This week brought some bad news for mobile phone users. German security expert Karsten Nohl showed how easy it is to eavesdrop on GSM-based (Global System for Mobile Communications) cell phones, including those used by AT&T and T-Mobile customers in the U.S.
Nohl, who has a doctorate in computer engineering from the University of Virginia, made headlines last year publicizing weaknesses in wireless smart card chips used in transit systems around the globe.
Karsten Nohl
(Credit: Kingsley Liu)CNET interviewed Nohl via e-mail on Thursday about his latest work and what the implications are for the more than 3 billion GSM mobile phones worldwide, representing about 80 percent of the market, according to the GSM Alliance.
Q: You made quite a splash at the Chaos Communication Congress hacker conference in Berlin this week. What happened?
Nohl: We showed that GSM, the widely used cell phone standard, is insecure, and explained how your neighbor might already be listening in on your calls. After GSM's security was declared outdated several times before, we were the first to make tools available for people to verify its insecurities.
Q: In August you launched an open-source, distributed computing project designed to crack GSM encryption and compile it into a code book that can be used to eavesdrop on calls. Is this week's announcement related to that?
Nohl: Yes, at the conference a code book was released--a data set previously only available to well-funded organizations. This code book has been computed in just a few months thanks to many volunteers on the Internet.
Q: And this is to determine the key used to encrypt GSM communications, right?
Nohl: That's correct. The code book reveals the encryption key of a call.
Q: What is the problem with the GSM encryption technology exactly?
Nohl: GSM's A5/1 encryption function uses a 64-bit key that is too short to withstand the computing power available today. When the algorithm was designed 20 years ago when CPU [central processing unit] cycles and storage were much more expensive, it must have seemed a lot more secure. However, the A5/1 function should have been replaced years ago when researchers first discussed practical attacks.
Q: What does this mean for users of GSM phones? What is the real-world threat?
Nohl: Cell phone calls can be intercepted--not just since this week, but more cheaply every month. Sensitive information, say, from politicians, can be overheard from, say, foreign embassies. Others willing to cross the line into illegality and listen in on a call could be industry spies or even private snoops.
Q: Exactly how would someone use this technology to spy on mobile phone conversations?
Nohl: You record a call and then decrypt it. Recording requires some advanced radio equipment, which can be as cheap as the $1,500 suggested retail price [Universal Software Radio Peripheral] device. One direction of a call can potentially be intercepted from a kilometer away while catching both directions requires the eavesdropper to be in the vicinity of the victim. Decryption is then done using the code book the community produced.
Q: What should people do to protect themselves against this?
Nohl: In the short-term, there is not much users can do to protect themselves other than being aware of the threat and keeping their most confidential calls and text messages off the GSM network. To improve GSM security in the long run, customers should go to their operators and create demand for improvements.
Q: What are the practical implications of your work? In other words, does your research make it cheaper and easier to eavesdrop and if so, how much cheaper and how much faster to crack the encryption? (One expert had estimated that the code book would let someone crack the code in hours now instead of taking weeks.)
Nohl: Our results don't necessarily make decryption faster; current commercial interceptors decrypt within seconds, often faster than the time a user takes to answer the call. Our project makes the technical background of these systems more accessible and aims to inform about the fact that GSM intercept is widespread. As a side effect, interception might become cheaper, too.
Q: What exactly does someone need to eavesdrop? (In other words, the code book/tables, antennas, special software, and $30,000 worth of hardware?)
Nohl: The more you spend on hardware, the faster you can decrypt calls. Two USRP radios, a beefy gaming computer, and a handful of USB sticks can already decrypt many calls. For $30,000 you can build a sub-minute decryptor.
Q: I understand it is illegal to intercept mobile phone calls in the U.S. and many other countries. Is what you did legal?
Nohl: Intercepting the phone calls of others should be illegal everywhere, and we do not plan to do that. Our research instead exposes that nothing in GSM is keeping criminals away from doing illegal intercepts. Fortunately, such security research is still legal.
Q: What did you do to make sure you have good legal standing? Did you consult with the Electronic Frontier Foundation?
Nohl: The EFF indeed helped us understand the legal implications of researching GSM technology.
Q: Have you been in touch with the GSM Alliance or any other pertinent entities?
Nohl: We have not yet been able to start a discourse with the GSMA. Through the press, though, we hear that a GSMA meeting in February might decide to ramp up upgrade efforts toward A5/3, the better encryption function. That would be great!
Q: Why did you do this research and public disclosure?
Nohl: We aim to make users of GSM aware that the GSM cannot be fully trusted. After other researchers have called a hack [questioned the security] of GSM for many years, we thought it was time to go one step further and provide tools for customers to "try at home" how insecure GSM's current encryption function is.
Q: Can the tables be used against the A5/3, the successor to A5/1? What is the difference between the two crypto standards?
Nohl: Fortunately, we cannot crack A5/3. This newer encryption is used in 3G networks and is currently considered a security patch for GSM networks. So there is [hope].
Q: What should mobile phone operators or carriers do about this?
Nohl: Carriers should now do the security patch that is overdue 15 years by upgrading to a new encryption function. I suspect they will only do so if customer demand is significant. Hopefully the customers will make it clear to their provider that they want 21st century security for their phone calls.
The MQ-1 Predator.
(Credit: U.S. Air Force)Iraqi insurgents have reportedly intercepted live video feeds from the U.S. military's Predator drones using a $25.95 Windows application that allows them to track the pilotless aircraft undetected.
Hackers working with Iraqi militants were able to determine which areas of the country were under surveillance by the U.S. military, The Wall Street Journal reported Thursday, adding that video feeds from drones in Afghanistan also appear to have been compromised.
Meanwhile, a senior Air Force officer said Wednesday that a wave of new surveillance aircraft, both manned and unmanned, were being deployed to Afghanistan to bolster "eyes in the sky" protection for the influx of American troops ordered by President Obama.
This apparent security breach, which had been known in military and intelligence circles to be possible, arose because the Predator unmanned aerial vehicles do not use encryption in the final link to their operators on the ground.
Read more of "U.S. was Warned of Predator Drone Hacking" at CBSNews.com.
A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt Web pages, has been made public.
Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for Web transactions.
Ray, who works with Dispensa at two-factor authentication company PhoneFactor, explained in a blog post this week that he had initially discovered the flaw in August and demonstrated a working exploit to Dispensa at the beginning of September.
Read more of "Zero-day flaw found in web encryption" at ZDNet UK.
If you are using a GSM phone (AT&T or T-Mobile in the U.S.), you likely have a few more months before it will be easy for practically anyone to spy on your communications.
Security researcher Karsten Nohl is launching an open-source, distributed computing project designed to crack the encryption used on GSM phones and compile it into a code book that can be used to decode conversations and any data that gets sent to and from the phone.
Karsten Nohl talks about his distributed computing, open-source AE/1 cracking project at the Hacking at Random conference.
(Credit: Hacking at Random)He hopes that by doing this it will spur cellular providers into improving the security of their services and fix a weakness that has been around for 15 years and affects about 3 billion mobile users.
"We're not creating a vulnerability but publicizing a flaw that's already being exploited very widely," he said in a phone interview Monday.
"Clearly we are making the attack more practical and much cheaper, and of course there's a moral question of whether we should do that," he said. "But more importantly, we are informing (people) about a longstanding vulnerability and hopefully preventing more systems from adopting this."
This weakness in the encryption used on the phones, A5/1, has been known about for years. There are at least four commercial tools that allow for decrypting GSM communications that range in price from $100,000 to $250,000 depending on how fast you want the software to work, said Nohl, who previously has publicized weaknesses with wireless smart card chips used in transit systems.
It will take 80 high-performance computers about three months to do a brute force attack on A5/1 and create a large look-up table that will serve as the code book, said Nohl, who announced the project at the Hacking at Random conference in the Netherlands 10 days ago.
Using the code book, anyone could get the encryption key for any GSM call, SMS message, or other communication encrypted with A5/1 and listen to the call or read the data in the clear. If 160 people donate their computing resources to the project, it should only take one and a half months to complete, he said.
Participants download the software and three months later they share the files created with others, via BitTorrent, for instance, Nohl said. "We have no connection to them," he added.
Once the look-up table is created it would be available for anyone to use.
Distributed computing, which has long been used for research and academic purposes, like SETI@home, and which companies have built businesses around, not only solves the technical hurdle to cracking the A5/1 code, but it could solve the legal ones too.
A few years ago a similar GSM cracking project was embarked upon but was halted before it was completed after researchers were intimidated, possibly by a cellular provider, Nohl said. By distributing the effort among participants and not having it centralized, the new effort will be less vulnerable to outside interference, he said.
Nohl wasn't certain of the legal ramifications of the project but said it's likely that using such a look-up table is illegal but possession is legal because of the companies that openly advertise their tables for sale.
A T-Mobile spokeswoman said the company had no comment on the matter.
AT&T spokesman Mark Siegel said, "We take extraordinary care to protect the privacy of our customers and use a variety of tools, many technical and some human approaches. I can't go into the details for security reasons." He declined to elaborate or comment further.
Taking precautions
Carriers should upgrade the encryption or move voice services to 3G, which has much stronger encryption, Nohl said.
In the meantime, people can use separate encryption products on the phone, like Cellcrypt, or handsets with their own encryption, Nohl said. Amnesty International and Greenpeace are using phones with stronger encryption, for example, but it only works if both parties to a conversation are using the same technology, he said.
For data encryption there is Pretty Good Privacy (PGP) for e-mail and virtual private network (VPN) software for connecting to a corporate network, he said.
The encryption problem is particularly serious for people doing online banking, where banks are using text messages as authentication tokens. Banks should instead offer RSA SecurID tokens or send one-time pass phrases through regular mail, Nohl said.
"I think, potentially, this could have as much impact as the breaking of WEP (Wired Equivalent Privacy) had a few years ago," said Stan Schatt, security practice director at ABI Research. "That shook up the industry quite a bit."
As a result of breaking that encryption, enterprises were reluctant to rely on wireless LANs so the Wi-Fi Alliance pushed through an interim standard that strengthened the encryption scheme, he said.
"Vendors will jump in with interim solutions, like Cellcrypt," Schatt said. "Mobile operators themselves will have to jump in and offer additional levels of encryption as part of a managed service offering for people who want a higher level of encryption."
However, consumers aren't likely to want to pay extra for the boosted encryption strength, he said.
To snoop on someone's phone, a would-be spy would need to be within eyesight of the target, Schatt said. Or, spies could point a recording device in the direction of a building and grab whatever conversations were nearby, he said.
"If you stand outside a building of a competitor you could get conversations between product managers and about sensitive corporation information, like acquisitions," he said. "Corporations put even more sensitive information over their phones, in general, than they do over their e-mail."
Update Wednesday August 26 8:01 a.m. PDT: The project web page is here and the the talk with slides is here.
The encryption functionality of the iPhone 3GS is so easy to crack that it is essentially "broken" as far as protecting sensitive personal data like credit card and social security numbers, according to a forensics expert and iPhone developer.
"I don't think any of us [developers] have ever seen encryption implemented so poorly before, which is why it's hard to describe why it's such a big threat to security," Jonathan Zdziarski told Wired.
With physical access to a 3GS iPhone and some free software data can be extracted within two minutes and an image of the entire raw disk in about 45 minutes, he said. The iPhone decrypts the data on its own once the extraction has begun, he explains in a video demonstration.
Apple has been touting the encryption and other features to entice corporate users to the device. And it seems to be working. Nearly 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones per company, the company said on its financial results conference call on Tuesday.
Updated at 4:45 p.m. PST to clarify that Gmail data has always been encrypted by default when a user types in https:// and that last year they offered the ability to set https:// as the default.
More than three dozen security and privacy advocates and researchers are asking Google to offer better data protection for users of Gmail and other Google apps and Google said on Tuesday that it is considering doing that, if it doesn't slow down the apps too much.
You may not know this but you can set Gmail to encrypt your session data by default to protect it from being sniffed over the network. However, Google doesn't offer the ability to encrypt potentially sensitive data created in other Google apps like Docs or Calendar by default, which means the communications could be stolen or snooped on by someone using a packet sniffer on public Internet connections, such as open wireless networks, according to the letter addressed to Google Chief Executive Eric Schmidt and signed by a who's who of 38 experts in the security industry.
Granted, users of other free e-mail services, social networks, and many other sites are vulnerable to data theft and account hijacking, the letter notes. But Google is in a position to set a standard for others to follow, it says.
Google should enable HTTPS (Hypertext Transfer Protocol Secure), a technology used by banks and e-commerce sites, by default for Gmail, Docs and Calendar, or at least do more to educate users about the privacy risks and make it easy to turn on the HTTPS by default, the letter urges.
Not only do many people not understand the privacy risks in using unencrypted services, but they don't know that they have the HTTPS default option and finding the settings to change isn't that easy, the letter says. Users can access Gmail, Docs, Calendar and other apps via HTTPS by simply changing the "http://" in the URL address to "https://," but many don't know about that option, either.
"As a market leader in providing cloud services, Google has an opportunity to engage in genuine privacy and security leadership, and to set a standard for the industry," the letter says. "If Google believes that encryption and protection from hackers is a choice that should be left up to users, the company must do a better job of informing them of the risks so that they are equipped to make this choice."
Some of the security experts endorsing the document include Bruce Schneier, chief security technology officer of BT Group; Peter Neumann, principal scientist at SRI International; encryption pioneer Ron Rivest of MIT; Steve Bellovin of Columbia University; Eugene Spafford at Purdue University; and Defcon founder Jeff Moss, who recently joined the Homeland Security Advisory Council.
In response, Alma Whitten, a software engineer on Google's security and privacy teams, wrote in a blog post that Google has been "looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.
"But we want to more completely understand the impact on people's experience, analyze the data, and make sure there are no negative effects," she wrote. "Ideally we'd like this to be on by default for all connections, and we're investigating the trade-offs, since there are some downsides to HTTPS--in some cases it makes certain actions slower."
Google is planning to test the use of HTTPS with "small samples of different types of Gmail users" to see whether it affects the performance of their e-mail, the blog post says.
"Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by default more broadly, hopefully for all Gmail users," the post says. "We're also considering how to make this work best for other apps including Google Docs and Google Calendar."
The letter addresses the performance trade-off argument, noting that Google seems to have solved the issue because it provides access to its advertising systems and several other services only via HTTPS sessions.
"Google's engineers have created a low-latency, enjoyable experience for users of Health, Voice, AdWords and AdSense--we are confident that these same skilled engineers can make any necessary tweaks to make Gmail, Docs, and Calendar work equally well in order to enable encryption by default," the letter says.
Correction at 5:50 a.m. PDT May 20: The spelling of Kenny Paterson's last name has been corrected.
An underlying flaw in the widely used encryption protocol Open Secure Shell (OpenSSH) has been made public by researchers from the Royal Holloway, University of London.
The flaw, which lies in version 4.7 of OpenSSH on Debian/GNU Linux, allows 32 bits of encrypted text to be rendered in plaintext, according to a research team from the Royal Holloway Information Security Group (ISG).
An attacker has a one in 262,144 chance of success. ISG lead professor Kenny Paterson told CNET News sister site ZDNet UK last Monday that the flaw is more significant than
"This is a design flaw in OpenSSH," said Paterson. "The other vulnerabilities have been more about coding errors."
According to Paterson, a man-in-the-middle attacker could sit on a network and grab blocks of encrypted text as they are sent from client to server. By retransmitting the blocks to the server, an attacker can work out the first four bytes of corresponding plaintext. The attacker can do this by counting how many bytes the attacker sends until the server generates an error message and tears down the connection, then working backward to deduce what was in the OpenSSH encryption field before encryption.
The attack relies on flaws in the RFC (Request for Comments) Internet standards that define SSH, said Paterson.
Paterson gave a talk on Monday at the IEEE Symposium on Security and Privacy in Oakland, Calif., to explain his group's research findings. The three ISG academics involved in the research were Paterson, Martin Albrecht, and Gaven Watson.
This vulnerability was first made public in November 2008 by the UK Centre for the Protection of National Infrastructure (CPNI), though full details of the flaw were not then given. According to the CPNI advisory, the OpenSSH flaw could be mitigated by IT professionals using AES (advanced encryption standard) in counter mode (CTR) to encrypt, instead of cipher-block chaining mode (CBC).
Paterson said his group had worked with OpenSSH developers to mitigate the flaw, and that OpenSSH version 5.2 contained countermeasures.
"They've fixed (OpenSSH); they've put countermeasures in place to stop our attack," said Paterson. "But the standard has not changed."
Paterson said that he did not believe this flaw had been exploited in the wild, and that to deduce a message of appreciable length could take days. In addition, proprietary SSH vendors had been informed of the issue in advance, and had put countermeasures in their code. However, Paterson added that it always takes time for system administrators to apply patches to servers and clients, no matter whether the software is open source or proprietary.
Tom Espiner of ZDNet UK reported from London.
The list of PC security products never ends. For every name that drops off, two more jump on. In fact, determining the best security hardware and software is a full-time job. Sometimes, you just want to throw up your hands and take your chances.
Maybe I'm just a cockeyed optimist, but I think you can stay safe without spending all your spare time doing research, installing updates, and generally becoming a PC-security expert. Here are five relatively easy ways to improve your security.
Use the firewall that's closest at hand
In the computer industry, the reputation of a product, service, or Web site is just about worthless. Yesterday's best firewall, ad blocker, spam buster, virus spotter, or spyware cleaner is today's bust.
Maybe the product got bought and the new owners aren't as conscientious about updates as the previous ones. Or the service's management team decides to go for profits and skimp on support, updates, and enhancements. There are lots of reasons why a good product goes sour, and the computer industry has seen nearly all of them.
So if you can't go by reputation, how do you choose a security product? One way is to go with the tools you've already got. Windows' security is roundly criticized, but the fact is, it's better than it used to be, and third-party security products have their own shortcomings.
Last February, I recommended that you use a third-party firewall rather than the one built into Windows. Six months earlier, I suggested that you pass on the third-party tools and stick with the Windows Firewall despite its shortcomings.
So which side of the fence am I on now? The simple side. The fact is, any third-party security tool complicates your setup. It's not difficult to find weaknesses in the Windows Firewall, but it's safe enough for most PC users, and it's much better than using no software firewall at all.
My previous post included links to information on Microsoft's TechNet site providing technical details of the Windows Firewall, tips for customizing the Windows Firewall, and help troubleshooting the firewall in XP and Vista.
Don't hesitate to try another free antivirus program
Just last week, I switched antivirus programs on my XP test system--for the umpteenth time. Something was slowing the system down, and after defragging the hard drive and doing other standard maintenance tasks, the machine's performance didn't improve as I expected it to.
Rather than go through a bunch of diagnostic tests, I simply uninstalled the system's antivirus tool and downloaded a competing package. The old and new programs were both free, and the switch didn't take much time to complete. The topper? The XP machine's performance perked up immediately.
Two antivirus programs that are free for home use and that are currently highly rated are Avast Home Edition and Avira AntiVir. You'll find a list of dozens of antivirus programs for Windows on this Download.com page.
Change your password...again
I hate those "your password will expire in x days" warnings as much as you do, but one of the simplest ways to protect yourself is by keeping your passwords fresh. Last year, I described the Ten Password Commandments, one of which was to devise a password-creation strategy that's all your own.
Just two months ago, I complained about the shortcomings of passwords as our primary security option, though I concluded that there's nothing better, for now. Lots of people swear by password managers such as RoboForm, but then you have yet another third-party app complicating matters.
For me, it's simpler just to devise a new password based on my unique, inimitable password-creation system, which I share with no one. No need to write it down, enter it in an online form, or encrypt it in a master-password file. Temporary amnesia, well, that's another matter.
For secure e-mail, use encryption
You would think that encrypting e-mail would be a breeze, but doing so is anything but. You and the recipient have to deal with digital certificates, public and private keys, and any number of other time-eating preparations and precautions.
The simplest way I know of to encrypt your e-mail is by using the Mozilla Foundation's Thunderbird with the Enigmail extension. Jason Thomas provides step-by-step instructions in this tutorial on the Lifehacker site.
Gmail users can secure their e-mail communications by enabling the service's built-in encryption. To do so, click the Settings button at the top-right of the main Gmail screen, scroll to the bottom of the General tab, select "Always use https," and click Save Changes.
Select "Always use https" under the General tab in Gmail's Settings to encrypt your messages.
(Credit: Google)
Keep your browser up-to-date
Most people will tell you that the Mozilla Foundation's Firefox browser is the safest way to surf, but a recent report from Google Switzerland and the Swiss Federal Institute of Technology found that "(u)sing the most recent version of a browser will lower the risk associated with drive-by-downloads and other Web-based attacks, which start by targeting the browser."
The report cites Google Chrome's silent updates as the best way to ensure that your browser is protected. The researchers also laud Chrome's lack of a way for users to disable its silent-update feature. Some people will object to software being downloaded to and installed on their system without their knowledge, but the fact is, these behind-the-scenes updates are the best way to keep you safe from the Internet bad guys.
Personally, I'm starting to rethink my choice of default browser. But as I mentioned earlier, you can't put any faith in a computer security product's reputation. And you can't be afraid to switch.
Goodmail Systems unveiled on Thursday its CertifiedVideo, which offers streaming video capabilities within e-mail.
Goodmail, which provides companies and nonprofits with encrypted e-mail, is adding embedded streaming video capabilities to its service.
"Americans watched more than 14 billion online videos this past January alone. With CertifiedVideo, consumers can now watch videos within their e-mail in-box without having to click to an external Web site, and brands can tap into shifting media consumption habits and craft truly interactive, e-mail 3.0 marketing campaigns," Peter Horan, Goodmail CEO, said in a statement.
AOL is the first e-mail provider to offer Certified Video. Among the companies sending footage over the e-mail service are Country Music TV, LiveNation, The New York Times, and Target.
With its CertifiedVideo service, Goodmail first analyzes a prospective sender's video player for code stability and platform compatibility, with the aim of ensuring the video can be delivered and viewed. After it's been approved, a sender can use Goodmail's CertifiedEmail system to add encrypted video tokens to outbound messages.
The outbound messages are designed to notify the recipient's e-mail provider to deliver the message directly to the recipient with the video content enabled, according to Goodmail.
I've recently written about a new standard published by the Trusted Computing Group (TCG) for self-encrypting drives. With this standard, Fujitsu, Hitachi, Seagate, Toshiba, and Western Digital are shipping or will soon ship self-encrypting hard drives for laptop computers. This in turn should prompt a transition, where users will opt for systems with self-encrypting drives rather than install encryption software utilities.
To me, this conversion is inevitable since hardware-based cryptographic processing tends to lead to superior security and performance while eliminating the muss and fuss around software procurement, installation, and maintenance.
Given these benefits, I believe that the U.S. federal government should make self-encrypting drives a new standard for all federal system purchases. This would not only enhance the security of private data on federal systems but also help jump-start this tech industry transition. This is a perfect opportunity for the federal government to take the lead because:
Demand for encryption remains high. In 2006, the Office of Management and Budget instructed civilian agencies to put a plan together for laptop security within 45 days. Subsequent to this plan, agencies were supposed to encrypt all laptops. According to several estimates, somewhere between 50 percent and 60 percent of these laptops remain unprotected. If all new systems contain self-encrypting drives, federal agencies can focus their attention on a stop-gap plan for aging systems in the field.
The federal government has programs and people in place. The Department of Defense and General Services Administration have already established a "Data at rest Tiger Team" to address this problem in the defense community. It is safe to assume that this team knows what's out there, which systems are still vulnerable, and which ones are up for replacement. Adding systems with self-encrypting drives could provide this team with a new tool to accelerate this effort.
Self-encrypting drives could help secure the new Federal Desktop Core Configuration (FDCC). To improve security, federal officials are in the process of defining a set of FDCC guidelines for laptops and desktops. With self-encrypting drives, these systems will be secure upon delivery.
The Defense Department is slim on procurement people. Just last week, a team of experts told a Senate committee that the Defense Department is constrained by a lack of procurement people. OK, so here's a thought. Wouldn't it be more efficient to purchase systems with self-encrypting drives once rather than purchase systems and then purchase software? Oh, and self-encrypting drives would also eliminate the systems integration burden as well.
I could go on and on, but I think I've made my point. The federal government could improve security, lead the industry, and lower costs by embracing self-encrypting drives for all new systems. This should be plenty of motivation for federal agencies such as the General Services Administration, the Department of Defense, and others in the Beltway to get busy.
