subject matter. If his research is classified then none of that can take place because it would be illegal for anyone to read the paper or hear about its contents without first getting clearance from the government.

Just because his professor lacks imagination, vision and insight (not uncommon in academic circles I assure you) it doesn't mean this prof is right. Maybe his prof is tedious and unimportant. There are lots of people who said the same sort of thing about the Internet. Even "visionary" Bill Gates is on record as saying the the Internet is a fad, though he quickly changed his tune. History is full of brilliant people whose work went unrecognized because it was considered fringe, tedious and unimportant. In this case, based on the attention this research is getting, there are obviously many people who think otherwise.

His professor, John McCarthy, thought that the research was important enough to introduce Gorman to national security contacts, so the "tedious and unimportant" line smells like a red herring. The article also talks about how the university is trying to get government funding beacuse it wants to develop a ''relationship'' with the Department of Homeland Security.

From the article:

"The government uses research funding as a carrot to induce people to refrain from speech they would otherwise engage in," said Kathleen Sullivan, dean of Stanford Law School. "If it were a command, it would be unconstitutional."

As he said...

[SoSueMe]

"...It's hard to put 'classified' on your list of publications on your résumé."

Actually, it would be easy for me to put "classified" on my list of publications on my résumé. It is just the "mostly as bullshit" part that wouldn't do me any good.

Finding information is not difficult...

[bc90021]

For instance, this is not the first time Sean Gorman has been talked about:

Article in Science Daily [sciencedaily.com]

Plus, someone with the same email address has posts in rec.sports.rowing...

The bottom line is that if you know where to look, you can find out lots of stuff. Classifying this guy's dissertation isn't going to prevent someone else (from anywhere on the planet) using the same tools he did to do the same things he did.

We either have to control all information (hello, Mr. Orwell!) or accept that information can't be controlled and plan accordingly. It's been said many times before, but security through obsucrity just doesn't work.

Re:Finding information is not difficult...

[TopShelf]

At least what this has prompted is a panic attack amongst some CIO's out there, who now understand that 1) too much information has long been left in the public domain, and 2) critical infrastructure security has been neglected for far too long.

Once you can shock the CEO's and CFO's into understanding that a genuine business risk exists out there, action can take place. I think far too many people assumed that the telco/networking companies had this all figured out...

My cynical nature prevents me from getting excited

[jobugeek]

While I hope the bell went off in their heads, that something needs to be done, my guess is that they will instead over-react and try to restrict the public's access to even more information.(whew, long run-on.)

The smartest thing they could do, is use his information and go through each weakness and look to secure it as much as possible. Many of them may look at that as cost prohibitive and just try to obsure the information and hope no one finds it.

Re:Finding information is not difficult...

[SirWhoopass]

We either have to control all information (hello, Mr. Orwell!) or accept that information can't be controlled and plan accordingly. It's been said many times before, but security through obsucrity just doesn't work.

Security through obscurity alone doesn't work, but that doesn't mean that obscurity isn't important too. It's not like the fiber connections to the New York Stock Exchange run through a box on the street with an "off" lever. They're underground. But that doesn't mean the NYSE should put the exact location on their web site.

If you look at how the military handles classified information you'll note that in order to access information you need both the proper clearance and the "need to know". That means that just because you have a top secret clearance because you work on stealth fighters doesn't mean you get to see the top secret photos of North Korea's nuclear reactors. You have the proper clearance, but you don't have the need to know.

The main issue isn't (or shouldn't be) about classifying this guy's thesis. The issue is why all this imformation was so freely availble in the first place and whether power companies, telecoms, etc. should look at restricting access to certain types of data.

Security through obscurity does NOT work!!

[n1ywb]

Security through obscurity is NOT "security" at all, because it's impossible to know what the other guy knows.

In fact, STO is WORSE than NO security because it leads to a FALSE sense of security.

This weekend I took a ferry to Long Island and I used my GPS to record my track. As I was doing so it occured to me that my activity could be considered suspicious, and suddenly I got very nervous about using my GPS on the ferry. What the fuck kind of country are we living in now? Why should ANYTHING _I_ do be con

Just look at your surroundings

[Surak]

You'd be surprised at how easy it is to penetrate the security of a lot of facilities.

For instance, I worked in one somewhat secure facility that requires ID bages with magnetic stripes to get in and out.

Only thing is, they had one door to the facility that didn't have a card reader attached to it. It was for the union guys that worked in the shop, who according to contract, could not be required to swipe an ID badge.

Which is fine, because to get into any place but the shop you have to have a card swipe anyway.

Only thing is, the doors between the shop and the badge-secured office area were kept open more often than not. And even if they weren't there was one interior door that you could use to access the service tunnel that wasn't carded either.

So you could walk into the service tunnel. Once there, you could get into the badge-coded office area because the doors near the elevator that takes you to the office area had to be kept open for ADA compliance (a wheelchair user couldn't be expected to swipe their card and open the door, apparently)

So once in the elevator, you were free and clear. You just got in the building without a single card swipe. And though there are cameras, anyone walking around with anything that looked *close* to the visible badges around their neck/clipped to their lapel, etc. were ignored.

I simply observed my surroundings and in less than a day of working there, I knew how to get in and out of the facility without going through security. Even if I left my security pass at home, I could get in and out, no problem. I've noticed similar scenarios in hospitals or banks other places where tight security is supposed to be the rule but the people working there just don't think this stuff through.

Re:Just look at your surroundings

[anthony_dipierro]

Of course, the government's response to your story would be to classify the information you just provided, rather than to tell the building security to close the door.

Reminds me of a job I did in London

[tiled_rainbows]

I work for Transport for London (Transport Authority in London, UK, duh), and, after 9/11 my boss asked me to print out a huge map of the city and put a little sticky label over every "potential terrorist target". Buckingham Palace, Houses of Parliament, the big wheel thing, ministry of defence, big office blocks, army barracks, more palaces....
After three hours I was running out of sticky labels and was very scared.

But hey, look on the bright side, maybe it'll never happen!!!

Re:Reminds me of a job I did in London

[Trigun]

You'd look awful suspicious if it did happen, what with that giant map with all the targets labelled and all...

Re:Reminds me of a job I did in London

[dr_dank]

Buckingham Palace, Houses of Parliament, the big wheel thing, ministry of defence, big office blocks, army barracks, more palaces...

I don't think Osama could keep a straight face if he were to declare jihad on the "big wheel thing".

Re:Reminds me of a job I did in London

[Kaa]

I work for Transport for London (Transport Authority in London, UK, duh), and, after 9/11 my boss asked me to print out a huge map of the city and put a little sticky label over every "potential terrorist target". Buckingham Palace, Houses of Parliament, the big wheel thing, ministry of defence, big office blocks, army barracks, more palaces....
After three hours I was running out of sticky labels and was very scared.

This seems like a simple exercise in paranoia to me.

A "potential terrorist target"? Hell,

Re:Reminds me of a job I did in London

[Jardine]

One thing that keeps bugging me is attacks against soldiers, military bases, and military equipment being called terrorist attacks. Wouldn't attacking military targets be the exact opposite of a terrorist attack? Terrorist groups believe they are fighting a war. In war, you attack soldiers and other military assets.

A terrorist attack involves targetting civilians as your main target.

Hitting an office building with a plane == terrorist attack
Killing soldiers who are invading your country != terrorist attack

Re:Reminds me of a job I did in London

[Suidae]

This seems like a simple exercise in paranoia to me.

I agree. Particularly since it has already been shown that terrorists can choose and utterly destroy a high-profile target.

If a terrorist wanted to really upset things now, they'd next show that Anytown, USA was also vulnerable. Three days, three teams each with a van, 500 childrens lunchboxes with a timebomb inside the thermos and a road trip past small town schools in east, west and central USA should do it.

You are not safe at work, you are not safe at school, panic.

Re:Reminds me of a job I did in London

[perly-king-69]

11/9 surely?

Information wants to be free

[albin]

You cannot keep information like this secure forever, or even very long. Someone will always have this information. The question is, will we allow the US government to to deprive us of our liberties to the extent that the gov't really can keep this information for ourselves, and only let it out when it's in their interest for a building to get bombed, or do we fight to keep information free?

People who claim this information is a security risk are looking at things the wrong way round.

Re:Information wants to be free

[sporty]

If information wanted to be free, it'd have a will or method of making itself known.

Also, the gov't witholds certain information for our own safty. You don't want people panic'd and making situations worse. It doesn't justify keeping all information classified, but it does justify keeping some of it.

Re:Information wants to be free

[pantropik]

The scary part for me is worrying that people will not get angry -- that the government can cover up any damn thing it wants and the people will just go blissfully along not giving a damn.

Citizens of the U.S. long ago learned to take freedom for granted. 9/11 was a slap in the face. Nothing upsets people more than showing them the error of their ways, in this instance complacency. The knee-jerk reaction seems to be "The government is taking care of it, and they're the United States government so I'm sure whatever they're doing must be okay ..." That reaction seems to be waning now in a few cases and Congress is asking increasingly insistentent questions of the administration. Maybe the power grab is coming to an end and the damage can be mitigated -- or shown to be not as damaging as people fear. Maybe the administration has nothing to hide, but if so why hide it? Bush and his cronies seem to want to hide EVERYthing just for the sake of hiding it.

One of the great things about being a U.S. citizen is supposedly that we don't have to much care or think about our government except to bitch and complain at tax time. The current administration is using that to do what I personally consider some very unAmerican things.

Again, it's not whether things are kept secret, it's what is kept secret. As an example look at how the Bush administration is fighting any requests that they disclose how they've made use of the PATRIOT Act. Look at how the PATRIOT was pushed through Congress without having even been READ by most of those voting (some in MY name) to pass it. Look at how Ashcroft has said, regarding the Freedom Of Information Act, "Try to find a way NOT to give them anything," instead of "Try to find the least worst way to give them what they want."

The current adminstration thrives on obscurity and strongly resists any call for transparency. Apparently we, the people, the unwashed masses, either cannot handle or are too stupid to benefit from disclosure.

What I REALLY want to know...

[Noryungi]

Is what kind of database and what kind of software he has used to create the program that is the basis of his PhD.

On a more serious note, I think his work is great. While it certainly has serious security implications, it could also be used by ISPs, telcos, power companies, etc. to disseminate information on outages and/or find the root causes of problems.

Ah, well... I suppose we'll never see the results... but I do hope he gets his PhD.

Re:What I REALLY want to know...

[robslimo]

I suspect he's using several tricks to discover correlate IP addresses to services providers, to businesses to physical locations and superimposing that data on a traditional map. The geographical info is available from many sources; the trick is tieing all that info together to form a coherent 'big picture'.

Some info on discovering the physical location of a IP address (or multiple IP's in order to form a physical route map) is available here [private.org.il]

Interesting that there is an extension to DNS as described in

Dark undertone

[Gortbusters.org]

Did anyone else think that this article had a dark undertone of government and corporerations looking to lock down information in the name of security. I mean, some of this information is important and may have benefits to the general public.

The scariest line is that they wanted to burn his research. Flash backs of 1984 flashed in my mind.

Not all evil

[Azghoul]

Some people might wonder why in the world you'd need to have maps of electrical grids and fibre lines...

I'm working on the periphery of the emergency response industry, and suffice it to say, any infrastructure data is vital as hell for responding to major natural disasters like quakes, hurricanes and tornadoes.

Tossing all this "scary" data into the classified domain will hammer on emergency responders' ability to effectively map this stuff.

It's vital, and I think the anti-"security through obscurity" comment in the article hits the nail on the head...

Re:Not all evil

[kawika]

Plus, the people who have allowed stupid things to happen (like a single choke point for the information flow of 25 companies) don't like that problem being revealed. I worked for a telecom company in the 1980s that was supposedly providing a redundant link for an AT&T leased line. One day a backhoe cut through the line and our customer found out the ugly secret--we leased OUR line from AT&T, and their "redundant link" went through the same piece of cable!

Instead of hiding this info for "national security" reasons, these maps should be analyzed to death by a program to find and eliminate these kind of problems, or at the very least let companies understand and anticipate these risks.

Re:i don't know about that...

[Azghoul]

Well, that's just it: Classifying data is different from making it sensitive and just not handing it out to anyone. Plenty of data is already designated as "sensitive" (see HAZUS at FEMA for example).

Infrastructure data is often sensitive. First responders can certainly get it. However, if DoD and/or DHS go haywire and classify it, only those with Secret (or better) clearance level can get it.

And your average "first responder" fireman isn't going to possess a secret clearance...

As for currentness, you'd be surprised. Much of the interesting infrastructure (major emergency facilities, dams, etc) doesn't change very often.

Public + Public + Public = Classified

[fuzzeli]

It's very interesting the way that an assemblage of publicly available information is suddenly a matter of national security. This must be based on the assumption that evildoers are never grad students.

Re:Public + Public + Public = Classified

[Hoho19]

I work for Sandia National Labs as a student intern. In August student interns are required to present the projects they've been working on during the summer at a symposium. Each project has to be checked because say a student is working on an airplane lets say or some sort of technology to cover the airplane...well if the student mentions in his presentation that this technology could possibly be used to make an invisible skin for airplanes that presentation all the sudden becomes a classified discussion o

What good would classifying this do?

[bdhein]

From the article, all of the data he compiled was obtained from public sources. If anybody else wanted to replicate the work, it would only take their time. I'd imagine that you could get all the information you need through public records for building permits and right of way use. I mean, squelching the person who took the time to compile it all isn't going to do much good unless you classify every public record the US has for infrastructure.

Just Like In The Movies

[Lagged2Death]

"Tedious and boring?" He's got an application that can actually do some of the stuff Hollywood hackers have been doing for years. How could anyone think that's boring?

"Tank, find a structural drawing of this building. Find it fast."

should some of this information be classified?

[hndrcks]

In a word, No.

Those who would exploit it for ill already have the data, or can easily obtain it. Classsifying the data now would only hide it from those with reasonable use; and would allow for mistakes or security lapses to be covered up.

If you don't think authorities - whomever they might be - won't abuse the privlege of 'classifying' data, then you have some big surprises in store...

Re:should some of this information be classified?

[garcia]

Those who would exploit it for ill already have the data, or can easily obtain it.

Exactly. Should we make flying lessons only for military pilots? Wasn't that what Bin Laden had his militants use when they attacked us?

We are so afraid of this high level of technology being used against us yet the terrorists are using what we consider to be the lowest common denominator to hurt us.

They could have found explosives on the web, or in books, or talked to experts in person, but instead they took flying lessons...

So now we are going to ban research, prosecute those that use encryption, and FUD our children to death in schools over this crap.

Great, soon the kids will be hiding under desks because the Turtle on the DVD said it would protect them from the terrorists...

Just think about it.

Maybe...

[vasqzr]

With all this information, maybe he can tell me when they're going install my damn DSL line...

that's classified information

[boomerny]

we could tell you but then we'd have to kill you - Verizon

Publish or Perish

[Foochar]

The other interesting thing this brings up is the student's right to earn a living and do what he enjoys vs. the national security implications of this. Like he says, putting classified down on a resume doesn't get you very far, especially outside the Military/Intelligence arena.

The other thing is that, yes, he did put all of the together, but according to the article the raw data he used is all available on the internet. Who's to day that Al Qadea hasn't hasn't already done the research to create their own version of his map. In that case this work could very well prove to be a map of what to defend.

Yes but...

[Anonymous Coward]

Correlating information is what gives you the bigger picture. Sure, it might be a secuirty threat as a whole, but it's been made up of snippets of information gleaned individually that probably aren't much use on their own.

Same as a bomb really, component parts are pretty common; chemicals, circuitry. It's about knowing how to connect stuff together to make it a bomb. 9/11 was flying lessons, plane timetables, GPS and box cutters. Each on their own is pretty harmless until you join the dots...

Same with information, connected together in the right way, it's just as dangerous. Ask the CIA or any intelligence agency...

Tom Clancy's work

[boomerny]

the same questions have been asked about some of Tom Clancy's work. I remember reading that he was paid a visit by the FBI asking where he got his classified information, only it turned out everything he used was publicly available. My thought is that suppressing information will not prevent terrorism, only when would-be terrorists change the way they think of the free world will it stop. /rant

Similar website?

[diegoq]

The article mentions an interesting website:

Toward the other end of the free speech spectrum are such people as John Young, a New York architect who created a Web site with a friend, featuring aerial pictures of nuclear weapons storage areas, military bases, ports, dams and secret government bunkers, along with driving directions from Mapquest.com. He has been contacted by the FBI, he said, but the site is still up.

But even with the wonderous google I am unable to find the website that they are talking about.
Anyone know of it?

Re:Similar website?

[kiley]

I think they are talking about the Eyeball series at http://www.cryptome.org [cryptome.org]

It seems to be down right now...but is on my daily reading list.

Re:Similar website?

[Talking Goat]

I forgot to mention this article I found, dating back to December of 2000. Article [about.com]
It explains a bit about Cryptome.

Sigh.

[Billy Bo Bob]

Is everyone forgetting that a part of the price of freedom is safety? An open society is a vulnerable society in some ways. The same vulnerability keeps society safe from itself and its own excesses.

Of course if we classified everything like this no one would have a road map to destruction. But they could still poison the water supply, blow up buildings and cause untold grief. They could still locate some of the bottlenecks themselves and exploit them.

Like so many things the government/corporations seek to classify, the real people they don't want to know are the ordinary people. It puts me in mind of the many "the area bombed last night is classified...we don't want to give the enemy important information" remarks we see. Like the enemy doesn't know they were bombed...

Classified Military info and Novels

[tigersha]

When Tom Clancy published the Hunt for Red October the US Navy wanted to nail him because they thought he stole some confidential info about their submarine ops.

It turned out that he got all his info from public domain sources. And they could not do much about it. He just knew where to search.

Re:The whole story

[benntop]

From the Clancy FAQ:
http://www.clancyfaq.com/Clancy%20contacted%20by%2 0CIA%20and%20FBI.htm [clancyfaq.com]

Re:Classified Military info and Novels

[zenyu]

It turned out that he got all his info from public domain sources.

I saw Tom Clancy's interview on C-SPAN, he said he gets most of his info from the local library. He's been offered consulting jobs by the whitehouse but refuses them because if he had a secret clearance he could no longer divulge info in the public domain since it's all classified.

I had a prof. that once got in hot water because he didn't return a book to the safe at the end of the day, but left it on his desk. He said all it contained was

Use it, don't fear it

[ab762]

As a long-time reader of comp.risks (archive here [ncl.ac.uk]) I remember a lot of problems caused by "redundant" connections that were all routed over the same fiber. I believe that this showed up in the 1999 Hinsdale fire [ncl.ac.uk] amoungst others.

Gorman's work and the access he used is vital - if I'm paying for two links that should be separate, I need to know that I can really check that we have separated physical facilities.

There are a lot more backhoe operators than terrorists - and historically, the chances of a backhoe impact on infrastructure are pretty high.

Guarantees of security

[amorico]

I do not understand why the information would be classified. Our national highways are critical infrastructure, without which we would all be brought to a standstill, yet maps of them are readily available online or at any bookstore.

Could you imagine if the locations of communications infrastructure were classified? Would you need clearance to set up a node? Would you need to pay to have every line technicican get a full background check? This reminds me of the reaction of "security" people when they see WHOIS entries for their companies for the first time. Their foreheads are usually bruised for weeks because of the knee jerking. The first thing they want to do is take it down. They forget that a certain level of openness is neccesary for a system that benefits everyone.

The whole point of a privatised distributed communications infrastructure is that a terrorist or enemy state cannot cripple the entire thing. Now if the people at banks and government insititutions have not done a good job of ensuring redundancy and disaster recovery then it's their own fault. The solution is to fix it, not suppress information about it.

Obviously, no one recommends mailing al-qaeda a copy of the telecom/data infrastructure, but this exposes a major flaw with what's going on and we would be foolish to ignore it or suppress it.

Duh.

[NoData]

From the article:

"This is why CEOs of major power companies don't sleep well these days," [CEO of power co. Pepco Holdings] Derrick said, flattening the pages with his fist. "Why in the world have we been so stupid as a country to have all this information in the public domain? Does that openness still make sense? It sure as hell doesn't to me."

Because security through obscurity is just as brainless an alternative for the physical infrastructure as it is for virtual infrastructure.

Hiding things doesn't make them safe. It makes them safe until found. With the added bonus of fostering the kind of clandestine, repressive, bitter societal climate that our govnt seems bent on pursuing these days.

You want to protect something? 1) Make it less desirable as a target (i.e. take away people's reasons for attacking in the first place). 2) Build in redundancies to dilute vulnerability. 3) Monitor, patrol, survey in an open and visible manner

The Cukoo's Egg..

[bigattichouse]

Cliff S. in "The Cukoos Egg" tails down a spy selling secrets to the russians. Most of the info he steals is *NOT* classified, but by having *ALL* the info, he can piece together something he doesn't know:

1. New fighter being developed
2. Contract awarded to company X
3. Rifle through purchase orders for titanium and other strategic parts.
4. Get shipping info on said parts
5. now you know the facility where it will be built.
6. find airline reservations from company in question
7. look for engineers and test personell.
8. find nearest test base from point of arrival.
9. Fighter X will be built in location A and tested at location B, between arrival date and departure date.


Needless to say, this is why more things have become classified since the early 80's

paranoia

[Kludge]

People are _SO_ freaking paranoid these days. Having access to a database like this could be enormously helpful to a great range of people. But all people think about is, "What will al Queda do with it?"

Since 2000 about 3,000 people have died in terrorist attacks. About 175,000 have died in car accidents. About what should we be worried?

Infrastructure is made of people

[tuffy]

I really don't see how this pile of data is going to help a terrorist. Simply cutting off one or more bits of modern conveniences isn't going to bring society to its knees. If a bridge is destroyed, people will use another 'til it's rebuilt. If phone lines are cut, people will use the post office 'til it's fixed. If the power goes out, people will catch up on some sleep. If the water is contaminated, people will switch to bottled 'til it's safe again.

Killing people causes terror, because nobody wants to get killed. Cutting off infrastructure causes annoyance, because it happens regularly already. And when it happens, people will get by like they always have.

Designed for this?

[Trurl]

I thought the whole point of the Internet, being a packet-switched network, was that it could survive damage... like from nuclear war.

So now we're worried that a terrorist with a scissors is gonna bring it down?

Re:Designed for this?

[hankaholic]

Not "the Internet" as a whole, but if a city's telecommunications access is fed through a handful of isolated fiber lines, then yes, it's quite possible, and that's the point.

My former employer owned one of the first ISPs in Pittsburgh (Pittsburgh Online/Webstation, since sold to Stargate), and once told an old friend who worked at the FBI an anecdotal story about how easily he could rob a given bank. It involved jamming the police band frequencies (easily done with equipment you could build yourself), and arranging an "accident" which knock out the telephone lines to the police station.

When the dispatchers' lines were cut, you could walk into the bank and take your time, confident in knowing that even if the bank called 911 (or their security service made the call), the police could not be notified until communications were restored. The person most aware of the coincidence of the two outages (radio and telephone) would be the dispatcher, and they wouldn't be able to coordinate anything until you were long gone.

I don't know what became of the situation, but I do know that my former employer ended up retelling his tale to some very interested higher-ups in the local FBI branch.

Re:Designed for this?

[mfarver]

I thought the whole point of the Internet, being a packet-switched network, was that it could survive damage... like from nuclear war.

The original research into packet switched technologies was done with nuclear survivability in mind. The folks that built the internet however just took a good idea and ran with it. Since the internet was never designed to be a critical system, very little actual redudancy was built in. As the p2p system have found, its simplier to have "supernodes" where the majority of interconnection occurs. (I believe the internet has about 15 major points, Chicago, Mae West/Mae East, Dallas, New York, etc.

As an aside, all the telecommunications for Milwaukee Wi run thru a massive phone switch in the basement of one of buildings downtown. To take advantage of this nearly every ISP or internet company is located in the same building. When power was interrupted to the building (flooding in the power transformers) nearly all of the ISP service, and a lot of phone service was interrupted.

Does it matter, probably not. You'd piss off a lot of people, make a lot of sysadmins lives difficult, and life would continue. Infrastructure is a valuable part of a society, but people working for a common benefit is the part that matters.. and shy of killing everyone the only way to bring down society is to change every person's opinion.

Hopefully

[stomv]

He's able to leverage the data so that he can see gains (I'm thinking an entire career) while the folks that have lots to lose (banks, utilities, transportation, US gov) pay for him to help show their achilies heels and bottlenecks.

If 25 telcos happen to be sharing the same 'pipe' of fibre, it may not be a terrorist that breaks that connection... regardless of who severs that line, it ain't good for the telcos -- and the telcos should be using his data to reduce risks.

Insurance companies and actuaries for corporations and governments love this kind of stuff, as do operations research people. Tell me how much it'll cost to reduce risk to this level, or: I have $10,000,000 -- how can I spend it to ensure that the worst case scenario isn't as bad.

Hopefully the information doesn't become classified; hopefully, it's used over the next few years to sure up the bottlenecks and other weak points, making the infrastructure far more robust in the following years.

There's a difference...

[tbase]

...between all the pieces of information being publicly available and all the information being publicly available.

From most of the comments so far, it appears the majority of people seem to think that this guy's PhD took about as long to compile as mapping a route from coast to coast with MapQuest. Hello? I imagine there was quite a bit of work put into compiling this information, and that not just anyone would have the time, persistence or devotion to duplicate the complilation. So yes, there is a HUGE difference between the information being available scattered across the 'net and having it all compiled, cross referenced and searchable in one easily downloaded program.

And IMHO, you most definitely can had a compilation of 100% publicly available information be classified as a threat to national security.

And personally, I don't believe there is a "publicly beneficial" use for this info in its compiled form that couldn't be easily be satisfied with the publicly available pieces - if a link is severed, you only need the info for the area of the problem (where the tornado hit, for example), not for the whole country. And the utilities that would be effected and responsible for the repairs would have the info they need anyhow.

I think the biggest value to the public of this information is the fact that it exists and that this can be done. The information itself is only important to those who would protect it or exploit it.

Yes, the time has come for cracking down

[Rogerborg]

After all, IGNORANCE IS STRENGTH.

And unfortunately must give up some of our rights to buy security, or the terrorists will have already won. As we know, FREEDOM IS SLAVERY.

And it goes without saying - although it's been said many, many times recently by our dear Commander In Chief - that WAR IS PEACE.

We must ignore those who would warn us against this [msn.com], and march into the brave new world of strictly one sided Total Information Awareness with flags waving and proudly chanting the pledge of subservience. As Jeb would no doubt tell us, Big Brother knows best.

Classified in the aggregate

[Ricdude]

Sometimes, small bits of information are not considered classified, when taken by themselves. However, when certain critical unclassified pieces are aggregated, the collection of information *is* considered classified. I believe this individual's work may qualify as classified information as just such an aggregate.

Yes, anyone with the time and resources can duplicate the effort, but they'd have to duplicate the effort, and expend the resources. And that's the point. It's not a guarantee that the information will not be collected by adversaries, but there's no point in making it any easier to hand it over to them either.

Too Many Secrets

[Orne]

For the right price, you can just buy the data from Platts [platts.com] - power line rights of ways, water pipes, etc. Once you have the data, you can throw it into any GIS software [esri.com] (purchased for the right price). Example: you need to get the natural gas pipline information to the road repair crews, so when they dig they're sure they won't hit anything [go.com]... all this data used to be open, because noone thought you could do anything with it.

So what if I know where the local 500KV transformer yard is located over the 3rd hill on the left, who in their right mind would want to damage it? Then we realized how many people in the world really aren't in their right minds... I'm not complaining that this data should be bottled up again; what was really lacking was the chain of custody of who accessed the data, and for what purpose.

A couple comments on this...

[stubear]

"Grad Student's Work Reveals National Infrastructure"

Oh my god, we have a national infrastructure? Quick, kill it. Get rid of it. Will somebody please think of the children?

"Grad Student's Work Reveals National Infrastructure"

It took a student earning their PhD to discover this? Should I be worried about the status of the University educational system?

Why not fix our real weak spot?

[Damek]

With all this concern over whether the "terrorists" should be allowed to know where all of our weak spots are, where is the concern for our real weak spot: creating more terrorists? If we could just figure out how to stop behaving so idiotically and stomping all over the world, we wouldn't have to worry quite so badly about being open with our information. Granted, there would still be people who want to do damage, but not nearly as many.

An open, friendly society breeds safety simply by virtue of not pissing so many people off to the point where they want to do unsafe things. On the other hand, greed, power-lust and secrecy just breeds more conflict. With less secrecy, greed and power-lust become a lot more difficult to hide, and therefore more difficult to perpetrate. This information, as well as so much more, should be out in the open.

Besides, if he got it, it already is, as has been pointed out.

Symptoms vs. Cause

[nicotinix]

It strikes me as very odd, that we are so concerned about fighting the symptoms of terrorism rather then eliminating the cause.

The problem...

[pubjames]

The problem is that terrorism is all about using simple means to get effective results. It is practically impossible to prevent all possible types of terrorist attacks.

If you've got an imagination, try thinking about what you would do if you were a terrorist. If you really wanted to create havoc, you wouldn't necessarily do it by stuff like cutting communications cables. What you would want to do is make the man on the street afraid to do basic everyday things. I've thought about it a bit (let me emphasise - just as an entertaining mental exercise!) and I think there are things that a single person or small group could do that would cause chaos in a big city. And they are things that don't require access to any particular technology. Relatively simple things. But I'm not going to post those types of ideas on a public forum like this.

If there is one thing that September 11th should have taught us it is that terrorists don't need access to fancy technology. People are maybe going to slam me down for this, but I beleive one of the main abilities of an effective terrorist is a good imagination and - to use a cliche - the ability to think "outside the box".

So what's my point? My point is that passing laws and banning things (and invading countries and dropping bombs) isn't the best way to combat terrorism.

Terrorism is a symptom of a disease. You can try to combat the symptom, but it will never be cured if the disease is not cured. I always thought that they way Tony Blair and the rest of them tackled the Northern Ireland situation was very sensible. They did not take the easy route - the easy route is to say "we will not be influenced by terrorists", and "shoot to kill" - that was Thatchers approach. It didn't work. More recently, the actual disease has been tackled rather than the symptoms, and although there isn't peace in N.Ireland yet, things are much better now than they were a decade or so ago.

I'm afraid that Bush is taking the "hard man" approach to terrorism like Thatcher did. I'm afraid that the war on terrorism is going to be a very long one.

He'll get a job

[tevenson]

They make it sound like it will be hard for him to get a job because most of his dissertation won't be published. I think that's probably completely wrong.

Even though it does suck that he can't release it in its original form; he'll have absolutely no problems finding a job. If that many large financial corporations were concerned about their communication infostructure surely one (if not all of them) are scratching to hire him.

If all he wants is money and no real academic prestige this is great. Otherwise, it wouldn't be fun to be in his position right now

It used to be

[ONU CS Geek]

public knowledge that you could find a few rogue backhoe operators in Columbus, cut some copper and fiber on Compu$erve's network, and kill every credit card transaction in the US, as they all went through CS's network.

Ask anyone who's been a phone guy. We don't fear lusers, we don't fear over-zealot bosses, we fear backhoes.

I also have a real problem with classifying/patenting things that have been funded with educational dollars. OSU has patents on what their grad students have done for their Ph.D stuff, and I'm not sure I really like that. Those students were receiving government grants to fund their research, and now, the public is 'protected' by it...even though they paid for it.

Ironic

[Anonymous Coward]

Big corporations have been compiling huge databases and mining them for interesting and very valuable information about individuals for a long time. It should not be a surprise to anyone reading slashdot that given a social security number and access to the right databases, it's not hard to discover enough about you that you'll feel that your privacy and security have both been seriously compromised.

So it's a little bit funny that Sean Gorman has apparently compiled and mined a big database full of information on corporations and government, and that it scares the pants off them. I'd like to think that in the long run, Gorman's work might inspire some hard thinking on how and when databases can be compiled and combined, and this might eventually lead to greater protection for both our national security AND individual privacy.

In Soviet Russia...

[FunkyOldD]

Sorry, couldn't resist. I grew up in the USSR where everything was classified - so here is a map story for you.

Map information was classified and map publishers were required to add deliberately inaccurate information to their maps. You would have whole cities that were not on the map or shown a couple of hundred km away from their real location. This was done in the name of national security, so the enemy (US) would not be able to use maps to plan a nuclear strike or sabotage military installations.

The enemy of course just used satellite imaging to create their own maps and ended up with better maps of Russia than the Russians had. In the 80s folks who needed maps (geologists, archeologists, hikers, ...) would try really hard to get their hands on foreign made maps, because they were so much more accurate.

Security by obscurity is counterproductive...

Traceroute as a terrorist tool?

[Mordant]

Look, I haven't seen his work, but this article and the previous one cited both seem hype-ridden and reek of cluelessness.

I mean, it's great that here in America someone can actually get a PhD by doing a lot of traceroutes and then using gnuplot of whatever to overlay the data onto scanned images of telco fiber-maps or whatever, but the whole premise of the article - including the moronic comments about how the guy shouldn't be allowed to leave the building with the laptop (maybe I have too much faith in humanity, but I can't imagine anyone making such a stupid comment other than in jest) is much ado about nothing.

This information has been available for years, and continues to be available; it's just that this guy has nothing better to do than sit around collating it and putting it into MySQL or somesuch. So what? Terrorists aren't interested in blowing up the Internet - they're interested in blowing up -you-.

So does this mean that I can now justify a PhD by sitting around correlating MapQuest thumbnails with wardriver plots open WiFi APs, or something, and then claim I'm mapping possible 'nodes of anonymous 'terrorist Internet access'? Sign me up!

Think about it.

Secrecy decreases security

[MountainLogic]

When it comes to static hazards such as infrastructure secrecy decreases security. You can't really keep the location of a dam or fiber optic line a secret. Large structure such as dams are visable from space and the phone company puts bright yellow signs every 20 feeet alerting you where to find their cable.

True security comes from risk reduction and mitigation. In the case of the dam (or chemical factory or other dangerous installation) the people who might be affected by a dam colapse need to know what kind of danger it is. They should have been told about the danger it posed BEFORE it way built. You can't keep the location of that dam secret so why try? And terrorist are the least likely cause of most earth dam failure.

As for the fiber optic cable, you should assume that it can fail. I don't know about terrorist, but I do know that Joe farmer is going to be digging a ditch and WILL cut through a critical cable this year. If the phone company does not have a redundent solution then the end-users need to know about it so thay can plan for that kind of failure.

Many eyes makes for quick risk reduction

Finally, lets put 9/11 in perspective. While any loss of life is tragic, we lost the equivelent of several weeks of smoking deaths to 9/11. The economic distruction was less than a few weeks of a war in the middle east. The thing to keep in mind is that this is terrorism not war. The goal of terrorism is to inflict terror not destruction. They could have done more economic damage by blowing up a few "uneffective: car bombs in front of shopping malls the day after Thanksgiving with little risk to the terrorist. Why haven't they done something like that? It's been two years and nothing happened. Something will happen again, but there is so much good we could be doing with our talents and time rather than frittering it away on tin-hat paranoia. Let's fix the few glairing problems, reduce risks from all sources (those old toxic solvent drumbs in the back of your company for example) and move on.

Miss Utility

[bleh-of-the-huns]

Simply calling miss utility will give you most of the information about gas lines, power lines, fibre lines etc, in fact, before you do any construction, by law you have to call Miss Utility (stupid name, and I think they are changing it now too), who then go and notify the relavant parties (power, gas, telco), who then come out to mark with chalk or paint, exactly where their lines run in that area.

And there is no way they can classify that info, else you would have to get ALL building contractors, electricians, basically everyone who wants to do any digging or construction, clearances.

Building permits and architectural diagrams are also publically available, aerial maps are out there too.

There is just really alot of info that is freely available that must remain that way for our society to function.

Rather then shutting this poor student up, they should try to resolve the problems, not keep it quiet.

a few thoughts on why classifying this is a waste

[Major Tom]

1) As many people have pointed and will continue to point out, classifying the report won't make any difference because people can re-create the work. And this wouldn't take much effort, because an attacker has no need to map the entire US, they can pick whatever area is convenient for them.

2) Slowing down internet connections doesn't scare people. Temporarily cutting corporate offices off from the grid doesn't scare anyone (save, perhaps, the CEO). Think how much more terror-bang a terrorist could get for his buck with a 9mm in mall. That would terrify people and significantly damage the economy. Attacking communications infrastructure isn't "terrorism," it's something else. It's guerilla warfare, directed against an economy rather than a person, I suppose. If our "war" descends to this point, we are totally screwed, as it is impossible to defend (or even think of) all the economically "soft" targets.

3) In the end, the security of all civillians and civillian infrastructure depends on good will. Well, that, and fear of punishment. But the latter doesn't apply to acts of international sabatoge and/or murder. I am sick of all this talk about defending our civillian infrastructure, securing the homeland, etc. It can't happen. Until there is a soldier in body armor with a rifle every few yards down every street in the USA, this goal will not be achieved. That isn't the society any of us want to live in. We haven't put any effort into civillian security up to this point, and I say: Good for us. We didn't need to, because the general good will of human beings was protecting us. Our effort would be better spent restoring *that* state of things, rather than moving toward the soldier-on-every-corner model. For those who would like to call me naive, I ask you: why has there not been an attack on soft infrastructure before? Why has there never been a wave of men with 9mms in malls? These things are undefended. The only reason it hasn't happened is that no one ever wanted to do it.

Three good reasons why it is a waste of time and effort to classify this fellow's dissertation. I'll let others cover the reasons why classifying it is damaging to security, an open society, and democracy.

Data Mining, Synergy, Unpredictability

[Badgerman]

What we see here is a combination of simple things building up. Information here, information there - but add the tools to combine it all together, and suddenly said information is a lot more meaningful and powerful.

It's not just the data. It's not just the technology. It's what you get when you combine them, mine the data, and find something that isn't there originally.

The problem of regulating this, of course, is that the various sources of information are "innocent," and that information itself can be deceptively harmless until you combine it with something else.

So what do you do? You can't control the information, you can't know what to control, you can't outlaw the process. Welcome to the 21st century, where Data Mining is our new concern.

As an IT professional, I've had to deal with much lesser concerns of the same nature - what happens when you combine and mine data. A simple-to-create synergy can reveal far more than the data sources it uses, and that synergy has to be treated as a completely different thing when it comes to concerns over access, availability, etc.

The security folks are ignoring the obvious.

[qtp]

I amazes me how often the bureaucrats in the Intelligence Comunity [intellegence.gov] ignore what they already know.

The nth Country Expiriment [thebulletin.org] proved that once knowlege is available to the public, and similar results can be obtained without knowlege of the methods used in previous successes.

If this grad student could compile this information, then so could sombody else, and it's probable that sombody already has.

This information should be used to point out the weaknesses inherent in our infrastructure, and show where this infrastructure needs to be diversified. IMHO, attempts to improve security by centralizing comunications and power distribution are doomed to failure, and will only make us weaker. Micro supliers [go.com] and home based [slashdot.org] power generation would make terrorist attacks against the power grid inconsequential. The weaknesses in comunications infrastructure can probably only be cured by creating a third alternative (community high-band?) to the cablemodem and telephone company monopolies on delivering service.

Richard Clarke: Idiot

[phliar]

Well, that's being charitable. This comment is indicative:

"He should turn it in to his professor, get his grade -- and then they both should burn it."

This is not some term paper; it's a PhD dissertation, i.e. original research. (The question about whether or not PhD dissertations are always original or are research is a separate discussion.) The whole point of research is to add to the store of knowledge we possess. Furthermore, the use of the word burn is a little too chillingly reminiscent of Fahrenheit 451.

Another way of looking at it is that this is yet another attempt by the government to oppress us by suppressing impression. However I have a pragmatic view: all this information needs to be public anyway. (If I want to dig a ditch, wouldn't the owners of underground fiber want me to know where it is?) We can never have absolute security if we don't want to become a police state. So instead of screaming hysterically about the sky falling, why don't we think about the underlying causes of terrorism? Why would someone go to all this effort to hurt us? These are not script kiddies.

Disclaimer: I too have one of these here PhD dissertations under my belt. And I'm sure every dissertation has at some point been called tedious and uninteresting; I know mine has!

Re:How is this..

[elem]

I don't think you really got the point here.

This has nothing to do with any operating systems or computers.

You can easily criple companys and national infrastructure just by knowing the few substations and fibre switchs that need to be brought down. No power, no phone, no net.... oh dear.

It is not a threat

[WindBourne]

It is easy enough for anybody to find out anything that they want about the US, but it is not due to ease of access. It is that we are a hetergenous society. Anybody can move easily here and simply look. This article, and some of people act like this info is difficult to obtain. It isn't. Want to locate fiber optics? Follow the rail system, the high tension power lines, and the highways. The installation involved obtaining ROWs which were almost always easier to follow other ROWs. As to finding out a set of central offices, simply get a job at a rboc or a power company. Once inside the company, the info is freely available.
For those who think this is bad, look at the old soviet union. Even for all their hard security (which seems to be the direction that we are headed), we knew most of their soft spots. So even if we truely implement the same society that Soviet Union had, we would still be a main target. Any time you have fixed assets, it is a target. period.

Re:Pff... I don't know why this is so interesting.

[Zathrus]

Why on earth was this modded up as insightful? It's not insightful, it's completely offtopic. It's gobbleygook that has nothing at all to do with the article.

Similar things have not been done -- Mapquest doesn't offer anything like this. Sat images don't give this information, and this isn't at all about "getting from Point A to the mall". Nor does it have anything to do with business or marketing, excepting that the entirety of our economy is now dependant upon this seemingly irrelevant infrastructure.

Th