I've always found TLP confusing: it's not really clear (despite definition) what a community or organization is, which means that there's no clear decision procedure for determining whether a degree of access has been violated.
In my experience doing security embargos/disclosures, it's a lot easier to just explicitly enumerate the set of people/organizational entities who should be given access to non-public information.
From the protocol the community and organization needs to be defined by the source of the information. If not, then it cannot be shared without request from the source. They even have example for those situations.
Since you’re being abstruse, consider information by definition is in possession by an entity (or rephrased a property of a system). For that information to move the system needs to be brought into contact with another system, and it is the nature of this contact that is being policed. If information doesn’t have an ambient system that is discernible then there is no distinction to be made if its sensitivity—it may as well be noise.
In practice, "organization" usually means your company or business. "The community" usually means an Information Sharing and Analysis Center (ISAC) aka a group of similar orgs that share information with each other; think financial services companies in the US, or energy companies in Japan.
Okay, maybe I'm just not the target audience for this. I didn't know what an ISAC was, but I've seen plenty of TLP markers on open source disclosures where it was exceedingly unclear what a "community" meant w/r/t appropriate sharing.
I was at a security conference recently and one of the presentations had some TLP:RED slides in it.
I couldn't help but find that pointless. The conference is open to the public, the only barrier to entry being a small amount of money to purchase a ticket. How would that prevent bad actors from signing up to access the sensitive information?
It absolutely makes sense when used within an organization where access/membership is properly vetted, but there, I feel like there was no point.
You're right that it doesn't make sense. It suggests a failure in data handling (who can I share this with?).
A lot of these are borrowed from the US .gov in which prosecution is a relatively effective way to get compliance with these policies, but, and I'll take some license here, are copied to appear sophisticated by unsophisticated players outside of that.
I've self-discovered a similar categorization for my imaginary social network that will dethrone El Zuck:
Ultimate - black/white - passwords/keys/finance/backups
Private - red - hidden by default
Protected - yellow - default "logged in to computer"
Public - green - shared w/ others (individuals)
Broadcast - blue - intentionally wide distribution
...the key insight being that as you go "deeper" you know "less" (if that makes sense). Take the pictures on my phone and the album names (eg: Fall Trip 2025).
If I post my headshot to hire-an-actor.com, that's "Blue/Broadcast". If I share a picture of my kid blowing out birthday candles, that's "Green/Public". From "Green" you might be able to see the LABELS of my "Yellow" stuff and request access to it, but there should be no indication that "Red" or "Black" even exists.
So basically you as a user always operate at "Yellow", and can push "up" to Green (aka: discord), or Blue (aka: tweeter), and can unlock "Red" or "Black" via Password or 2FA/Cert.
I wish there were a way to easily "vivify" this, but at least putting names to it exposes where/how we're currently lacking.
The biggest issue still remains that content is "slippery" ... if it's not 10000% protected and airgapped, there's a chance that it can "escape".
Yeah I got exited thinking this is about traffic lights. I use a bike to commute to work and recently I was thinking if I could adjust my cycling cadence so that I never hit a red light, but unfortunately the timing of the traffic lights in my city is not constant. If there was a publicly accessible API to get the current timing info, I could write an app to do that.
If you're in America, take a look at the strobe on top of school busses. I'm not sure if they still have them (they used to). It would flash at a specific frequency and trip a photovoltaic sensor connected to the traffic light, which would turn it green so the kids aren't late for class. If you had a bright enough strobe which flashed at the same frequency...you get the idea.
Is that actually true? I've heard of ambulances & police cars having such devices, but they were supposed to be infrared.
The last time I saw the strobe on top of a school bus active, it was when I was a passenger in one, driving down the freeway at night, and it wasn't strobing particularly fast. It's possible that our driver just forgot to turn it off, I suppose - he was that kind of guy.
I never heard about this being used on school busses. This was always something for emergency services like firetrucks/ambulances to not have to sit in traffic at a red light, but it was only active if they were actively responding to a call with their lights on. Otherwise, they sit at the lights too.
Emergency vehicles have devices that announce their presence to get traffic lights to change in their favor. “Kids being late to class” is not on the order of importance to create a complex scheme to change traffic lights based on strobe lights from a bus.
Bus priority lanes and traffic lights that give priority to busses are definitely a thing. Usually for municipal busses and not school busses, but I'd expect a community that had priority lights for busses would allow school busses onto the system as well.
Not specifically to avoid late arrivals of pupils, but because prioritizing many passenger vehicles is valuable.
That wikipedia article makes a whole lot more sense defining what the traffic light protocol is. At first I thought this was some kind of tech protocol that's implemented by a computer. Now I realized it's an informal protocol.
If Google made Gmail pay attention to that, or Microsoft made Outlook pay attention, then it might mean something. Otherwise, no.
I've always found TLP confusing: it's not really clear (despite definition) what a community or organization is, which means that there's no clear decision procedure for determining whether a degree of access has been violated.
In my experience doing security embargos/disclosures, it's a lot easier to just explicitly enumerate the set of people/organizational entities who should be given access to non-public information.
From the protocol the community and organization needs to be defined by the source of the information. If not, then it cannot be shared without request from the source. They even have example for those situations.
It's not clear to me that I'm not able to meaningfully define these things, or that I'm even remotely unique in being unable to!
Since you’re being abstruse, consider information by definition is in possession by an entity (or rephrased a property of a system). For that information to move the system needs to be brought into contact with another system, and it is the nature of this contact that is being policed. If information doesn’t have an ambient system that is discernible then there is no distinction to be made if its sensitivity—it may as well be noise.
using the word abstruse is abstruse
...what?
In practice, "organization" usually means your company or business. "The community" usually means an Information Sharing and Analysis Center (ISAC) aka a group of similar orgs that share information with each other; think financial services companies in the US, or energy companies in Japan.
Okay, maybe I'm just not the target audience for this. I didn't know what an ISAC was, but I've seen plenty of TLP markers on open source disclosures where it was exceedingly unclear what a "community" meant w/r/t appropriate sharing.
You know what an ISAC is. It's a meetup of beardy mid-level security managers from huge companies.
Yeah, in the cybersecurity space it's a lot more prevalent. TLP:CLEAR, if you will.
He's a security practitioner.
I was at a security conference recently and one of the presentations had some TLP:RED slides in it.
I couldn't help but find that pointless. The conference is open to the public, the only barrier to entry being a small amount of money to purchase a ticket. How would that prevent bad actors from signing up to access the sensitive information?
It absolutely makes sense when used within an organization where access/membership is properly vetted, but there, I feel like there was no point.
You're right that it doesn't make sense. It suggests a failure in data handling (who can I share this with?).
A lot of these are borrowed from the US .gov in which prosecution is a relatively effective way to get compliance with these policies, but, and I'll take some license here, are copied to appear sophisticated by unsophisticated players outside of that.
I've self-discovered a similar categorization for my imaginary social network that will dethrone El Zuck:
...the key insight being that as you go "deeper" you know "less" (if that makes sense). Take the pictures on my phone and the album names (eg: Fall Trip 2025).If I post my headshot to hire-an-actor.com, that's "Blue/Broadcast". If I share a picture of my kid blowing out birthday candles, that's "Green/Public". From "Green" you might be able to see the LABELS of my "Yellow" stuff and request access to it, but there should be no indication that "Red" or "Black" even exists.
So basically you as a user always operate at "Yellow", and can push "up" to Green (aka: discord), or Blue (aka: tweeter), and can unlock "Red" or "Black" via Password or 2FA/Cert.
I wish there were a way to easily "vivify" this, but at least putting names to it exposes where/how we're currently lacking.
The biggest issue still remains that content is "slippery" ... if it's not 10000% protected and airgapped, there's a chance that it can "escape".
Wikipedia article: https://en.wikipedia.org/wiki/Traffic_Light_Protocol
Its NOT about controlling traffic lights. Some are networked ("synchronized") so it might be interesting to read about how that's done. https://en.wikipedia.org/wiki/Traffic_light_control_and_coor...
Yeah I got exited thinking this is about traffic lights. I use a bike to commute to work and recently I was thinking if I could adjust my cycling cadence so that I never hit a red light, but unfortunately the timing of the traffic lights in my city is not constant. If there was a publicly accessible API to get the current timing info, I could write an app to do that.
If you're in America, take a look at the strobe on top of school busses. I'm not sure if they still have them (they used to). It would flash at a specific frequency and trip a photovoltaic sensor connected to the traffic light, which would turn it green so the kids aren't late for class. If you had a bright enough strobe which flashed at the same frequency...you get the idea.
Is that actually true? I've heard of ambulances & police cars having such devices, but they were supposed to be infrared.
The last time I saw the strobe on top of a school bus active, it was when I was a passenger in one, driving down the freeway at night, and it wasn't strobing particularly fast. It's possible that our driver just forgot to turn it off, I suppose - he was that kind of guy.
School buses in my state are legally required to run the strobe when passengers are onboard.
No two strobes I have seen strobe at the same frequency. I think this traffic control story is urban legend.
I never heard about this being used on school busses. This was always something for emergency services like firetrucks/ambulances to not have to sit in traffic at a red light, but it was only active if they were actively responding to a call with their lights on. Otherwise, they sit at the lights too.
A newspaper article told of a mayor of some city that had one installed so he could zip along to emergencies.
Emergency vehicles have devices that announce their presence to get traffic lights to change in their favor. “Kids being late to class” is not on the order of importance to create a complex scheme to change traffic lights based on strobe lights from a bus.
Sounds like urban legend.
Bus priority lanes and traffic lights that give priority to busses are definitely a thing. Usually for municipal busses and not school busses, but I'd expect a community that had priority lights for busses would allow school busses onto the system as well.
Not specifically to avoid late arrivals of pupils, but because prioritizing many passenger vehicles is valuable.
We definitely have this system in place in some cities in Canada, primarily for express bus routes.
So as a driver, you want to follow an express route bus when you can?
That wikipedia article makes a whole lot more sense defining what the traffic light protocol is. At first I thought this was some kind of tech protocol that's implemented by a computer. Now I realized it's an informal protocol.