[AusNOG] RISK - IT Industry - Concern Over Equipment Being, Installed in Data Centre Facilities - Further Replies

Mark Smith markzzzsmith at gmail.com
Wed Sep 28 09:46:21 EST 2016


On 28 September 2016 at 01:58, Skeeve Stevens
<skeeve+ausnog at eintellegonetworks.com> wrote:
> A lot of people have this idea that everything should be openly discussed
> because doing it helps us all understand the situation and we can all
> contribute and solve the problem. This is a stupid idea mostly perpetrated
> by people who is not the person actually at most risk or the most to lose.
>

Security experts likely far more qualified than anybody here disagree.

"Keep it secret, stupid!" by Matt Blaze
http://www.crypto.com/papers/kiss.html

or the the Preface of the first edition of this book (the whole books
is about security weaknesses and mitigations - how they protect
nuclear weapons is quite novel)

"Security Engineering" by Ross Anderson
http://www.cl.cam.ac.uk/~rja14/book.html

or

"Full Disclosure of Security Vulnerabilities a 'Damned Good Idea' by
Bruce Schneier
https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html



> Should we openly discuss, on an archived list, with press watching. how we
> could use household goods to make explosives?
>

The press show that all the time on the news. Ever seen video on TV of
a petrol station blowing up?

My car carries around a tank of that explosive chemical, and I'm
almost sitting on top of that tank when I drive it!

Dangerous chemicals surround us, and they helpfully label them with
symbols to tell us what danger they present and what level of danger.
The argument for security secrecy would say that these safety symbols
should not be present, which would then make them unsafe to use for
people with legitimate uses of them.

> Or talk about how easy it is to make certain bioweapons and the different
> ways we could deploy them?
>
> Or should we perhaps talk about how easy it is to commit fraud?
>

It might be easy to commit fraud, but it isn't easy to get away with it.

Security systems need more than prevention mechanisms, they also need
detection and response mechanisms.

> Yes... lets give blueprints to people who are motived by malice so that they
> can go off and do what we're suggesting puts us at risk.
>
> Suitable forums are private industry ones with a membership criteria which
> is often gated to certain professions, peer recommendations, and so on.
>
>

The fundamental flaw in this argument is that preventing the good guys
from having this knowledge and being aware of the threats and risks
(so that they can protect themselves) also ensures the bad guys can't
find it out and secretly share it. Evidence shows otherwise in both
the physical and virtual worlds.


More information about the AusNOG mailing list