Untitled

Submitted by reeses on Tue, 2003-07-15 01:06.

I find this article quite eye-opening for a few reasons. I'll give a little summary:

Consolidating publicly- and openly-available data, a grad student at GMU has built a GIS database containing all (or at least a very large quantity) of the communications links in the US. Various people are in a tizzy because this information could be terribly useful to black hats interested in taking out our communications infrastructure.

One of my favorite quotes in the article:

“This is why CEOs of major power companies don’t sleep well these days,” Derrick said, flattening the pages with his fist. “Why in the world have we been so stupid as a country to have all this information in the public domain? Does that openness still make sense? It sure as hell doesn’t to me.”

I know that the computer security industry went through something like this back in the dark ages, and it has a name: Security Through Obscurity. The idea is that, sure, you may have a backdoor exploit that would allow people to get into your "secure" system, but if they never find out about it, who cares? This idea is especially attractive when you realise that, even if you release a patchkit, and send it to all of your customers in a bright red envelope with bright orange lettering reading, "INSTALL THIS NOW OR YOU'LL BE IN THE HORSE COSTUME ON GAY DAY AT THE PETTING ZOO, AND YOUR MOM WILL GET THE PICTURES," they still won't install it. Ever.

So, not only haven't you solved the problem, you've made it public knowledge, and bad kids or bad men will take advantage of this knowledge and the reluctance to fix it, and walk through your system like drippy poo through goose's guts.

Anyway, Security Through Obscurity actually 'worked' in the computer industry for a long time. Until people started looking for these holes in the castle wall, and they were surprisingly easy to find. Heck, in my first week of using Unix, back in 1990, I discovered an exploit that allowed me to gain read access to ttys on a Dynix system, and read all of the passwords for people logging in via the terminal pools in my university. This is even without the scads of rootkits floating around for Skript Kiddies who don't even bother learning about the APIs, because they have ready-made rootkits.

So, how hard do you think it's going to be to hide your billion-dollar fibre project from anyone interested enough to come looking for it? These aren't day trippers out for a little sightseeing, off to see the new trench where the Intarw3b is. These are seriously bad people who want to ruin your day, and are willing to die trying. I imagine that, honestly, they'd spend a year walking a three-block section of Manhattan, just to find the right spot to blow up. Your solution is not making it harder to find the information, because it's a one-way valve. Once it gets out, it's way too hard to contain.

Your solution needs to involve a communications infrastructure that can't be destroyed by a limited coordinated attack upon a few of its links. Your communications network needs massive redundancy, or the ability to heal and re-route around any disturbances. Why is DARPA sleeping through this?

(Yes, I did write this so that I could look back in a year and laugh over "gay day at the petting zoo". You got me.)
