Jane's Intelligence Review Lauds Slashdot Readers as Cyberterrorism Experts

Last week the editors of the internationally respected magazine, Jane's Intelligence Review, asked Slashdot readers to preview an article on Cyberterrorism they had planned to run. But so many of you said (rightfully) that the article was lame, and so many of you had intelligent things to say on the subject, that the Jane's editors decided to trash the original piece and write a whole new one based entirely on your comments! And, in an unprecedented act of generosity, Jane's is going to *pay* those of you whose words make it into the final story, which is being written by Deputy Editor Johan J Ingles-le Nobel. Please click on the "Read More" link below to get the whole scoop directly from Jane's - including info on how to collect your money if you are one of the folks Jane's decides to quote.

Open source meets open source

What happens when you throw together open source intelligence (intelligence from non-classified sources) and the online open source movement? Jane's Intelligence Review (JIR), a leading specialist security analysis did just this, and the results were an eye-opener for all parties concerned. Writes Johan J Ingles-le Nobel, JIR Deputy Editor:

When you're confronted with a prospective article about cyberterrorism, as a journalist you know this is a massive emerging topic and that it will make a great story. After all, you've got to be both blind and deaf to have missed the unprecedented emergence of this thing known as the Internet, and that the day will come when, like anything else, it comes to be seen as a tool in the armoury of those that seek to harm and terrorise. Yet the very nature and vocabulary of the subject precludes a thorough understanding unless you're a programmer in the first place. Buffer overflows, denial of service, CGI, 128 bit encryption - such words are all anathma to the layman, yet crucial to a good article on the issue.

"JIR's choice at this point, upon receiving the article, was tough. It's great to get copy from someone you know to be very good on terrorism on this subject, but upon reading the article left me with more questions than answers - and questions that only qualified people could answer properly. I'm not referring to shallow 'such and so defaced a website' type of answers, but thoughtful responses metered with specialist knowledge. So what better way to find answers than to go online, to seek out expertise on the subject?

Unfortunately, finding good information online is not nearly as easy as it should be. Thankfully, months earlier I'd noticed a link to Slashdot posted on a web-hosting service owned by a friend of mine, and having followed the link, bookmarked it a long time ago. Thus, upon receiving the article and personally researching cyberterrorism to find out a bit more on the subject and having been alerted to the fact that a) Linux is the best 'programmer's' o/s environment, b) many webservers use Linux and c) you're looking at expertise in both these areas for sensible answers, there was really no choice but to ask the guys that actually do this stuff for advice.

In retrospect, I'm delighted that I did. 250+ comments and 35 emails from psychologists to network analysts, and from Sun engineers to Cambridge Dons later, The responses have been insightful and knowledgable, with many excellent points made. I've even had a lot of 'thank-you' type letters from computer security professionals for trying this approach. Of course, when you ask for feedback you get feedback - and since roughly 99% of the posters slammed the article, even saying things like 'we'd expect better from Jane's', I've informed the author that we're not going to run with it. Instead I'm going to cull your comments together and make a better, sharper feature out of it - I'll be getting in touch with several of you for more specific details or for more clarification. The article will thus go into December issue (published middle of November), I'll arrange to have it put onto the free section of the Jane's Intelligence Review website (yes, you do all get to see it, of course), and if you find your comments included, contact me at johan.ingles@janes.co.uk for payment at our usual lineage rates (yes, of course you get paid - after all, we are gentlemen).

In summary: wherever you may be and whatever you may do, a big 'thanks, guys' comes your way from just south of London, England.

Johan J Ingles-le Nobel,
Johan.ingles@janes.co.uk,
Jane's Intelligence Review.

um...

[j+a+w+a+d]

For those of you who don't know me, I also work under the name "Anonymous Coward". For all those constructive posts I submitted for the Jane's article, I'm willing to accept the money (that's rightfully mine, of course). :)

Re:sdfgs

[aqua]

Oh, that should definitely be cited in the article. "The difficulty with intrusion detection is the prospect of compromise to those components of the system necessary to detect the intrusion to begin with," said I.L. Milne, an expert at Purdue University's research center. Added one Slashdot reader on the topic, "First post."

Community Editing/Writing.

[Thomas+Charron]

Well, this is an interesting use of the Slashdot Community. We've taken a small step from a 'Feedback' community to actually generating stories. This could actually lead to something interesting..

Perhaps a section of slashdot for proposed stories to be discussed, with actual stories being a summary of comments, etc..

"From the Community, FOR the community"

AC $$$$

I would propose that any fees owed to the AC's of slashdot be donated to the FSF

Open source journalism

[tolldog]

I think that this is great. Having been a long time reader of /. I have begun to realize the depth and insight of the other readers/posters.

We are journalists, in a strange twisted way. We report what we know to educate others. Doing it in this sort of fashion, I beleive, is an amazing idea and concept.

I am begining to think that having this be open sourced is even more important than having open source software. Software completes tasks, but it does not shape and form our views on a subject. I t is about time that a place takes recognition of the importance of the community effort. People can not pull the wool over the eyes of many, not without a fight.

May the open source movement migrate into and improve all things.

Group Authoring

[Saraphale]

Kudos to Jane's. It's not only good that they asked for comments, and are taking note of what they received, but also that they're offering to reward those whose contributions are being published. Has anyone published an article in this way before? It's the first of its kind that I've encountered. I wonder what threshold Johan J Ingles-le Nobel had his preferences set to, or whether the comments were summarised for him.

Several points about the method come to mind. Firstly, how are they intending to honour payment to people who made particular points or comments, when their points may be rephrased (and hence made unrecognisable, even if the point is still understandable) for editorial reasons, or when several people may have made the same point?

Hmm, I remember articles a while back about how to properly distribute books, essays and monologues electronically, and still receive payment for them. It's a shame this method can't be used more frequently - it relies too much on simple honesty.

Can an article still have coherency, and a clear point, when the person collating all the points may not have as much expertise in the subject area as those that submitted the information? It's not easy to create a coherent article if the subject isn't your own, even if you have a series of excellent references. I'm not knocking the people at Jane's, I just see it as a difficult task to form the mass of /. comments into a single article that would fit in magazine format.

Good effort.

S.

Good, it's about time...

[Otto]

Too bad I was out of town when that article appeared, otherwise, I'd have thrown my $1.95 in (inflation is a bitch)..

Still, after having read the original article now, and all the comments, I'm glad someone is at least doing it right.

We read all these articles (usually by big name news sources) that get posted to /. , and the majority of them have a lot of errors, misinformation, FUD, etc.. While we can easily tear them apart here in comments, those comments are not read by the majority of the mass public who read these articles and do not read /. Therefore, they don't have the whole truth of the story, and their thinking is biased based on the crap the news media puts out.

The best thing about /. IMO, is the simple fact that you get one of the largest collection of intelligent people on the planet coming together to give you the truth behind the headlines. Sure, you get some crap thrown in there because of the open nature of it, but that's a small price to pay, isn't it? If I want to know the truth behind the latest news, I simply check /. and turn on the moderation. Even if it's not the whole truth, it sure is a bunch of interesting informed opinions.

Truly the future of journalism. :-)


---

Re:Good, it's about time...

[SolidGold]

I don't think that the articles on slashdot are the be all and end all though. I find most slashdotters are extremely biased towards open source etc.

For example, I always read at moderation level 2 just to cut down on how much there is to read. I find that about 90 percent of the comments have a very distinct slant. I attribute this to the fact that most slashdot readers have that slant and consequently most good comments are slanted.

On top of that, the moderators are also biased towards the prevailing slashdot outlook, and that means that the scarce moderation points are more likely to be spent on comments supporting the general slashdot opinion.

In short, I think that slashdot does a great job of providing the slashdot position on a subject, but does not give a complete picture of most subjects.

What about other articles?

[Capt+Dan]

Kudos to Jane's. But what about other slashdot articles? I think that in order to get a complete veiw for their article Jane's should check out the slashdot archives as well. There are a number of interesting points brought up in archived posts that were not mentioned in the "Jane's needs you help" posts from two days ago. They may have been outside Jane's questions, but they are still valid.

A quick slashdot search for cyberterrorism yields:

FIDNET, Cyberwarfare, and Reality

CIA Considering Cyberwarfare


Pentagon Cyber Wars

Hackers Against LoU Cyberwarfare


They need a nice big picture. For example, interesting information on what is going on in the hacker community could come from the "Hackers Against LoU" article.

And wasn't there an article somewhere about the US Military running a massive test crack against themselves last summer? If I remember correctly, one of their teams managed to get into the systems of a Navy Destroyer?
"You want to kiss the sky? Better learn how to kneel." - U2
"It was like trying to herd cats..." - Robert A. Heinlein

Parallel between journalism and the web?

[IIH]

In the early days of the web, there were fewer sites and finding information on the web was straightforward. Your favourite bookmarks covered what you wanted, and search engines covered the rest quickly. Now, there are a lot more sites, and a lower signal/noise ratio with a lot of irrelevent content. There are vast lists of sites covering similar topics, and search engines can't keep up. Result? People are switching to portals, or using more particular search engines.

Journalism it seems has to go down a smiliar path. Speed matters for a story, but accuracy and research count highly. Previously, you had journalists who were experts in their own field, and you had a breathing space to do research before the story went to the printing press. In this day and age, with news sites on line, stories break at "internet speed". Hence, reasearch needs to be as quick. Also, with the amount of new developments it's impossible to keep up to date with everything. Result? do an "Ask slashdot" for info, and you'll get a very quick response from several people that know what they are talking about, several revelent links to the subject matter, and a general view of how the topic is viewed on the ground.

It's an excellent method and a lot better than reissuing the same myths that seem to propagate. I think Janes should be commended on a big step in the right direction.
--

Factual Content, It's Their Style

[ronmon]

When I was in the USAF Security Command (way back, only one 4 year hitch) we had shelves full of books to help familiarize us with foreign aircraft. Nobody ever opened any of the "official" government pulp. We always reached for Jane's All The World's Aricraft. This is a class act on their part and has consistently been thier style through the years. Hats off. RonMon

Cringely

[TAiNiUM]

Good ol Bob Cringely has a few thoughts about the whole Jane's event:

"Maybe this was in the minds of the folks at Jane's, the British publisher of defense information, who this week threw their cyber terrorism research at the nerds who read Slashdot, hoping for some inexpensive proofreading to keep Jane's from making their own big mistakes. This is an interesting idea but ultimately flawed, I think. The only way to write the news is to write the news. You have to do it the best that you can then take the heat, because the censorship of the nerderati is still censorship. That's why newspapers make corrections."

Obviously he wasn't aware that Jane decided to publish the /. posts when he wrote this article, and I'm just dying to hear what he has to say about it.

Censorship? Nobody told Jane's they *couldn't* post that crap, we simply informed them of it being such a bad idea :)


http://www.pbs.org/cringely/pulpit/pulpit1999100 7.html

Re:Respect

[remande]

Consider Jane's guides to be similar to SANTA/SATAN. Both are publicly available. Both contain expertise usable to attack somebody. Because of this, both are actually more useful to defenders than attackers.

In the world of online security, it is better to have a publicly known weakness then to hide the weakness. If the weakness is hidden, then the Bad Guys share it among themselves and we don't know. If the weakness is known, we can post the moral equivalent of guards until somebody fixes the weakness.

Something like this should end up on sysadmins' desks pronto: they are our first defense against cyberterrorism. Fortunately, we here at Slashdot heard about it before publishing, and that means that a lot of sysadmins will know about this and be ready for it.

For anyone working at Jane's, I suggest that this article be target marketed to sysadmins. This would be a service to those people who keep our systems secure. This also would also increase circulation: rather than being targeted at a centralized military market, this is targeted at a decentralized computer security market. Unlike other forms of attack, this one cannot be defended by the military: cyberterrorism is best fought by a networked militia of private citizens and organizations.

HOWTO: Community Editing/Writing

[kspett]

Two nights ago (or maybe it was last night, all that caffeine blurs lines between distinct time periods) I was reading the responses to Microsoft's "Linux Myths" publication. I read the top scoring comments and found that almost all of them were based on undeniably cold, hard information. Where backing information became ambiguous, such as our "anecdotal stories" about NT's uptime, slashdot writers comprimised, even when they knew they were right, in order to keep the overall validity of their arguments strong and impenetrable. I thought to myself, "Nearly everything Microsoft claimed in their paper has been proved false or invalid by very scientific observations, and the more opinionated statements Microsoft made has been responded to intelligently. I could take this statement from this comment, and this paragraph from this one and create an entire rebuttal report by compiling snippets of these comments.". Such a "compiled" (if I may use the term in a non-technical sense (; ) paper would certaintly be considered "Community Written" and would basically take one person's additional effort to construct. If a number of these compilations could be produced, we could put the "Slashdot Community Publication Repository" online.
Few issues:
Who would do the compiling? Would lots of people make them, and then moderators (possibly those with highest scores on comments?) would vote on them? Would the moderators themselves do that? Would the slashdot admins compile them? Would each comment's outline contain an identifier for each specific point he or she makes (Slashdot HTML tags?) and then would those clearly defined points be voted on?
Lack of sources. (Not to be confused with source code.) For a formal report to be compiled, saying things like "NT only gets C2 classification when not connected to a network." require specific proofs. Where did this information come from? All that stuff needs to have links to its original source whether it be AP Newswire, a Bugtraq report, or just a few steps of math to show what 99.9% annual uptime is. Even saying that 2 GB has been the swap file size limit should have a link to a man page somewhere (so it can be immediatly victimized by The Slashdot Effect).
Time. This compiling will take time. (Until AI Beowulf clusters of a thousand Linux boxes do it for us.) Will we care about this issue by the time we have a publication. Should we vote on which issues to pubish?
Rob's Ego. Should we let him bask in his own creation's glory? Should we have him keep a skull on his desk like Shakespeare did to remind him he is only mortal? Should he be required to take psychoactive medications? Should he, like the Pope (Pontifex Maximus (; ), be required to bequeeth all his worldly possessions to his orginization to keep him humble? (Dibs on server.)
Also, no doubt this change would effect our beloved Slashdot. I can see a few possible effects:
Reduction of stupid unneccassary, unintelligent comments due to motivations to have part of his comment cited in Compilation. I'm capitalizing it now... exiting!.(i.e., the writer would know that "Micr0$oft Sucks!" wouldn't be considered for publication.).
Community recognition. If we had such Compilations with citations and such, notable media would start refering to Slashdot Compilations for information and viewpoints on topics. (More often then they are now, even.) Slashdot's notoriety would grow, and so would its user base.
Slashdot Compilation Archives cds could be sold to accomodate the larger user base and traffic. We would need Rob to make his taxes public so we could make sure he isn't spending the Compilation Archives cds on his well-known crack habit.

In closing, I believe Community Writing could really enhance Slashdot as a whole. LOTS of places would have discussions forums, and Slashdot still would be. People would still debate, flame, respond, email and DoS each other based on their posted opinions. But Slashdot being the first to actually produce such valuable publications based on the knowledge base of its user would be a very first. [It is really too damn late and I have too damn much to do for school, etc. so I have not grammar/spell/content checked this. Deal with it.]


Kspett