  • To: xml-dev@lists.xml.org
  • Subject: RE: [xml-dev] The sky is falling! XML's dirty secret! Go back! It's a trap!
  • From: "Bullard, Claude L (Len)" <clbullar@ingr.com>
  • Date: Fri, 31 May 2002 08:35:53 -0500

From: Michael Kay [mailto:michael.h.kay@ntlworld.com]

"The risk of your car being stolen depends much more on where
you leave it than on whether it is locked."

That's actually true of most criminal acts.  One of the 
aspects of policing that is interesting if not always 
obvious is that crime is a location-dependent 
service particularly where the professional criminal 
class is involved, not simply opportunistic.   
Criminal behavior systems use this 
information for link analysis and resource planning.  Had 
the FBI or CIA done this better, 911 wouldn't have happened. 
We can cover it with as much bluster as we like, but the 
clues were all in plain sight and field officers understood 
where they were leading.  A policy of "no that's silly" 
prevented them from being acted on.  Result:  we just 
gave our security forces unprecedented snooping rights. 
Maybe facing up to theoretical possibilities early is a 
better idea than post fixing.  Part of this is understanding 
how professionals in a field do their work.  If you want 
to keep the pros out of your knickers, understand who 
they are, how they work, and what they deem of value.

The other aspect is the value of the information.  One 
secures to the degree that one can afford to or has to. 
Had the military known about granny's jewels, I doubt they would 
still have been there had they been valuable.  As already pointed 
out by Rich, a lot of the issues of security are the problems 
securing the insider.  That is why vaults 
and auditable access lists exist.   Very high value information 
with very critical bits simply shouldn't be on the Internet.

So the XML cracker is likely to be looking in specific 
places for information of value.  So is his opposite number 
BTW.  Let's remember that despite all the early protests 
about how secure systems were, the crackers have managed to 
get a lot of credit numbers out of those systems and do 
damage.  It is the "no, that's silly" arguments I dismiss 
first because our history is one where those arguments 
were quickly proven wrong by the wrong people and the 
innocent paid for it while the experts said, "well, if we 
knew then what we know now".  Maybe we should plan for 
the exceptional.  It costs a bit but some peace of mind 
is worth something these days.

There seem to be divided opinions here.  Some 
say the XML is of some value in cracking and others 
say it isn't.   That means the article, if not very 
informative, isn't on a silly topic and we should be 
better informed.  A bit of paranoia is warranted.


Copyright 2001 XML.org. This site is hosted by OASIS