Slashdot Mirror


State Department Developing Cyber Toolkit

An anonymous reader writes "The U.S. State Department, known for its recent RFID passport embarrassment, seems to have developed a key tool in the Department of Homeland Security's cyber toolkit for federal agencies. There's not much out there on it other than mention of a tool called SandStorm in a recent press release from State's Bureau of Diplomatic Security. According to the site, "SandStorm simultaneously collects, correlates, and analyzes data on multiple computer systems and departs, leaving no trace of its activities. The White House is championing this cyber tool and the Department of Homeland Security has selected it as a cornerstone application for a cyber toolkit being made available to all Federal agencies." Sounds scary to me, but may be a step in the right direction."

8 of 269 comments

  1. False positives or no matches at all by UR30 · · Score: 2, Informative

    It would be nice to know how they are going to solve the problem of coincidences. Any large dataset will have false positives due to the massive amount of possible cross-correlations in such data. The problem of information extraction is a hard one, especially if the different datasets are going to be used together. The Data Mining and Domestic Security: Connecting the Dots to Make Sense of Data by K. A. Taipale is a good review of this from the law perspective.

  2. We have heard of such backdoors before... by NZheretic · · Score: 4, Informative
    From the "Transcript of Internet Caucus Panel Discussion. Re: Administration's new encryption policy."
    Date: September 28, 1999.
    Source: Tech Law Journal recorded the event, transcribed the audio recording, and then converted it into HTML.
    Weldon statement:

    Schwartz: Congressman Weldon, thank you very much for being here. Do you have any questions.

    Rep. Curt Weldon: Thank you. Let me see if I can liven things up here in the last couple of minutes of the luncheon. First of all, I apologize for being late. And I thank Bob and the members of the caucus for inviting me here.

    Pardon me if I seem a little bit confused to our panel, but, I am, and have been, with the change in direction which has occurred. But before I begin, let me say at the outset one of my biggest projects for the past four years has been to build what is becoming the first smart region in America, linking up all of the institutions within a four state region -- Pennsylvania, Delaware, New Jersey, and Maryland -- _____. In fact, over the weekend, I hosted the Minister _____, who is the Minister of Information Technology for Malaysia. As we signed an ____ with them for uplink downlink ties between our hub initiative in the four states, and the new Malaysian super-computing corridor project that they are building in Malaysia. So, I am a strong advocate for the use of information technology.

    But my other hat is to chair the Research Committee for National Security. And when Bob introduced his bill three years ago, my door was pounded incessantly by the Defense Secretary and his staff, by the Director of the CIA, and by the head of the NSA, and I would note for the record neither the CIA nor the NSA is here today.

    Who is actually speaking for them today, I might add? OK.

    NSA and CIA came in, and in a very intense way, lobbied me personally, and I am not a computer expert, nor am I a lawyer, and they asked me to give access to my subcommittee and the full Armed Services Committee to look at the security implications of the change in Bob's legislation. I respect Bob. I think that he is an outstanding member. But I felt that I owed it to my committee, and my responsibility to Congress to listen to what the administration was going to tell me.

    We arranged a series of classified hearings and briefings. And, as with any Member of Congress expressing concern about the ability for our forces involved in a hostile environment to be able to respond quickly, ____ back to 1991 in Desert Storm where my understanding is that our commanders in the field had Saddam Hussein's commands before his own command officers had them, because of our ability to intercept and break the codes of Saddam's military. I want to make sure that we have that capability in the future. I responded in a very positive way to the argument that was being made by the CIA, by the NSA, and by DOD. And we took some very tough positions.

    In fact, Ron Dellums and I offered the amendment last year that had only one dissenting vote in the House, and this year passed by a vote of 48 to 6.

    In the past year none of those briefings have changed. And the people who have come to me as a Member of the National Security Committee, there has been no lessening of their impression of the threat. Yet all of a sudden I am told, and John Hamre, I think, he made the courtesy of calling me in advance, that there was a change.

    Now, I agree with the gentleman from the White House, for the administration, that it was coincidence that this happened the day before Vice President Gore went to Silicon Valley. I agree that that was just a coincidence.

    But the point is that when John Hamre briefed me, and gave me the three key points of this change, there are a lot of unanswered questions. He assured me that in discussions that he had had with people like Bill G

  3. Re:Definitely Beneficial by Anonymous Coward · · Score: 1, Informative
    it has something to do with the constitution...
    ...but not what you think it does.

    The Supreme Court has held the Fourth Amendment does not require law enforcement to give immediate notice of the execution of a search warrant. The Supreme Court emphasized "that covert entries are constitutional in some circumstances, at least if they are made pursuant to a warrant." In fact, the Court stated that an argument to the contrary was "frivolous." Dalia v. U.S., 441 U.S. 238 (1979).

    It's been like this for almost 25 years.

  4. Re:Definitely Beneficial by Master+of+Transhuman · · Score: 2, Informative

    "Let's make sure no one even thinks anything bad against the government."

    I think that's the aim of Bush's plan to require psychiatric examination of anybody and everybody who might be the least bit "other" than him (excluding Karl Rove, of course, who IS him.)

    Ah, here it is: http://www.worldnetdaily.com/news/article.asp?ARTICLE_ID=39078/

    A quote for those too lazy to click on the link:

    The president's commission found that "despite their prevalence, mental disorders often go undiagnosed" and recommended comprehensive mental health screening for "consumers of all ages," including preschool children.

    The commission also recommended "Linkage [of screening] with treatment and supports" including "state-of-the-art treatments" using "specific medications for specific conditions." The commission commended the Texas Medication Algorithm Project (TMAP) as a "model" medication treatment plan that "illustrates an evidence-based practice that results in better consumer outcomes..."

    But the Texas project, which promotes the use of newer, more expensive antidepressants and antipsychotic drugs, sparked off controversy when Allen Jones, an employee of the Pennsylvania Office of the Inspector General, revealed that key officials with influence over the medication plan in his state received money and perks from drug companies with a stake in the medication algorithm (15 May, p1153). He was sacked this week for speaking to the BMJ and the New York Times.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!

  5. Re:heres a link to the software by Master+of+Transhuman · · Score: 2, Informative

    No, the Sandstorm Enterprises NetIntercept product has been around for the last four years. It's hardly new and hardly something somebody would get an award for just buying (at $20,000, by the way.) The company started with PhoneSweep, a wardialing detector.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!

  6. "No trace", eh? by SuperBanana · · Score: 2, Informative
    SandStorm simultaneously collects, correlates, and analyzes data on multiple computer systems and departs, leaving no trace of its activities.

    So that includes taking whatever data it has supposedly collected/correlated/analyzed, and somehow uploading it somewhere, without my firewall noticing? And it somehow collects this data without my noticing CPU usage, disk IO, and so on?

    Everything leaves traces. It has to. If it is clever about how it goes about its work, that is one thing...but to say it "leaves no trace" isn't even "spin"- it's bullshit.

  7. Re:"Sandstorm" is a commercial product by Helevius · · Score: 3, Informative

    Wrong -- RTFA and check out the capabilities listed in the two presentations:

    Free to DHS & federal government
    From Dept. of State [and DHS US-CERT]
    Like EnCase Enterprise edition
    Network forensics "grep"
    Examine system state
    Remotely search multiple systems - files, ports, processes, file headers, hashes, MACs, ADS
    Search all files changed in this time frame
    Search all files with this hash regardless of name
    155KB agent runs, then deletes itself
    Windows only
    Fairly forensically safe - does not change file MACs
    Root kit detection to come later

    The key points are "155KB agent runs, then deletes itself" and "Windows only". SandStorm Enterprises did not create this product.

    Helevius
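
The capability list in the comment above (search all files with a given hash regardless of name, search files changed in a time frame, do not disturb file MACs) is what a small forensic triage agent does. The following is an added Python sketch of those two searches over a constructed directory tree; it is not code from the SandStorm tool or from anyone in this thread, and `build_sample_tree`, `find_by_hash` and `find_changed_between` are names chosen here. It opens files with O_NOATIME where Linux permits so that hashing does not bump access times; "repairing" atime afterwards with utime would itself rewrite ctime, which is why read-only access beats after-the-fact fix-ups.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# O_NOATIME exists only on Linux; elsewhere it is 0 and a read may bump atime.
_NOATIME = getattr(os, "O_NOATIME", 0)

def sha256_of(path: Path) -> str:
    """Hash a file's content without updating its access time where the OS allows."""
    try:
        fd = os.open(path, os.O_RDONLY | _NOATIME)
    except PermissionError:
        # O_NOATIME needs file ownership or CAP_FOWNER; fall back to a plain read.
        fd = os.open(path, os.O_RDONLY)
    h = hashlib.sha256()
    with os.fdopen(fd, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_by_hash(root: Path, wanted: str) -> list[Path]:
    """Regular files under root whose content hash matches, whatever they are named."""
    return sorted(p for p in root.rglob("*") if p.is_file() and sha256_of(p) == wanted)

def find_changed_between(root: Path, start: float, end: float) -> list[Path]:
    """Regular files whose modification time lies inside [start, end] (epoch seconds)."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and start <= p.stat().st_mtime <= end)

def build_sample_tree() -> Path:
    """Constructed fixture: the same content under two names, plus one unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "docs").mkdir()
    payload = b"constructed sample content\n"
    fixture = {
        root / "docs" / "report.docx": (payload, 1_600_000_000),  # original copy, old
        root / "notes.txt": (payload, 1_700_000_000),             # renamed copy, recent
        root / "other.bin": (b"unrelated\n", 1_600_000_000),      # different content, old
    }
    for path, (data, ts) in fixture.items():
        path.write_bytes(data)
        os.utime(path, (ts, ts))  # sets atime and mtime; ctime cannot be set from userland
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    target = sha256_of(root / "notes.txt")
    print("same content:", [str(p.relative_to(root)) for p in find_by_hash(root, target)])
```

The name-independent hash match is what catches a renamed file; the time-window search is only as trustworthy as the mtime, which any process that can write the file can also set.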

  8. Re:Internet Security? by jbvb · · Score: 2, Informative

    "Secured OS" and "good firewall" are OK, if there isn't a backdoor à la what the CIA got the Swiss crypto company to provide after WWII. If you're trusting software to keep you out of jail, you need to be working from source, and to have read key parts.

    But the other guy who said it would be visible on the wire is 95% right; you can hide low-bandwidth flows fairly well, but hardly anyone has the patience. Of course, few people have time to watch their wire either.

    jbvb