Here's another example of "security through obscurity" being proposed by those in our government without Technology Clue One. While this may give such cluebots a warm-fuzzy feeling about keeping such information away from the public eye -- and "potential terrorists" -- it's the thumb-in-the-dike solution ... There are any number of other ways to get the same information or monitor our long-haul networks. At the very least, affected customers would complain and news would get out to the greater internet community in short order. (Or do they also plan to prohibit third-party network monitoring services and software?)
Bruce Schneier calls this kind of thinking "security theater" -- the presentation of the reassuring illusion of security instead of the real thing that works effectively. I call it the Ostrich Security Syndrome -- the cyber equivalent of sticking one's collective head in the sand and hoping the problem/danger goes away before you look up again. While some of you have noted the periodic "sensationalism" of the Register, I repost this article nevertheless, because Kevin is someone I can trust. Rick -infowarrior.org Feds urge secrecy over network outages By Kevin Poulsen, SecurityFocus Published Thursday 24th June 2004 09:46 GMT Giving the public too many details about significant network service outages could present cyberterrorists with a "virtual road map" to targeting critical infrastructures, according to the US Department of Homeland Security, which this month urged regulators to keep such information secret. < snip > The commission is hoping for similar results on the wireless and data networks that have become integral to the US economy and emergency response capability. The proposal would expand the landline reporting requirement to wireless services, and generally measure the impact of a telecom outage by the number of "user minutes" lost, instead of the number of customers affected. It would also require telecom and satellite companies to start issuing reports when high-speed data lines suffer significant outages: specifically, whenever an outage of at least 30 minutes duration affects at least 1,350 "DS3 minutes." A DS3 line carries 45 megabits per second, the equivalent of 28 DS1 or T1 lines. The reports would include details like the geographic area of the outage, the direct causes of the incident, the root cause, whether not there was malicious activity involved, the name and type of equipment that failed, and the steps taken to prevent a reoccurrence, among other things. To the Department of Homeland Security, that's a recipe for disaster. "While this information is critical to identify and mitigate vulnerabilities in the system, it can equally be employed by hostile actors to identify vulnerabilities for the purpose of exploiting them," the DHS argued in an FCC filing this month. "Depending on the disruption in question, the errant disclosure to an adversary of this information concerning even a single event may present a grave risk to the infrastructure." < snip > http://www.theregister.co.uk/2004/06/24/network_outages/ -- You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
