On Fri, 2010-10-29 at 18:10 +0200, Henning Eggers wrote:
> This is a request for a principal policy decision although I raise it based on
> a specific case.
> ...
> Is it a conscious policy decision to treat private data like non-existent
> data? If not, what should the policy be? What do we gain by hiding the fact
> that private data exists? What risks are we taking with a statement like "The
> code for this series is held in a private branch." or "You have no access to
> the code for this series." ?

It's a known nasty trap in the security world; and one of the most painful to recognise as being problematic.

To help explain, I'll paraphrase a quite serious discussion from the early 90's in regards to the Aust. Military Logistics Redevelopment project.

Q: What classification is this system expected to be?
A: Unclassified, it's only numbers of boots and such
Q: But boots are important right? Don't soldiers need them to fight effectively and efficiently?
A: Yes...
Q: So if I know how many boots, and how long they last; I can infer that if you have Y boots, Australia can fight for Z days. Is that classified?
A: Yes!
Q: Right, so this system won't be unclassified.

I simplify, but hopefully you get the gist.

Basically, by information gathering from publicly available sources, you can gather ALL sorts of amazing info and draw inferences from that, that will horrify those who don't want you to know those things. [1]

Individually, the items may be "unclassified", but collectively, the entire database can give an incredibly accurate picture of a nation's war fighting capability. Which is um... Secret Squirrel - ie people's lives really are on the line.

ie Sensitivity in the Confidential side of Security, via Aggregation of Information. (vs Integrity or Availability)

eg in LP's case: Branch names; Bug Subjects; The sheer number of bugs could be (ab)used negatively about a commercial project.

Be aware, you're talking about someone else's data. It's not ours, we're just holding it in trust for them. So to some extent, what we think is appropriate protection, is irrelevant. Rather, focus on what a moderately paranoid owner of that data would expect to see.

My advice - if information is private, even alluding to its existence differently to "that bug doesn't exist", is not recommended.

HTH?
Cheers!
- Steve

[1] It's the same thing in tracking down persons of interest for doing naughty things over the 'Net. It's not a single (ha) bit of info that exposes them. Rather it's the collective traces they leave scattered around that add up to identification.
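
The policy recommended in the message above, as an added example that is not part of the original e-mail and is not Launchpad code: a lookup that answers "private, no access" differently from "does not exist" lets an outsider count a project's private bugs, while a uniform answer does not. The `Bug` model, the sample bugs, the viewer names and all function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bug:
    id: int
    title: str
    private: bool
    subscribers: frozenset = frozenset()

# Constructed sample data: bugs 2 and 3 are private to "alice"; ids 4 and 6 do not exist.
BUGS = {b.id: b for b in [
    Bug(1, "Typo in docs", False),
    Bug(2, "Crash in unreleased product", True, frozenset({"alice"})),
    Bug(3, "Customer data import fails", True, frozenset({"alice"})),
    Bug(5, "Slow page load", False),
]}

NOT_FOUND = (404, "No such bug.")

def can_view(bug, viewer):
    return not bug.private or viewer in bug.subscribers

def lookup_leaky(bug_id, viewer):
    """Distinguishes 'private' from 'missing' in both status and message."""
    bug = BUGS.get(bug_id)
    if bug is None:
        return NOT_FOUND
    if not can_view(bug, viewer):
        return (403, "You have no access to this bug.")
    return (200, bug.title)

def lookup_uniform(bug_id, viewer):
    """A private bug the viewer cannot see is answered exactly like a missing one."""
    bug = BUGS.get(bug_id)
    if bug is None or not can_view(bug, viewer):
        return NOT_FOUND
    return (200, bug.title)

def inferred_private_count(lookup, viewer, id_range):
    """Count ids whose answer is neither readable nor identical to a known-missing id.

    This is the aggregate fact (number of hidden bugs) a viewer can infer."""
    baseline = lookup(-1, viewer)  # -1 can never be a real id
    return sum(1 for i in id_range
               if (r := lookup(i, viewer)) != baseline and r[0] != 200)
```

Response timing and other side channels are outside what this sketch checks; it compares only status and body.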

