Anthony Atkielski wrote:
Caitlin writes:
If a node only requires accessibility by a
few specialized nodes (such as a water meter)
then making it *visible* to more is just
creating a security hole that has to be plugged.
Only if the information made thus available itself constitutes a security
breach, which is not necessarily the case. Knowing how much water someone
consumes or how many cans of Coke remain in a distributing machine would
probably not be a security issue for most users...
I can't help myself.
Actually, having access to such stats as amount of power used, coke consumed,
late-night pizzas ordered from the Pentagon, or number of routine status
messages transmitted from ships of a specific call sign, can reveal a surprising
amount of detail.
It's fairly well known that the Americans had broken the Japanese codes during
World War II, but it's less well known that this was not a one shot break, but
an ongoing process of breaks, loss of capability and rebreaks. Periodically the
Japanese would reissue their code books and change the callsigns of their
various ships. The U.S. code breakers would then have to recreate their
penetration by identifying each vessel's new call sign, identify specific
message types and using these to rediscover the code groups.
One technique they had for this was to detect traffic patterns from specific
callsigns; by detecting similar patterns before and after the change, they could
identify specific ships. They could then attack the message traffic looking for
identical or similar messages, which in turn would lead to new breaks into the
system. Another technique was to monitor ambient traffic patterns. A spike in
traffic for a vessel or group would indicate potential upcoming operations,
especially if you were monitoring major capital ships.
Operations research has come a long way since then, and these or similar
techniques are now used in industry for marketing and sales purposes. U.S. law
enforcement was even using power consumption (as measured by infrared detectors)
as an indicator of potential pot growing in your hydroponic basement garden for
a while. This last one ran afoul of the illegal search and seizure bits of the
U.S. constitution but The World Is A Very Big Place and not everybody might be
as picky as the U.S. on such things.
The moral of the story? Traffic patterns and metadata can be powerful tools and
one person's junk is another person's data. You should not assume that the
majority of people shouldn't or wouldn't care about it leaking out, even if at
first glance it seems pretty mundane.
- peterd
--
----------------------------------------------------------------------
Peter Deutsch work email: pdeutsch(_at_)cisco(_dot_)com
Director of Engineering
Edge Delivery Products
Content Networking Business Unit private: pdeutsch(_at_)earthlink(_dot_)net
Cisco Systems
Many people can predict the future. Me, I can predict the past...
----------------------------------------------------------------------