Talk:Lecture 10

From CyberSecurity
Revision as of 22:06, 6 November 2005 by Marty (talk | contribs) (Chemical weapons dumped at sea off the U.S. coast)

Jump to: navigation, search

Responsible Disclosure of the security vulnerabilities

Pravin Mittal

What should be responsible way to disclose a security vulnerability for an "ethical hacker"? I am little torn if there should be full disclosure to public or limited disclosure to the software vendor and disclose it only once the patch is out as I can see the pros and cons for both of them.

Limited disclosure helps vendor to release patches for the flaws before the bad guys decide to use for nefarious activities.

But what if vendors are not responsive and "black hat" hackers are capable of finding flaws on their own? And full disclosure may also allow especailly in open-source community to react quickly and fix the problem good example such as BugTraq.

Also to quote Elias Levy who was named "one of the 10 most important people of the Decade by Netword Computing" "Back in 1993, the Internet was actually far less secure than it is today because there was little or no dissemination of information to the public about how to keep malicious users or hackers from taking advantage of vulnerabilities,"

Also, I would like to hear from public policy students, if they are stated gudilines/laws/policy from the U.S government?

I did find the comment by Richard Clarke, President Bush's special advisor for cyber space security, said security professionals have an obligation to be responsible with the disclosure of security vulnerabilities. They should first report vulnerabilities to the vendor who makes the software in which the vulnerability is found, and then tell the government if the vendor doesn't take action.

Pravin Mittal


SMM: As usual, the criterion is easy to state but hard to operationalize. We should follow whichever practice minimizes the number of malicious exploits. The twist is that Dr. Lackey can find potentially disasterous problems that, apparently, the bad hat community never gets around to noticing and/or turning into actual disasters. Dr. Pustilnik's comment that his group is much more fiendish than the guys at bad hat conventions is pretty much the same point. If we believe that Microsoft has gotten out ahead of the (quasi-open source) bad hat community, then total openness might not be the best policy.

The idea that companies will ignore defects unless you do exploits is really interesting. In fact, it screams "institutional failure" or "market imperfection." More precisely, the intuition should be that there is some discrete thing wrong that, if you could only find and fix it, would make things globally better. The current hacker/exploit system looks like a bizarre historical accident that would never evolve the same way twice. Are there other mechanisms that would work better? For example, if companies were required to carry insurance, would the insurance company start jumping up and down to get their attention faster? Maybe that won't work, but it's worth thinking about what would.

BTW, the idea that security can now push back on marketing and say "that can't be done" is a very positive sign. In the old days, companies that shipped insecure products got the revenues and shifted the losses onto consumers. Now they are seeing something closer to the net cost. Telling marketing "no" says we're getting the incentives right, that projects with net negative value for society also have net negative value for the vendor.

The question about having prizes for bugs is really interesting. You could imagine that the expected payout per bug would be smaller than the $2K/person/day that MS pays out for finding bugs Lackey's way. I was particularly puzzled by the idea that paying people prizes for finding bugs is contrary to public policy. When you get past the "giving in to terrorists" rhetoric, what you're really doing is either outsourcing your bug-hunting or persuading people that it is more profitable to turn their discoveries into money than to be malicious. (In the latter case the semi-ethical hackers get subsidized to discover more bugs than they otherwise would, so some of the bugs you buy might never have been discovered without a prize and are therefore wasted. But the same thing happens when you hire Lackey, so you can't really count it as a fundamental objection.) I suppose that there are also mechanical problems with prizes -- you don't want to pay prizes to guys who then turn around and do exploits anyway -- but one imagines that there are fixes for that. For example, you could make payment conditional on nobody exploiting the same bug for 90 days.

Finally, the continued prevalence of parsing and buffer overflow errors suggests that the industry isn't anywhere near the limits of what computer science knows how to do. Presumably, simple errors are about social institutions and incentives. The question is, what percent of the existing problem is amenable to those kinds of reforms? Using Microsoft bulletins to figure out what percent of problems are social vs. frontier CS problems would make an interesting term paper.

Geoff Voelker I found the attitude about buffer overflows from the first two speakers somewhat worrisome. Basically, they were not interested in exploits that a "trained monkey" could perform, like buffer overflows. Instead, they wanted to focus their attention on the tough, challenging cryptoanalysis problems such as finding flaws in security protocols (e.g., Kerberos or 802.11). This worries me because it falls into the classic pattern of not focusing on the easiest way to break a system (practical security), but instead on what is technically challenging or creative. (The perfect is the enemy of the good.)

Jeff Bigham

  • Prizes for Bugs. A complication with awarding prizes for finding bugs is coming up with a pricing structure that makes sense and doesn't end up making matters worse. A problem exists when hackers could get more on the open market for their exploits than they could from the prize, so, to make prizes work, businesses would always have to offer more than would be potentially offered on the open market. Given the presumed high profitability of bot nets and the like, it seems that a good exploit could potentially be worth millions. Unfortunately, the potential payoff may be much higher than what the hacker could actually get and it seems incredibly difficult to gauge that accurately. It's also not clear to me how a hacker could prove to Microsoft that they've found a legitimate exploit without giving away a huge hint to how it was accomplished (if they break into a Microsoft computer, they've probably left breadcrumbs that the smart people at Microsoft could piece together). Given the uncertainty of these new psuedo-ethical-maybe hackers at so many levels it seems like MS might be out a whole lot more money paying off a lot of threats of dubious seriousness with the side effect of enticing people into targetting their software instead of that of their competitors. Without prizes, however, MS can hire people to do the same sorts of things while under their control and without nearly as much risk of them going bad.

Geoff Voelker There are a couple of assumptions here that may not hold. First, I suspect that there are many more people willing to submit exploits for prizes than to put them on the botnet market. Prizes make the effort legitimate, and turn it into a programming activity like any other (e.g., Google giving prizes for the programming projects). Second, you do not necessarily have to exploit a computer at Microsoft -- you just need to demonstrate one in MS software.

BotNets and Windows Operating Systems

Chris Fleizach - We haven't heard a great deal of BotNets in this class, but I think their threat potential deserves attention. A few reports have come out from industries, like online gambling (usually operating outside the US and its legal protections), that have detailed either how they succumbed to or defeated a targeted DDoS attack from a BotNet. Although I couldn't find a reference, there was a Wired article about an off-shore gambling company which was the target of an attack that at its peak had 3Gb/sec directed at it. I'm assuming 100% of those hosts were compromised Windows machines (otherwise separate botnet software would have to be written for each type of OS for little gain). I was curious if Microsoft thought they should take an active role in stopping the BotNet problem, or if they were responsible at all. In one sense, the software controlling the computer for the BotNet was allowed to be installed by the user and it must do what it needs to do. The system assumes the user installed it and runs with the user's privileges. Many times, social engineering can fool a user into installing such software without exploiting vulnerabilities inherent in the OS. The first speaker mentioned that they would continue to improve their spyware and adware detectors, frequently sending updates that can find new engines. The most obvious problem with this approach, is that an entriprising hacker can write his own BotNet controller that Microsoft won't know about it.

The next obvious solution is to turn on the firewall and disallow incoming connections, which would stop a BotNet controller from accessing the computer. But currently, when software is installed as a user, there is nothing stopping that software from disabling the firewall entirely, or just for the specific port needed. Linux and MacOS both require a password to enter the control panel and change settings like the firewall, but Windows has never done this. Access is granted based on the first login. It seems, just from a cursory examination, that preventing BotNets might start by allowing access to critical system configuration through passwords. Does anyone from MS know if Vista will do more to protect against these problems? Do they have better ideas about stopping BotNets before they start? Is it their problem at all?

Geoff Voelker

We will hear more about botnets later in the quarter.

As to whether MS feels responsible, I would put it in terms of whether MS feels market pressure. And the answer is yes -- they incur a huge support cost as a result of spyware, adware, etc. Malicious code tends to cause stability problems on people's computers. The first place people blame and call is MS. Since support is costly, MS would like to eliminate the source of those calls.

I'm not entirely clear on the proposed scenario, but I don't think that firewalls are a solution here. Once malicious code is able to run on a machine, it can control the firewalls.

--Imran Ali 12:42, 4 November 2005 (PST) It looks like the FBI apprehended the 'Botmaster', see article: FBI agents bust Botmaster His sentence carries a maximum term of 50 years. It looks like the government is cracking down hard on this type of criminal activity. The article also indicates that the Botmaster was 'lured' to their FBI offices. I wonder how they actually tracked him down in the first place?

Examples of Vulnerabilities

Jeff Davis Last night people were asking for examples of security vulnerabilities that are beyond just the basic buffer overflow, things that tools like Prefix and Prefast can not detect. Internet Explorer has had plenty of these. We had an interesting vulnerability in the download dialog where the evil web site could repeatedly send an executable, causing IE to display the download prompt asking the user to Run, Save or Cancel. If the web site did it quickly enough they could create enough dialogs to run the system out of memory. When this happened, the dialog would fail to display. The developer who wrote the code never considered what would happen if DialogBoxParam() failed due to OOM and due to a quirk in the way he initialized his variables, the switch statement afterward would fall into the Run case allowing the bad guys to run arbitrary code on the machine.

In Writing Secure Code, page 54, when listing security principles to live by, Howard states clearly: "Don't mix code and data." Unfortunately for us, web pages by thier nature are mixtures of code and data. People have done all sorts of creative things with jscript. Prior to Windows XP Service Pack 2 web sites could call window.createPopup() (not the same as window.open()), creating a borderless, chromeless, topmost window with HTML content of their choosing. The function was originally intended to make scripting menus on web sites easier for developers. However, it lead to all sorts of spoofing attacks, like overlaying the Address bar with phone text, covering up the Cancel button on the ActiveX install dialog, etc. Another fun vulnerability was web sites that would wait for the mousedown event and then move the IE window out from under the mouse, creating a drag and drop event. If they were clever about how they did this, evil web sites could put links on your desktop, in your favorites folder, etc.

Obviously switching languages, from C++ to something "safer" is not a good solution, nor is relying on tools like Prefix (not to in any way disparriage the work the Prefix team does). I saw Theo de Raadt speak at an ACM conference once where he spoke about the OpenBSD three-year, line-by-line code audit. He said 90% of the vulnerabilities stemmed from people not fully understanding the APIs they called (or the documentaiton being broken, etc), and he is right.

False Postives in On-line Crash Analysis

Jeff Davis What the first speaker said about false postives is true. I debugged a lot of dumps where the stack cookie (/GS switch stuff) was clearly visible on the stack in the place it should be, only one bit had been flipped. Or it was one word away from where it should be on the stack. These are indicitive of faulty hardware (or overclocked hardware). Or the stack was just complete random garbage, which indicates a serious flaw somewhere but it is pretty difficult to debug if the stack is blown away.

In all the OCA buckets I have looked at, I only found one buffer overflow from a GS violation and it was a false postive-- the cookie was there on the stack just off by a bit. But while I was in there looking at the code, I noticed some string manipulation in a different function that looked suspect.

Single Point of Failure

--Chris DuPuis 15:15, 3 November 2005 (PST) In Brian Lopez's presentation, he described a wide variety of ways in which the details of a company's security infrastructure can become public, and the measures that he recommended to mitigate such information leakage.

However, he also mentioned the crates of security-related documents that organizations send to his team for the purpose of the intrustion test. In addition, he indicated that the clients sometimes (not always) call his team back to see how they have progressed. These two facts imply that, somewhere at Lawrence Livermore, there is a storeroom full of juicy security details for some of the most sensitive sites in the country. Also, based on the description of some number of crates per client, and the large number of clients, it seems likely that a great many of these crates are stored in some kind of offsite document storage facility.

I wonder if the clients are appraised of the risk associated with the storage area for these documents being compromised.

Chris Fleizach - In a similar vein, ChoicePoint, a company that sells reports to industries like insurance, collects, stores and analyzes sensitive consumer information. Last february there was an issue where they sold over a 150K credit reports to identity theives because they didn't have policy to do background checks on their customers. And more disturbing is that ChoicePoint has no financial incentive to keep the information secret, since they bear none of the costs of fraudelent transactions and identity theft. This seems exactly like a ploy Brian Lopez's team would go through when analyzing a company. I suspect most top-secret government institutions have policies that will usually make it too difficult for most attackers to get through, companies that hold data for consumers are more plentiful with less regulation. Information they hold is usually valuable to only one individual (like a credit report), unlike trying to protect a state secret. The result, a burgeoning atmosphere for criminals to try to exploit.

Passports and RFID

-Jessica Miller 16:10, 4 November 2005 (PST) I have come across a very relevant article in Wired [http://www.wired.com/news/privacy/0,1848,69453,00.html?tw=wn_tophead_2 Fatal Flaw Weakens RFID Passports ] and thought it would be of interest to many of us. The article is written by Bruce Schneier who wrote the pop-security book called "Secrets and Lies: Digital Security in a Networked World". In the Wired article, Schneier talks about the RFID technology and the privacy issues that come along with deploying RFID in passports. Schneier also explains how the State Department has tried to mitigate these security concerns with various "fixes". In end, though, Schneier is still dissatified and argues that this RFID passport technology should have not been designed behind closed doors and should be accessible to public scrutiny. In any case, I thought this was another excellent example of whether or not technology should be made available to the public as a security measure. (Also it is very relevant as the State Department plans to issue these RFID passports in October 2006.)

Not sure what part of the lecture discussion this fits in, but I highly Brian Lopez's talk. He did a great job of breaking down what his group does in terms of pre-assessment, assessment, and post-assessment. The fact that his group examines everything from an organzation's press releases, annual reports, firewalls, and physical compound etc. was amazing. I wondered how long this process takes?? Do you think the assessment program lasts a few months, a year, or longer? I don't know how fast his staff can accomplish certain tasks or how many people he has working for him.... Katie

Chemical weapons dumped at sea off the U.S. coast

Marty Lyons, UW -- This article from the Daily Press (Newport News, VA) details chemical weapons which were dumped at sea. They are now decaying and beginning to show up in fishing nets, marine life, and more. The effects of this short-sightedness could be long-term and influence all kinds of human usage of waterfront areas, seafood consumption, and further exploration of sea areas for other uses such as oil production. There is as yet no major public or political response, but one could imagine this will be a major news event once there is an actual public safety impact; hopefully this situation is noted and acted on by the media and Congress.

--- http://www.htdaw.blogsource.com

Weapons of Mass Destruction Found! Saturday, November 05, 2005 at 11:13 PM PST 

http://tinyurl.com/d5mr6

Decades of dumping chemical arms leave a risky legacy

BY JOHN M.R. BULL Daily Press (Newport News, Va.)

NEWPORT NEWS, Va. - In the summer of 2004, a clam-dredging operation off New Jersey pulled up an old artillery shell.

The long-submerged World War I-era explosive was filled with a black tarlike substance.

Bomb disposal technicians from Dover Air Force Base, Del., were brought in to dismantle it. Three of them were injured - one hospitalized with large pus-filled blisters on an arm and hand.

The shell was filled with mustard gas in solid form.

What was long feared by the few military officials in the know had come to pass: Chemical weapons that the Army dumped at sea decades ago finally ended up on shore in the United States.

It's long been known that some chemical weapons went into the ocean, but records obtained by the Daily Press show that the previously classified weapons-dumping program was far more extensive than ever suspected.

The Army now admits that it secretly dumped 64 million pounds of nerve and mustard agents into the sea, along with 400,000 chemical-filled bombs, land mines and rockets and more than 500 tons of radioactive waste - either tossed overboard or packed into the holds of scuttled vessels.

A Daily Press investigation also found:

These weapons of mass destruction virtually ring the country, concealed off at least 11 states - six on the East Coast, two on the Gulf Coast, California, Hawaii and Alaska. Few, if any, state officials have been informed of their existence.

The chemical agents could pose a hazard for generations. The Army has examined only a few of its 26 dump zones and none in the past 30 years.

The Army can't say exactly where all the weapons were dumped from World War II to 1970. Army records are sketchy, missing or were destroyed.

More dumpsites likely exist. The Army hasn't reviewed World War I-era records, when ocean dumping of chemical weapons was common.

"We do not claim to know where they all are," said William Brankowitz, a deputy project manager in the Army Chemical Materials Agency and a leading authority on the Army's chemical weapons dumping.

"We don't want to be cavalier at all and say this stuff was exposed to water and is OK. It can last for a very, very long time."

A drop of nerve agent can kill within a minute. When released in the ocean, it lasts up to six weeks, killing every organism it touches before breaking down into its nonlethal chemical components.

Mustard gas can be fatal. When exposed to seawater, it forms a concentrated, encrusted gel that lasts for at least five years, rolling around on the ocean floor, killing or contaminating sea life.

Sea-dumped chemical weapons might be slowly leaking from decades of saltwater corrosion, resulting in a time-delayed release of deadly chemicals over the next 100 years and an unforeseeable environmental effect. Steel corrodes at different rates, depending on the water depth, ocean temperature and thickness of the shells.

That was the conclusion of Norwegian scientists who in 2002 examined chemical weapons dumped off Norway after World War II by the U.S. and British militaries.

Overseas, more than 200 fishermen over the years have been burned by mustard gas pulled on deck. A fisherman in Hawaii was burned in 1976, when he brought up an Army-dumped mortar round full of mustard gas.

It seems unlikely that the weapons will begin to wash up on shore, but last year's discovery that a mustard-gas-filled artillery shell was dumped off New Jersey was ominous for several reasons:

It was the first ocean-dumped chemical weapon to somehow make its way to U.S. shores.

It was pulled up with clams in relatively shallow water only 20 miles off Atlantic City. The Army had no idea that chemical weapons were dumped in the area.

Most alarming: It was found intact in a residential driveway in Delaware.

It had survived, intact, after being dredged up and put through a crusher to create cheap clamshell driveway fill sold throughout the Delmarva Peninsula.

The Army's secret ocean-dumping program spanned decades, from 1944 to 1970.

The dumped weapons were deemed to be unneeded surplus. They were hazardous to transport, expensive to store, too dangerous to bury and difficult to destroy.

In the early 1970s, the Army publicly admitted it dumped some chemical weapons off the U.S. coast. Congress banned the practice in 1972. Three years later, the United States signed an international treaty prohibiting ocean disposal of chemical weapons.

Only now have Army reports come to light that show how much was dumped, what kind of chemical weapons they were, when they were thrown overboard and rough nautical coordinates of where some are.

The reports contain bits and pieces of information on the Army's long-running dumping program. The reports were released to the Daily Press - which cross-indexed them to obtain the most comprehensive, detailed picture yet of what was dumped, where and when.

To put the information in context, the newspaper also examined nautical charts, National Archive records, scientific studies and interviewed dozens of experts on unexploded ordnance and chemical warfare in the United States and overseas.

The Army's Brankowitz created the seminal report on ocean dumping. He examined classified Army records and in 1987 wrote a long report on chemical weapons movements over the decades. It included the revelation that more than a dozen shipments ended up in the ocean. The report wasn't widely disseminated.

His follow-up report in 1989 uncovered - through review of other previously classified documents - the rough nautical coordinates of some dumpsites and the existence of more dump zones. In 2001, a computer database was created to include additional dump zones that the Army found and more details on some of the dumping operations.

The database summary and the 1989 report had never been released publicly before.

"I know I didn't find everything," said Brankowitz, who's worked for more than 30 years on chemical weapons issues for the Army. "I'm very much convinced there are records at the National Archives that have been misfiled. Short of a major research effort that would cost a lot of money, we've done the best we can."

The reports reveal that the Army created at least 26 chemical weapons dumpsites off the coast of at least 11 states - but knows the rough nautical coordinates of only half.

At least 64 million pounds of liquid mustard gas and nerve agent in 1-ton steel canisters were dumped into the sea, along with a minimum of 400,000 chemical-filled bombs, grenades, landmines and rockets - as well as radioactive waste, the reports indicate.

The Army's documents are incomplete or vague. Years of records are missing or were destroyed to clear office space at the Aberdeen Proving Ground in Maryland, a longtime chemical weapon research and testing base.

And the Army hasn't reviewed its records of chemical weapons dumping before World War II, when it was common to just throw the weapons into the ocean in relatively shallow water, Brankowitz said.

As a result, more dumpsites likely exist, he conceded.

The environmental effect of chemical weapons dumpsites is unknown but potentially disastrous.

Ocean depth varies widely off the East Coast. As a rule, it gradually deepens to 600 feet before hitting the outer continental shelf, which drops into very deep water. The shelf's location can be as close as 60 miles, or as far as 200 miles, from shore.

"The perception at the time was the ocean is vast - it would absorb it," said Craig Williams, director of the Chemical Weapons Working Group in Kentucky, a grass-roots citizens group. "Certainly, it is insane in retrospect they would do it."

"It would be inevitable, I assume, all of this will be released into the ocean at some point or another," said Williams, who has fought Army plans to incinerate some of the 44 million pounds of chemical weapons the country still has stockpiled. "I don't think anyone knows for sure the true danger. It's just a matter of opinion. You can say, 'It's going to kill everyone,' or you can say, 'It's not a problem.' The truth is somewhere in between."

Based on the information available, the Army presumes that most of the weapons are in very deep water and are unlikely to jeopardize divers or commercial fishing operations that dredge the ocean bottom.

John Chatterton doesn't believe that.

"I don't think it all is where they say it is," said Chatterton, a 25-year veteran diver who searches for undiscovered shipwrecks as host of The History Channel's "Deep Sea Detectives." "I've found a lot of stuff where it's not supposed to be. Absolutely, positively, it is not a guarantee it is there (in deep water)."

Chemical weapons were dumped long before electronic navigation systems were invented. Their nautical locations are based on the words of ship captains, who surely wanted to ditch their cargo quickly and, Chatterton suspects, likely cut corners.

"The guys who were doing this were scared of this stuff. They were well motivated to get rid of this stuff as fast as they could," he said. "So they could take it all the way out there or else they could say, 'This is good enough,' and be back in port in three hours. I know what they did. It's mariner nature."

One of the first of the now-identified dump zones created at the end of World War II was also one of the largest. The Army dubbed it Disposal Site Baker.

The Army has only the vaguest idea where it is on the ocean floor - somewhere off the coast of Charleston, S.C., the most specific surviving records indicate.

"I have never had any information to suggest this was done," said Charles Farmer, a marine biologist who's worked for South Carolina's Department of Natural Resources for almost 40 years.

"I would say this is not well known to us at all. This is something that is new, at least to me. It's incredible some of the things we've managed to do."

The first documented dump near that state was in March 1946, when four railroad cars full of mustard gas bombs and mines were tossed over the side of the USS Diamond Head, an ammunition ship.

Several months later, an estimated 23 barges full of German-produced nerve gas bombs and U.S.-made Lewisite bombs were dumped in the same location. Lewisite is a blister agent akin to mustard gas. A single barge carried up to 350 tons.

"If we don't have any idea of depths of water or location, hell, they could be anywhere," Farmer said. "As we have more and more activity and more and more development off the coast, I hope this was buried in 6,000 feet of water ... or a lot of this stuff is going to come back to haunt us."

There's one indication that those weapons were dumped in relatively shallow water: Army records show many of those 23 slow-moving barges were unloaded in one-day, out-and-back operations.

The records leave no doubt that other chemical weapons were dumped close to shore:

In 1944, at least 16,000 mustard-filled 100-pound bombs were unloaded off Hawaii in deep water only five miles from shore.

Several mustard gas bombs fell into the Mississippi River near Braithwaite, La., in 1945 and have never been found.

A reported 124 leaking German mustard gas bombs were tossed in the Gulf of Mexico off Horn Island in Mississippi in 1946 from a barge that returned to port a few hours later. The island is now part of Gulf Islands National Seashore, a popular vacation and fishing destination.

A 1947 dumpsite in Alaska's Aleutian Islands is only 12 miles from a harbor.

By the 1950s, the Army shifted much of its chemical dump operations north to the Virginia-Maryland state line and into deeper water.

In 1957, the Army dumped 48 tons of Lewisite off Virginia Beach, in 12,600 feet of water.

Four more dump zones were created more than 100 miles off the coast between Chincoteague, Va., and Assateague, Md. - tourist spots known for their unsullied beaches and populations of wild horses.

Dumped there in about 2,000 feet of water were at least 77,000 mustard-filled mortar shells, 5,000 white phosphorous munitions, 1,500 1-ton canisters of Lewisite and 800 55-gallon barrels of military radioactive waste.

It couldn't be determined what kind of radioactive waste was dumped. But there's one indication that it could be highly dangerous waste with a half-life of thousands of years.

National Archive records of the Army's secretive chemical weapons escort unit, reviewed by the Daily Press, show several shipments in the 1950s between a laboratory in Oak Ridge, Tenn.; other Army bases with chemical weapons slated for sea disposal; and the Yuma Testing Station in Arizona.

Oak Ridge was where thermonuclear weapons were being developed at the time. Yuma was a military test ground for weapons in development. Records show a shipment on March 7, 1953, contained 35,000 pounds of unidentified "classified materials."

The Army apparently stopped dumping radioactive waste in the late 1960s, the records show, when chemical weapons disposal operations again headed north in the Atlantic Ocean.

Two ships full of the most potent of all nerve gases, known as VX, were scuttled in 6,000 feet of water - miles off the coast of Atlantic City, N.J., as part of Operation CHASE. "CHASE" was Pentagon shorthand for "Cut Holes and Sink 'Em."

The nerve gas was in rockets encased in concrete before the ships were scuttled. The Army desperately wanted to get rid of these particular weapons. They also contained jet fuel to propel the rockets. The fuel had a tendency to "auto-ignite," or spontaneously explode.

The ships - the S.S. Corporal Eric G. Gibson and S.S. Mormactern - remain a potential danger. Although the rockets were encased in concrete, scientists don't know how quickly concrete breaks down from water pressure at such depths.

A third ship scuttled nearby is no longer a hazard: It blew up on its way to the ocean floor Aug. 7, 1968.

That ship, the S.S. Richardson, was filled with conventional high-explosive weapons and 3,500 1-ton containers of mustard agent mixed with water. It was on its way to the 7,800-foot bottom when a chain-reaction explosion went off, presumably caused by water pressure on one of the weapons that set off the rest.

"This is really quite disturbing," said U.S. Rep. Robert Andrews, D-N.J., who's been fighting Army plans to dump chemically neutralized nerve gas in the Delaware River. "I did not know of any of this. It's a very serious problem that state officials haven't been told."

Boaters, divers, fishermen and commercial seafood trawlers have no way to steer clear of the dumpsites.

That's because the Army has put only one of its 26 known chemical weapons dumps on nautical charts, according to records kept by the National Oceanographic and Atmospheric Administration.

The federal agency in charge of undersea cable-laying operations, as well as gas and oil ventures, has only a vague idea of where chemical weapons were thrown into the ocean, spokesman Gary Strasburg said.

That agency, the Minerals Management Service, knows only what the Army has revealed to that agency: that chemical weapons were dumped at sea and that some are in the Gulf of Mexico and off South Carolina, agency records show.

The effect of the dumping operations has never been studied. Few scientists knew that it was done, so studies of the decline in sea life over the years has never focused on the possibility of leaking chemical weapons.

Commercial fishing operations, as well as scallop and clam trawlers, have been forced to go farther and farther from shore over the past 25 years because sea life has thinned for unknown reasons. Some scallopers now dredge in up to 400 feet of water, which is more than 100 miles from the shore in some East Coast locations.

The bottom-dwelling cod population in the Northern Atlantic has been decimated.

Hundreds of bottlenose dolphins mysteriously washed up on Virginia and New Jersey shores in 1987. They died with large, never-explained skin blisters that resembled mustard gas burns on humans.

Federal marine scientists ultimately attributed the unprecedented number of dolphin deaths to a combination of morbillivirus - related to distemper in dogs - and potent vibrio bacteria from industrial pollutants.

That combination has killed other marine mammals over the years. But none has ever been found with its skin partly peeling off.

One marine mammal specialist who suspects that leaking chemical weapons killed the dolphins met Army officials and was told dumping had been done. But he was assured the weapons were unloaded too deep to harm the coastal-living creatures.

"You'd see the photos and you'd say, 'Man, this animal was burned by something,'" said Bob Schoelkopf, director of the Marine Mammal Stranding Center in Brigantine, N.J. He said "it is a very good possibility" that leaking chemical weapons killed the dolphins.

"It'd be nice to see the Army go down there and investigate, but nobody wants to open that book, it seems," Schoelkopf said. "You'd think they'd want to go look at those sites and say once and for all this isn't a problem. The amazing thing is they are not being monitored."

The Army also wondered whether its chemical weapons were responsible for the dolphin deaths and was preparing to investigate some dump zones. The project was scrapped when the deaths were attributed to the virus and bacteria, the Army's Brankowitz said.

Over the decades, the Army has conducted environmental tests on only four of its dumpsites - and none since 1975.

Some of the last tests the Army conducted were on the nerve-gas-filled ships off New Jersey. They found no evidence the weapons had leaked, Brankowitz said.

He said that led the Army to presume the pressure on the weapons as they sank to the bottom crushed the shells and made them squirt their deadly contents onto the seabed, where they long ago broke down into their non-lethal chemical components.

That might be wishful thinking, some scientists said.

Shells filled with chemical weapons are more likely to slowly leak over time than to be crushed while sinking, said Peter Brewer, a marine scientist at the Monterey Bay Aquarium Research Institute in California.

Regardless, he said, he considers the dangers of leaking chemical weapons in deep-water sites to be low.

He noted that the only Army chemical weapons dumpsite on nautical charts - the wreck of the S.S. William Ralston, scuttled 117 miles off San Francisco in the 1950s - hasn't been found to be leaking, though he said scientists have monitored it only "from a distance."

Not far from that wreck, scientists have determined that drums of radioactive waste dumped by industry in the 1950s have so corroded, they're now paper-thin - with holes in some of them, said Richard Charter, a California-based environmentalist with Environmental Defense.

He said he feared that recent congressional approval for offshore gas and oil exploration off the East and West coasts - permitted through this summer's lifting of a 22-year-old moratorium on the activity - could release the chemical agents from their containers.

"It certainly is within the realm of possibility," he said. "This is an invasive activity."

Seismic exploration is conducted by setting off huge airguns on the ocean surface and measuring the blasts when they bounce off the ocean floor. Such exploration and drilling operations have been conducted for decades in the Gulf of Mexico without releasing chemical warfare agents dumped by the Army in that body of water.

Overseas, scientists who monitor chemical weapons dumpsites off other countries have identified an unmistakable problem in the Skagerrak Strait, a narrow but deep body of water that separates Norway and Denmark.

In 2002, Norwegian scientists sent a remote-controlled vehicle to investigate four ships full of captured German chemical weapons. The U.S. and British militaries scuttled them after World War II in about 2,000 feet of water.

The Norwegians found that the sunken ships remained intact. Some of the shells had leaked. Others were slowly corroding. That reveals a problem that could last hundreds of years, the scientists concluded.

Soil sediment showed high levels of arsenic, a component of some of the chemical weapons. Arsenic is bioaccumulative. This means bottom-feeding shellfish are likely to be contaminated and pass arsenic up the food chain to accumulate in humans who eat them, the scientists learned.

Also worrisome: Nets from fishing trawlers were found tangled on some of the weapons-filled wrecks.

"It might be possible to get chemical ammunition in the nets, which could then be brought up to the surface and poison fishermen," the scientists wrote in a report on the expedition.

"It is also a possibility that fishing equipment could damage the wrecks and expose the chemical ammunition to the water, increasing the release of the agents to the environment."

The Army is obliged to at least assess the danger that the dumpsites pose today, said Lenny Siegel, director of the Center for Public Environmental Oversight who specializes in chemical weapons issues.

"If no one does a study looking for three-legged fish, how do they know it's not a problem?" he wondered.

"My guess is the risks are remote in most cases, but I think you have to at least evaluate the risk. They have to take continuing responsibility.

"They need to see if there is an impact on the food chain. If there is, you have to warn people. If so, they have to do something with them."

Retrieved from "http://cubist.cs.washington.edu/CyberSecurity/index.php?title=Talk:Lecture_10&oldid=2534"