Wednesday, 7 September 2011

John Young (@Cryptomeorg) on the security of disclosure sites

Cybersecurity wizards often repeat that a race is on between cyber defenders against cyber attackers and the attackers are winning due to the greater variety of attacker swarms against Maginot Line defenders.
A Dutch official said today that online security of government websites cannot be assured, that ordinary paper and mail are much superior. That has been Cryptome's advice for several years -- that online security is very poor and security peddlers and product distributors are concealing this deficiency to capitalize on the popularity of the Internet -- among them disclosure sites.
New cyber defenses become outdated instantly due to a continuous onslaught, some by amateurs having fun, some by competitors, most by criminals who sell their produce to a bevy of purchasers, governmental, commercial, individual.
Attacks are increasing geometrically as youngsters coming into cyber maurading proliferate, in particular in nations outside the major powers who are learning the limits of power in cyberworld they have created and promoted.
This means that any platform which offers disclosure services, aka leaksites, will lag the prowess and multitude of attackers and should warn submitters that the first and most important defense must start on the submitters' end.
And that the greater the risk a submission poses to the submitter the greater the need for for submitter's own defenses and never rely upon the platform's promises of protection. This was put in a nutshell by a National Security Agency paper in 2000 addressing the futility of computer security, "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments."
http://www.nsa.gov/research/_files/publications/inevitability.pdf
Beyond unavoidable insecurity in computers an networks, submissions may be intercepted in transit, misplaced at the platform end, misunderstood and/or misjudged by the platform staff, or improperly explained and published. Disclosure platforms do
not have sufficient stable, well-trained staff to compensate for the turnover in volunteers with their limited skills ineptly directly by site operators.
You will recall that these are all applicable to WikiLeaks and most of its emulators as well as governments, commerce and the wealthy. OpenLeaks has attempted to address them but it is quite difficult not only for a low-resourced initiative but also
for the well-endowed.
At the moment the well-endowed and those less so are obscuring the lack of online and other forms of digital security, instead engage in what the wizards call "security by obscurity," hoping attackers will not find and exploit weaknesses.
As we see near daily, admission of security breaches are escalating not because the providers want to tell but because insecurity is being exposed by those who wish to no longer hide the truth known to insiders and a growing crowd of outsiders. To wit, DDB and others in the security and hacker world. They are calumnized by insiders who hope to maintain obscurity a while longer.
This means your most distinguished institutional readers in finance, law, government, intelligence and the rest who vaunt their prowess for credibility, authenticity and security, face increasing disclosure of faults in their protection pretenses -- which includes global Cyber Command initiatives.
The petit furor with Wikileaks, OpenLeaks, Anonymous
and newsy ilk portends a grand furor building toward disclosing something wonderful, I hope, about the cost of excessive secrecy and security obscurity,
no matter who lurks beneath the cloak. Wikileaks and emulators are the least problematic compared to the Titanic-grade protectors of the commonweal who are being outmatched by icebergs much more threatening than security-truth-disclosure sites.
Via

No comments:

Post a Comment