Full-disclosure debate gone mainstream (v. terrorism)
Today I came across a news article in reply to a question asked by Steven D. Levitt, “If you were a terrorist, how would you attack?” The blog posting has struck controversy among many people, and it just reminds me of all the full-disclosure debates we have had in the security industry. Does spelling out attacks on paper help the bad guys? I wouldn’t doubt many of the ideas that people come up with have already been discussed and analyzed by various terrorist groups.
What frightens me more is the possibility of those posting suggestions going on some *-watch-list.
I think I’ve seen mention in the past few years of certain summits that ask this exact question, and they mull over various forms of attacks and what is possible. Things like this are amazingly useful, even if some of the ideas seem far-fetched (ninjas…anything dealing with ninjas…).
In fact, I think candid role-playing/brainstorming like this can be very useful for security-minded admins to figure out a list of projects for the next year, or maybe what to delve into next. (Because I firmly believe that any security/IT job should involve at least 25% free time to try out new things and do some research, as opposed to 120% of the time spent responding to actual events or putting out fires…)