CF2 TechNotes Blog

What do You Know?

March 22, 2007 10:12 pm

Fellow journalists have pointed to an interesting issue for those writing about security. In a NY Times story about shoplifters the writer talks about a “boost bag” used by shoplifters, and describes in broad terms what the bag is. The issue: Has the journalist damaged security by including information in the story? Those of us writing about IT security face this question every day, as do journalists who focus on law enforcement, military, or homeland security issues. It’s one of those issues that can bear honest disagreement because judgement is involved.

I tend to come down on the side of “more information is better” in most cases. The information on how to build bombs, put together a boost bag, defeat an alarm system, or construct an SQL Injection attack is out there anyway–none of this involves a deep, dark secret. Trying to keep citizens from understanding these things is not only self-defeating, it diminishes the opportunity to enlist the help of thousands (or millions) of intelligent men and women of good will.

Are there exceptions? Of course there are. I think you have to give serious consideration to publishing the details of an on-going operation, and if the subject of the article might endanger human life then a writer must weigh the consequences very, very carefully before proceeding. I don’t write details like IP addresses in my articles, and I’ll tend to fuzz out the details of an individual’s vulnerabilities when writing about case studies. It’s not that I won’t write about the issues, including details of what’s possible–I just won’t put the key into the lock for someone who might be trying to decide which network will host their next cyber-joyride.

Some of the folks who operate in the political blogosphere talk about groups of citizens as “a pack, not a herd.” I like that. I think that most groups will form themselves into a pack and not a herd if given the opportunity. Part of that opportunity consists in being informed about what the Bad Guys are doing, or are capable of doing. Security Through Obscurity is, in the long run, an unsuccessful strategy and I don’t feel I violate my responsibilities either as a journalist or as a citizen when I make a security issue a bit less obscure. I strongly believe that a well-educated citizenry (whether of a nation or of the world) is best capable of defending itself and helping defend other citizens.

Gear up–get educated.
