TECHNOLOGY
CIA 'data mining' technology to find nuggets 3.2.01 Tabassum Zakaria Reuters
Langley VA. The CIA, faced with a daily avalanche of information, is using new "data mining"
technology to find useful nuggets within thousands of documents and broadcasts in different languages. The spy
agency must sift through a barrage of information from both classified and unclassified sources in varied formats
such as hard text, digital text, imagery, and audio in more than 35 languages. The Office of Advanced
Information Technology (AIT), part of the CIA's Directorate of Science & Technology, is focused on finding
solutions to the "volume challenge."
One computer tool called "Oasis" can convert audio signals from tv & radio broadcasts into text. It can
distinguish accented English for greater accuracy in the transcription, whether the speaker is male or female, and
whether one male or female voice is different from another of the same gender. At the left of the screen of a
transcribed broadcast are labels "Male 1," "Female 1," "Male 2," next to sentences. If one voice is labeled with a
name, the computer from then on will put that name on anything else with that same voice.
The CIA is planning to have Oasis developed for different languages such as Arabic & Chinese. It also finds
similar meanings of words being searched, for example a broadcast might not mention "terrorism" but might say
"car bombing," which the computer would tag as "terrorism" so that anyone searching for that category would find
it. Currently the CIA's Foreign Broadcast Information Service is using it in one Asian city and intends to have it in
other regions such as the Middle East this year.
"Data mining" tools are used to extract key pieces of information from a variety of intelligence traffic such as on the
flow of illegal drugs and also to keep track of illicit financial transactions. Tools were developed to help CIA analysts
on Iraq, who were asked to analyze the agency's holdings on Iraqi war crime violations, about 1.2 million
documents going back to 1979. The Text Data Mining tool extracted and indexed all words in the data so for
example if an analyst was asked whether Iraq ever used anthrax as a weapon, the analyst could open the tool and
find anthrax in the automatically generated index. That tool also counts the frequency of word use and can handle
various spellings of the same Iraqi names or locations.
Pentagon to dig into marketing data on citizens
Type of information that can be legally obtained for a new federal govt computer program ranges from political
& religious contributions to magazine subscriptions, clothing sizes and even data about prostate problems.
Pentagon's Terrorism Information Awareness program is being designed to track terrorists, but privacy advocates
say it could be misused.
Almost every conceivable tidbit of personal information is collected & sold by private firms to create behavioral
dossiers on millions of consumers so marketers can pitch products to them. Loophole created for the data-
gathering computer program, dubbed by critics a "supersleuth" system, makes that same information fair game for
the govt. Civil-liberty advocates say that because there are no laws to govern this relatively new method of data
mining, it leaves people vulnerable to gross invasions of privacy & due-process violations.
In congressionally mandated report, Pentagon's TIA program officials said it will only collect data for its
database that are "legally obtained & usable by the federal govt under existing law." Sen. Ron
Wyden D-OR, leading program critic, called the language a major loophole to data mine "everything
under the sun."
Electronic Privacy Information Ctr deputy counsel Chris Hoofnagle said information legally obtainable includes:
current & past addresses, number of bathrooms & bedrooms in a house, what utilities are consumed,
phone numbers, smoking habits, Social Security numbers, hobbies, income, automobiles, shopping preferences,
height, weight, race, clothing size, magazine subscriptions, purchases through book, music & video clubs, and
whether the family pet is a "Fido" or a "Fluffy." This information, he said, can be bought for pennies per
person.
Commercial data problem is its reliability. Because it was not collected for law-enforcement purposes,
"the accuracy standards may not be as high as they should have been," Flint said. An important
distinction should be made, she said, between govt searches for a specific suspect versus the govt
looking for patterns on a computer and "looking through everyone's information, including those they
know have not been doing anything." "It's an entirely new way to look for suspects: backwards,"
Miss Flint said. Congress has passed legislation requiring oversight of the TIA technology before implementation, but critics say updated privacy laws are needed to address the fast-moving technology of data mining. "Pattern analysis is a new technique that allows uniquely intrusive govt searches not previously possible or even imaginable, and we really need our laws to catch up with our technology," Flint said.
9.20.01 Wm J. Broad NY Times News Service
But their targets are vanishing. Relay stations on the ground for commercial communication satellites &
terrestrial microwave links have increasingly been replaced by fiber-optic lines, which are impossible to tap without
a physical linkup. Commercially available cryptography software often makes obtainable signals unreadable, or
greatly increases the time it takes to decipher them. For a time, Washington fought the spread of such technology,
refusing to grant export licenses. But in 1999, as companies abroad made cryptography strides and American
industry pressured Washington, the Clinton administration announced plans to relax restrictions on exports of data-
scrambling software.
Ft Belvoir is only the beginning for CTS. Its Pentagon architects say it will help protect our troops in cities
like Baghdad, where for the past few weeks fleeting attackers have been picking off American fighters in
ones & twos. But defense experts believe the surveillance effort has a second, more sinister,
purpose: to keep entire cities under an omnipresent, unblinking eye.
CTS would coordinate the cameras, gathering their views in a single information storehouse. The goal,
according to a recent Pentagon presentation to defense contractors, is to "track everything that moves." "This gives
the U.S. govt capabilities Big Brother only pretended to have," said defense think tank
Globalsecurity.org dir. John Pike. "Before,
we said Big Brother's watching. But he really wasn't, because there was too much to watch."
Traditionally, authorities have collected information only on people who might be connected to a crime. If there was
a murder in the East Village, the cops didn't bring in all of St. Mark's Place; they interrogated only the people who
might have information about the killer. Even the most extreme abuses of law enforcement power, like J. Edgar
Hoover's domestic spying on political activists, homed in on very specific individuals, or groups, that he imagined as
threats to the state. He didn't put the whole state under watch. 9.11.01 changed that. Now, the idea is to find out as
much as possible about as many people as possible. After all, the logic goes, the country can't afford to sit back
and wait to be attacked. Almost anyone could play a part in a terrorist plot. So the govt has to keep tabs on almost
everyone.
CTS, a $12 million, 3 year program, is emerging as a potential centerpiece of that initiative. "Before, it was 'let's catch
the bad guys and bring them to trial after stuff happens,' " Lewis said. "Now it's 'let's look for patterns and
stop [an attack] before it happens.' " That's why Atty Gen. Ashcroft pushed for a program to turn a million
civilians into citizen-spies, snooping on their neighbors. That's why the USA Patriot Act now allows for
wiretaps without warrants. And it's why the Pentagon has begun researching an array of high-tech tools to
pry into average people's lives.
"LifeLog," currently in the early planning stage at DARPA, would twist all these bits into narrative "threads," giving
officials a chance to watch events develop. Along the way, LifeLog's developers would like to capture the name of
every TV show you watch, every magazine you read. Still, watching your data trail just isn't the same as actually
watching your physical tail. You can change your e-mail address, and start paying cash. But you can't run away
from yourself. That's the missing piece CTS could provide, an almost instant ability to track, moment by moment,
where you are and what you're doing.
"Before, there was a reasonable expectation of privacy when you were walking down the street," Lewis said. "Now
that's something that will have to be adjusted."
In 1791, English philosopher Jeremy Bentham proposed a
jail, circular in shape. The warden would sit in a dark observation booth in the middle; the prisoners would sit in
well-lit, inward-facing cells along the circumference. Under constant threat of being watched, the jailed would
change their behavior, Bentham theorized, bending their activities to the warden's rules. Two centuries later,
England has 2.5 million security cameras spread throughout the country, by some estimates. Several cities, like the
port town of King's Lynn, are covered by the lenses. Putting people under electronic watch induces a kind of split personality, said Bill Brown, who leads tours of Manhattan's spy cams as part of his duties with the Surveillance Camera Players. The authorities want people to obey the law, to behave rationally. But video surveillance does the exact opposite. It makes people feel, correctly, like they're constantly being watched, like they're paranoid. "And that's not a rational state at all," Brown said. "It's a mental condition." Stalin & Saddam tried hard to keep under surveillance as many of their citizens as they could. But these efforts could never succeed completely. There was always a "fundamental barrier, the ratio of watchers to the watched," said John Pike of Globalsecurity.org.
CTS will keep watch by equipping each camera with a processor, like the one in your computer. The
chips will have programmed into them "video understanding algorithms" that can distinguish one car from
another. At each checkpoint, the car's speed, time of arrival, color, size, license plate, and shape are all
instantly passed on to a central server. If the early tests identifying cars go well, software that recognizes
a person's face and style of walk could also be added.
By sharing only this refined data, instead of the raw video itself, CTS should keep fragile computer networks from
becoming overloaded with hours & hours of meaningless footage. CTS would help govt networks avoid that
burden, with each camera transmitting a mere 8 kilobits per second, instead of the 200 or so kilobits needed for
high-resolution video. CTS would also keep the snoops who stare at the monitors from being overwhelmed. "We
have enough cameras, but not enough people to watch the video feeds," said CTS head Tom Strat for DARPA's
Information Exploitation Office.
CTS cameras might send back to headquarters only basic data or the occasional low-resolution image.
But when there's something fishy going down, like a car speeding away unexpectedly, or a briefcase left
in a train station, the images could come sharper, and more quickly. Proto-CTS programs from
contractors Northrop Grumman & Sarnoff Corp. would interrupt monotony of surveillance footage,
setting red boxes aflash around the suspect person or object. "It focuses your attention right there," said
Bruce De Witte of Northrop.
CTS would do more than change what investigators see. It would also give them a record of everything that
happens in a city's public places, potential evidence for prosecutors and terrorist hunters. In its presentation to
industry, DARPA said it wanted CTS to be able to find the common threads between a shooting at a bus stop one
month and a bombing at a disco the next. In theory, CTS could take an inventory of all of the cars around the bus
stop and near the disco immediately before and after the incidents. Then it could examine where those cars went,
to see if there were any vehicles in common or if a car acted as a sort of messenger between two others.
The forensic process could be further enhanced by one of DARPA's analysis programs, like LifeLog or
Total Information Awareness. After mining license plate numbers from the footage, investigators could
identify the car owners, then dig into the owners' Web-surfing trails, to see if there were any visits to
explosive-making sites and scan e-mail accounts for virulent language and plumb credit card receipts for
big fertilizer purchases.
To the uninitiated, storing & sharing all this information might seem like insurmountably complex tasks.
According to CTS manager Strat, the ability to network surveillance cameras over a wide area is "not right around
the corner." Defense and technology analysts have a different view. "(CTS) is pretty creepy. And the creepiest part
about it is that it's not all that sophisticated," said privacy-rights proponent Electronic Frontier Foundation sr staff
atty Lee Tien.
DARPA has mandated that the CTS demonstrations be done only with readily available, "off the shelf"
equipt. What may be harder is handing off information, a description of a suspicious vehicle, from one
camera to the next. These lenses will be separated by hundreds, even thousands, of meters. And
"appearances can change dramatically" in those distances, Johns Hopkins Univ. sr research scientist
Chris Diehl said. Slight variations in light or in the camera's angle can make a car look very different to a
mechanical eye. "If you read the literature, there really isn't a proven method" for solving this problem, he
said.
Yet this obstacle seems surmountable. In a CTS simulation conducted by software developer Alphatech, a car
could be tracked over 10 kilometers with accuracy of 90% or better with cameras placed 400m apart. The
percentage went up, of course, as the cameras moved closer together.
CTS is but one of an array of private & public sector programs to sort through the ever expanding amount of
surveillance imagery. UCSD Computer Vision & Robotics Research lab just received a $600,000 grant from a
Defense Dept counterterror group for a CTS-like project. At Los Alamos National Laboratory, Stephen Brumby is
using genetic algorithms, programs that are bred from smaller components of code, to automatically analyze
satellite pictures. At the Sarnoff Corporation, a project dubbed Video Flashlight would morph cameras' views into a
single 3D model. Using a joystick, a security officer could maneuver through this simulated world as though playing
a game.
In order for Video Flashlight to work, however, it would have to use stationary cameras. CTS doesn't have
that limitation; it's supposed to function with drones & other battlefield sensors. That's one of the
reasons Globalsecurity.org's John Pike thinks the program could have a legitimate military function, "to
the extent that it is relevant to urban operations, as opposed to the running of a well-oiled police state."
Combat in cities "tends to quickly degenerate into small firefights," Pike explained. It's a lot harder to know what's
happening in a crowded city than it is in an open desert. Radios cut out quicker; drones & satellites have a
harder time peering through the concrete canyons and narrow passageways of urban life. CTS could restore some
of that sight, giving U.S. generals a "broader situational awareness."
This assumes CTS has anything to do with urban combat. If it does, it'd be a surprise to some of the
businesses bidding for the CTS contract. "The primary application is for homeland security," said Sarnoff
Corp. spokesman Tom Lento. "The whole theme here is homeland security," added Northrop Grumman's
De Witte. Strat disagreed. "DARPA's mission is not to do homeland security," he said.
In a presentation to industry, DARPA noted, "CTS technology will be demonstrated only within the observable
boundaries of govt installations where video surveillance is expressly permitted, and operational deployment areas
outside U.S. where it is consistent with all local laws." But in an interview, Strat did admit that "there's a chance that
some of this technology might work its way" into domestic surveillance programs.
In the test at Ft Belvoir this year the aim is to track 90% of all cars within the target area for any
given 30-minute period. The paths of 1 million vehicles should be stored and retrievable within 3 seconds.
A year after that, CTS is supposed to move on to testing in an urban combat setting, where it will gather
information from 100 mobile sensors, like drone spy planes and "video ropes" containing dozens of tiny
cameras.
"This is coming whether we like it or not," said CSIS Jim Lewis. "It's not how do we stop the tidal wave. It's
how do we manage it."
Cyber national guard Defense Dept for controversial AZ cybersecurity plan 4.18.01 Kevin Poulsen SecurityFocus
Pentagon cyber security wonks are looking to the Grand Canyon State for the future of information
warfare defense, thanks to a bill in the Arizona legislature that would create the country's first
State Infrastructure Protection Center (SIPC). Like its national namesake, the FBI-housed NIPC,
the Arizona SIPC would be poised to respond to physical cyber attacks on 7 critical
infrastructures: telecommunications, energy, banking, finance, transportation, water and
emergency services. But it would be overseen by the state's emergency management department,
and be comprised primarily of state agencies. It would also maintain close ties to the Pentagon,
which has endorsed the proposal. Under the plan, the Defense Dept would provide the SIPC with
up-to-date, sanitized information on network vulnerabilities and ongoing attacks through a new
Computer Emergency Response Team (CERT) established within the Arizona National Guard.
"The National Guard is the perfect conduit between the [Defense Dept] & the state," says
James Christy, law enforcement & counterintelligence coordinator for the Pentagon's
Defense-wide Information Assurance Program, who helped draft the proposal. "The National
Guard works for the state governor most of the time, but they can be federalized in times of
crisis."
But the SIPC bill is not without critics, and an earlier version passed Arizona's House of
Representatives only to be shot down in the Senate. At issue: The legislation foresees crafting the
SIPC out of existing hardware & personnel, at no cost to taxpayers, a proposition Arizona
governor Jane Hull says is unrealistic. Moreover, the bill would require the state's technology
managers to promulgate a series of cyber security plans including use of intrusion detection
systems in every govt agency, but doesn't offer any money for that effort. "The governor has
concerns because it's not funded, and it calls for the creation of 15 different plans with no
implementation strategy or funding," says Susan Patrick, strategic communications manager with
Arizona's Govt Information Technology Agency, the group that would be responsible for pushing
the reforms. "It also calls for us to use existing resources, and we have no statewide information
security specialists in our agency."
E-Bomb
In an eye blink, electromagnetic bombs can put civilization back 200 years. Terrorists' building cost is $400.
9.01 Jim Wilson Popular Mechanics
high-power microwave pulses
1925 by physicist Arthur H. Compton,
the Compton Effect
first major test of an American electromagnetic bomb is scheduled for next year.
In the 1980s, the
Air Force tested E-bombs that used cruise-missile delivery systems.
idea the U.S. studied but discarded,
the Flux Compression Generator (FCG).
Somehow I found the right paper. It was 1 a.m. and hope lived. The machine accepted the long list of
numbers and letters from the authentication document but then shocked me by stopping to announce that
what I had was a Windows 98 upgrade. The upgrade demanded to be installed on top of Windows 95. I
had the Windows 95 disk handy and popped it in but was stopped again. The screen asked me to type in
the Windows 95 authentication code. Chen wins round six. I had the code six years ago, probably had it
still, but where? I should have kept it in a fireproof lockbox with my birth certificate and marriage license,
but in fact I had lost it in some pile of computer stuff somewhere. Finally I found it and got things almost
right. I went straight on the Internet to download a better, newer virus program. Round seven to the home
team. After I paid $25 via credit card, it told me to print out the screen as a receipt. Oops, the printer
wasn't reinstalled yet, so the computer froze. When I got it going again, the virus Web site wouldn't talk to
me unless I first typed in my code name and password, which it had sent by e-mail. Trouble was, my
Roadrunner e-mail program was gone. Round eight to Chen. I began setting it up again, and it refused to accept my sign-on name and password. I tried every password I've ever used and none worked. So early one Sunday morning, a Roadrunner worker got a call from a very grouchy customer. I convinced him I was not an identity thief and he confirmed my sign-on name & password, exactly what I had typed in, almost. The name needed to start with a lower-case letter, not an upper-case one. Around 2 a.m. I was able to get the e-mail, download the virus-fighting info and declare my computer safe and germ-free. Round nine and Chen finally went down for the count. But I didn't celebrate, just went to bed. If another virus strikes my household, I hope I catch it instead of my computer. Anything short of Ebola would cause less misery than Win95.CIH.
Weapons of the secret war
Drug war signals honed intelligence for terrorism fight Nov. 2001 Paul Kaihla Business 2.0
The target never had a clue that he was in imminent danger. A high-ranking member of a Kashmiri terrorist group
implicated in the World Trade Center attack, he had every reason to believe he had eluded the manhunt. He was
lying low in a nondescript safe house on the outskirts of Peshawar in Pakistan's Khyber Pass region. He steered
clear of phones and kept to himself. His sole contact with his global ring was through wireless e-mail transmitted by a high-frequency radio running on only eight flashlight batteries.
His communications network relied on a base station hundreds of miles away in the Afghan desert; that device had been spotted by a robotic USAF Predator spy plane mapping radio traffic along mountainous Afghan-Pakistani border from an altitude of 25K ft.
Listening posts in worldwide surveillance network range from simple radio antennas wired into sophisticated
receivers to P-3 Orion spy planes operated by the U.S. Navy & Customs Service to nuclear submarines like
the USS Jimmy Carter, which can sit on the ocean floor for weeks at a time tapping undersea fiber-optic cables.
The network even extends into space, where at least 8 geosynchronous spy satellites vacuum up radio and other
waves emanating from earth, beam the captured data to receivers on various continents, and then relay them to
Fort Meade, MD NSA HQ. Some listening points feed data computers of Cold War-inspired intelligence
cooperative called Echelon, maintained by U.S., Canada, Britain, Australia, and New Zealand. Spectrum analyzers,
like MRI-scanners for all electromagnetic signals in an area find radio transmitter in mountains & tell its
energy source. Data-mining software combs hundreds of millions of intercepted e-mail msgs, faxes, and phone
calls in minutes to find a single flagged sequence. System can pick single voice from thousands of cell-phone
conversations in area, even if speaker is constantly switching phones to avoid interception.
At the controls are specialists who number only a few hundred in U.S. and perhaps 2,000 in the entire world. One
of handful of private contractors told Business 2.0 he was hired by 3 letter govt agency 9.11.01 and has worked
practically around the clock since. Steve Uhrig is another private sigint contractor, onetime "spook" with U.S. Naval
Intelligence now one of most respected surveillance & technical countermeasure specialists in world. He
installs bugs & wiretaps, sweeps for them, and designs "black boxes". Colombian army is by far his largest
customer. Among surveillance systems he set up in Colombia is 100 "beeper busters" network, computer-driven
receivers with decoders that filter both pager numbers & content of interest to authorities in real time. The
instant suspect receives pager message, Colombian army intelligence has a copy.
In 1993 the CIA & covert U.S. Army unit called Centra Spike spent months in Colombia monitoring Escobar's
communications from both ground & air, finally pinpointing his location when he made a cell phone call.
Colombian special forces commandos killed him as he ran barefoot across apt bldg rooftop. Escobar's death taught
traffickers cell phones vulnerability. Cartel countermeasure is to "roll" cell phones to confuse wiretappers. Using
scanners, they steal identities of innocent bystanders' mobile phones and program the "cloned" numbers into their
own handsets for a few days at a time. Authorities can't keep track of what phone numbers they should be tapping.
In response, authorities deployed surveillance technology that operates over Colombia from spy planes. It uses a series
of intermediate frequency-to-tape converters with directional antennas, receivers, and wide-band recorders, to
scoop major bands across entire cellular spectrum. Loaded with the proper gear, one aircraft can record all cell
traffic in major city by circling at high altitude exploiting microwave signals that form handshake between cell sites
in wireless networks. At plane's base, computer extracts audio files of conversations from captured signals. Audio
files then filtered with voice recognition software, allowing identification by suspect's voice.
According to Uhrig, those vacuum cleaner technologies will not be as effective against Middle Eastern terrorists.
Afghanistan has no cellular service. This year's successful prosecution of 4 terrorists implicated in 1998 African
embassy bombings relied heavily on NSA intercepts of cellular & satellite phone calls between terrorist leader
Osama bin Laden & his al Qaeda network. All too aware its phones were compromised, al Qaeda reportedly
curtailed its use of phones. Task is the forte of unacknowledged U.S. intelligence agency named
Special Collections Service (SCS) in Beltsville, MD, short freeway ride from NSA HQ, jointly staffed by
NSA & CIA. Operating under U.S. embassy cover around world, agency known for hiding bugs on pigeons on
windowsills of Soviet embassy in Washington, D.C.
SCS currently eavesdropping on govt communications in MidEast capitals and, where possible, setting up listening
posts around figures close to bin Laden's network. "They'll be trying to build a case to show the Taliban's support
for al Qaeda," says retired U.S. special ops colonel still involved with military. Suspects trying to blend into a densely
populated city talk on a radio freq they "snuggle" next to a powerful signal like a local tv transmitter. "Sweeping area for
a radio, you'll miss it unless you know exactly what you're looking for," says Uhrig, technical consultant for film
Enemy of the State. "Receiver will lock on to the big transmitter." In that case, hunt with spectrum analyzer for
picture monitoring all signals big & small, and break them down into parts.
In mountains, Uhrig surmises low-powered high-freq radio network, whose signals drowned in background noise emitted by electronic car ignitions. In a manhunt, ascertain coordinates of a target. Modern direction finders get bearing on radio or a cell phone even if they capture as little as 20msec signal. Put Tomahawk into cave with laser detonator." Anything that creates RF signal,
If you suspect you have been improperly checked through the Law Enforcement Information Network, or
LEIN, write to Kathy Rector, exec. dir.,
Criminal Justice Information Services Policy Council
c/o Michigan State Police 7150 Harris, Lansing MI 48913
Include your name, dob, driver's license number, license plate number and any details that caused you to
suspect a LEIN abuse. Also include the date you suspect the violation occurred, who may have misused the LEIN
and your phone number.
Confounding Carnivore How to protect your online privacy 11.29.01 Omar J. Pahati AlterNet
U.S. backs radio technology that sees through walls
WASHINGTON U.S. regulators approved a new technology that lets law enforcement find objects
buried in rubble, helps drivers avoid accidents and may give consumers options for high-speed communications in
their homes and offices. The Federal Communications Commission said it took a
cautious approach to so-called ultra-wideband, adopting strict guidelines for services using the system of wireless
transmission. The rules will prevent the system from interfering with air traffic control operations and global
positioning satellites that track military troops, hikers and other people. Ultra-wideband, developed by companies
such as closely held Time Domain Corp. of Huntsville, Alabama, operates over a wide slice of airwaves using
bursts of radio signals. Opponents, such as the Pentagon, mobile-phone carriers and other U.S. agencies, feared
the service might interfere with equipt.
'Big Deal'
Pop star Britney Spears is offering her fans smart cards that will give them exclusive access to behind-the-scenes videos & photos, as well as to promotional offers. The singer's Web site is offering 5 versions of the multicolored SmartFlash Collectible Card, each bearing an image of Britney and carrying a different feature in its chip. Fans will plug in smart card readers to their personal computers and insert the cards, which will take them to restricted sections of the Web site to find back-stage concert photos, rehearsal videos, samples of new music & other content not available to others. The Web site says the cards will be available soon. Spears' representatives did not respond to requests for comment, but sources say the Britney Spears card is the first in a series of smart cards featuring sports, music & film celebrities. Meanwhile, another company has launched a smart card aimed at video game enthusiasts. Norwalk, CT based StatCard Entertainment Inc. began selling its XAction Skate chip card at the Toys 'R Us store in midtown Manhattan last month, and the toy retailer will offer the cards nationwide in March, says Art Swanberg, StatCard's president & CEO. Once kids plug a smart card reader into a PC, they can insert cards featuring likenesses of skateboarding stars that take them to a StatCard Web site. There, they can earn points & add features to their cards by playing a skateboarding video game. They can also play against other kids on the Internet, winning or losing points based on the results. Swanberg says the company plans to introduce a snowboarding game card in the fall, and has plans for sports & music cards, as well. He projects selling 3 million to 5 million smart cards this year. The cards, which sell for $7.99, carry an 8-kilobyte chip from Germany's Zeitcontrol Cardsystems GmbH and are manufactured by Versatile Card Technology Inc. of Downers Grove, IL. (2.6.02)
Feb.2002 Card Technology.com How easy is it to clone one of France's current banking smart cards? "Click, click," responds computer expert Michaël Pagis, who demonstrated the clone in the Paris office of the newly formed European Institute for Information System Security. Would-be counterfeiters do have to have some technical savvy. Even then, the cloned cards will only work when the transaction stays offline, which it usually does for low-value purchases. If the terminal calls the bank for approval, as it will for higher-value purchases & withdrawals from automated teller machines, the bank will reject the transaction. The chief option is for banks to use the other main authentication method available under EMV, which changes the digital signature with each transaction. But this requires the chip to pack more processing power, which will raise the price of cards by 50% to 100%. For French banks, which last fall finished a 2 year swap-out of cards that had been compromised by hackers, that price is too high for the time being. They plan to start rolling out EMV this year, but will put off issuing the more sophisticated EMV cards until late 2003. The extra time will also be needed to complete tests of the more secure cards, says Cartes Bancaires' Randoux. (2.15.02)
Proxies
These are your first line of defense, so let's start with them. Proxies provide a useful layer of mediation between
your machine and the Internet. There are several types, but Web proxies and Socks proxies are the two most
relevant to our purposes. Grossly oversimplified, a proxy is a remote machine which you connect through to the
Net, which forwards your IP traffic, and which you then appear to be originating from. When you contact a Web site
via an anonymous proxy, it's the proxy's IP which shows in their logs. You can use either Web or Socks proxies
with your browser, and Socks proxies with other Net clients to obscure your IP from prying eyes. But you do have
to choose them with care.
Socks proxies are the best, general-purpose proxies. This is so because Socks are non-caching, which means, for
example, that there won't be a record of the Web pages you fetched while connecting through one, except on your
own machine, and this you can fix rather easily (more on that in 'Browser Settings'). It also means they're slow,
but if you want anonymity, you shouldn't quibble. But older versions of Internet Explorer and Netscape don't support
Socks. What to do? You can upgrade, but I prefer an older browser with fewer 'features', which I equate with fewer
security leaks (though these should be patched regularly, of course). Rather than upgrade, you can download an
application called SocksCap,
and use it to 'socksify' any IP client you use. It will work with browsers, e-mail clients, telnet, SSH, chat clients, even
your l4me e-mail bomber. Test it; socksify your e-mail client and send a message from one of your accounts to
another. Check the header. Is the originating IP your proxy? If so, your e-mail now appears to originate from the
proxy's IP. This can be extremely useful, as we'll see below.
Useful but not foolproof. Of course the proxy machine's admin can easily learn that you connected to it after
perusing his logs, so a proxy doesn't actually conceal you; it just adds a layer between you and whatever you're
contacting on the Net. This layer can be thick or thin, depending on where the proxy machine is physically located.
If your proxy is located in a country unlikely to cooperate with requests for their logs from foreign officials, or a
country where your mother tongue is rarely spoken, it can be, in practical terms if not theoretical terms, quite an
effective layer of protection.
It's easy to determine a proxy's country of origin with the $20.00 Patrick Project DNS utility, which will resolve IPs to
addresses and vice versa, and a good deal more to boot. You cheapskates out there can go to SamSpade.org and
do it all for free. Now you know how to determine your proxy's location. The more exotic the better: Korea is better
than Japan; Thailand is better than Korea; Indonesia is better than Thailand; Papua New Guinea is pure gold.
Kenya is better than Morocco; Ghana is better than Kenya; Guinea is better than Ghana; Burkina Faso is pure gold.
You get the picture. Now you need to test the proxy for anonymity. Some of them can leak appalling amounts of
information, like your true IP, for example. There are several environmental variables checkers on line which will tell
you just what information your proxy is leaking to the world, and a nice links page to a heap of them is located at
Proxys4all.com.
And what do env checkers tell you? The chief variables you need to know about are:
REMOTE_ADDR: Your apparent IP, which should be the proxy. If not, use another proxy.
REMOTE_HOST: Your apparent address, which should resolve to the proxy IP, or better yet not be resolvable at
all. If it resolves to you, use another proxy.
HTTP_X_FORWARDED_FOR: Sometimes your true IP is revealed -- get another proxy.
HTTP_USER_AGENT: Your browser type -- unimportant.
FORWARDED: Reveals the fact that you're using a proxy; not fatal, but better if blank.
VIA: Reveals the fact that you're using a proxy; not fatal, but better if blank.
CLIENT_IP: Sometimes your IP is revealed -- use another proxy.
HTTP_FROM: Sometimes your IP is revealed -- use another proxy.
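The checks in the list above, written as a small Python function (an added example, not part of the original article): it takes the variables an env checker reports plus your real IP and returns which of them give you away. The addresses and sample results are constructed, and scanning FORWARDED and VIA for the real IP as well goes slightly beyond the article's list.

```python
import ipaddress

# Variables the article says can carry your true IP ("use another proxy").
IP_LEAK_VARS = ("REMOTE_ADDR", "HTTP_X_FORWARDED_FOR", "CLIENT_IP", "HTTP_FROM")
# Variables that only show a proxy is in use ("not fatal, but better if blank").
PROXY_HINT_VARS = ("FORWARDED", "VIA")

def contains_ip(value, true_ip):
    """True if any token in a header value is the same address as true_ip."""
    target = ipaddress.ip_address(true_ip)
    for sep in ",;=":
        value = value.replace(sep, " ")
    for token in value.split():
        try:
            if ipaddress.ip_address(token.strip('"[]')) == target:
                return True
        except ValueError:
            continue  # not an IP literal (e.g. "1.0" or a host name in VIA)
    return False

def assess_proxy(env, true_ip, true_host=None):
    """Return (verdict, variables) for one env-checker result."""
    leaks = [v for v in IP_LEAK_VARS + PROXY_HINT_VARS
             if contains_ip(env.get(v, ""), true_ip)]
    # REMOTE_HOST should resolve to the proxy, or to nothing, never to you.
    if true_host and env.get("REMOTE_HOST", "").lower() == true_host.lower():
        leaks.append("REMOTE_HOST")
    if leaks:
        return "reject", leaks
    hints = [v for v in PROXY_HINT_VARS if env.get(v, "").strip()]
    return ("proxy-visible", hints) if hints else ("clean", [])

# Constructed sample results (documentation address ranges, not real hosts).
TRUE_IP = "198.51.100.23"
SAMPLES = {
    "leaky": {"REMOTE_ADDR": "203.0.113.7", "VIA": "1.0 cache1",
              "HTTP_X_FORWARDED_FOR": "198.51.100.23, 203.0.113.7"},
    "visible": {"REMOTE_ADDR": "203.0.113.7", "VIA": "1.0 cache1"},
    "clean": {"REMOTE_ADDR": "203.0.113.7", "HTTP_USER_AGENT": "Mozilla/4.0"},
    "direct": {"REMOTE_ADDR": "198.51.100.23"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, assess_proxy(env, TRUE_IP))
```

A "reject" verdict names the variables that exposed the real address; "proxy-visible" means only the fact of proxy use is showing.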
You can use a free application called ProxyHunter to scan ranges of IPs and find your own proxies. These you can evaluate,
determining location and anonymity according to the guidelines above. A scan such as this is non-invasive and
non-destructive, but it's still possible one may get a nastygram from one's ISP for performing them.
Socks proxies are located on port 1080, so you'll want to use that in most searches with ProxyHunter. HTTP
proxies on ports 80, 3128 and 8080 are useful, and can be loaded directly into your browser, but they're not quite
as secure. You can load a good Socks in your chat clients like IRC and ICQ; and with SocksCap you can run your
telnet and e-mail clients and browser through one as well.
For even more anonymous surfing, you can give yourself an added measure of security by connecting to a Web
proxy like Anonymizer through a Socks (or even a
decent HTTP proxy). Feel free to e-mail me if you can't figure all this stuff out, but please, I beg you, give it a fair go
on your own first. I'm a humble news reporter, not a help desk. When you find a Socks proxy with ProxyHunter, or
by perusing the many public Web sites where they're listed, and you get satisfactory results from the env check, and your proxy is
located on some God-forsaken corner of the Earth, then you've acquired a decent layer of protection.
Congratulations. But that's far from the whole shebang.
Anonymous dialups
Whenever you dial in to an Internet connection, your ISP can determine your phone number with caller ID. This
information is recorded, and can be turned over to nosy Feds on request with an administrative subpoena, which
doesn't require a judge's approval. If you've got a regular ISP account billed to a credit card, your ISP knows
perfectly well who and where you are, so concealing your phone number from them is hardly an obstacle to
associating you with your Net activity. In much of Europe, the telco is the ISP, so the possibility of making
anonymous dial-ups is remote. In that case, all I can suggest is trying to find a data-capable pay-as-you-go mobile
phone, and of course paying cash for it. If you're asked your name, lie. If you're asked for ID, leave.
However, there are free ISPs like NetZero on which you can register with totally fictitious personal information, and
to which you can connect with caller ID disabled. This isn't a solution in itself, but combined with the judicious use
of good proxies, it can add a second layer of anonymity to your comings and goings. It can make you a bit more
difficult to identify. These ISPs don't allow you much free surfing time, usually something like ten hours a month;
and they feed adverts to you and they're slow (made slower still by proxy use); but they can be a superb means of
connecting when you need to be even more anonymous than usual, such as when you make a controversial post
to a newsgroup or BBS, or send a sensitive e-mail.
Get your ducks in a row: first, go to an Internet cafe or a library. If they require identification, go elsewhere. When
you find a public place where you can surf anonymously, set up an account with NetZero using fictitious personal
information. Even better, go through a Web proxy while you're at it. Record your login, password, and a dialup
number convenient for your home location. Now go home, and disable caller ID (contact your phone company for
instructions), and dial in to your new fictitious account. And always dial in with caller ID disabled.
Finally, use an anonymous Socks proxy with your e-mail client for newsgroups, and a Socks along with a Web
proxy for BBS posts. Theoretically, you can still be traced because the phone company knows what you're up to;
but unless you're under active surveillance by the Feds, you can safely gamble that no one from NetZero is ever
going to peg you. You're getting very close to effective anonymity, and you still haven't gone beyond what our
friend Harry Homeowner can handle.
There are other things you can do with this caller-ID-off+Netzero+Socks+Web-proxy setup. You can, for example,
open a Web-based e-mail account with fictitious personal information and send and receive anonymously, so long
as you set up your NetZero account properly, and always connect to it with caller ID disabled, always use a Socks
with your browser, and/or always use a Web proxy. You've got ten hours a month. Spend them wisely, and you
can surf almost anywhere or post almost anything on line with no repercussions.
But what if your e-mail is intercepted by something hideous like the FBI's packet sniffer Carnivore? Unless you
stupidly identify yourself in your mail, you're almost certain not to be identified, but you still may not want the
contents read by anyone but the intended recipient. You don't have to be a criminal to desire privacy, much as the
Feds like to pretend otherwise.
Crypto
Now this is funny. If you use a nice, free crypto program like PGP, you can easily encrypt your e-mail. Just follow the instructions, there's really nothing to it. The problem here is that the Feds, if they happen to be watching, can gather that you sent an encrypted message to Recipient X, a fact which you may not wish them to know. If you follow the scheme above, you can send a message anonymously via a Web-based account. But unless I'm missing something, you can't use PGP to encrypt Web-based e-mail messages. So how do you have your cake and eat it too? It's quite simple: you create an encrypted text file and attach it to your Web-based anonymous e-mail, or copy it into the message body. Now all the Feds can determine is that Recipient X got an e-mail message with an encrypted body or an attachment from Monica_Lewinski666@hotmail.com or whatever.
Browser settings
Now go to Tools/Internet Options/Advanced and clear 'Enable Profile Assistant', select 'Do not save encrypted
pages to disk', clear 'Enable page hit counting', and select 'Empty Temporary Internet Files folder when browser is
closed'. That should about do it. While you're about it, pop over to Control Panel/Network and ensure that File and
Printer sharing are disabled.
Spyware
PC Hygiene
This is how I do it, and I do it frequently: I have two HDDs in my Windows box. When I get ready to wipe my primary, I've already done an fdisk and format /u and a thorough 'govt wipe' on the secondary using Norton Wipeinfo. I simply copy all the files and progies I wish to preserve onto that thoroughly-wiped secondary disk. I then switch the primary and secondary, and install Windows from original media onto the wiped disk, from which I'll boot. I install Norton Utilities, naturally. I then fdisk and format /u the former primary and do a thorough 'govt wipe' using Norton Wipeinfo.
To hell with proprietary encryption algorithms 8.27.01 Winn Schwartau Network World
I sat in the front seat of a Mustang convertible, next to the driver. In the back seat sat The Third Man, who was
demonstrating how easy it is to break into a wireless network using a laptop, Global
Positioning System, wireless LAN card and free downloadable software. We drove around Las Vegas the day
before DefCon and found an endless supply of wireless networks. How do you break in? Reboot your computer,
the wireless access point sees you, Dynamic Host Configuration Protocol assigns you an IP number, and you're a
remote wireless node on the net.
In only 2 cases did we find networks that use the Wired Equivalent Privacy (WEP) algorithm. WEP is fundamentally
useless because the 26-bit algorithm can be routinely cracked in less than 4 hours, again using downloadable
tools. Why anyone would use wireless nets is beyond me, esp. knowing that break & enter is as simple as
firing up Windows from a car or the nearest McDonald's.
It turns out that major mission-critical, enterprisewide software packages are just as vulnerable to crypto-"hacks."
Imagine if you found that your entire database was not really protected by "strong proprietary encryption
algorithms," as the vendor claimed; or that your payroll system's password security was similarly vulnerable
because the vendor figured it could out-design the best cryptographers in the world. I don't get it. As an industry, we have some pretty good cryptography out there. Whence comes the arrogance that applications vendors can do a better job than the best mathematicians and trained cryptographers the National Security Agency, Govt Communications HQ and academia can muster? We have the Data Encryption Standard (DES), which still provides a free & reasonably good, well-tested means of protection. Triple-DES, which is good enough for the banking community, is also free & thoroughly understood. The new Advanced Encryption Standard will take us a "guesstimated" 20 years forward,