Re: Michael Riconosciuto, PROMIS
Steve Thompson: If that's true, then the government couldn't have stolen it. However, I suspect that mainfraim code of any sophistication is rarely released into the public domain. I imagine the author would be able to clear that up, assuming he has no financial reason to falsify its history. The page clearly states that the enhanced version was not in the public domain or owned by the government, it was a completely new version and the development was not funded by the government. The old one was for 16 bit architecture whereas the new one was for 32 bit. http://www.wired.com/wired/archive/1.01/inslaw.html Perhaps I am stupid. I don't know how one would go about modifying application software to include a 'back door' that would presumably enhance its suceptibility to TEMPEST attacks. Isn't tempest all about EM spectrum signal detection and capture? ALL electronic devices emits signals that you can intercept and obtain information from. Whether or not you can extract much useful data or not depends, but generally you can always extract something. This is a vast field and it's hard to generalize. I have personally attended tests at a firm working for the military in a western European country and I've seen how extremely easy it is to do remote classic tempest-reading of the screen of a lap-top, to name only one example. The equipment easily fits in only a station wagon. Generally this is really hard to protect yourself from. Let's say you build yourself a bunker and put your computer inside it but you forget to run it on batteries, then you'll find out that signals will be carried out on the electric cord entering your bunker and they'll be readily readable outside anyway. You can't have any kind of opening in and out of that bunker, not even for ventilation, so you see this is hard to do. Maybe they built in other forms of remotely usable back-doors too, just in case there were able to make contact with the computer remotely over some network. This makes sense too, since one or two or those computers surely were less protected. Some people falsely believe that only CRT screens can be read remotely using TEMPEST techniques, this couldn't be more false, in fact one of the test managers I spoke to said he thought it was easier with TFT type monitors. Also remeber that we're not just talking about monitors, many other devices emits interesting and potential useful informaation: faxes, printers, networking hardware etc. Those PROMIS people built in hardware on the motherboards that emitted signals using a kind of jumping frequency technique. If you have the key giving you he answer to how the frequencies are changed you can easily intercept the data otherwise it becomes really hard to do and esp hard to find out that there's anything emitting in the first place - it looks like noise. The purpose of this was so that they could sell the whole package, the PC with the software pre-installed to customers and then they could sit in their wan down the street and record. It's no only happening in the movies you know :) BTW: I would also be interested in some more comments on Michael Riconosciuto as a person, doesn't anyone have an opinion or know of interesting info in this regard? Are there any books written by him or by people on his side of the story?
Re: Michael Riconosciuto, PROMIS
--- privacy.at Anonymous Remailer [EMAIL PROTECTED] wrote: Steve Thompson: If that's true, then the government couldn't have stolen it. However, I suspect that mainfraim code of any sophistication is rarely released into the public domain. I imagine the author would be able to clear that up, assuming he has no financial reason to falsify its history. The page clearly states that the enhanced version was not in the public domain or owned by the government, it was a completely new version and the development was not funded by the government. The old one was for 16 bit architecture whereas the new one was for 32 bit. Excuse me; I only skimmed the article and missed the part that described the original funding arrangements supporting the development of the initial version. You'd think that the development of software intended to be used by the Justice Department, for an application of non-trivial sensitivity, would be contracted out to a firm with existing connections to the government law enforcement community. But at that time, I suppose it could be said that computer security and trust issues would have little chance of being understood by largely computer-illiterate prosecutors and administrative personnel. Presumably today the award of software development contracts follows a rigid and formal protocol -- for the protection of both parties. http://www.wired.com/wired/archive/1.01/inslaw.html Perhaps I am stupid. I don't know how one would go about modifying application software to include a 'back door' that would presumably enhance its susceptibility to TEMPEST attacks. Isn't tempest all about EM spectrum signal detection and capture? ALL electronic devices emits signals that you can intercept and obtain information from. Whether or not you can extract much useful data or not depends, but generally you can always extract something. There are more general principles of information theory that apparently apply to any instance in which code and a dictionary are used to process information. I believe that the extraction of information from such processes at arbitrary points of access is something of a black art. This is a vast field and it's hard to generalize. I have personally attended tests at a firm working for the military in a western European country and I've seen how extremely easy it is to do remote classic tempest-reading of the screen of a lap-top, to name only one example. The equipment easily fits in only a station wagon. Generally So goes the contemporary non-specialist understanding of the field. this is really hard to protect yourself from. Let's say you build yourself a bunker and put your computer inside it but you forget to run it on batteries, then you'll find out that signals will be carried out on the electric cord entering your bunker and they'll be readily readable outside anyway. You can't have any kind of opening in and out of that bunker, not even for ventilation, so you see this is hard to do. Quite. If you want to get any actual work done, the process exposes you to the risk of leaking information to third-parties. Assuming that is not what is intended, I suppose you can spend a metric shitload of money on measures designed to mitigate against specific risks, without any guarantee of success. Maybe they built in other forms of remotely usable back-doors too, just in case there were able to make contact with the computer remotely over some network. This makes sense too, since one or two or those computers surely were less protected. In .5M LOC, just about anything is possible. However, I don't believe that back-door code would have had anything to do with enhancing the vulnerability of the system to TEMPEST attacks. Some people falsely believe that only CRT screens can be read remotely using TEMPEST techniques, this couldn't be more false, in fact one of the test managers I spoke to said he thought it was easier with TFT type monitors. Also remeber that we're not just talking about monitors, many other devices emits interesting and potential useful informaation: faxes, printers, networking hardware etc. Indeed. I've heard rumours suggesting that arbitrary bus signals (SCSI, PCI, FSB) are radiated with the same promiscuity as are monitor signals. IIRC, a sharp right-angle trace on a circuit board will allow the emmission a detectable RF signal, contingent only on the sensitivity and proximity of a suitably configured receiver. Presumably the expense of designing digital electronics with the criterion of minimising radiated signals is not worth the bother for the vast majority of devices. The status quo of the commodity consumer market for computers and peripherals suggests that the primary design criterion is the minimisation of manufacturing cost. Function and security criterion are necessarily compromised. Those PROMIS people built in hardware on the motherboards that
Re: Michael Riconosciuto, PROMIS
On Sun, 2004-12-05 at 20:58 -0500, Steve Thompson wrote: I've only read vague hints and rumours concerning its implicit design philosophy and architecture from the rare instances where it is mentioned at all. Yes, he code is probably classified (blah, blah, blah), but its actual use must reveal its purpose and function to some degree. And sure, we know that feds and other ne'er-do-wells have a bug up their ass about revealing sources and methods (unlike the public, who have no practical option in that regard) so any information that does leak is bound to be sketchy, but surely there must be _some_ accurate data available concerning its nature, especially considering the fact that it has been under development for two or three decades. Yes, I have found that puzzling too. Articles I have read refer to the original version being in the public domain. You'd think the source code would be out there somewhere. The least Tin Foil Hat (TM) version of the story I found is at Wired http://www.wired.com/wired/archive/1.01/inslaw.html Which gives this description: Designed as case-management software for federal prosecutors, PROMIS has the ability to combine disparate databases, and to track people by their involvement with the legal system. Hamilton and others now claim that the DOJ has modified PROMIS to monitor intelligence operations, agents and targets, instead of legal cases. I find the claims made about this software (it's ability to reconcile data from many different sources automagically ) pretty vague and frankly, a little far fetched, based on what I know about software, databases, etc. (And that's not even including the modifications supposedly made to install a TEMPEST back door in later versions). -Neil
Re: Michael Riconosciuto, PROMIS
On Sun, 5 Dec 2004, Steve Thompson wrote: Does anyone here have a good idea of what the PROMIS code actuall does; what its characteristics and capabilities are in terms of its function as an aid to intellegence analysts, logistics technicians, or consultants? At 07:16 PM 12/5/2004, J.A. Terranson wrote: We had a PROMIS system on our 370 something (168?) back in '81 - ran under SPF/TSO [MVS] IIRC? I always assumed the two were loosely related - I believe it was an early and crude relational DB implementation. But who the hell really knows? There are several different issues related to PROMIS 0 - What size tinfoil hat do you need? (It's probably still worth being paranoid about Echelon, but PROMIS is old hat...) 1 - Feds or somebody basically pirated their copy of the software, back when most mainframe software was expensive, and drove the company into bankruptcy rather than pay up, and they spent a lot of effort covering up their ripoff, possibly including the murder of a journalist. 2 - What are the basic capabilities of the software? I think Alif's got it about right, and remember that back in the early 80s, Codd Date had written some really cool theory about how relational databases could and should work, but most computers didn't have the horsepower for them and the early implementations were mostly either crude or bloated. Also, mainframe software tended to be very customized, particularly if it had to interconnect with other mainframe software like somebody else's non-relational database with a different schema. 3 - What sets of data were the various spooks, feds, and staties _keeping_ in their databases, and how much of it did they share with each other or get from various other sources? If you worked with databases back in the early 80s, remember that a gigabyte of disk used to be pretty big, rather than wristwatch-sized, and a megabyte of RAM was big and cost non-trivial amounts of money, and magnetic tapes held less than 200MB and took tens of minutes to read, and big database projects typically required departments of dozens or hundreds of workers to spend months of budgeting and planning to design schemas and processes that could take months to run, instead of being ad-hoc queries any random employee can run on their desktop over lunchtime if they feel like it, and might be able to run on their pocket computer when riding home on the subway. My department's ~1983 VAX had a 1 MIPS CPU, a gig of removable disk, 4MB RAM, and two tape drives, and cost about $400K. It wasn't big iron - that was typically an order of magnitude bigger. These days, $400 will get you a 3000 MIPS CPU, a gig of RAM, and 100-200GB disk, and database software is free. It's about a million times more cost-effective, depending on whether you care more about CPU, disk, or RAM, and there's an Internet hanging out the back side that will let you use Google's farm of ~100K computers for free.
Re: Michael Riconosciuto, PROMIS
At 6:20 PM +0100 12/5/04, Nomen Nescio wrote: PROMIS Beat that horse, scraped it off the floor, sent it to the glue factory. Seven or Eight times. Musta had kin. However, all you have to do is drop that acronym around here, and, sooner or later, like buzzards to a shitwagon, all the usual suspects will come home to roost. To beat a metaphor like a, heh, dead horse... Cheers, RAH Who goes to Eliot Richardson's old church. When he ran for governor on the republican ticket, the boys from Southie made up a bumpersticker that said Vote for Eliot, he's better than you. :-) -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Michael Riconosciuto, PROMIS
On Sun, 5 Dec 2004, Steve Thompson wrote: Does anyone here have a good idea of what the PROMIS code actuall does; what its characteristics and capabilities are in terms of its function as an aid to intellegence analysts, logistics technicians, or consultants? We had a PROMIS system on our 370 something (168?) back in '81 - ran under SPF/TSO [MVS] IIRC? I always assumed the two were loosely related - I believe it was an early and crude relational DB implementation. But who the hell really knows? -- Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF Civilization is in a tailspin - everything is backwards, everything is upside down- doctors destroy health, psychiatrists destroy minds, lawyers destroy justice, the major media destroy information, governments destroy freedom and religions destroy spirituality - yet it is claimed to be healthy, just, informed, free and spiritual. We live in a social system whose community, wealth, love and life is derived from alienation, poverty, self-hate and medical murder - yet we tell ourselves that it is biologically and ecologically sustainable. The Bush plan to screen whole US population for mental illness clearly indicates that mental illness starts at the top. Rev Dr Michael Ellner
Re: Michael Riconosciuto, PROMIS
--- Nomen Nescio [EMAIL PROTECTED] wrote: I read a few old email messages I had and stumbled over some interesting material relating to NSA, CIA and one Michael Riconosciuto among other things. [PROMIS] Does anyone here have a good idea of what the PROMIS code actuall does; what its characteristics and capabilities are in terms of its function as an aid to intellegence analysts, logistics technicians, or consultants? I've only read vague hints and rumours concerning its implicit design philosophy and architecture from the rare instances where it is mentioned at all. Yes, he code is probably classified (blah, blah, blah), but its actual use must reveal its purpose and function to some degree. And sure, we know that feds and other ne'er-do-wells have a bug up their ass about revealing sources and methods (unlike the public, who have no practical option in that regard) so any information that does leak is bound to be sketchy, but surely there must be _some_ accurate data available concerning its nature, especially considering the fact that it has been under development for two or three decades. Regards, Steve __ Post your free ad now! http://personals.yahoo.ca
Re: Michael Riconosciuto, PROMIS
Bill Stewart shrieb: There are several different issues related to PROMIS Thanks for your comments. But what about the person Michael Riconosciuto? I did some searches online and I got the feeling that a lot people see him as an extremely intelligent person, a one-in-a-million type of person, being involved and on the front line with such diverse areas as human intelligence, weapons, electronics, computers, cryptography, bio-warfare etc. It's stated online that he has warned US about several terrorist attacks before they ocurred, including but not limited to the al-qaeda attacks. Is this somewhat related to him being jailed? Can he verify that US didn't act on alerts in ways so sensitive that the government simply cannot afford to let him speak up? Does he know things relating to US wanting some wars that the public simply cannot be told? I think I read somewhere that people from NSA or CIA thought of him as simply put a genius. Is it likely that he as such a genius is simply too dangerous for his own good when he decided to speak the truth and that the government is actively trying to shut him down and indirectly speed up his death by denying him medical care for his illness? Why did he come clean and sign the affidavit? He himself stated that he though he risked being killed or harmed in various ways if he went through with it. And indeed, just a week or two afterwards he got arrested! Smells like a government retaliation, set-up and cover-up if I ever saw one! This is almost to good for even Hollywood! There are many interesting questions here. Keep in mind that not all of us were around and active with intelligence/computers/cryptography 10-20 years ago. John Young: Does Cryptome hold any interesting documents involving this case?
Re: Michael Riconosciuto, PROMIS
At 9:57 PM -0600 12/5/04, Neil Johnson wrote: is that with a staggering 570,000 lines of computer code, Oh, please... Try googling the line-count of any major piece of software, particularly in an age of object-oriented code... Cheers, RAH -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: Michael Riconosciuto, PROMIS
One the claims I have problems with (from the WIRED article): But the real power of PROMIS, according to Hamilton, is that with a staggering 570,000 lines of computer code, PROMIS can integrate innumerable databases without requiring any reprogramming. If this were true, I can guarantee that there would lots of companies clamoring for it. -Neil
Re: Michael Riconosciuto, PROMIS
On Sun, 5 Dec 2004, R.A. Hettinga wrote: At 9:57 PM -0600 12/5/04, Neil Johnson wrote: is that with a staggering 570,000 lines of computer code, Oh, please... Try googling the line-count of any major piece of software, particularly in an age of object-oriented code... OOP is a fairly recent phenomena when we are talking about code from the '70s you know ;-) In 1980, a half million lines of code was pretty hefty. Cheers, RAH -- Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF Civilization is in a tailspin - everything is backwards, everything is upside down- doctors destroy health, psychiatrists destroy minds, lawyers destroy justice, the major media destroy information, governments destroy freedom and religions destroy spirituality - yet it is claimed to be healthy, just, informed, free and spiritual. We live in a social system whose community, wealth, love and life is derived from alienation, poverty, self-hate and medical murder - yet we tell ourselves that it is biologically and ecologically sustainable. The Bush plan to screen whole US population for mental illness clearly indicates that mental illness starts at the top. Rev Dr Michael Ellner
Re: Michael Riconosciuto, PROMIS
--- Neil Johnson [EMAIL PROTECTED] wrote: On Sun, 2004-12-05 at 20:58 -0500, Steve Thompson wrote: [PROMIS] Yes, I have found that puzzling too. Articles I have read refer to the original version being in the public domain. You'd think the source code would be out there somewhere. If that's true, then the government couldn't have stolen it. However, I suspect that mainfraim code of any sophistication is rarely released into the public domain. I imagine the author would be able to clear that up, assuming he has no financial reason to falsify its history. The least Tin Foil Hat (TM) version of the story I found is at Wired http://www.wired.com/wired/archive/1.01/inslaw.html Which gives this description: Designed as case-management software for federal prosecutors, PROMIS has the ability to combine disparate databases, and to track people by their involvement with the legal system. Hamilton and others now claim that the DOJ has modified PROMIS to monitor intelligence operations, agents and targets, instead of legal cases. Interesting. I find the claims made about this software (it's ability to reconcile data from many different sources automagically ) pretty vague and frankly, a little far fetched, based on what I know about software, databases, etc. No kidding. Databases are _hard_ to write efficiently, let alone to arbitrarily integrate. (And that's not even including the modifications supposedly made to install a TEMPEST back door in later versions). Perhaps I am stupid. I don't know how one would go about modifying application software to include a 'back door' that would presumably enhance its suceptibility to TEMPEST attacks. Isn't tempest all about EM spectrum signal detection and capture? Regards, Steve __ Post your free ad now! http://personals.yahoo.ca