nanog mailing list archives

Re: Did Sean Gorman's maps show the cascading vulnerability in Ohio?
From: Scott McGrath <mcgrath () fas harvard edu>
Date: Mon, 18 Aug 2003 09:58:21 -0400 (EDT)

Remember that Dig Safe is implemented on a state-by-state basis; some of
the programs, like the one you describe, are dreadful. The one in my home
state is fairly thorough in checking bona fides before providing the data.

I believe in setting a fairly low bar for access to this information, i.e.
can you _prove_ that you have legitimate cause for access to this
information.  The proof would be: do you have
fiber/conduit/circuits/pipelines? These all have identifiers which can be
checked, and generally only the customer and the service provider have this
information.   Not simply whose fibers are in the conduit attached to the
railroad bridge.  If you own one of those fibers you get access to the
information on who else is in the conduit.   If you do not, you are not
privy to the information.

We had an incident where someone accidentally started a fire under a bridge
and burned through a PVC conduit, knocking phone and data out for the
better part of a week for 100,000+ lines.  I really do not want that type
of information in the hands of a bored teenager so they would be able to
identify potential targets so that they can be _famous_.

Remember, when you go to a library to study rare manuscripts you generally
need to prove to the curator that you have a legitimate scholarly interest
in the documents, not simply random curiosity.

                            Scott C. McGrath

On Mon, 18 Aug 2003, Mr. James W. Laferriere wrote:

      Hello Scott ,

On Mon, 18 Aug 2003, Scott McGrath wrote:
A measured response is needed.  Obviously we do not want the
vulnerabilities disclosed to bored teenagers looking for "excitement".
We need controlled access to this data so that those of us who need the
data to fix vulnerabilities can gain access to it but access is denied to
people without a legitimate need for the data.
      And my statement would be ,  And who is that authority ?
      The government ?  The Utilities ?  The ... ?

The "Dig Safe" program might be a good model for controlling access to
Sean's work.   This would not preclude further scholarship on Sean's work
but it would keep the data out of the hands of the 31337 crowd.
      Huh ?,  Try this on for size ,  "Hello ,  I am joe's contracting
      service & I have a building permit(I do) and I need to dig at ..."
      If I remember correctly the "Dig Safe" program will give me the
      info without so much as a check on the permit or my company name .

      But ,  Something (may) need to be put in place .  I for one am not
      a great fan of any group of "X" that has a vested interest in
      keeping the information out of the public hands as being the ones
      to administer or setup or even give suggestions to a body who'd be
      involved in setting up such a committee/org./...

      I'd really like to see a "Public" forum be used to take
      suggestions from the PUBLIC (ie: you & I & that neighbor you hate
      so well) for the guidelines as to who &/or when such info s/b
      released .  Not the Gov. or the Util Alone .

On Sun, 17 Aug 2003, Sean Donelan wrote:
So, the US Government wants to classify Sean Gorman's student project.
The question is did Mr. Gorman's maps divulge the vulnerability in the
East Coast power grid that resulted in the blackouts this week?
Would it be better to know about these vulnerabilities, and do something
about them; or is it better to keep them secret until they fail in a
catastrophic way?
              Twyl ,  JimL
       | James   W.   Laferriere | System    Techniques | Give me VMS     |
       | Network        Engineer |     P.O. Box 854     |  Give me Linux  |
       | babydr () baby-dragons com | Coudersport PA 16915 |   only  on  AXP |
