About Defense Tech

Defense Tech examines the intersection of technology and defense from every angle and provides analysis on what’s ahead.

Tip Us Off

Tip for Defense Tech?


It’s Confidential!

Archive for October, 2006

The Fake Boarding Pass Saga

Tuesday, October 31st, 2006

boardingpass_veganstraight.jpgLast week Christopher Soghoian, a 24 year-old Ph.D. student in information security at Indiana University, whipped together a website that allowed anyone to create a fake Northwest Airlines boarding pass. He hoped to bring attention to a security hole that allows anyone, including someone on the No-Fly list, to enter the security line with a fake document. Instead he got another kind of attention.
For those unfamiliar with the story, it’s one I’ve been following in my blog and in a proper news story forWired News since Soghoian told me about his site Wednesday night.
Soghoian, a security researcher who has done work at Google, Apple and IBM, told me the site’s purpose was to demonstrate the futility of the No-Fly list:

I want Congress to see how stupid the TSA’s watch lists are. Now even the most technically incompetent user can click and generate a boarding pass. By doing this, I’m hoping [Congress] will see how silly the security rules are. I don’t want bad guys to board airplanes but I don’t think the system we have right now works and I think it is giving us a false sense of security.

Even without his generator, the No-Fly list can be avoided:

If you can purchase a ticket over the internet with a pre-paid debit card and can fly without I.D., then for domestic flights the No-Fly list doesn’t work.

On Friday, Congressman Ed Markey (D-Mass) called for the site to be shut down and arrested, and later that day, the FBI shuttered the site and met with Soghoian. Whatever he said must not have been convincing, since the FBI raided his house with a search warrant signed by a judge at 2 a.m. Saturday morning and seized his computers, though they didn’t arrest him. Markey then retracted his call for Soghoian’s arrest on Sunday and in fact, suggested the government hire him instead (though Markey called the site a ‘lousy way’ of publicizing the problem).
Since Sunday, the story has slowed considerably. Soghoian has lawyers now and isn’t talking to reporters, though is occasionally updating his blog.
Soghoian’s site exploited a well-known security hole, one first publicized by security expert Bruce Schneier in 2003, given the full-on Slate treatment in 2005, and, according to security blogger Adam Shostack, was explained to high-level Homeland Security officials in 2004.
That doesn’t mean all security researchers applaud Soghoian’s method. Indeed, Avi Rubin, who’s best known for his voting security work, told Xeni Jardin that his former teaching assistant should have shown this to the government privately.
So what’s the upshot? Will the government ban boarding passes ticketed at home? Will they prosecute Soghoian for building this site? Won’t other hackers put their own version online? Will this prompt reconsideration of the use of notoriously ineffective watch lists for domestic travel?
The short anwsers, in my opinion, are No, No, Maybe but not as many as you’d expect, Definitely Not.
The long answers are here at 27BStroke6, which despite Noah’s dig, is a great name for a blog. (ThinkBrazil).
– Ryan Singel
Photo: VeganStraightEdge

WaPo Digs for Bombs

Tuesday, October 31st, 2006

This Washington Post Magazine story, on “The Bomb Squad,” is one of the best reads you’ll get in the mainstream press on the reality of the counter-bomb fight in Iraq.
buffalo_dust.jpgThere’s only one, teeny-tiny problem with the piece: It’s not really about a “bomb squad,” or explosive ordnance disposal (EOD) unit, at all. Nobody is asked to defuse any bombs. Instead, the story centers around what appears to be a group of combat engineers — EOD’s blood rivals. These guys go combing roads for improvised explosives and, if they have any brains at all, call in EOD once the bombs are found.
In either case, the story is well worth checking out. Here’s a snippet:

And this is where the whole expedition turns … well, into a “Wizard of Oz” moment for me. Because as I peer through the haze of the Iraqi noon, the Buffalo’s claw ponderously raking the grass beside the road, I realize that the heart of the Pentagon’s program for defeating IEDs [improvised explosive devices] is: 1) buy some armored trucks with big windows; 2) send young soldiers out to drive up next to bombs; 3) investigate with a phone truck [which is what the author says the Buffalo reminds him of].
As Tate points out later: “I’ve seen tanks destroyed. I’ve seen Bradleys destroyed … There’s only so much armor can do.“
Fortunately, this particular wired rock turns out to be an irrigation pump. After another hour or so, I’m dropped off at a nearby patrol base.
Fifteen minutes later, Tate’s RG-31 nearly runs over an IED.
McGorvin — dubbed “the Jedi master” by his fellow soldiers for his ability to, as they put it, “detect ordnance” — tells me about it the next day as he fidgets on a torn couch behind the TOC. He explains that he sensed the bomb a mile before he reached it — noticing first the grinning face of a taxi driver who squatted down behind his cab to key a Motorola phone. A few minutes later as the convoy rumbled through a small town, McGorvin felt it again outside a cluster of mud wattle shacks, their yards suspiciously empty.
Then, all at once, his RG-31 passed a mound of dirt with a cone of rusty metal showing through its side. McGorvin’s gaze locked on a sliver of blue plastic tucked behind the mound. “I got something!” he yelled. “I don’t know what it is, but it’s got a cellphone on it!“
The RG-31’s armor wouldn’t protect McGorvin standing in his gunner’s nest, so, as radios barked and the convoy scattered, he tucked his thighs against his chest and squatted.
“McGorvin — good looking,” Tate shouted as their truck finally jolted to a stop outside the bomb’s blast radius.

Rapid Fire 10/31/06 — Updated

Tuesday, October 31st, 2006

* Military Officers: Set Deadlines

* Google in Cahoots with Spooks?

* No-Fly List Snags Another Congress Critter

* Kerry: Study Hard Or End Up in Iraq

* Milbloggers Strive to Get Voice-Activated Laptops for Amputees

* General: Military Must Be Open To Press

* X-48B Ship 2 Blended Wing-Body pr0n

* Homeland Security: What Would Dems Do?

* The Italian Connection: Weldon, Daughter, Friend, Marine One, Earmarks

* Anti-IED Buffalos Charging to Iraq

* Police Stun-Gun Kills Bible-Toting Teen

(Big ups: RC, Xeni)
– Ryan Singel

Operation Vigilant Correction

Tuesday, October 31st, 2006

The Pentagon’s public affairs office admitted to reporters today that it had created the equivalent of a rapid reaction force to strike back at media coverage it considers inaccurate and to harness new technologies like “instant messaging” and “podcasting.“
The Pentagon has been punching back at reporters and columnists recently with letters to the editor which have gotten prominent treatment in Early Bird, a daily clipping service intended to keep the military and contractors intended to keep them abreast of military news.
The first item in Monday’s edition was an unpublished letter to the Washington Post, which read:

To the Editor:
Your article and the accompanying headline (“Rumsfeld Tells Iraq Critics to ‘Back Off,’” October 26, 2006) said incorrectly that the Secretarys comments in his Thursday press conference were aimed at “detractors” and “critics.” In fact, the Secretary was referring specifically to journalists seeking to create a perception of major divisions between the positions of the U.S. and Iraqi governments. Secretary Rumsfeld was not referring to critics of the administration’s Iraq policy.
Dorrance Smith, Assistant Secretary of Defense for Public Affairs

Riiiight. Well, glad that got cleared up. As Sharon Weinberger pointed out last week, this emphasis is becoming a trend.
From Agence France-Presse:

Eric Ruff, the Pentagon press secretary, insisted that the new public affairs program was not prompted by either the elections or polls showing that only about 37 percent believe the war is going well.
“What were looking at doing is, ‘How can we get better, how can we get faster, how can we transform public affairs?’,” he told reporters.
“And we’re looking at being quicker to respond to breaking news. Being quicker to respond, frankly, to inaccurate statements,” he said.
“And we’re looking at this whole issue of new media — podcasting, and IM-ing and all those kinds of things, where people are basically running circles inside us,” he said.
Ruff disclosed the expanded operations after questions were raised about a wall being built in the Pentagon press operations center that will separate the new unit from Pentagon public affairs officials who deal with the media.

Hunh, and this has nothing to do with low poll numbers at all? Sorry, Ruff’s denials don’t pass the smell test.
Combine the news of this new nitpicking operation with the Pentagon’s crackdown on milbloggers and its continued heavy-handed treatment of reporters embedded in Iraq, a death toll of 101 American soldiers so far this month, deteriorating relations with the Iraqi government, and a CNN poll registering domestic support for the war at 34%, and you have a stew with the rather unpleasant odor of desperation. Is this really what Rummy wanted when he begged public affairs to “adapt to today’s media age?“
I expect my first missive from the Delta Force-esque PR flacks will be in my inbox pronto.
– Ryan Singel

60 Minutes Covers the “Golden Hour”

Monday, October 30th, 2006

chopper60minutes.jpgIt’s no secret that the military’s trauma units have saved the lives of thousands of injured service members and Iraqi civilians whose wounds would likely have killed them in earlier conflicts.
But last night, 60 Minutes ran a powerful 13 minute piece on the doctors, nurses and medics who operate in theater and on the field helicopters. The Hueys UH-60 Blackhawks are stationed around Iraq so that no casualty is more than 25 minutes from a helicopter, helping to ensure that injured soldiers are treated in a hospital within 60 minutes, known as the “Golden Hour.“
The piece focuses on two American soliders, Kenny Lyon and Brad Fulks. Lyon was hit by a mortar while fixing his vehicle, and lost half his blood through three severed arteries before arriving the Air Force theater hospital on the Balad Air Base north of Baghdad.
Fulks was hit by a roadside bomb, which burned the skin over half his body and destroyed one of his lungs.
The Balad Air Base trauma center sees 300 trauma cases a month, but sends many via C-17s transformed into airborne medical centers to Germany. In the Vietnam war, it took an average of 40 days to get wounded soldiers back to the States; in the Iraq war, it now averages three days.
You can read a transcript of the piece here, but I highly recommend watching the video, even if you already know the extraordinary efforts of the military’s trauma teams.
– Ryan Singel

Citizen’s Guide to Getting the Goods

Monday, October 30th, 2006

The Freedom of Information Act isn’t just for journalists or activist groups — citizens (with and without blogs) can also petition the federal government to turn over documents. While it’s rather simple to file a request, it’s a bit more complicated to file one that actually gets you information.
The Electronic Frontier Foundation, which hired two of the best FOIA filers in the country this summer, just updated its legal guide for bloggers with a FOIA primer.

How do I know what to ask for?

News articles, government reports, press releases, and Congressional hearings are good starting points for thinking up FOIA request ideas.

How do I make a FOIA request?

You can make a FOIA request by mailing or faxing a letter to the agency. You may also be able to submit your request by email. Check the agency’s web site for information about how and where to send requests.

Are there any step-by-step guides for writing and submitting FOIA requests?

Yes. Reporters Committee for Freedom of the Press has published a guide called How To Use the Federal FOI Act, and also has a FOI Letter Generator. The National Security Archive also has helpful guidance for FOIA requesters.

It’s a bit simplified since government agencies vary widely in their attitude towards requests. The best advice is to make your request very narrow. Ask for a report by name (for instance, ask for the Pentagon’s Inspector General’s report on the Iraqi National Congress), instead of asking for all agency records about Chalabi and the INC. (BTW, there’s a good possibility that report exists and hasn’t been published).
Another fun place to start would be to follow on Michael Ravnitzky’s FOIA work, which unearthed the indexes to four internal NSA publications, whose articles have tantalizing titles like “Was a Cryptologic Corporal.” All you have to do is look through the indexes, find a title or two that interests you and ask for it. You just might get it.
Another place to get inspired is Russ Kick’s The Memory Hole, a collection of documents he’s built with FOIA requests he’s filed after reading news articles. For instance, he’s the one who got official pictures of the coffins of soldiers killed in Iraq when they landed at Dover Air Force base, after the photography ban was debated in the news.
You could be charged a small amount, but generally if it’s going to be more than $25 dollars or so in fees, the agency will let you know.
And if an agency stonewalls you or ignores you, well, you can either sue yourself (not a good idea and even if you win, you don’t get attorney’s fees) or ask a group like EPIC or the First Amendment Center or a public interest law clinic to help.
Think of it like a letter to the editor or your congress critter, it’s something every citizen should try at least once.
On an unrelated note, I’m pretty honored that Noah handed me the keys and I’ll likely be focusing mostly on anti-terrorism and government database stuff since that’s my normal beat.
But keep the tips and comments coming and together we’ll keep DefenseTech humming while Noah racks up speeding tickets in 10 different states.
– Ryan Singel

Rapid Fire 10/30/06

Monday, October 30th, 2006

* Airborne Anti-Missile Laser Actually a “Light Saber“
* From Barbary War II to Iraq War in 90 sec Flash
* Gov puts RFID in IDs, Despite Damning Report (shameless self-promotion)
* Letter From Iraq Goes Viral
* U.S.-provided Weapons Untraceable in Iraq
* Blair Outsourcing Iraq War?
* Ahmadinejad to Sanctions: Bring It On
* Pakistani Gunships Attack Radical Madrasa, Kill 80

– Ryan Singel
(Big ups: RC, Michael Wilde)

Singel Signs In

Monday, October 30th, 2006

Ryan Singel has broken some of the biggest privacy and security stories of the last few years — like AT&T’s cheek-to-cheek cooperation with the NSA’s domestic spying, and Jet Blue’s fishy use of customer records, to test a federal passenger-screening database. These days, he heads up Wired News’ horribly-named, must-read security blog, 27B Stroke 6. And he’s still scooping folks on the regular; check out his coverage of the roll-your-own boarding pass generator.
So I am really fired up to have someone with this strong a track record blogging for Defense Tech. He’ll be taking over the site this week, as I pack up for — and drive out to — Los Angeles, where I’ll be spending the next few months.
Be good to my whiskey buddy Ryan. Send him tips. I’ll see y’all on the other side.

Milblogger Clamp Down Blows Up (Updated)

Monday, October 30th, 2006

TOC.JPGFor the last couple of weeks, Defense Tech has been looking into the increasingly hostile atmosphere that soldier– journalists — milbloggers — have been facing. Now, a bunch of bigger outlets have picked up on the story — and advanced it several steps.
Stars & Stripes:

The [Army’s] August order [about blogs] specifically states that soldiers may not create or update their blogs during duty hours, and the sites must not ‘contain information on military activities that is not available to the general public.‘
That includes ‘comments on daily military activities and operations, unit morale, results of operations, status of equipment, and other information that may be beneficial to adversaries.‘
If soldiers are found violating those rules, both the servicemembers and their commanding officers are notified… leadership can decide what punishment, if any, the soldiers should face…
Noah Shachtman, editor of defensetech​.org, said… “The fact that soldiers want to write about their experiences is something that should be embraced by the Army… Theyre not looking to bad-mouth the military. Theyre looking to talk proudly about their experiences.”


“We are not a law enforcement or intelligence agency. Nor are we political correctness enforcers,” Lt. Col. Stephen Warnock, [head of the Virginia National Guard “Big Brother” website-monitoring unit] said. “We are simply trying to identify harmful Internet content and make the authors aware of the possible misuse of the information by groups who may want to damage United States interests.“
Some bloggers say the guidelines are too ambiguous — a sentiment that has led others to pre-emptively shut down or alter their blogs.
“It’s impossible to determine when something crosses the line from not a violation to a violation. It’s like trying to define what pornography is or bad taste in music,” said Spc. Jason Hartley, 32, who says he was demoted from sergeant and fined for reposting a blog he created while deployed to Iraq with the New York Army National Guard.
According to Hartley, the Army had forced him to stop the blog even before the oversight operation existed, citing pictures he had posted of Iraqi detainees and discussions of how he loaded a weapon and the route his unit took to get to Iraq.

Wired News’ Xeni Jardin (who has the best story of the lot):

Blackfive’s [Matt] Burden says soldiers are receiving mixed messages: some receive approval from their immediate commanders, only later to be rebuked by more senior officials. Burden says his site and another milblog, Armor Geddon, were once featured in an internal Army PowerPoint presentation which described both as serious operational security risks.
“That kind of message from the administration of the Army sends a chilling signal to a young soldier who was told by his commander that it was okay to do what he was doing,” Burden told Wired News.
He and fellow milbloggers gathered this year in April for a first ever MilBlog Conference in Washington, DC. They plan to reconvene in May, 2007. Debate over how to address authorities’ OPSEC concerns without creating a “chilling effect” among bloggers was a heated topic at the 2006 gathering.
“My advice would be to bring together active duty, reserve and veteran bloggers to take a look at this issue in a way that would help the military,” Burden says, “There’s a lot of positive information coming from these 1,200 or so military blogs, and if it’s not positive, it’s giving people a better understanding of what it’s like to be a soldier or the family of a soldier fighting this war.“
Active duty milblogger John Noonan co-edits OPFOR (military slang for “opposing force”) and posts on such topics as “foreign policy, wargaming, grand strategy and hippy bashing.“
Noonan is among those who believe the current flap is partly the result of a generation gap between younger, tech-savvy recruits for whom life online is second nature and older, more senior military officials who don’t get the net and are accustomed to the military’s long-established history of carefully monitoring release of information from the battlefield.
“They don’t want to lose the traditional control they’ve had over information released from the battlefield to the American people,” Noonan said. “It’s counterintuitive for military guys who are used to total control over what information is released and what isn’t, to all of a sudden having zero control.”

Xeni also filed a story for NPR’s Day to Day, which should air this afternoon.
UPDATE 3:01 PM: The NPR segment is up now.
UPDATE 10/31/06 4:20 PM: ABC News weighs in here, with some pretty bruising commentary from Blackfive. Note to self: Do not piss this guy off.

Iraqi Forces Don’t Suck … Entirely

Saturday, October 28th, 2006

Despite what you might have heard from other media, the Iraqi Army does not suck. In fact, by regional standards, it’s a fine little army: well-armed, well-led and capable of defeating terrorists and insurgents in a stand-up fight. It wasn’t always that way, but the coalition’s clean-sheet approach and years of hard work by training teams has really paid off.
iraqi army.jpgBut the Iraqi Army has two major weaknesses. First, its units are locally recruited, like the U.S. National Guard. This combined with Iraqis’ overriding allegiance to tribe over nation means that most of them refuse to deploy when ordered to do so by Baghdad. Those units that have agreed to deploy, such as the highly disciplined Kurdish battalon sent to the Shiite town of Balad early this year, have been besieged in their forward operation bases by xenophobic locals.
But even if they were willing to deploy, most units are incapable of sustaining themselves far from their major bases for very long. This is the second major weakness. I go into detail in a new National Defense feature:

The [Iraqi] 10th Division is capable of planning and executing its own missions, but usually operates alongside British forces. The division, a light infantry formation, has four brigades each with two line battalions of 800 troops apiece, plus engineer and bomb disposal companies. Small divisional attachments including signals troops and military police are just now standing up with foreign assistance. There are currently no organic logistics troops.
This is consistent with the overall structure of the Iraqi Army. No more than 15 percent of Iraqs 120,000 soldiers are involved in logistics, U.S. Army Maj. Gen. Gerald Ostlund told the Associated Press. By contrast, Western armies feature more logisticians than combat troops.
“What you see is what you get,” [British Army Lt. Col. Tim] Barrett says, referring to the 10th Division’s infantry-heavy structure. While the battalions are adequately equipped with light arms and machine guns, there is a “desperate need” for vehicles, Lateef says. Currently, a handful of Russian-built medium trucks comprise the divisions major motor assets.
A dearth of vehicles plus a broader lack of logistical support means the 10th Division is incapable of sustaining operations away from its bases for more than a few hours, according to Barrett. This effectively limits it to urban operations in Basra and short sorties from a handful of rural installations.

What all this means is that the Iraqi Army will, for the time being, remain a local defense force. A good local defense force, mind you, but local nonetheless. So when Baghdad goes to shit, as it did a couple months back, the national government has few options for boosting the number of troops in the city. All it can do is try to recruit more troops locally … and call for U.S. and British help.
David Axe