Freedom of Information Act vs Homeland Security

psyki writes "Should vulnerabilities in our public infrastructure be handled like vulnerabilities in computer security? Wired has an interesting article about the state of the Freedom of Information Act, particularly how it is becoming increasingly difficult to obtain documents from reluctant agencies in the security-conscious post-Sept 11 era. What really made me think, however, was this line: "While keeping information about security vulnerabilities out of terrorists' hands is a legitimate goal, McMasters believes the government is taking secrecy a step too far. In the end, he said, communities would be safer and better able to plan for their own protection if they were aware of potential security holes in power plants, airport terminals or other facilities.". Sounds an awful lot like the raging debate in the computer security community regarding publicizing vulnerabilities."

I'm not so sure...

[wonkamaster]

I admit that I am a firm believer in publicizing software vulnerabilities and that it increases security. As such I believe that open systems are more secure than closed systems in the long run. In other words, I think that it's easier to hack into a closed-source system (via binary disassembly) than into an open-source system (by looking at source code).

But we're not just talking about software here. And there is no question that when an exploit is published that some individuals will take advantage of it. Publishing exploitable details could very well allow a single exploit, which IMHO is one too many.

there's a difference

[Ry+R.]

The difference is that FOIA covers the government while the debate about security vunerabilities is in the private sector.

The analogy is a good one but let's not confuse private industry's interest in profit with our interest in an open government.

The arguement can be made that Microsoft is so vital that it has to be as equally transparent as the government is (supposed to be). But, as influencial and omnipotent as Microsoft is, it isn't government, it is owned by Bill Gates and stock holders not a voting public.

Re:Two points

[Twirlip+of+the+Mists]

Which is more important, liberty or security? Men far wiser than we have been debating that question for generations. The closest thing we have to an answer is, "Neither. Or maybe both. It depends."

Fortunately, while we know of no single right answer to that dilemma, we do know of several that are wrong. And blindly repeating that old saw is one of the wrong ones.

For the fallacy inherent in that oft-quoted aphorism* is that though there can be security without liberty-- totalitarian dictatorships are notably secure-- there can be no liberty without security.

But if you want to take, for sake of argument, the quote attributed to Franklin at face value, at least get it right. "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." We're not talking about a little temporary safety. We're talking about permanent security on a grand scale, directly affecting hundreds of millions of people.

It is wise to be cognizant of your liberties and to defend them when they are challenged.. But it is the acme of foolishness to deny that we must sometimes give up a little temporary liberty to obtain essential safety.

--
* In point of fact, it appears that Benjamin Franklin never wrote nor said it. The line appears in the 1759 Historical Review of Pennsylvania, a work which was published anonymously. The work has been attributed to Franklin, but there seems to be no evidence that it was actually his work.

Re:So you know of a security hole in the power sys

[Com2Kid]

• What are you going to do about it? Pour the 15-foot thick concrete bunker around it yourself?

Demand that the government FIXES it rather than just relying on security through obscurity. . . .

The U.S. Government seems intent on the idea that if they HIDE the security flaws that those flaws will not be exploited by terrorists. (and of course as a bonus side effect they don't have to hear the public keep on bitching about those security holes either!)

Well first off, it is fairly hard to stop people from WALKING THROUGH public places. Second off, copies of plans still exist in archives unscrupulous individuals (a category which terrorists definitely fall into the category of) are more than willing to find ways to gain access to.

So does hiding the security flaws make any difference? No, shit will still get blown up. The only difference is that the people won't get to realize how much danger they are in and thus will not be able to force their legislators to FIX those problems before those problems ARE exploited.

Democracy relies on the principle of a populous educated on issues pertinent to society. Kind of hard to have an EDUCATED populous when the government keeps on taking away the relevant data!

Keep things in perspective

[clonebarkins]

This is a response to several posts made here.

I've seen several posts so far that deal primarily with terrorists causing nuclear plants to meltdown, but really that's an extreme point of the kind of information that is being held back. One poster said, basically, that a dead man doesn't have any civil liberties, and that's certainly true and there are some things that the government should keep secret, like the locations of military weapons depots and our own nuclear arsenal. But the article isn't about just nuclear plants and military weapons. It's about all sorts of ways that communities could make themselves safer. Maybe folks could brainstorm some things that the government should be telling us, and then we can get of this extremist example.

To refer to another post, somebody asked if "you would pour the concrete yourself," presumably in reference to making some sort of architectural structure safer in the event of a terrorist attack. There are a lot of people out there who know how to pour concrete, and I would bet quite a few of them would be willing to provide their knowledge and experience to help make their communities safer.

Finally, a lot of words have been given to the comparison of community security issues to open vs. closed software. Well, I have to say that it's simply not true that secrecy is the best policy because, as any Thursday-night sitcom can tell you, no matter how "secret" you keep something, it's going to be found out sooner or later. Last year sometime I remember hearing a report on NPR about how the government was trying to get libraries to remove from circulation CDs that contained information about reservoirs and water supply sheds, etc., because this information could be used to make a terrorist attack. But the problem with this, besides the fact that the information is already "out there" (you can't close Pandora's box, at least not effectively), is that terrorists obviously do their research, and they're gonna find the reservoirs they want anyway. Heck, all they need to do is read Stephen King's "Dreamcatcher" to take care of greater Boston...perhaps we should ban that! But it's not just about terrorist attacks. People should have the right to know where the water they drink comes from. Sure, a lot of people will do nothing with the information, but should the day come that they need it, god forbid the info isn't there!

Essentially, I do believe that some things should be kept secret, but not many things. Plans for WMDs? Certainly! The structural integrity of the bridge I drive over everyday to go to work? Certainly not!