The Greek Wiretapping Scandal

"The Athens Affair" is the story all the cool security bloggers are talking about. Now, when Matt Blaze, Bruce Schneier and Steve Bellovin all chime in, it makes life hard for us little guys. I mean, what can I say that they haven't?

Building facilities for wiretapping is dangerous? Covered. Logging is important? Covered.

Hah-ha! I have an angle! Longtime readers will be shocked to discover that it's a security breach we're talking about. And I'm fascinated by security breaches, especially when we get to talk about them. Now, Greek law doesn't require disclosure, and as Chris pointed out in "Data on Data Breaches," small breaches are less likely to hit the press than big ones. So we're pretty lucky to know about this. We're even luckier that this caught the eye of the legislature, and details came out, which the authors read through, analyzed and summarized for us.

More seriously, I'd like to respond to this line in the IEEE Spectrum article:

It's also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.

Excuse me? Major network penetrations are exceedingly uncommon? I'll accept that documented evidence of major network penetrations, or of attacks this sophisticated*, is uncommon. However, absence of evidence is not evidence of absence.

This is, I think, an important point. The story we see is fascinating, but we lack context. Listening to people at security conferences, claims of major network penetrations are exceptionally common. Now, I'll fully admit that the sweep-it-under-the-rug club would have you believe that everything is fine. Me, I think we need more evidence, more data, and more context. We're starting to get it through privacy breach laws.

* By 'this sophisticated,' I'm referring to the (apparent) creation of a custom rootkit for Ericsson phone switches.