
ICG Risk Blog - [ InfoT Public ]

NASA's Air Travel Piracy PPT: Learning good things from bad ideas


It is possible to learn good things from bad ideas. Remember DARPA's aborted futures market, Policy Analysis Market (PAM), that was going to be an absolutely great futures tool for risk analysis in the Middle East? (Too bad that its examples ('How long will Jordan's King Hussein survive?') were a PR disaster and led to its being killed off -- along with Poindexter.) Well, NASA was moving along another ill-fated line towards air piracy detection tools.

NASA's gaffe, beyond the request for massive volumes of private consumer data, was its Air Travel Piracy PPT that NASA presented to Northwest Airlines in December 2001 for the purpose of obtaining "system-wide Northwest Airlines passenger data from July, August, and September 2001." You can read an HTML copy of the Air Travel Piracy FOIA Documents (also included at the end of the PPT are two associated documents, including the written request from the Chief of NASA's Aviation Systems Division).

NASA's purpose was to perform a proof-of-function to use both data-mining and "brain-monitoring" technology installed at airport terminals in an effort to identify "threats." The proposed brain-monitoring technology would detect EEG and ECG signals from the brain and heart and then have that data analyzed by software, in combination with previously-floated plans to cross-reference passengers' travel history, credit history, and other information from hundreds or even thousands of databases as part of the Computer-Aided Passenger Pre-Screening (CAPPS) program.

Yes, NASA's Director of its Strategy and Analysis Division, Robert Pearce, disavowed the report in a press release, noting that "NASA does not have the capability to read minds, nor are we suggesting that would be done." Yet another NASA spokesman, Herb Schlickenmaier, confirmed that reading the brainwaves and heart rates of airline passengers was a NASA goal. The idea was that such data combined with body temperature and eye-flicker rate could make a feasible lie detector. Furthermore, the PPT NASA presented to Northwest in December 2001 did speak of "Non-invasive neuro-electric sensors under development as a collaborative venture between NASA Ames and commercial partner."

A few foils of the PPT are blacked out but it gives one a feel for the types of data and process that NASA envisioned - and now appears to have dropped.

There are some good things in the area of more prosaic detection that we can focus upon.

Gordon Housworth

InfoT Public  Infrastructure Defense Public  



Feeble cure for personal/small business DDoS attacks


There is much of use in "In search of a cure for DDoS attacks." It starts with how vulnerable you are and how little recourse, technically or legally, that you as an individual or as a small(er) business have and what prosecution hurdles you have to jump. It points out some documentation steps such as ensuring that your server can produce logs for possible forensic follow-up. It brings up the matter of which apps you connect to and how far they reveal your IP address. We use a good backbone provider which goes to reasonable lengths to keep bad things off its pipe and give away the minimum. Given that the tools are so easy to obtain, you might refrain from any "road-rage" comments that would draw an attack.

In search of a cure for DDoS attacks
By David Berlind,
Tech Update
March 18, 2004

Gordon Housworth

Cybersecurity Public  InfoT Public  



Missile defense, not terrorism, was Rice's topic for aborted 11 September speech


I like to say that the hole is as interesting as the donut, perhaps more so in intel terms. The 11 September speech that Condi Rice never gave was on missile defense as the cornerstone of a new US national security strategy.

"The text also implicitly challenged the Clinton administration's policy, saying it did not do enough about the real threat -- long-range missiles."

The mention of terrorism was one of the rubrics of the day, a WMD threat from rogue nations. It made no mention of al Qaeda, Osama bin Laden or Islamic extremist groups.

That focus was an administration constant.  Just four months earlier, in June 2001, the president's five top defense interests in his first speech to NATO heads of state in Brussels were, in order:

  1. Missile defense
  2. NATO's relationship with Russia
  3. Common US-European working relationship
  4. Increased NATO defense spending
  5. NATO's enlargement with former East European countries

Al Qaeda operatives were, at that time, in flight training and final preparations for 11 September.

Rice did give her postponed speech in April 2002, but missile defense was gone. In its place was international terrorism -- the stateless kind.

We should expect more materials to emerge and for them to figure in Rice's questioning under oath before the 9/11 Commission.  Rice is a gifted speaker.  She will need to put those skills to use.

Top Focus Before 9/11 Wasn't on Terrorism
Rice Speech Cited Missile Defense
By Robin Wright
Washington Post Staff Writer
Thursday, April 1, 2004; Page A01

Gordon Housworth

InfoT Public  Infrastructure Defense Public  Terrorism Public  



Profiling the Amerithrax perpetrator(s)


The FBI linguistic and pre- and post-offense behavioral assessments of the person responsible for mailing anthrax letters on September 18 and October 9, 2001, paint a picture of a lone male domestic terrorist, a loner with a grudge, or possibly a bioevangelist ("someone with experience in the bioweapons arena who believed the U.S. government and public were oblivious to the magnitude of the potential threat from bioterrorists").

But profiling is an approximating science. I am reminded that the profile in use by the Unabomber Task Force in 1991 was substantially revised years later based on the Unabomber’s writings. While the Unabomber, Theodore Kaczynski, was said to have "startling similarities" to the FBI profile at capture (male Caucasian, highly educated, quiet, antisocial, meticulous) there were (had been) significant variances:

Much older (by more than a decade).
Quite unkempt in appearance (assumed to be very neat as well as meticulous).
Underestimated intelligence (revised sharply upwards by the Manifesto).
Modus operandi (Manifesto pointed to non-reliance on, or rejection of, technology).
Residence (Montana as opposed to assumed Northern California).

Perhaps the Amerithrax profile is spot-on this time.  It would appear that a foreign terrorist or multiple terrorists are not being considered at least in the official, unclass press. There is a blizzard of pro and con commentary on this profile, along with claims of investigative bias and discounting of Muslim-related terrorists. I admit to a great curiosity as to the justification of FBI's apparent focus on a single individual.

Renaldo A. Campana, then Unit Chief of the FBI's Weapons of Mass Destruction Countermeasures Unit, said at an emerging bio-threat seminar sponsored by GWU and the Potomac Institute on 16 June, 1998:

"The closest I've ever come to biological-chemical issues is when the toilet on the 37th floor gets backed up. So let's keep it in the right kind of perspective. The job of the FBI is really to deal with the crisis when it involves weapons of mass destruction… [What] do you consider to be… the largest and most important threat to the United States today? Please. Who do you think? Foreign-directed terrorist, individual, white extremist, black extremist?... Let me tell you. Let's get back to reality. It isn't the Middle Eastern people. It isn't white supremacists. It is the lone individual, lone unstable individual. That, statistically, from the cases that we have, is the biggest threat right now."

Leave aside how frighteningly wrong that was, even back in 1998, and how clearly unskilled FBI agents were in dealing with bioagents during the 2001 anthrax investigations. Authorities may have valid reasons for adhering to this profile, but I am still struck by the continued attachment to the domestic loner to the exclusion of all other candidates, foreign and domestic.

And then there is the question as to where did the perp or perps go, why did they stop, and if they didn't stop, why were they deflected and when will he/they strike again?  Richard M. Smith spoke to some of the possible reasons why the anthrax attacks stopped after October 9, 2001:

Fear of capture.
Lapsed access to supply and weaponized production equipment.
Achieved goal in the 2001 attacks.
Failed to achieve goal and is seeking other means of delivery.
Dead after accidental infection.
US anti-terror operations affected ability to conduct future attacks.
Planning for a larger-scale attack.

I am struck by similarities to investigators’ theories over a six-year Unabomber silence: "He'd committed suicide, was serving time for an unrelated charge or was busy perfecting his technique."

I will be one among many following the FBI's progress between now and June/July. If a single individual -- domestic, foreign-resident, or foreigner -- did produce a genuinely world class weaponized anthrax, he will have pulled off a project worthy of a state sponsored anthrax program.

Gordon Housworth

InfoT Public  Infrastructure Defense Public  Strategic Risk Public  Terrorism Public  



Senate anthrax powder: State of the art


My 4 Dec 2003 note has renewed relevance now that Amerithrax investigators are said to be "at a 'critical' and 'sensitive' stage and could unearth significant leads by early July."

Gary Matsumoto's article in Science magazine, "Anthrax Powder: State of the Art?" drew together many threads -- especially over recent months with regard to nanoglass technology used in computer chip manufacture, specialty paints and pigments -- to paint a picture of supreme skill and manufacturing prowess in the making of the anthrax used in 2001 against the Senate office building.

[Note that while the article is subscription-based, it has been mirrored at sites such as url1 and url2. Cryptome has an HTML text version -- smaller than the PDF but no photos.]

Even by hardened WMD standards, the Senate weaponized anthrax was off the charts in lethality. As great a master as D.A. Henderson said, "It just didn’t have to be that good" to be lethal.

The problem was not just how lethal it was, how leading edge it was, who could make it (here or offshore), but how its lethality could be obscured, even denied, for so long.

Early in the investigation, the FBI voiced the view of a consensus of military and civilian biodefense specialists that only a sophisticated lab could have produced the material, that it was "weapons-grade" of exceptionally high spore concentration, uniform particle size, contained silica to reduce clumping, and was electrostatically charged to create an "energetic" aerosol.

Then the FBI about-faced to the opinion that the material could have been made by a knowledgeable person or persons with run-of-the-mill lab equipment on a modest budget. Now the anthrax contained no additives, had large particles, agglomerates (lumps), substandard milling. The prince had turned into a toad.

The Armed Forces Institute of Pathology (AFIP), however, would not back off and reported that its mass spectrometry analysis found extraordinarily high silica counts in the anthrax.

Nonetheless, the Justice Department locked onto a "person of interest": Steven J. Hatfill, a virologist and physician who conducted Ebola research at Fort Detrick, Maryland (which houses the U.S. Army Medical Research Institute of Infectious Diseases). Leaks to the media did everything but convict Hatfill as FBI and Justice pursued the idea that an individual or small group with limited means could have produced it.

One of the FBI’s most senior scientists, Dwight Adams, then makes the claim that the silica in the Senate anthrax had occurred naturally in the organism’s subsurface spore coat. That unfortunately contravenes the body of anthrax knowledge available to many microbiologists.

To support the small/rogue team hypothesis, the FBI charged a skilled team at Dugway Proving Ground, Utah, with the effort to produce a similarly high-grade anthrax without silica on a modest budget. No success as the Dugway effort only produced a coarse product that stuck together in little cakes.

The Senate anthrax is now revealed to be more advanced than any known weaponized product in US or Russian inventory -- it is the unclass, world-class state of the art in anthrax as it contains:

(1) Virulent Ames strain of anthrax

(2) Extraordinarily high spore concentration

(3) Uniform particle size

(4) Silica to reduce clumping

(5) Polymerized glass (nanoglass) coating to anchor the silica to the anthrax

(6) Electrostatic charge for "energetic" aerosol

It is now believed that this level of weaponization demands equipment worthy of a state-sponsored lab.

It is tantalizing that one of the few firms making "electrohydrodynamic" aerosols for inhalation drug therapy is BattellePharma, Battelle’s pharmaceutical division. Battelle also has a "national security division" that produces bioweapons, performs bioaerosol research, and manages certain US facilities. No "person of interest" has been found at Battelle.

There are now massive questions over the provenance of the Senate anthrax. If it was made in the US, then who, where, and why? If it was made offshore, or sanctioned from overseas, then a state of war should exist.

Gordon Housworth

InfoT Public  Infrastructure Defense Public  Weapons & Technology Public  



Amerithrax investigation progress outed by Hatfill trial postponement


It would appear that the only reason that the heightened expectations of the Amerithrax investigation -- said to be "at a 'critical' and 'sensitive' stage and could unearth significant leads by early July" -- came to public notice is that authorities briefed a federal judge who then granted a six month postponement of the defamation suit brought against the Justice Department and the Attorney General by Steven J. Hatfill. Heretofore the judge had been aggressive in seeing that Hatfill had his day in court.

The judge was apparently told that likely sources have been narrowed to a short list of labs, including Fort Detrick, Maryland, Dugway Proving Ground, Utah, and Louisiana State University. Results are expected in June from "a sophisticated battery of tests" that will hopefully identify the lab that produced the anthrax. I also wonder how much is test and how much is psychological warfare on the perp. I assume a mixture of both.

What I found intriguing was that some of the unnamed law enforcement sources doubted that the team will find sufficient evidence to make a case, i.e., even if the laboratory is pinpointed, it may not be clear who had access to seed material and who made the finished product -- not necessarily the same person although the feds are publicly holding out for the lone perpetrator.

Judge Delays Lawsuit To Help Anthrax Probe
By Carol D. Leonnig and Allan Lengel
Washington Post Staff Writers
Tuesday, March 30, 2004; Page B02

Gordon Housworth

InfoT Public  



Clarke's vision of securing the net


It appalls me that we have overlooked Richard Clarke's recommendations in cybersecurity as we have in other areas. I would agree with all of Vamosi's comments in "Richard Clarke: He could have secured the Net," save for his disagreement over the potential for a digital Pearl Harbor.

I think that something with at least a small "p" is possible -- and that opinion rises if I consider a concentrated attack on one critical element, given that the 2003 Federal Computer Security Report Card (9 December, 2003) scored the critical 24 federal agencies into an overall D grade from an F -- after four years of scoring, and that those still getting an F are the departments of Homeland Security, Energy, State, Justice, Health And Human Services, Interior, Agriculture, and Housing And Urban Development. (Defense got itself into the D category along with Transportation, GSA, Treasury, Office Of Personnel Management, and NASA.)

"Had Clarke's proposals been taken seriously, all broadband users would have antivirus and firewall protection, and we might not have endured the MSBlast worm meltdown in August of 2003 nor be dealing with these pesky e-mail viruses right now. Microsoft might also be talking about releasing a version of Windows XP that had been independently proven to be secure (instead of us just taking the company's word that it's secure). In retrospect, we're no better off today, and perhaps we're actually worse off, than before the [National Strategy to Secure Cyberspace] existed."

Clarke further suggested that the government procure "only computer products certified by the National Intergovernmental Audit Forum (NIAF) testing program," but it was dropped as excessive regulatory intrusion.

With Clarke and his former reports departed, we now have no one with the breadth and vision needed to craft and lead a cybersecurity mandate. DHS is in disarray. As Peter G. Neumann observed:

"Technology alone does not solve management problems. Management alone does not solve technology issues. Reducing risks is a beginning-to-end, end-to-end system problem where the systems include all of the relevant technology, all of the relevant people, and all of the dependencies on and interactions with the operating environment, however flawed and complicated. But those flaws and complexities must be addressed systemically."

Not an easy thing to achieve on the best of days.

See 2003 Federal Computer Security Report Card

and IT Security Gets First Passing Grade — Barely
Published: December 15, 2003
Federal Times

Also these -- what might be called Clarke's legacy:

The National Strategy to Secure Cyberspace

National Strategy for Physical Protection of Critical Infrastructures and Key Assets

Richard Clarke: He could have secured the Net
By Robert Vamosi: Senior Associate Editor, Reviews
Friday, March 26, 2004

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  



Networked sensor cloud of trailing, ever-present data


"In 2015: sensors everywhere, computers invisible" describes a Gartner prediction that:

"[By] 2015, passive tags would begin to inhabit every non-trivial object, and every thing could be identifiable and located. Active, intelligent wireless networking and sensing devices will cost less than 50 cents. The sensors would run low power CPUs, have wireless and sensor chips, ad hoc networking algorithms, and gain power from the electromagnetic spectrum. In addition, the majority of computers will be invisible and disposable."

My experience with Gartner predictions, as with most predictions, is that the implementation glide slope is rarely as quick as predicted (often for societal drag in adoption as much as technology maturation) and that the development slope is not uniform across all technologies (some items hit snags, technical and regulatory, while others accelerate).

As long as one keeps this in mind and never forgets George Box's admonition that, "All models are false, but some models are useful," the prediction has merit. For my part I use a technology food chain analysis over time to see what items are advancing and which are bogging down (and where a "fix" is often in an unstudied, unrelated technology not under examination in the lagging segment).

In this case, the intelligent network tipping points are said to be "the availability of smaller, cheaper sensors, as well as two new breakthrough networking technologies: ultrawideband and WiMax (802.16). Ultrawideband creates a fast wireless connection that consumes about 10^-4 the power of a cell phone, and WiMax promises 70 megabits per second across a 30-mile range."

While this article speaks to the fact that "[n]etworks have very long memories," creating a trailing cloud of data "that never gets deleted and gets backed up," it does not speak to the more malicious security aspects by which terrorism and 'garden variety' espionage can exploit the network.

Following this prediction to its conclusion makes the TSA's current CAPPS II effort seem quaint by comparison, but that is not to say that this particular level of data acquisition is acceptable as any nominally free society sanctions a certain level of approval, a willingness perhaps, to be knowingly monitored.

What I do see continuing is that commercial firms will continue to pursue data harvesting and analysis strategies that will be in turn harvested by government. Government can or will, depending upon your point of view, then integrate its own technology food chain.

In 2015: sensors everywhere, computers invisible
By Dan Farber,
Tech Update
March 30, 2004

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  



Outsourcing to increasingly IP hostile areas


If you are a producer -- or a consumer that has such a producer embedded in your supply chain -- you should hear an alarm bell warning of rising intellectual property theft in "Will India price itself out of offshore market?" with respect to migration of outsourcing from India to China, Romania, and Russia.

The Indians have been content with producing a more competitive product without stealing the IP itself. There will be no such compunction in the PRC and eastern Europe. Firms that use code -- and that means all the way down to embedded controllers in 'hard' industrial components and systems -- will be at risk if they do not protect themselves.

Rising Indian salaries coupled with greater US demands for cost savings will prompt US firms to evaluate other lower cost regions.  Even some Indian firms have commenced offshoring their own work to China:

"Tata Consultancy Services, one of India's four largest exporters of software, has begun to offshore its staff," the American Electronics Association says in a new report. "By 2005, TCS plans to have 3,000 software engineers in China, or 15 percent of their global work force."

While the bulk of current US offshoring is seconded to India, a spike in regional risk on the subcontinent would accelerate a shift elsewhere.  And while it is true that some US vendors will follow a risk-averse path and keep application development and data concentration within US borders, I believe that cost pressures will overcome that fear for most firms, and so continue to put their intellectual property in very poorly controlled areas.  My risk calculus for software vendors rises significantly.

Will India price itself out of offshore market?
Mike Yamamoto
March 29, 2004, 4:00 AM PT

Gordon Housworth

InfoT Public  Intellectual Property Theft Public  Strategic Risk Public  



Outsourcing without thinking about risk


Unless you are of Herculean calm, the salient message of "Gartner CEO to CIOs: Embrace offshoring or else" is Gartner's blunt admonition that "Not only IT's rank-and-file jobs are at risk; even IT leaders could be out of their jobs if they aren't looked upon within their organizations as the go-to people on outsourcing" will most likely hurl you into outsourcing without further investigation or resistance.

Only the very few will have the presence to decide to do it in a safe(r) and productive manner so that they protect their firm's intellectual property against theft and diversion.

"Fleisher recalled how the U.S., during previous economic transitions, has embraced outsourcing in order to retain its position as an economic power and leading generator of domestic job creation. 'Technology has driven massive change in how the labor force is deployed since the coming of the industrial revolution,' said Fleisher. 'Western economies have been uniquely successful in navigating each wave from agriculture to manufacturing and then from manufacturing to services. Millions of jobs have been altered or disappeared in the process. Yet, millions more have been created.'"

True, but previous waves did not suffer an intellectual property theft posture on so grand and strategic -- and invisible -- a scale.

Gartner CEO to CIOs: Embrace offshoring or else
By David Berlind,
Tech Update
March 29, 2004

Gordon Housworth

InfoT Public  Intellectual Property Theft Public  Strategic Risk Public  


