[Full-Disclosure] New paper on Security and Obscurity

From: Peter Swire (peter_at_peterswire.net)
Date: 09/01/04

    To: <full-disclosure@lists.netsys.com>
    Date: Tue, 31 Aug 2004 23:10:01 -0400
    
    

    Greetings:

            I have been lurking on Full Disclosure for some time, and now would like to
    share an academic paper that directly addresses the topic of “full
    disclosure” and computer security:

            http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782

            It is called “A Model for When Disclosure Helps Security: What is Different
    About Computer and Network Security?” The paper begins by analyzing the
    cliché that “there is no security through obscurity.” It observes that the
    traditional military and intelligence cliché is that “loose lips sink
     ships.”

            How can disclosure both improve security (no security through obscurity)
    and harm security (loose lips sink ships)? The paper creates a model to
    explain when each is true, and then compares computer/network security with
    physical-world security.

            Conclusions – both clichés are often wrong. Secrecy often helps security
    (the paper tries to explain when). Secrecy often hurts security (more
    explanations).

            The paper is part of my ongoing research. Comments emphatically welcome on
    this version, and I hope to go into more depth on various topics (including
    proprietary v. Open Source) in forthcoming work.

            Thanks,

            Peter

    Prof. Peter P. Swire
    Moritz College of Law of the
        Ohio State University
    John Glenn Scholar in Public Policy Research
    Formerly, Chief Counselor for Privacy, U.S.
       Office of Management and Budget
    (240) 994-4142; www.peterswire.net

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

