The International Computer Science Institute (ICSI), a non-profit research organization in Berkeley, California, is due to present new findings next month regarding "cybercasing," a word researchers coined to refer to how geotagged text, photos and videos (those that include location information) can be used by criminals and other dangerous parties to mount real-world attacks.
Using sites like Craigslist, Twitter and YouTube, the researchers were able to cross-reference information contained within publicly available online content to determine the exact home addresses of potential victims, even those who had posted the content anonymously. The experiments didn't take weeks, days or even hours of research either - the addresses were pinpointed with GPS-level accuracy within minutes.
The original report, "Cybercasing the Joint: On the Privacy Implications of Geotagging," by researchers Gerald Friedland and Robin Sommer, was published in May and is due to be presented at the upcoming USENIX Workshop on Hot Topics in Security next month, reports trend-tracking site PSFK.
The report's authors examined in detail the rapid spread of location-based services, in large part due to the growing smartphone market. Today's mobile devices and their accompanying applications tap into the phone's GPS or use Wi-Fi triangulation to append geotags, or locational information, to the items recorded with the phone, whether that's an update posted to Twitter, a photo uploaded to Flickr or a video sent to YouTube.
A major concern with these types of applications, say the researchers, is that many consumers don't know such information is being shared, especially on such a large, public scale. For example, Apple's iPhone by default embeds high-precision geo-coordinates within all photos and videos taken with the internal camera unless explicitly switched off in the phone's settings. The accuracy of these geo-coordinates "even exceeds that of GPS," warn the researchers, regularly reaching "resolutions of +/- 1 m in good conditions and postal-address accuracy indoors."
But publishing these precise geo-coordinates embedded into the shared texts, photos and videos to the Web is only part of the problem. Also troubling is the fact that the large amount of multimedia now available online combined with easy-to-use search tools for sifting through geo-tagged data makes it possible for anyone to easily launch systematic privacy attacks. In addition, services like Google's Street View and other "annotated maps" help simplify the process of correlating findings across several independent resources.
In other words, it's not just that the geo-tagged information is online, it's that there are a plethora of tools with which to analyze it.
To demonstrate the ease involved in determining a stranger's precise location, Friedland and Sommer first "cybercased" Craigslist, a classified ads website often used to post items for sale. Here they found geo-tagged photos which they compared with Google Street View, allowing them to determine the postal addresses belonging to the items' sellers. Even more helpful (if the researchers were, in fact, thieves) was that several ads included a "best time to call" - implying the hours the sellers were not at home.

In further tests, the researchers cybercased Twitter, which allows mobile users to geo-tag their updates. Third-party applications - like TwitPic, for example, used for posting images to Twitter - also include locational data. Using a Firefox Web browser plugin called Exif Viewer, it was only a matter of right-clicking on an image to reveal the location of the Twitter post, plotted on a map.
A third experiment, and perhaps the most devious yet, showed the ease with which this form of cyberstalking could be automated. While the above examples revealed users' locations within minutes, manual effort was still involved. For YouTube, however, the researchers wrote a simple script that automatically recognized when videos were recorded a certain distance away from a primary location, that being the potential victims' home addresses. When the "vacation distance," as it was called, was set to 100 km, the script returned 106 hits revealing who was out of town in the test location of Berkeley, CA. After briefly perusing the results, the researchers came across a video from someone who was clearly on a Caribbean vacation and would have made an ideal victim.
The paper's goal was not to provide solutions, necessarily, for this digital era problem, but to raise awareness. Although the researchers did suggest a couple of interesting ideas, including a mockup of a mobile-phone dialog that would provide more control over geotagged photos and thoughts about privacy controls within APIs themselves, there aren't any real-world fixes yet. For now, only user education and research into better systems for privacy protection is suggested.
But may we offer, perhaps, a simple fix to address some of these concerns: don't post your vacation photos until after you return home and don't Twitter about it while there. Simple steps like these could go a long way toward protecting your home and valuables from being "cybercased" by any tech-savvy thieves.
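A concrete version of that advice is to check a photo for the Exif GPS tags described above before it goes online, and to strip them if present. The following is an added example, not code from the ICSI paper or the Exif Viewer plugin; it is a pure-Python Exif walker that follows IFD0 to the GPS IFD, decodes the degrees/minutes/seconds rationals, and removes the APP1 block. The sample JPEG it operates on is constructed in memory with a made-up coordinate near Berkeley rather than read from a real photo.

```python
import struct

# Added example (not code from the ICSI paper or the Exif Viewer plugin):
# find the GPS latitude/longitude a phone wrote into a JPEG's Exif block and
# strip that block before the photo is shared. Pure Python, no Pillow needed.

EXIF_GPS_IFD_POINTER = 0x8825          # IFD0 tag that points at the GPS IFD
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}


def iter_segments(jpeg):
    """Yield (marker, start, end) for each JPEG segment up to Start Of Scan."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad segment marker")
        marker = jpeg[pos + 1]
        if marker == 0xDA:                 # SOS: compressed image data follows
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, count, raw)
    return entries


def _rationals(tiff, endian, typ, count, raw):
    """Decode a RATIONAL (type 5) array; the values live at the offset held in raw."""
    if typ != 5:
        raise ValueError("expected RATIONAL field")
    (off,) = struct.unpack_from(endian + "I", raw)
    out = []
    for i in range(count):
        num, den = struct.unpack_from(endian + "II", tiff, off + 8 * i)
        out.append(num / den if den else 0.0)
    return out


def _dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def gps_coordinates(jpeg):
    """Return (lat, lon) in decimal degrees, or None if the JPEG has no GPS tags."""
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]                  # TIFF header follows "Exif\0\0"
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, ifd0_off, endian)
        if EXIF_GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack_from(endian + "I", ifd0[EXIF_GPS_IFD_POINTER][2])
        gps = {GPS_TAGS[t]: v for t, v in _read_ifd(tiff, gps_off, endian).items() if t in GPS_TAGS}
        if not all(k in gps for k in ("lat", "lat_ref", "lon", "lon_ref")):
            return None
        lat = _dms_to_decimal(_rationals(tiff, endian, *gps["lat"]), gps["lat_ref"][2][:1].decode())
        lon = _dms_to_decimal(_rationals(tiff, endian, *gps["lon"]), gps["lon_ref"][2][:1].decode())
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy with every APP1 Exif segment removed; image data is untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: a minimal JPEG whose only metadata is a GPS Exif block."""
    e = ">"                                  # big-endian ("MM") TIFF
    ifd0_off, gps_off, data_off = 8, 26, 80  # header 8 | IFD0 18 | GPS IFD 54 | rationals
    rat = lambda vals: b"".join(struct.pack(e + "II", round(v * 100), 100) for v in vals)
    tiff = b"MM\x00\x2a" + struct.pack(e + "I", ifd0_off)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", EXIF_GPS_IFD_POINTER, 4, 1, gps_off)
    tiff += struct.pack(e + "I", 0)          # no next IFD
    tiff += struct.pack(e + "H", 4)          # GPS IFD: four entries
    tiff += struct.pack(e + "HHI", 1, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(e + "HHII", 2, 5, 3, data_off)
    tiff += struct.pack(e + "HHI", 3, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(e + "HHII", 4, 5, 3, data_off + 24)
    tiff += struct.pack(e + "I", 0) + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg((37, 52, 18), "N", (122, 16, 22), "W")  # constructed coordinate
    print("before:", gps_coordinates(photo))
    print("after :", gps_coordinates(strip_exif(photo)))
```

Real camera files carry many more IFD entries and may use little-endian ("II") TIFF headers; the walker handles both byte orders but deliberately touches only the GPS tags it is asked about.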

Tim O'Reilly was recently at the US Department of Health and Human Services (HHS), talking about the kinds of things that could be done "if we could use medicare data like Google uses clickstream data." The response was a very cautious one.
Big organizations have a lot of fear concerning peoples' privacy, but book publisher, event organizer and industry luminary Tim O'Reilly thinks it's time to reconsider our beliefs concerning personal information. "The old model of privacy isn't taking into account any of the trade offs, and clearly people are willing to make those trade offs," he says. "Google maps on your phone sends your location to someone else's server every time you look something up, for example." O'Reilly's position on privacy is a very important one, at this point in history when the future of privacy is being debated.
I got to sit down with O'Reilly earlier this week, just before the start of his big open source conference OSCON. We talked about a number of things, but it was the discussion of digital privacy that stood out the most. O'Reilly's may be the most intelligent argument in favor of sacrificing some privacy that I've seen yet.
O'Reilly argues that the world is changing dramatically and so our decades-old policies, preferences and beliefs about personal privacy need to change, too. By loosening our privacy requirements, changing the consequences of disclosure of personal information where we can and considering the trade-offs, we could capture an incredible bounty of innovation for social good. And at a time of great peril, when such social innovation will be sorely needed.
What kinds of services could be built using the kind of data that public and other large institutions hold? O'Reilly offered a related example of innovation built on top of previously unutilized data. Passur Aerospace is a company that wanted to do predictive analytics on air traffic data. "The airlines had the data, but they were throwing it away," O'Reilly says.
"So they set up their own network of radar stations. Now they sell predictive services to airports. Continental Airlines flights into New York that were running late went from 25 flights a day to none, because of these complex models the company was able to construct. If we had open data today, the FAA wouldn't be throwing it away and somebody would have figured that out faster and cheaper."
A lot of that data that developers will analyze and build on top of in the future will be data about us, collectively and as individuals, O'Reilly says.
"Technology is taking us a direction where more and more is known about us. I refer a lot to Jeff Jonas on this. It's hard to be completely anonymized. I think we need a complete fresh look at what trade offs we're making and why. A good example is health care privacy. It's true that there are some diseases that still have stigmas around them, but our need for privacy is mostly about adverse selection from insurance companies. The problem we need to solve is adverse selection due to pre-existing conditions, not to treat the info like it's toxic waste. If we look at the benefits of using the information - they are incredible."
"One thing we can do is look at places where people have given up a fair amount of privacy and feel ok about it. The financial arena is one of those places - it's ok to do data mining for fraud prevention.
"It's clear we're in the middle of an incredible revolution in what technology enables. In the private sector we're getting further and further ahead of government. We collaborate, get information on demand, our augmented reality is the military's wet dream from a few years ago - and it's fricking free. It's all about access to massive cloud data at any time, when and where we need it.
"In the face of that world, our policies are so hopelessly outdated. I don't know what the right policies are going to be, but I do know they won't be the same policies as 10 years ago, 50 years ago. They need a deep rethinking. We need to ask, what kind of outcomes do we want and how do we get there? And assume that you're not going to stop that more and more is known about us."
"It's easy to say that this should always be the user's choice," O'Reilly wrote in a blog post about Facebook privacy this Spring, "but entrepreneurs from Steve Jobs to Mark Zuckerberg are in the business of discovering things that users don't already know that they will want, and sometimes we only find the right balance by pushing too far, and then recovering."
O'Reilly's Gov 2.0 conference in September will put an emphasis on bringing together leaders of industry, including finance, and government, in order to share lessons learned from working with data.
Below: O'Reilly and other industry leaders introduced yesterday the Code for America fellowship program, dedicated to leveraging data for civic good.
I asked Tim what this inevitable march away from anonymity means to monks in Burma or student protesters in Iran, whose safety and ability to use technology to effect social change depends on anonymity.
"I don't really have a good answer to that," he said.
"Flickr and Youtube killed people in those places. We have to acknowledge that. People have to be aware and we could build more technology for places where you do need to be anonymous. If you're dealing with those kinds of dangerous situations, if you're risking your life, then you act differently than a normal person. Ultimately it is hard to remain anonymous. There are pro-privacy projects, like Tor, and it's worth putting in place as much as possible the infrastructure for anonymity before it's needed."
Across technology innovation and tech-facilitated social change, O'Reilly thinks there's a big picture: the human condition is a social one and our technologies should help us build a response to oncoming crisis that's based in that humanity.
"In open source, the government space, and social media for good: we are building mechanisms for us to save ourselves, for us to work together, to remember what society is. Institutions are things we build to save ourselves. There is some bad shit coming down in our future: global warming, peak oil, wars, pandemics. It's not always going to be happy-happy. All the stuff we're building is going to be stuff that can help us be more adaptable, that will help us respond as a society. As Harlan Ellison wrote, 'why else did we come all this way? To be alone?'"
"We do all of this to do it together, to be together, society is a coping mechanism. Everything we do that's good is to make easy things easier and hard things possible. That was the original Perl slogan, to make easy things easier and hard things possible, and this was originally the Perl conference.
"We need to adopt that strategy in government. Right now we make easy things hard and hard things impossible."
O'Reilly's is certainly a compelling position on the relationship between privacy and innovation, but it's not the only one. For general counterpoints, see danah boyd's SXSW 2010 talk, Making Sense of Privacy and Publicity.
Traditionally, a higher price has been paid for lost privacy by society's most marginalized people. Will that be the case here as well?
What do you think? Is privacy something that technologists ought to push against the boundaries of and try to change the consequences of, for the sake of innovation and the betterment of society? Or is it realistic to expect tech companies to prioritize the protection of personal control over information, even while building out innovative services, including those built on top of personal information?
Can the science of deception detection help to catch terrorists? Sharon Weinberger takes a close look at the evidence for it.

In August 2009, Nicholas George, a 22-year-old student at Pomona College in Claremont, California, was going through a checkpoint at Philadelphia International Airport when he was pulled aside for questioning. As the Transportation Security Administration (TSA) employees searched his hand luggage, they chatted with him about innocuous subjects, such as whether he'd watched a recent game.
Inside George's bag, however, the screeners found flash cards with Arabic words — he was studying Arabic at Pomona — and a book they considered to be critical of US foreign policy. That led to more questioning, this time by a TSA supervisor, about George's views on the terrorist attacks on 11 September 2001. Eventually, and seemingly without cause, he was handcuffed by Philadelphia police, detained for four hours, and questioned by Federal Bureau of Investigation agents before being released without charge.
George had been singled out by behaviour-detection officers: TSA screeners trained to pick out suspicious or anomalous behaviour in passengers. There are about 3,000 of these officers working at some 161 airports across the United States, all part of a four-year-old programme called Screening Passengers by Observation Technique (SPOT), which is designed to identify people who could pose a threat to airline passengers.
It remains unclear what the officers found anomalous about George's behaviour, and why he was detained. The TSA's parent agency, the Department of Homeland Security (DHS), has declined to comment on his case because it is the subject of a federal lawsuit that was filed on George's behalf in February by the American Civil Liberties Union. But the incident has brought renewed attention to a burgeoning controversy: is it possible to know whether people are being deceptive, or planning hostile acts, just by observing them?
Some people seem to think so. At London's Heathrow Airport, for example, the UK government is deploying behaviour-detection officers in a trial modelled in part on SPOT. And in the United States, the DHS is pursuing a programme that would use sensors to look at nonverbal behaviours, and thereby spot terrorists as they walk through a corridor. The US Department of Defense and intelligence agencies have expressed interest in similar ideas.
Yet a growing number of researchers are dubious — not just about the projects themselves, but about the science on which they are based. "Simply put, people (including professional lie-catchers with extensive experience of assessing veracity) would achieve similar hit rates if they flipped a coin," noted a 2007 report from a committee of credibility-assessment experts who reviewed research on portal screening.
"No scientific evidence exists to support the detection or inference of future behaviour, including intent," declares a 2008 report prepared by the JASON defence advisory group. And the TSA had no business deploying SPOT across the nation's airports "without first validating the scientific basis for identifying suspicious passengers in an airport environment", stated a two-year review of the programme released on 20 May by the Government Accountability Office (GAO), the investigative arm of the US Congress.
In response to such concerns, the TSA has commissioned an independent study that it hopes will produce evidence to show that SPOT works, and the DHS is promising rigorous peer review of its technology programme. For critics, however, this is too little, too late.
Most credibility-assessment researchers agree that humans are demonstrably poor at face-to-face lie detection. SPOT traces its intellectual roots to the small group of researchers who disagree — perhaps the most notable being Paul Ekman, now an emeritus professor of psychology at the University of California Medical School in San Francisco. In the 1970s, Ekman co-developed the 'facial action coding system' for analysing human facial expressions, and has since turned it into a methodology for teaching people how to link those expressions to a variety of hidden emotions, including an intent to deceive. He puts particular emphasis on 'microfacial' expressions such as a tensing of the lips or the raising of the brow — movements that might last just a fraction of a second, but which might represent attempts to hide a subject's true feelings. Ekman claims that a properly trained observer using these facial cues alone can detect deception with 70% accuracy — and can raise that figure to almost 100% accuracy by also taking into account gestures and body movements. Ekman says he has taught about one thousand TSA screeners and continues to consult on the programme.
Ekman's work has brought him cultural acclaim, ranging from a profile in bestselling book Blink — by Malcolm Gladwell, a staff writer for The New Yorker magazine — to a fictionalized TV show based on his work, called Lie to Me. But scientists have generally given him a chillier reception. His critics argue that most of his peer-reviewed studies on microexpressions were published decades ago, and much of his more recent writing on the subject has not been peer reviewed. Ekman maintains that this publishing strategy is deliberate — that he no longer publishes all of the details of his work in the peer-reviewed literature because, he says, those papers are closely followed by scientists in countries such as Syria, Iran and China, which the United States views as a potential threat.
The data that Ekman has made available have not persuaded Charles Honts, a psychologist at Boise State University in Idaho who is an expert in the polygraph or 'lie detector'. Although he was trained on Ekman's coding system in the 1980s, Honts says, he has been unable to replicate Ekman's results on facial coding. David Raskin, a professor emeritus of psychology at the University of Utah in Salt Lake City, says he has had similar problems replicating Ekman's findings. "I have yet to see a comprehensive evaluation" of Ekman's work, he says.
Ekman counters that a big part of the replication problem is that polygraph experts, such as Honts and Raskin, don't follow the right protocol. "One of the things I teach is never ask a question that can be answered yes or no," Ekman says. "In a polygraph, that's the way you must ask questions." Raskin and Honts disagree with Ekman's criticism, saying that Ekman himself provided the materials and training in the facial-coding technique.
Yet another objection to Ekman's theory of deception detection is his idea of people who are naturally gifted at reading facial expressions. These "wizards", Ekman argues, are proof that humans have the capability to spot deception, and that by studying those abilities, others can be taught to look for the same cues. But in a critique of Ekman's work, Charles Bond, a psychologist retired from Texas Christian University in Fort Worth, argues that Ekman's wizard theory has a number of flaws — perhaps the most crucial being that the most successful individuals were drawn out of a sample pool in the thousands. Rather than proving these people are human lie detectors, Bond maintains, the wizardry was merely due to random chance. "If enough people play the lottery, someone wins," says Bond.
Ekman says that Bond's criticism is a "ridiculous quibble" and that the statistics speak for themselves. The wizards' scores were based on three different tests, he says, making it impossible to assign their high success rate to chance. Bond replies that he took the three tests into account, and that doing so doesn't change his conclusion.
But there is yet another problem, says Honts. Ekman's findings are "incongruent with all the rest of the data on detecting deception from observation". The human face very obviously displays emotion, says Maria Hartwig, a psychology professor at the City University of New York's John Jay College of Criminal Justice. But linking those displays to deception is "a leap of gargantuan dimensions not supported by scientific evidence", she says.
This point is disputed by one of Ekman's collaborators, Mark Frank, a psychologist at the University at Buffalo in New York. Although Frank acknowledges that many peer-reviewed studies seem to show that people are not better than chance when it comes to picking up signs of deception, he argues that much of the research is skewed because it disproportionately involves young college students as test subjects, as opposed to police officers and others who might be older, more motivated and more experienced in detecting lies. Moreover, he says, when law-enforcement officials are tested, the stakes are often too low, and thus don't mimic a real-world setting. "I think a lot of the published material is still important, good work about human nature," says Frank. "But if you want to look at the total literature, and say, let's go apply it to counter-terrorism, it's a huge mistake."
A confounding problem is that the methodology used in SPOT, which is only partially based on Ekman's work, has never been subjected to controlled scientific tests. Nor is there much agreement as to what a fair test should entail. Controlled tests of deception detection typically involve people posing as would-be terrorists and attempting to make it through airport security. Yet Ekman calls this approach "totally bogus", because those playing the parts of 'terrorists' don't face the same stakes as a real terrorist — and so are unlikely to show the same emotions. "I'm on the record opposed to that sort of testing," he says.
But without such data, how is anyone supposed to evaluate SPOT — or its training programmes? Those programmes are "not in the public scientific domain", says Bella DePaulo, a social psychologist at the University of California, Santa Barbara. "As a scientist, I want to see peer-reviewed journal articles, so I can look at procedures and data and know what the training procedures involve, and what the results do show."
Carl Maccario, a TSA analyst who helped to create SPOT, defends the science of the programme, saying that the agency has drawn on a number of scientists who study behavioural cues. One he mentions is David Givens, director of the nonprofit Center for Nonverbal Studies in Spokane, Washington. Givens published a number of scholarly articles on nonverbal communications in the 1970s and 1980s, although by his own account he is no longer involved in academic research. His more recent publications include books such as Your Body at Work: A Guide to Sight-Reading the Body Language of Business, Bosses, and Boardrooms (2010). But Givens says that he has no idea which nonverbal indicators have been selected by the TSA for use in SPOT, nor has he ever been asked by the TSA to review their choices.
In the absence of testing, Maccario points to anecdotal incidents, such as the 2008 case of Kevin Brown, a Jamaican national who was picked out by behaviour-detection officers at Orlando International Airport in Florida and arrested with what they took to be the makings of a pipe bomb. Witnesses said that Brown was rocking back and forth and acting strangely, so it is hard to say whether specialized training was needed to spot his unusual behaviour. In any case, Brown successfully claimed that the 'pipe bomb' materials were actually fuel bottles, pleaded guilty to bringing a flammable substance onto an aircraft, and was released on three years' probation.
The TSA does track statistics. From the SPOT programme's first phase, from January 2006 through to November 2009, according to the agency, behaviour-detection officers referred more than 232,000 people for secondary screening, which involves closer inspection of bags and testing for explosives. The agency notes that the vast majority of those subjected to that extra inspection continued on their travels with no further delays. But 1,710 were arrested, which the TSA cites as evidence for the programme's effectiveness. Critics, however, note that these statistics mean that fewer than 1% of the referrals actually lead to an arrest, and those arrests are overwhelmingly for criminal activities, such as outstanding warrants, completely unrelated to terrorism.
According to the GAO, TSA officials are unsure whether "the SPOT program has ever resulted in the arrest of anyone who is a terrorist, or who was planning to engage in terrorist-related activity". The TSA has hired an independent contractor to assess SPOT. Ekman says he has been apprised of the initial findings, and that they look promising. But the results aren't expected until next year. "It'll be monumental either way," says Maccario.
SPOT was in its first full year of operation when the DHS science and technology directorate began to look at ways to move people through the screening points faster. One was Future Attribute Screening Technology (FAST), which is now being funded at around US$10 million a year. The idea is to have passengers walk through a portal as sensors remotely monitor their vital signs for 'malintent': a neologism meaning the intent or desire to cause harm.
Cameras (above) and sensors (inset) can measure subtle physiological changes to eye movement, pupil dilation, heart rate and respiration, among other things.
FAST operates on much the same physical principle as the century-old polygraph, which seeks to reveal lies by measuring psychophysiological responses such as respiration, cardiac rate and electrical resistance of the skin while a subject is being asked a series of questions. The FAST portal would also look at visual signals such as blink rate and body movement — and would give up the polygraph's contact sensors in favour of stand-off sensors such as thermal cameras, which can measure subtle changes in facial temperature, and BioLIDAR, a laser radar that can measure heart rate and respiration.
Most of the FAST work, particularly the sensors, is contracted out to the Charles Stark Draper Laboratory, an independent, not-for-profit, research centre in Cambridge, Massachusetts, which has the goal of producing a prototype portal next year. The project is then scheduled to enter a second phase that will remove the questioning process altogether and instead try to induce a response in the subjects by using various stimuli such as sounds or pictures, possibly of a known terrorist. "In the laboratory now, we have a success detection rate [percentage] of malintent or not malintent, in the mid-70s," says Robert Burns, the DHS programme manager for FAST. "That's significantly better than chance or what the trained people can do."
Robert Burns explaining the Future Attribute Screening Technology, which measures nonverbal cues.
Those results have not yet been published, but Burns says that the FAST programme sets great store on peer review and publication, and that three papers are currently in the process of review. But FAST's critics maintain that the malintent theory and FAST both suffer from some of the same scientific flaws as SPOT. Flying is stressful: people worry about missing flights, they fight with their spouses and they worry about terrorism. All of these stresses heighten the emotions that would be monitored by the FAST sensors, but may have nothing to do with deception, let alone malintent. "To say that the observation is due to intent to do something wrong, illegal or cause harm, is leaping at the Moon," says Raskin.
The malintent theory underlying FAST is the creation of Daniel Martin, who is the director of research for FAST, and his wife, Jennifer Martin. Both are psychologists, and Daniel Martin, who is on the faculty of Yale University in New Haven, Connecticut, has in the past focused primarily on the area of substance abuse. Daniel Martin says that at the time he and his wife developed the malintent theory, "there was minimal published work available that specifically tested whether physiological, behavioural, and paralinguistic cues could detect malintent in a realistic applied research study". He says that they have had to develop their own laboratory protocols to carry out those tests. Martin and his colleagues have just published what they say is the first peer-reviewed study to look specifically at the links between psychophysiological indicators and intent. The study looks at 40 native Arabic-speaking men and finds a connection between intent to deceive and a heart-rate variation known as respiratory sinus arrhythmia.
"I have not come out and said, 'We have found the answer'," Martin adds. "We are pursuing the answer, we're not sure yet. We have years yet to go."
The lack of answers has not stopped aviation-security programmes from moving forwards with deception detection. Maccario points to the UK pilot scheme, now in its first year at Heathrow Airport. He says that the programme, like SPOT, uses specially trained behaviour-detection officers, and "their initial results are very successful". Earlier this year, the US Intelligence Advanced Research Projects Activity announced its own plans to study "defining, understanding, and ultimately detecting valid, reliable signatures of trust in humans". And about two years ago, the Pentagon asked JASON to look at the field.
"As we dug in, we found it was very hard to subject the research to the kinds of standard we're used to in the physical sciences," says JASON head Roy Schwitters, a physics professor at the University of Texas at Austin. In fact, the executive summary of the JASON report, The Quest for Truth: Deception and Intent Detection, which was provided to Nature by the Pentagon, criticizes many of the allegedly successful results from deception-detection techniques as being post-hoc identifications. One problem, the study found, was that the reported success rates often included drug smugglers, warrant violators and other criminals, not covert combatants or suicide bombers who might not have the same motivations or emotional responses.
Sallie Keller, dean of engineering at Rice University in Houston, Texas, and the head of the JASON study, said that it seemed that those involved in the field were trying to get their work peer reviewed. But doing research — even if it is properly peer reviewed — doesn't mean the technology is ready to be used in an airport. "The scientific community thinks that it is extremely important to go through the process of scientific verification, before rolling something out as a practice that people trust," she says.
Researchers involved in the field suggest a number of research avenues that could be more fruitful for counter-terrorism. Aldert Vrij, a social psychologist at the University of Portsmouth, UK, says that structured interviews may offer the best credibility-assessment research. Nonverbal cues might play a part in this process, he says, but you need to actively interview a person. For example, his work shows that subjects were able to give more reasons for supporting an opinion that they believed than if they were acting as a devil's advocate and feigning support. He suggests that such an approach could have helped to determine the beliefs of the Jordanian suicide bomber who killed seven CIA employees in Afghanistan after being taken into their confidence.
Although Israeli aviation security uses interview-intensive screening, it's not clear how practical such an interview method would be at busy airport checkpoints, which have to screen hundreds or thousands of passengers every hour. The guards would still need some way to choose who to interview, or no one would ever get on a plane. This is the seductive appeal of programmes such as SPOT and FAST.
But, to Honts, the decade since the 11 September attacks has been one of lost opportunity. Calling SPOT an "abject failure", he says that the government would have done better to invest first in basic science, experimentally establishing how people with malintent think and respond during screenings. That work, in turn, could have laid a more solid foundation for effective detection methods.
Granted, Honts says, that measured approach would have been slow, but it would have been a better investment than rushing to build hardware first, or implementing programmes before they have been tested. "We spent all this time, and all this money," he says, "and nothing has been accomplished."
via:wired

Security researchers are warning of the newest Facebook threat, something they're calling "likejacking," a Facebook-enabled clickjacking attack that tricks users into clicking links that mark the clicked site as one of your Facebook "likes." These likes then show up on your profile and, of course, in your Facebook News Feed where your friends can see the link and click it, allowing the vicious, viral cycle to continue.
According to security firm Sophos, hundreds of thousands of users have already fallen for this new "likejacking" trick thanks to the clever and tantalizing linkbait the spammers use to entice people to click their links. For example:
"LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE."
"This man takes a picture of himself EVERYDAY for 8 YEARS!!"
"The Prom Dress That Got This Girl Suspended From School."
After clicking through on a link, victims don't get to see the promised content, but rather a blank page reading "click here to continue." This page contains the clickjacking worm (Troj/Iframe-ET) embedded via an invisible link. Click anywhere on the page and the message is posted to your profile and News Feed, allowing the worm to further its spread.
This particular exploit is made possible by way of Facebook's new "like button" and its associated developer code. According to the Like Button documentation, the buttons can be customized with meta data that includes things like the title of the webpage, the name of the Web site and the URL of a picture for the page. By customizing these fields, spammers and hackers can easily create links that are, in fact, malicious "likes."
The popularity of this particular attack vector is not surprising. Soon after the launch of the Facebook like button, we warned of its potential as a threat, noting how incredibly easy it is to create like buttons that link to anything on the web - even pages you have never visited.
It was only a matter of time before spammers and hackers started exploiting this weakness for their own purposes. (Frankly, we're surprised it took this long.)
The problem has to do with the overly simple way Facebook has implemented the "like button" feature. Non-developers can plug a URL into a wizard that generates code which can be copied and pasted anywhere on the Web. Like buttons created this way or manually, via handwritten code, will function properly even if they point to a webpage that's on a different domain from the page where the button is being hosted.
Kyle Bragger, a Web entrepreneur who just launched Forrst, an online community for developers and designers, warned Facebook users of "like fraud" back in April by way of a personal blog post. To circumvent potential likejacking attempts such as these, he created a Facebook "like" bookmarklet which safely "likes" the page you're on, allowing you to feel secure that you're actually liking the real thing and not some shady linkbait. (Or likebait, if you will.)
If you've been hit with this likejacking attack, the best you can do is remove the like from your profile and delete the post from your News Feed. You might want to apologize to your friends with a Facebook status update, too.
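The lure page described above works by stacking a Like-plugin iframe, made invisible with CSS, over the "click here to continue" text. The following scanner is an added example (not code from the original post, Sophos or Facebook) that parses a page's HTML and flags Like-plugin iframes hidden that way; the plugin host/path pattern and the two sample pages are assumptions constructed for the example.

```python
"""Heuristic scanner for "likejacking" overlays.

Added example, not code from the original post or from Sophos/Facebook. The
attack hides a Facebook Like button inside an iframe that is made invisible
with CSS and stacked over a "click here to continue" lure, so a click anywhere
becomes a Like. This scanner parses a page's HTML and flags iframes that point
at the Like plugin and are hidden with opacity tricks. The plugin URL pattern
and the sample pages below are assumptions constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the Like plugin is served from these hosts/paths.
LIKE_PLUGIN_HOSTS = {"www.facebook.com", "facebook.com"}
LIKE_PLUGIN_PATHS = ("/plugins/like", "/widgets/like")


def parse_style(style):
    """Turn an inline style string into a dict of lower-cased property -> value."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip().lower()] = value.strip().lower()
    return props


def is_like_plugin(src):
    """True if the iframe src points at the Facebook Like plugin."""
    url = urlparse(src)
    return url.netloc.lower() in LIKE_PLUGIN_HOSTS and url.path.startswith(LIKE_PLUGIN_PATHS)


def hiding_tricks(props):
    """Return the CSS tricks that keep an element clickable but unseen.

    display:none and visibility:hidden are left out on purpose: elements
    hidden that way do not receive clicks, so they are useless to the attacker.
    """
    tricks = []
    opacity = props.get("opacity")
    if opacity is not None:
        try:
            if float(opacity) <= 0.1:
                tricks.append("opacity")
        except ValueError:
            pass
    if "alpha(opacity=0" in props.get("filter", ""):
        tricks.append("ie-filter-opacity")   # legacy IE spelling of opacity:0
    if props.get("position") in ("absolute", "fixed") and "z-index" in props:
        tricks.append("overlay")             # stacked over the lure text
    return tricks


class LikejackScanner(HTMLParser):
    """Collect Like-plugin iframes whose inline style makes them invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        if not is_like_plugin(src):
            return
        tricks = hiding_tricks(parse_style(attrs.get("style") or ""))
        invisible = any(t in ("opacity", "ie-filter-opacity") for t in tricks)
        if invisible:
            self.findings.append({"line": self.getpos()[0], "src": src, "tricks": tricks})


def scan_html(html):
    """Return a list of suspicious Like-plugin iframes found in html."""
    scanner = LikejackScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (not real spam pages).
LURE_PAGE = """<html><body>
<div style="position:relative">
  <p style="font-size:30px">click here to continue</p>
  <iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.invalid%2Flol"
          style="position:absolute; top:0; left:0; width:100%; height:100%; opacity:0; z-index:999">
  </iframe>
</div>
</body></html>"""

HONEST_PAGE = """<html><body>
<p>Read the article, then like it if you want:</p>
<iframe src="http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.invalid%2F"
        style="border:none; width:450px; height:80px"></iframe>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("lure", LURE_PAGE), ("honest", HONEST_PAGE)):
        print(name, scan_html(page))
```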
Content stored on an iPhone 3GS with passcode protection can be accessed without the passcode simply by attaching the device to a computer running the latest version of Ubuntu or a Windows or OSX system running off-the-shelf software such as iPhone Explorer. This flaw was discovered by Bernd Marienfeldt, an information security professional and blogger, last week. Recently, the enterprise has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to aggressively address security concerns such as these in order to gain and hold market share.
Typically, an iPhone attached to a Windows, OSX, or pre-10.04 Ubuntu system grants access to the DCIM folder only. However, by connecting a powered-off iPhone to a computer running Ubuntu 10.04 ("Lucid Lynx") and powering the iPhone back on, Marienfeldt was able to gain read-write access to the complete contents of four different non-jailbroken iPhone 3GS phones. Each phone ran a different version of the iPhone operating system, had passcode-protection enabled immediately, and had never been connected to a PC before.
Marienfeldt could access photos, videos, audio, and the Google safe-browsing database, all without leaving any evidence that he had accessed the phone at all. He points out that write-access could also make the phones vulnerable to a buffer overflow attack.

The vulnerability is not a flaw in Ubuntu, but a problem with the way the iPhone handles authentication when attached to a computer. The tech blog Sukimashita reported that Windows or OSX systems using applications such as iPhone Explorer could also access protected iPhone 3GS data if the device was powered off when first attached.
According to Marienfeldt, Apple has reproduced the issue but has not issued a statement as to when the vulnerability will be patched.
As we have reported, security experts criticize Apple's lack of emphasis on security for its mobile devices. Yet 4 of 10 iPhones are sold to enterprise users. Corporate users likely expect their data to be secure and encrypted. According to Apple's own iPhone in Business Security Overview document:
iPhone can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods for access to corporate services, and for iPhone 3GS, hardware encryption for all data stored on the device. iPhone also provides secure protection through the use of passcode policies that can be enforced and delivered over-the-air.
Trust Digital, which was acquired by McAfee last week, offers a third-party security solution for iPhone OS, Android, Web OS, Windows Mobile, and Symbian mobile operating systems.
Several influential entertainment industry trade groups, including the Motion Picture Association of America, the Recording Industry Association of America and the Screen Actors Guild, seem to think that the nation's security is at risk because of DVD and CD piracy.
In a plea to the U.S. Intellectual Property Enforcement Coordinator, the group pitched some seemingly odd ideas about how they think the government should prevent piracy. Among their proposals are calls for the Department of Homeland Security and the Department of Justice to arrange preventative measures to combat piracy before major motion pictures are released. "The planned release of a blockbuster motion picture should be acknowledged as an event that attracts the focused efforts of copyright thieves, who will seek to obtain and distribute pre-release versions and/or to undermine legitimate release by unauthorized distribution through other channels," the document says. "Enforcement agencies (notably within DOJ and DHS) should plan a similarly focused preventive and responsive strategy."
Keeping America Safe . . . From Pirates?
But does piracy really fall under the Department of Homeland Security's mission? The agency, founded in 2002, aims to "keep America safe," primarily by preventing terrorist attacks within the U.S. and assisting in the recovery from terrorist attacks "that occur within the United States." Based on its mission alone, one might assume that piracy falls under the domain of domestic law enforcement. Not so, says Pat Reilly, spokeswoman for the U.S. Immigration and Customs Enforcement, a department within the Department of Homeland Security. "We definitely go after pirates," Reilly says. "We're constantly picking up pirated CDs and DVDs. People often ask, 'Why are you picking up counterfeit t-shirts when you should be looking for terrorists?' But the Department of Homeland Security is made up of 22 components. Ours is the traditional customs service, and we're the largest investigative arm of the DHS."
Pirated DVD Sales and Terrorism
This isn't the first time the MPAA has tried to link film piracy with national security, though.
In a 2009 study funded by the MPAA, the RAND group concluded that organized crime and terrorism are funded by pirated DVD sales. The report argued that countless mobsters around the world, from Russia to Malaysia, and in a variety of gangs including the Big Circle Boys in Canada and the Camorra Mafia in Italy, have relied upon pirated goods to fund illegal activities. Critics argue that relying upon the Department of Homeland Security to organize pirated DVD busts is not the most efficient use of government funds. Among the most notable busts listed on the ICE site over the last two years is a seizure of approximately 1,500 pirated DVDs at a convenience store in Bakersfield, Calif. To be fair, that's only one of the most recent busts -- there certainly are bigger, more brag-worthy ones: Six years ago, for example, ICE seized 210,000 pirated DVDs in China as part of an ongoing investigation. And in 2007, ICE seized 90,000 pirated CDs and DVDs at a flea market in Puerto Rico.
Illegal Legal Tactics?
Still, there's a question of whether the MPAA and RIAA are hogging up government resources for their own interests. The RIAA has filed thousands of lawsuits against John Does, which often amount to woefully tiny settlements, if the lawsuits aren't ignored altogether. Further, some question the legality of the RIAA's legal tactics. In one complaint filed against music labels Sony, Electra, BMG and Motown, Shahanda Noelle Moursy argued that the record companies are "abusing the federal court judicial system for the purpose of waging a public relations and public threat campaign targeting digital file sharing activities."
Her complaint argued that the damages sought by the labels -- at $750 per song -- are unconstitutional, representing roughly 974 times the actual damages, assuming the market value of each song is 99 cents, and the labels' profits on the sale of a single track are typically about 77 cents per song.
Americans do not often hear that someone has found a way to overcome U.S. defenses, but military and intelligence officials have been sounding downright alarmist lately with their warnings that the country is ill-prepared to deal with a cyberattack.
Director of National Intelligence Dennis Blair opened his annual survey of security threats in February by advising Congress that "malicious cyberactivity is growing at an unprecedented rate," and that the country's efforts to defend against cyberattacks "are not strong enough."
Blair's predecessor as intelligence chief, Mike McConnell, was even more candid in a Washington Post commentary later that month.
"The United States is fighting a cyberwar today," McConnell wrote, "and we are losing."
No country in the world is more dependent on its computers than the United States. Data networks now underlie the U.S. power grid, its military operations and the telecommunications, banking and transportation systems. That means the U.S. is uniquely vulnerable to sophisticated computer hackers.
'Explosion' Of Computer Attacks
The Pentagon's Quadrennial Defense Review, released in February, reported that the department's computer networks "are infiltrated daily by myriad of sources, ranging from small groups of individuals to some of the largest countries in the world." A senior defense official who follows the cyberthreat closely tells NPR that in the past two years, the Pentagon has experienced an "explosion" of computer attacks, currently averaging about 5,000 each day.
One of the biggest was in 2007, when hackers targeted the Pentagon, NASA and the departments of Energy, Commerce and State. The origin of the attack was unknown, but U.S. officials suspect it came from China. Among the victims was Defense Secretary Robert Gates, whose unclassified e-mail account was penetrated.
James Lewis, a cyber-expert at the Center for Strategic and International Studies, says the 2007 hackers gained access to massive amounts of U.S. government data — some of it important, some of it worthless.
"In fact, I felt sorry [for them]," Lewis says. "Some guy, probably in Beijing, is having to sit there and translate state dinner menus from 1994. He's probably going nuts."
A 2003 computer attack so impressed the FBI that agents gave it a code name: Titan Rain. The hackers managed to penetrate a variety of military networks without being detected.
"There's still some debate about who did it and why they did it," says Richard Clarke, who was a top cybersecurity adviser to Presidents Bill Clinton and George W. Bush. "But it proved that it is possible to get into even well-defended networks and exfiltrate terabytes of information — and nothing can be done about it."
U.S. officials estimate that the 2007 attacks and Titan Rain each resulted in the loss of as much as 10 terabytes of data, an amount roughly comparable to the contents of the entire Library of Congress. There have been other large, and possibly related, attacks as well.
"Some people say there's really been only one event, ongoing for years, and it's just that we occasionally stumble on it," says Lewis, who served as the project director of the center's Commission on Cybersecurity for the 44th Presidency.
A New Crime Category Emerging?
The cyberattacks are also becoming more sophisticated and harder to trace. Hackers in China, for example, are now able to take control of thousands of personal computers in the United States simultaneously, and remotely command them to send out bogus e-mails or viruses. Such robot computer networks, called Bot Nets, can do great damage when directed by malicious hackers.
"People who have computers and no [anti-virus] protection are susceptible to being captured, unknown to them," says Harry Raduege, a retired Air Force lieutenant general and former commander of the Pentagon's Joint Task Force for Global Network Operations. "They could then become part of a Bot Net army that could be used to attack an organization, a nation or an industry."
Up to now, most computer attacks have fallen under the category "cybercrime." There have not yet been any significant acts of cyberterrorism, though U.S. intelligence officials say al-Qaida and other terrorist groups are committed to developing a cyber capability.
Goals Change, Threat Stays The Same
Attacks traceable to foreign governments and corporations, according to cyber-experts, have largely been for espionage purposes — at least until now. The December 2009 attack on Google and other companies operating in China was apparently an effort to steal industrial secrets, according to U.S. and company officials.
Still, the danger of an all-out cyberwar remains pressing.
"The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes," says Clarke, who authored a forthcoming book on cyberthreats. "The same technique that gets you in to steal money, patented blueprint information or chemical formulas is the same technique that a nation-state would use to get in and destroy things."
The big fear is that an adversary, in the heat of a cyberwar, might try to take down the U.S. power grid, telephone network or transportation system.
"My guess is that it's only a few advanced militaries that could damage the electrical grid or damage some other networks," Lewis says. "But they have that capability. They have probably done the reconnaissance necessary to use it, and if we got into a fight, we could expect some kind of cyberattack."
Covering A Vast Space
Asked about the U.S. capability to defend itself from such an attack, Lewis, the cyber-expert with CSIS, feigns a shocked look.
"I didn't realize we had defensive capabilities," he says.
He adds, laughing, "No, that's not fair. How can I say that?"
Raduege, who is now directing the Deloitte Center for Cyber Innovation, argues that some attacks on the Pentagon have been countered relatively well, such as the 2007 incident that resulted in the penetration of Gates' personal e-mail account.
"When the secretary was attacked, of course someone got in. But somebody also noticed it right away, was able to isolate those attackers, clean up the system, and then put the users back online immediately," Raduege says. "So I think that's a real tribute to the people who are really fighting the network, as we say. It's a real battle space."
The problem for U.S. cyberwarriors is that the "battle space" is so vast.
"The government has its hands full defending the Defense Department and the intelligence community," says Clarke. "And, really, about the only parts of the U.S. government that are moderately well-defended [are] the Pentagon and the CIA."
Improving Overall Quality
Cyberdefense efforts at other government departments are spotty at best. The Treasury Department is doing "a relatively good job," Lewis says. But he adds that other agencies are doing "a relatively dreadful job."
"They may as well just change their passwords to 'Welcome, Chinese Friends,' " he says.
As for the critical civilian infrastructure, including the power, telecommunication and transportation grids, it is largely in private hands, meaning the U.S. military is not authorized to protect it.
In recognition of the country's vulnerability to computer attacks, the Pentagon has established a new U.S. Cyber Command, due to be directed by a four-star general, and the Obama administration has designated a cybersecurity coordinator, with responsibilities that extend across all U.S. government agencies. Still, critics say more must be done.
"Right now, the government is saying that Cyber Command will defend the military and the intelligence community. Homeland Security Department will defend the rest of the federal government," says Clarke. "The rest of us are on our own."
Charlie A. Miller loves his Macbook Pro laptop. And his four other Apple PCs, the iPhone he uses daily and two older iPhones he keeps for tinkering. But his relationship with the company that created those gadgets is somewhat more complicated.
In March, for instance, the 36-year-old security researcher publicized his discovery of 20 security vulnerabilities in Apple's software. Each would allow a cybercriminal to take over the computer of a user who's tricked into opening a certain PDF attachment or who simply visits an infected Web page using Apple's Safari browser.
That haul of bugs is a record even for Miller, who over the last four years has become perhaps the world's most prominent Mac hacker. It may also be definitive proof that Apple devices aren't safe "right out of the box," as the company has claimed for years. "When I first began saying that Macs were less secure than Windows, everyone thought I was an idiot," says Miller. "So I had to prove it again and again and again."
In 2007 Miller became the first to hack the iPhone, using a flaw in its Safari browser to remotely gain control of the not-so-smart phone. Six months later he hacked a Macbook Air in two minutes at a competition in Vancouver. Last summer he revealed a method that allowed him to virally hijack the iPhone using text messages spread via a user's contact list.
Miller says his latest research doesn't aim to show off his elite hacking skills, most of which he learned over five years as a global network exploitation analyst for the National Security Agency. Instead, he wants to show just how easy it is to find chinks in the armor of commonly used software. Miller used a technique known as "dumb fuzzing" to find flaws in PDF and PowerPoint programs. With a simple five-line algorithm, he repeatedly changed one bit of a file at random and checked to see if the file crashed an application, automatically tweaking and testing again and again. He ran the procedure more persistently than most hackers, leaving his fuzzing program to throw junk information at each target for three weeks before mining the data for exploitable flaws.
The results don't look good for Apple: 20 bugs in its Preview application--all of which apply to Safari as well--compared with only 3 or 4 each in Adobe Reader and Microsoft's PowerPoint. "It's shocking that Apple didn't do this first," says Miller. "The only skill I've used here is patience."
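The "dumb fuzzing" loop described above, written out as an added example (not Miller's own five-line program): copy the seed file, flip one random bit, run the target, and keep any input that makes the target crash. The target here is a constructed stand-in, a tiny file checker with a planted unvalidated-byte bug, so the loop runs offline; TARGET_CMD, SEED and the target script are assumptions for the example, and signal-based crash detection assumes a POSIX system.

```python
"""Dumb bit-flip fuzzer of the kind described above.

Added example, not Miller's own code. Each round copies the seed, flips one
randomly chosen bit, hands the result to the target program and keeps any
input that makes the target die from a signal (a crash on POSIX). The target
is a constructed stand-in: a tiny file checker run as a subprocess that aborts
on one unvalidated header byte, so the loop runs offline. Point TARGET_CMD at
a real viewer to fuzz that instead. Assumes a POSIX system.
"""
import hashlib
import os
import random
import subprocess
import sys
import tempfile

# Constructed target: accepts files starting with the magic "FUZZ" and has a
# planted bug: byte 4 is "reserved" and must be zero but is never validated.
TARGET_SRC = r"""
import os, sys
data = open(sys.argv[1], "rb").read()
if data[:4] != b"FUZZ":
    sys.exit(2)          # malformed magic: rejected cleanly, not a crash
if len(data) > 4 and data[4] != 0:
    os.abort()           # the bug: an unexpected reserved byte crashes the parser
sys.exit(0)
"""
TARGET_CMD = [sys.executable, "-S", "-c", TARGET_SRC]
SEED = b"FUZZ" + bytes(4)     # a minimal valid input for the stand-in target


def flip_one_bit(data, rng):
    """Return a copy of data with exactly one randomly chosen bit inverted."""
    buf = bytearray(data)
    bit = rng.randrange(len(buf) * 8)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def run_target(cmd, path, timeout=5.0):
    """Run cmd on path. Returns (crashed, returncode); a negative returncode
    means the process was killed by a signal, which is how a crash shows up."""
    try:
        proc = subprocess.run(cmd + [path], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, None       # a hang is worth logging separately, not a crash
    return proc.returncode < 0, proc.returncode


def fuzz(seed, cmd, rounds, out_dir, rng):
    """Mutate seed for `rounds` iterations and save each distinct crashing
    input under out_dir. Returns {sha1 of input: saved path}."""
    os.makedirs(out_dir, exist_ok=True)
    work = os.path.join(out_dir, "current.bin")
    crashes = {}
    for _ in range(rounds):
        case = flip_one_bit(seed, rng)
        with open(work, "wb") as fh:
            fh.write(case)
        crashed, _rc = run_target(cmd, work)
        if not crashed:
            continue
        digest = hashlib.sha1(case).hexdigest()
        if digest not in crashes:          # deduplicate identical crashers
            saved = os.path.join(out_dir, "crash-%s.bin" % digest[:12])
            with open(saved, "wb") as fh:
                fh.write(case)
            crashes[digest] = saved
    os.unlink(work)
    return crashes


def demo_run(rounds=150, seed_value=1):
    """Fuzz the stand-in target into a fresh temp dir; returns the crash dict."""
    return fuzz(SEED, TARGET_CMD, rounds, tempfile.mkdtemp(prefix="dumbfuzz-"),
                random.Random(seed_value))


if __name__ == "__main__":
    found = demo_run()
    print("%d distinct crashing inputs" % len(found))
    for path in found.values():
        print(path, open(path, "rb").read().hex())
```

Only mutations that touch the reserved byte crash the stand-in; flips inside the magic are rejected cleanly, which is the "crash versus no crash" signal the loop keys on.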
Apple didn't respond to requests for comment. The company's defenders have long insisted that even if their devices are less secure, they're still safer than other PCs. The reasoning: Cybercriminals don't bother to target Macs because their 8% U.S. market share is too low to make them profitable targets.
Still, Macs are being hacked. The risk of targeted cyberespionage attacks aimed at stealing patents, source code or other highly specific data means that market share is only part of the equation. Adriel Desautels, the chief executive of cybersecurity firm Snosoft, buys and sells software-vulnerability data in a growing gray market and says the demand for critical Apple bugs has steadily increased. He's now willing to spend anywhere from $15,000 to $115,000 on information about the right Mac security flaw. Desautels declines to reveal much about his customers but says he screens them to avoid selling vulnerability data to cybercriminals. "In some cases [our buyers] explicitly ask for certain kinds of Mac bugs."
Miller has sold bugs, too. In 2005, after he left the NSA, he pawned a Linux vulnerability to a government agency for $50,000. "It's safe to say that when someone pays that much for a bug, they're not going to tell the vendor to patch it," he says. In recent years he has stuck with pro bono public research, which he argues makes software more secure.
Miller joined a Baltimore company called Independent Security Evaluators in 2007, and his contract hasn't allowed him to sell bugs independently. The 12-person company pulls in $2.5 million a year testing the security of custom-made software. So Miller says his focus has shifted to hacking whatever he likes to use and "whatever gets people ticked off."
As for Apple, Miller says the company has learned to accept, if not appreciate, his work. He usually gives Apple weeks of notice before publicly describing its bugs. "They're always very polite," he says. "But I suspect they wish I didn't exist."
Self-destructing email is electronic mail that vanishes or becomes unreadable after a certain length of time or upon the request of the sender. Although self-destructing email technologies have existed for years, none has been very effective. Several new programs are said to offer better performance as well as email security and privacy enhancements.
Here are a few self-destructing email providers that you might find useful for sending emails. Some even provide free plug-ins for sending emails through a desktop-based email client such as Outlook or Thunderbird.
+ Self-Destructing-Email.com: Allows you to send email from webmail by adding .self-destructing-email.com to the end of the recipient's email address. They also provide a free plug-in called ActiveTracker for desktop email clients such as Outlook, Thunderbird, Opera Mail, Outlook Express and even Webmail [link]
+ KickNotes: Allows you to create an email message that will self destruct based on how many times the message is read or the age of the message.
+ BigString: BigString is a free service allows a user to easily send, recall, erase, self-destruct and modify an email after it has been sent. BigString users have unprecedented control over all of their email, whether they choose to send it through the BigString.com website or an email client such as Outlook.
+ ZMail Basic: Allows you to specify a Release Time, before which a message cannot be read; an Expiration Time, after which an email cannot be read; and a Delivery Receipt, which shows when, where, how and by whom your message was decrypted.
+ StealthMessage: Stealth Message allows you to encrypt email messages, store encrypted messages anonymously, set self-destructing options, and prevent forwarding and copying of messages.
+ SD Message: Web based service that allows you to send messages that will self destruct within 60 seconds of viewing
+ DestructingMessage: Online service that generates a link containing your message, which self-destructs after the timer expires.
+ VaporStream: VaporStream is a paid service that separates the header of the message, the who, what and where, from the body of the message. They never exist together and can never be seen together; there is no record connecting the VaporStream subscriber with the content of the message. You also cannot print, cut and paste, forward or save a stream. You can trust that once you read a message it is gone.
"They're innovative, these people," says Mexican Col. Ricardo Álvarez.
Álvarez was at the Culiacán airport looking over one of the most curious air forces ever assembled: scores of planes confiscated from drug runners resting wing-to-wing on the tarmac.
The planes are among the 400 aircraft that Mexico has seized in the past five years: a fleet bigger than the Mexican Air Force. They are a virtual case study on how smugglers have been adapting their fleets to counter President Felipe Calderón's crackdown on the drug cartels, say Mexico authorities.
Álvarez says the planes are a window into how traffickers are always finding ways around the crackdown, from ultralights that can skim across the U.S. border to satellite-driven tracking equipment that helps smugglers locate drug shipments.
"They'll try anything," he says.
Gone are the days when twin-engine planes could fly drugs directly from the fields of Colombia to northern Mexico for delivery across the border via couriers. Those long-range flights raise too much suspicion on radar.
Now cocaine shipments arrive in Guatemala and are brought into Mexico by land or boat, the Mexican Attorney General's Office says. Small planes move the drugs northward to avoid the army checkpoints that have sprouted on Mexico's highways.
Drug pilots are having to land in more rugged areas because the government has destroyed 2,086 unregistered airfields since 2006. As a result, almost all of the seized planes at the Culiacán airport are single-engine Cessnas that can haul a lot of weight and have high wings ideal for landing on dirt roads or desert washes.
"They're like a Volkswagen Beetle — they take a lot of abuse," Álvarez says.
Many planes have modified wings so they can take off from short strips, or metal plates attached under the nose to protect the engine from gravel. Some have homemade extra fuel tanks behind the seats or extra-big tires for landing on rocky terrain.
One homemade plane with folding wings is painted to look like a Federal Police aircraft, with blue-and-white markings and the Mexican government crest on the sides.
Most of the planes were caught bringing drugs to the border in Mexico for eventual shipment to the United States. At any given time, the army has about 100 seized planes at the airport that are auctioned off or given to government agencies to use.
Smugglers have also begun using ultralights, simple aircraft made from aluminum tubes and fabric, to carry drugs directly across the border. Ultralights are harder to detect on radar and can land and take off on strips of land as short as 100 feet.
Three ultralights have crashed in Arizona since late 2008. On Oct. 6, a Border Patrol agent spotted an ultralight fly over the border near San Luis, Ariz., drop 176 pounds of drugs, then fly back into Mexico. It was not caught.
The USA has pledged millions of dollars to help Mexico better track drug flights as part of the Mérida Initiative anti-drug package. It's upgrading Mexico's Cessna Citation chase planes with better sensors, buying four CASA 235 patrol planes for the Mexican navy, and giving as many as 16 helicopters to the Mexican army and Federal Police.
The Mexican government claimed a key victory against drug planes in February with the arrest of José "Wild Boar" Vázquez Villagrán, who police say was the main dispatcher for the airplanes of the Sinaloa Cartel.
"We've cut a lot of their capacity to move around," Álvarez says.
Market expands overseas
Even as authorities claim progress in grounding drug planes in Mexico, the cartels are using aircraft to exploit new routes.
Drug flights between South America and the Caribbean nations of Haiti and the Dominican Republic have been rising since 2006, the U.S. State Department says. And smugglers from South America are now crossing the width of the Atlantic Ocean to move cocaine into Europe by flying it into West Africa first. The market for cocaine in Europe has been expanding at the same time that cocaine use in the United States has declined from its peak in the 1980s, according to the U.N. Office of Drugs and Crime.
"For a while they've been pushing small amounts (across the Atlantic) to test the system and see how it works. But they seem to have reached a breakthrough," says Douglas Farah, an expert on drug trafficking at the International Assessment and Strategy Center, a Washington think tank.
In September, U.S. prosecutors said they had uncovered a smuggling ring dubbed "The Organization" that was flying cocaine from Venezuela to countries in West Africa. There is no radar over the ocean, so such flights are virtually undetectable. Pilots were paid up to $300,000 per trip, the Department of Drug Enforcement said in an affidavit, citing informants and agents.
On Nov. 2, tribesmen found the burned-out hulk of a Boeing 727 in the sand in the Gao region of Mali. Investigators believed the plane came from Venezuela and was used to smuggle drugs, Alexandre Schmidt of the U.N. Office on Drugs and Crime told reporters.
In December, Antonio Maria Costa, the head of the U.N. office, called the 727 discovery "a new example of the links between drugs, crime and terrorism."
"Drug trafficking in the region is taking on a whole new dimension," Costa told members of the U.N. Security Council.