Security should be discussed!
> Of course, "they" won't tell us and, in fairness, they shouldn't.
This is a dangerous and outdated view of computer security. It is well understood that how systems are secured MUST be the subject of public discussion and review. The security of live systems should rely on few well understood secrets (like keys or passwords), and not ignorance of the security architecture.
This is key to the development of the fields of cryptography, and security engineering that are taught and discussed in public, as well as the security of free source software that is open for all to inspect.
The government is clearly trying to say as little as possible on the matter, with good *political*, not security, reasons. It is unclear why IT journalists should play along with this strategy instead of asking for the full requirements, specifications, and even security audits of the systems that were involved in the data leaks. Making such documents public should not make the system more vulnerable, if it is engineered with security in mind.
George Danezis
(Security Researcher)
http://homes.esat.kuleuven.be/~gdanezis/
PS The idea that ignorance of the database format, or even the encrypted archive format, would slow down even an amateur attacker from retrieving the data is particularly silly.
Biting the hand that feeds IT
