Showing posts with label OPSEC. Show all posts

Wednesday, March 30, 2024

TMI

From today's DoD contract announcements.
PAE Government Services, Inc., Arlington, Va., is being awarded an $87,621,822 modification under a previously awarded cost-plus-award fee, indefinite-delivery/indefinite-quantity contract (N33191-07-D-0207) to exercise option four, which provides for base operating support services at Camp Lemonnier and forwarding operating locations, i.e., Camp Simba, Manda Bay, Kenya. The work to be performed provides for general management and administration services; public safety (harbor security, security operations and emergency management program); ordnance; air operations (airfield facilities and passenger terminal and cargo handling); supply; morale, welfare and recreation; galley; housing (bachelor quarters and laundry); facility support (facilities investment, janitorial, pest control services and refuse services); utilities (water, waste water and electrical); base support vehicle and equipment; and environmental. The total contract amount after exercise of this option will be $379,157,194. Work will be performed in Djibouti, Manda Bay, and Kenya, Africa, and is expected to be completed by March 2012. Contract funds will expire at the end of the current fiscal year. The Naval Facilities Engineering Command, Europe Africa Southwest Asia, Naples, Italy, is the contracting activity.

A few rules. First, I don't want to hear about your sex life, it's just too much information. Second, I don't want to read about contracts for forward operating bases used by special forces near Somalia in the contract announcements.

Less is more, people, less is more. Carry on.

Friday, May 1, 2024

White House Learns The Risks Of The New Media

From Politico:

A photograph posted by the White House to the photo sharing website Flickr includes an image of a document with the letters CIA printed beneath what appears to be the word "secret."

The photograph by White House photographer Pete Souza is one of 301 pictures currently in the White House's Flickr pool, and depicts President Obama and six of his top advisors in the Red Room before Wednesday's prime time news conference. In the picture, foreign policy advisor Denis McDonough holds a binder, a legal pad, and some loose paper, with the top sheet bearing the acronym for the Central Intelligence Agency, which is clearly visible in an enlarged, 3500-pixel wide image available on Flickr.

The other words on the visible portion of the document aren't easily legible, and a White House spokesman, Bill Burton, dismissed it as innocuous in an email.

"Uh oh. Please don't tell me that the enemy is now going to know what our fax coversheets look like. (That is indeed what it is.)," he emailed.

I think maybe now they'll start to understand just how hard immediate transparency can be. Of course, carrying exposed documents of any kind around areas with cameras is risky. Oh, and there are even instances where a fax cover sheet may carry classified info, so the explanation offered by the White House doesn't necessarily address the concern.

Wednesday, February 18, 2024

Loose Lips Sink Ships, or Ruin Policy

This is the type of fallout to expect when Senators like Dianne Feinstein talk about UAVs flying out of air bases in Pakistan.

Iraq was often called Bush's war, but Iraq is won. Afghanistan is now being shaped to become Obama's war, and it will be a difficult and unpopular war under Obama just like Iraq was under Bush. I don't think our nation or military is served effectively when Senators do not uphold their obligations to keep classified information secret.

The open source intelligence that results from slips like the Senator's only compounds the problem of finding effective airfields from which to operate our aviation assets.

Don't be the person making excuses for representatives who attempt to intentionally make executive level policy decisions. The Senator was asserting her power over the President, a selfish game with selfish ends, and not something to casually dismiss when lives are at stake.

Unmanned aircraft or not, there are Americans on those bases whose lives have been put in even more danger than they already were.

Thursday, February 12, 2024

So Much For OPSEC

Wow:
A senior U.S. lawmaker said Thursday that unmanned CIA Predator aircraft operating in Pakistan are flown from an airbase inside that country, a revelation likely to embarrass the Pakistani government and complicate its counterterrorism collaboration with the United States.

The disclosure by Sen. Dianne Feinstein (D-Calif.), the chairwoman of the Senate Intelligence Committee, marked the first time a U.S. official had publicly commented on where the Predator aircraft patrolling Pakistan take off and land.

Just, wow.

Monday, August 11, 2024

Russia's OPSEC Problem - LiveJournal

Russia has realized OPSEC has gone out the window with LiveJournal, and there may be a purge coming. A lot of rumors in Russia are discussing the possibility that SUP Fabrik is under pressure to delete several LiveJournal diaries. If you are a LiveJournal user, you may want to make a backup in case the purge goes wild.

Is it a legitimate problem? It is unclear. The Russian LiveJournal community appears to be very popular among soldiers, and for some reason, there appears to be plenty of bandwidth for updating diaries during the military conflict. Apparently, there is a lot of downtime.

I can say that most Russian language readers we know are spending a lot of time looking through the Russian LiveJournal entries. At worst, one finds links to the better media coverage quicker. At best, you get an inside look at events on the ground.

Regardless, with detailed entries by non-soldiers regarding unit movements coming from what may be Georgian LiveJournal entries, Russia clearly has an OPSEC problem, and a lot of rumors suggest a purge is coming.

Monday, April 28, 2024

Thoughts on Navy Approved Messages

The Navy's website has put up a web page regarding the PBS documentary special "Carrier." The Navy has recruited a panel for discussion following each episode to get reactions. The panel consists of:

RDML Ted Branch, former commanding officer of USS Nimitz (CVN 68)

MCPON Joe Campa Jr, Master Chief Petty Officer of the Navy

YN1 (SW/AW) Jennifer Brown, carrier tours include USS John C. Stennis (CVN 74) and USS Harry S. Truman (CVN 75)

MM3 (SW) Ernest Ackerman, served five years aboard USS Boxer (LHD 4)

We will not be giving a review of the series until it is completed; however, for fans, the Navy's web page does offer some commentary. My take on the commentary is this: once you watch the Navy production, you will have a ton of appreciation for what PBS has done with the series. That web page is embarrassing, a marketing blunder at a time they have a good thing going. If they are smart, it will quietly disappear. It's like comparing the Navy official website with Destroyermen. While I'm sure the Navy website gets a lot of hits, I'd bet money the number of daily visits on Destroyermen has the Navy's attention.

On the subject of Destroyermen, let me suggest something to those who play overseer. That last post was one of the best yet, good enough to get you a headline in fact, and it makes no sense at all that the Navy would ask for that post to be taken down. Here is my advice: quit worrying about the messages you don't approve and start worrying about the ones you do, because that stupid shit someone published on the "Carrier" series on the official web page is washing away the good the Navy is earning with the Carrier series on PBS. The problem isn't the unofficial, non-sanctioned messages; the problem, including the OPSEC issues that allow us to track your fleet over a cup of morning brew, is so obviously what is approved. The Navy as a whole needs an education on the information age.

Monday, February 18, 2024

Open Source, Professionals, Military Content, and the Future

David Axe has an excellent contribution to Wired's Danger Room on the military struggles to leverage open source medium for networking ideas and discussion. His suggestion caught my attention.
I'm not saying that Army forums should be totally unprotected from insurgent snoopers. But they should be expanded, and loosened, to allow students, academics, journalists and, yes, even members of the general public to participate on some level. That's risky, sure, but worth it.

If you are reading this blog, according to our research of incoming hits (and we do this type of thing for a living, so we have a pretty good handle on who hits the blog), there is an 85% chance you fall into one of the following categories.
  1. Retired/Active - Military/Government
  2. Academic/Author
  3. Student
  4. Industry Related Professional
  5. Relative of Active Navy Personnel

We welcome anyone to the blog or to comment, but that is our core audience, and we list it in order from most common to least common. David is a smart guy. I link to his blog because I read his blog every day, and anything else he writes. He may not know as much about the Navy as he thinks he does, but he knows a hell of a lot more about the Air Force than he lets on.

The problem facing the Army, in fact facing much of new media, is that the tools are still not well developed. Let's be honest, Wikipedia is neat but I only link there when I'm talking about something for general discussion, not technical detail. It simply isn't that great of a source and isn't a popular interactive tool for discussions. Blogs, message boards, and many other interactive, content-driven new media tools fall into a similar category: credentials are mostly anonymous and too often theories get accepted as reality based on brief, incomplete professional research.

I see the concern about security as a paper tiger though. If Proceedings, the Small Wars Journal, NPS, NWC, and the Strategic Studies Institute at the Army War College can produce professional content for public dissemination, the challenge isn't a matter of security, it is a matter of leveraging the method. Of those, only the Small Wars Journal has created interactive discussion, and while the tools are lacking, they have still managed to produce excellent discussions among field commanders.

SteelJaw Scribe and I have discussed the possibility of creating a Maritime Strategy blog network, perhaps a maritime security blog specifically. The problem there is getting people to contribute, and who moderates. The way I look at it, the idea only works if the moderators are unbiased, the contributors are well known and credentialed, and the naval new media community (naval centric bloggers and other naval centric sites) supports the blog. In other words, run it similar to how they run Milblogs at Mudville Gazette except pull more professional contributions than blog contributions.

Honestly, I don't expect the Navy or any other service to engage interactive open source discussion anytime soon. They will come out with too many rules to make it useful, as they already have with previous attempts, and there is too much potential to control the message for it to be effective. For now, Sailorbob will be the present and future. I still believe the answer will come from the grass roots outside the DoD, because if you observe the way insurgents and terrorists leverage the open source, that is exactly how their system developed.

Monday, August 27, 2024

A Word on OPSEC

I have waited long enough for any news reports regarding the visit of Adm. Vladimir Masorin, commander in chief of the Russian Navy, to Norfolk. It does not appear any media coverage of the event is forthcoming. I've been waiting for a few weeks for someone to talk about it in the media. I assumed, somewhat like the naive fool I sometimes am, that everyone had been waiting for this, and that someone would ask any number of questions of the dear Russian Admiral regarding his statements on Russian Navy Day, or perhaps about the 6 aircraft carriers he wants to build. Apparently, the visit is EMCON Alpha.

But it really wasn't. The Navy told me he was coming every day for a week, despite no pictures or any word that I can find online until this weekend.

I've avoided personal stuff in this blog, and will be generic on purpose for a paragraph. I own an IT company, I have worked in IT security for 12 years, and I have spent time in the dark corners of the internet from time to time when paid appropriately for my services. I used to be a programmer, but when someone asks me what I do now, I tell them I'm in the information business. My primary business is to gather relevant information, store information in a flexible way, and securely present the useful information. Like I said, this is generic on purpose.

In this regard I have several side projects that I sometimes revisit in hopes of one day selling. One of those projects is an information gathering tool, multi-language, that basically gathers information, similar to the function of an RSS reader for RSS feeds, except much broader in scope. It is actually better described as an open source data phishing tool.

When I read this story posted on Wired, then the follow on by Greyhawk, I decided to test some theories on blogs and OPSEC by adding additional layers into my software using open sources of information, and see if I can find any evidence of OPSEC problems outside blogs.

For years, members of the military brass have been warning that soldiers' blogs could pose a security threat by leaking sensitive wartime information. But a series of online audits, conducted by the Army, suggests that official Defense Department websites post far more potentially-harmful than blogs do.

The audits, performed by the Army Web Risk Assessment Cell between January 2006 and January 2007, found at least 1,813 violations of operational security policy on 878 official military websites. In contrast, the 10-man, Manassas, Virginia, unit discovered 28 breaches, at most, on 594 individual blogs during the same period.

The results were obtained by the Electronic Frontier Foundation, after the digital rights group filed a lawsuit under the Freedom of Information Act.

"It's clear that official Army websites are the real security problem, not blogs," said EFF staff attorney Marcia Hofmann. "Bloggers, on the whole, have been very careful and conscientious. It's a pretty major disparity." The findings stand in stark contrast to Army statements about the risks that blogs pose.

Noah and Greyhawk are both right to be skeptical. A few points to ponder.

The weekend of the 18th and 19th I decided to write additional functionality into my tool. Specifically, I started looking into search engine search strings based on some stuff discussed at a recent white hat conference, and began my little search by also including some simple blogs I made on a variety of sites, all of them free hosted. I noticed the script kiddies are doing their phishing by using specific ship names and by targeting geographic places (port and country) to generate hits, so I decided to mostly mimic script kiddie techniques and make only a few customizations, then added in a number of common naval terms and names as well, and added more throughout the week as news changed.

It seems pretty clear to me that the internet search strings alone coming from .mil sites are a security problem in the DoD, if not the government at large. I'm willing to bet milbloggers who generate a bunch of hits and have monitored stats on blogs much longer than I have have seen evidence of this. Starting on Monday the 20th I captured dozens of hits from several government sites searching for terms like: Admiral, Vladimir, Masorin, Norfolk, Washington, Visit, and Mullen. As a side note, it is noteworthy that the Russians made the same mistakes from Moscow against Russian language blogs. At this point I am debating whether to conduct the test again in the future and actually produce the data as a paper; if I do, I'll post it here.

This isn't a big deal though, right? I got a bit concerned when on the 19th I had hits that included terms like Marmaris + Turkey + USS Kearsarge, which wouldn't be a big deal except the Kearsarge didn't arrive in Turkey until the 20th, and I couldn't find any English language website stating the ship would be in Turkey after Malta at the time. Maybe this was announced ahead of time overseas and I was simply unaware, but it seemed a bit odd.

Is this an OPSEC problem? I don't know, but this type of phishing took about 3 hours to set up and uses mostly very old hit generation techniques on free sites to track search strings from government sources, predicting data using special terms, then organizing the data. I could go into further detail, but I think to anyone with a lick of tech knowledge the point is clear.

You mil folks at work need to be careful what you put into your search engines. For example, don't use ship names and locations of current ops, and be mindful that everything you put into the web gets stored somewhere for output, and in many places stored publicly.

I have no idea what happened with the USS Hue City (danger circle), but I figure a story will pop up over the next few days. I'm also more interested in "Varuna 2007" than I previously was, because I can't explain why so many of the hits I saw with that search term came from Saudi Arabia.

When I saw this post by CDR Salamander on Saturday, I added a few terms to my phishing, and if the CDR calls his office (assuming he saves daily logs) I bet he had another visit sometime between 2:10pm and 2:15pm eastern on Monday afternoon. I did in 4 places, and he ranked higher than me on the search string response list. Technology is moving fast; if the DoD is looking outside the bubble to blame bloggers, I don't think they have a grip on their OPSEC issues.
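The leak described here can be audited from the inside, on an organization's own egress proxy logs. The Python below is an added example, not the author's tool or any DoD system: it flags outbound requests whose Referer header hands a search query pairing a unit name with a place to a different host. The log format, host names and watchlists are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query-string keys that commonly carry the search text (assumed list).
QUERY_KEYS = ("q", "p", "query", "text")
# Hypothetical watchlists; a real audit would load its own.
UNITS = {"uss kearsarge", "uss hue city"}
PLACES = {"marmaris", "turkey", "malta"}
# Constructed proxy-log format: time, client, destination URL, "Referer".
LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2024-08-19T13:02:11Z ws-114 http://freeblog.example/navy-news "http://search.example/search?q=USS+Kearsarge+Marmaris+Turkey"
2024-08-19T13:05:40Z ws-114 http://search.example/search?q=USS+Kearsarge+Marmaris "-"
2024-08-20T09:15:02Z ws-207 http://freeblog.example/navy-news "http://search.example/search?q=navy+blog"
2024-08-20T14:12:03Z ws-031 http://news.example/story "http://other.example/find?query=%22USS+Hue+City%22+Malta"
2024-08-20T14:20:00Z ws-031 http://news.example/story2 "http://news.example/story?q=USS+Hue+City+Malta"
""".splitlines()


def search_text(url):
    """Return the lowercased search text carried in a URL's query string, or ''."""
    params = parse_qs(urlsplit(url).query)
    for key in QUERY_KEYS:
        if key in params:
            return " ".join(params[key][0].lower().replace('"', " ").split())
    return ""


def leaked_queries(lines, units=UNITS, places=PLACES):
    """Flag requests whose Referer hands a unit+place query to another host."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        when, client, dest, referer = m.groups()
        dest_host = urlsplit(dest).hostname
        if urlsplit(referer).hostname in (None, dest_host):
            continue  # no Referer, or same site: nothing reaches a third party
        text = search_text(referer)
        hit_units = sorted(u for u in units if u in text)
        hit_places = sorted(p for p in places if p in text)
        if hit_units and hit_places:
            findings.append((when, client, dest_host, hit_units, hit_places))
    return findings


if __name__ == "__main__":
    for finding in leaked_queries(SAMPLE_LOG):
        print(finding)
```

Stripping the Referer at the proxy closes this particular channel to third-party sites, but the search provider still receives and can store the query itself.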