ydns' blog
information security, the outdoors and me RSS 2.0
# Monday, January 01, 2007
What was that you said?

So the new is that a whole bunch of information was declassified by the US government at midnight 12/31/2006.  These types of information declassifications always seem to be meaningless when you don't know everything else that may have been learned.  The expected (perceived) value of government information is accountability and truth.  But how do we know that no one twisted the information's focus over time or transcribing generations?

http://politics.slashdot.org/politics/07/01/01/1657224.shtml

I've been pondering this problem and I thought that a public system that tracked the thumbprints of various documents and information (of any digital format) would help to assuage the publics fear of misinformation without releasing any information for use by foreign intelligence.  This being one of the primary concerns of governments secrets.  The system would also be key in assuring the governments people that there government wasn't abusing its knowledge or trying to obfuscate its meaning.

A "secret sharing" system that was certified by appropriate international organizations and reviewed by information security bodies could achieve this goal if well designed.  Similar to a Nuclear materials review, a "shared secrets" review could be performed to assure that the related procedures were being followed.

I can see a digital system managed in part by organizations such as the U.N. and monitored universally by peoples such that more accurate criticism can be leveled at participating governments.

Any form of this system would place personnel at risk since information without witnesses is pointless.  I see a multitiered system of witness lists, references, etc such that the individual personnel who may have obtained the information (field agents) may be protected.  Of course information itself may not be needed to determine its focus.  Sometimes simply a datestamp can be enough evidence to direct foreign intelligence to its content.  This can easily be misdirected (counter-intelligence style) by claiming minutia of information, such as "The sky is cloudy today" and recording these in the system as well.

Now, I certainly understand (being in IT and all) the potential amount of information (and misinformation) being gathered here, which is why these "shared secrets" would cost money to the governments listing them.  In addition a multitude of processes (checks and balances) would need to be formalized and protected in various ways, including technological means.

As an example a field agent discovers an assassination plot against the US President and they document this as a "secret" in a system, either indirectly or directly due to exposure concerns.  Presumably a superior ranking professional will receive this "reported secret" an in turn acknowledge its existence and its origin.  this creates definitively the first "digital secret", with a full record of its contents (video, email etc) with several digital signatures stored in public fields (its Digital Secret Signature or DSS) using approved protocols, etc.  Any forwarding (presumably digital) of this information would result in further (automatic?) acknowledgement of secret sharing and result in a digital trail of evidence which is stored in the "Secret Sharing System" of the US government. This "database" exposes its DSS lists and they are synched with external systems in "real time".  Each acknowledgement of secret reception results in a new entry associated with the original secret (perhaps its DSS only?) and therefore there is a fairly reliable breadcrumb trail.

Now, of course this whole system relies on a lot of process and technological innovation that doesn't exist quite yet.  With technology becoming more pervasive in our daily lives, is it too much to expect that government employees would need to comply with participation in such a system?  This may mean extensive monitoring of the work environment and all communication devices owned, as well as GPS tracking, microchip-under-skin, etc.  Essentially until there is such encompassing auditing of persons, this would merely be a Orwellian future.  Not to mention the petabytes of information to be stored to audit all of this.

There would never be a need to demand release of information.  Anything that was deemed releasable could be.  It would validate that the information released was factually represented in the past and provide accountability for any mistakes.  Now you at least have names tied to information in a formal manner.  If people aren't willing to take the accountability for the information they handle they should not be a government agent.  Prescribe jail time and related sentences to those who fail to abide by the universally accepted law.  Now you have a globally backable justice system brewing...no need for a UN court, just make the various goverments courts abide by international laws when treating related cases and you have provided transparency to government sourced injustice.

But you see what I mean, right?

Monday, January 01, 2007 7:44:39 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0] -
tech
Navigation
Home
My Resume
Bink
CERT
Microsoft Technet
SANS
Security Focus
dasBlog
SourceForge
Categories
 
 
 
 
 
 
Archive
<January 2007>
SunMonTueWedThuFriSat
31123456
78910111213
14151617181920
21222324252627
28293031123
45678910
Blogroll
About the author/Disclaimer

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2009
ydns
Sign In
Statistics
Total Posts: 68
This Year: 1
This Month: 0
This Week: 0
Comments: 3
Themes
Pick a theme:
All Content © 2009, ydns
DasBlog theme 'Business' created by Christoph De Baene (delarou)