TheTh NNationali l SSecurity Agency’s Review of Emerging Technologies 6œÊ£ÇÊ œÊÎÊUÊÓään

The Myth of Revolutionary Technologies

NetTop Eight Years Later

Text Extraction from Color Images

Web 3.0 — “Are we there yet?” The Next Wave

Letter from the Editor

How does a new technology—hardware or software—make it onto the shelves at your local WalMart or Best Buy? Where does it start? Who first thought of it? Who first created it? Some commercial technology starts right here at the National Security Agency (NSA).

When I began working at NSA two years ago, I was thrilled to learn about some of the amazing technology that happens here. As I settle into my job as Managing Editor of TNW, the thrills remain as I continue to learn about new technology, new software, and new research. Much of the amazing technology is classified, of course. But a surprising amount is not.

Of the unclassified technology, a small percentage is patented and can then be licensed for use by the commercial sector. This issue contains articles about several patented technologies now commercially available from NSA. Additionally, we have a thought-provoking commentary on the origins of technology from a senior scientist at the Defense Intelligence Agency (DIA).

I hope you enjoy your peek behind the curtain and find learning about NSA’s technologies just as thrilling as I have.

This cover of TNW shows a drawing of the Atanasoff-Berry Computer. The image, courtesy of Iowa State University, can be found at http://www.cs.iastate.edu/jva/images/abc-artists-concept.gif About the Atanasoff-Berry Computer: John Vincent Atanasoff, an electrical engineering professor at Iowa State College (now Iowa State University), along with graduate assistant Clifford E. Berry built the Atanasoff-Berry Computer (ABC) in 1937-1942. It wasn’t until 1973 that the ABC was officially recognized as the first electronic digital computer, when Federal Judge Earl R. Larson ruled that patents for the better-known ENIAC were invalid. A full-scale replica of the ABC is on display in Durham Hall on the Iowa State University campus. For more information about the Atanasoff-Berry Computer, read Atanasoff, Forgotten Father of the Computer, by Clark R. Mollenhoff.

The Next Wave is published to disseminate significant technical advancements and research activities in telecommunications and information technologies. Mentions of company names or commercial products do not imply endorsement by the U.S. Government. Articles present views of the authors and not necessarily those of NSA or TNW staff.

For more information, please contact us at [email protected]

CONTENTS

FEATURES 4 The Myth of Revolutionary Technologies

10 NetTop Eight Years Later

22 Text Extraction from Color Images

FOCUS 26 Web 3.0 – “Are we there yet?” The Myth of Revolutionary Technologies If you build it they will come, eventually!

ompared with past populations, minds that have come before us. exception, each discovery and advance we can consider ourselves the Advancing at an exponential pace, was nurtured by numerous parallel and Cmost fortunate humans to have we have come to expect revolutionary often unrelated societal and technologi- ever lived. People in developed nations technology to appear at any moment out cal developments. Ultimately, limita- today experience the inverse of Malthu- of intellectual ether. In the span of fifty tions of existing technologies and their sian subsistence. With nearly all physi- years we have leapt from the Atomic Age, inabilities to meet a pressing need drove cal needs met relatively easily, we have to the Space Age, to the Information Age, these advances. At the same time, new devoted enormous amounts of time and and now verge upon the Biological Age, technologies had to fulfill these societal effort to intellectual pursuits and leisure. an Age of willful genetic manipulation and economic imperatives. Essentially, to We can attribute this existence for the most and affordable designer genes. To most it become revolutionary, technologies had to part to the amazing evolution of science might seem that the technological advanc- emerge from inventive minds, and then lay and technology and its ready application es which brought about these revolution- in wait for the proper niche, fertile envi- to human needs. Society today is the bene- ary Ages immediately resulted from revo- ronment, and an imperative for change. ficiary of an evolution of science and tech- lutionary discovery. Today’s technologies developed by what nology stretching as far back into history This misperception persists even in paleobiologists have come to call punctu- as records of discovery exist. From fire the face of vast amounts of evidence to the ated evolution. to file servers, surfing on an ever advanc- contrary. Punctuated evolution, or “the theory ing wave of technology, we have ridden Revolutionary scientific discover- of punctuated equilibrium in evolutionary the shoulders and often the backs of many ies and technical advances foreshadowed processes,” explains the mechanism by generations of inventive giants and fertile the Ages of the 20th century. But, without which genetic mutations within a species the first operating gas turbine engine was demonstrated in 1903, Orville and Wilbur opted for the more conventional and reli- able piston-driven internal combustion engine attached to a propeller to provide thrust at Kill Devil Hills. But in 1939 an evolutionary punc- tuation occurred with the confluence of aluminum airframes; precision engineer- ing technologies; and inherent speed, alti- tude, thrust, and complexity limitations of the piston engine for aviation. These factors combined with the imperative of global warfare to drive the turbine engine to the aviation forefront. In the postwar Photo of Trimetric view of modern jet engine (GE90-115B) world, the market for high-altitude, high- Image courtesy of General Electric Company, ©2009 speed commercial flight above the tropo- sphere’s weather, made commercial jet come to rapidly dominate the entire case stretches back to the last ice age. flight the dominant means of global trans- genus. It also explains how one species By any measure, the gas turbine engine, portation and gave the general population becomes dominant, replacing the older nuclear energy sources, the laser, digital revolutionary access to the world. and previously more prevalent form of electronic computing, and genetic design Nuclear Power life. Punctuated evolution holds that the and manipulation have caused a revolution On December 2, 1942, in Chicago, biosphere consists of a pool of mutations in the way we travel, conduct war, commu- Enrico Fermi and his team of scientists that constantly emerge to test the environ- nicate, and ultimately view and manipulate and engineers achieved the first self-sus- ourselves and our environment. mental waters. If a mutation loses viabil- taining nuclear chain reaction.Two-and-a- ity, it dies out. If it remains viable, it may Jet Engines half years and several billions of dollars survive for a time. But if a confluence Sir Frank Whittle in England and later, on July 16, 1945, the world’s first of mutations, environmental change, the Hans von Ohain in Germany indepen- intentional runaway chain reaction took appearance of a unique niche, or the loss dently developed and introduced the place on the desert of New Mexico. In of an old niche occurs, the new mutations gas turbine engine to aviation in 1939. several microseconds, that chain reaction will rapidly replace the current dominant Ohain developed the world’s first jet yielded a detonation energy equivalent to species or genus and expand to dominate powered airplane when he fit his engine approximately 38 million pounds of high the biosphere until another punctuation to an airplane, the Heinkel He 178, in explosive. The concept of global war had event occurs. In other words, had earth’s August 1939. The British Gloster E28/39 changed forever. Nuclear power, the E environment stayed hospitable for dino- followed the Heinkel in 1941. The world’s in E=mc2, had in a matter of three years saurs or even had it changed at a geologi- first commercial jet airliner, the De Havil- come under human control, ushering in a cally slower pace, they’d still be here and land Comet, flew ten years later in July revolutionary era in the concept of warfare we would not. Though, most likely, a 1949. But nearly another two decades and power generation. polyglot of differentiated mice and mole passed before intercontinental propeller- But in 1945, what appeared to take species would exist as dino-food. Simi- driven air service departed the commercial place almost overnight had in reality taken larly, for a technology to become a revo- aviation scene. 50 years of research and development. In lution, a confluence of technological We can trace the entire history of 1896, the theory of the atom, which dates concepts, environments, and events must turbine powered aviation to well before back to ancient Greece, still remained in exist that bring it to the forefront, render- Frank Whittle, attributing the first working question. That year, Henri Becquerel, ing the older capability obsolete. gas turbine to Hero of Alexandria in the while studying phosphorescence, discov- To demonstrate the confluence of 1st century AD. Little more than a steam- ered spontaneous radiation in uranium conditions that must occur to result in driven sphere, it remained unready for salts. Spontaneous emission of particles technological revolution, let us trace the adaptation to supersonic flight. Issued in from certain minerals indicated that a new development of five technologies that 1791, the first patent for a turbine engine source of energy was somehow entrapped came of age in the 20th century. Each of emerged too early for the nascent avia- within these radioactive materials. Thir- these technological revolutions emerged tion industry. Montgolfier balloons and jet teen years later, Earnest Rutherford and from an evolutionary process that in one engines were not a proper mix! And, while Hans Geiger proved that atoms consisted

The Next Wave n Vol 17 No 3 n 2008 5 of a positively charged nucleus, which in and that matter would only absorb or emit the onset of European war in 1939, Fermi the case of a radioactive material sponta- light of specific energies. This “photo- moved from Italy to the United States and neously ejected positively charged alpha electric” theory would win Einstein the continued his work at Columbia Univer- particles, negatively charged beta particles, 1922 Nobel and foreshadow the develop- sity in New York and at the University of and neutral gamma rays. The emission of ment of the laser forty years later. Chicago. alpha particles transmuted the original One key particle remained missing On Saturday December 6, 1941, element into an entirely different element. from the nuclear energy equation. In Vannevar Bush, science advisor to Frank- This transmutation resulted in a net gain of 1932, James Chadwick identified the lin Delano Roosevelt, convened a meeting energy and loss of mass. Thus, in terms of stealthy charge-free neutron as a compo- of preeminent US nuclear scientists at mass the sum of the parts equaled less than nent of the atomic nucleus. With nearly the Cosmos Club in Washington, DC. He the whole. identical mass to the proton, the neutron aimed to focus the structure and direction In 1905, a young examiner in the became identified as the missing key to of nuclear research in the United States on Zurich patent office proposed two revo- nuclear fission. Electrically neutral and development of an atomic fission bomb. lutionary scientific theories. One theory yet massive, it served as an energetic Forty-five years of basic research and suggested that space and time were not probe that could penetrate deeply into the development had established the scientific absolute quantities to any observer, but atomic nucleus to investigate its properties basis for such a device. A letter from Albert that the quadratic sum of these four dimen- and ultimately split the atom. Einstein to President Roosevelt primed the sions (three space dimensions plus time) Nuclear fission of a heavy element, fiscal environment. The punctuation to this remained constant to all observers. Matter with a resulting emission of lighter nuclei scientific evolution came the next day at (m) and energy (E) became interchange- and slow neutrons, became the key to 07:48 Pacific time in Hawaii. able and the constant of proportionality harnessing atomic energy. In 1934, Fermi between these two quantities evolved as experimented on the neutron bombard- The Laser c2, the square of the speed of light. This ment of uranium but either failed to detect In 1959, Gordon Gould filed a patent proportionality is mathematically repre- or failed to report on fission. So in 1939, application for a device he called the laser. sented by the familiar E=mc2. When Otto Hahn and Fritz Strassmann, working Named for its mechanism of operation, applied to radioactivity, Einstein’s theory in Nazi Germany, reported to Lise light amplification by the stimulated emis- uncovered that the huge energy gained Meitner, a German émigré physicist living sion of radiation now commonly seen as in radiation equaled the nearly impercep- in Sweden, on the production of a barium “laser”—his patent suggested he could use tible missing mass. Enormous amounts of isotope from the neutron bombardment of the laser for spectrometry, interferometry, energy lay available and untapped in the uranium. Meitner recognized this as the radar, and nuclear fusion. Gould failed to atomic nucleus. Einstein’s second revolu- fissioning of the uranium nucleus. Based predict the two most prolific applications tionary theory that year held that matter on this work, Fermi predicted that he of lasers today. Since fiber optic commu- interacted with radiant energy (light) as if could create and sustain a chain reaction in nication and high density data storage and the light came in discreet bundles (quanta), uranium enriched in the isotope U235. With retrieval had not yet come onstage, we can excuse his oversight. Yet, today, due to serendipitous and parallel technological developments, the speed of fiber optical cable laying approaches the speed of light and the Blu-ray DVD has grown into a multi-billion dollar industry. Theodore Miaman, working at Hughes Labs, produced the world’s first laser in 1960. An awkward device, it consisted of a ruby crystal pumped by white-light flash tubes. The lineage from that first device to blue laser diodes has taken many paths simultaneously. Government and industry have made enormous investments in laser development, and the paths of develop- ment have diverged wildly. Imagine a modern world without laser communica-

Photo of Trinity site explosion, .016 seconds after explosion, July 16, 1945 tions, manufacturing, scanning, measur- Photo credit: Los Alamos National Laboratory ing, and computing. Current military navi-

6 The Myth of Revolutionary Technologies gation, guidance, and tracking and target- lations.) These calculating devices gener- tion, and reliability of the computer out ing technologies largely depend on lasers. ally consisted of wheels and slides operat- of reach for most users. The computing High-power chemical lasers have emerged ed by cranks, thumb wheels, or push rods. market thus stayed relatively small, with to shoot down missiles in flight. And at the Until the 1970s, one of these devices, the these factors combining to limit the use of Department of Energy’s National Ignition slide rule, dominated the scene, dangling electronic computers to governments and Facility (NIF) the hope of inertial confined from the belt of almost every engineering large corporations. nuclear fusion may eventually be realized. student worldwide. Electrical semi-conductive proper- The investments in laser technology have In addition to one-time calculations, ties of solid-state materials became the paid off smartly and caused a revolution repetitive sub-routines, introduced in the key to making the computer available to in business, industry, and warfare, though early 19th century in the form of coded, a new generation of engineers, scientists, it first entered the lexicon of modern tech- wooden, card-like devices or paper rolls, and businessmen. For decades, the unique nology and language 47 years ago. automatically controlled repetitive tasks properties of silicon and germanium crys- Einstein’s 1905 and 1917 papers on performed by manufacturing machinery tals had been exploited to demodulate AM the photoelectric effect and the quantum and beer-hall musical instruments. By the radio frequency signals into acoustic elec- th theory of radiation laid the theoretical early 20 century, electric motors joined tric signals. Crystal sets, which preceded foundation for the laser. But 43 years of the ever more complex wheels, slides, the vacuum radio, employed these crystals to drive an earphone and create sound. research, development, and investment and keys to turn cranks faster and more continuously. They enabled the mechani- Though a patent for the point-contact had to take place before a practical laser cal calculator to address difficult problems crystal diode was filed in 1906, it wasn’t came to fruition. created by numerically solving complex until 1947 that Bardeen, Brattain, and In the 40 years following that first laser, differential equations. Specialized prob- Shockley at Bell Laboratories developed parallel technologies were developed that lems such as flight simulation prompted the first practical point-contact triode could employ the new technology, making the genesis of electrical analog models. employable as a switch or amplifier—the way for the current revolution in its use. In the later part of the 19th century, transistor. Eight years later, the Tokyo The Digital Electronic Computer two technologies critical to the operation Tsushin Kogyo Corporation paid a $50,000 The use of a counting machine to aid of a digital electronic computer dawned: license fee to use the Bell Lab transistor tedious numerical calculation has roots to the vacuum tube and Boolean algebra. design to build radios. In the same year, the abacus, which existed over a thousand But not until 1943 did Colossus, the first the Tokyo Tsushin Kogyo Corporation years ago. Even the term “computer” orig- fully electronic, partially programmable, decided to use the name “Sony” to better inated in the 17th century when individu- digital computer, begin operation. It was market the new transistor radio to the als named for their profession, computed sited at Bletchley Park, England, and was West. logarithmic, ballistic, and astronomi- designed to address the complex task of Besides amplification and rectification cal tables for ships and guns of Britan- breaking German military codes. Electron- for radios, the new transistor could act as nia’s Royal Navy. By the 18th century, ic computers evolved rapidly after the war. a switch, the fundamental device inherent analog mechanical devices for numerical By the 1950s, a census-taking company in all computer components from memory calculations were in development to aid converted itself into International Busi- to processors. This new switch could these computers. (Recent archeological ness Machines, IBM, and came to domi- convert the computer from a room-sized, evidence suggests that the ancient Greeks nate the computer field. But the vacuum unreliable, power-consuming behemoth to used such devices for astronomical calcu- tube kept the cost, size, power consump- a comfortable, wall-cabinet sized device

Photo of helium neon laser. Photo courtesy of NSF - Center for Biophotonics

The Next Wave n Vol 17 No 3 n 2008 7 that both universities and small businesses the science fiction nuclear holocaust genre biochemistry, Gregor Mendel’s empiri- could afford. In 1957, Olsen and Anderson in 1966 in the novel Colossus, the first of cally derived seminal paper on plant formed the Digital Equipment Corporation this ilk. On January 14, 1969, research- hybridization in 1865 showed that inheri- (DEC) and by 1964 had produced the first ers at Stanford Research Institute and tance properties had a scientific basis and practical solid-state “minicomputer,” the UCLA established the first ARPANET could be described and manipulated with programmable digital processor (PDP-8). link between computers. By 1983, newly mathematical precision. This work was the The PDP-8 sold for $16,000, equaling created computer networking protocols foundation of modern genetic theory. $200,000 today. allowed a wide variety of computers to Born in 1877, Oswald Avery, a physi- Despite the revolution in computers interconnect and ARPANET became the cian and molecular biologist, spent most instigated by the transistor, the combina- initial backbone of the Internet. The ubiq- of his career at the Rockefeller Institute in tion of two old and one new technology uitous use of the Internet and its compo- New York City. In 1918, Avery became into an application actually started the nents continued to develop in parallel with a key researcher in uncovering the nature personal computer revolution. Photolithog- market driven priorities and an exponen- of the Great Influenza Pandemic that raphy, acidic etching, and vapor deposition tially expanding set of global users. decimated populations globally. Avery allowed for the design of integrated elec- The revolution in computation and was constantly on the verge of a break- tronic circuits with hundreds to millions of communications, from cell phone to wire- through in the field of highly infectious transistors. These circuits have the capa- less internet, has reached its current state bacterial and viral disease, but it was not bility of performing billions of operations through a process of continuous evolu- until 1944 that he discovered DNA as the per second on silicon wafers no larger than tion from basic technologies to advanced stuff of genes and chromosomes. Since a postage stamp. These integrated circuits capabilities. None of today’s revolution- genes and chromosomes serve as critical constitute the guts of all digital electronic ary computer/communications products protagonists of heredity, as described by systems, replacing vacuum tubes, discreet emerged overnight. Slow progression of Mendel, it followed that the DNA mole- transistor components, and magnetic core research enabled the rapid proliferation cule would somehow determine inherited memory. of technologies. In communications and characteristics. While minicomputers proliferated, computers, the ever increasing consumer In 1953, Francis Crick and James the means by which humans could inter- demand and associated enormous profit Watson identified the now familiar double act with them and they, in turn, could potential serves as the most recent cata- helix and paired base structure of the DNA interact with one another paralleled the lyst. These punctuations in a technologi- molecule. The unique structure and chem- pace of hardware production. The devel- cal evolution began with the code-break- ical makeup of the DNA molecule provid- opment of one of the first interactive and ing applications of a world at war. ed them with the clues to its function as inter-networked computer systems began Genetic Manipulation life’s information storage device. at MIT’s Lincoln Laboratory in 1958. Genetic manipulation, which is at the DNA is a long polymer comprised of The Air Force’s Semi Automatic Ground core of the emerging Biological Age, is simple units called nucleotides. Its back- Environment (SAGE) system consisted of arguably also the oldest of the new tech- bone consists of sugars and phosphate redundant AN/FSQ-7 computers intercon- nologies. Attempts to alter genetic traits groups joined by ester bonds. Each sugar nected with distributed radars and operated may have started after the last ice age. in the backbone has one of four unique from radar consoles with light pen desig- The symbiosis that developed between base molecules attached. The directions for nators. Operators guided fighter-intercep- human and canine hunters led to the selec- constructing an organism are encoded in tor aircraft to targets by designating the tive breeding of wolves for hundreds of the sequence of these four bases arranged target with the light pen. The information purposes. Over thousands of years of along the backbone. DNA is organized up-linked to the airborne aircraft directed genetic modification, our carnivorous into structures called chromosomes, and the intercept. Data communicated between competitors came to be called “man’s best the complete set of chromosomes within remote radars and their local comput- friend.” a cell make up a genome. DNA replica- ers traveled digitally to the main SAGE For millennia, humans have known tion duplicates chromosomes before a cell system over standard telephone lines. that animal temperament and the physi- divides. The genetic information from one As SAGE operations began, an even cal characteristics of plants and animals generation of cells is thereby transferred to more ambitious concept unfolded at MIT transfer by some means from one genera- the next. and subsequently at the Advanced Research tion to another. By selective breeding for With this knowledge and the associ- Projects Agency (ARPA). This idea of a desired characteristics, we have empiri- ated biochemical tools at hand, it became “galactic network” incorporated hundreds cally created all kinds of domestic animals possible to map and to modify genomes. of interconnected computers around the and agriculture that would not have existed Thus genetically modifying an existing nation. First conceived in 1962, a network without human intervention. organism at the molecular level became a of military computers became the topic of Although it had little basis in reality. This new capability revolutionized

8 The Myth of Revolutionary Technologies genetics and enabled geneticists to change expect them. Even in directed research, the characteristics of an organism in one serendipity will often occur if the environ- generation rather than in hundreds. ment supports diverse investigations and By 1990, sufficient understanding interactions. Future technological advanc- of the critical role of DNA in human es that change our ways of doing business development, disease, and characteristics will come about only if we plant the seeds warranted an attempt by the government of innovation and nurture the crop of ideas. to begin the gargantuan task of mapping With this consideration, we must remem- the entire human genome in a project ber that failure to seed the future ensures named the Human Genome Project (HGP). that we will harvest the past. The Department of Energy, which led the project and invested three billion dollars over 13 years, released its report on the human genome in 2003—50 years after the Watson and Crick discovery of the structure of DNA. As we can see from these few simpli- fied examples, revolutionary discover- ies and technologies need time and trial before society embraces the revolution. I do not need or intend to detract from the tremendous scientific and technologi- cal contribution of 21st century research- ers to appreciate that underlying evolu- tion enables revolutionary technologies. Rather, I hope these examples convey a better understanding of the processes inherent in research. A scientific discovery or a technical breakthrough does not make a revolution. Chasms in time and technol- ogy generally exist between discovery and application. As evident from these five examples, fundamentally new discover- ies disrupt the status quo. This is seldom popular. Therefore, revolutionary shifts will occur only when the technical and societal environment can accept the new paradigms. We cannot bypass the slow process of transitioning discovery to appli- cation. Final application so often depends on key interrelated factors that remain irresolvable at the time of discovery. I hope these examples clearly illus- trate that the original intent of research very often does not relate to its final appli- cation. Because of parallel yet interrelated technical advancements in diverse fields, or because of unforeseen societal devel- opments, a technology created to effect change in one application will cross from one field of endeavor to revolutionize yet another. We can seldom predict serendipitous results from research but we should always

The Next Wave n Vol 17 No 3 n 2008 9 NetTop Eight Years Later

n the summer of 1999, NSA’s most NSA’s Information Assurance challenge to NSA’s Information Assurance senior Advisory Board issued a report Directorate (IAD) responded to the Research Group to launch a new effort to Iwarning of a serious and growing growing use of commercial technology deal with this problem. To ensure that their problem in the protection of government’s with a number of new initiatives. Some challenge was handled with appropriate most sensitive information systems. The attempted to raise the level of security urgency the Board insisted that a solution Board’s concerns acknowledged the provided by commercial products, but be developed within one year! The dramatic decline in information assurance the government market was far too small challenge was accepted, and the result was that many professionals had observed to have any real influence with successful NetTop. over the previous decade. Surprisingly, commercial vendors. The much-publicized NetTop was originally described in this decline occurred in spite of major and valiant Multilevel Information System the Fall 2000 issue of Tech Trend Notes advances in computer security spurred Security Initiative (MISSI) with its flagship (predecessor to The Next Wave). At that by the establishment of the National Fortezza encryption card attempted to time the project had just started and we Computer Security Center (NCSC) in provide a high assurance overlay to bolster were developing many new ideas for 1981 expressly for the purpose of securing the security of commercial products, but it potential applications of the technology. We critical information systems. Numerous too lost the battle of cost, convenience, and optimistically thought that within three to high-assurance computing platforms were interoperability in the desktop space. As five years we could get the technology into produced as a result of the NCSC’s efforts, the 90s drew to a close, NSA’s approach to our customer’s hands. Today, eight years but none seemed capable of coping with information assurance shifted to emphasize have passed and NetTop has yet to achieve the impact of the decade’s technological perimeter defense, intrusion monitoring, widespread use. So what happened? The phenomenon—the Internet. The 90s pro- and risk management. This situation editors of The Next Wave thought that a duced an explosion of new networking prompted NSA’s Advisory Board to sound retrospective look at NetTop’s history systems and services, and the widespread an alarm. The Board saw the government’s might be both interesting and informative. availability of powerful and inexpensive most sensitive information systems being This article describes the evolution of our commodity workstations powered by dominated by COTS technology incapable research and some of the novel approaches Microsoft’s ubiquitous Windows operating of providing the necessary levels of security, we attempted in order to deal with the system. Not even the national security and a government market insufficient to perennial problem of technology transfer. community could resist the functionality influence vendors to provide the requisite and cost savings this technology delivered, protection. The Advisory Board called Early R&D despite numerous assessments of its for a new strategy to be developed that NetTop began as a research initiative negative impact on security. Commercial- could leverage the commercial technology responding to a challenge of NSA’s off-the-shelf (COTS) information that users wanted but still provide the Scientific Advisory Board. The intent of technology had established a permanent higher levels of assurance they needed. the project was to explore new concepts for foothold within government. The Board’s report included a specific security architectures. It was not envisioned

10 NetTop Eight Years Later as the first stage of a new but traditional brought to market by a start-up company Our experiences as we attempted to product development. Historically, NSA’s known as VMware. The second ingredient answer these questions are the real story product developments have mainly focused was an NSA prototype operating system— behind NetTop. on link encryption solutions, many fielded Security Enhanced Linux (SELinux)—that Can we do it? in excess of 20 years but still capable of was gaining traction in the Open Source providing protection from cryptographic community. The combination of these After developing a crude first attacks even years after being removed technologies seemed to offer interesting prototype of NetTop, most of our time was spent trying to determine if virtualized from service. This approach to system possibilities for combining the COTS components were practical for use in security had worked well for decades, but hardware and software that users wanted systems that solved important user security it wasn’t delivering the kinds of solutions with the transparent security controls they problems. Although we encountered needed to protect modern information needed. systems against the new, active threats many technical challenges as we tried to Because of the unusual events that integrate SELinux and VMware into a encountered in networking environments. unfolded during the course of our work A new model for Information Assurance secure configuration, this portion of the on NetTop, it became necessary for us to (IA) solutions was being sought—one project proved to be the shortest phase of take our concept demonstration to a much better suited to today’s IT environment and the overall effort. more advanced stage of development capable of providing incremental security than usual, and we found ourselves in the improvements over time. uncomfortable driver’s seat of product The IA Research Group accepted developers. As we worked through the the Advisory Board’s challenge and issues associated with developing NetTop established a senior-level tiger team to for operational use, we had to answer a respond. To meet the one-year deadline, number of important questions: the group quickly focused its attention “Can we do this?” – Will the on some relatively well-understood technology work for the kind of technologies rather than defining a totally applications that users want? new research activity. Within several months we identified an approach using “Should we do this?” – Does the an interesting “technology cocktail” technology protect against expected that looked very promising. The first attacks without introducing new and more component of the cocktail was a refreshed serious problems? version of 1960s era virtual machine “Will we do this?” – Can we deploy (VM) technology that had emerged from this new solution and sustain it in the NetTop protype DARPA-sponsored research, and was field?

The Next Wave n Vol 17 No 3 n 2008 11 Does virtualization help to solve installed within a Windows OS can as encryptors could be limited to real problems? only be as trusted as Windows itself. processing data at one security level, One of the fi rst uses for NetTop that But installing the same IPSec stack in thereby reducing their complexity we considered was as a Remote Access its own container and linking it by a compared to devices that manage solution that would allow users to connect network connection to the Windows data and keys at multiple security to a secure enclave remotely using a container provides an Inline Network levels. Another approach that used the commercial laptop computer. Within Encryptor (INE) architecture that concept of isolated containers known several months we had a rudimentary limits the avenues of attack to just the as MILS (Multiple Independent prototype demonstrating this capability, network interfaces. See Figures 1a Levels of Security) was promoted and we soon realized that we should be able and 1b. for use in embedded systems. While to do much more with system architectures Providing multiple virtual machines MILS technology provided very using virtualized components. If we for a user gave us an opportunity to high assurance isolation, it didn’t could effi ciently support multiple virtual create multiple single security level have NetTop’s capability of hosting machines running concurrently on a single environments running simultaneously. Windows or other legacy operating workstation, then numerous other types of This capability was sometimes systems and applications, and so solutions would be possible. The NetTop confused with the traditional notion it wasn’t as useful for typical user prototype we constructed turned out to be of Multi-level Security (MLS) in needs. just one instance of a general architectural which a single environment protects Using partitions to separate approach to building solutions that could information objects with multiple information based upon integrity be used to solve many different security security levels. To help avoid this levels provided another capability problems. confusion we coined the term “Multiple that was useful in some applications. Remote Access Solution Lessons Single Level” (MSL) to describe the One such solution we developed— Learned capability that the NetTop architecture provided. See Figures 2a and 2b for BoxTop—permitted the execution of Working with our fi rst NetTop suspicious, and potentially malicious, prototype helped us to distill a number of a side-by-side comparison of MLS and MSL architectures. Using an programs in a confi ned space and important characteristics and benefi ts of MSL approach to architect a solution ensured that any harmful activity virtualization as an isolation mechanism. would involve using a collection of within that space could not spread Isolating a security critical component single security level VM’s that could further. We used one-way network like an IPSec encryptor in a separate communicate with each other using connections to transfer content into container shielded from the behavior network connections. This approach the container, but no connection was (or misbehavior) of the user’s to designing solutions gave rise to provided for transferring data out commodity operating system and the name NetTop—a Network on a of the container. This “virtual blast applications was helpful in restricting deskTop. Each of the individual VMs cage” could fall victim to an attack, the impact of software attacks. For would contain only data at one security but the damage was blocked from example, an IPSec encryption stack level. Even security critical VMs such propagating further.

IPSEC and IP represent vIPSEC and IP represent the the network stacks virtual network stacks Attacks App App Attacks Bypass

INE Router Operating Kernel Kernel m Operating Syste System IPSEC IP Kernel vIP vIP vIPSEC vIP Net Kernel Virtualization Layer

Hardware Hardware

Figure 1a: No virtualization layer. Attacks against the Figure 1b: With a virtualization layer. IPSEC can come from an application or through the OS. An Attacks from the OS and application can bypass the IPSEC and attack the IP directly. application are confi ned.

12 NetTop Eight Years Later Virtual Machine Container Virtual Machine Container

Net A WS A Net A INE A WS A

MLS Net B WS B INE Net B INE B WS B

Net C WS C Net C INE C WS C

Requires Multiple Multi-Level Single Level Support INEs

Figure 2b: Graphic of Multiple Single Figure 2a: Graphic of traditional Level” (MSL), a capability that the Multi-level Security (MLS) NetTop architecture provided

The isolation provided by the use of Should we do it? with VMware through a Cooperative separate virtual machines ensured that Research and Development Agreement Study 1: Does NetTop introduce (CRADA) to facilitate further NetTop changes to system components that more problems than it solves? development. were not security critical would not We soon convinced ourselves that impact security-critical components, a variety of useful solutions could be Study 2: What kinds of network and should reduce, if not eliminate, designed using the NetTop architecture. attacks does NetTop prevent? the need for lengthy re-evaluation The next important question that we had Our fi rst NetTop study investigated of the overall system. This use of to answer was whether our approach the security robustness of a standalone isolation improved NetTop’s agility would introduce more problems than it workstation, but we still needed to address by allowing it to quickly incorporate was solving. To answer this question we issues that might arise when network new commercial capabilities sponsored a workshop using some of connections were allowed. So the next without disturbing security-critical NSA’s best security evaluators to assess our question we wanted to answer was whether there might be any unique remote attacks components. We were able to quickly prototype. Using seven analysts over a ten- week period and with some limited input against a NetTop virtual machine solution create versions of NetTop that used from VMware developers, we explored the that didn’t exist in an identical system direct ethernet connections, modems, ability of the core NetTop technologies— using real machines. This was the focus of or wireless network adapters since no VMware running on a Linux host—to our next experiment. changes were required to the encryptor maintain isolation among virtual machines In the summer of 2001 we were able VM. and to maintain isolation of the Linux host to take advantage of a high profi le NSA On July 13, 2000, two months earlier from the virtual machines. intern program established to develop than requested, we met with the Advisory The results of this fi rst study were network security experts. As the fi nal Board to describe the architecture and encouraging—no apparent show-stopping project for the graduating class we devised fl aws were identifi ed. The analysts were an exercise to study network attacks demonstrate the prototype we developed given full access to a VM and were able against the NetTop virtual platform. The in response to their challenge. At the end to write any program they wished in intern group was composed of fi fteen of the briefi ng the Board surprised us with an attempt to crash another VM or the network security specialists who worked an unprecedented round of applause for host OS. VMware workstation reliably over a period of twelve weeks and were what they saw as a creative and useful withstood the attacks that were attempted led by one of NSA’s most talented and fi rst step to dealing with security in COTS and although a VMware virtual machine respected evaluators. Motivation in the technology. Subsequent phases of the could be crashed, the host OS and other group was high. They were eager to show project would prove to be much more VMs were unaffected. Following these that our solution was fl awed. Some of diffi cult. experiments, we expanded our relationship the bolder analysts were confi dent that

The Next Wave n Vol 17 No 3 n 2008 13 they would uncover “holes big enough to clear that users were simply not willing One of our fi rst steps after drive a truck through.” The class project to pay a premium for higher assurance. demonstrating our prototype in March was scheduled to run through the end of Our previous experiences with MISSI 2001 was to fi le a patent application to September 2001. and Fortezza were lingering reminders of gain control of the intellectual property For this exercise we created a specifi c this. It seemed to us that the most direct (IP) embodied in NetTop. In a somewhat NetTop confi guration that used two virtual approach for dealing with this problem unusual move for NSA, we also decided to machines running simultaneously, with was to develop technology that was useful seek a trademark for the name “NetTop,” each VM attached to a different network— for government applications but that also since it had gained a fair amount of in other words we created a “virtual KVM had broad appeal outside of government. recognition and therefore seemed useful to switch.” The user interface experience We believe that if we could stimulate the control. We wanted to avoid the unfortunate was one familiar to VMware users— development of a large commercial market situation encountered in the MISSI program two different desktops in two separate for this technology, the government could when their fl agship Fortezza token had to windows. We used SELinux as the host OS benefi t from the cost advantages of large- change its name from Tessera because of with a security policy crafted to provide scale COTS production. In effect we a trademark-fi ling oversight. The NetTop maximum protection for the host. The were conducting research in market trademark proved to be very useful in later sole function of the SELinux host was to development as much as in new security phases of the marketing program. Having provide an execution environment for the technology. protected NetTop’s IP and name, we began virtual machines. No user a search for industry partners accounts or user applications capable of commercializing were allowed on SELinux. It it. was a very tightly controlled While our main confi guration. In fact it effort was to transfer our was so tightly controlled technology to a commercial that the interns requested a partner, we knew that relaxation in the SELinux an NSA support group policy in order to allow for NetTop was needed an initial toehold for their outside of the research attacks. organization. We believed The group identifi ed a that NetTop’s long-term number of areas that could be success and its commercial improved and they pointed development strategy need- out some lifecycle issues ed a program offi ce within that should be considered in the IAD—NSA’s arm future deployments. But in responsible for developing the end this study reached security solutions. Unfor- NetTop and SELinux conclusions very similar to the fi rst, and tunately there wasn’t any pull from no show-stopping problems were found. We used a relatively new NSA the IAD for NetTop or its component program—the Domestic Technology technologies—SELinux and VMware. Will we do it? Transfer Program (DTTP)—to help us NetTop was seen as lower assurance From the outset our goal for with our attempts at market development. than the solutions that the IAD normally NetTop was as much about developing This program had been established in produced or endorsed. From our point new technology transfer approaches response to US Code Title 15, Chapter of view, NetTop offered an approach as it was about developing new 63, Section 3710, “Utilization of Federal that could deliver “high impact” to the technology. The motivation behind the technology,” to promote the transfer of assurance of customer missions rather NSA Advisory Board’s challenge was government sponsored research to the than just “high assurance.” Our belief that government needed more innovative public sector. The DTTP provided experts was that it provided a mix of functionality approaches for leveraging commercial to assist us in numerous areas related and value that users would embrace, technology so that it could be used for to tech transfer including identifying rather than the high assurance products sensitive applications. Government-unique candidate technologies, technology that were often developed but not widely IT developments (government off-the-shelf valuation, acquisition of ownership rights, used. We also believed that NetTop or GOTS) were far too costly to create and fi nding transfer partners, establishing provided much better assurance than the maintain, and frequently lacked capability partnering agreements, negotiating transfer COTS alternatives that customers were compared with COTS offerings. It was agreements, and overseeing relationships. adopting. Furthermore we saw a migration

14 NetTop Eight Years Later path for NetTop to even higher assurance experience, the class was viewed as a redesigned from the top down to give it solutions in the future. NSA’s Advisory useful sounding board, so they were the familiar look and feel of a standard Board seemed to agree, and in a July 2001 polled regarding NetTop’s suitability for Windows workstation. meeting they recommended that the IAD use at CENTCOM. The consensus was Other design changes targeted establish a program offi ce to manage the that NetTop was suffi cient for separating to CENTCOM’s operational needs development of NetTop solutions. adjacent security levels (TS and S for included an ability to access six networks The IAD approached the establishment example), but the group was reluctant simultaneously, dual monitor support for of a NetTop program offi ce very cautiously. to give an unqualifi ed recommendation more desktop workspace, and the ability A number of studies were undertaken to for its use to simultaneously access to run CENTCOM’s standard Windows suggest a product roadmap, an assurance Unclassifi ed networks. This endorsement software load in each VM. improvement roadmap, a business plan, was a signifi cant milestone for the project, By the end of December 2001 a small and an assessment of NetTop’s Total NetTop had been able to transform a team had been assembled to help the NetTop Cost of Ownership. The outline that highly motivated group of skeptics into PM manage the myriad activities required was developed for productizing NetTop supporters, albeit cautious ones. to advance NetTop’s development. Most focused on the simple virtual-KVM IAD management agreed that NetTop important was the transition of NetTop to confi guration that was built for our could improve CENTCOM’s operations, CENTCOM, which required the initiation ongoing security evaluation, with the and that it should be quickly retooled of a security evaluation and generation added restriction that only of the large body of adjacent security levels be documentation required by permitted (e.g. Top Secret the accreditation process. to Secret) and that cross Other important activities domain data movement be included establishing a prohibited. A management small NSA NetTop pilot, meeting to decide on the collecting feedback on way forward was held on user and administrator September 10, 2001— acceptability, and pro- but no decision could viding support to be reached. Ironically, NetTop developers. the terrorist attacks of The eventual tran- the following day— sition of NetTop to September 11, 2001—and CENTCOM was well the US military response intentioned but, unfortu- did determine the course nately, not well executed. of the program. While the technology The US Central Command CenTop Workstation was well received by us- (CENTCOM), headquartered in Tampa, ers, the various support groups that had Florida, led the US military response to the for use in an operational environment. A to administer it were not equally enthusi- terrorist attacks along with a large collection NetTop Program Manager (PM) was named astic. A number of operational diffi culties of coalition partners. IT support for this within the IAD’s product development were encountered, and while most weren’t immense operation was a daunting task, and organization, but because of the urgency due to design problems they nevertheless the crush of equipment required to access of the CENTCOM requirement, the contributed to an overall negative initial numerous coalition networks strained research group was given responsibility impression of the technology. One of our available space and power. On a visit to for developing and fi elding the production major oversights was not having 24/7 Net- CENTCOM shortly after 9/11 an IAD equipment. Top support available from the outset. representative noted this problem and The NetTop prototype needed This problem was eventually corrected, wondered if NetTop might offer relief as a extensive hardening and refi nement to but the delay proved to be a costly misstep desktop reduction solution. This idea was make it suitable for use by typical military in NetTop’s fi rst high-profi le deployment. suggested to IAD management as a unique operators who weren’t hard-core system In retrospect, we should have ensured that opportunity for technology insertion. developers. To accomplish this, NetTop NetTop had a high-level CENTCOM ad- The intern class that was evaluating received a complete face-lift to remove the vocate as well as buy-in from the IT sup- NetTop was still working when the idea most visible signs of its Linux heritage. The port groups. of using it at CENTCOM surfaced. user interface for CenTop—CENTCOM’s After the initial intensity of the Because of their recent security evaluation custom NetTop implementation—was coalition military effort subsided, the

The Next Wave n Vol 17 No 3 n 2008 15 urgency to fi eld NetTop at CENTCOM fi nd use in various deployments. Although a competitive market would be even better diminished as well, and with it the pace painfully slow at the outset, NetTop has for the government. After two more years of the evaluation activities. Even with the continued to gain acceptance as a security of discussions with other potential partners urging of the NetTop project management solution within the IC and the DoD. we negotiated a second NetTop license offi ce, it took over 18 months before formal with Trusted Computer Solutions (TCS). Finding Tech Transfer decisions were reached about appropriate TCS was much smaller than HP but very uses for the technology. Based upon a Partners well established in the government market growing body of technical evidence, Shortly after our decision to pursue for security products, and they were highly including the results of the two earlier a tech transfer path for NetTop through experienced at working with the security evaluations and another evaluation on the the licensing of intellectual property, the accreditation process. TCS’s strengths CENTCOM-specifi c NetTop solution, the research team initiated a series of meetings seemed like an excellent complement to IAD Director fi nally approved NetTop with potential commercial partners. The HP’s for developing a signifi cant market for classifi ed applications, but its use most promising partner initially was the for NetTop. Federal Division of Compaq Computers. was limited to applications needing to Several months after licensing NetTop, Compaq management saw potential in separate Top Secret and Secret networks. HP was able to generate some interest in NetTop to help them build a market in Having taken over three and a half years the technology from their government to reach this point was customers, and they disappointing, but the have continued to research team was steadily grow their never the less euphoric sales. Ironically, NSA at reaching this did not become a strong important milestone. customer because IT Unfortunately the support at NSA had feeling was short lived been outsourced to an as we came to the industry consortium, realization that the use and NetTop’s approach of NetTop throughout wasn’t consistent with the Intelligence the terms they had bid Community (IC) would in their contract. TCS require yet another also began to see some extensive, bureaucratic interest in their NetTop accreditation process – offering shortly DCID 6/3. This meant after they licensed we had to socialize HP and TCS NetTop marketing material the technology. NetTop’s concepts Unfortunately we to yet another group of accreditors security-related IT. Our discussions with didn’t see the dramatic uptake of the and Designated Approving Authorities Compaq were very positive, but they were technology that we expected. After several (DAAs) that had never before seen this soon interrupted because of the prospects years refl ecting on this situation we began type of solution. Furthermore, the DCID of a merger with Hewlett-Packard. After to understand why our expectations 6/3 evaluation criteria used by the DAAs completion of the merger in September weren’t being met. Both of our NetTop were not designed to address solutions like 2001, discussions resumed with the partners drew their customers from the NetTop that had multiple operating sys- new Federal Division of HP. But it was high assurance DoD and IC market tems running con-currently. DAAs rare- not until November 2002, almost two space rather than the broader commercial ly decide issues concerning operational years after the start of discussions, that a market, and their revenues were heavily use of security solutions without involving NetTop license was fi nally negotiated. We dependent upon selling services rather their peers, since individual decisions viewed this milestone as a tremendous than products. There was little incentive often create shared security risk across accomplishment and were certain that we for them to drive product costs down since the community. So we once again found would soon see a large commercial market they weren’t anticipating a mass consumer ourselves having to educate numerous for NetTop that the government could market for NetTop. In the high assurance decision makers about why NetTop leverage. We were only partially correct. government market, NetTop sales may should be approved for operational use. While we worked with HP to help them grow but probably only at the pace of IT Eventually our efforts succeeded, and in refi ne NetTop, we continued to seek other infrastructures replacement; so while we the following fi ve years NetTop began to commercial partners, since we believed that may eventually see increased deployments,

16 NetTop Eight Years Later they are likely to be over a much longer Virtual Workstation period of time than we expected. It’s also unlikely that we will see costs drop as Token Reader signifi cantly as we had hoped. Virtual Workstation Checking Our Projections Workstation

In our Fall 2000 NetTop article, Biometric COI 3 Input “NetTop—A Network on Your Desktop,” VPN Physical we speculated about the potential of COI 2 VPN Network virtualized architectures to deliver many (IC TestNet) COI 1 more capabilities than the remote access VPN solution we started with. Two of the solutions we described included a multi- domain access system and a coalition Figure 3: Intelligent Infrastructure support system that provided dynamic Demonstration (IID) communities collaboration environments. In the years of interest (COI) since our original prototype, we went on to develop systems very similar to tual components including workstations, operation we used the Internet USENET those we described. The workstation that encryptors, fi rewalls, servers, etc., and system, which allowed individuals to eas- we developed for CENTCOM, in fact, then interconnect them to form private, ily create news groups for information ex- implemented our concept of a multi- collaborative workgroups or communities- change. domain access solution. We later developed of-interest (COI). In our prototype each IID workstation a proof-of-concept system called the Our goals for the IID were to demon- was a NetTop that implemented a multi- Intelligent Infrastructure Demonstration strate how secure, collaborative environ- factor (e.g. fi ngerprint, password, token, (IID) that showed how dynamic, private ments could be set up easily and quickly etc.) user authentication system and a collaboration environments could be to support the type of multi-party activi- special virtual machine dedicated to COI created rapidly to support mission needs ties being performed at CENTCOM and establishment and management functions. for information sharing. In the following other government organizations support- If a new COI were needed, a user could years, we created several other security ing the war effort. We wanted a capability specify the members of the COI, the COI solutions that we had never imagined, but that would enable the average analyst to security level, the operating system to be which helped solve some of NSA’s unique set up a COI within minutes, tailor it to the used, and the set of application programs IT problems. These solutions further needs of a particular group, and require no to be included. The management service proved the adaptability and fl exibility of administrative support. As a model for IID would establish network servers to sup- NetTop’s architecture. Collaboration on Demand – Intelligent Infrastructure Demonstration The original NetTop prototype was developed with a very tightly controlled confi guration and lacked the fl exibility to respond quickly to changing user needs. In short, it had the same limitations as the physical systems that it replaced. But in our Tech Trend Notes article we suggest- ed the possibility of using virtualization technology to rapidly create new systems of various types and distribute them elec- tronically wherever they might be needed. In 2003 we developed a demonstration of this concept in the Intelligent Infrastruc- ture Demonstration (IID) system, shown in Figure 3. This system used a centralized server that could provision and deploy vir- BoxTop interface

The Next Wave n Vol 17 No 3 n 2008 17 port the COI and invitations would be sent was questionable. The normal software Application Partitioning to the participants to join the COI. When review and approval process was far too a user accepted the invitation his worksta- slow to meet mission needs, so managers Mission Critical Non-Critical tion would receive software to confi gure were considering just installing the software (Personnel Database) (Email, Web) itself to participate in the COI. IID users and accepting the risk. We felt that we could participate in multiple COIs simul- could leverage the fl exibility of NetTop’s taneously and move easily among them architecture to quickly develop a solution via window selection. that would allow the needed software Routing VM Malware Protection: BoxTop to be used safely. In our ClearRealm A different problem came to the design we encapsulated the questionable NetTop research team from analysts who software as a web service and sandwiched Network dealt regularly with documents, emails, it between two virtual fi rewalls to protect and multimedia fi les that might contain the integrity of the operational network. The fi rewalls were confi gured to ensure Figure 4: Using NetTop to isolate malicious code such as viruses, worms, mission critical programs or other malware. Their management’s that the web service could not access the security policy wisely required them to operational network and that it responded move any potentially dangerous content appropriately to user queries. ClearRealm Other Interesting Applications to a standalone system in order to ensure proved to be very successful at meeting an Isolating Mission Critical Software the integrity of enterprise operations. urgent operational need. During the course of our work we met Unfortunately, the inconvenience of ClarifyMind: Wireless NetTop with many different users to try to under- transferring data and the time-consuming stand their operational IT needs, and we One of the signifi cant benefi ts of cleanup process following an infection spotted several additional usage scenarios NetTop’s architecture is that it allows made the analysts’ jobs unworkable. To for NetTop architectures that hadn’t origi- communication interfaces to be decoupled deal with this problem we developed nally occurred to us. One scenario involved and isolated from components that provide a NetTop spin-off called BoxTop that a need to protect the integrity of mission security functionality such as fi rewalls, could safely and easily handle malicious critical applications from the potential guards, encryptors, etc. Changes in network content. misbehavior of non-critical Internet appli- interfaces can then be made simply since BoxTop used two virtual machines— cation programs. The prototype solution they do not involve changes to security- we developed used one virtual machine to one to replace the analyst’s normal critical code. We used this architectural run important mission applications (in our workstation and a second that operated as approach in our original remote access case a program to track troop deployment) a sacrifi cial quarantine zone for processing solution to switch it between ethernet and and a separate virtual machine to run non- malicious data. Analysts used a simple modem connections, and we used it several critical programs such as web browsers. one-way data pump to move fi les into the years later in a wireless mobile solution By separating applications in this way we quarantine zone and a special printing called ClarifyMind. The prohibitive cost mechanism that allowed information to of new, wired connections to the desktop be exported safely for reports. To further had denied Internet access to many Legacy Migration improve analyst ef ciency, we provided fi analysts, so we proposed using NetTop a mechanism to restore the quarantine to provide trusted wireless connections zone to a sanitized state with the push MS Word MS Word instead. To replace the security and access 2000 2007 of a button. SELinux provided us with control of a wired connection we proposed an extensive set of security controls that Windows Windows using encryption of the wireless link. we used throughout BoxTop’s design to XP Vista ClarifyMind’s architecture combined a guarantee that it operated safely. COTS laptop, an 802.11x card, MobileIP Protecting the Enterprise: functionality, and an IP encryptor VM to Routing VM ClearRealm deliver cost effective Internet access for Following our work on BoxTop we analysts with the added benefi t of allowing discovered another enterprise IT problem them to roam wirelessly. NetTop’s that required a quick and innovative architecture allowed us to isolate and Network security solution. Unlike the case with protect the security-critical IP encryptor BoxTop, where we were dealing with from other COTS components, and to malicious data, this problem involved the ensure that all network traffi c passed Figure 5: Using NetTop for incremental upgrade of new applications use of enterprise software whose pedigree through the encryptor.

18 NetTop Eight Years Later showed that we could enhance mission in- provide tailored protection for the host such as Microsoft Windows, fell short tegrity without losing desirable function- OS. We were also looking ahead to the in security, and the several systems that ality. (See Figure 4). protection that SELinux’ mandatory offered very high assurance were lacking Dealing with Software Migration access controls could provide. To deal in functionality and interoperability. The A second IT problem we discovered with potential vulnerabilities in Linux NSA Advisory Board recognized that involved delays in deployment of current we used a number of design principles NSA’s arguments for using the highest assurance technologies had long since software versions across an enterprise. to minimize its risk of being exploited. ceased to be effective in the face of the Users were often frustrated that they First, we treated SELinux as an embedded COTS revolution, and users had opted had to continue using outdated program OS and prohibited the use of any native for functionality over security. The Board versions until their entire suite of programs user applications. VMware was the only was seeking a way to accomodate users’ was updated to the latest operating application permitted. Our next step in desire for fully COTS platforms while system. This problem seemed like an reducing NetTop’s attack surface, was to providing adequate assurance for sensitive ideal application for a NetTop solution configure the system to make the SELinux applications, and they saw in NetTop a that could provide multiple OS versions host unreachable from any network path for re-establishing a market for more running simultaneously. This approach connection. Since the time of the original secure products. would permit applications to migrate NetTop evaluations SELinux has earned individually and give users immediate the same certification level (Common Prior to our work on NetTop, access to the latest software versions. (See Criteria EAL 4+ LSPP, CAPP, and RBAC) others had suggested a number of Figure 5). as most of the host operating systems used technical approaches to marry Microsoft in approved cross-domain solutions. applications with high assurance operating Criticisms and Concerns The environments originally intended systems such as Trusted Solaris, but none A healthy dose of criticism is not for NetTop deployment only allowed of these products delivered acceptable uncommon with any new technology, access to users having the highest level performance and usability. Within NSA and it is par for the course with new of clearance of all connected networks in a high-assurance, thin-client architecture security technology. But NetTop attracted order to help deal with physical attacks. was developed as one possible way to give a particularly broad set of vocal critics NetTop was often used in sensitive users a multiple security level capability, inside and outside of government. In part compartmented information facilities but it too had similar performance and we believe this was because it represented (SCIF) where all personnel were cleared usability problems. NetTop’s architecture a fairly radical paradigm change in its to the highest level. Thus the environments provided users with good performance technical approach and also in its strategic intended for NetTop use were considered from their Microsoft applications while approach to delivering security solutions low risk. at the same time keeping them isolated and protected in virtual containers. By via commercial partnerships. Despite concerns expressed over the interconnecting single-security-level The changes represented by NetTop years about NetTop’s security, it has held containers, we could create solutions were particularly uncomfortable for the IA up well so far against sponsored evaluations tailored to meet different users’ needs. community’s traditional culture. NetTop as well as attempts to exploit weaknesses attempted to strike a balance between the found in VMware’s virtualization We also saw in the NetTop architecture low assurance COTS technology being software. The combination of SELinux’ the potential to increase assurance over time by improving the security of its component widely adopted by users and the very high mandatory access controls, VMware’s parts. One way to increase assurance was assurance security solutions traditionally isolation capabilities, and NetTop’s tightly by improving the host OS and virtualization developed by government. It should not controlled architecture have proven environment that comprised NetTop’s be surprising that neither community effective at blocking attacks. While this is isolation infrastructure. A second way was was totally satisfied with the result—but no guarantee that future problems won’t to improve the assurance of individual we believe that NetTop delivers a useful emerge, continuing reviews by government virtual components. This second approach and credible blend of functionality and analysts help to ensure that serious user seemed to be particularly useful for creating security. problems are avoided. specialized components that were hidden Does NetTop Lower the Bar for Does NetTop Diminish the Market from users such as routers, firewalls, and Security? for High Assurance Technology? encryptors. We had discussions with One of the first criticisms of NetTop In 1999 at the start of the NetTop several high assurance OS vendors about concerned its use of Linux as the host project, users seeking trusted operating migrating the NetTop architecture to their operating system. Linux was selected systems with a robust set of applications products, but concerns about the impact to (actually SELinux) because we were able software faced a bleak situation. Those their own products proved too difficult to to customize it and rebuild the kernel to systems that offered the most functionality, overcome.

The Next Wave n Vol 17 No 3 n 2008 19 Does Virtualization Create a and a committed NSA program to deliver cultural changes often require a very long Security Problem? an operational system from a research period of time. One of the problems NetTop faced prototype. Over the course of several Unfortunately for us, the cultural shortly after it was prototyped was that years, these events led us to some unique changes associated with NetTop involved neither users nor system accreditors had opportunities and to some useful insights changing not just one culture but two. The a good understanding of the virtualization into the business of research. first was the crypto-centric, high-assurance technology it was using. Although One of the unexpected benefits of our product culture that was responsible NSA’s virtualization technology was originally NetTop work was that it generated interest long-standing reputation in security. developed in the 1960s, primarily for in partnering with research groups from NetTop used technologies unfamiliar and use with large-scale computers, its re- a number of prominent IT companies. unproven to this culture, so they were emergence on desktop computers in the They sought to use our security expertise considered unacceptable. NetTop was also late 1990s made it a novelty once again. in operating systems and virtualization built from COTS components incapable of Lack of understanding led to suspicion as a way to help them with their own delivering the assurance levels of GOTS and fear about problems that might be technology developments. We saw an products. It took years of experience with lurking, but over a period of several years opportunity to use cooperative research NetTop to build confidence to the point the issues associated with virtualization as a way to gain significant leverage where it was accepted, at least for some became better understood within NSA’s from our limited resources. We also saw applications. IA community. Designing NetTop with potential in using cooperative research as The second culture that NetTop had security as a primary concern taught a general technique for raising the bar in to deal with was in the IAD’s business all of us a great deal about how to use the assurance of commercial technologies. community. In many ways this business virtualization prudently. In effect we were developing a new COTS culture was more difficult to influence The commercial IT benefits Security strategy based upon IA research than the high-assurance product culture. of virtualization have been amply collaboration. The bedrock of the business culture was demonstrated by the dramatic growth of A second benefit we derived from our the traditional, large-scale, FAR (Federal VMware over the past several years. But work on NetTop and its spin-offs was that it Acquisition Regulation) contract typically as the technology has become mainstream, served as a breeding ground for new areas used for developing security products the same security concerns that we of research. One interesting example was for customers in the national security encountered years ago re-emerged—this our early investigation of integrity checking community. Getting technologies like time from security professionals outside of for NetTop. This activity eventually NetTop to customers involved a different government. Some of the recent security blossomed into an important new area approach, one similar to what industry concerns with virtualization have been used known as Measurement & Attestation, would use. The new approach required as justi cation for dismissing NetTop’s fi which deals with assured techniques for aggressive practices in the creation ability to provide robust protection. What measuring the integrity of a computing and control of intellectual property, many critics fail to appreciate is that most platform and conveying this information in marketing, and in developing and powerful tools can be used wisely or blindly to an enterprise health authority. This work managing partnering relationships. We with respect to security. We believe that could have future widespread use in the found little appreciation within IAD’s NetTop’s design offers a good example of management of enterprise security, as well business culture for the value of patents, how to use virtualization wisely. as more general application in developing trademarks, licenses, or open source Could We Do It Again? trust among systems connected across developments because the use of these The circumstances surrounding cyberspace. techniques were not deep-seated in the the development of NetTop were NetTop’s developers had high government business psyche. Contending unprecedented for a research project. NSA’s expectations that the product’s COTS- with the business culture issues associated most senior Advisory Board identified a based blend of security, functionality, and with NetTop required a major effort on our major security challenge and four of the flexibility would quickly generate a large part, and added further delay to transfer of Agency’s most senior IA researchers, market in public and private organizations the technology. While we were somewhat with over 80 years combined experience, that valued information assurance— successful in handling NetTop’s unique were called upon to craft a solution. They, unfortunately this didn’t happen, and business issues, to the IAD’s business in turn, leveraged two of NSA’s premier has been a major disappointment. What community it remains somewhat of an analyst development programs to perform we came to realize was that sometimes aberration rather than a useful, alternative in-depth security evaluations. The terrorist technology changes are so dramatic that business strategy. attacks of 9/11 were the catalyst that they require changes in organizational We learned from experience that there created a high priority military customer culture in order to succeed, and that is often a critical relationship between IA

20 NetTop Eight Years Later technology and IT infrastructure, and that if worth our investment. Through our work a security technology isn’t friendly to both on NetTop we gained valuable expertise users and to the infrastructure in which in an important, new technology area it operates, it just won’t be accepted. We that allowed us to significantly advance learned some hard lessons about this in our NSA’s acceptance of the technology and first NetTop deployment at CENTCOM. introduce new business strategies for One unfortunate lesson occurred when product development. Another important one of the Windows VMs encountered the consequence of our work was the ability infamous Microsoft Windows “blue screen to attract major industrial partners in of death.” The veteran operator reacted collaborative research. These relationships instinctively by hitting the machine’s reset have been very helpful in our research and button. Unfortunately, this rebooted the particularly in developing next generation entire set of virtual machines that were versions of NetTop through NSA’s High running and created a messy cleanup Assurance Platform (HAP) project and our situation. We should have anticipated Secure Virtual Platform (SVP) research this would happen and ensured that only program. the crashed VM was rebooted. Other Several thousands of NetTops have infrastructure management issues such as been fielded across elements of the IC centralized auditing and remote platform and are being used operationally every configuration were also handled poorly in day. Encouragingly, we have recently seen the original NetTop deployment. While indications that NSA’s own infrastructure these issues and many more have been upgrade initiatives are considering large- addressed over time in improvements scale deployment of NetTop technology. made to commercial NetTop products, While eight years is a long time to wait for they resulted setbacks for NetTop early in this development, it is gratifying that our its development. perseverance may finally be rewarded. But—Would We Do It Again? NetTop has not yet found widespread use outside of government, and this is a disappointment because we believed it would have many commercial uses. More importantly we hoped that commercialization would drive down the cost of the technology for government use, but this hasn’t happened either. It isn’t clear if a commercial market failed to materialize because of lack of user interest or because of inadequate marketing. Today NetTop is only available from vendors that focus on technology services for government rather than equipment sales. It remains to be seen if this will change in the future. Although it would be impossible to recreate the extraordinary circumstances surrounding our work on NetTop, we have thought about whether we would undertake a similar effort in the future if we knew it would have a similar outcome. In short the answer is yes. The potential to have a major impact on customer mission assurance would still make such an effort

The Next Wave n Vol 17 No 3 n 2008 223 Text Extraction From Color Images

1. Introduction

Color images mixing text and graphics offer an effective and popular method of information sharing. The Internet explosion bears full testimony to the imaginative ways vendors and communicators exploit the medium to flood the bandwidth with their chosen material. Automobile license plates are becoming yet another source of textual graphics, as states increasingly display color alphanumerics overlaid on various backgrounds or logos. In addition, magazine covers and video screen captures of broadcast news banners provide potentially huge databases to users interested in content retrieval using commercial search engines.

The mathematical complexity of multichannel information images—collections of shapes and colors arranged in unpredictable ways—has made automated text segmentation a difficult task. Most graphic designers do follow sensible guidelines so the characters stand out in some way, facilitating legibility. Such disparities will be exploited here to automatically determine the presence of text in a color image.

22 Text Extractions From Color Images 2. The Method Text extraction from color images in- volves three proposed steps: a contrasting RGB CONTRAST operation that converts the tri-chromatic GRAYSCALE (RGB) original to a grayscale version high- COLOR IMAGE lighting the text, thresholding the resulting image to bi-level black-or-white, followed by image character recognition (ICR) in any commercial software. The process is COTS depicted schematically in Figure 1. ICR BILEVEL THRESHOLD The key operation—contrasting— does not convert the color original to gray- scale luminance by averaging, but instead combines the three RGB channels into B&W text one in which the text is enhanced. Un- fortunately, no single such operation has Figure 1: Color text extraction process been found to work in all cases; a paral- Logarithmic separators, e.g., where C is the contrasted image whose lel approach is therefore recommended to r values are restricted to the lowest quarter yield successful results for the wide class C5 = Max(log(R),log(G),log(B)) of the pel range, and Ʊ denotes the stan- of candidate images expected in practice. and dard deviation (or dispersion) of the image The thresholding component of the pro- C6 = Min(log(R),log(G),log(B)) C . Pel values inside interval T are then posed process also involves a multitude of r 1 also offer powerful contrasting opportuni- set to zero (black), and all others to one (straightforward) operations. ties. (white), producing an image ready for au- tomated ICR processing. 2a) Contrasting Operations C1 – C6 (and many others) Alternatively, since successful con- Given a tri-chromatic RGB image, generate grayscale images from the color trasting relegates textual pels to values many operations are available to separate original, each of which may (or may not) well below the mid-range, histogram- text from its color background; the really contain unique text, or in fact any text at based thresholding also generates a useful successful ones tend to concentrate textual all; however, in view of the parallel ap- B&W image. Indeed, when restricted to picture elements (pels) to the lower (or proach advocated here, selected contrast- this lower range, the most frequently oc- darker) end of the bit-level range, while ing output must be thresholded and passed through the ICR software for fi nal text curring pel value—or histogram mode background pels are shifted to the upper extraction. Alternatively, bi-level results M —generates a threshold interval as (for range. For example r could be combined into one fi nal image example) C1 = Min(R,G,B)/Mean(R,G,B) prior to ICR processing; however, this ap- T2 = [.5Mr , 1.5Mr] and proach may risk mixing textual and non- The corresponding contrasted im- textual output, thus obscuring character C = Min(R,G,B)/Max(R,G,B) age range C(T ) restricted to this interval 2 structure. 2 exploit the fact that color text overlaid on is then set to zero, while its complement a complex background is typically satu- 2b) Thresholding containing background components is set rated to enhance legibility; after all, the Once contrasted grayscale images to one. Of course, many color images are goal of the graphic designer is to use color have been obtained from various op- multi-modal in each channel—let alone as to please the eye, not conceal content. A erations, interval thresholding operations contrasted versions—so that their histo- set of transformations that separate textual convert these images to bi-level [i.e., grams show several strong peaks. In such foreground from a more uniform back- (0,1)] B&W. Once again, it is perhaps less cases interval thresholding around each ground is: than satisfying that no single operation has maximum would generate a set of candi- been found to work in all cases. For truly dates for ICR processing. C = {R/G, R/B, G/R, G/R, B/R, B/G} 3 complex mixtures of text and graphics, For images with less complex back- Other useful transformations of the RGB one threshold estimate is grounds, practical threshold intervals are tri-chromatic channels include T1 = [mean(Cr) - Ʊ(Cr) , mean(Cr) + T3 = [min(C) , min(C) + Ʊ(C)] C4 = {R/Max(R,G,B) G/Max(R,G,B) Ʊ(Cr)] T4 = [min(C) , max(C) - Ʊ(C)] B/Max(R,G,B)} T5 = [min(C) , mean(C)]

The Next Wave n Vol 17 No 3 n 2008 23 3. Examples has on textual content. greater the contribution in the color image Text colors were picked at random of a given character string, the higher the The process of contrasting, thresh- but character placement was intention- intensity of that string in a particular chan- olding, and B&W reduction of an image ally chosen to provide a (perhaps unnec- nel. containing color text will fi rst be carried essarily) complex background and pose Thus the word ‘BEFORE’ has high out for the RGB image in Figure 2 (left a realistic challenge to the proposed ex- intensity in the Green channel, while panel) below; the right panel displays the traction method. Figure 3 below displays ‘MATCHES’ is strong in Blue; however, destructive effect that simple averaging the three RGB channels in grayscale; the color purity is not required, and, in fact, the word ‘PLEASE’, a mixture of Red and Blue, is also readily extracted by the pro- posed method. Now, to give a quantitative idea of the character ‘blending’ produced by channel averaging, Figure 4 below (left panel) displays a histogram counter for the averaged image; the right panel shows the histogram resulting from contrasting oper-

ation C1. The averaging procedure spread out the pel values and produced useless maxima below the desired mid-range lev- Figure 2 el; contrasting, on the other hand, yielded an image with a clear maximum, so modal thresholding would retain textual content. The result of applying contrasting

operation C1 to the tri-chromatic image is shown in Figure 5 below (left panel).

Thresholding results from type T1 and T2 are displayed in the adjoining panels, the output completely processable by ICR en- Figure 3 gines. As emphasized above, it is not usu- ally known beforehand which contrasting operation or thresholding type will produce textual separation; a parallel approach is generally necessary to successfully pro- cess a color text image for content. More practical sources of color text images that should also benefi t from au- tomated extraction are automobile license plates. In recent years, such initially bland black-on-white metal tags have been adorned not only with color text but Figure 4 various logos and complex backgrounds, presumably for various promotional pur- poses. The family of contrasting opera- tions detailed above produced successful reductions of these color plates to gray- scale preparatory to thresholding and bi- level imaging. The fi nal example, involving a screen- captured news banner image, presents a

Figure 5 signifi cant processing challenge because

24 Text Extractions From Color Images the text is in fact colorless white—see Fig- ages, but only the highest mode led to re- color images by channel operations that ure 6; the right panel shows the channel tention of textual image content (Figure (mostly) reduce only alphanumeric char- average. 8), along with some artifacts that most acters in the image to black, and then rely A histogram of the grayscale reduc- ICR engines typically ignore. on actual recognition by commercially tion (Figure 7) shows multi-modality, with 4. Conclusion available ICR software. Although a par- peaks at pel values of 63, 100, and 248. allel approach is advocated to handle the Interval thresholding around each The processing methods presented wide class of images expected in practice, maximum then produced three B&W im- here allow automatic recovery of text from the mathematical simplicity of the opera- tions should pose no implementation prob- lems. ICR engines could in fact execute several contrast-then-threshold computa- tions opaquely to the user, collate results internally, and then display unique textual output. This approach seems ideal for Figure 6 search engine or database matching appli- cations. For example, automated license plate readouts leading to vehicle identifi - cation would allow more rapid detection of traffi c infractions, either for automated ticketing or potential interdiction by the au- thorities. On the other hand, power users may instead wish to gain insight from each specifi c operation and then tailor compos- ite processing to the particular family of target images encountered most frequent- Figure 7 ly. A graphic user interface module within any commercial ICR engine would clearly facilitate such exploration. The notion of feature extraction through channel operations need not be restricted to text detection applications. As medical imaging, airport screenings, and cargo inspections increasingly gener- ate true color images, empirical channel combinations may indeed highlight tell- tale signs of diseased tissue, concealed weapons, or illegal materials not otherwise readily visible.

Figure 8

The Next Wave n Vol 17 No 3 n 2008 25 Web 3.0 “Are we there yet?”

The family road trip was a highlight of my childhood. My brother Harry and I would pile into the back of the old Dodge station wagon as the family headed out from Kansas on month-long treks across the country. Between rounds of 20 Questions—and the occasional squabble—we would ask with predictable frequency, “Are we there yet?”

26 Web 3.0 “Are we there yet?” or destinations such as the Ozarks or Wide Web had provided access to vast Badlands or Everglades, the answer amounts of data, Web 2.0 took on a more Fwas never certain. Even a Welcome personal tone. During the aught years, sign posted to announce an official bound- Web-based communities have coalesced ary seemed somehow arbitrary. The terrain around social networking sites, and youth always looked much the same through everywhere turn to blogging and file shar- the windshield as it did from the tailgate ing as their social lifeblood. window. Contemplating the next generation of the Internet, popularly referred to as Web In the Web that is 3.0, I think back on those family road trips. We have maps to show us where we are to come, the virtual and how far we’ve come. We read glowing and the real will accounts of what things will be like when we arrive. But when, exactly, are we there seamlessly interact, yet? Web 3.0. There are numerous views informing each other of the coming Web era, depending on your across a shrinking vantage point. It has been described as implicit, mobile, 3D, distributed, person- digital divide. alized—the metaverse. Some critics argue that the name Web 3.0 is nothing more than a marketing term. But whatever name While “Netheads” began download- the next-generation Web eventually goes ing podcasts and mySpace pages, industry by, the change will transform the ways we leaders were already busy mapping out the experience life every day. route to the next-generation Web. In 2001, Reaching the next-generation anything Tim Berners-Lee proposed a Semantic is more often a journey than a destination. Web, where machines not only find what Along the road to Web 3.0 stand numerous we’re looking for, but they also understand milestones—Mosaic, XML, FaceBook. what we want. On the horizon lie OWL and SPARQL and For many people, Web 3.0 and the Se- Twine. These technologies serve more as mantic Web are nearly synonymous. But a filling stations than rest stops, fueling the broader vision for the next-generation Web journey along the Internet highway. foresees our virtual and offline worlds in- When Tim Berners-Lee (now Sir creasingly merge—virtual environments, Berners-Lee) inaugurated the World Wide virtual markets, virtual experiences, and Web, in 1991, his aim was “to allow links even virtual selves paralleling those in the to be made to any information anywhere.” real world. In the Web that is to come, the The marriage of hypertext with the Inter- virtual and the real will seamlessly inter- net made the original version of the Web a act, informing each other across a shrink- reality. Web sites and HTML pages began ing digital divide. popping up like aspens along a mountain Even though the age of Web 2.0 only stream. now is starting to mature, we are already The Web’s phenomenal growth in catching our first glimpses of the digital popularity during the 1990s—hosting landscape we will next inhabit. Over the more than 20 million websites by the end next few years, people in many parts of the of the decade—fueled the dot.com boom world will be entering the foothills of what that closed out the last century. When the inevitably will be called Web 3.0. If the technology bubble burst in 2001, pundits timeline for the first iterations of the Web called for a reinvention of the Web—a is an indicator for the future, we will have Web 2.0—to carry the world into the new scaled the summit of Web 3.0 by the end millennium. of the next decade. What will we see when While the first generation of the World we look back over the road we traveled to Illustration by The Next Wave n Vol 17 No 3 n 2008 27 Russell Sutcliffe get there? And what will we see when we The Semantic Web the Semantic Web is to make our online look forward to the digital mountain range For the next generation of the Web, experience “more relevant, useful, and that lies ahead? Tim Berners-Lee envisions a Seman- enjoyable.” As Josh Catone, lead writer Web 2.0 provided a two-dimension- tic Web, a model for the evolution of his for ReadWriteWeb blog put it, “When ma- al platform for creating and exchanging original Web design. Interoperability is chines understand things in human terms, information. A more three-dimensional the backbone of the Semantic Web, where and can apply that knowledge to your at- Web 3.0 weaves straight-forward trans- independent applications can access the tention data, we’ll have a web that knows actions into intricate patterns of relation- same data and reuse it in “unexpected what we want and when we want it.” ships. The 3D Web provides for complex ways.” The Semantic Web benefits cyber APIs and Web Services interactions among people, systems, and citizens—or netizens, by unobtrusively The implementation of the Semantic information in a do-se-do like dance of carrying out imaginative and sophisticated Web depends on the extent to which au- communication. tasks. thors metatag information. But a more The emergence of Web 3.0 is being For the Semantic Web to work, data immediate way to extend flexibility to the propelled by the evolution of technologi- has to carry metatags that compose a de- Web is through the use of APIs and Web cal, market, and social systems. Its use scription of a variety of characteristics. services. An API (application program- will be characterized by the integration of These metatags are expressed by RDF ming interface) is a source code interface all three. (Resource Description Framework) and that supports requests made by computer • New technologies are driving the OWL (Web Ontology Language)—formal programs. Closely related to APIs are Web development the Semantic Web, APIs and languages endorsed as Semantic Web services, which provide ways for different Web services, and rich applications. specifications by the World Wide Web software applications to work together, Consortium (W3C). • A changing market model is placing even when they are running on a variety of The Semantic Web uses metatags to more emphasis on an implicit Web—one platforms. APIs and Web services make it define the semantics of data structures, that is able to grab and hold our possible for developers to integrate popu- map between them, and publish data re- attention. lar online services such as YouTube and cords. SPARQL, a new query language, Google Maps with their websites. • Social networking has already changed can then be used to search across the re- Web services join up to create a com- how we view ourselves and interact with cords to deliver what Berners-Lee calls the puting cloud—the term applied to nearly other people and the world at large. intelligent web. limitless high-speed Internet access to a Although these systems are interre- The Semantic Web goes beyond con- variety of Web applications. Web services lated and they reinforce each other in a necting information and people. The Se- often generate more traffic than the web variety of ways, each provides a unique mantic Wave 2008 Report, published by site itself. For example, the API for Twit- perspective for conceiving of Web 3.0. Project10X, concludes that the goal of ter has 10 times more traffic than the web site. Open-source proponents foresee Web 3.0 being ushered in on a wave of public Web services and mashups that are used to create novel Web applications. Mobile Access Netizens increasingly expect to have Internet access from any device in any place at any time. Although the desktop computer may be a mainstay for accessing the Web well into the foreseeable future, people around the globe are demanding greater flexibility. Logging onto the Internet through a computer modem is already an anach- ronism. Wireless access to the Web has moved beyond office and home networks to include mobile phones, pagers, tablet Within two years after Amazon introduced Web Services, in 2006, consumer demand for PCs, location devices, and even game sys- Amazon Web services significantly outstripped demand for the Amazon website. Source: tems. As the number of options for how Amazon Web Services, 2008 we communicate has increased, so has

28 Web 3.0 “Are we there yet?” the demand for a single mobile device to ted by Robert O’Brien, who proposed that handle them all. Web 3.0 is “A decentralized asynchronous WiFi and satellite Internet have ef- The Web experience me.” fectively cut the tether that bound Web will be so customized O’Brien went on to characterize the browsing to the personal computer. Nu- evolution of the Web in this way: merous coffee shops, restaurants, hotels, that distinctions Web 1.0 was a centralized them. airports, and even entire communities are Web 2.0 is a distributed us. joining the ranks of Internet cafés to pro- among pages, posts, Web 3.0 will be a decentralized me. vide Web access to anyone within range, SMSs, maps, and often for free. The coming Web is emerging as Web access is even being extended graphs will become highly personalized. The intimacy of each to world travelers. In the spring of 2008, irrelevant. These user’s Web experience has led to what has Thalys International began providing been described as an attention economy. broadband Internet access for passengers elements and more Attention economy theory is attributed to onboard its high-speed trains on routes will be integrated US economist Michael H. Goldhaber, who, across Europe—the first service of its kind and arranged into in 1997, proposed that the currency in the for international travel. Net access has also new Web economy is human attention. taken to the skies. Lufthansa and Singa- a personalized Web Getting and holding people’s attention is pore Airlines have been offering passen- design. the aim of every enterprise, marketer, and gers broadband Internet access on some blogger. routes since 2005, and airlines in the US The economic and social forces vy- introduced in-flight Internet in the summer a user-createddd content revenue model.l Theh ing for our attention have contributed to of 2008. strategy is to empower entrepreneurs and the emergence of what has been called an Future generations will expect con- subject matter experts with tools to build implicit web. Our attention has become tinuous connection to the IT cloud. In Web global e-businesses and communities like an increasingly scarce commodity. With 3.0, each netizen will expect constant and Facebook and sell their intellectual prop- burgeoning amounts of emails—spammed total immersion in a variety of social net- erty content while being linked through a and otherwise—we have been forced to be works. The idea of “logging on to the Net” portal like Amazon. The goal is to launch more selective about where our attention will seem as quaint as using a payphone is thousands of subject-specific communities is directed. The things we pay attention to today. to meet the demands of growing user-cre- are those we consider to be of the highest User-created Content ated content industries. value to us. We attend to them naturally, User-created content is the hallmark While users are creating and adopt- subconsciously—implicitly. of Web 2.0. Millions of Internet users ing a rapidly growing number of Web Many web sites determine the val- today regularly contribute to blogs to ex- apps, they are also responsible for much ue of a product, comment, or service by press their opinions, vote on the quality of their propagation. Email, social net- the amount of attention it receives. Most of products and comments, build personal works, blogs, and other personal outlets search results are ranked based on how profiles that reveal their hopes and de- serve as hosts for virally distributing these frequently items are viewed. Products are sires, and produce videos to share with the applications. rated by the number of purchases made. world. Development tools and bandwidth Personalization Blogs are promoted and demoted accord- are becoming more readily available to The Web is becoming less an online ing to popular vote. provide every nethead with an outlet for resource and more a digital extension of Methods for tracking attention will their digital creations. each user. New York Times journalist John become increasingly sophisticated in Web The trend for self expression is sure to Markoff suggests that Web 3.0 will do 3.0. Each Web experience will be ac- carry on into Web 3.0. The difference will away with the notion of pages altogether. companied by a personal history of who be in how intellectual property is created The Web experience will be so custom- we contact, where we click, and what we and distributed, with authors having the ized that distinctions among pages, posts, copy. A complex log of how we have spent option to control what they create or open SMSs, maps, and graphs will become ir- our attention in the past will guide where up their work for collaboration. Web 3.0 relevant. These elements and more will be we are directed in the future. An Implicit will provide the tools to turn every Web integrated and arranged into a personal- Web will operate in the background as a contributor into an entrepreneur. ized Web design. kind of digital subconscience. Products such as the Geenius entrepre- ReadWriteWeb, in 2007, sponsored Virtual Environments neurial portal already are showing up that a contest to define Web 3.0. The winning Web 3.0 will likely take advantage of combine a social networking platform with entry in the Serious category was submit- the visual metaphors afforded by increas-

The Next Wave n Vol 17 No 3 n 2008 29 shopping or information searches, clicking Persistent Avatars links to open Web pages will evolve into Citizens of Second Life are able to teleporting to different rooms and islands. customize their avatars to generally re- Items will be selected from virtual shelves semble themselves. As character fidelity instead of from lists. Your shopping cart increases in Web 3.0, virtual experiences will be just that—a virtual basket loaded will become more authentic. Clothing with the items you have selected. retailers already let avatars try on cloth- Numerous universities, businesses, ing so shoppers can visualize how outfits and government organizations have es- might look on them. With more precise tablished a presence in Second Life. Some body measurements, avatars can serve as residents painstakingly replicate their models for custom tailored clothing that is existing brick-and-mortar infrastructures shipped to your home. to provide a real sense of presence. More The avatar of the future could also pos- recently, the trend has been to create fan- sess a physiological profile that parallels DeaconD LLunasea iis theh author’h ’s personall ciful spaces that take advantage of the real-world characteristics. Burn patients in avatar in Second Life. freedom from the constraints of mechani- some hospitals are now being treated ef- cal systems, structural integrity, and even fectively for pain simply by interacting in gravity. a virtual arctic setting. For future avatars These virtual communities in Second that more accurately represent their own- Life serve as shopping centers, lecture ers, virtual medical check-ups could lead halls, dance clubs, conference rooms, and to real-world treatments. experimental labs. In Web 3.0, MUVEs Some psychologists have set up their could bring about the redefining of tele virtual couches in Second Life. They get in teleconference, telecommute, and to know their patients through the alter- telecourse to mean teleport rather than nate personae of their avatars. MUVEs televise. are also being used to create environments In addition to teleporting from place for clients to develop social interaction Second Life avatars tour Victoria Crater, a to place, avatars will be able to walk, skills and work through traumatic expe- Martian landscape created above. NASA’s swim, and fly, providing users with a sense riences. As artificial intelligence grows CoLab Island. of continuity of space and time. More im- more sophisticated in Web 3.0, non-player portantly, in Web 3.0 your avatar can sup- characters—the autonomously intelligent ingly realistic virtual worlds. Dramatic ply a sense of continuity of self, bridging agents in a virtual world—will know an gains in computer processor and graph- the real and virtual worlds we will increas- avatar’s personal history and be able to ics card speeds have yielded amazingly ingly divide our time between. probe for greater understanding, so it can authentic looking 3D environments for the PlayStation and Xbox entertainment systems. As even handheld devices move into Terahertz territory, virtual worlds will become ubiquitous in Web 3.0. The generation that grew up play- ing World of Warcraft is accustomed to following visual cues to guide an avatar— the digital character that represents the gamer—to explore a virtual world. Navi- gating the Web using mouse pointers and buttons could easily give way to wander- ing through a virtual landscape and “pick- ing up” the things you want to have or examine. MUVEs (multiuser virtual environ- ments) such as Second Life are likely to be The productivity of the Web is expected to rise steeply as the semantic Web gains the forerunners of the type of user inter- a foothold and we enter the era of Web 4.0. Source: Radar Networks & Nova face that will replace the countless pages Spivack, 2007 www.radarnetworks.com that clutter the current Web. Whether for

30 Web 3.0 “Are we there yet?” model preferable behaviors. Virtual world This “really smart” Web will serve as Living in Web 3.0 experiences can then transfer to real world a personal assistant. Web 4.0 agents will Web 3.0. “Are we there yet?” gains. be able to reason and make decisions. The Some pundits will argue that we barely Web 3.0 will accommodate persistent future Web will automatically filter our have a foothold in a Web 2.0 world. Others avatars. Just as phone number portability email, file documents, tag information, blister at the very idea of trying to erect makes it possible to keep the same contact and dispatch with a host of other bother- arbitrary boundaries by ascribing versions information for life, avatars will represent some tasks that plague us today. But Web to our collective cyber experience. their real-life owners across various plat- 4.0 will do more than menial chores. A But our cyber experience has already forms. The customizable character that Web that can access data from a multitude transformed the world in a matter of only represents you in one MUVE will possess of sources and evaluate the information a few brief decades—a transformation we the same attributes and experiences in oth- it finds will be able to help us choose the ers. Persistent avatars can build on prior have passionately embraced, despite its cars we buy, the medical procedures we conditions and events. As an avatar gains negative consequences. By imagining in undergo, and even the people we date. experience, the beefier database capabili- the virtual world of our minds what lies Nova Spivack, founder and CEO of ties of the next-generation Web will be ahead, we stand a better change to prepare able to store and retrieve that information Radar Networks and developer of the se- for the coming generation of experiences. for future encounters. mantic Web service Twine, foresees the Like the family vacation, it’s time to emergence of Web 4.0 as early as 2020. In pack up the station wagon with the gear Beyond Web 3.0 a 2008 interview for the video documen- we think we might need as we set off for a The semantic Web can lay the ground- tary series Learning from the Future, Spi- new and exotic destination. It might be an- work for a truly intelligent Web. Whereas other decade before we can look back and Web 3.0 links massive amounts of infor- vack says we will have left Web 3.0 when realize that we aren’t in Kansas anymore. mation to create a single, worldwide data- “…the web moves from just a knowledge And from the mountaintops of that new base, Web 4.0 will change how we access base to a kind of global mind, an intelli- and process that information. In Web 4.0, gent entity comprised of billions of pieces world, we’ll look to the next horizon and desktop computing will give way to Webt- of software and billions of people working try to imagine what life will be like as we op computing. A host of Web services will together to make some new form of intel- set off for Web 4.0. be available through a Web-based operat- ligence that transcends human or machine ing system, or WebOS. intelligence on its own.”

The Next Wave n Vol 17 No 3 n 2008 31 TIMING CONTROL CONTACr5

reMPORARV OVE-CrCJ.£ SW'l1'CH

( ( ( ~ <;

FILA.VENT TRANSFORMER

i42394