Predator Software Pirated?

This isn't good:

Intelligent Integration Systems (IISi), a small Boston-based software development firm, alleges that their Geospatial Toolkit and Extended SQL Toolkit were pirated by Massachusetts-based Netezza for use by a government client. Subsequent evidence and court proceedings revealed that the "government client" seeking assistance with Predator drones was none other than the Central Intelligence Agency.

IISi is seeking an injunction that would halt the use of their two toolkits by Netezza for three years. Most importantly, IISi alleges in court papers that Netezza used a "hack" version of their software with incomplete targeting functionality in response to rushed CIA deadlines. As a result, Predator drones could be missing their targets by as much as 40 feet.

The obvious joke is that this is what you get when you go with the low bidder, but it doesn't have to be that way. And there's nothing special about this being a government procurement; any bespoke IT procurement needs good contractual oversight.

EDITED TO ADD (11/10): Another article.

Posted on October 20, 2010 at 7:21 AM • 40 Comments

Comments

unknown • October 20, 2010 8:32 AM

40 feet is a lot to miss. Maybe that explains the loss of civilian lives in the current war inflicted by drones that are supposed to hunt hidden talibans.

checco • October 20, 2010 8:52 AM

What scares me more than anything is the fact that developers of this system (in a rush to meet deadlines) used a "hack" version. Imagine the serious implications if that "hack" version really contained malware used to re-adjust geospatial coordinates to U.S. targets?

Garrett • October 20, 2010 8:55 AM

It begs the question: Will those affected by civilian casualties caused by predator drones have legal recourse against the CIA and Netezza?

Mike • October 20, 2010 9:35 AM

I generally try to stay more than 40 feet away from enemy targets, but that's just me.

Petréa Mitchell • October 20, 2010 9:39 AM

unknown:

It depends on what the drone is armed with. If it's the sort of munition that takes out everything in the same postal code, 40 ft is no big deal and the mistake is choosing to fire when there are noncombatants in the vicinity at all.

Bill • October 20, 2010 9:46 AM

@Petréa Mitchell

The postal code* targeting feature is in the next release, but requires an Internet connection. It includes a 'track my predator' function, accessible via the Web UI, or handy iPhone/Android app.

*ZIP Codes excluded to avoid own goals.

a • October 20, 2010 10:39 AM

@Petréa Mitchell

Armed Predator drones are generally firing the Hellfire II missile, which is relatively small. 40 feet off-target is, well, bad.

BF Skinner • October 20, 2010 10:57 AM

@Garrett "Will those affected by civilian casualties caused by predator drones have legal recourse against the CIA and Netezza?"

I'm told the rules of remedy are different in a war zone than in a non-war zone. A tank that shells a school in the US mid-west would get a judgement (more likely a settlement). A tank shelling a school outside of Kandahar is 'minimized collateral damage'. This is the genius behind declaring a Global war.

@Mongo
35 U.S.C. 181 also gives the US Government the power to squash inventions

"Whenever the publication or disclosure of an invention by the publication of an application or by the granting of a patent, in which the Government _DOES NOT HAVE_ a property interest, might, in the opinion of the Commissioner of Patents, be detrimental to the national security, he shall make the application for patent in which such invention is disclosed available for inspection to ...(various people) ... of the Government designated by the President as a defense agency of the United States.

If, in the opinion of ...(various people) ... the publication or disclosure of the invention by the publication of an application or by the granting of a patent therefor would be detrimental to the national security, ...(various people) ... shall notify the Commissioner of Patents and the Commissioner of Patents _SHALL ORDER THAT THE INVENTION BE KEPT SECRET_ and shall withhold the publication of the application or the grant of a patent for such period as the national interest requires, and notify the applicant thereof."

Emphasis mine. I'm surprised they didn't attempt this argument with Zimmerman in the 90s.

Trichinosis USA • October 20, 2010 11:28 AM

Business as usual indeed. When you miss a lot, it means you have to keep firing until you hit. Which makes those selling the weapons a lot more money.

They're not off by 40 feet. They're off by the distance from the CIA's bank account to Netezza's wallets. With death merchants like this contriving to live large at the American taxpayer's expense, who even NEEDS the Taliban?

Davi Ottenheimer • October 20, 2010 12:04 PM

Yeah, not good. I remember the Register article in Sept; something about "patriotic duty" to rush software development. Hard to forget a quote like this:

"My reaction was one of stun, amazement that they want to kill people with my software that doesn't work"

Nick P • October 20, 2010 2:42 PM

@ BF Skinner

It's good that Zimmerman accomplished what he did. Don't be giving them any ideas. One of us might have to use the Zimmerman defense one day, ya know?

@ J. Brad Hicks

Yeah, trusting the government to act nobly isn't very smart. From a business perspective, the government is dirtier and more conniving than most clients. I recall a guy in the Air Force who wanted to improve the personnel database using some good ideas he had. They told him no. He learned some programming on his own time and built a new database anyway. He tested it, it got a great reception, and he intended to license it to the Air Force. They stole it, he sued, and he lost. Big defense contractors make a ton of money on their work for the government, but this guy just had his stolen and the court didn't care.

To ye who shall innovate for US government: consider yourself warned.

here • October 20, 2010 3:29 PM

@Nick P

A long time ago, in a classroom far-far away, our instructor gave us some advice.

He said that if you are developing an application/system for a client that you suspect may not pay you when the project is completed, that you should plant a "bug" in the code. It should be set to disable the application about 6 months after deployment.

If the client pays you promptly, you can tell them you found a bug, and offer to repair it under the "warranty" you gave them.

If they don't pay you, let the bug disable their system, and wait until they offer you your initial payment to come and fix it.

Rob Shein • October 20, 2010 3:45 PM

@Mike:
Yes, but the real question is this: do the bad guys try to stay more than 40 feet away from you (and other innocents)? They actually tend to do the opposite, for obvious reasons.

What's really interesting to me is that IBM is currently in the process of acquiring Netezza. I wonder if that will continue, with such a high-profile (and liability-prone) situation now in play.

Richard Steven Hack • October 20, 2010 3:54 PM

Someone beat me to the Inslaw reference.

The PROMIS software was not only stolen by the US government, it was then RE-STOLEN by the Israelis who modified it and then allegedly RE-STOLEN AGAIN by people like Saddam Hussein and Osama bin Laden.

The less than amusing thing for me is that I was at one time sentenced to Federal prison by a judge who got his appointment from Ed Meese after participating in the theft of the PROMIS software. Nice knowing your sentencing judge himself belongs in prison.

Your tax dollars at work.

Back on topic, not only is the CIA using busted software, it's just been revealed that their "rules of engagement" have been loosened so that they basically can shoot anyone they want in Afghanistan and Pakistan if they THINK there is "a link" to the Taliban or Al Qaeda. In one case, some Taliban troops forced some guy to get them food and water from his place. Next day his place gets blown up by a drone, killing his son.

From a recent report by Gareth Porter:

Quote

The CIVIC researcher, Christopher Rogers, investigated nine of the 139 drone strikes carried out since the beginning of 2009 and found that a total of 30 civilians had been killed in those strikes, including 14 women and children.

If that average rate of 3.33 civilian casualties for each drone bombing is typical of all the strikes since the rules for the strikes were loosened in early 2008, it would suggest that roughly 460 civilians have been killed in the drone campaign during that period.

The total number of deaths from the drone war in Pakistan since early 2008 is unknown, but has been estimated by Peter Bergen and Katherine Tiedemann of the New America Foundation at between 1,109 and 1,734.

Only 66 leading officials in al Qaeda or other anti-U.S. groups have been killed in the bombings. Reports on the bombings have listed the vast majority of the victims as "militants", without further explanation.

End Quote

Richard Steven Hack • October 20, 2010 3:56 PM

Oh, and via a report yesterday, the US has massively increased the number of air strikes recently in Afghanistan and just delivered another aircraft carrier to the Arabian Sea to support a further increase.

Expect the civilian body count to rise dramatically since air strikes are even less precise than drone attacks.

Eric H • October 20, 2010 4:55 PM

"When will we begin to see drones over civilian airspace in the U.S.A.?"

About 4 years ago.

http://news.bbc.co.uk/2/hi/americas/5051142.stm

It is my understanding that LAPD or CHIPS has something larger coming online, and there are conflicts with FAA, FCC, and possibly DoD (because there is a lot of testing just beyond the borders of the San Angeles metropolitan area).

Nick P • October 20, 2010 5:43 PM

@ Eric H

Thanks for the link. My natural response was "that's... just... great..." Fortunately, I don't live in LA and I can always move to a town near a big city whose police force is ill-equipped to use, much less abuse, such technology.

Another tidbit of fortune: most confidential things I do happen in buildings with no strangers allowed. For those that need privacy, they can build a SCIF in their facility and ensure that unauthorized access is prevented with 24/7 guards. Only very trustworthy and cleared personnel should do the maintenance and their actions closely monitored and recorded. Everything that comes in should be bug swept for both active and reactive (EMF-injectable) bugs. Ban all electronics from entering it for best results.

With all this, you have privacy. If you didn't know the cost of privacy, now you do. ;)

ed • October 20, 2010 6:29 PM

@ Richard Steven Hack
... if they THINK there is "a link" to the Taliban or Al Qaeda. In one case, some Taliban troops forced some guy to get them food and water from his place. Next day his place gets blown up by a drone, killing his son.

When the drone's remote pilot was questioned, he said "I saw the underlined blue name and pointing-finger cursor, recognized it as a link to http://www.alqaeda.org/, and clicked it. Boom."

Petréa Mitchell • October 20, 2010 8:28 PM

Nick P:

Unfortunately, the drones get used more in less-inhabited areas of the US.

This has been a big deal in the general-aviation world the last couple years-- specifically that one is more likely to encounter a drone where there's no air traffic control, and the drones (at least the earlier models) can't see and thus can't dodge other aircraft. It's assumed to be only a matter of time before some small private plane gets taken out by a collision with a drone.

Clive Robinson • October 20, 2010 10:03 PM

@ Here,

"He said that if you are developing an application system for a client that you suspect may not pay you when the project is completed, that you should plant a "bug" in the code. It should be set to disable the application about 6 months after deployment."

In the UK this (if it can be proved) is a criminal offence under the Computer Misuse Act, and yes a one man developer was convicted in the UK (IIRC six month suspended sentence) for doing just this.

The correct way to do this sort of thing (so I'm led to believe) is for a developer to own the code and only licence its use subject to various provisions (one being payment). What the actual legality of this in the UK is as far as I'm aware there is no case law...

I once had a contract to supply a company with code and I wrote a preprocessor that stripped all comments and replaced meaningful names with random hashed strings of a long length, I also put a big chunk of functionality into library code that they did not get.

They tried to get cute with paying until they realised the code did not give them what they wanted. There was a little argument but as I pointed out to them they were "a bad debt" and it was "cash in advance" from then onwards. For some strange reason they accepted and gave me further work (go figure)...

Clive Robinson • October 20, 2010 11:03 PM

@ BF Skinner,

"35 U.S.C. 181 also gives the US Government the power to squash invention"

There is a solution to this that has been used for a number of years...

Get yourself a "Swiss Office" and apply for patent to both Switzerland and then the US.

The Swiss are known to be fairly accommodating to business and have been for a century or so (one of the reasons Crypto AG set up there).

The down side is as with nearly all countries patent systems outside of the US is no software or business methods patents allowed.

Also bear in mind the US patent system and the judicial processes surrounding it are also reputed to be the most dishonest one in the world for various reasons (submarine patents amongst other reasons). Which is why it saddens me that the European Patent Office under the pressure of the likes of Microsoft lobbyists is going that way and may actually end up worse (if that's actually possible).

@ Nick P,

"I recall a guy in the Air Force who wanted to improve the personnel database using some good ideas he had. They told him no"

As far as I'm aware (IANAL etc) in most parts of the world if you are waged or salaried then there is an implicit caveat that any innovation you come up with belongs to your employer, unless it is explicitly negated in your employment contract, likewise any benefits arising. Worse in some parts of the world you can be compelled legally to attend at your own expense to sign any licensing or other agreement arising from the patent within the life of the patent and several years thereafter if the patent becomes part of a legal dispute etc etc (I'm not sure if you can be compelled to pay for your own exhumation if you have the misfortune to be in that position ;)

The argument is generally that the employer facilitated the environment from which your ideas spring forth... However as some people have found even ideas that have absolutely nothing to do with a business can still be stolen by an employer.

An exception appears to be Japan where an employee successfully won a court case (design of blue LEDs IIRC) against their employer for the right to be compensated with a % of the profit of the business arising from the design ("pinch of salt" time the exact details are subject to the usual "Lost in Translation" etc).

The simple fact is patents originally thought up under Queen Elizabeth the First Of England (etc) were designed to protect the inventor but in the hands of the legal brethren have become a tool of unwarranted persecution and extortion that now stifle innovation not encourage it.

My advice to any employee is keep quiet and forget any bright ideas they are only going to hurt...

Nick P • October 21, 2010 1:09 AM

@ Clive Robinson

Good points. AFAIK, there is no implicit agreement to give up intellectual property in the United States. Like you said, we have a unique system of patents. The important thing here is actually copyright law. If it's my idea or original artistic work, they can't have it unless I explicitly give permission. This is why, in the US, tech companies often force their employees to sign agreements that say any idea the employee comes up with belongs to the employer. NDA's are also common and the two are a lethal combination to would-be inventors. Patents do trump copyrights, but you have to patent something first: copyright is free and instant.

The biggest threat for American workers who haven't signed these agreements is having their idea stolen by upper management. The company might claim that they came up with the idea, rather than the employee. Your implicit agreement argument might also be applied by the company's defense attorneys and could sway over a jury of non-experts. In any case, your advice to "keep quiet" is very good advice.

Concerned Human • October 21, 2010 1:49 AM

@checco "Imagine the serious implications if that "hack" version really contained malware used to re-adjust geospatial coordinates to U.S. targets?"

And the innocent civilians mistakenly targeted by these drones as a result of the "hack" is not a serious enough implication to you?

sooth sayer • October 21, 2010 6:30 AM

Yup .. worrying about 40 feet miss is noble .. dropping bombs from the sky is just a job!

Get real .. we need to be dropping nukes with about 10 mile radius of destruction not these flower petals.. innocent civilians -- really .. I love the concern for undead.

uk visa • October 21, 2010 6:41 AM

This is the shocking element of the story:
'Critics correctly find many problems with this program, most of all the number of civilian casualties the strikes have incurred. Sourcing on civilian deaths is weak and the numbers are often exaggerated, but more than 600 civilians are likely to have died from the attacks. That number suggests that for every militant killed, 10 or so civilians also died.'

http://www.brookings.edu/opinions/2009/...

BF Skinner • October 21, 2010 6:51 AM

@Skip "When will we begin to see drones over civilian airspace in the U.S.A.?"

Odd you should mention that. Drones are of course in use on the US-Mexico border. But I was walking from my car in DC and was overflown by what looked to be a drone. It wasn't a predator of course being propeller driven and looked more like an IAI Pioneer. Later the newscast said that drones are being deployed for 'traffic control'.

@Nick P "learned some programming on his own time and built a new database anyway. He tested it, it got a great reception,...,They stole it"

I've heard similar stories from other branches and here's the thing, he may have learned the skills on his own time but if he developed the application using AF licensed tools and time (say on a boring midwatch in a midwest winter) then arguably the output of his labor belongs to his service not him. My current contract with my company says essentially the same thing. I can get my name on the patent but essentially sell it to the company for a 'nominal' fee.

moo • October 22, 2010 7:32 AM

@BF Skinner:

"Later the newscast said that drones are being deployed for 'traffic control'."

That is code for "issuing speeding tickets". They do the same thing with helicopters and small planes, but those require human crew and are much bigger and heavier, so I guess the drones are cheaper.

vanilla • October 24, 2010 1:16 PM

@ BF Skinner ...

@Mongo
35 U.S.C. 181 also gives the US Government the power to squash inventions

... Tesla's face immediately sprang to my internal vidscreen ... however, in his case, perhaps there was ample reason for 'sequestering' his technology ... don't know if your Code reference was in force back then, but I have read that 'they' swooped in and gathered up his stuff ...

@ Skip ...

When will we begin to see drones over civilian airspace in the U.S.A.?

I have seen a drone twice, flying right over my head at a very low altitude while I was sitting in traffic, down here on the very edge of the Gulf of Mexico ...

@ BF Skinner ...

@Skip "When will we begin to see drones over civilian airspace in the U.S.A.?"

Odd you should mention that. Drones are of course in use on the US-Mexico border. But I was walking from my car in DC and was overflown by what looked to be a drone. It wasn't a predator of course being propeller driven and looked more like an IAI Pioneer. Later the newscast said that drones are being deployed for 'traffic control'.

... hmmm ... I didn't see any propeller ... but I don't recall turning around and looking out the back windshield at the drone's behind, so, it is possible that this was a 'speeder troller' and not border protection. If that is the case, I am suddenly frowning and not feeling all warm and protected ... (g)

van


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..