Archive for August, 2007

Black Hat/Defcon reports

Posted by wendyg in cracking stuff at August 19th, 2007

Meant, ages ago, to put up links to these. Some interesting work that actually deserves more detail, but… For me, the best presentations of both events were:

- the guys that hacked the RDS-TMC feeds to car GPS systems, showing these systems can be used to reroute traffic at will

- the building access control hack by Zac Franken, which showed that no matter how fancy your new biometric system is, if it relies on an aging clear-text protocol it’s no more secure than the old one

- the car hacking that makes it possible to falsify emissions reports

All seem to me to revolve around the same Blindside issue: how to ensure that the output of a computer system can be trusted. In a physical system, you have to trust the inspector. There are many more failure points in a computer system.

The links:
Black Hat day 1

Black Hat day 2

Defcon day 1

Defcon days 2-3

wg

Hype, or “Everything old is new again”

Posted by wendyg in Uncategorized at August 19th, 2007

They opened the State of Play V conference last night (on virtual worlds) with the rough cut of a new documentary about Second Life called Ideal World, produced and directed by Glen Thomas. It was pretty interesting as a primer on virtual worlds and what might be possible with them, told as a story about a couple who were early adopters and now finance their lives on a remote farm in Georgia with their SL earnings.

The one thing the movie really lacks is any skepticism about all this; it’s so relentlessly upbeat it could have been produced by Linden Labs’ PR department. Much of what’s going on in virtual worlds isn’t really *new* - many of the same issues and opportunities were talked about in the early days of the Internet itself, but also in previous virtual worlds (Worlds Away, The Palace, CompuServe…). I don’t find the let’s-trash-anything-popular school of journalism at all interesting, but I do think that presuming that anyone and everyone can benefit from having the fantasy world of their dreams is well…a bit fatuous. Quite apart from whether everyone can afford sufficiently high-powered technology, the big issue is TIME. A single mother with more jobs than children would probably absolutely love to have a fantasy life in which she hung out with adult friends, drove cool cars, wore fashionable clothes, and behaved irresponsibly - but exactly when is she supposed to be able to do this? And will her online friends help with child care?

The one downside issue the movie touches on is network lag, which is, genuinely, the bane of every SLer’s second existence. With businesses interested in SL as a platform, it’s a problem that Linden Labs has a lot of motivation to solve, but I’m not sure it *can* be solved unless someone comes up with a P2P way of spreading the load; AIUI Linden’s design relies on central servers, and I think there’s a built-in limit there in terms of what one company can provide.

If there’s a Blindside issue there, I guess it’s scalability: over and over again in the history of the Net we’ve seen that things that work fabulously well when they’re small and their membership is restricted and/or homogeneous (Usenet, email, blog communities, CompuServe forums) do not scale to large numbers. Usually spam and other forms of network abuse are the problem.

wg

Robots for civvy street

Posted by William Heath in Cyberwar, Radically different stuff, unexpected consequences at August 18th, 2007

Robots developed for war look set to move over to civilian police duties soon. We’d better get the rules of engagement straight, fast. From Wired

Armed robots — similar to the ones now on patrol in Iraq — are being marketed to domestic police forces, according to the machines’ manufacturer and law enforcement officers. None of the gun-toting ‘bots appear to have been deployed domestically, yet. Both cops and company officials say it’s only a matter of time, however.

“Other than some R&D with the shotgun mount, we haven’t used it operationally,” Massachusetts State Police Trooper Mike Rogowski tells DANGER ROOM. “But they’re on the way. They’re coming,”

Foster-Miller, maker of the armed SWORDS robot for military use, is also actively promoting a similar model to domestic, civilian police forces. The Talon SWAT/MP is a “robot specifically equipped for scenarios frequently encountered by police SWAT [special weapon and tactics] units and MPs [military police],” a company fact sheet announces. It “can be configured with the following equipment:

• Multi-shot TASER electronic control device with laser-dot aiming.
• Loudspeaker and audio receiver for negotiations.
• Night vision and thermal cameras.
• Choice of weapons for lethal or less-than-lethal responses
- 40 mm grenade launcher - 2 rounds
- 12-gage shotgun - 5 rounds
- FN303 less-lethal launcher - 15 rounds.

See also this from Wired: the “surge” plus increasing military shortfall means war-robot procurement is being fast-tracked. I suspect anyone who thinks killing machines can win hearts and minds is going to be seriously blindsided. No doubt the technology is fantastic. We need to get our heads around the design and social aspects of this fast.

Information and Defence

Posted by Tom Fuller in Blindside project, Cyberwar, security services at August 17th, 2007

I have in my hot sweaty hands the newsletter from NATO’s Research and Technology Organisation. I’ll bullet the key points here and perhaps explore them in more detail later.

Another acronym I’ll have to remember: HPM (High Powered Microwave). “Studies indicate that while High Power Microwave (HPM) sources are becoming more powerful, electronic equipment is becoming more susceptible to HPM attacks. With HPM research being conducted worldwide; there is an increasing threat to NATO military equipment and critical infrastructure. Damaging terrorist attacks by low-cost, low-tech devices could disrupt or destroy the electronic circuitry of key nodes in an IT network, with potentially catastrophic effects.”

Sensors & Electronics Technology
The SET Panel has undertaken a leading role in topics on CBRNE Detection, IED, Prediction Navigation and CID Technologies. In particular, during the SET-117 Specialist Meeting on “Prediction and Detection of Improvised Explosive Devices (IED)” (May 2007), 25 Papers on prediction of IED intent as well as detection of the devices from a safe distance and in real-time showed how the RTO is able to assist the NATO Warfighter to reach these high payoff challenges. Ten new long term activities on Advanced Radar Systems, Navigation, EW Systems, Nanomaterials, THz Technology and Power System Optimization are currently planned for 2008. In particular, the SET-123 Task Group on Nanotechnologies shows promise for improving efficiencies and/or adding functionality to future electronic and sensor systems, and SET-124 on THz radiation has tremendous DAT potential.

The NATO Modelling and Simulation Group
In June the NMSG held MSG-059: 5th Workshop on “Exploiting Commercial Games Technology” in Brisbane, Australia. The event was hosted by the Australian Defence Simulation Organisation (ADSO) and was held in conjunction with SimTecT 2007 where the NMSG/RTO was represented by the MSCO presenting a paper and exhibition. There was considerable interest in the RTO and NMSG activities from conference delegates and, the following week, we again saw the continuing and increasing demand for information exchange, technical developments and acquisition models in the gaming world. Many challenges remain to fully exploit this technology that is rapidly having a significant impact in all areas of defence training, education, decision support, predeployment and mission rehearsal.

I Am At A Loss For Words

From Computer Weekly,

“Kent Police are pursuing a number of leads following a burglary at Sevenoaks-based Forensic Telecommunications Services (FTS) in which a server containing data on suspicious telephone calls over the past two years was stolen.

A police spokeswoman said, “The computer equipment contained evidence relating to telephone use linked to around 250 cases from police forces and law enforcement agencies across the UK, covering the last two years.”

She declined to say whether the data was encrypted.

…A spokesman for FTS declined to provide any details beyond a prepared statement.

However, a Mail on Sunday report said the cases were related to counter-terrorism investigations.”

Would Asimov Approve?

Posted by Tom Fuller in Blindside project, Cyberwar, Uncategorized, human error, security services at August 15th, 2007

If it weren’t so important I would file this under some category like Toys for Boys, but when Chris (who sits across from me at Kable) tossed me his copy of Jane’s Defence Weekly, it fell open to a page with two stories, headlined ‘US Army Ground Robots See Exponential Growth’ and ‘SWORDS Armed Robots Join Combat Team in Iraq.’ I think this technology has emerged…

Highlights of the articles:

The U.S. Army has more than 5,000 unmanned ground vehicles operating in Iraq and Afghanistan (up from 163 in 2004)

The Special Weapons Observation Remote reconnaissance Direct action System (SWORDS), an armed robotic system, is currently deployed with the 3rd Brigade Combat Team, 3rd Infantry Division in Iraq.

Sadly, the operating constraint so familiar to all of us is the low battery life–four hours.

For UAVs (Unmanned Aerial Vehicles), flight time has gone up from 100 hours per day (for the fleet) in 2005 to 500 hours per day in 2007.

The principal operating constraint for UAVs is their bandwidth requirements. “One Global Hawk UAV consumes about 500 Mbits/s of satellite-provided bandwidth, more than five times the total bandwidth consumed by the entire US military during Operation ‘Desert Storm.’ ” Now you know why the US DoD bankrolled the Internet in the first place…

500 Mbits/s? What information is that? Live video of the cockpit view, thermal imaging, what else? And who’s evaluating this? What decisions do you make from this? Perhaps more importantly, why are deaths by friendly fire still so prevalent?

Jane’s Defence Weekly, 15 August 2007

What’s In the National Archive?

Posted by Tom Fuller in Blindside project, Uncategorized, standards, unexpected consequences at August 15th, 2007

Okay, stay with me here. Lotta concern about open documents–being able to get content out of old formats no longer supported by vendors. Lotta concern about legacy applications and hardware–some of it mission critical. How are you going to get info off your floppy disk in five years?

The National Archives could have a digital division dedicated to supporting both issues, right? Their website has a section already about electronic records management, saying “The National Archives is looking to improve its processes and procedures with regard to appraisal, selection, transfer, storage, sustainability and delivery. It has instigated a programme of work under the Seamless Flow banner to bring increased automation to these areas.”

Would this be a viable solution to a pressing problem? It’d be nice to be talking about solutions instead of problems for a change.

Computer glitch at LAX strands 20,000 pax

Posted by wendyg in IT failures, databases, e-ID, security services at August 14th, 2007

This story received a lot of coverage; the Boston Herald has a representative version. In brief: the immigration service computers crashed in the early afternoon so that incoming international passengers could not be processed - or at least, couldn’t be matched against the computerised lists of people with outstanding warrants for their arrest, known criminals and terrorists, and all those other weary, unwanted huddled masses. “You can’t just tell by looking at them,” says an immigration official quoted in the story. Yet, for many years until fairly recently that’s precisely how entry decisions were made.

There are a couple of big things here:
- a major airport’s complete inability to handle a computer crash (by all accounts, thousands of people spent 10-12 hours sitting on planes on runways waiting to be able to disembark, although as they had access to food, water, and bathrooms they may in fact have been better off than the unfortunates stuck in the crowded terminal). No back-up, no alternative.

- the cure may be worse than the disease. Some reports say that they are now considering issuing immigration personnel with laptops they can work with offline to process people if the system goes down. With, presumably, all the synchronization and other security issues involved in deploying thousands of laptops.

- the computer glitch arguably caused greater disruption than some terrorist threats.

- immigration officials are now taught to rely on the computer system and do not learn whatever skills their predecessors had. (I note however that tests at the time suggested that immigration officials were not particularly good at picking out the undesirables - or at least, no better than the college student control group ISTR they were tested against.)

- on the other hand, in the interests of controlling climate change, making flying as miserable an experience as possible might just be a very good strategy.

wg

Network neutrality and the BBC

Posted by wendyg in Uncategorized at August 14th, 2007

There’s an interesting discussion going on at Slashdot about this story in the Independent that large ISPs such as Tiscali, BT, and Carphone Warehouse want the BBC to pay up or face traffic shaping to limit the amount of bandwidth consumed by people using the iPlayer to stream video. Of course, network neutrality has already been a big issue in the US, but the issue there has been different for several reasons: 1) instead of one target there are many (Google, AOL, MSN); 2) some of those most in favour of being allowed to create priority traffic and additional charges are aiming to hurt competitors (for telcos, VOIP providers; for Comcast (cable operator supplying both Internet access and TV), other providers of streaming video). In this country, for the moment, we’re looking at a single large target that is not in competition with ISPs.

However, the essential argument remains the same: all users, including the BBC, are already paying for bandwidth. Aren’t we being asked to pay twice? I’m sure ISPs would love to have done this before wrt bandwidth-sapping stuff such as P2P and VOIP (and it seems as though at least some ability to differentiate among services will be built into BT’s 21CN), but there wasn’t a single large target they could shape or bill. My impression from ISPs of my acquaintance is also that much of the industry is in fact built on uneconomic, wafer-thin margins; but whose fault is that? We’ve seen over and over again that “unlimited usage” is not in fact unlimited.

But the bigger issue than money is control. This piece was about coffee machines, but it was a great illustration of network non-neutrality in action (unfortunately, the subs cut the line I originally had in it that “This is a matter of network neutrality” - damn it, because it was the best line I’ve written all year).

I think people will always protest change, no matter what it is, especially if it’s going to cost them money. (Though they often forget afterwards- who remembers now the giant protests when domain names stopped being free?). But network neutrality has done very well as a way of inspiring experimentation and development. The House of Lords report on personal Internet security (which deserves its own post) seems willing to dent network neutrality just a bit if it means greater safety. (Cue Benjamin Franklin.)

wg

Is the UK Ready for an Identity Card Programme?

Posted by Tom Fuller in AnonymitY, Blindside project, Data breaches, databases, e-ID at August 14th, 2007

Well, they’ve published the tender for The Identity and Passport Service to set up a framework of suppliers to develop the National Identity Card Programme.

Preface: We at Blindside are independent researchers and writers. We don’t speak for HM Government, or for any department therein. We’ve been asked to help government where we can by independently identifying areas where government can be blindsided by technology. Please assimilate that before continuing.

I cannot in all honesty say I believe that the UK Government is ready to begin this work. I do not believe they will invite the right people to the party, nor will they write the correct tender specifications, nor will they police the conversations of those they do (and do not) invite into the framework. As shown below, I don’t believe UK Government has widely published or absorbed internally commonly accepted best practice in the set-up and administration of information gathering and dissemination. This is not about philosophy. It is about basic hygiene.

See here. “Millions of homeowners are being left wide open to identity theft because their personal details are being made available on a Government website, campaigners warned yesterday. Details of their mortgage lender, mortgage value and even a copy of their signature can be found on the Land Registry site for just £3.”

See here. Key quote: “As a result, as Channel 4 revealed earlier this evening, all the details of final year medical students applying for hospital jobs were accessible by the general public. We are not just talking names and address. We are talking everything.”

And then see here. Again, key quote: “Given that Sanjib did the right thing, a year ago, and reported the problem to VFS as well as the British High Commission, why am I bothering to write about it now?

Mainly, it has to be said, because after a year that security hole was gaping as wide open as ever. Although I will refrain from posting precise details here, yesterday afternoon I was able to manipulate the data URL simply by changing what appears to be the date on which the application was made along with a sequence number. Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago and I have the screenshots to prove it.”

But there’s more:

“Well after a year of being told about the thing privately and ignoring it the FCO and its outsourcers did, sort of, fix the issue by closing the website and an independent inquiry was launched. The investigator’s report has now been produced and no punches are pulled. Here are some of the relevant paragraphs:

108. UKvisas recently obtained an expert assessment of the basic data security provided by the VFS online website. The findings were that the site had many security weaknesses, and that many of these weaknesses were amongst the most understood and documented security concerns in the computing industry. The expert view was that none should be present within a securely designed website.

109. I note that during the technical investigations, several screenshots provided by VFS highlighted wider security concerns. These screenshots of the management console used to access and configure the firewalls also showed users actively engaged in Skype conversations and logged onto webmail packages. These entities are considered to have poor security when used in isolation. Using them whilst accessing security device management consoles shows that standard acceptable usage policies are either not in place or not followed.”

I cannot in all honesty say I believe that the UK Government is ready to commission a framework agreement to begin work on the National Identity Programme.
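
The visa-site weakness quoted above comes down to a record reference in the URL (a date plus a sequence number) that the server honours without checking who is asking. As an added illustration, not code from this post or from the site it discusses, the Python below puts that unchecked lookup beside a hardened one; the `Store` class, its method names and the sample records are hypothetical and constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Application:
    ref: str      # reference that appears in the URL
    owner: str    # account that submitted the application
    details: str


class Store:
    """Hypothetical in-memory stand-in for the application database."""

    def __init__(self):
        self._by_ref = {}
        self._seq = {}

    def add_sequential(self, owner, date, details):
        # "Before" scheme: date + per-day counter, so neighbours are guessable.
        n = self._seq[date] = self._seq.get(date, 0) + 1
        ref = f"{date}-{n:04d}"
        self._by_ref[ref] = Application(ref, owner, details)
        return ref

    def add_random(self, owner, details):
        # Hardened scheme: 128 random bits, not enumerable.
        ref = secrets.token_urlsafe(16)
        self._by_ref[ref] = Application(ref, owner, details)
        return ref

    def fetch_unchecked(self, ref):
        # "Before" handler: trusts the reference in the URL alone.
        app = self._by_ref.get(ref)
        return app.details if app else None

    def fetch_checked(self, ref, session_user):
        # Hardened handler: the record must exist AND belong to the caller.
        # Unknown and foreign references get the same answer, so a response
        # never confirms which references exist.
        app = self._by_ref.get(ref)
        if app is None or app.owner != session_user:
            return None
        return app.details


def demo():
    store = Store()
    # Constructed sample records.
    a = store.add_sequential("alice", "20070514", "alice's application")
    store.add_sequential("bob", "20070514", "bob's application")
    neighbour = a[:-4] + f"{int(a[-4:]) + 1:04d}"   # same date, next counter
    r = store.add_random("alice", "alice's second application")
    return {
        "unchecked_neighbour": store.fetch_unchecked(neighbour),
        "checked_neighbour": store.fetch_checked(neighbour, "alice"),
        "checked_own": store.fetch_checked(a, "alice"),
        "checked_random_other_user": store.fetch_checked(r, "bob"),
        "random_ref_length": len(r),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The ownership check is the fix; the random reference only removes the ability to enumerate and is not a substitute for it.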