Biomedicine has a Journal of Negative Results in Biomedicine, edited by Bjorn Olsen from Harvard. Could a Journal of Negative Results in Security and Privacy be viable? Perhaps it’s quixotism, considering the persistent lack of reliable metrics to measure even positive outcomes in these domains. But the absence of “it should do X”-criteria does not imply impossibility to establish “it should NOT do -X” or “it should not do Y”-criteria. Marked for further deliberation.

Here’s a list of (mostly) books about cyberwar, intelligence and security services.

Materials about Netherlands

• Dutch Intelligence: Towards a Qualitative Framework for Analysis by Giliam de Valk
• (Dutch) Geschiedenis van de Binnenlandse Veiligheids Dienst by D. Engelen
• (Dutch) De geheime dienst – verhalen over de BVD by Chris Vos et al.
• (Dutch) In dienst van de BVD by Frits Hoekstra
• (Dutch) Villa Maarheeze (1999) by Bob de Graaff and Cees Wiebes
• (Dutch books + online writings) http://www.burojansen.nl
• (blog) http://intel.web-log.nl/

Not specifically about Netherlands

• Surveillance and Democracy, edited by Kevin Haggarty
• Secret Warriors – 100 yrs of British Intelligence Inside MI5 and MI6” by Gordon Thomas
• Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks by Michal Zalewski
• Body of Secrets – Anatomy of the Ultra-Secret National Security Agency by James Bamford
• Corporate Warriors – The Rise of the Privatized Military Industry by P.W. Singer (bit off-topic here but excellent read)
• Aviation Week (website + subscription magazine)

Cyberwar-related
(thx Niels Groeneveld)

• Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke and Robert Knake
• Cyberpower and National Security by Franklin D. Kramer et al.
• Cyberdeterrence and Cyberwar by Martin C. Libicki
• Cyberthreats: The Emerging Fault Lines of the Nation State by Susan W. Brenner 
• Cyberwar, Netwar and the Revolution in Military Affairs: part 1 by Edward F. Halpin et al.
• CyberWar, CyberTerror, CyberCrime by Julie E. Mehan
• Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet by Joseph Menn
• Hacktivism and Cyberwars: Rebels with a Cause? by Tim Jordan and Paul Taylor
• Inside Cyber Warfare: Mapping the Cyber Underworld by Jeffrey Carr
• Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century by Christopher Burgess
• Surviving Cyberwar by Richard Stiennon
• The Dark Visitor by unknown
• http://conflictsincyberspace.blogspot.com/ (blog by Rain Ottis)
• http://www.slideshare.net/jopiter/infosec-books  (links to these and other books)

What additional study materials do you recommend? Please comment!

For fun, I extracted metadata from most of the documents publicly available at these websites:

Here is a count of e-mail addresses I found in Tag_AuthorEmail and Bytes:

1    accor.com
1    aesn.fr
1    agentschapnl.nl
1    atech-acoustictechnologies.com
1    bda.amsterdam.nl
1    bieleveldvanhoek.nl
1    bletchleypark.org.uk
1    brgm.fr
2    cbs.nl
2    cesg.gsi.gov.uk
1    coe.int
1    CvT.nl
1    diplomatie.gouv.fr
3    ec.europa.eu
2    ecologie.gouv.fr
4    eerstekamer.nl
1    europolhq.net
7    fbinet.fbi  <— internal FBI mail
1    gakushikai.jp
2    gchq.gsi.gov.uk
1    gmail.com
2    hotmail.com
1    hydro.nl
6    ic.fbi.gov
1    inro.tno.nl
1    isc-cie.com
1    iwiweb.nl
1    kabinets-formatie.nl
1    klpd.politie.nl
7    leo.gov
1    let.ru.nl
1    mail.ing.unibo.it
3    militairefondsen.nl
2    minbuza.nl
14    minbzk.nl
1    mindef.nl
7    minfin.nl
22    minjus.nl
3    minlnv.nl
8    MINSZW.NL
1    minvws.nl
1    mma.es
1    mrw.wallonie.be
2    noord-holland.nl
1    oieau.fr
1    olemiss.edu
1    prv.gelderland.nl
1    ross.nl
1    sdu.nl
1    SMOJMD.USDOJ.gov
5    sp.nl
1    sp.se
1    steunfondsofficieren.nl
2    tg.nl
3    tk.parlement.nl
1    tmleuven.be
2    tno.nl
146    tweedekamer.nl
2    unesco.org
2    uwv.nl
2    wereldschool.nl
1    wwi.minbzk.nl
1    wxs.nl
1    xs4all.nl

Furthermore, these are some network/directory paths found in Title and Hyperlinks tags:

http://cd0.bistro.ro.minjus/cgi1frnt.exe
Sggv12fkdbbTemplates GMODCDC-kl+DB 2.jpg
VAF0002groups03$COAlHDPDPLMAPMPmm100 Projecten190 Business Proces Redesign296Fase 11a-04-Digitaliseren formulierenPi Digitale formulierenkastLogo defensie.gif
tante-eshome$LienekeSdatapdfHeffingsverordening Marktgelden Zeeburg 2009, tabel 2009.d…
sk1ntdata03homedir$MRoosDesktopTekening deel 1.xps
U:wp51wp51verlof tbsgesteldeverlof tbs gestelde 7-7-2010.wpd
N:HDP AIMPF GO4 Processen99. Financiële werkinstructiesWerkmap Gerard3TekentjesLogo defensie.gif
T:_PPentaBP Badge.jpg
F:dataProjectenCivTecGroenBomenbeleidsplanBomenbeleidsplan 25-10-2010 Totaal (1)
G:Realisatie en BeheerTeam Vastgoed en ProjectenStedenbouwKimAlgemeenkomgrenzenkomgrenzen Layout1 (1)
sfgvp12FEBCOBiaProjectenZeusZeuswerkODPPwerkChrisLogo´sdefensie.wmf, sfgvp12FEBCOBiaProjectenZeusZeuswerkODPPwerkChrisLogo´sdefensie.wmf, sfgvp12FEBCOBiaProjectenZeusZeuswerkODPPwerkChrisLogo´sdefensie.wmf
V:SHAREDNICS SHAREDEDASDRAFTSKisnerOPS 2008FINAL OPs 2008Copy of 2008 NICS OPERATIONS REPORT PDF.wpd
V:SHAREDNICS SHAREDEDASDRAFTSKisnerOPS 20072007 Operations Report PDF.wpd
H:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2006 NICS Operations Report PDF.wpd
N:AutocadMedewerker TVDBStrooiroutes Berkenwoude (1)
/cgi-bin/pdcsns.cgi?user=%26dir=/9202000/g/%26filename=/9202000/t5.sns%26via=direct%26v01=25910
C:WpdocWORD97LogoConsLogoCons.jpg
C:Documents and Settingsu0072s1Local SettingsTemporary Internet Filesu0072s1Local Settingsu00a110Local SettingsLocal Settingsu00g5m0Local SettingsTemporary Internet FilesOLK12wetsuwior1tog00.htm

Politicians are public figures and therefore have reduced reasonable expectations of privacy. The Dutch House of Representatives provides information about all 150 representatives in a single XML file: http://www.tweedekamer.nl/xml/kamerleden.xml (mirror of today’s copy; also in Google-cache, but not archive.org). Some of the personal information it contains (not all values are present for all representatives):

1. full name
2. gender
3. date of birth
4. place of birth
5. home town
6. education
7. work experience
8. work e-mail (@tweedekamer.nl)
9. travels 
10. personal website
11. personal statement
12. (past) affiliations w/foundations, associations
13. political affiliation
14. photo 

When stumbling upon that file, the following thoughts came to mind:

• I hope these public figures don’t use that information as password or answer to security question in their private life.
• With personal data being readily available, these high-profile targets surely must have already been victim (although maybe not be aware of it) of password-guessing and social engineering attacks?
• If they aren’t, is that…
• …because nobody cared to target them?
• …because this particular knowledge does not pose a threat?
• …because their personal subscriptions/service-usage is unknown?
• E.g. you don’t know they use Gmail, which bank, insurance, webshops.
• …because their personal logins/names are unknown?
• E.g. you know they are customer/employee/student at X but you don’t know their username for logging in to X
• …because this personal info was not used as password or answer to a security question?
• E.g. you know <username>@gmail.com but can’t guess the password
• …because this personal info is, by itself, insufficient to compromise accounts?
• E.g. more information is needed (SSN, bank account number), or multifactor authentication requires possession of token
• …because of something else?

In a sense, our representatives function as guinea pigs for testing assumptions about the risk associated with disclosing personal data — or rather, at least with disclosing this particular personal data. Disclosing SSN, bank account numbers, credit card numbers and DigiD credentials probably remains a bad idea.

UPDATE 2011-04-23: I suddenly realize that A Study on the Re-Identifiability of Dutch Citizens (.pdf) presented at HotPETS 2010 is relevant here. Guido van ‘t Noordende, Cees de Laat and I studied registry office (GBA) data of 2.7 million Dutch citizens (~16% of the total population) to explore their identifiability by various quasi-identifiers consisting of partial or full postal code, partial or full date of birth and gender. We also included this one (tables 2 and 3 in the paper):

QID = { town + date-of-birth + gender }

The median anonymity set size was 2, meaning that half of the combinations of town + date of birth + gender in our data set either unambiguously identified an individual (Dutch citizen), or a group of only 2 individuals. The numbers vary depending on town size, but for ~37% of Dutch citizens in our set that QID is identifying up to a group of 5 or less individuals. As you see on the above list, the disclosed personal information possibly includes quasi-identifier value + real identity for the representatives. Just thought this is worth mentioning.

Since the data is publicly available anyway: here is the list of all representatives and their quasi-identifier value.

I used Firebug and manual code inspection to puzzle out which Dutch govt websites have which (ad)trackers like Google Analytics and Nedstat comScore (who bought Nedstat in Q3/2010). Some reflection is desirable, IMHO, on whether or not to disclose which (Dutch) IP address accessed what (Dutch govt) content to foreign-owned companies who’s government may require/force them to hand it over. Note: I only looked at the homepage of each site.

First the good (tracking-free –> kudos!):

• www.overheid.nl / mijn.overheid.nl –> latter has pretty good (Dutch) privacy statement
• www.digid.nl / applicaties.digid.nl
• www.officielebekendmakingen.nl 

Then the bad:

• www.belastingdienst.nl –> Dutch IRS
• DoubleClick 1
• http://ad.nl.doubleclick.net/activity;src=1418739;type=ih200186;cat=belas097;ord=6537573523639.633?
• Cookie: id=22f9d48403010099|2818894/957634/15073,2542116/1021351/15073|t=1277912634|et=730|cs=ruv5ic4s
• DoubleClick 2
• http://ad.nl.doubleclick.net/activity;src=2648722;type=ih200265;cat=belas959;ord=5862487041676.365?
• Cookie: id=22f9d48403010099|2818894/957634/15073,2542116/1021351/15073|t=1277912634|et=730|cs=ruv5ic4s
•  DoubleClick Spotlight
• http://ad-emea.doubleclick.net/activity;src=3092232;type=belas273;cat=homep252;ord=2888258700728.555?
• Cookie: id=22f9d48403010099|2818894/957634/15073,2542116/1021351/15073|t=1277912634|et=730|cs=ruv5ic4s
• comScore
• http://nl.sitestat.com/belastingdienst/belastingdienst/s?belastingdienst.index&ns__t=1303494363794
• Cookie: s1=4DA6DBE4136201A5
• Also loaded, but not a tracker:
• http://www.opiniecentrum.nl/oc-module/enqueteBSHome.js 
  

• www.minbuza.nl –> Dutch ministry of foreign affairs
• comScore (=Nedstat=sitestat.com)
• http://nl.sitestat.com/minbuza/minbuza/s?nl.homepage
• Cookie: s1=4DB08F2D1DEE011D

• www.rijksoverheid.nl –> Dutch federal government 
• comScore
• http://nl.sitestat.com/rijksoverheid/ro/s?homepage
• Cookie: s1=4C49CC21086E0597
• http://www.rijksoverheid.nl/behaviour/sitestat-1.3.min.js

• www.defensie.nl –> Dutch DoD
• comScore
• http://nl.sitestat.com/mindef/mindef-nl/s?mindef-nl.index&category=portaalhomepage
• Cookie: s1=4DA19E82538D0159; c1=4D9C2CB23C8A00B9
• http://www.defensie.nl/_system/scripts/sitestat.js

• www.tweedekamer.nl –> Dutch house of representatives
• WebTrends. Own server: wt.tweedekamer.nl (62.58.80.119); no other traffic observed.
• http://www.tweedekamer.nl/scripts/webtrends.js
• http://wt.tweedekamer.nl/dcst5f4be00000cxhlmv8ujj0_8c2/dcs.gif?&dcsdat=1303489800934&dcssip=www.tweedekamer.nl&dcsuri=/&WT.tz=2&WT.bh=18&WT.ul=en-US&WT.cd=24&WT.sr=1280×800&WT.jo=Yes&WT.ti=Tweede%20Kamer%20der%20Staten-Generaal&WT.js=Yes&WT.jv=1.8&WT.ct=unknown&WT.bs=1280×541&WT.fv=10.1&WT.slv=Unknown&WT.tv=9.3.0&WT.dl=0&WT.ssl=0&WT.es=www.tweedekamer.nl/&WT.cg_n=Home&WT.vt_f_tlh=1303489793&WT.vtvs=1303489793259&WT.vtid=1.1.1.1-1291280786.270897&WT.co_f=1.1.1.1-1291280786.270897&herkomst=extern
  
• Also use AdWords campaigns: 
• http://www.tweedekamer.nl/?wt.srch=1&wt.mc_id=adwords&adid=2772308253&campaign=TweedekamerAlgemeen&vorm=search&adgroup=TweedekamerderStaten-Generaal&keyword=tweede%20kamer

•  www.eerstekamer.nl –> Dutch Senate
• comScore
• http://nl.sitestat.com/ek/ek/s?toepassing.homepage_eerste_kamer_der_staten_generaal
• Cookie: s1=4D7CE9CB38F00024; c1=4D7CE9CB38F00025

• www.aivd.nl –> Dutch intelligence service
• comScore
• https://nl.sitestat.com/minbzk/aivd/s?aivd%20rijksstijl.home&category=aivd%20rijksstijl&ns__t=1303493835709 
• Cookie: s1=4DA0C4962D1A00CF; c1=4DA0C4962D1A00D
• Some custom internal page visit counter?
•  https://www.aivd.nl/views/global/js/jquery.ip.countpage.js
• Calls: https://www.aivd.nl/aspx/get.aspx?xdl=/views/global/xdl/countpage&ItmIdt=1534&EnvIdt=2&referrer=

• www.om.nl –> Dutch attorney general
• Google Analytics
• http://www.om.nl/views/pagetypes/googleanalytics/js/google.js
• http://www.google-analytics.com/ga.js
• Cookie: none 
• http://www.google-analytics.com/__utm.gif?utmwv=4.9.2&utms=1&utmn=618201313&utmhn=www.om.nl&utmcs=UTF-8&utmsr=1280×800&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=10.1%20r102&utmdt=Openbaar%20Ministerie%20-%20Home&utmhid=1707987541&utmr=-&utmp=%2F&utmac=UA-10025047-2&utmcc=__utma%3D206402061.899058012.1303495052.1303495052.1303495052.1%3B%2B__utmz%3D206402061.1303495052.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmu=q~
• Cookie: none

• www.rechtspraak.nl –> Dutch jurisprudence
• WebTrends. Own server: stats.rechtspraak.nl (159.46.4.78)
• http://www.rechtspraak.nl/Pages/_layouts/Bistro/Rechtspraak/Javascript/Webtrends.js

• www.werkenvoornederland.nl –> Dutch govt’s recruitment site
• DoubleClick 1
• http://ad.doubleclick.net/activity;src=1241697;type=algem113;cat=homep888;ord=1;num=2347132?
• Cookie: id=22f9d48403010099|2818894/957634/15073,2542116/1021351/15073|t=1277912634|et=730|cs=ruv5ic4s
• DoubleClick 2
• http://ad.nl.doubleclick.net/activity;src=1571113;type=q2201042;cat=homep710;ord=70721465675.03656?
• Cookie: id=22f9d48403010099|2818894/957634/15073,2542116/1021351/15073|t=1277912634|et=730|cs=ruv5ic4s
• DoubleClick 3
• http://ad.fr.doubleclick.net/activity;src=1571113;type=ictfi391;cat=homep347;ord=6585131118243.215?
• Cookie: id=22f9d48403010099|2818894/957634/15073,2542116/1021351/15073|t=1277912634|et=730|cs=ruv5ic4s
• Google Analytics
• http://www.google-analytics.com/ga.js
• Cookie: none
• http://www.google-analytics.com/__utm.gif?utmwv=4.9.2&utms=3&utmn=1466502355&utmhn=www.werkenvoornederland.nl&utmcs=UTF-8&utmsr=1280×800&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=10.1%20r102&utmdt=Werken%20voor%20Nederland&utmhid=927477156&utmr=-&utmp=%2F&utmac=UA-13215968-1&utmcc=__utma%3D224441372.1785692190.1303483227.1303483227.1303498490.2%3B%2B__utmz%3D224441372.1303483227.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmu=D~
• WebAds.nl
• http://tr.wl.webads.nl/Cnt/WebAds/CP/werkenbijhetrijk/homepage?d=9007075167230184
• Cookie: wlid=id%3Aa_92a0d829863d87c755175f6682e7e4c7%3A; WebAdsP3P20031217=00007530F5170C3E7B94CCEF61626364; wlrcmd=V2345R%2CV3292N
• KISSinsight survey stuff
• http://s3.amazonaws.com/ki.js/9334/3jU.js
• Cookie: none

I don’t know what data is collected / is not collected by the various trackers, and lack the time to carry out that analysis. If you feel like it, please do so; I will be more than happy to link to your results or post them on this blog on your behalf.