
WikiLeaks:China

Comments

  • How exactly is letting the public know how many ways shit can blow up and people die allow them to fix the issues?
    Public pressure does wonderful things. It can accelerate the actions of a slow moving government.
  • I can, as a citizen, go to a site in my home town and document the specific disruption I think could be caused by certain actions, and go on to describe in detail how to make it come about. This isn't a crime.
    No, but giving said information to a person who has a vested interest in causing harm might be. Putting it out in public view where anyone can read it, without regard to the harm that could result, and without a clear benefit, is reckless at best. It may not be a crime, but you shouldn't do it, and that's the message we need to convey. Once again, just because you can release information doesn't mean that you should release that information.
  • Rym
    edited December 2010
    No, but giving said information to a person who has a vested interest in causing harm might be. Putting it out in public view where anyone can read it, without regard to the harm that could result, and without a clear benefit, is reckless at best. It may not be a crime, but you shouldn't do it, and that's the message we need to convey.
    That's incredibly short-sighted. You've just effectively said that everyone who ever wrote a realistic novel involving terrorists did so recklessly. That it's reckless to publicly discuss what you see are obvious security failings. That it's reckless to note that, say, the security lines in airports are a much easier and effective target than the planes themselves.

    I suppose I must fervently hide the fact that it's obvious to anyone who's ever been in an airport that the lines are an easy target. I must also condemn anyone who ever writes a novel about an attack like that.
    Once again, just because you can release information doesn't mean that you should release that information.
    Even information I personally and legally gathered into my own head? Or information I created entirely?
    Post edited by Rym on
  • What if someone made Wikinovels? Just a site for authors to discuss possible stories? What if someone, an author writing a book on fictional terrorists who happens to be a skilled engineer, discusses possible terrorist scenarios (real ones, though for his fictional book), how they could come about, and their effects?

    Is that wrong? It's certainly not illegal.
    IIRC there was a novel about flying some planes into some very large buildings prior to the crazy 9/11 business.
  • Look at what's going on here.

    First you have people doing the actual leaking. These are people with security clearances passing information to WikiLeaks. WikiLeaks is just passing it on. The people who are doing the leaking are the ones really at fault. There is some outcry against the actual leakers, but not nearly as much as there is against Assange.

    On top of that, there is another group of people who deserve blame even more, the government(s) that are incompetent at keeping secrets. How about we get down on these really shitty government IT guys and the shitty software they use that is so easily compromised. If the FRC ran a government, it probably wouldn't have any secrets. If it did have secrets, you know that the computer security would be so insanely tight that nobody could leak us without giving themselves away.

    I am against security through obscurity. If keeping a secret is the only thing that is keeping you safe, then you are effectively wide open. You need to have real security. That being said, if you fail at real security, and use obscurity for safety, you had better be damn good at keeping that information secure. If you can't do that, you are incompetent. Those incompetent government IT people are the ones that should be receiving the brunt of the ill will, not WikiLeaks.
  • You've just effectively said that everyone who ever wrote a realistic novel involving terrorists did so recklessly.
    I don't know what you're talking about, but I'm talking about a real situation with real intelligence about real places. People who want to do harm don't give a shit about fanciful imaginings, they care about getting results in a real-world scenario.

    I don't know why you keep distracting the argument with irrelevant hypotheticals and talk of legality. Nobody's talking about legality, they're talking about morality. To paraphrase these two guys I know, I'm not talking about what's legal, I'm talking about what's right.

    If you refuse to recognize that there's a mile-wide gulf between saying "You could do a lot of harm if you bombed an airport security line" and "If you use this compound at this airport at this time of day, you will kill this many people in this much time," then there is no meaningful discussion to be had.
    First you have people doing the actual leaking. These are people with security clearances passing information to WikiLeaks. WikiLeaks is just passing it on. The people who are doing the leaking are the ones really at fault. There is some outcry against the actual leakers, but not nearly as much as there is against Assange.
    This is true. The people who actually gave the information to Assange are seriously to blame.

    However, that doesn't absolve Assange of his role in these leaks. He had the information at hand, and could easily make the conscious decision to not release sensitive information. The fact that he still released the information makes him just as responsible as the people who gave it to him in the first place.
  • If you refuse to recognize that there's a mile-wide gulf between saying "You could do a lot of harm if you bombed an airport security line" and "If you use this compound at this airport at this time of day, you will kill this many people in this much time," then there is no meaningful discussion to be had.
    What if I write a detailed novel? I'm serious here. What if I do research on real sites to write a realistic novel? What if I consult engineers and my novel is 100% accurate in its assessment for my story, including the means?
    However, that doesn't absolve Assange of his role in these leaks. He had the information at hand, and could easily make the conscious decision to not release sensitive information. The fact that he still released the information makes him just as responsible as the people who gave it to him in the first place.
    One, he claims to have sent all of the cables to the State Department and to have asked them if there was anything in particular he should zero in on redacting. Two, aren't the other news organizations who are reprinting the cables then equally responsible for their spread? Average people wouldn't have read them were it not for the wide press coverage.
  • However, that doesn't absolve Assange of his role in these leaks. He had the information at hand, and could easily make the conscious decision to not release sensitive information. The fact that he still released the information makes him just as responsible as the people who gave it to him in the first place.
    I disagree. Information is information. If someone willingly tells you something, you are under no obligation to keep it a secret just because the person who told it to you was so obligated.

    If a friend tells you something, and tells you to keep it secret, and you promise, then you keep it a secret. If you fail to keep it secret, then you're a jerk. But if other people you told it to start spreading it, they're not responsible or wrongdoers in any way. The fact is that the world we live in, any information that is out of the box will be nearly instantly replicated around the world. The only people that can be found responsible for not keeping a secret are the initial leakers. Everyone lower on the chains is AOK.

    If you think that everyone in the chain is somehow responsible, then how about every newspaper on earth which is republishing everything from WikiLeaks?
  • I disagree. Information is information. If someone willingly tells you something, you are under no obligation to keep it a secret just because the person who told it to you was so obligated.
    This is the theory of "transitive trust," whereby non-inherent limitations on transferred data afford zero security beyond the implicit trust of those with access. That is to say, if you give someone any information prior to forcing them to agree to specific limitations of use, they are free to do whatever they like. Friend-of-a-friend security thus fails if any member of the chain is untrustworthy.

    A good system of security identifies now untrustworthy links and severs the dissemination of further information to said party. The US intelligence system clearly has no such system for "Secret" information, as they have not been able to identify the leaking party.
  • One, he claims to have sent all of the cables to the State Department and to have asked them if there was anything in particular he should zero in on redacting.
    And you just believe him? Who did he contact? How did he contact them? How many times? What are the specifics?

    Did he contact the State Department about the most recent leak?
    Two, aren't the other news organizations who are reprinting the cables then equally responsible for their spread? Average people wouldn't have read them were it not for the wide press coverage.
    Sure they are, but I'll note something from the article Andrew linked:
    CNN is not publishing specific details from the list, which refers to pipelines and undersea telecommunications cables as well as the location of minerals or chemicals critical to U.S. industry.
    That is responsible journalism.
    Everyone lower on the chains is AOK.
    As long as we continue to think this, we will never ever ever ever fix the education problem in this country. If we allow people to continue parroting around information without bothering to think about the ramifications of doing so, then we are allowing people to thrive in an environment that does not demand critical thinking nor consideration of the welfare of others.
    What if I write a detailed novel? I'm serious here. What if I do research on real sites to write a realistic novel? What if I consult engineers and my novel is 100% accurate in its assessment for my story, including the means?
    That still doesn't speak to the situation I'm looking at here. You're still talking hypotheticals, while I'm trying to address the real situation. The most recent leak revealed very detailed scenarios about real-world places and the specific disruptions that would be caused, as well as enumerating their specific vulnerabilities.

    The line is where you start writing an instruction manual. Let's use my example from a couple of weeks ago, where I described the vulnerabilities of the milk supply to adulteration with C. botulinum. I gave a hypothetical scenario devoid of details, such that you could not actually act on the information. If I told you where to get C. bot, how to grow it, when to time your attacks, which dairies are the most vulnerable, how to bypass their security, and so on, then I would have been reckless.
  • as they have not been able to identify the leaking party.
    Or they have and they dealt with it. Do you know whenever anyone with Secret clearance is fired?
  • As long as we continue to think this, we will never ever ever ever fix the education problem in this country. If we allow people to continue parroting around information without bothering to think about the ramifications of doing so, then we are allowing people to thrive in an environment that does not demand critical thinking nor consideration of the welfare of others.
    Freedom of speech. Freedom of the press. These are the first freedoms in the Bill of Rights. We have the right to disseminate information. Period.
  • That still doesn't speak to the situation I'm looking at here. You're still talking hypotheticals, while I'm trying to address the real situation. The most recent leak revealed very detailed scenarios about real-world places and the specific disruptions that would be caused, as well as enumerating their specific vulnerabilities.
    Did you actually read what was leaked?
  • Freedom of speech. Freedom of the press. These are the first freedoms in the Bill of Rights. We have the right to disseminate information. Period.
    And the responsibility that comes along with that as well. You can lie to someone all you want, but there are legal precedents for punishing lying in certain circumstances. Just because you have a right doesn't mean you are always right in exercising it. Do you disagree?

    I'm not talking about restricting rights at all. I'm talking about changing our culture to one which values the responsible interpretation and consideration of information before dissemination. We'll only get more and more information as time goes on, and unless we teach people how to filter information and stop spreading the useless stuff, we will not advance any further.
  • The US intelligence system clearly has no such system for "Secret" information, as they have not been able to identify the leaking party.
    Except we do know.
  • edited December 2010
    EDIT: Furthermore, I doubt that uneducated Islamic extremists have access to the type of intelligence organizations as the major nations.
    Uneducated? Hardly. While many of them may be little more than pissed off goatherders, many of them are quite well educated, with some holding high level degrees in engineering, computing, international relations, so on, so forth. Don't make the mistake of thinking them all just some pissed off Country bumpkins from the ass end of sand-land with a few crates of AKs and explosives in a cave.
    Additionally, blackmailing countries is not exactly the best way to go about things.
    I find it hard to really blame him - it's covering his ass with a mutual damage plan. They pick him up and put him away, and he will do the exact thing that they don't want him to do.
    Post edited by Churba on
  • edited December 2010
    Uneducated? Hardly. While many of them may be little more than pissed off goatherders, many of them are quite well educated, with some holding high level degrees in engineering, computing, international relations, so on, so forth. Don't make the mistake of thinking them all just some pissed off Country bumpkins from the ass end of sand-land with a few crates of AKs and explosives in a cave.
    True, but as far as I'm aware a large ratio of people engaging U.S. interests these days tends towards the uneducated. Besides, the true intent of the statement was that their intelligence network is less than stellar.
    Post edited by Andrew on
  • What if someone made Wikinovels? Just a site for authors to discuss possible stories? What if someone, an author writing a book on fictional terrorists who happens to be a skilled engineer, discusses possible terrorist scenarios (real ones, though for his fictional book), how they could come about, and their effects?

    Is that wrong? It's certainly not illegal.
    IIRC there was a novel about flying some planes into some very large buildings prior to the crazy 9/11 business.
    The end of The Running Man.
  • True, but as far as I'm aware a large ratio of people engaging U.S. interests these days tends towards the uneducated. Besides, the true intent of the statement was that their intelligence network is less than stellar.
    Those are both fair calls. Little argument here.
  • edited December 2010
    Did you actually read what was leaked?
    I'll admit that I did exaggerate the contents of the documents, but not to the degree that you seem to think. There is enough information contained in those documents to invite serious disruption to certain critical foreign infrastructure.

    EDIT:
    Besides, the true intent of the statement was that their intelligence network is less than stellar.
    This is the important part. Security through obscurity can work if the other guy has less effective intelligence than you.
    Post edited by TheWhaleShark on
  • By your argument is something like the Anarchists Cookbook equally bad? It contains explicit (albeit poor) instructions for the creation of explosives, expressly for the use in a disruptive manner. Thereby it can easily be construed to be a guide for terrorism, for which the distribution of the book, by such logic, is equally heinous.
    As a note, I just looked over the document in question for myself on the Wikileaks site. It appears to my untrained eye that the document contains little to no truly sensitive information, it is just a list of places. A large number of them being mines and factories that could probably be trivially linked back to the US. The press seems to be making a mountain out of a molehill on this one, simply because the government did what it will always do when shit like this happens and "condemn" it.
    As for the overall morality of Wikileaks. In my mind the simple dissemination of information cannot be immoral provided it is done neutrally. Making an argument as to Wikileaks' neutrality is hard simply due to the limited nature of their activities so far, and whether or not some documents are as bad for the US as they are for others. Additionally Wikileaks by and large has preached (haven't really checked their practice) that they do due diligence in preventing information that is dangerously specific. All in all they seem to me to be neither an "evil" or "good" organization, but somewhere in a grey area, as they've released little that has yet been tied to any direct harm beyond making a few politicians and diplomats red faced.
  • I basically trust anything Umberto Eco writes. Man knows how to travel with a salmon.
  • dsf
    edited December 2010
    Did you actually read what was leaked?
    I'll admit that I did exaggerate the contents of the documents, but not to the degree that you seem to think. There is enough information contained in those documents to invite serious disruption to certain critical foreign infrastructure.

    EDIT:
    Besides, the true intent of the statement was that their intelligence network is less than stellar.
    This is the important part. Security through obscurity can work if the other guy has less effective intelligence than you.
    Remember, the 3 pillars of security are Integrity, Confidentiality and Availability. I'm really not sure where "Security through obscurity is bad" came from but obscurity is a part of confidentiality. If you want your information to be confidential, then you don't go around telling people that it is there, that's just common sense. But if all you're doing is making your information invisible then there is no way to determine its integrity so you fail hardcore from a security standpoint. No audit logs, no user controls = you don't know if the information is in the state it's supposed to be in (has it been falsified, deleted, changed?). With those two things in mind, you no longer have information available for its intended use.

    More info than you could possibly use.
    Post edited by dsf on
  • I'm really not sure where "Security through obscurity is bad" came from
    From idiots who use it as a primary and only security measure.
  • edited December 2010
    I'm really not sure where "Security through obscurity is bad" came from
    From idiots who use it as a primary and only security measure.
    Here's an example of security through obscurity being bad. Go to apreche.net/wp-admin/ If you login there, you will have access to my blog! By default every WordPress blog puts the login at a URL of /wp-admin/. Some morons will tell you to change that URL to something else that only you know, to make it harder for bad people to even find the login page.

    Much like airport security that's just security theater. If someone knows your password, or has a way to break in, that's not going to stop them. If they don't have a way to get in, then getting to the login page isn't going to let them in. So changing the URL is just obscurity, it doesn't actually make you more or less secure in any way. The only thing it will do is maybe confuse legitimate users who are used to the default, and it might break some plugins and such that are designed for the default URL, so it could actually hurt you.

    As you can see my blog has real security. You need my password and my Yubikey to get in. I always constantly upgrade Wordpress, so no known security vulnerabilities will let you in either. It's just a stupid blog, but it's locked up tighter than the database of diplomatic cables. I'm using only free software and a cheap USB stick (Yubikey). That is how incompetent our government and almost all companies are when it comes to technology.
    Post edited by Apreche on
  • so instead of putting something in a safe where two people know half the combo, you hide it under the floor boards.... yeah that's pretty dumb.
  • dsf
    edited December 2010
    As you can see my blog has real security. You need my password and my Yubikey to get in. I always constantly upgrade Wordpress, so no known security vulnerabilities will let you in either. It's just a stupid blog, but it's locked up tighter than the database of diplomatic cables. I'm using only free software and a cheap USB stick (Yubikey). That is how incompetent our government and almost all companies are when it comes to technology.
    US government stuff is locked up pretty tight, the problem is when some ass hat decides he or she needs to rewrite the policy that they have authority over to make their life easier. For example, USB ports are supposed to be disabled on all sensitive federal IS's but some managers write exceptions so they can enable them and use USB sticks. It was only a matter of time that the circumvented policies bit them in the ass. I remember as a system security officer being told to enable them and then refusing until I had it in writing that the Officer-in-Charge was assuming responsibility for that. I was relieved of my post and they did it without my consent. This was right before I left the Navy. So in reality, Security culture in the Fed has broken down over time, not policy. The policies are all dead on but the people just don't want to deal with the trouble of following it. Like in my situation, a group of ass hats wanted to do it the easy way and I was glad to be relieved of responsibility for those systems, I even reported the incident to a higher authority just to be on the record as opposing the misuse of the system. This type of crap was so prevalent that nobody really cared..... until Assange. So I like the fact that this whole event really kicked them in the sphincter and made them shit themselves.

    It's like a story I was told by a professor of mine. "Down at the University of Pennsylvania parking garage there is a reinforced door with a card swiper and a camera at the entrance. Right next to it is a wide open garage door with people walking in and out." Usually it's not that security is not there, it's just easily circumvented or irrelevant. Your example holds true on most low level things like blogs and such, but at higher corporate and federal things, security is implemented, and would be really good if not for some glaring issue that renders it all completely irrelevant.
    Post edited by dsf on
  • edited December 2010
    I'm really not sure where "Security through obscurity is bad" came from
    From idiots who use it as a primary and only security measure.
    Here's an example of security through obscurity being bad. Go to apreche.net/wp-admin/ If you login there, you will have access to my blog! By default every WordPress blog puts the login at a URL of /wp-admin/. Some morons will tell you to change that URL to something else that only you know, to make it harder for bad people to even find the login page.

    Much like airport security that's just security theater. If someone knows your password, or has a way to break in, that's not going to stop them. If they don't have a way to get in, then getting to the login page isn't going to let them in. So changing the URL is just obscurity, it doesn't actually make you more or less secure in any way. The only thing it will do is maybe confuse legitimate users who are used to the default, and it might break some plugins and such that are designed for the default URL, so it could actually hurt you.

    As you can see my blog has real security. You need my password and my Yubikey to get in. I always constantly upgrade Wordpress, so no known security vulnerabilities will let you in either. It's just a stupid blog, but it's locked up tighter than the database of diplomatic cables. I'm using only free software and a cheap USB stick (Yubikey). That is how incompetent our government and almost all companies are when it comes to technology.
    I defer to Scott's expertise on the issue, naturally.
    Post edited by Churba on
  • edited December 2010
    The policies are all dead on but the people just don't want to deal with the trouble of following it.
    Yes, in your example it is true that the policy of disabling USB is a good policy and that people did not follow it. However, let me ask you this. How was it even possible to re-enable? Why did the computer even have USB ports on it in the first place? Why did people even have physical access to the computer in the first place? All that was standing between someone and that data was policies saying they shouldn't do it.

    If someone had physical access to the USB ports on a computer, what stops them from putting a keylogger on the USB keyboard? Nothing. Even if you ripped the USB ports off the motherboard, someone with physical access could solder them back on. That's definitely within my capabilities. USB is just four pins, easy as pie. If I've got four wires I can solder the USB stick to the motherboard and hide it inside the computer case. Then I can just use a scissor to remove it and take it home.

    If it was truly secure it would be physically impossible to remove the data from the machine, period. No matter what permission given or responsibilities were taken, the policy would be technologically and physically enforced and unbreakable.
    Post edited by Apreche on