- To: email@example.com
- Subject: RE: [xml-dev] The sky is falling! XML's dirty secret! Go back! It's a trap!
- From: "Bullard, Claude L (Len)" <firstname.lastname@example.org>
- Date: Fri, 31 May 2002 08:35:53 -0500
From: Michael Kay [mailto:email@example.com]
"The risk of your car being stolen depends much more on where
you leave it than on whether it is locked."
That's actually true of most criminal acts. One of the
aspects of policing that is interesting if not always
obvious is that crime is a location-dependent
service particularly where the professional criminal
class is involved, not simply opportunistic.
Criminal behavior systems use this
information for link analysis and resource planning. Had
the FBI or CIA done this better, 911 wouldn't have happened.
We can cover it with as much bluster as we like, but the
clues were all in plain sight and field officers understood
where they were leading. A policy of "no that's silly"
prevented them from being acted on. Result: we just
gave our security forces unprecedented snooping rights.
Maybe facing up to theoretical possibilities early is a
better idea than post fixing. Part of this is understanding
how professionals in a field do their work. If you want
to keep the pros out of your knickers, understand who
they are, how they work, and what they deem of value.
The other aspect is the value of the information. One
secures to the degree that one can afford to or has to.
Had the military known about granny's jewels, I doubt they would
still have been there had they been valuable. As already pointed
out by Rich, a lot of the issues of security are the problems
securing the insider. That is why vaults
and auditable access lists exist. Very high value information
with very critical bits simply shouldn't be on the Internet.
So the XML cracker is likely to be looking in specific
places for information of value. So is his opposite number
BTW. Let's remember that despite all the early protests
about how secure systems were, the crackers have managed to
get a lot of credit numbers out of those systems and do
damage. It is the "no, that's silly" arguments I dismiss
first because our history is one where those arguments
were quickly proven wrong by the wrong people and the
innocent paid for it while the experts said, "well, if we
knew then what we know now". Maybe we should plan for
the exceptional. It costs a bit but some peace of mind
is worth something these days.
There seem to be divided opinions here. Some
say the XML is of some value in cracking and others
say it isn't. That means the article, if not very
informative, isn't on a silly topic and we should be
better informed. A bit of paranoia is warranted.