The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle's police chief; and Daryl Pregibon, a research scientist at Google.

They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do--perhaps inspired by watching too many episodes of the Fox series 24--can't work. "If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so."

A summary of the recommendations:

• U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.

• Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

• To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data... At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

• Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to "mine the miners and track the trackers."

• Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

• The U.S. government should periodically review the nation's laws, policies, and procedures that protect individuals' private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

Here are more news articles on the report. I explained why data mining wouldn't find terrorists back in 2005.

Blogger: Dan Blum

It is no surprise for us to hear loose lips flapping in India about a capability to decrypt Blackberry and other carrier traffic.

After all, we’ve done basic threat analysis for years and it was only months ago that I was brought into a company-wide CISO meeting at a U.S. defense contractor to help them hash out their travel policy for mobile devices. Going into the meeting, I knew their policy restricted taking devices to a list of countries considered dangerous – but there was an exemption for BlackBerries.

Our research uncovered that BlackBerry is pretty secure in most respects. It has transport encryption along with optional password protection, remote kill, disk encryption, and S/MIME encryption. Viruses have not flourished on this functionally limited and closed platform. Few if any third party add on programs are required for additional protection. Nonetheless, I went into the meeting prepared to talk with the CISOs about the risks and security limitations of life on BlackBerry.

Was the BlackBerry exemption reasonable? At the time, BlackBerry transport encryption was not known to have been broken (to be fair, the article listed above still qualifies as rumor, not certainty of breakage). However, I pointed out that it is dangerous to assume well-equipped attackers like military or intelligence organizations can’t crack transport encryption. And even if they haven’t cracked the BlackBerry network and whole disk encryption features, sophisticated adversaries have other attack paths. Check out Neal Stephenson’s excellent book Cryptonomicon for a description of how a talented adversary might “see” your keystrokes and screen images through a motel room wall, for example.

If one of your employees – such as a key scientist, project manager, or executive – is targeted for surveillance and is carrying sensitive data through certain countries, one could argue that he or she had better undergo serious counter-intelligence training.  Learn to spot and shake tails, sneak into dark alleys for that BlackBerry fix. Learn to paper the closet with layers of aluminum foil and send messages in the dark. Defend that BlackBerry with encryption, long passphrases, and kung fu. But unless James Bond is running your company, I doubt this is what your executives have in mind for the next business trip!

Assuming your organization’s lower level employees are like needles in a haystack and won’t be bothered could be an exercise in wishful thinking. It is always possible that nation states are monitoring some or all of the airwaves. Not so long ago the NSA had a massive a covert surveillance program in place. Years before the government was reportedly snarfing up terabytes of emails and crunching them through a program called Carnivore. And of course, selective monitoring of people on watch lists continues on a large scale. This is just the surveillance we know about in the U.S. We suspect there’s more behind the scenes and especially in countries such as China. Even if you train your non-specifically-targeted low level employees to write and speak in search-keyword-free code, the carnivore programs of the world are pretty good at sniffing out those interesting needles – such as descriptions of your business plans, manufacturing processes, and trade secrets.

Sound paranoid? I admit that I don’t know what the probabilities of being targeted or monitored are – just that it can happen. It’s the height of arrogance to believe that a nation state can’t get your information if they’ve targeted it and you’re within their borders. And it’s dangerous to rely on security by obscurity when medium or high consequence information must be protected.

What can be done? If key personnel can't dispense with the BlackBerry (or any other email device) during international travel to those countries where information may be most at risk, they (the users) should limit communications to what they’d feel comfortable uttering over a potentially-monitored telephone call. Controlling incoming communications – messages sent by others – is a harder problem. Until data loss prevention (DLP) products become more contextually sensitive about the travel issues, it may be best not to synchronize the BlackBerry with the overseas user’s home mailbox. Instead, have the user give out a temporary address for the BlackBerry and warn senders to be discreet.

Special Session: Situation Management I

Paper: Complex Event Processing approach for strategic intelligence

Authors: Nicolas Museux, Juliette Mattioli, Claire Laudy and Helene Soubaras

Abstract: One of the key issues of strategic intelligence within a crisis situation is to build an early assessment of the situation, based on a context sensitive information interpretation and through a well constructed situation representation. Our proposal is based on the conjunction of a conceptual modelling to represent situations out of document analysis and a reactive rule-based modelling to analyse them according to a domain knowledge and a goal. This paper focuses on this Situation Analysis process. But we present our global approach and sum-up the Situation Representation and its objectives. We introduce the Complex Event Processing formalism used for the analysis and dynamic recognition of such situations. We illustrate our approach through a case study taken from what happened during the energy crisis in California in 2001.

Presenter Biography: Dr. Nicolas Museux is a research scientist in the PLATON lab, at THALES Research and Technology. He had his engineering diploma in computer science in 1998. Then he started his Ph.D. in Applied Mathematics, Computer Science Systems and Control at the Computer Science Center of e’Ecole des Mines de Paris, and THALES Research and Technology. His Ph.D. focused on the application of constraint programming in distributing low-level digital signal processing programs onto multiprocessors architectures, to optimize data management and computing duration. After he obtained his Ph.D. in 2001, he worked until the end of 2004 on several projects in the PLATON lab linked with combinatorial optimization. Since 2005, Dr. Nicolas MUSEUX works on the Situation understanding research program. Its objectives are to identify, to specify and to design tools for situation model based reasoning in order to address situation analysis, risk assessment and situation projection.

Just a few months after CEO and founder Diane Greene was ousted, it comes as no surprise that her husband and co-founder, Mendel Rosenblum, has also resigned via a company wide message last night. Turns out he’s going back to Stanford to teach. What a lovely way to get out of the political mess VMware has become. Admit it, haven’t we all had a point where we get fed up with the latest work snafu and wondered, maybe I should go back to college and teach? I had a really good time in college… Kudos to Rosenblum for doing it and doing it in style.

And if you believe Tarry Singh, the company knew this was going to happen but waited until after registrations were closed for VMworld before making it official. Hmm.

From the New York Times, more on Greene’s firing and just what kind of atmosphere is forcing executives to leave VMware:

After Ms. Greene made a special presentation to VMware’s board, Mr. Tucci, who heads VMware’s parent company, EMC, pulled her aside, according to people familiar with the events, who asked for anonymity because they were not authorized to discuss internal company decisions.

Inviting Mendel Rosenblum, Ms. Greene’s husband and the co-founder of VMware, into the room, Mr. Tucci told Ms. Greene she was fired, effective immediately. And he said the board wanted Mr. Rosenblum, VMware’s chief scientist, to take her seat on the board. Mr. Rosenblum declined the offer.

Honestly, what kind of a judgement call was made to first fire the man’s wife in front of him and then offer him her board seat? Has Tucci never seen an episode of Survivor?

(Photo Credit: Gizmodo)

You lose some. You win some: Of course as NBC’s online partner, Microsoft gets a least a cut of the $100 million dollars in online advertising spent around the Olympics. And the millions of downloads of Silverlight aren’t too shabby either.

The Internet is Falling! Arbor Networks, a security and network management company, partnered with ninety network services and content providers from around the world to publish an extensive study of IPv6 traffic on the Internet. Craig Labovitiz, Arbor Networks chief scientist, stated that only 900 days were left until the end of the Internet, or at least the exhaustion of IPv4 registry allocations. For the past year, the study shows very little IPv6 traffic – something like 1/100^th of 1% of Internet traffic. Craig credits this to money issues. “The department of commerce estimates it will cost $25 billion for ISPs to upgrade to native IPv6.”

Blogger James Urquhart created a bill of rights for cloud computing. The purpose of the bill is to “help guide would-be cloud customers to those clouds best able to guarantee their freedom.” The blogosphere is a great place to get some open debate going, and I applaud James for trying to make something yet so “cloudy” a bit more clear and concrete. But what’s up with the creating a PAC for this?? (Check out the comments.)

Trying to get by on limited resources? Need more money, staff and the freedom to focus on long-term projects? Sound familiar? Then you just might be in IT at a midsize company. (or in marketing at a young but rapidly growing IT company ) Arrow Enterprise Computing Solutions conducted a survey of 200 tech leaders at midsize companies (500 to 3000 employees). The upside: 61% of those surveyed think they’ll be spending more on IT next year – is this bullish thinking about the economy or how much their own business (rev) will be growing?

Bill Snyder calls Dell “Bozo of the Month” for trying to trademark “cloud computing”. Yikes. Maybe not a “bozo” move but certainly inadvisable given how ubiquitous the term is. Here’s our take on it.

Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.

The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees.  Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.

In fact, you can see the last edition here.  Caveat:  it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.

Plum Pickin photo by Secret Tenerife

Now why do we care about the Plum Book?  Well, that’s a good question.  Have a look at some of the staffing plans in the plum book, and you’ll see something missing:  Agency CISOs.

Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers.  Once again, we’ve crippled our security staffs like the old-school way of doing things.

On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s.  So what’s the difference?

Well, political appointees (SES) are appointed by the President.  They make a better target because they have much more visibility from the higher-ups they are more political in nature.

GS-scale employees are civil service careerists.  Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.

Which is better?  Well, if you want survivability, then GS-scale is the way to go.  If you want to make the most difference, SES is the ticket.

Most of us will never get the choice. =)

Bookmark to: