Rand Report Says Geospatial Data Not Big Threat
scupper writes "An article in Federal Computer Week came out Monday that announced The Rand Corporation has published a report (sponsored by the National Geospatial-Intelligence Agency) concerning the threat that publicly available geospatial data on US Government web sites might pose in the hands of terrorists that 'found that less than one percent of the 629 federal data sets they studied appeared to have notable value to would-be attackers', according to the report titled: Mapping the Risks: Assessing the Homeland Security Implications of Publicly Available Geospatial Information. A curious 'finding' from page xxv of the summary not mentioned in the article states: 'However, we cannot conclude that publicly accessible federal geospatial information provides no special benefit to the attacker. Neither can we conclude that it would benefit the attacker.' The release of this report reminded me strangly of the Washington Post news story about a George Mason University graduate student, whose dissertation mapped critical fiber optic network infrastructure."
Just wanted to say "Hi".
fuck slashdot and IP bans.
As in: the Rand Corporation, in conjunction with the saucer people, under the supervision of reverse vampires, are forcing our parents to go to bed early in a fiendish plot to eliminate the meal of dinner.
Holy Shit!!! We're through the looking glass here, people..
The big problem with terrorists is that they cause terror.
In this case, we're falling for it. We're having an irrational fear of the unknown. We're worried that in everything we publish, there's a terrorist reading it and trying to use it to their advantage.
On 9-11-01, they did something we didn't expect. They hijacked planes and brought their own minimally trained pilots to fly them into buildings. We didn't think that was likely to happen... at that time, standard policy during a hijacking was to let the hijacker into the cockpit. We're never going to make that mistake again.
But think about that, in all of our past dealings with hijackers, we assumed the hijackers wanted to live, and therefore would not crash the plane, never mind know how to crash the plane into something else. In every case prior to 9-11-01, that was a correct decision. In most cases, we were able to get a majority of the passengers and crew members off the plane alive.
If a hijacker were to take over a plane today, there'd be much more opposition given to them by the passengers and flight crews. However, if a hijacking team were ever to succeed... now the default response would not be to attempt to reason with them but instead shoot the plane down. 100% of the innocent passengers would be lost, but we would be relieved that the plane didn't crash into a building.
Hey, wait a second... we're playing the game not to get the maximum lives returned, but instead to avoid the worst-case scenario that has only struck once. That's somewhat a broken logic.
And that's really the culture that's taking over the nation. We've gotten so risk-averse at doing things that when there's a possibility of information being used negatively, we're ignoring all of the more-likely probabilities that the information could also be used for good causes that we'd want to support. It's easier to point at the fear of what could go wrong than the dream of what could go right.
When a player is at a casino, the lure of the possibility of a big jackpot convinces them to play games where the probability of coming out positive just isn't there. Again, it's a case of possibility of a positive extreme case causing the ignorance of a probability of a negative result.
Somehow, the concept of multiplying odds by result values is something average people just can't comprehend because emotions get in the way of cold logic... we act based on the possible emotional outcome rather than more likely outcome that logic would lead us to look for.
Government announced that the FBI is no longer issuing a warning to watch out for people with almanacs.
What kind of mumbo jumbo is that? Are they trying to hide something? How the hell am I going to find page xxv?
but not one that is easily addressed. There's a balance that has to be maintained, and hopefully we're going in the right direction.
HOW'S MY POSTING? CALL 1-800-POSTING
Donald Duck is having a SCREAMING ORGASM right now as he maps whether or not his massive collection of Daisy Duck pr0n is a threat to national security. OMG OMG OMG>
Can we really trust anything that RAND (FAR right think tank) says? They advocate privatizing our EDUCATION system, for chrissakes.
HOW'S MY POSTING? CALL 1-800-POSTING
found that less than one percent of the 629 federal data sets they studied appeared to have notable value to would-be attackers
Less than one percent of 629 is still 6. Granted, six isn't a large number when one considers its relative relation, but it's still a number greater than zero.
(I'm not being paranoid, right?)
An effective signature identifies a particular user amongst a base of thousands.
But it has become a public interest problem.
Not long ago, you could finally get information from the government without spending several days and gobs of cash. It was brought to you via an innovative system called the Internet. If you were living next to a toxic waste dump, you could do a search on the 'web' and literally dozens of published reports were at your finger tips. At long last, public interest groups and individuals could see the reports the government was publishing about these sites, but were largely unavailable unless you lived near a library that qualified as a federal repository.
In short, there were damn few access points for information about what the government was doing with your money and the Internet made the barriers disappear.
Along came 911 and now everything is back to the old days. I publish scads of documents about cleaning up nuclear waste dumps and no one will see them unless they can convince the government that they are not a threat. You can pump your arms all over the place and tell me how "newclear stuff should be off the web 'cause its dangerous", but I'm not buying it. The stuff we are not allowed to discuss is so difficult to extract that even the US government is wondering what they are going to do with it. How the hell do you clean tritium out of groundwater?
What my colleagues and I report on is soooo not a terrorist target that it is laughable. But the information is in geospatial coverages that are now considered off-limits (official use only) to the public. The 911 tragedy has been a coup for those who want to obstruct the public's access to information related to their own health and safety.
The government just uses terrorism as an excuse.
"Rocky Rococo, at your cervix!"
Buy Steampunk Clothing Online!
Sean Gorman mapped and correlated data about a whole lot more than just fiber optic lines. Data, electric, transportation and god knows what more, wrapped up in a nice little program that makes the data quite easy to get at. Incredibly useful, but quite potentially dangerous in the wrong hands. Now what I wouldn't give to have that thing in MY hands...pretty...
If we spread our attention and resources too thinly, though, any target becomes accessible.
Terrorists have to have large-scale loss of life to generate the headlines they need for fundraising. I wouldn't worry about infrastructure (even vital infrastructure), since it's too hard to explain to uneducated fundamentalists why snarling up internet traffic is a victory for Allah.
What lengths have they gone through to hide their IP addresses to thwart would-be terrorists from performing dDOS attacks?
RAND has a bit of an uneven history. I wouldn't even call the right wing so much as establishment/pol/mil/industrial complex wing. This is probably an honest report on the part of the person who made it, but it does smell odd from this distance.
Fundamentally, I think they're right on this (and privatizing schools :), the targets terrorists want to and may actually try to hit are pretty well known and not at all hard to find. Stuff in the middle of nowhere is pretty low on their list.
It's also pretty unlikely that the punks will get their hands on a launchable ICBM or suchlike.
That being said, I'm trying to think of why I would need GPS coords for cabinet offices or suchlike. It's a pretty limited use, I'm not sure it would be worth doing, especially with My Tax Dollars (I know, pennies, but it's the principle).
Obviously if you have a sensitive (NSA, Weather mountain, Federal Broccoli Pricing Board, etc) site, don't put GPS coords on your website. Duh.
Wow you mods totally dropped the ball on this nice Simpsons quote. The episode is at http://www.snpp.com/episodes/2F07.html. The quote is right near the end.
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
it's too hard to explain to uneducated fundamentalists why snarling up internet traffic is a victory for Allah.
As difficult as explaining to the equally uneducated fundamentalist Americans that bombing the fuck out of people then complaining when some of them retaliate is hypocritical?
Milhouse: [steps up to blackboard] Ahem. OK, here's what we've got: the Rand Corporation, in conjunction with the saucer people --
Bart: Thank you.
Milhouse: -- under the supervision of the reverse vampires --
Lisa: [sighs]
Milhouse: -- are forcing our parents to go to bed early in a fiendish plot to eliminate the meal of dinner. [sotto voce] We're through the looking glass, here, people...
My first knee-jerk reaction upon reading the Slashdot summary was:
"We find that this information isn't really important to terrorists"
>boom
"oops. uh... guess we were wrong..."
But after reading the article it sounds like they're making a perfectly valid statement. Sure, some information like large military bases off the beaten path shouldn't have their details published. But it makes no sense to remove maps of public utility Nuclear Reactors because that information is commonly available from about a dozen other sources. Like, street maps! So removing it from the federal records doesn't make it "secure". Or from the example in the article where the feds removed offshore oil sites from their public records. Turns out Scuba diving maps sold to divers were showing where those were ANYWAY. Rand is calling for the government to redefine what needs to be "secret" and if it does, work with local companies to have all sources removed.
Where is planet Kamino, anyway?
I mean... I'm still getting my brain up to the proper caffeine levels, so maybe this will make sense to me later. But what the hell is this article even about? Geospatial time continuum anomaly. Am I in the Expanse or something? Where is Archer... wait.. to hell with him.. where is T'Pol???
What is their definition of a data set? A data set for the NSA/CIA/FBI may have attributes for military locations, population density, etc.
Now, if they get their hands on a data set by the Parks Commissioner, indicating locations of forests with attributes relating to the trees, I highly doubt that would be threatening.
So a 1% possibility that a data set may be useful to terrorists is subjective, as it depends on their objective.
In the right hands, any data set can potentially enhance the ability of terrorists. And of course, don't forget. Private companies are the ones that sell most of the data to the government (see US Census for example). Why bother going after government publication of data and not control to whom a company sells the data?
As for the fiber optic map... It was useful not because you can cut cables (redundancy does exist), but because you know the ends of cables are to where corporations are (that is why the dissertation did get credit in the first place). Also, you know that where the biggest bandwidth cables go to is a prime target, as it promises a network-dependent corporation/entity that could be damaged by loss of communications.
I don't care if it was Confucius, it's still a frickin' retarded quote.
Parent doesn't believe anything he types. He's just a troll out to get karma. Later we'll see peoples primary links, goatse, last measure and all sorts of degenerate filth. DON'T GIVE HIM THE TIME OF DAY, MODS!
The above post, while the truth, is basically a summary of the first few chapters of Bruce Schneier's book, "Beyond Fear".
The Internet's nature is peer to peer - 20050301_cs_profs.pdf
I remember when the story about mapping the fibreoptic infrastructure broke.
I also remember several months later, massive power grid failures in the US and UK among others, all within a reasonably short timeframe.
I thought even back then, while the two aren't directly related, that there was a possibility that someone had figured out the electrical grid chokepoints sufficiently to do a test run of sorts, to see if it worked or not, possibly inspired by the fibreoptic story.
My point is this - if you were a terrorist and wanted to hit hard again, why not follow standard military doctrine and cut off the enemy's power grid first? After all, we do it, so why wouldn't they do it as well? In all the confusion, that's when you conduct your real strike.
Thankfully, since the information is public, we too can look for potential chokepoints and demand of governments that they fix them or mitigate the risk by building in redundancy. If we don't keep this information public, we will not be able to hold governments accountable when they don't make the effort and the system fails when it's most needed. And if you can no longer hold your government accountable when they screw up, because you don't have access to the information you need to do it, then you are no longer in control, and they are ruling you, not governing on behalf of you.
Visceral Psyche Films
Of a similar report compiled by the RAND Co's subsidiary the BLAND Corporation, completely discounting the efficacy of a doomsday device in the war on terror.
Christ! Will someone just mod this fucker to -1 so we don't have to see his anti-American propaganda. The link is totally distasteful. Look at his history, he's just a karma whore.
Any information is really only valuable when you have enough creativity and common sense to make something of it. People aren't trained to think "outside of the box", but given enough time and motivation, things will happen.
I'm not saying that we should keep all of this info under lock and key(among dozens of other safeguards), but we should at least make a few more independent analysies(sp?) of the threat the data poses.
The thing that I think would be a lot more interesting is to take the layouts of some of these buildings; turn them into maps for some FPS games (UT2k4 is my fav) and figure out the best way to attack/defend them. (I've been wanting to do this for my college campus for awhile now.... let players spawn in their dorm rooms... consider it preparation for the giant paintball war we're planning for halloween)
yeah, just my 2 cents..
"Operating systems suck: you're better off using only the BIOS" --trainsaw.com
BOO!
Terrorists are everywhere!!
BOO!
If I want to calculate the exact location of the White House, I don't need any government spatial data. I just calculate 3 different points in Washington DC using a pocket GPS device and from those values and a city plan I can find the exact coordinates. This whole thing is really yet another way to keep various information away from people, while hiding behind the "war on terrorism". Also, today on CNN.com: all Iraqi prison pictures won't be released. Never.
http://www2.jpl.nasa.gov/srtm/
http://grass.ibiblio.org
SRTM is new, so get the CVS version if you want access to the latest auto-load & clean scripts. View with NVIZ.
cool stuff.
~.~
I'm a peripheral visionary.
Speaking as a GIS tech/programmer, and geologist ... holding back geospatial data from free public use will hurt the economy far more than any of those imagined threats. If a terrorist really wants to know where a target is, he can just wander on past with a GPS.
If the US government really cared, they wouldn't have turned off the 'selective availability' distortion that used to reduce the accuracy of common GPS units from a nice 10m accuracy down to an annoying 100m.
I think history has proven that at least so far terrorists attacking the US have preferred large symbolic targets, the kind that you can't hide, where openly available geospatial data is irrelevant.
And consider that having as much data available as possible to the public enables all kinds of value added / data mining uses to crop up that the data owners might never think of themselves. There are many business models out there working right now, feeding families.
Open free exchange and full interoperability of geospatial data is the future. It is happening now through the Open GIS Consortium, GML, and through free open source programs such as Grass, and MapServer. Good things happen when the right people have easy access to your spatial data.
Do your part! Set up a MapServer WMS server today, make your spatial data available to the world yet still maintain control (the server passes out raster map layers that become part of a user's raster map, no one gets your valuable vectors)
George Bush + Linux = "I will not let information get in the way of the fight against Windows"
A subsequent Rand Report found that information available in the Yellow pages posed a potential security threat. In an attempt to staunch the flow of information to would be terrorists, all people in or arriving in the United States will soon be fitted with a mask that covers eyes, ears, and mouth... so that we might hear no evil, speak no evil, and say no evil...
Your tax dollars at work...
Genda
Maybe they don't think the data is a threat because they've already had their way with it before it's made publicly available. Take this TerraServer shot of the US Capitol using the new .25 meters / pixel USGS natural color data set. The Capitol and Senate / Congressional office buildings are mosaic'd out!
I mean, seriously... call these terrorists what you want, they're definitely smart and resourceful. They knew enough about American society and culture to select very traumatizing targets.
We should assume that they will find whatever is of interest to them, and that security through obscurity is bound to fail. Given that, geospatial information should be free so citizens can point out weaknesses to the government.
In terms of cost for security... I recently asked for geospatial information from my city, and they would not give it to me for free (councillor district maps- not exactly a privacy or terrorism risk!). States where they have a more liberal policy towards sharing this information have often developed thriving GIS sectors. The cost of secrecy will be reduced competitiveness, as another country could take over in the lucrative GIS market.
Information: "I want to be anthropomorphized"
Does anybody remember the story of the GPS units and how the 9/11 terrorists used them? To summarize, they drove to NYC on September 10th with their GPS units. They stood b/t the 2 WTC towers and marked a waypoint. The next day, they flew airplanes towards this waypoint.
OK, OK, So what??? Well, they could have just read a USGS topo sheet to get those Lat/Long coordinates. Or they could have used any GIS package.
This is really scary to think about b/c almost every county has GIS data on their website, including land ownership, soil type, lat/long, impervious surfaces, building outlines, drainage, and more.
This is all free, easily accessible, and pretty accurate.
Being early in the morning and only on my second cup of coffee, I threw my slashdot goggles on and in my quick skimming thought it said "sponsored by the National Gestapo-Intelligence Agency". I saw the .mil link, and began pondering a DHS conspiracy.
But seriously, the (US) government totally gets the mind-set of these people wrong. They don't download multi-gigabyte maps from the net before they attack, they simply and effectively pick so-called postcard targets, because they seek to attract media attention and these targets stand for what they resent.
Most terrorists are surprisingly low-tech, but that's actually why they can be difficult to track down: if you never use Web browsers, phones and credit cards you leave few traces.
If you read the recent intelligence 'success story' where they tracked some people because they used a Swiss pre-paid mobile phone SIM-card from somewhere in Pakistan, apparently swapping mobile phones and not SIM-cards instead of the other way round, this gives you an idea of what to expect.
Why is this scary?
So getting coordinates from some GIS software will be easier...yet I'm somehow forced to think that if someone is really determined to make an event happen, taking away that simple convenience won't stop them.
Terrorists hope to induce shock and fear in as many people as possible...I really doubt that this is going to occur by driving a bus into your Town Hall or Baptist Church.
The reason geospatial data is no threat is because nobody can make GRASS work. The data is easy to get, but GRASS won't show you any of it.
Really, if you and a buddy put on orange vests and hard hats, and spent your days peering through survey instruments and jotting notes, how many weeks would you have to do this before anyone bothered to speak to you at all? Okay, you'd be nabbed quickly if you surveyed the Pentagon or ORNL, but there are *supposed* to be people checking over those thousands of bridges and dams and whatnot -- who would stop you?
Apparently, GDT Inc. is the provider of street network for all major GIS Software corporations (including MapInfo, Intergraph and others) and government entities. Perhaps the most important information on this company is the Department of Commerce publication CB96-194 of 1996, which announces that the US Census Bureau would acquire data from GDT Inc. in a long term cooperation effort to have an up-to-date TIGER database.
The question from where GDT Inc. acquired their data is further hidden, apart from the fact that they used USGS data. A hint towards the answer is found in meta data from the USGS (specifically http://minerals.usgs.gov/sddp/doc/roads.txt), clearly indicating that the data were derived from TIGER/Line files. This means that GDT Inc. did not provide the data for the US Census, rather, it provided updates to the existing data. Therefore the source goes back to the US Census Bureau, that actually provides information on their data in a more straightforward way.
To compile the TIGER data, 1:100,000 USGS topographic maps were digitized by USGS on behalf of the Census Bureau. For urban regions, GBF/DIME files created in the 70's were used, that were updated in 1981 and 1985. Therefore one of the originating sources has been traced back to the Census Bureau (the urban area data). The other originator, USGS has a longer history. The attempts to map the USA started in 1879, on a scale of 1:24,000. Therefore the 1:100,000 maps used to create the US Census maps are derivations of 1:24,000 maps that started being compiled in 1879 and updated since then by plane table surveying. After the 1930's, aerial photographs were used. The original purpose on creating these very first maps was a mandate by Congress to "classify public lands" (http://mac.usgs.gov/mac/isb/pubs/booklets/topo/topo.html), therefore the original sponsor of the data was the US Government itself.
I feel safer now...
The Keyhole viewer is very impressive. They have the whole planet available. Resolution varies; for much of the world it's low-res satellite imagery. But for most urban areas in the developed world, the imagery is quite good. The imagery is overlaid on height data, so you can get a 3D view from any angle. The height data is too coarse to show buildings.
Or at least the current crop of terrorists don't. This is information that would be useful when waging war against the US. ie. In an attempt to cause massive damage and disruption through strategic strikes. One could argue that terrorism has the same goals and in some cases it might, but I don't think that's what interests the current crop of middle-eastern terrorists. To them it's about making bold political and moral statements.
The strike on the WTC was a strike against the symbol of American prosperity. That it caused as much damage as it did was an accident. And I suppose there's some irony in the fact that the WTC was a hub for tourism and international business. The collapse of the towers probably killed as many foreigners as it did US citizens. And as many poor folks as rich ones. The underside of the WTC contained a shopping mall and was a large subway transport hub, after all. Not to mention the daycare service(s) based there, so more than a few small children were killed as well.
But it should be pointed out that the current crop of terrorists have not proven themselves to be nearly as capable as we seem to think they someday will be. The WTC attack was a hack job done by a few fanatics with box cutters. It required no resources and almost no skill to execute. But since 9/11 the government has been mostly talking about organized attacks. BioChem and atomic devices, etc. I won't deny that such things are definitely within the reach of some, but this remains pure speculation.
As a recently graduated, and thankfully, gainfully employed GIS type I suppose I can answer your questions:
1. Continue with the GIS/Remote Sensing classes. Learn to program C++ or Java.
Also learn SQL and at least one major database (SQL Server, ORACLE, or one of the OSS ones).
Then start in on PHP, and especially PYTHON (ESRI is including Python as a scripting language in ArcGIS 9.0, and I believe there is a PYTHON Mapscript for Mapserver).
The GIS basics will get you in the door. The ability to tie a company's GIS data to their existing corporate databases and spit it all out in an inter/intranet web application will make you priceless.
2. There are a few books on GRASS, but not much on Mapserver, it's all in the mailing list archives. Check out www.openosx.com for the name of the GRASS book.
3. The job market has been pretty steady. The bubble burst didn't really affect the geo-spatial world too much. If anything there is a lack of good talent right now because many GIS folks are Guard/Reserve that have been called up, or are being lured away by defence contractors trying to sort through a mountain of geospatial intelligence.
-btw don't ever stop asking "may I help you". GIS is a customer service driven profession. If people don't use your services there is no reason for your existence. Your boss's boss will never understand what you do and you will constantly have to remind them why you are there.
You have the nut of an important point. This study merely looked at data sources and considered "could this be useful to an attacker". But that is a poor measure of vulnerability, because it doesn't theorize what an attacker would do. A better measure would be, once you've identified some allegedly exploitable geospatial information, to go back out the front door and try to come up with a credible plan of attack - credible in terms of goals, resources, methods, and available skillsets - that uses this piece of information. But the alarmist thinking in this report results in bad security.
For example: who can get on planes without being searched? Airline pilots. So we should search the airplane pilots being searched for weapons. I saw this happen this week, and it's retarded fake-ass security: if you can't trust the pilots, with or without weapons, you are already fucked, and searching them just diverts resources from real risks. Thinking from the point of view of the attacker can come up with more interesting hypotheses like "professional sports venues are well protected, but college venues may be poorly protected with targets of comparable size and impact".
Speaking of which, in today's climate, I wouldn't be caught analyzing good ways to attack campus buildings if I were you.
Expanding a vast wasteland since 1996.
Hi, I thought in the context of the thread that folks might find our new website on mapping infrastructure with publicly available data interesting: http://policy.gmu.edu/imp The gallery has some low res macro images of our analysis of the data the Post article talks about. Also the research page has some of the papers available for download. I think the one big thing the RAND report misses is that it looks at geospatial databases in isolation. It is only when that information is combined with other data and intel that it becomes dangerous. It is in the aggregation, integration and analysis that valuable information comes to light. best, sean GMU school of public policy
Seems pretty strang to me... [typo in original story] G
oregonnerd...a nerd in Oregon, of course