Tuesday, December 7, 2010

Wikileaks releases list of high value soft targets

I have to confess that I simply don't understand the motivations behind this:
In February 2009 the State Department asked all US missions abroad to list all installations whose loss could critically affect US national security.


The list includes pipelines, communication and transport hubs.

Several UK sites are listed, including cable locations, satellite sites and BAE Systems plants.

BBC diplomatic correspondent Jonathan Marcus says this is probably the most controversial document yet from the Wikileaks organisation.
Something that Internet Security people had to grapple with a decade ago is called "Responsible Disclosure".  Imagine that you're a security researcher.  Imagine that you discover a vulnerability that affects many, many computers on the 'Net.  Do you notify the vendor that created the software, who could create a fix, or do you issue a press release?

If you announce the vulnerability before there's a fix available, then you put lots of people at risk.  There's nothing that they can do to defend themselves (remember, there's no fix available because you didn't notify the vendor), but the Bad Guys will have information they can use to create a new attack.

While Responsible Disclosure remains somewhat controversial to this day, the basic motivation is solid.  The world is filled with soft targets, and people who would like to exploit them.  You don't just recklessly disclose this sort of thing without good - really good - justification.

I'm struggling to understand Wikileaks' rationale.  What does releasing the location of the terminus of the trans-Atlantic fiber optic cables accomplish?  I mean, politically?

Having been in the Internet Security community for a long time, I have personal experience with being stonewalled by vendors who didn't want to make a fix.  For one vendor (no, it wasn't Microsoft), I had to call one of their people in the Netherlands because nobody in Mountain View would get back to us.  I called him because he was active on the security Usenet lists, and so I knew that his heart would be in the right place.  It was.  That's no way to run a railroad, but it would have been irresponsible for us to throw up our hands and go public on a vulnerability in widely deployed software, for which there was no way for people to defend themselves.

It looks like Wikileaks just did precisely that.

Cables about Gitmo or the like are plausibly political in nature.  Their release could cause embarrassment to governments, and potentially affect the political debate in the West.  But releasing the fact that such-and-such factory is critical for the nation's blood supply?

I'm normally one to take statements about the need for secrecy from government officials with a huge grain of salt.  But this seems so reckless that it gives credibility to this:

Former UK Foreign Secretary Sir Malcolm Rifkind condemned the move.

"This is further evidence that they have been generally irresponsible, bordering on criminal," Sir Malcolm said. "This is the kind of information terrorists are interested in knowing."
Are they interested?  I don't know.  Could they use this to cause terrible damage?  It sure seems plausible.  And Wikileaks' PR flack simply sounds idiotic here:

But Wikileaks lawyer Mark Stevens denied that Wikileaks was putting people and facilities at risk.

"I don't think there's anything new in that," he told the BBC.

"What I think is new is the fact that it's been published by Wikileaks and of course we have the Wikileaks factor because a number of governments have been embarrassed by what's happened..."
Mr. Stevens, you sound precisely like a bunch of Internet Security nerds I've run across before.  With them, it wasn't about security, it was about getting in the glare of the Klieg Lights.

Hat tip: Legal Insurrection.

6 comments:

  1. "I'm struggling to understand Wikileaks' rationale. What does releasing the location of the terminus of the trans-Atlantic fiber optic cables accomplish? I mean, politically?"

    You are making the assumption that they have a goal in mind except just to be the opposition. They are on the other side, so they will work to support that other side.

  2. Simplest of motivations at work, IMO.

    Hate.

    More fully explains the action than simply wanting attention. The basic motivations for pretty much everything are love, sex, and money. Hate, being the other side of the "love" coin, is a powerful motivator.

  3. Limelight... possibly looking to disabuse the US Govt of its preeminent position in the world's hierarchy... gloryhounding... I could go on...

    There are some thinkers that feel all information should be free and open. Obviously they are not married.

    Regards,
    Albert
    The Rasch Outdoor Chronicles
    The Range Reviews: Remington R-25 Multi-Caliber Rifle

  4. While I think the whole WikiLeaks publicity stunt despicable, and fully worthy of the blindfold and last cigarette; it is interesting to note that Assange and Co. were pretty much given free rein until Assange said he had "Enron type E-mails" on a major bank.

    And then the roof fell in. Perhaps that is "just coincidence" - but I lost faith in coincidence while Ike was still president.

    And then there's the little matter of this sexual assault charge. Everything was peachy, at least until after breakfast the next morning. Sweden has retroactive laws?

  5. I will believe the goal of Wikileaks is better government when they leak about the conditions in the Cuban political prisons or life in general in that hellhole. Or the conditions in Venezuela. Or North Korea. Or China, the Sudan, Myanmar, or any of the real dictatorships on this planet.

    Until then, they're just another anti-American organization at best; at worst, they're an organization trying to plunge the world into chaos and darkness.

  6. It's like the Gary McKinnon situation: he embarrassed the authorities by showing they had very little basic security on their systems.

