Home page logo
/

interesting-people logo Interesting People mailing list archives

Re: Security By Obscurity = Ignorance Is Strength
From: David Farber <dave () farber net>
Date: Wed, 3 Sep 2008 17:36:09 -0400



Begin forwarded message:

From: Peter Swire <peter () peterswire net>
Date: September 3, 2008 5:31:10 PM EDT
To: "dave () farber net" <dave () farber net>
Subject: RE: [IP] Security By Obscurity = Ignorance Is Strength

Dave:

I tend to agree that the gag orders are wrong-headed. But it's wrong to think that secrecy never helps.

Openness often improves security. Sometimes it doesn't. I've tried to explain how this works in "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?" It's recently been included in at least one computer security textbook:

http://ssrn.com/abstract=531782

"This Article asks the question: When does disclosure actually help security? The discussion begins with a paradox. Most experts in computer and network security are familiar with the slogan that there is no security through obscurity. The Open Source and encryption view is that revealing the details of a system will actually tend to improve security, notably due to peer review. In sharp contrast, a famous World War II slogan says loose lips sink ships. Most experts in the military and intelligence areas believe that secrecy is a critical tool for maintaining security. Both cannot be right - disclosure cannot both help and hurt security." Then, the paper gives an analytic way to figure out when obscurity either does or does not help.

So, perhaps of interest.

Best,

Peter

Prof. Peter P. Swire
C. William O'Neil Professor of Law
  Moritz College of Law
  The Ohio State University
Senior Fellow, Center for American Progress
(240) 994-4142, www.peterswire.net


-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Wednesday, September 03, 2008 3:35 PM
To: ip
Subject: [IP] Security By Obscurity = Ignorance Is Strength



Begin forwarded message:

From: Seth Finkelstein <sethf () sethf com>
Date: September 3, 2008 1:13:43 PM EDT
To: David Farber <dave () farber net>, ip <ip () v2 listbox com>
Subject: Security By Obscurity = Ignorance Is Strength

[For IP, if worthy]

IP'ers might enjoy my most recent column in the _Guardian_,
which argues against attempts to issue gag orders prohibiting
disclosure of security flaws:

"Orwell was right: security by obscurity = ignorance is strength"
http://www.guardian.co.uk/technology/2008/aug/28/security.law

  As specialised computer systems become more and more integrated
  into the utilitarian functioning of society, we will repeatedly
  face issues of their potential for subversion, corruption, and
  failure. While open disclosure of security weaknesses may seem
  troublesome, the alternative is to follow an Orwellian concept of
  "ignorance is strength".

I'm hoping to popularize my coinage of describing such gag orders as
"Ignorance Is Strength" (a deliberate pun on the idea of cryptographic
strength).

--
Seth Finkelstein  Consulting Programmer  http://sethf.com
Infothought blog - http://sethf.com/infothought/blog/
Interview: http://sethf.com/essays/major/greplaw-interview.php




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault