Slashdot Mirror
Grad Student's Work Reveals National Infrastructure
CodeHog writes "The WP reports about a student working on a PhD and how it relates to national (US) security. Very interesting that he has been able to get all this information. It raises some very challenging questions, should some of this information be classified?"
You're either "land of the free", or you are not. So either live up to the hype, or change the tagline. Can't have it both ways, with a closed society fueled on fear, claming to be "free".
[jole]
After this kind of publicity, he'll have some job offers coming in, I guarantee it.
I'd tell 'em to classify it all they want, just looks BETTER on the resume...
For instance, this is not the first time Sean Gorman has been talked about:
Article in Science Daily
Plus, someone with the same email address has posts in rec.sports.rowing...
The bottom line is that if you know where to look, you can find out lots of stuff. Classifying this guy's dissertation isn't going to prevent someone else (from anywhere on the planet) using the same tools he did to do the same things he did.
We either have to control all information (hello, Mr. Orwell!) or accept that information can't be controlled and plan accordingly. It's been said many times before, but security through obsucrity just doesn't work.
libertarianswag.com
You cannot keep information like this secure forever, or even very long. Someone will always have this information. The question is, will we allow the US government to to deprive us of our liberties to the extent that the gov't really can keep this information for ourselves, and only let it out when it's in their interest for a building to get bombed, or do we fight to keep information free?
People who claim this information is a security risk are looking at things the wrong way round.
A hen is only an egg's way of making another egg. -- Samuel Butler
Is what kind of database and what kind of software he has used to create the program that is the basis of his PhD.
On a more serious note, I think his work is great. While it certainly has serious security implications, it could also be used by ISPs, telcos, power companies, etc. to disseminate information on outages and/or find the root causes of problems.
Ah, well... I suppose we'll never see the results... but I do hope he gets his PhD.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
From the article, all of the data he compiled was obtained from public sources. If anybody else wanted to replicate the work, it would only take their time. I'd imagine that you could get all the information you need through public records for building permits and right of way use. I mean, squelching the person who took the time to compile it all isn't going to do much good unless you classify every public record the US has for infrastructure.
In a word, No.
Those who would exploit it for ill already have the data, or can easily obtain it. Classsifying the data now would only hide it from those with reasonable use; and would allow for mistakes or security lapses to be covered up.
If you don't think authorities - whomever they might be - won't abuse the privlege of 'classifying' data, then you have some big surprises in store...
Everyone will start to cheer when you put on your sailin' shoes.
Correlating information is what gives you the bigger picture. Sure, it might be a secuirty threat as a whole, but it's been made up of snippets of information gleaned individually that probably aren't much use on their own.
Same as a bomb really, component parts are pretty common; chemicals, circuitry. It's about knowing how to connect stuff together to make it a bomb. 9/11 was flying lessons, plane timetables, GPS and box cutters. Each on their own is pretty harmless until you join the dots...
Same with information, connected together in the right way, it's just as dangerous. Ask the CIA or any intelligence agency...
Is everyone forgetting that a part of the price of freedom is safety? An open society is a vulnerable society in some ways. The same vulnerability keeps society safe from itself and its own excesses.
Of course if we classified everything like this no one would have a road map to destruction. But they could still poison the water supply, blow up buildings and cause untold grief. They could still locate some of the bottlenecks themselves and exploit them.
Like so many things the government/corporations seek to classify, the real people they don't want to know are the ordinary people. It puts me in mind of the many "the area bombed last night is classified...we don't want to give the enemy important information" remarks we see. Like the enemy doesn't know they were bombed...
Gorman's work and the access he used is vital - if I'm paying for two links that should be separate, I need to know that I can really check that we have separated physical facilities.
There are a lot more backhoe operators than terrorists - and historically, the chances of a backhoe impact on infrastructure are pretty high.
I do not understand why the information would be classified. Our national highways are critical infrastructure, without which we would all be brought to a standstill, yet maps of them are readily available online or at any bookstore.
Could you imagine if the locations of communications infrastructure were classified? Would you need clearance to set up a node? Would you need to pay to have every line technicican get a full background check? This reminds me of the reaction of "security" people when they see WHOIS entries for their companies for the first time. Their foreheads are usually bruised for weeks because of the knee jerking. The first thing they want to do is take it down. They forget that a certain level of openness is neccesary for a system that benefits everyone.
The whole point of a privatised distributed communications infrastructure is that a terrorist or enemy state cannot cripple the entire thing. Now if the people at banks and government insititutions have not done a good job of ensuring redundancy and disaster recovery then it's their own fault. The solution is to fix it, not suppress information about it.
Obviously, no one recommends mailing al-qaeda a copy of the telecom/data infrastructure, but this exposes a major flaw with what's going on and we would be foolish to ignore it or suppress it.
"The plural of anecdote is not data." -- Roger Brinner
From the article:
"This is why CEOs of major power companies don't sleep well these days," [CEO of power co. Pepco Holdings] Derrick said, flattening the pages with his fist. "Why in the world have we been so stupid as a country to have all this information in the public domain? Does that openness still make sense? It sure as hell doesn't to me."
Because security through obscurity is just as brainless an alternative for the physical infrastructure as it is for virtual infrastructure.
Hiding things doesn't make them safe. It makes them safe until found. With the added bonus of fostering the kind of clandestine, repressive, bitter societal climate that our govnt seems bent on pursuing these days.
You want to protect something? 1) Make it less desirable as a target (i.e. take away people's reasons for attacking in the first place). 2) Build in redundancies to dilute vulnerability. 3) Monitor, patrol, survey in an open and visible manner
People are _SO_ freaking paranoid these days. Having access to a database like this could be enormously helpful to a great range of people. But all people think about is, "What will al Queda do with it?"
Since 2000 about 3,000 people have died in terrorist attacks. About 175,000 have died in car accidents. About what should we be worried?
Killing people causes terror, because nobody wants to get killed. Cutting off infrastructure causes annoyance, because it happens regularly already. And when it happens, people will get by like they always have.
Ita erat quando hic adveni.
I think you failed to notice the joke....
Plus, the people who have allowed stupid things to happen (like a single choke point for the information flow of 25 companies) don't like that problem being revealed. I worked for a telecom company in the 1980s that was supposedly providing a redundant link for an AT&T leased line. One day a backhoe cut through the line and our customer found out the ugly secret--we leased OUR line from AT&T, and their "redundant link" went through the same piece of cable!
Instead of hiding this info for "national security" reasons, these maps should be analyzed to death by a program to find and eliminate these kind of problems, or at the very least let companies understand and anticipate these risks.
...between all the pieces of information being publicly available and all the information being publicly available.
From most of the comments so far, it appears the majority of people seem to think that this guy's PhD took about as long to compile as mapping a route from coast to coast with MapQuest. Hello? I imagine there was quite a bit of work put into compiling this information, and that not just anyone would have the time, persistence or devotion to duplicate the complilation. So yes, there is a HUGE difference between the information being available scattered across the 'net and having it all compiled, cross referenced and searchable in one easily downloaded program.
And IMHO, you most definitely can had a compilation of 100% publicly available information be classified as a threat to national security.
And personally, I don't believe there is a "publicly beneficial" use for this info in its compiled form that couldn't be easily be satisfied with the publicly available pieces - if a link is severed, you only need the info for the area of the problem (where the tornado hit, for example), not for the whole country. And the utilities that would be effected and responsible for the repairs would have the info they need anyhow.
I think the biggest value to the public of this information is the fact that it exists and that this can be done. The information itself is only important to those who would protect it or exploit it.
666-607: 6th floor apartment of the beast
For the right price, you can just buy the data from Platts - power line rights of ways, water pipes, etc. Once you have the data, you can throw it into any GIS software (purchased for the right price). Example: you need to get the natural gas pipline information to the road repair crews, so when they dig they're sure they won't hit anything... all this data used to be open, because noone thought you could do anything with it.
So what if I know where the local 500KV transformer yard is located over the 3rd hill on the left, who in their right mind would want to damage it? Then we realized how many people in the world really aren't in their right minds... I'm not complaining that this data should be bottled up again; what was really lacking was the chain of custody of who accessed the data, and for what purpose.
The smartest thing they could do, is use his information and go through each weakness and look to secure it as much as possible. Many of them may look at that as cost prohibitive and just try to obsure the information and hope no one finds it.
I'm not drunk, I just have a speech impediment. And a stomach virus. And an inner ear infection.
With all this concern over whether the "terrorists" should be allowed to know where all of our weak spots are, where is the concern for our real weak spot: creating more terrorists? If we could just figure out how to stop behaving so idiotically and stomping all over the world, we wouldn't have to worry quite so badly about being open with our information. Granted, there would still be people who want to do damage, but not nearly as many.
An open, friendly society breeds safety simply by virtue of not pissing so many people off to the point where they want to do unsafe things. On the other hand, greed, power-lust and secrecy just breeds more conflict. With less secrecy, greed and power-lust become a lot more difficult to hide, and therefore more difficult to perpetrate. This information, as well as so much more, should be out in the open.
Besides, if he got it, it already is, as has been pointed out.
The problem is that terrorism is all about using simple means to get effective results. It is practically impossible to prevent all possible types of terrorist attacks.
If you've got an imagination, try thinking about what you would do if you were a terrorist. If you really wanted to create havoc, you wouldn't necessarily do it by stuff like cutting communications cables. What you would want to do is make the man on the street afraid to do basic everyday things. I've thought about it a bit (let me emphasise - just as an entertaining mental exercise!) and I think there are things that a single person or small group could do that would cause chaos in a big city. And they are things that don't require access to any particular technology. Relatively simple things. But I'm not going to post those types of ideas on a public forum like this.
If there is one thing that September 11th should have taught us it is that terrorists don't need access to fancy technology. People are maybe going to slam me down for this, but I beleive one of the main abilities of an effective terrorist is a good imagination and - to use a cliche - the ability to think "outside the box".
So what's my point? My point is that passing laws and banning things (and invading countries and dropping bombs) isn't the best way to combat terrorism.
Terrorism is a symptom of a disease. You can try to combat the symptom, but it will never be cured if the disease is not cured. I always thought that they way Tony Blair and the rest of them tackled the Northern Ireland situation was very sensible. They did not take the easy route - the easy route is to say "we will not be influenced by terrorists", and "shoot to kill" - that was Thatchers approach. It didn't work. More recently, the actual disease has been tackled rather than the symptoms, and although there isn't peace in N.Ireland yet, things are much better now than they were a decade or so ago.
I'm afraid that Bush is taking the "hard man" approach to terrorism like Thatcher did. I'm afraid that the war on terrorism is going to be a very long one.
You'd be surprised at how easy it is to penetrate the security of a lot of facilities.
For instance, I worked in one somewhat secure facility that requires ID bages with magnetic stripes to get in and out.
Only thing is, they had one door to the facility that didn't have a card reader attached to it. It was for the union guys that worked in the shop, who according to contract, could not be required to swipe an ID badge.
Which is fine, because to get into any place but the shop you have to have a card swipe anyway.
Only thing is, the doors between the shop and the badge-secured office area were kept open more often than not. And even if they weren't there was one interior door that you could use to access the service tunnel that wasn't carded either.
So you could walk into the service tunnel. Once there, you could get into the badge-coded office area because the doors near the elevator that takes you to the office area had to be kept open for ADA compliance (a wheelchair user couldn't be expected to swipe their card and open the door, apparently)
So once in the elevator, you were free and clear. You just got in the building without a single card swipe. And though there are cameras, anyone walking around with anything that looked *close* to the visible badges around their neck/clipped to their lapel, etc. were ignored.
I simply observed my surroundings and in less than a day of working there, I knew how to get in and out of the facility without going through security. Even if I left my security pass at home, I could get in and out, no problem. I've noticed similar scenarios in hospitals or banks other places where tight security is supposed to be the rule but the people working there just don't think this stuff through.
My journal has hot
The implications, however, in the post-Sept. 11 world, were enough....
In this post-September 11th world, I'm getting REALLY sick of that phrase.
"I either want less corruption, or more chance
to participate in it." -- Ashleigh Brilliant
One thing that keeps bugging me is attacks against soldiers, military bases, and military equipment being called terrorist attacks. Wouldn't attacking military targets be the exact opposite of a terrorist attack? Terrorist groups believe they are fighting a war. In war, you attack soldiers and other military assets.
A terrorist attack involves targetting civilians as your main target.
Hitting an office building with a plane == terrorist attack
Killing soldiers who are invading your country != terrorist attack
He's worked hard on his research and doesn't want it to get seen by him, his professor, and a few miscellaneous others. He wants to be proud and publish his results...
Why does he have to publish to be proud? I'd be pretty damn proud to have my work classified.
You are making his work seem trivial and it's not.
His own professor called the work "tedious and unimportant." Do you have more knowledge about this work than this guy's professor?
Good for you. When you come up with something that the government thinks should be classified, you be as proud as you like and keep it all to yourself. The title and subject matter of what is classified will also probably be classified because letting people know about what was classified is likely to be deemed sensitive information that should be classified. See where this is going?
Sean Gorman wants to graduate with his degree, publish and continue academic research. It's not unreasonable that he would want others to see the product of what he's been on working for years. Part of completing a PhD is to do a defense of your research, which usually is before a panel of peers and professors who have some knowledge of the area you are studying. Dissertation defenses are usually open to the public (read "other students and academics" because few people tend to be interested in specific disserations) which means that potentially anyone can sit in and learn about the subject matter. If his research is classified then none of that can take place because it would be illegal for anyone to read the paper or hear about its contents without first getting clearance from the government.
Just because his professor lacks imagination, vision and insight (not uncommon in academic circles I assure you) it doesn't mean this prof is right. Maybe his prof is tedious and unimportant. There are lots of people who said the same sort of thing about the Internet. Even "visionary" Bill Gates is on record as saying the the Internet is a fad, though he quickly changed his tune. History is full of brilliant people whose work went unrecognized because it was considered fringe, tedious and unimportant. In this case, based on the attention this research is getting, there are obviously many people who think otherwise.
His professor, John McCarthy, thought that the research was important enough to introduce Gorman to national security contacts, so the "tedious and unimportant" line smells like a red herring. The article also talks about how the university is trying to get government funding beacuse it wants to develop a ''relationship'' with the Department of Homeland Security.
From the article:
"The government uses research funding as a carrot to induce people to refrain from speech they would otherwise engage in," said Kathleen Sullivan, dean of Stanford Law School. "If it were a command, it would be unconstitutional."
I amazes me how often the bureaucrats in the Intelligence Comunity ignore what they already know.
The nth Country Expiriment proved that once knowlege is available to the public, and similar results can be obtained without knowlege of the methods used in previous successes.
If this grad student could compile this information, then so could sombody else, and it's probable that sombody already has.
This information should be used to point out the weaknesses inherent in our infrastructure, and show where this infrastructure needs to be diversified. IMHO, attempts to improve security by centralizing comunications and power distribution are doomed to failure, and will only make us weaker. Micro supliers and home based power generation would make terrorist attacks against the power grid inconsequential. The weaknesses in comunications infrastructure can probably only be cured by creating a third alternative (community high-band?) to the cablemodem and telephone company monopolies on delivering service.
Read, L