Information Considered Harmful
It looks like a manual containing information about TSA screening procedures has been posted to the web (with yet more poor redaction — will they never learn? Actually, software vendors should really improve their redaction function to eliminate all versions of sensitive info from the given file, and prove it to the user).
http://us.cnn.com/2009/TRAVEL/12/08/u.s.tsa.training.manual/index.html
Although most quotes in the above article express alarm and frustration at the release of this “sensitive” information, and the TSA claims that the information about procedures is “outdated” and “unimplemented” (which I see as simply a thin way to re-create some uncertainty in an attacker’s mind), I see this sort of release of information as a good thing: it lets the traveling public understand the actual level of security the TSA achieves rather than some vague, fuzzy notion of safety.
Responsible or ethical disclosure of information (be it vulnerabilities, exploits, proofs of concept, proprietary or confidential information, etc.) has long been a favorite hobbyhorse and a controversial subject in the information security community. At least some forms of whistleblowing have some public value, and in general I think more information is a good thing.
The key question, however, is this: if indeed the act of creating uncertainty in an attacker or adversary’s mind has value, why does it have value and how can we measure this value? Although security through obscurity is an oft-derided “technique” (even that word gives it too much credibility as a defensive mechanism), keeping secrets has arguably had at least some value in a variety of contexts (mostly espionage or military operations). The problem, of course, is measuring how much your ability to keep information secret has limited the enemy’s options, and so counterintelligence is needed. Such active techniques, however, seem distasteful as an academic research area, since presumably many of the techniques would require attack techniques, and thus some loss of moral authority (hey, we’re not the “good guys” anymore).
Followup & Updates: (added 9 Dec)
CNN has a followup: some heads rolled (predictably — this is a terribly MAJOR BREACH of national security).
http://us.cnn.com/2009/TRAVEL/12/09/tsa.training.manual/index.html
A good article from Wired:
http://www.wired.com/threatlevel/2009/12/tsa-leak/
The Wired article has a link to an Adobe guide to “proper” redacting techniques.
Finally, those wishing to actually read the manual can download it here: