launchpad-dev team mailing list archive

Re: RFD: Should Launchpad lie to its users?

On Fri, 2010-10-29 at 18:10 +0200, Henning Eggers wrote:
> This is a request for a principal policy decision although I raise it based on
> a specific case.
> 
...
> Is it a conscious policy decision to treat private data like non-existent
> data? If not, what should the policy be? What do we gain by hiding the fact
> that private data exists? What risks are we taking with a statement like "The
> code for this series is held in a private branch." or "You have no access to
> the code for this series." ?

It's a known nasty trap in the security world; and one of the most
painful to recognise as being problematic.

To help explain, I'll paraphrase a quite serious discussion from the
early 90s in regard to the Aust. Military Logistics Redevelopment
project.

Q: What classification is this system expected to be?
A: Unclassified, it's only numbers of boots and such
Q: But boots are important right? Don't soldiers need them to fight
effectively and efficiently?
A: Yes...
Q: So if I know how many boots, and how long they last; I can infer that
if you have Y boots, Australia can fight for Z days. Is that classified?
A: Yes!
Q: Right, so this system won't be unclassified.

I simplify, but hopefully you get the gist.

Basically, by information gathering from publicly available sources, you
can gather ALL sorts of amazing info and draw inferences from that, that
will horrify those who don't want you to know those things. [1]
Individually, the items may be "unclassified", but collectively, the
entire database can give an incredibly accurate picture of a nation's
war fighting capability. Which is um... Secret Squirrel - ie people's
lives really are on the line.

ie Sensitivity in the Confidential side of Security, via Aggregation of
Information. (vs Integrity or Availability)


eg in LP's case: Branch names; Bug Subjects; The sheer number of bugs
could be (ab)used negatively about a commercial project.
Be aware, you're talking about someone else's data. It's not ours, we're
just holding it in trust for them. So to some extent, what we think is
appropriate protection, is irrelevant. Rather, focus on what a
moderately paranoid owner of that data would expect to see.

My advice - if information is private, even alluding to its existence
differently to "that bug doesn't exist", is not recommended.


HTH?

Cheers!
- Steve
[1] It's the same thing in tracking down persons of interest for doing
naughty things over the 'Net. It's not a single (ha) bit of info that
exposes them. Rather it's the collective traces they leave scattered
around that add up to identification.
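The point Steve makes about "that bug doesn't exist" can be checked mechanically. The following is an added illustration, not Launchpad code or anything from the thread: two lookup routines over a constructed branch table, one that distinguishes "private" from "missing" and one that does not, plus the check a reviewer would run to see whether an outsider can tell the two apart.

```python
# Constructed sample data standing in for Launchpad branches (hypothetical
# names, not real Launchpad data): one public branch, one private branch.
BRANCHES = {
    "lp:~team/proj/public-trunk": {"private": False, "owner": "team"},
    "lp:~team/proj/private-fix": {"private": True, "owner": "team"},
}


def can_view(branch, user):
    """Only the owner may see a private branch; public ones are open."""
    return not branch["private"] or user == branch["owner"]


def leaky_lookup(name, user):
    """Returns a different answer for 'no such branch' and 'exists but
    private', so the response itself confirms the private branch exists."""
    branch = BRANCHES.get(name)
    if branch is None:
        return 404, "No such branch."
    if not can_view(branch, user):
        return 403, "The code for this series is held in a private branch."
    return 200, "ok"


def uniform_lookup(name, user):
    """Treats private-and-unauthorised exactly like non-existent: the same
    status and the same text, so no existence information escapes."""
    branch = BRANCHES.get(name)
    if branch is None or not can_view(branch, user):
        return 404, "No such branch."
    return 200, "ok"


def existence_oracle(lookup, user):
    """True if `user` can distinguish a hidden branch from a missing one by
    comparing the (status, body) pairs. Note this only compares what the
    function returns; a real review would also compare response size and
    timing, which can leak existence even when the text is identical."""
    hidden = lookup("lp:~team/proj/private-fix", user)
    missing = lookup("lp:~team/proj/does-not-exist", user)
    return hidden != missing


if __name__ == "__main__":
    print("leaky oracle:", existence_oracle(leaky_lookup, "outsider"))
    print("uniform oracle:", existence_oracle(uniform_lookup, "outsider"))
```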