søndag 9. januar 2011

WikiLeaks lessons

ENISA identified three major incidents from "WikiLeaks Cablegate". In summary, these three incidents are:
  • The leaks themselves
  • DNS and Cloud Service interruption
  • Hacktivist DDoS attacks
To address the first issue, the US government has distributed an internal memo, which ironically has been leaked. The memo focuses on assessments of the technical solutions and policies. While these areas certainly are important, one must keep in mind that the leaks were done by people who see their loyalty to "the world population" rather than "the boss". Hence the "leakers" are known as whistle blowers, rather than parts of a broken system.

No matter how strict you define your policies and attempt to enforce these through access restrictions, this will never account for the whistle blowing humans you employ. Hence the real issue for each agency should then be the psychology of whistle blowers, not system cracksdowns.

In other words, the system will take care of internal policies and access control, and you could tighten up firewalls against external threats, but WikiLeaks is about whistle blowers - the people you thought were loyal to you turn out to be loyal to their personal ethical principles instead.

Principles of whistle blowing
  • The sound of the whistle is something that was supposed to be secret.
  • The whistler has something to gain by whistling, for one of these reasons;
    The tone of the whistling is in disharmony with the whistler.
    The whistler gains something politically, economically or other.
  • The whistling is amplified by a party that gains something by doing this job.
Hidden information leakage between agencies are known as espionage and are not considered leakage. While an employee is still the weak link in the security chain, the reason for leaking are quite different, and therefore differs also in psychology and machinery: While espionage is dependent on nobody knowing that the espionage has occured, leaking is based on public disclosure as a weapon. This, again, means that the disclosure is effective only when the content is to the benefit of the public - either directly by the disclosure of disharmonious behaviour (the most common forms of leakage) or indirectly by amusement.

Further, one might claim that information that only causes amusement is not directly harmful. On the other hand, secret information that is to public benefit typically means that the information is in regard to organizational behaviour in disharmony with public opinion.

So how do we avoid leakage?

Be good.

No seriously, don't do anything that the public would hate you for if they knew about it.

lørdag 8. januar 2011

Snail Mail explained

By using SIT (Snail Imprint Technology), an e-mail can be etched into the shell of a snail. The trained homing snail then sets off a journey of thousands of miles to its recipient, who uses an SIR (Snail Imprint Reader) to decode the secret e-mail.

  • Conflict between distance and average snail life span.
  • Recipients may have to decode thousands of snails before the correct snail is found.
  • Good homing snail programs have not been developed.
  • No RFC available at this time, specifying the exact coding.

Beyond the caveats, we are excited to present this idea to the world community!

See also: RFC1149 Standard for the Transmission of IP Datagrams on Avian Carriers
RFC1149 Real life implementation

fredag 7. januar 2011

Child aged zero or more

What about children aged less than zero? Are those considered children?