
Pentagon Now Sees Big Data as 'National Security Threat' - boh
http://killerapps.foreignpolicy.com/posts/2013/08/12/irony_alert_pentagon_now_fears_a_big_data_national_security_threat
======
cinquemb
" _The doomsday thinkers over at DARPA are looking for researchers to
"investigate the national security threat posed by public data available
either for purchase or through open sources." The question is, could a
determined data miner use only publicly available information -- culled from
Web pages and social media or from a consumer data broker -- to cause "nation-
state type effects." Forget identity theft. DARPA appears to be talking about
outing undercover intelligence officers; revealing military war plans; giving
hackers a playbook for taking down a bank; or creating maps of sensitive
government facilities._

I'll save them some time and say it's possible, and if they are just inquiring
into this, they are already behind the game… Using Wikipedia, one can get a
list of most of the oil refineries in the United States (for the world for that
matter), and from some API queries using either popular or open-source
map/geocoding services, obtain GPS coordinates within 100's of feet of those
locations, within a matter of seconds.

If you scrape Cryptome/other places every so often of the lists uncovered
(often with contact info[numbers|emails|names|addresses]) of people, map them
against other lists to find connections (this takes a matter of seconds as
well), it is not unheard of that one could automate emails/calls/send mail to
people to uncover attack surfaces to exploit.

And even until more recently, one could access all public posts on Facebook
via [https://graph.facebook.com/search](https://graph.facebook.com/search)
without authentication, and with some well crafted queries, one was able to
get specific information about people that one wouldn't think would be
possible to obtain.

The list goes on.

------
w_t_payne
Here is the source document outlining the scope of the study:

[http://www.zyn.com/sbir/sbres/sbir/dod/darpa/darpasb133-002....](http://www.zyn.com/sbir/sbres/sbir/dod/darpa/darpasb133-002.htm)

They are right to be worried about the attack surface presented by the mobile
& display ad ecosystem.

The key to any attack, of course, is de-anonymizing the data, in the sense of
being able to identify corresponding entities across disparate sources of
data. This is the technical challenge that a large chunk of the ad-tech
industry has been working on.

This is difficult to do reliably --- but the reliability (or otherwise) of a
particular technique may be moot if you have a population of several thousands
of individuals that you can target -- sooner or later somebody will carry out
the actions that your attack assumes, and you will be able to make the
connections that you need. The attacker needs only think of the problem in
terms of "matched filters" to make headway -- just discard anything that does
not match.

Of course, characterising the target is only part of the story -- exploiting
the information advantage comes next.

Funnily enough, the proliferation of open communications channels also offers
a potential attack vector - the use of individually crafted messages and
disinformation to direct attention and manipulate behaviour of the target --
similar in concept to the social engineering techniques that are used in spear
phishing attacks.

~~~
BWStearns
If your goal was to cause mayhem/reveal war plans/take down a bank, wouldn't
just hacking it be easier than advertising an AQ Data Scientist job posting?
This attack vector is the obfuscated C contest of skullduggery.

~~~
w_t_payne
Yeah, perhaps I am overthinking it. Mind you -- the study is purposefully
looking for vulnerabilities that arise from open source data, so my brain did
not head off in that direction entirely of its own accord.

~~~
BWStearns
Oh of course. It should be investigated (if only to see what crazy red team
shit one could come up with). I may be wrong, there may be a brilliant Rube
Goldberg of big data terror hammering out some kickass Python number that will
rain misinformation and chaos down on the world. This would in fact be a
better Bond villain than the Quantum of Solace bad guy. However given the way
the Pentagon overreacts to shit they don't understand I really hope that they
don't start REALLY worrying about this.

~~~
w_t_payne
Just like everybody else, it is all about job security.

------
lutusp
There's no publicly accessible article at this link -- it's a paywall.

~~~
uncoder0
[http://pastebin.com/raw.php?i=0yBtLNS8](http://pastebin.com/raw.php?i=0yBtLNS8)

Paste of text.

~~~
lutusp
1\. Technically, a copyright violation.

2\. Hey, thanks!

:)

~~~
uncoder0
I certainly didn't paste it.

------
lifeisstillgood
This, like PRISM, is governments having to adjust to the loss of privacy as
well. The 16 year old girl whom Wal-Mart knows is pregnant because of her
loyalty card purchases thought she could keep it "secret". But secret is not
what you don't tell people, it's what you don't reveal.

Governments the world over are finding out that their secret airbases, their
secret flights, their buildings and purchases are just "private".

You really have to work at keeping secrets. So instead of pretending you can
keep everything secret, try being open by default. You will find it a lot
easier to concentrate on the things you want to keep secret then. Oh - and
never ever let your secret near anything digital.

------
gigamike
Ok, enough with the foreignpolicy.com links. That is now a blacklisted domain
for me.

------
RRRA
Am I the only one who gets a greyed-out overlay layer because I'm guessing some
anti-spam-security-and-whatnot plugin interferes with their page? In any case
-> inspect -> delete node!

------
sk5t
Two frontpage articles from foreignpolicy.com? Seems a little strange...

~~~
dictum
1\. Someone goes to the first link that was posted

2\. They see links to other articles from that site (e.g. "Most Popular on
FP")

3\. They decide to post that article to HN

