Re: Concepts: Security and Obscurity

["Craig Wright" <Craig.Wright () bdo com au>]

Hello,
People are forgetting a little thing called scientific method. The idea is that if you state something exists - you 
have to prove it - not that others have to disprove it. Somebody can (as I have) go on all day giving counter examples, 
but the test is not in disproving the negative, but proving the positive. It is clear that there are some who will just 
never accept evidence and state that "the situation does not reflect every possibility in the real world". This is 
true. This is why a little thing called the scientific method exists.
 
If you state something, the onus of proof is to prove it. I have attempted to demonstrate that there is no evidence 
that obscurity increases security, it you believe this, than demonstrate it.
 
There are thousands of experiments and papers every month. You can even setup and run an experiment yourself. But what 
you need to do is demonstrate significant proof of the claim.
 
People state that they are abducted by aliens and talk to Jessus every day. The onus of proof is on them. You have an 
idea that security is increased by obscurity, demonstrate it. Show quantitively that this is the case. If it is the 
case it will be provable. If this is so you win the arguement and I retract my statement that obscurity has no value in 
security. The task is not big, the proof is some level of gain. A simple hypothesis test with a 95% CI will do.
 
Let us say:
Ho: Obscurity adds no value to security
Ha: Obscurity adds some value to security
 
By some value this is any statistically measurable amount. If you can demonstrate a $0.10 gain or an aditional 1 minute 
real survival time for a system - I will retract and evangalise your claim wholeheartedly. Nothing big for you to 
prove. In contradiction to popular belief - I am happy to be proved wrong. But you have to prove it. You continue to 
state that I can not prove a negative for all situations - true. But science does not base itself on disproving - it is 
based on proof.
 
So define an experiment or find a paper (a peer reviewed one) that validates your belief. If not, the claim is nothing 
better than stating that the obscurity fairy twinkles down and makes systems secure.
 
I will even open the challenge to make it interesting. Burnside is a charity that helps the underprvillaged. If anyone 
can prove the claims about obscurity, I will donate some computers to them to be distributed to needy families (assumig 
some level of altruisim in the IT security community).
Proof at the alpha = 5% level - I will donate 2 computers
Proof at the alpha = 1% level - I will donate 5 computers
 
I will even put up training for the families they go to. The challenge is open. This is a unilateral contract (ie to 
the world) and I have transfered the necessary funds to an account to ensure that this is a valid and open contract. 
See [Carlill v Carbolic Smoke Ball Company [1893] 1 QB 256] if you doubt that I am legally (contractually) bound by 
this claim. You prove it - I have to pay. So please do.
 
This is an open offer - anyone who can prove the claim. Feel free to prove me wrong - I am sure that this is something 
that people love to do.
 
Regards,
Craig S Wright

Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.