$400 million network upgrade for the Pentagon
Before now, I haven't seen any verifiable statements about how the networking infrastructure in the Pentagon was affected by the attacks last year. Not to diminish the loss of life, which was tragic, but networking people might be interested in this. Building a survivable network in such a small area (relatively speaking, the Pentagon is small) is a much harder problem than diversity on a regional or even national network.

http://www.fcw.com/fcw/articles/2002/0812/news-dod-08-12-02.asp

"Among the problems DOD encountered Sept. 11 was a computing environment with many points of failure -- applications or databases that, if removed, could not be recovered and critical network links that, if down, could not be worked around. DOD officials have said that the terrorist attacks were a dramatic wake-up call. The attacks severed one of the Pentagon's main communications lines and destroyed some Army and Navy servers."
At 12:44 PM -0400 2002/08/12, Sean Donelan wrote:
Building a survivable network in such a small area (relatively speaking, the Pentagon is small) is a much harder problem than diversity on a regional or even national network.
Keep in mind that it was DARPA that funded the original research on what we now call the Internet. There are plenty of clueless morons in the building (the one with four sides and a spare), but there are also some exceptionally sharp people.
http://www.fcw.com/fcw/articles/2002/0812/news-dod-08-12-02.asp
"Among the problems DOD encountered Sept. 11 was a computing environment with many points of failure -- applications or databases that, if removed, could not be recovered and critical network links that, if down, could not be worked around.
Perhaps true for the unclassified systems. But then they're not really that critical to the real day-to-day operations. Moreover, where the plane struck is not the side where the majority of this kind of networking is done.

I worked there for about five years. I know where a lot of the unclassified networking was done, and I know where a fair amount of the classified processing was done. The classified areas were not in any danger from the airplane attack.

-- Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
The Department of Defense does possess a lot of "network disorganization", mostly on the NIPERNET side. A lot of the NIPERNET "unclassified" network is just plain unruly at its best (I left the military in 2000, so maybe things have changed). Any shop with their ADP or IT staff can practically get a server up and running, build intranets, databases, etc. without practically anyone raising an eyebrow; this is at the command level. A lot of these systems are non-redundant and pose single points of failure, etc., but again this is at the command level.

After moving along the ranks, from a lowly seaman recruit running AUI, Cat V, and fiber cabling on an aircraft carrier, to a Third Class Petty Officer stationed at the Unified Atlantic Region Network Operations Center in Norfolk, VA, I learned that this is not the case for mission-critical systems, or for the SIPERNET "classified network", as Brad also stated.

All I can say is this, and any ex-RM can say the same (well, RMs are extinct now; they are IT): I never worked in a building that had any windows, and that could not stand a very good shaking, that is, if it wasn't underground in the first place.

Gerardo

----- Original Message -----
From: "Brad Knowles" <brad.knowles@skynet.be>
To: "Sean Donelan" <sean@donelan.com>; <nanog@merit.edu>
Sent: Monday, August 12, 2002 3:54 PM
Subject: Re: $400 million network upgrade for the Pentagon
At 6:21 PM -0500 2002/08/12, gg wrote:
The Department of Defense does possess a lot of "network disorganization", mostly on the NIPERNET side.
You mean NIPRnet, right?
A lot of the NIPERNET "unclassified" network is just plain unruly at its best (I left the military in 2000, so maybe things have changed).
I was the DISA.MIL Technical POC until I left in 1995, and I am the guy who convinced the SIPRnet and NIPRnet administrators to go with DNS for doing hostname resolution (instead of HOSTS.TXT files), as well as using real IP address space issued by ARIN, instead of just randomly fabricating some network space (in the event that the networks were ever connected to the live Internet, some point in the distant future). I'm also the guy who turned back to ARIN a few Class A, B, and a number of Class C network ranges that we were no longer using.
Any shop with their ADP or IT staff can practically get a server up and running, build intranets, databases, etc. without practically anyone raising an eyebrow, this is at the command level.
Yup.
A lot of these systems are non-redundant and pose single points of failure, etc., but again this is at the command level.
True enough. But then these aren't mission-critical systems like WWMCCS or GCCS.
After moving along the ranks, from a lowly seaman recruit running AUI, Cat V, and fiber cabling on an aircraft carrier, to a Third Class Petty Officer stationed at the Unified Atlantic Region Network Operations Center in Norfolk, VA, I learned that this is not the case for mission-critical systems, or for the SIPERNET "classified network".
Yup.
As Brad also stated. All I can say is this, and any ex-RM can say the same (well, RMs are extinct now; they are IT): I never worked in a building that had any windows, and that could not stand a very good shaking, that is, if it wasn't underground in the first place.
The Pentagon has windows. It also has an ancient system of air pipes aimed at all of the windows, where at a central location they play a radio or otherwise generate sound waves that are then distributed via the air pipes, thus preventing anyone from aiming a laser at the window and being able to bug the office. Of course, if you're not a flag officer (or equivalent), or you don't work for a flag officer (or equivalent), you won't get any windows.

Myself, I worked in the basement, and I walked over a mile each way to go from where I got off the metro, past the concourse between corridors 1 & 10, down to my office on the mezzanine level, on the F ring, between corridors 6 & 7.

-- Brad Knowles, <brad.knowles@skynet.be>
Brad Knowles: The Pentagon has windows. It also has an ancient system of air pipes aimed at all of the windows...
<paranoia> Is this sensitive info? Couldn't someone (theoretically) aim a "beam" at an unoccupied office and another at their objective office then filter out the 'noise'? </paranoia>

Sorry for the O.T.

-- blake
At 5:13 PM -0500 2002/08/13, Blake Fithen wrote:
Is this sensitive info? Couldn't someone (theoretically) aim a "beam" at an unoccupied office and another at their objective office then filter out the 'noise'?
Actually, I don't know for sure how it's implemented. They may have separate sound streams for each window. Moreover, this was a few years ago (I left in 1995), and there may have been changes since then. It would certainly be a lot easier to use individual speakers fed by electrical wiring, than pumping a lot of air around from a central location.

-- Brad Knowles, <brad.knowles@skynet.be>
Even easier is to glue a piezoelectric transducer to the glass and feed it some noise modulated to look like speech from a gadget which may cost an entire $30 in parts. Detecting IR laser emissions and sounding an alarm is also a good idea :)

--vadim
Blake Fithen wrote:
Brad Knowles: The Pentagon has windows. It also has an ancient system of air pipes aimed at all of the windows...
<paranoia>
Is this sensitive info?
Given that I saw this on the history channel the other night, I'd say no. :)

-- Doug Barton, Yahoo! DNS Administration and Development
You can have it done fast, done cheap, or done right. Pick two.
Do YOU Yahoo!?
At 6:02 PM -0700 2002/08/13, Doug Barton wrote:
Is this sensitive info?
Given that I saw this on the history channel the other night, I'd say no. :)
One of the lessons we were taught in our security briefings was that just because something was publicly discussed somewhere (e.g., on a television show or in the newspaper) does not automatically make the information unclassified. I personally know of classified data that has been leaked and published in print, and that's about all I'll say on that particular subject.

However, with respect to the windows and the masking system, I have not been told that this information is classified or sensitive.

-- Brad Knowles, <brad.knowles@skynet.be>
On Thu, 15 Aug 2002, Brad Knowles wrote:
One of the lessons we were taught in our security briefings was that just because something was publicly discussed somewhere (e.g., on a television show or in the newspaper) does not automatically make the information unclassified.
It works the other way too. I've found things I write in public about Internet outages have a habit of ending up in places you need clearance. Someday it would be nice if I could read what I wrote.

Scroll down this page: http://www.ncs.gov/n5_hp/Customer_Service/XAffairs/NewService/2000-063.htm

The NCS gets the information the same way as everyone else. They subscribe to NANOG.

To bring this on topic: How would ISPs feel about officially contributing to NCS's efforts on tracking Internet outages? Would you be willing to subscribe the NCS to your customer outage notification lists?
I personally know of classified data that has been leaked and published in print, and that's about all I'll say on that particular subject.
Last I heard, the Department of Energy library still considers the February 1979 issue of "The Progressive" magazine classified. You might find it in some public libraries. http://www.law.umkc.edu/faculty/projects/ftrials/conlaw/progressive.html
On Wed, 14 Aug 2002, Sean Donelan wrote:
On Thu, 15 Aug 2002, Brad Knowles wrote:
I personally know of classified data that has been leaked and published in print, and that's about all I'll say on that particular subject.
Last I heard, the Department of Energy library still considers the February 1979 issue of "The Progressive" magazine classified. You might find it in some public libraries.
Which begs the question, does it being classified still matter if it has been openly published? And can you get in trouble for distributing it further? "The Progressive" didn't think so. While the DOE successfully got an injunction forbidding them from publishing "The H-Bomb Secret: How we got it - why we're telling it", the information was printed elsewhere later in the year, so The Progressive went to press with the article in their November 1979 edition.

See:
http://www.progressive.org/pdf/1179.pdf
http://www.shepherd-express.com/shepherd/20/09/headlines/cover_story.html

Temporarily mirrored at: https://www.die.net/tmp/9c88d4cc4922f7b5f2da46a30aabdcd8.pdf/1179.pdf

-- Aaron
Better than this :) Does anyone remember when a diligent tech at Sprint sent an FCC notification about an outage in the fine state of NV when a certain set of DS3s and OC3s went offline from a circuit breaker trip? I wish I could find it to quote, but it went something like...

A faulty breaker caused several DS3s to go offline, including service to the military installation Area 51 and S4.

This was posted on the fcc.gov site for at least two or three days that I can recall. :):)
On Wed, 14 Aug 2002, Scott Granados wrote:
Better than this :) Does anyone remember when a diligent tech at Sprint sent an FCC notification about an outage in the fine state of NV when a certain set of DS3s and OC3s went offline from a circuit breaker trip? I wish I could find it to quote, but it went something like...

A faulty breaker caused several DS3s to go offline, including service to the military installation Area 51 and S4.

This was posted on the fcc.gov site for at least two or three days that I can recall. :):)
http://www.fcc.gov/Bureaus/Engineering_Technology/Filings/Network_Outage/199...
"Fold back" systems like Bose noise-cancelling headsets depend on the microphones being adjacent to each other. The further apart they are, the more difficult it becomes to "sync" the noise. A digital delay helps, but at some point of source divergence even it won't help.

Of course these measures are designed for inadvertent release of information. Anyone with a window shouldn't be discussing things worth eavesdropping on anyway. But in the real world... hence the air pipes.

Not that I would know anything about this sort of thing... ;0

Best regards,
Alan Rowland

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Blake Fithen
Sent: Tuesday, August 13, 2002 3:13 PM
To: 'Brad Knowles'; 'gg'; 'Sean Donelan'; nanog@merit.edu
Subject: RE: $400 million network upgrade for the Pentagon
Brad Knowles: The Pentagon has windows. It also has an ancient system of air pipes aimed at all of the windows...
<paranoia> Is this sensitive info? Couldn't someone (theoretically) aim a "beam" at an unoccupied office and another at their objective office then filter out the 'noise'? </paranoia> Sorry for the O.T. -- blake
In general: Things work far better on TV than in real life. This includes James Bond toys.

Standoff distance is your friend, for both electromagnetic radiation and 0.5mv^2 from fertilizer and fuel oil. The second is so much the case that I knew of a major secure installation that had a blanket TEMPEST waiver; i.e. machines radiating were not a threat. Why? They had a minimum one mile standoff distance between the outer fence{s} from public roads/land and the inner buildings where the classified work took place. And the few visitors inside the compound were controlled such that there was no chance they'd wander in with a van of receivers.

I think it safe to say the Pentagon has many precautions of this nature in place. Tried to park next to the building recently ;-?

-- A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
As I recall, and definitely don't quote me on this :), there are also grids of wires in the walls which release broad-spectrum electronic noise for jamming small transmitters. But only in certain rooms. It also strikes me that the Pentagon is not going to have many interesting conversations in there, not nearly as interesting as some other locations I won't list here.

Scott
Perhaps they have perfected the Cone of Silence? http://www.cinerhama.com/getsmart/innovations.html - Dan
At 1:09 PM -0700 2002/08/14, Scott Granados wrote:
As I recall, and definitely don't quote me on this :), there are also grids of wires in the walls which release broad-spectrum electronic noise for jamming small transmitters.
I'm sure that they have all sorts of methods. On the other hand, cellphones make devilishly difficult "bugs" to eliminate, especially the ones that are capable of automatically answering the call and activating the microphone without any audible ring. You can't just block all cellphones, because many people carry pagers that work on the same frequencies, and many people carry cellphones that they depend on.
It also strikes me that the pentagon is not going to have many interesting conversations in there not nearly as interesting as some other locations I won't list here.
Oh, I don't know. There are the briefing rooms with direct links to the White House and other facilities. There's the NMCC itself, as well as the OSD-CC (which had even tighter security than I ever saw in the NMCC).

During Desert Shield/Desert Storm, the Chairman of the Joint Chiefs had a regularly scheduled morning briefing every day, and it always started right on time and occasionally ran a little over.

Since I'm sure that the Chairman still has an office in the building, there are probably similar things that continue to occur today.

OTOH, there are definitely other places that probably have much more sensitive conversations that frequently go on.

-- Brad Knowles, <brad.knowles@skynet.be>
Actually, yes, you do block all cell phones and transmissions in these facilities. I'm not sure if you have ever been in one, but having cell phone access is simply not a concern. Neither is much open communication. They are, however, smaller locked-down rooms; you would never lock down the entire Pentagon that way. I read earlier a point about buffer zones or distance between the building and the outside world, and this is quite common. Many times as well these external areas contain electronic countermeasures. Classified environments are very different and have an entirely different set of requirements.
At 7:10 PM -0700 2002/08/14, Scott Granados wrote:
Actually, yes you do block all cell phones and transmissions in these facilities.
Are you talking about a SCIF -- Secure Compartmented Information Facility? The sort of place where they basically Tempest-shield the entire building? Yes, those are huge Faraday cages, and they do completely block all signals going in and coming out. However, while there are SCIFs inside the Pentagon (including the National Military Command Center, or NMCC), the entire Pentagon itself is not a SCIF.
Classified environments are very different and have an entirely different set of requirements.
Indeed. The scariest thing I saw inside the NMCC was their complete lack of regard for internal security. They assumed that if you made it past the guards, you obviously had clearance, so they didn't bother locking up classified material when they were done with it (just at the end of the day), they didn't bother covering classified material while it was on their desk but they weren't using it precisely at that moment, etc....

It's pretty damned entertaining to take your parents through the NMCC on a private tour, and watch everyone scramble like hell when they figure out that these two middle-aged tourists don't have a lick of clearance. ;-)

Oh, and yes -- I did take them to see the Crisis Action Center, including the DEFCON board. However, the DEFCON status for the Unified & Specified Commands had been blanked, because I told the officer on duty that I wanted to show them the room from the viewing balcony above.

-- Brad Knowles, <brad.knowles@skynet.be>
Unnamed Administration sources reported that Brad Knowles said:
I'm sure that they have all sorts of methods. On the other hand, cellphones make devilishly difficult "bugs" to eliminate,
Not at all. The entry guard says "No Cell Phones".. and [s]he has the gun. You can whine and pout but [s]he still has the gun.

THAT is how you solve that issue. No shield rooms needed.

I had some bozo try to bring his pagers into my [1] SCIF once. "But Man, I NEED my pagers.." {"I am SO important, in my eyes at least, that you can not strip me of my status symbols.."}

I offered that he could keep the pager-pieces after I smashed them.... and he decided he did not NEED them after all. They stayed in the unclass area on someone's desk, someone who could call me if they went off. They did not.

[1] I was the SCIF Security Officer; what a thankless role..
Ok, let's make this operational for one second. This is something I've always wondered, and I have an idea, but... What is the real possibility that there is some sort of structured monitoring system in place, say at the backbone level? Bad FBI meat-eating programs aside, I mean really something useful. Can the NSA, for example, listen in somehow to peering points or other such common areas and observe things that interest them? I know the answer in the voice network is yes, but that's technically easier. On the IP network that would seem to be much more difficult.
Well, what's a "peering point"? Most traffic does not traverse public peering points, domestically. So, in order to look at enough traffic to make it worthwhile, the .gov would have to optically tap all the private peering x-connects between major carriers. That is a major endeavour, and would surely be eventually discovered (probably sooner, rather than later). And, of course, the equipment needed to actually look at that data, at line rate, would be difficult to conceal.

There are also numerous rules against doing this sort of thing domestically.

Sniffing peering traffic internationally would actually be much easier, for both legal and technical reasons. LINX is the largest public exchange in the world, by traffic, for example. However, I doubt that equipment to sniff 17gb/sec of data actually exists at the moment.

It's much easier to get this sort of data closer to the endpoints - the subject's mail server, keyboard, monitor, a dialup RAS, or a span port off of the provider's ethernet switch. The closer you get to the hypothetical "center" of the internet, the more data there is to sort through, complicating the task.

On the other hand, tapping undersea optical fibers is apparently no problem, currently, and will get easier when the USS Jimmy Carter (SSN23), a specially modified Seawolf sub, comes on line in a bit. It is alleged to have a removable module that is specifically designed for tapping undersea fiber optic cables without any interruption of current or light level.

- Daniel Golding
Unnamed Administration sources reported that Daniel Golding said:
Well, what's a "peering point"? Most traffic does not traverse public peering points, domestically. So, in order to look at enough traffic to make it worthwhile, the .gov would have to optically tap all the private peering x-connects between major carriers. That is a major endevour, and would surely be eventually discovered (probably sooner, rather than later). And, of course, the equipment needed to actually look at that data, at line rate, would be difficult to conceal.
There are also numerous rules against doing this sort of thing domestically.
a) I commented on the Pentagon zone-of-control issue, and don't feel competent to speak on most aspects of backbone sniffing. Ask folks who run backbones and peering points.

b) That said: There WERE also numerous rules against doing.... Spend some time reading about both the so-called Patriot Act <http://www.aclu.org/congress/l110101a.html> and Ashcroft policy of late. See EPIC, EFF, and ACLU's pages on same, for starters.

When the best-protected personal data you have is your Blockbuster account, and your public library & medical records are open to any knuckle-dragger WITHOUT a warrant.... ...and protesting same can make you too an enemy-combatant; detained without charge in a brig... You may wish to review your thinking.

This is way OT for NANOG. If you want to come back on topic; what's your own NOC's SOP for when the G-men knock on the door at midnight waving paper & steel?
what's your own NOC's SOP for when the G-men knock on the door at midnight waving paper & steel?
Yes sir, the servers are over there and here's the root password. Oh wait, unless something's broke or I'm breaking it I'm not at work at midnight.

At my last place of employment, we would grant whatever a government official asked for in a properly formatted subpoena for information. That being said, most of the subpoenas we received were a joke. "Give me everything you have on this customer who connected to your service 3 years ago for 2 minutes. Here's his name." or "Here's a forward of the e-mail from your service." (with no headers included or hint of an IP address.) "Give us everything you have about that customer."

My old boss's favorite in a phone conversation with someone from the government (I don't remember who): "What information can I ask you for?"

I'm sure there are people in the know that make these kinds of requests, but I've never seen them.

G
At 9:52 AM -0400 2002/08/15, Daniel Golding wrote:
Well, what's a "peering point"? Most traffic does not traverse public peering points, domestically. So, in order to look at enough traffic to make it worthwhile, the .gov would have to optically tap all the private peering x-connects between major carriers.
Nope. Just have them do the work for them. If they want to be more covert, they can just sniff the massive amounts of EMI that is radiated for miles around any major facility.
There are also numerous rules against doing this sort of thing domestically.
Google for "ECHELON" and read the lengthy report that was prepared for the EU. They don't do this domestically -- they ask the GCHQ to do it for them via the ECHELON network, and then pass them the data. They return the favour when the GCHQ wants data on some person in the UK.
Sniffing peering traffic internationally would actually be much easier, for both legal and technical reasons. Linx is the largest public exchange in the world, by traffic, for example. However, I doubt that equipment to sniff 17gb/sec of data actually exists at the moment.
You have no concept of the kind of systems that the NSA uses. First off, they use massive numbers of rather less powerful machines with a "watchlist". Each machine sniffs its small part of the overall network, and anything matching the watchlist gets saved and sent up for further processing, collation, data reduction, etc.... Then things start to get interesting. ;-)

-- Brad Knowles, <brad.knowles@skynet.be>
At 8:36 PM -0700 2002/08/14, Scott Granados wrote:
Can the nsa for example listen in somehow to eering points or other such common areas and observe things that interest them?
Yup. Google for "ECHELON" and read the lengthy report that was prepared for the government of the European Union.
I know the answer in the voice network is yes but that's technically easier. On the ip network that would seem to be m uch more difficult.
Not for the NSA. Indeed, voice has to be converted to data in order to go through the search algorithms, so it's actually a lot easier to just search data that doesn't have to first be converted.

-- Brad Knowles, <brad.knowles@skynet.be>
At 10:37 PM -0400 2002/08/14, David Lesher wrote:
Not at all.
The entry guard says "No Cell Phones".. and [s]he has the gun. You can whine and pout but [s]he still has the gun.
When I was there, they never searched anyone's purse, bag, or briefcase. So, just leave it inside while you briefly wave your badge at the guard while you walk briskly through, right along with the tens of thousands of other people doing the same.

-- Brad Knowles, <brad.knowles@skynet.be>
I'm sure that they have all sorts of methods. On the other hand, cellphones make devilishly difficult "bugs" to eliminate, especially the ones that are capable of automatically answering the call and activating the microphone without any audible ring. You can't just block all cellphones, because many people carry pagers that work on the same frequencies, and many people carry cellphones that they depend on.
You can, and they do. Most of the secure government facilities I've been into have a strict policy that absolutely nothing that can or does output a signal is permitted into the building. That means cellphones, two-way pagers, you name it. The official reason I was told was that such a device may 'accidentally' transmit classified information out of the facility. But I suspect the real reason is so that any signal they detect that they don't know about can be treated as hostile. DS
On Mon, 12 Aug 2002, Brad Knowles wrote:
Building a survivable network in such a small area, relatively speaking the Pentagon is small, is a much harder problem than diversity on a regional or even national network.
Keep in mind that it was DARPA that funded the original research on what we now call the Internet. There are plenty of clueless morons in the building (the one with four sides and a spare), but there are also some exceptionally sharp people.
It's not a matter of having smart people. Distance offers protection against many risks. The closer you put two critical systems to each other (e.g. in the same building) the higher the risk a single catastrophe (or system engineer) will impact both of them. Of course there are limits to diversity; Earth is a single point of failure for the foreseeable future.
Perhaps true for the unclassified systems. But then they're not really that critical to the real day-to-day operations. Moreover, where the plane struck is not the side where the majority of this kind of networking is done.
I have no idea how many or where the cable entrance facilities are located or how major cables are routed through the Pentagon. Demarcs are sometimes located in the darndest places a long way away from where you might do your work. It might even make sense to put an alternate building entrance facility not on the side where the majority of the networking was done. In any case, classification level is orthogonal to quality.
At 12:38 PM -0400 2002/08/13, Sean Donelan wrote:
I have no idea how many or where the cable entrance facilities are located or how major cables are routed through the Pentagon.
True enough. Neither do I.
It might even make sense to put an alternate building entrance facility not on the side where the majority of the networking was done.
In terms of primary human entrances, they are found on four of the five sides of the building. The fifth side is where the helipad is located. Moreover, the networking is done all over the building, although I presume that there are some areas of concentration around the NMCC, and certain other facilities.

In terms of network facilities, I'm sure that they have multiple redundant entrances all around the building. The question is how far away from the building do they then converge, so that you once again have a SPOF.

-- Brad Knowles, <brad.knowles@skynet.be>
participants (14)
- Aaron Hopkins
- Al Rowland
- Avleen Vig
- Blake Fithen
- Brad Knowles
- Daniel Golding
- David Lesher
- David Schwartz
- Doug Barton
- Gerald
- gg
- Scott Granados
- Sean Donelan
- Vadim Antonov