Slashdot Mirror
Fighting Terrorists Through Software, Anonymously?
Silwenae writes "MSNBC has a story online from this week's Newsweek about Jeff Jonas, founder of System Research and Development. SRD's software attempts to verify a person is who he says he is, and then tries to determine who that person may be connected with. Originally used in casinos, the CIA has invested in SRD for use in the war against terrorism. Apparently, Jonas has developed a system that can anonymize the data being analyzed through hashing, so the government can share this information with the private sector to look for hits, without the private sector seeing the specific data."
then tries to determine who that person may be connected with.
Does this software detect siamese twins?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I.e. so the state can put people it doesn't like on the list of people to be tracked with less risk that that person, or the rest of us, can know who is on the list.
Yeah, that's really reassuring.
Big brother may be watching you, but you have no way of knowing...
_O_
.|< The named which can be named is not the true named
His response was to invent ANNA ("NORA's little sister," he explains), a system that "anonymizes" data by an encryption technique called hashing. Because the data are scrambled, private records can be shared with the government and secret watch lists can be distributed to private entities, all without fear--because they can't be read
Although this is a step in the right direction, hashing algorithms can be brute forced right ?
I mean, this information may be valid for years, a thing you did when you where 18 may still be there when you are 50. I don't think this data should be distributed much at all, even though it's encrypted.
Great. While there are definite positive privacy things they _could_ accomplish with this, it's also open to lots of possible problems like "The computer said you matched a terrorist's name, no we don't know why, or where the list came from, we just have to cancel your account and call the police on you" which are as hard to defend against as being on the "No-Fly List" of Americans whose rights to travel are arbitrarily and unconstitutionally limited, or the "Strip-Search-Before-Flying" list, or the "Hollywood Suspected Commies Blacklist".
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Still don't like it.
:)
:)
Just because they are searching for hash matches instead of plaintext doesn't mean profiling en-mass is right. It just means nosey companys who are being 'asked' won't know WHAT they are being 'asked' about.
Gee, bob the builder knowns mahek alzis. Mahek is a suspected link betwene so and so, and then he works for this manager, and then these people. Hmm, we better start asking alot of questions..see who else matches our '(personal network) search criteria'
What, you think i'm kidding?
(And yes, some of you are going to explode that this sort of search-and-peck is not profiling, when it really is. Look it up. Searching through personal *profiles* and *information* to find any people who match enough of the criteria = profiling.)
This sort of thing is bull, It really is. Instead of doing real investigative work, they can just whip up a list of 'possible hits',snatch them all up, and then queston and otherwise probably scare the shit out of all of them - hoping their deeper searches find a hit in the crowd.
Welcome to the nightmare, please don't choke on the red pill while the door is hitting you in the ass.
[/tinfoil-hat]
My new top secret key -> C>N|KB
There is really nothing new to this technology. It does not do what it claims. Hashing has been around for while, and so have techniques to defeat the attempted security of this type of system. Interestingly, I have seen around five stories from various forums reporting on SRD in the past week or so. It seems like some marketing department is working pretty hard.
The credit card companies, for example, have access to a LOT of data. People seem to be content with that.
And it is ridiculous how much information about your activities are already out there, though not publicly accessible, accessible to certain organisations.
I think the scariest bit about this article is that casinos have access to your, YES YOUR, data. And if casinos can do that, so can the mafia.
The government having access to all this information is only a part of the problem. The real problem is, how much of it is available to bad guys, like telemarketeers and the Russian Mafia.
Indefinitely Detained US Citizen
Can anybody help me and define the limits of the problem "the war against terrorism"?
It strikes much of the issue is defining the problem, hey we're geeks right, give us a spec to build to, yup? This seems to be the chief concern of slashdot posters so far, that the problem has not been bounded and there are varying interpretations being made on what the problem is. How can we define the problem? Or are we accepting that the term is a worthless media and political construct to sell newspapers and justify military/ intelligence spending? Can we frame this fuzzy problem in a more meaningful way?
Obligatory quote:
"Those willing to give up a little liberty for a little security deserve neither security nor liberty." - Benjamin Franklin
My personal opinion on the matter is that you can't fight a war against terrorism without looking at what the root causes of that terrorism are. The fact is, that at the moment the west is seemingly willing to just overlook what the causes of terrorism are, and are trying to just blow the terrorists to smithereens.
When will people learn that labelling people "terrorists" and killing them just creates new "terrorists" at an exponential rate? As far as these "terrorists" are concerned, America and the UK are "terrorists" too.
Clever tracking software or not, "terrorists" are not going to go away until we start looking at why they are "terrorists" in the first place.
Just because a government chooses to carry out military activities, doesn't make them any less terroristic or any more legitimate.
Perhaps those doubting the terrorism carried out by the US and allies in Iraq should check this page for help in visualising the numbers.
Organic free-range music... yum!
I thought the whole point of hash encryption was that it's not able to ever be unencrypted, even by the legitimate users?
In order to check if there is a matching telephone number, you would first have to run the encryption algorithm on the number and then match this against every encrypted number you have in your data store. So if the two encrypted strings are equal, you have a match. But there is no way to know what the encrypted number is unless you have something to test for in the first place.
But I'm not sure how much use that is. Wouldn't you then need to be able to see who's number that is, i.e. decrypt the person's personal data?
Also, it would be interesting to see what the reaction to this software would be in the EU what with its Data Protection directive. Storing personal details about someone is prohibited except for certain circumstances... long term storage of someone's personal data for distribution to companies is not one of them. Whether the encryption of the data would make this acceptable or not would make for an interesting argument.
Patriotism - the last resort of scoundrels.
everyone will be connected with Bush andBin Laden....
...and he grinned, like a fox eating shit out of a wire brush.
And then there's the problem of extra data hidden in the hashes - some of the signature algorithms, for instance, can carry a bunch of hidden "subliminal" bits, like the one that says you're a Jew or black or Dues-Paying Republican or a Federal Agent or a Known Troublemaker.
Spelling is a real problem. I have enough trouble because my ancestors or their relatives were either illiterate or at least using names like "Stewart" "Stuart" "Steward" and "Steuart" before English spelling became relatively standardized. But Americans munging the names of people who use other alphabets, like Arabs, or who don't use alphabets at all, like Chinese, can't just use simple hashes, because any misspelling can either let somebody whose name is the same as a Real Suspect not get flagged, or let some non-suspect whose name is close to a Real Suspect get flagged, and any terrorist smarter than the Shoe-Bomber knows to use an alternative spelling of his name or get some fake ID. You probably know Chinese people who use different names in English and Chinese, either as immigrants or kids of immigrants; I knew a Hakka Chinese family from Vietnam who also had Vietnamese names, and in at least one of their languages, they had an alternate set of names for use within the family (approximately "Number One Son" etc.) And then there's the problem of exactly which name parts to use if you've got more than three, and nicknames, etc.
And then there's the problem of people whose names are the same as Real Suspects' names, and people who ever had their wallet stolen. Just spend a day in traffic court listening to DMV-screwed-up-and-I-got-arrested-by-mistake cases some time if you weren't already worried, or read any news article about identity theft.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Zero problems, but how many innocent people wrongly flagged as being unsavory?
How does this SRD system measure the accuracy of its conclusions?
The peoples of democratic countries need to wake up to the fact that terrorism represents less of a threat than their own governments' response to it. Even 9/11, the worst terrorist attack in history, did not do much to increase the annual rate of homicides in the US. It remains much more dangerous to cross the street, drive to the supermarket, walk in the hills, or go for a drink on a weekend night (let alone smoking or eating burgers). We need to accept, and insist our governments accept, that there are risks involved in the world, of which terrorism is by no means the greatest, and that these cannot be eliminated while maintining a reasonable quality of life.
...does this work? I mean, the theory goes that we're all connected by 6 degrees of seperation. How do they define a connection? Depending on these factors, anyone could be condemned as connected somehow with undesirables.
Hashing != encryption.
Encryption is intended to be unencrypted.
Hashing is one way because it involves information loss. It is not encryption: there is nothing secret. For example simple hashing algorithm might be "take the ascii value for each character in string and add them all up, rolling over each time you reach 10,000". The result will be a hash. Which is dependent on the data you put in- is impossible to *directly* extract the original data (you could use a lookup table to do it). As I said though, this is NOT encryption.
Bad analogies are like waxing a monkey with a rainbow.
It's also kinda sad that the voting public has the feeling that they can't do anything about it. You can say "well, that's what happens when you give up your rights.
I can understand the angle of not wanting to lose your property and thus, being more willing to deal with crap (as most people are, if we got uppity at every turn in the road, the road would be jagged, torn, and probably wouldn't work that well). The past 6 or so presidencies have been really shitty IMO,; with each passing administration corruption increases; money is stolen, rights are taken away, and our country is torn apart brick by brick. Nixon, Bush Sr., Clinton, and now Bush Jr, all slowly taking away our rights accept for Bush Jr, who is putting a new definition to the term of "rocking the boat".
Eventually something's gotta give. My prediction is that people are going to begin losing their incomes, and with those their livings. It was the robber-barons that caused the great depression, and eventually the stock market will collapse. I don't see buisness law becoming regulated any time soon like it was in the 50'a or 60's. Couple this with tremendous debt to other nations, a whole lotta weapons, a whole lotta enemies, devaluing currency, and corruption widespread in the high level goverment and in most lower level goverments and you've got a powder keg waiting to blow.
Simply put, people will lose their patience. And with that loss of patience we'll see a revolution. The guys with the guns are already on the brink of it themselves.
Candy-Coated Knowledge
It is not sensible to publish this data - even in "anonymous form." Use of hashing will only prevent a party with access to the hash from directly reverse engineering the hashed data to arrive at a list of suspect names - however this completely misses the mark.
If I were a terrorist organisation planning something like 9/11 and I knew many of my lemming-recruits would be identified by airport security as risks, I would process my terrorist volunteers myself and only send those who would not raise any eyebrows. This information (anonymous though it is) would be of great value as it would eliminate another uncertainty from the evil plan.
If I were a private individual with interest in knowing the identities of all suspects then I would be able to mount a dictionary attack using, say, the electoral role or census data - with only a few billion people worldwide, a modest cluster of PCs would be able to exhaustively search for matches in reasonable time.
Finally - if this anonymous data were to be available only to authorities to whom the raw information would otherwise have been available then this approach is still a disadvantage. Without access to the reason for someone matching, it will make it much harder for authorities to make appropriate judgement calls based upon a match. The mere possibility that a match might be due to a hashing collision or data- entry errors prior to hashing could result in the wrong decisions being taken. There is certainly a risk that without information on why someone is a suspected risk that related vital clues may be missed - possibly resulting in an otherwise preventable disaster.
About a year ago I came up with this song.
Now I'm going to sing it.
Puff the Nuclear Weapon
Puff the Nuclear Weapon was pointed at Iraq,
and waited in his submarine for the signal to attack.
Little George Bush Junior, he loved that rascal puff,
and all those days, he nightly prayed for the UN to get tough.
oh
Puff the Nuclear Weapon lived in the sea,
protecting all our freedoms to
a brand new SUV.
Puff the Nuclear Weapon lived in the sea,
protecting all our freedoms to
a brand new SUV.
Now Puff he liked to travel, so he wore travelling clothes
While Bush was home and on the phone, from locations undisclosed.
Presidents and Princes, they bowed when'ere he came,
and Nation States lowered their flags when Puff roared out his name.
oh
Puff the Nuclear Weapon defender of the peace,
securing the world's oil supply
and the occasional golden fleece.
Puff the Nuclear Weapon defender of the peace,
securing the world's oil supply
and hte occasional golden fleece.
Plutonium lasts for ever, but not so little boys.
ICBMs and M-16s give way to... other toys.
And one grey day it happened: The traders broke the Dow.
So Puff the Nuclear Weapon's on the open market now.
His warhead packed in plastic, green crates that bore his name.
Poor Puff would not intimidate for the Stars and Stripes again.
Without his life long friend, poor puff could not be brave,
so al-Qaida hid that that weapon in a deep, dark, man-made cave.
oh
Puff the Nuclear Weapon lived in the sea,
but now he's in a backpack
some where close to you and me.
Puff the Nuclear Weapon defender of the free,
and you can blame it all upon
Bush fiscal policy.
Sorry if I've just raised your subversion quotient for having read this. but hey, we're slashdotters so that means we're all pretty much under suspicion of being a little odd anyway.