[HN Gopher] Traffic Light Protocol
___________________________________________________________________
Traffic Light Protocol
Author : eXpl0it3r
Score : 47 points
Date : 2025-10-24 12:52 UTC (10 hours ago)
(HTM) web link (www.first.org)
(TXT) w3m dump (www.first.org)
| woodruffw wrote:
| I've always found TLP confusing: it's not really clear (despite
| definition) what a community or organization is, which means that
| there's no clear decision procedure for determining whether a
| degree of access has been violated.
|
| In my experience doing security embargos/disclosures, it's a lot
| easier to just explicitly enumerate the set of
| people/organizational entities who should be given access to non-
| public information.
| yohannparis wrote:
| From the protocol the community and organization need to be
| defined by the source of the information. If not, then it
| cannot be shared without request from the source. They even
| have examples for those situations.
| woodruffw wrote:
| It's not clear to me that I'm not able to meaningfully define
| these things, or that I'm even remotely unique in being
| unable to!
| MattSayar wrote:
| In practice, "organization" usually means your company or
| business. "The community" usually means an Information
| Sharing and Analysis Center (ISAC) aka a group of similar
| orgs that share information with each other; think
| financial services companies in the US, or energy companies
| in Japan.
| woodruffw wrote:
| Okay, maybe I'm just not the target audience for this. I
| didn't know what an ISAC was, but I've seen plenty of TLP
| markers on open source disclosures where it was
| _exceedingly_ unclear what a "community" meant w/r/t
| appropriate sharing.
| MattSayar wrote:
| Yeah, in the cybersecurity space it's a lot more
| prevalent. TLP:CLEAR, if you will.
| tptacek wrote:
| He's a security practitioner.
| tptacek wrote:
| You know what an ISAC is. It's a meetup of beardy mid-
| level security managers from huge companies.
| sxzygz wrote:
| Since you're being abstruse, consider information by
| definition is in possession by an entity (or rephrased a
| property of a system). For that information to move the
| system needs to be brought into contact with another
| system, and it is the nature of this contact that is being
| policed. If information doesn't have an ambient system that
| is discernible then there is no distinction to be made if
| its sensitivity--it may as well be noise.
| woodruffw wrote:
| ...what?
| MeetingsBrowser wrote:
| using the word abstruse is abstruse
| ape4 wrote:
| Wikipedia article:
| https://en.wikipedia.org/wiki/Traffic_Light_Protocol
|
| It's NOT about controlling traffic lights. Some are networked
| ("synchronized") so it might be interesting to read about how
| that's done.
| https://en.wikipedia.org/wiki/Traffic_light_control_and_coor...
| hexomancer wrote:
| Yeah I got excited thinking this is about traffic lights. I use
| a bike to commute to work and recently I was thinking if I
| could adjust my cycling cadence so that I never hit a red
| light, but unfortunately the timing of the traffic lights in my
| city is not constant. If there was a publicly accessible API to
| get the current timing info, I could write an app to do that.
| helterskelter wrote:
| If you're in America, take a look at the strobe on top of
| school busses. I'm not sure if they still have them (they
| used to). It would flash at a specific frequency and trip a
| photovoltaic sensor connected to the traffic light, which
| would turn it green so the kids aren't late for class. If you
| had a bright enough strobe which flashed at the same
| frequency...you get the idea.
| pavel_lishin wrote:
| Is that actually true? I've heard of ambulances & police
| cars having such devices, but they were supposed to be
| infrared.
|
| The last time I saw the strobe on top of a school bus
| active, it was when I was a passenger in one, driving down
| the freeway at night, and it wasn't strobing particularly
| fast. It's possible that our driver just forgot to turn it
| off, I suppose - he was that kind of guy.
| jagged-chisel wrote:
| School buses in my state are legally required to run the
| strobe when passengers are onboard.
|
| No two strobes I have seen strobe at the same frequency.
| I think this traffic control story is urban legend.
| jagged-chisel wrote:
| Emergency vehicles have devices that announce their
| presence to get traffic lights to change in their favor.
| "Kids being late to class" is not on the order of
| importance to create a complex scheme to change traffic
| lights based on strobe lights from a bus.
|
| Sounds like urban legend.
| Yeroc wrote:
| We definitely have this system in place in some cities in
| Canada, primarily for express bus routes.
| dylan604 wrote:
| So as a driver, you want to follow an express route bus
| when you can?
| toast0 wrote:
| Bus priority lanes and traffic lights that give priority
| to busses are definitely a thing. Usually for municipal
| busses and not school busses, but I'd expect a community
| that had priority lights for busses would allow school
| busses onto the system as well.
|
| Not specifically to avoid late arrivals of pupils, but
| because prioritizing many passenger vehicles is valuable.
| dylan604 wrote:
| I never heard about this being used on school busses. This
| was always something for emergency services like
| firetrucks/ambulances to not have to sit in traffic at a
| red light, but it was only active if they were actively
| responding to a call with their lights on. Otherwise, they
| sit at the lights too.
| euroderf wrote:
| A newspaper article told of a mayor of some city that had
| one installed so he could zip along to emergencies.
| gwbas1c wrote:
| That Wikipedia article makes a whole lot more sense defining
| what the traffic light protocol is. At first I thought this was
| some kind of tech protocol that's implemented by a computer.
| Now I realized it's an informal protocol.
| lbourdages wrote:
| I was at a security conference recently and one of the
| presentations had some TLP:RED slides in it.
|
| I couldn't help but find that pointless. The conference is open
| to the public, the only barrier to entry being a small amount of
| money to purchase a ticket. How would that prevent bad actors
| from signing up to access the sensitive information?
|
| It absolutely makes sense when used within an organization where
| access/membership is properly vetted, but there, I feel like
| there was no point.
| 9x39 wrote:
| You're right that it doesn't make sense. It suggests a failure
| in data handling (who can I share this with?).
|
| A lot of these are borrowed from the US .gov in which
| prosecution is a relatively effective way to get compliance
| with these policies, but, and I'll take some license here, are
| copied to appear sophisticated by unsophisticated players
| outside of that.
| ramses0 wrote:
| I've self-discovered a similar categorization for my imaginary
| social network that will dethrone El Zuck:
|   Ultimate  - black/white - passwords/keys/finance/backups
|   Private   - red         - hidden by default
|   Protected - yellow      - default "logged in to computer"
|   Public    - green       - shared w/ others (individuals)
|   Broadcast - blue        - intentionally wide distribution
|
| ...the key insight being that as you go "deeper" you know "less"
| (if that makes sense). Take the pictures on my phone and the
| album names (eg: Fall Trip 2025).
|
| If I post my headshot to hire-an-actor.com, that's
| "Blue/Broadcast". If I share a picture of my kid blowing out
| birthday candles, that's "Green/Public". From "Green" you might
| be able to see the LABELS of my "Yellow" stuff and request access
| to it, but there should be no indication that "Red" or "Black"
| even exists.
|
| So basically you as a user always operate at "Yellow", and can
| push "up" to Green (aka: discord), or Blue (aka: tweeter), and
| can unlock "Red" or "Black" via Password or 2FA/Cert.
|
| I wish there were a way to easily "vivify" this, but at least
| putting names to it exposes where/how we're currently lacking.
|
| The biggest issue still remains that content is "slippery" ... if
| it's not 10000% protected and airgapped, there's a chance that it
| can "escape".
| Animats wrote:
| If Google made Gmail pay attention to that, or Microsoft made
| Outlook pay attention, then it might mean something. Otherwise,
| no.
___________________________________________________________________
(page generated 2025-10-24 23:01 UTC)