Posts by Matthew Poole

  • Hard News: Book review: 'Wikileaks:…, in reply to Paul Campbell,

    they can use 1-way pads distributed by the world’s music industry (the LSBs of CDs)

    You can just imagine that scream of confession at Gitmo: "OK, OK, enough. It's My Heart Must Go On, from her latest Greatest Hits album. Now please stop playing her songs!"

    Auckland • Since Mar 2007 • 4097 posts

  • Hard News: Book review: 'Wikileaks:…, in reply to BenWilson,

    The cheapest cryptographic attack is very often the “rubber hose method”, in which you beat the keys out of some poor miscreant.

    Obligatory XKCD reference.

    ETA: This is also why people who have high-level clearances are subjected to travel restrictions. The people who design the security systems that interact with the “meat space” world have no illusions about the interrogation resistance ability of your average office-dwelling classified-materials handler.

    One interesting thing I read about interrogation resistance for the SAS (all candidates get subjected to a resistance exercise before getting accepted for training) was that guys who’d actually been caught by “bad guys” and given a proper working-over, as opposed to the largely psychological working-over (with a few punches, but nothing serious) they got in training, said it was harder to resist the guys on their own side. The line between friend and foe got blurrier much more quickly, and the lack of physical torment made it much harder to focus on resisting.

    Auckland • Since Mar 2007 • 4097 posts

  • OnPoint: Election 2011: GO!, in reply to recordari,

    Enough of this self flag elation.

    Ian may be gone, but his memory remains.

    Auckland • Since Mar 2007 • 4097 posts

  • Hard News: Book review: 'Wikileaks:…, in reply to Don Christie,

    Do you really think, for example, that the “terrorists” don’t have bloody cameras and have to rely on 3rd parties to take photos of army vehicles and then publish them on the web?

    If you do, then you really should rethink your security model.

    Wrong sub-thread, Don.

    Auckland • Since Mar 2007 • 4097 posts

  • Hard News: Book review: 'Wikileaks:…, in reply to Neil Graham,

    A wise man once said “the real world cannot be reduced to a cryptographic style problem”

    A wiser man would never have suggested the comparison, however.

    Auckland • Since Mar 2007 • 4097 posts

  • Hard News: Book review: 'Wikileaks:…, in reply to Neil Graham,

    In IT terms that’s known as security by obscurity, and is considered poor practice. While the real world cannot be reduced to a cryptographic-style problem, I think there is merit in the notion that you plan your actions as if your adversaries can see everything you are doing and planning.

    Really, really, really weak response. Computer security enjoys the benefit of an ultimately binary world. Meat-space, not so much. Much of modern computer security is built on mathematical problems that are considered sufficiently unsolvable that it doesn't matter who knows about them. And even then, companies don't publish detailed network designs and username lists on the web. That's security through obscurity too.

    The thing about a tactical response plan is that it's not the finished product, just a guide to "If this happens, then we'll do something that looks like that." "If a plane gets hijacked, we'll keep it on the runway, try and talk them out, exercise a forceful resolution under cover of darkness. Forceful resolution will not be considered for x hours unless the hijackers escalate." Knowing that much means the hijackers can plan their periods of alertness for the late night/early morning hours. They don't need to know the precise operational plans to be able to bugger things up for a tactical resolution. It may not change the ultimate outcome, but it could change the casualty count for the SAS/STG team that's going in.
    Similarly, knowing that response resources will be staged in areas that meet particular criteria relative to the initial attack allows additional attacks to be aimed at potential staging areas for maximum disruptive effect.

    It's nice and easy to sit in your chair and cry "Security through obscurity. Get a proper operating model", but it doesn't work that way. When lives are on the line, having to start from scratch is not an option. You need to at least be doing a colour-by-numbers, not looking at a blank canvas. Filling in the blanks as the situation dictates is fine, even necessary because too rigid a tactical plan leads to poor responses, but if the best you've got is a strategic plan that looks like "We don't negotiate with terrorists, the escalation is AOS to STG and the STG decide if it needs to go further, if it's chem/nuke/bio Fire Service will be needed for decontamination and the hospitals need to be warned" then you've got too many lines to draw before you get something that looks like a picture to be able to respond effectively.

    The security comes from the details in the operational plan, but that plan has to be built on something that already exists. Has to. Just like your theoretically perfect system design is considered over a period of weeks, if not months, and builds on the decades of work by giants that precedes your effort.

    Auckland • Since Mar 2007 • 4097 posts

  • Hard News: Book review: 'Wikileaks:…, in reply to Russell Brown,

    I think they’d whinge a lot and still bid. Whether the government would get a better price if all pricing was transparent is an interesting question.

    When you consider that government = us, it’s a very interesting question. Can we get an economist up in here?

    From a purely economic dollars-and-cents headline cost perspective, probably. Would you get the best-quality work with lowest lifetime cost? Not necessarily.
    A huge problem I have with the libertarian viewpoint that the private sector does it cheaper meaning the private sector does it better is that, often, the private sector's only looking to the end of the period. They have no long-term investment in the project, nothing on the line if it turns to custard in a decade's time. By that point they've made millions on government contracts, nobody remembers that they built the latest historical fuckup that's emerged, just that they've got a history of coming in on time and under budget and they've probably got several contracts in train that cannot be cancelled because of the penalties.

    Low cost, high quality, ready tomorrow; pick two.

    Auckland • Since Mar 2007 • 4097 posts

  • Hard News: Book review: 'Wikileaks:…, in reply to Rich of Observationz,

    They wouldn’t tender? Just walk away and leave the money on the table? I doubt it.

    I think it would depend on the tender. For a road or something equally boring, where your costs are labour and materials plus a spot of margin, just stumping up wouldn’t hurt too bad.

    For “soft” deliverables, like a consultancy contract, they quite possibly would walk away. Pricing of professional services is a really delicate balance between getting a foot in the door and cutting off your nose to spite your face. Even though all the big players know the headline rates of their competitors, they don’t know for sure where their wincing point lies. Opening the tenders up to competitors for scrutiny would allow more-ruthless operators to know just where to pitch for any given deal.

    Auckland • Since Mar 2007 • 4097 posts

  • Hard News: Book review: 'Wikileaks:…, in reply to George Darroch,

    NZ has no good reason not to be completely open in treaty negotiations. We have precious little to give away in terms of trade barriers, and nothing to give away in strategic military commitments. We're not a nuclear power, bargaining away strategic advantage by reducing, however symbolically, our arsenal of ICBMs, and our farmers have been competing honestly and openly on the world stage for the best part of 30 years.

    Auckland • Since Mar 2007 • 4097 posts

  • Hard News: Book review: 'Wikileaks:…, in reply to George Darroch,

    Honesty in foreign policy. Now there’s a thought.

    Be nice if MFAT announced that all treaty negotiations, starting with TPPA, were going to be conducted with absolute openness short of opening the meetings up to public attendance. Daily summaries, public input on talking points, public input on bottom-line negotiating positions, the whole works.

    Never happen, but it's a nice dream.

    Auckland • Since Mar 2007 • 4097 posts