Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: New paper on Security and Obscurity
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 01 Sep 2004 07:02:18 -0400

The paper itself is academic fluff. It's not your fault, it's just that
you've never written an exploit and have no technical background, so
you've got a keyhole view into a large issue. Example:

"This sort of defense would work reasonable well against a one-time
attack. In the physical world, an attacker would face a grave risk (11
out of 12) of falling into the pit and getting injured. Similarly, in
the computer world, a hacker who can get only one copy of the program,
and who needs that program to keep functioning, will find it too risky
to fool around with the program and likely have it freeze into

I'm not going to point out the specific flaw in that paragraph, but the
fact that you didn't see it is exemplifying a lack of understanding of
technology and the information security field. Argument by analogy
doesn't work at all when going between the physical world and
information theory. 

It might be good to focus on what's really different, instead of trying
to make up analogies or meaningless equations. If your paper cut every
paragraph starting with "Consider an analogy from the physical world"
then it would be much better off. Your fundamental conclusion, that
"there is no logical or necessary difference between cybersecurity and
physical security" is simply wrong. There are many logical and necessary
difference based in information theory for why the two are completely
disparate. Do you know if you got hacked today? Do you know if I stole
your chair today?

When papers like this affect legal doctrine, they are extremely harmful.
You should consider not publishing it.

Dave Aitel
Immunity, Inc.

On Tue, 2004-08-31 at 23:10, Peter Swire wrote:

      I have been lurking on Full Disclosure for some time, and now would like to
share an academic paper that directly addresses the topic of “full
disclosure” and computer security:


      It is called “A Model for When Disclosure Helps Security: What is Different
About Computer and Network Security?”  The paper begins by analyzing the
cliché that “there is no security through obscurity.”  It observes that the
traditional military and intelligence cliché is that “loose lips sink

      How can disclosure both improve security (no security through obscurity)
and harm security (loose lips sink ships)?  The paper creates a model to
explain when each is true, and then compares computer/network security with
physical-world security.

      Conclusions – both clichés are often wrong.  Secrecy often helps security
(the paper tries to explain when).  Secrecy often hurts security (more

      The paper is part of my ongoing research.  Comments emphatically welcome on
this version, and I hope to go into more depth on various topics (including
proprietary v. Open Source) in forthcoming work.



Prof. Peter P. Swire
Moritz College of Law of the
    Ohio State University
John Glenn Scholar in Public Policy Research
Formerly, Chief Counselor for Privacy, U.S.
   Office of Management and Budget
(240) 994-4142; www.peterswire.net

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]