Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tim Berners-Lee Warns of Danger of Chaos in Unprotected Public Data (theguardian.com)

Posted by msmash on from the in-public-interest dept.

Hackers could use open data such as the information that powers transport apps to create chaos, Sir Tim Berners-Lee, the inventor of the world wide web, has said. An anonymous reader shares a report on The Guardian: "If you disrupted traffic data for example, to tell everybody that all the roads south of the river are closed, so everybody would go north of the river, that would gridlock you [and] disable the city," he said. Prof Sir Nigel Shadbolt, a co-founder, with Berners-Lee, of the Open Data Institute (ODI), described this as "the Italian Job scenario" and "the ultimate hack". The pair, who have both advised the British government, are leading campaigners for publicly accessible data. Berners-Lee points out as an example that reliable, detailed transport information "really makes London better". But they warned that the potential for such datasets to be tampered with if not properly protected was largely overlooked. "When people are thinking about the security of their systems, they worry about people discovering what they are doing," Berners-Lee said. "What they don't think about is the possibility of things being changed."

20 comments

  1. YES BUT WHAT DOES SETH GODIN THINK by Anonymous Coward · · Score: 0


       

  2. Security on my mind by nitehawk214 · · Score: 4, Interesting

    Companies and governments will not give one thought to information security until there is direct legal and monetary pressure, usually after a major hack or outage.

    Telling people that security is poor will not make them act. It has been shown time and time again. And from the government side, reporting a security flaw usually gets the reporter investigated and harassed.

    Even monetary penalties are not sufficient. Companies will just consider it "the cost of doing business" and pay off fines as necessary, it is cheaper than implementing good security from day one.

    We have reached the point of "hacking is inevitable, why bother protecting ourselves?" as corporate policy.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
    1. Re:Security on my mind by ColdWetDog · · Score: 2

      Nine different police departments and public security agencies were absorbing the information that an obscure subsect of militant Christian fundamentalists had just taken credit for having introduced clinical levels of an outlawed psychoactive agent known as Blue Nine into the ventilation system of the Sense/ Net Pyramid. Blue Nine, known in California as Grievous Angel, had been shown to produce acute paranoia and homicidal psychosis in eighty-five percent of experimental subjects.

      Gibson, William (2000-07-01). Neuromancer (pp. 60-61). Ace. Kindle Edition.

      It really won't take hacking into databases. Just rely on the interconnectedness of everything and the fact that people tend not to think things through too carefully.

      --
      Faster! Faster! Faster would be better!
    2. Re:Security on my mind by Anonymous Coward · · Score: 3, Insightful

      Companies and governments will not give one thought to information security until there is direct legal and monetary pressure, usually after a major hack or outage.

      Part of the problem is that we're not allowed to sue until after we've been harmed. Our complaints about potential harm are just dismissed.

      In a more pro-active system of government, any complaint about potential harm would be considered, and only dismissed if the possibility seemed too remote, or too inconsequential.

    3. Re:Security on my mind by Anonymous Coward · · Score: 0

      Yeah, that is one of the things that pisses me off. My car has a fundamental design flaw that caused my brakes to completely stop functioning while I was driving. Would like to sue to force them to fix it, as my brakes actually did fail, but can't because they failed at an extremely lucky moment and no harm came to myself or anybody else. Bring up the issue and they (VW) completely ignored me. NTHSA was notified as well, and again, because nobody was harmed, completely ignored.

    4. Re:Security on my mind by Wootery · · Score: 1

      To play Devil's advocate: the 'upside' of the way things work at the moment is that actual harm having been caused is a far more reliable indicator of the potential for harm, that lawyers' arguments. That, combined with limited government resources, means the current system has at least some merit.

    5. Re:Security on my mind by Tom · · Score: 4, Insightful

      Companies and governments will not give one thought to information security until there is direct legal and monetary pressure, usually after a major hack or outage.

      That is not true.

      I'm an information security professional (CISM and all). I've been part of more than one project where IS expertise was brought in before the project even launched, though for my personal taste it should have been even earlier, during the design/architecture phase, but that's a seperate discussion.

      Some companies don't understand IS until it bites them in the arse. But many other companies and government institutions (never make the mistake of thinking the government is one monolithic entity) do understand the necessity for IS.

      Even monetary penalties are not sufficient. Companies will just consider it "the cost of doing business" and pay off fines as necessary, it is cheaper than implementing good security from day one.

      That is called accepting a risk and is a perfectly valid business strategy. If a law is intended to make a risk inacceptable, it needs to make that clear. For some risks, accepting it should mean going to jail. But both the laws and the enforcement is lacking in such things. How many CEOs have ever gone to jail for something except financial crimes (stock fraud, tax evasion, etc.) ?

      We have reached the point of "hacking is inevitable, why bother protecting ourselves?" as corporate policy.

      That's not what I tell people hiring me. I tell them that being attacked is inevitable. But because their competitors probably bother less with security than they should, not being the weakest target is more important than having perfect security.

      Because many companies come from literally nothing and need to build up an ISMS to get an ISO certification or whatever the business reason for the sudden interest in IS is. They cannot possibly get to state-of-the-art in one year. But they can fix the most serious problems and then go from there. And yes, that takes considerable resources, because people like me are expensive, and training your IT people and hiring some new ones is expensive, and the costs of some firewalls and IDS systems almost doesn't matter because replacing your fundamentally, unfixable broken legacy systems (you know, that machine still runing windows 95 with your business critical application...) is what will really kill you.

      Sometimes, management has no other choice but to accept the risk, and your success as the IS guy is that at least they're aware of it now and understand they need to do something about it next year.

      --
      Assorted stuff I do sometimes: Lemuria.org
  3. WTF is a "transport app'? by Anonymous Coward · · Score: 0

    I suppose I could use up some of my monthly 50MB of cell data to check what the Internet thinks traffic is like somewhere I'm headed, but I doubt the info would be accurate by the time I get to that area.
    Maybe it's an urban thing; I live in a small suburb.

    1. Re:WTF is a "transport app'? by Anonymous Coward · · Score: 0

      No, you are correct. I have Google Now on my phone and I have an MS Band 2. This means I can get notifications on my band. Towards the end of my workday I start getting "30 minutes to home" notifications. Right at the end of the workday, "35 minutes to home" starts coming up. By the time I walk all the way to my car "38 minutes to home". After driving for 5 minutes (what should now be "33 minutes to home") it will say "45 minutes to home". Drive another 5 minutes and I get "50 minutes to home". So - just like you said - by the time you GET to where it was checking, conditions have changed. They either got worse (happens every day) or they get WAY worse (I had "1 hr 40 minutes to home" pop up the other day after a big wreck closed some lanes - and I was only 3 miles from home at the time - traffic was not moving at all). So sure - the traffic NOW is fine. Wait until you get there. It may not be anymore...

  4. Crowdsource to verify by Merk42 · · Score: 2

    People have already tried to provide false information to move traffic where they wanted it didn't work

  5. BlockChain by Anonymous Coward · · Score: 0

    Blockchain all the data in the cloud with encrypted AI and big data. With an App.

  6. Would never share that exploit... by eth1 · · Score: 1

    Heck, if I could do that with the traffic data, I'd never share it - wouldn't want it fixed.

    I'd just write an app where I could input a route 30 minutes before I leave for somewhere, that makes everyone think the traffic is horrible, so they clear out...

  7. Waze by Anonymous Coward · · Score: 0

    Isn't that what waze is already doing?

  8. Path motivation by See+Attached · · Score: 1

    How about a routing algorithm that steers drivers past preferred locations... like your store? Should GoogMaps or Waze send everyone thru downtown Paterson? This always seemed unethical, but understandable, since "its all about money".

    --
    Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.
  9. so everybody would go north of the river, by rossdee · · Score: 2

    The (Red( River flows north, all the way to Hudson Bay
    There are no roads north of Hudson Bay AFAIK

  10. Not at this time of night... by Ambient+Sheep · · Score: 1

    "If you disrupted traffic data for example, to tell everybody that all the roads south of the river are closed, so everybody would go north of the river..."

    And for London black cabbies, nothing of value was lost.

  11. Re:Beware of experts by Anonymous Coward · · Score: 0

    Expert warnings of impending catastrophe (chaos in this scenario) are often excessive. Remember the nightmare warning of Y2K.

    The seriousness it was discussed with and wide publicity made the transition mostly painless.
    This is a big problem about such warnings.
    When people actually act accordingly and prepare there's plenty of people later thinking that it wasn't really necessary because not much happened.

  12. Incompetence, gross negliegence in fact by Tom · · Score: 1

    "When people are thinking about the security of their systems, they worry about people discovering what they are doing," Berners-Lee said. "What they don't think about is the possibility of things being changed."

    In such case they need to be fired and replaced.

    Considering information disclosure as well as manipulation or simple destruction (without disclosure) is Information Security 101 and anyone working with data who doesn't think about the possibility of manipulation should be escorted to the door immediately.

    This is the I part of CIA - Confidentiality, Integrity, Availability - and thus practically one of the first things you learn when you deal with IS.

    --
    Assorted stuff I do sometimes: Lemuria.org