GAO - Maritime Critical Infrastructure Protection

http://www.gao.gov/products/GAO-14-459

I recently skimmed this GAO report on maritime security.  I have to conclude that it totally misses the mark.  But that didn't surprise me in the least.  I would have been surprised by an insightful and intelligently written document that prioritized the real issues and strategies that will make a big difference.

There is a list of threats in the document that seems totally out of line: "Table 1: Sources of Cyber-based Threats"  Their threats are:

• Bot-network operators 
• Business competitors 
• Criminal groups 
• Hackers 
• Insiders
• Nations
• Phishers 
• Spammers 
• Spyware or malware authors 
• Terrorists

Why all of those groups are real, their categories are somewhat nonsensical.  I can't figure out what they use as a criteria for the categories.  For example, a nation (e.g. North Korea) may imploy or buy from an author of malicious software (The Hacking Team), but does that make two sources of threats?

And without trying to figure out the ontology issues, there are a couple changes to that list that I would make right off.  First, my number one source for threats is software developers.  I've been working on auditing and fixing the Generic Sensor Format (GSF) that is used for sonar mapping and I'll use that as an example.  This is C code developed by professional programmers at SAIC for the US Navy and has been around since the early 1990's.  I took the code (not that it is open sourced under the LGPL 2.1 license) and threw it in Coverity.  Right off the bad, I got a whole pile of coding issues that include multiple buffer overflows and all sorts of use of unsanitized data from files.  Many of these issues have been in the code for > 25 years.  If this is in open code that has been used by many companies for ages, what is hiding in all the closed source code in the maritime industry?   There wasn't a good testing strategy for the GSF C code.  Does your ECDIS have decent automated testing?  This situation is likely way worse.  I talked to a maritime professor teaching ECDIS about 10 years ago.  His number one lesson to students was to make sure that the ECDIS computer had not stopped updating by watching the seconds of the on screen clock.  And the students were supposed to do this in every sweep of their watch (so multiple times per minute).  In addition to bad code, there is also bad design.  These are things like inventing your own encryption or not validating data or patches that go into a system.  A nice example of this is with digital charts.  The rules say that a US chart (e.g. an S-57 file) is valid only if you got it directly from NOAA or an authorized retailer.  That really doesn't mean anything.  What if someone man-in-the-middled the download or it got corrupted somewhere along the way.  I'd take a cryptographically signed file is worth more than the source.

The next change is with hacking.  I'd call this category cracking.  And I'd split it up into two groups.  The first are the smart ones doing things themselves.  They are doing real work and really discovering things.  The next category are "script kiddies".  These folks really have no idea what they are doing and just blindly apply tools that are available on the internet.  They often have no idea what they are breaking into and what the consequences are.

Another change to that list would be to add a lack of reasonable support to mariners from the world's "competent authorities".  If the Hydrographic Offices (HOs) and Coast Guards (CGs) around the world, can't give reasonable guidance to software developers and mariners using the gear, then all it lost.  This boils down to people making decisions they shouldn't (e.g. they are not trained for - electrical engineers and lawyers defining software) and/or closed specs that don't have a way to get audited by professionals.  This IEC specs for AIS gear.

August challenge to my self - blog at least 1x per day on average for the month

I used to blog at least once per day pretty much every day.  I amassed > 3000 posts using nanoblogger and posting to schwehr.org.  I haven't gotten around to getting schwehr.org set back up in the last year, so I might as well just try to use the blogger interface and get back into it.  My son is close to 1 year old and he has dominated everything this last year.  And then I lost my father when he was hit in a crosswalk by a driver who didn't see him.  I'm not so sure I will be able to pull this off, but it would be nice to get back into it.  I've had lots and lots of ideas in the last year that have never made it anywhere concrete (not even my private logs).

I do have to say that I really think my blogger account is really really ugly, but in my typical minimalist strategy, I'm just not going to worry about it.

AIS VHF Data Exchange System (VDES) looks like yet more of the same AIS frustration

If you are going to get a new higher bandwidth set of channels to pass marine data around, choosing AIS encoding (binary as over the VDL [VHF Data Link] or NMEA VDM/VDO) is just a terrible idea.  We have so many better serialization formats (Protobuf, MessagePack, https://github.com/grpc, etc.).

240 kbps or 307.2 kbps at what freq?  Details are very thin.

http://www.rtcm.org/mej.pdf
http://blog.canpan.info/oprf_en/img/VDES-Data20Exchange20System20Overview.pdf
http://blog.canpan.info/oprf_en/img/Development20of20VDES20in20IALA.pdf
http://www.ntia.doc.gov/files/ntia/rtcm_tf.pdf
http://www.iala-aism.org/files/conference/18th_iala_conference_2014_report_final.pdf

From the RTCM comes this fairly empty statement:

SC-123 Chairman Norsworthy is very familiar with both programs.
“I believe that AIS opensthe door for efficient communication, navigation
and operation in the maritime services,” he says. “AIS is the essential core
for e-navigation, the harmonized collection, integration, exchange, presentation
and analysis of marine information onboard and ashore by electronic
means to enhance berth to berth navigation and related services
for safety and security at sea and protection of the marine environment.
“The next development is the VDES, which contains integral AIS,
and is ‘AIS on steroids.’ VDES will be to AIS as 4G is to cellphones. VDES
is designed to support all the apps needed for e-navigation and GMDSS
(Global Maritime Distress and Safety System) modernization. VDES provides
all the functionality, bandwidth and linkages for the efficient exchange
of information with ships, shore stations and satellites.”

William D. Kautz, USCG says:

VDES uses Recommendation ITU-RM.1842-1 techniques to solve the limitation of AIS data exchange

I've got little hope for anything other than an endless need for grunt coding contracts to come out of the e-Navigation world.

Oh the acronyms and buzz phrases...

E-Navigation Strategic Implementation Plan (SIP)

elog feature requests

elog is pretty cool and is used on the US Coast Guard ice breaker Healy.  My feature requests...

• The ability to track the location of the server and/or user for mobile usage.  e.g.  the U.S. Coast Guard ice breaker Healy uses elog.  The ability to export with gdal to KML/Shapefiles/etc would allow logs to be on maps.  e.g. Be able to use gpsd NMEA GPS location on servers.
• Ability to submit from Android devices with Open Data Kit (ODK).
• Simile Timeline view of logs
• Export to msgpack and/or protobuf 3 for ease of writing add ons
• Integration with flowdock
• Integration with github for issue tracking and travis-ci for software build/test status
• Ability to sync multiple servers that are not always connected

Weather stations

This looks like fun!  http://www.instructables.com/id/Weather-Station/

Generic Sensor Format (gsf) on github

I'm finally to a point where this is worth talking about.  I started with GSF version 03.06 downloaded from the Leidos website (Leidos split off from SAIC last year).  I used that to start my gsf github repo.  I've given it a really simple GNU Makefile build system and added some basic read testing using Google's gunit/gmock testing suite.  I've setup travis-ci to run the tests every time I push changes.  I even setup Coverity Scan to do static analysis.  I started doing some initial cleanup (spelling, consistently capitalizing GSF in comments), but I need to flush out the unit tests before I start working on the 46 Coverity issues and working on making GSF compile without warnings.  To help with creating tests, I've started writing a pure Python GSF reader so that I can pick packets out of test files and assemble minimally sized test files from real data.  I also need to use the C GSF library to write out some small test cases that cover all the key corner cases.

My original starting point of gsf from Leidos.  It's a shame that they don't have a public repo that I could have cloned with the whole history.

A list of things I'd like to do for GSF:

First green build with Travis-CI:

Coverity summary:

My new ais stream processing code for libais

For a long time, I've had the not so great ais_normalize.py in noaadata to manage multi-line NMEA AIS VDM messages.  It worked for the old USCG format, but it was brittle and cruft code.  Egil added aisdecode to libais based on ais_normalize, but that was building on a terrible foundation.  Today, I pushed the final patch for my nmea_queue module that can handle text, bare NMEA, TAG Block (including Orbcomm extensions), and USCG old CSV metadata.  I still need to add a couple non-VDM messages to the system to work out how to parse those cleanly.  With the new gpsd_format library (led by SkyTruth), libais and gpsd are starting to really play well together.  The design goals of the two are extremely different, so think carefully which you want to use.  In my case, I use both.

Overall, I'm much happier with the state of libais and excited to talk to many folks in the AIS community at the AISSummit 2015 conference in Hamburg next month.  Paul Woods of SkyTruth and I will be giving a pair of talks that will go over how to use "Big Data" techniques and technologies to tackle larger AIS databases with ease.  We will talk about many of the specifics of what has gone into Global Fishing Watch.

I've also been putting work into gpsd, BitVector, and ais-areanotice with a little bit on noaadata (noadata is a mess).  More to come.