A Safer Form of Fertilizer?

April 28, 2013

A tragic accident, perhaps compounded by carelessness, led to a fire and explosion in a fertilizer plant in West, TX on April 17.  (Just to clarify a point which was slightly confusing in the initial reports, ‘West’ is the actual name of the town.)  The news was somewhat overshadowed by the bombings at the Boston Marathon on April 15, but the disaster killed 14 people, injured many more, and devastated the small town.  The plant apparently had stores of anhydrous ammonia (NH3), a gas, and ammonium nitrate (NH4NO3), a solid.  Both are very commonly used as components of fertilizers.  Ammonia is a strong irritant, and a health hazard, but doesn’t burn in air except in very high concentrations (roughly 15-25%).  Ammonium nitrate is also an irritant; however, it is also a powerful oxidizing agent, and can form explosive mixtures with many organic compounds.

In fact, ammonium nitrate has been used, mixed with fuel oil, to make bulk industrial explosives for routine use, because of its low cost.  It has also been a popular ingredient for improvised explosive devices (IEDs) and vehicle bombs, such as the one set off at the Murrah Federal Building in Oklahoma City in 1995.  Because of its potential for misuse, there are regulations concerning its storage and use, but these are apparently not always followed.  (It appears that the plant in West did not report its February inventory of 270 tons to the Department of Homeland Security, as the law requires.)

An article at the Gizmag site reports that Kevin Fleming, an engineer from Sandia National Laboratory, has developed a technique for compounding ammonium nitrate so that it can’t be used to make fuel-based explosives.

Knowing that in ammonium nitrate the ammonium ion is weakly attracted to the nitrate ion, and that the right chemical reaction can pull them apart, Fleming decided to look for a compound they would rather cling to that could be added to the ammonium nitrate. He tried several materials, including iron sulfate, a readily available compound discarded by the ton from steel foundries.

If someone attempts to mix fuel into the ammonium nitrate / iron sulfate mixture, they will end up with ammonium sulfate and iron nitrate, neither of which will form an explosive mixture.

The addition of iron sulfate does not degrade the usefulness of the fertilizer; in fact, it probably makes it slightly better for environments with alkaline soils.  Adding iron to the soil may also incrementally improve the iron content of vegetable crops.

Since iron sulfate is cheap — it’s a waste product from steel production — this technique might be an economical way to reduce the risk of explosions, accidental or otherwise.

Update Monday, 29 April, 22:16 EDT

Here is the original Sandia Labs information release.  Their server appears to have been down last night.

Microsoft, Verizon Release Security Reports

April 23, 2013

Two new reports have just been released dealing with the state of Internet security; one is from Microsoft, and the other from Verizon.  If you are interested in security, I recommend both reports as interesting, if sometimes rather depressing, reading.

Since 2008, Verizon’s RISK Team has published an annual report summarizing security and data breach incidents, and categorizing them on various criteria (e.g., who did it?  how was it done?).  The 2013 Data Breach Investigations Report [PDF] analyzes data from more than 47,000 security incidents, and 621 confirmed data breaches.  This year, the report attempts to assess the prevalence and origins of “espionage” attacks: those whose primary motivation was not mischief, or financial gain, but theft of trade secrets and other intellectual property.  There is also an Executive Summary [PDF] available.

Microsoft’s Security Intelligence Report (Vol. 14) [PDF], which covers the period July through December, 2012, is (as you might expect) more focused on software security issues.  The report looks at the software security vulnerabilities that have been disclosed, and the exploits that have been detected, and attempts to identify particular problem areas and trends.  As has been true for some time, the most common type of exploit is one involving HTML and JavaScript; document-based and Java-based exploits, two other hardy perennials, showed a significant increase in the second half of 2012.   There is also a Key Findings [PDF] summary of this report.

I have not had a chance to read these reports yet, but will post further comments here when I have.   An essential part of any sensible security analysis is an evaluation of the threats one is guarding against.  These reports should provide some information useful in that exercise.

Boston Bombings, Take 2

April 17, 2013

As the investigation into Monday’s bombings at the Boston Marathon continued, today was a day with more wildly conflicting news stories.  Early this afternoon, there were reports, notably by the Boston Globe, CNN, and the Associated Press, that a suspect had been arrested (or was in custody — I heard both expressions used).  At the same time, the TV network news from ABC and NBC was reporting that there had been no arrest.  Some of the reports said that the suspect would be taken to the US Federal Court House in Boston, resulting in a large influx of reporters and the curious.   This was probably not a big help when, as The Washington Post reported, the courthouse had to be evacuated because of a bomb scare:

Boston’s federal courthouse, where hundreds had gathered in response to false reports of an arrest, was briefly evacuated because of a bomb threat.

It seems that the networks got it right: the FBI issued a press release stating that no arrest had been made.  It also made a request to media organizations:

Over the past day and a half, there have been a number of press reports based on information from unofficial sources that has been inaccurate. Since these stories often have unintended consequences, we ask the media, particularly at this early stage of the investigation, to exercise caution and attempt to verify information through appropriate official channels before reporting.

Didn’t they mention anything about this sort of thing in journalism school?

There were other reports that were merely silly.  One TV report showed an image of investigators searching the crime scene along Boylston Street in what it described as “white HazMat suits”.  The white fabric garments were obviously not HazMat suits; they were very probably coveralls worn by crime scene investigators so that fibers, hair, and so on from the investigators do not contaminate any evidence.  Does the mistake matter?  Maybe not, but it might spark a rumor that there was some sort of toxic or infectious residue left by the explosions.

Perhaps to compensate for some of its earlier (excessive) enthusiasm, the Associated Press (via Yahoo! News) has a new report on the media frenzy.

Boston Marathon Bombings

April 16, 2013

I’m sure that I’m like most other Americans in reacting with a mixture of sorrow, disgust, and anger to the horrible bomb attacks in Boston yesterday.   Of course, we all extend our sympathies, thoughts, and prayers to the victims and their families, too.  The story of what happened is still unfolding: physical and other evidence is still being analyzed, and no one, so far, has claimed responsibility for this crime.  I think it is not only foolish, but also counter-productive, to jump to conclusions based on incomplete facts or speculation.  I expect this will be the first in a number of posts on this incident.

I was able to keep current with the press coverage of the story through most of yesterday afternoon.  (The incident probably struck home for me a bit more than average, since I lived in Boston for about ten years, within a few blocks of Copley Square, and worked nearby as well.)  When the prospect of an inch or two of snow gets reporters hyper-ventilating, I guess it is not too surprising that this incident really got them going.  It was clear that someone in the newsroom was trying to rein in the more extreme speculation, but some fairly obvious products of someone’s imagination made it through anyway.

One early report showed a very jerky video of one of the explosions (it later became clear it was the first), with breathless commentary about “an enormous bomb”.  Now, “enormous” is one of those words that, to paraphrase Mark Twain, allows a considerable return in speculation for a trifling investment of fact.  I am certainly not an explosives expert, but I have seen the immediate aftermath of a couple of large explosions in similar environments.  For example, I was perhaps half a mile away in the City of London when the Provisional IRA detonated a bomb at the Baltic Exchange in St Mary Axe on April 10, 1992.  That was a large bomb, estimated to contain 45 kg (100 lb.) of Semtex, plus about a ton of fertilizer-based explosive.  I have never seen so much broken glass in my life; it was impossible to walk without stepping on it.

In that early video, there was no noticeable glass on the pavement, and there were a couple of large plate glass windows visible, intact, within a few yards of the explosion site.  I remarked at the time that the bomb, if that’s what it was, could not have been very big — probably something in a backpack or briefcase.  (I do have a little background knowledge on this point.  As part of my job, I had some security responsibilities for our operations in the City, and got periodic briefings from the security services.)  That the devices were small, perhaps 2-3 pounds of explosive, seems to be the current consensus from authorities today.

The Associated Press [AP] initially made a rather strange report yesterday afternoon, saying that cellular telephone service was being shut down.

A law enforcement official, citing an intelligence briefing, said cellphone service had been shut down Monday in the Boston area to prevent any potential remote detonations of explosives.

The TV reporter presenting this suggested that this was being done to prevent further bombs from being detonated by cellphones, and that, for the same reason, people should not use their landline phones, either.  Now this last bit is just complete nonsense; my avoiding use of my phone does not prevent a Bad Guy from using his; in fact, if anything, his call will be completed more expeditiously.  AP later retracted the story, having checked with the cellular carriers.  I suspect the original story was based on a garbled request to avoid unnecessary phone usage; it is almost a given that networks will be stressed by heavy usage following any sort of man-made or natural disaster.

I know that the media have a difficult job, and that trying to piece together a narrative from fragments of information is especially tricky.  I’d hope, though, that everyone, reporters and audience alike, would try to maintain a rational view of the situation, and not let their emotions run amok.  Terrorism is, after all, a tactic that is intended to produce fear, fear out of proportion to the actual damage done.  As I’ve written before, we need to take care not to let terrorists win “on the cheap”.

Over at The Atlantic’s site, Bruce Schneier has a revised version of an earlier essay, focusing on this same point.

As the details about the bombings in Boston unfold, it’d be easy to be scared. It’d be easy to feel powerless and demand that our elected leaders do something — anything — to keep us safe.

It’d be easy, but it’d be wrong.  We need to be angry and empathize with the victims without being scared.

He also has an interview with Ezra Klein of The Washington Post on the paper’s “WonkBlog”.

Contrary to what our instincts and emotions may be screaming, terrorism is a rare event, and mounting a successful terrorist attack is not easy.  Evil geniuses, like Professor Moriarty or the Joker, are denizens of fiction, not reality.  And, no matter how draconian our security response is, there is no way to guarantee perfect safety.  We need to remain as level-headed as we can.

Refuse to be terrorized.

The Internet Surveillance State

March 30, 2013

One of the hardy perennial issues that comes up in discussions of our ever more wired (and wireless) lives is personal privacy.  Technology in general has invalidated some traditional assumptions about privacy.  For example, at the time the US Constitution was being written, I doubt that anyone worried much about the possibility of having a private conversation.  All anyone had to do, in an age before electronic eavesdropping, parabolic microphones, and the like, was to go indoors and shut the door, or walk to the center of a large open space.  It might be somewhat more difficult to conceal the fact that some conversation took place, but it was relatively easy to ensure that the actual words spoken were private.

Similarly, before the advent of computer databases, getting together a comprehensive set of information about an individual took a good deal of work.  Even records that were legally public (e.g., wills, land records) took some effort to obtain, since they existed only on paper, probably moldering away in some obscure courthouse annex.  Even if you collected a bunch of this data, putting it all together was a job in itself.

People whose attitudes date back to those days often say something like, “I have nothing to hide; why should I care?”  They are often surprised at the amount of personal information that can be assembled via technical means.  The development of the Internet and network connectivity in general has made it easy to access enormous amounts of data, and to categorize and correlate it automatically.  Even supposedly “anonymized” data is not all that secure.

Bruce Schneier, security guru and author of several excellent books on security (including Applied Cryptography, Secrets and Lies, Beyond Fear, and his latest book, Liars and Outliers), as well as the Schneier on Security blog, has posted an excellent, thought-provoking article on “Our Internet Surveillance State”.  He begins the article, which appeared originally on the CNN site, with “three data points”: the identification of some Chinese military hackers, the identification (and subsequent arrest) of Hector Monsegur, a leader of the LulzSec hacker movement, and the disclosure of the affair between Paula Broadwell and former CIA Director Gen. David Petraeus.  All three of these incidents were the direct result of Internet surveillance.

Schneier’s basic thesis is that we have arrived at a situation where Internet-based surveillance is nearly ubiquitous and almost impossible to evade.

This is ubiquitous surveillance: All of us being watched, all the time, and that data being stored forever. This is what a surveillance state looks like, and it’s efficient beyond the wildest dreams of George Orwell.

Many people are aware that their Internet activity can be tracked by using browser cookies, and I’ve written about the possibility of identifying individuals by the characteristics of their Web browser.  And many sites that people routinely visit have links, not always obvious, to other sites.  Those Facebook “Like” buttons that you see everywhere load data and scripts from Facebook’s servers, and provide a mechanism to track you — you don’t even need to click on the button.  There are many methods by which you can be watched, and it is practically impossible to avoid them all, all of the time.

If you forget even once to enable your protections, or click on the wrong link, or type the wrong thing, and you’ve permanently attached your name to whatever anonymous service you’re using. Monsegur slipped up once, and the FBI got him. If the director of the CIA can’t maintain his privacy on the Internet, we’ve got no hope.

As Schneier also points out, this is not a problem that is likely to be solved by market forces.  None of the collectors and users of surveillance data has any incentive, economic or otherwise, to change things.

Governments are happy to use the data corporations collect — occasionally demanding that they collect more and save it longer — to spy on us. And corporations are happy to buy data from governments.

Although there are some organizations, such as the Electronic Privacy Information Center [EPIC] and the Electronic Frontier Foundation [EFF], that try to increase awareness of privacy issues, there is no well-organized constituency for privacy.  The result of all this, as Schneier says, is an Internet without privacy.

Bletchley Park Trust Joins Google Cultural Institute

March 25, 2013

I’ve written here previously about Bletchley Park, the home during World War II of the UK Government Code and Cipher School, also known as Station X.  The work of the cryptanalysts at Bletchley Park was responsible for the breaking of the German Enigma machine encryption on a large-scale basis, as well as the more difficult Lorenz cipher, used by Hitler to communicate with his field commanders.   Some historians estimate that this work shortened the war in Europe by two or more years.  The site is now run by the Bletchley Park Trust, and also houses the UK National Museum of Computing.

A project to restore the Bletchley Park facility, along with some of its specialized equipment, was launched a couple of years ago.  I noted then that Google had taken an active role in supporting the project.

A recent post on the Official Google Blog describes some further developments in this relationship.  The Bletchley Park Trust has become a member of the Google Cultural Institute, which features an online gallery of exhibits dealing with (relatively) recent history.  The Bletchley Park exhibit has an overview of the work that was done at Station X.  It includes images of the Bombe machines that were used to break the Enigma cipher on a production basis, and of Colossus, the electronic computer used, along with the Tunny Machine, in breaking the Lorenz cipher.

The blog post also has an interesting short video presentation by Ms. Jean Valentine, one of the original Bombe operators.

In her role operating the Bombe, Jean directly helped to decipher messages encoded by Enigma. In this film Jean gives us a firsthand account of life at Bletchley Park during the war, and demonstrates how the Bombe worked using a replica machine now on show at the museum.

Much of this history remained a closely-guarded secret for many years after the end of WWII.  It’s fascinating to see how much truly creative work was done under very difficult conditions.

Security Snake Oil, Squared

March 24, 2013

Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.
— Albert Einstein

I’ve written here from time to time about some of the questionable expenditures made in the name of security; in one case, the US government paid several million dollars for software that, if it ever existed at all, did not produce anything like the promised results.  In some cases, I think that the buyers are so focused on the security outcomes that they want that they lose sight of the need to verify extravagant claims for a product, or at least to ensure that the claimed performance is realistically plausible.

I’ve just been reminded of another instance of a large purchase of security snake oil.  According to the C-Net news site, a British businessman named James McCormick is on trial at the Old Bailey (the Central Criminal Court) in London, on charges of fraud connected to the sale of supposed bomb-detecting equipment to a variety of government agencies.  The prosecution alleges that McCormick sold a large number of his ADE detection devices for use in Iraq, at a price of approximately £27,000 [about $41,000] each.  Units were also allegedly sold to the governments of Niger and Georgia, the former Soviet republic.

The claims that McCormick is alleged to have made for the devices, which supposedly worked by static electricity, are close to miraculous.  According to an article in the Daily Mail,

He produced glossy brochures to trick potential investors into believing the devices could detect tiny amounts of explosive from three miles away, the Old Bailey heard.

He claimed they could detect explosives, drugs and ivory through walls, up to 30ft underground and 100ft underwater, jurors were told. They could also detect fluids and human beings.

Some skepticism has been expressed about these devices before.  A 2009 article in the New York Times discusses the use by Iraqi forces of bomb detectors described by the US military as “useless”.  According to the article, at least some parts of the Iraqi government paid considerably more than the going rate for these gadgets.

Mr. Turaihi [Inspector General of the Interior Ministry] said Iraqi officials paid up to $60,000 apiece, when the wands could be purchased for as little as $18,500. He said he had begun an investigation into the no-bid contracts with ATSC.

Jim McCormick, the head of ATSC, based in London, did not return calls for comment.

That these devices did not entirely live up to the claims made for them will probably not surprise too many readers.  But the aspect of this story that I find really remarkable is the original source of the devices.  It appears that they are a slightly modified, and re-badged, version of a product sold in the US as a golf ball finder.

Mr Whittam [Prosecutor Richard Whittam, QC] showed the jury pictures of a golf ball finder and one of the devices the defendant allegedly sold. He told jurors they were practically identical ‘in terms of shape, size, weight and construction’.

He said: ‘In reality, save for the stickers, they were indistinguishable. What that means is that they came from the same mould. The golf ball finder had been rebadged as an ADE 101.’

Now you may well ask yourself how experienced military and security personnel could be taken in by this sort of (seemingly) obvious scam.  I’m afraid I don’t have a good answer.

However, I think the most darkly amusing part of the whole story is this: the device, in its original incarnation as a golf ball finder, was pure snake oil.  It was, apparently, sold on the Web at mnglobal.com.  That site is no longer around, but the Internet Archive’s Wayback Machine has a version of the page from 2006.  The claims for its abilities in this sphere are also fairly extravagant (the UPPER CASE and spelling is from the original):


The page also assures the prospective purchaser that the finder has “no moving parts to wear out”.  And (I particularly like this), it “can be used by right or left-handed people.”  After all, you wouldn’t want something that could just find right-handed golf balls.

Obviously, P.T. Barnum’s Law of Applied Economics is still in effect.  I guess it’s good to know there are some things you can depend on.
