Its NOT about controlling traffic lights. Some are networked ("synchronized") so it might be interesting to read about how that's done. https://en.wikipedia.org/wiki/Traffic_light_control_and_coor...
The last time I saw the strobe on top of a school bus active, it was when I was a passenger in one, driving down the freeway at night, and it wasn't strobing particularly fast. It's possible that our driver just forgot to turn it off, I suppose - he was that kind of guy.
No two strobes I have seen strobe at the same frequency. I think this traffic control story is urban legend.
Sounds like urban legend.
Not specifically to avoid late arrivals of pupils, but because prioritizing many passenger vehicles is valuable.
I couldn't help but find that pointless. The conference is open to the public, the only barrier to entry being a small amount of money to purchase a ticket. How would that prevent bad actors from signing up to access the sensitive information?
It absolutely makes sense when used within an organization where access/membership is properly vetted, but there, I feel like there was no point.
A lot of these are borrowed from the US .gov in which prosecution is a relatively effective way to get compliance with these policies, but, and I'll take some license here, are copied to appear sophisticated by unsophisticated players outside of that.
Ultimate - black/white - passwords/keys/finance/backups
Private - red - hidden by default
Protected - yellow - default "logged in to computer"
Public - green - shared w/ others (individuals)
Broadcast - blue - intentionally wide distribution
If I post my headshot to hire-an-actor.com, that's "Blue/Broadcast". If I share a picture of my kid blowing out birthday candles, that's "Green/Public". From "Green" you might be able to see the LABELS of my "Yellow" stuff and request access to it, but there should be no indication that "Red" or "Black" even exists.
So basically you as a user always operate at "Yellow", and can push "up" to Green (aka: discord), or Blue (aka: tweeter), and can unlock "Red" or "Black" via Password or 2FA/Cert.
I wish there were a way to easily "vivify" this, but at least putting names to it exposes where/how we're currently lacking.
The biggest issue still remains that content is "slippery" ... if it's not 10000% protected and airgapped, there's a chance that it can "escape".
woodruffw•3mo ago
In my experience doing security embargos/disclosures, it's a lot easier to just explicitly enumerate the set of people/organizational entities who should be given access to non-public information.
yohannparis•3mo ago
woodruffw•3mo ago
MattSayar•3mo ago
woodruffw•3mo ago
MattSayar•3mo ago
tptacek•3mo ago
tptacek•3mo ago
woodruffw•3mo ago
integralid•3mo ago
sxzygz•3mo ago
woodruffw•3mo ago
MeetingsBrowser•3mo ago
seanhunter•3mo ago
To make the parent’s point more obvious for people who are not used to a large enterprise context, concretely for example, at my workplace (which I would consider typical of a large organization) there are:
1) Regular employees and contractors who are employed by the main employer.
2) Employees who work for different legal entities from the main employer, have different sso domains handling their auth (and email domains for systems that do sharing protections via email) but are “really” part of the same company for security purposes. Think say people who came in as part of a merger but for various reasons their legal entity and brand needs to stick around so they have different auth, email etc.
3) People who work for actually different companies, have the same sso domains handling handling their auth and the same email domain as people in bucket 1 because we’ve given them logins and are working on sensitive security stuff (think: vendors and vendor contractors in the security or legal space)
4) People who work for actually different companies, have the same sso domains etc as bucket 1 and are not working on sensitive security stuff (think: vendors and vendor contractors everywhere else)
…and people sometimes move between groups 3 and 4 on a project by project basis. Notice all of these are “bound by common policies set by the organization” so all of them are in the “organization” for TLP at least by the second part of the definition, but 2,3 and 4 but don’t share a common affiliation by formal membership so are not part of the “organization” for the first half of the TLP definition.
So if I get a TLP:Amber document, who am I allowed to share it to? I should be sharing it to some of 1, 2 and 3 on a need to know basis. Most automated permission systems will allow me only to share it easily only with people in 1 and 3 or 4, and since people can move between 3 & 4 based on assignment it’s hard to know (and pretty much impossible to tell automatically) if some degree of access violation has occurred. People in 2 are generally sool if we’re trying to share things and I’m not prepared to handwave through the scary-looking “are you sure you want to share this with person x who isn’t from our org?” Boxes.
Basically explicit enumeration is just going to be way better any time you want to be doing this type of thing in the real world.