Notes from Underground

Matt Blaze, a well-known and respected researcher in computer security, has a very interesting post on his “Exhaustive Search” blog, about a visit he made to the Titan Missile Museum in Sahuarita, AZ.  The museum is a decommissioned Titan II missle site, complete with missile (no longer functional!) and silo.  It is possible tp take a complete tour of the site, to get a first-hand look:

If you can climb a fifteen foot ladder and fit through a two foot diameter hole, you can, with a bit of advance planning, take an extensive “top-to-bottom” tour of a Titan II ICBM launch complex, complete with missile silo and missile.

Mr. Blaze took the tour, and his account of the visit is fascinating and a bit disturbing.  At the height of the Cold War, there were more than 1,000 ICBMs equipped with nuclear warheads, in silos scattered across sparsely-populated areas.  This included, from 1963 to 1984, 54 Titan II missiles, each with a 9-megaton warhead.

He was particularly interested in looking at the security systems used at the launch site, as an extreme example of the role of security trade-offs:

The control of strategic nuclear weapons can thus be considered an extreme case study in one of the most difficult — and in this case most dramatic — tradeoffs in designing secure systems: balancing high availability with strong access control.

The missiles must be ale to be launched on very short notice for a counter-attack, lest they be destroyed in an enemy “first strike”; yet, because the adversary’s missiles are at the same state of high alert, an accidental launch is unthinkable.

One of the interesting things that came out of the tour is the degree to which many of the security safeguards, once inside the silo, were procedural rather than technical.  One of the key policies was that, with a few exceptions, like the toilets, no crew member was allowed to be alone in any section of the silo.

No Lone Zone

Similarly, there was a safe containing the launch codes that required two keys to be opened, but the locks were just ordinary padlocks.  The launch consoles that required two keys to be turned to launch the missile did exist (just like in War Games), but the equipment itself was not especially secure physically.  It seems clear that the underlying security assumption was that the major danger was one of the crew more or less suddenly going crazy.  There were of course blast doors and the underground location to protect the crew and missile from external attack.

The security mechanisms once past the exterior blast doors appear to have been designed to deter individual malfeasance in the presence of other trusted people, not to resist a sustained military attack or sabotage effort. As with many computers and networks, the focus was on strong perimeter security, with far weaker mechanisms protecting against insider attack.

Of course, much of the original motivation for building these sites has disappeared, but there are still a  few hundred Minuteman III ICBMs in silos in the US.   Matt Blaze puts it well in his closing comment:

Looking up from the bottom of the silo at the little crack of sunlight 150 feet above, an obvious fact hit home for me. I realized at that moment that these things are actually aimed somewhere, somewhere not at all abstract.

(The image is Copyright © 2009 Matt Blaze, and licensed under a Creative Commons license.)

Browser Sizing

One of the issues that Web site designers have labored over is how to build their sites so that they appear in a desired way when viewed.  This is more tricky than it might at first seem.  The original idea of HTML, the language used to construct Web pages., was not of a page description language, like PostScript, but a content description language.  That is, HTML would identify parts of the text that were headings, or items in a list, or block quotations, for example, and the browser would determine how to display the elements most effectively.  This made a good deal of conceptual sense in the late 1980s, when a significant number of display devices had minimal or no graphics capability.  But Web designers wanted more “pizzazz” for their pages.  The leading browsers, Netscape Navigator and Microsoft Internet Explorer, implemented different and often incompatible enhanced display elements during the first “browser wars”.

Fortunately, the advent of Mozilla Firefox, Opera, and other browsers, like Google’s Chrome, have pushed the industry back toward the idea of Web standards, which reduces the need to write different versions of a site to accommodate different browsers.  But it is still a bit tricky for Web designers to lay out their pages effectively, because they don’t, in general, know how big the user’s display window is. Monitors come in different sizes, the browser may or may not be displayed full-screen, and menus and toolbars take up space.

Now Google has introduced a new tool to help with this, called Browser Size.  In the official Google Blog, they liken the idea to putting a newspaper article “above the fold”:

In a newspaper, the most important story is featured on the front page. If it’s a really important piece, then it’s placed “above the fold,” which means you can find it on the top half of the first page — the bottom half is folded behind and isn’t readily seen when you first look at the newspaper.

The tool is based on data gathered from visitors to google.com.  Data is collected on the height and width of the visitors’ browser windows, and then can be displayed as an overlay, somewhat similar to contour lines on a map, on any desired browser window.  It’s not perfect, but it’s a clever way to get at least a statistical sense of what a typical site visitor might see.  There’s a more detailed article at the Google Code Blog.