Re: [Full-Disclosure] New paper on Security and Obscurity

From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
Date: 09/01/04

  • Next message: acidbits .: "[Full-Disclosure] TorrentTrader 1.0 RC2 - SQL Injection - Proof of Concept"
    To: Peter Swire <peter@peterswire.net>
    Date: Wed, 01 Sep 2004 10:48:37 -0400
    
    

    Peter Swire wrote:

    >Greetings:
    >
    > I have been lurking on Full Disclosure for some time, and now would like to
    >share an academic paper that directly addresses the topic of “full
    >disclosure” and computer security:
    >
    >
    >

    Hello Peter,

    There are some glaring flaws in the the basis of this paper. Though I
    tend to agree with the abstract theme of the paper (being that there is
    both a place for secrecy and a place for disclosure) I disagree with the
    very basis of the analysis. It seems to oversimplify both the military
    position and the "Open Source and Encryption" position. Further, it also
    misrepresents the arguments of disclosure advocates.

    The paper makes the assumption (without adequate evidence) that the
    military and Open Source positions are fundamental opposites when
    juxtaposed. In actual practice, this couldn't be further from the truth.
    I'm not saying that primary military policy isn't to maintain a state of
    secrecy and that Open Source ideology dictates disclosure; that much is
    blatantly true. However, in order for your model to work, these
    oversimplifications have to be put into their actual context in order to
    be understood.

    First and foremost, when talking about disclosure most Free Software and
    Open Source advocates are referring to disclosure regarding "things"
    that they have direct access to. They're referring to programs that are
    distributed to them. In fact, this is written into the archetype Free
    Software document, the GNU General Public License. If I write a program
    and never distribute it to you, I have absolutely no (0) obligation to
    disclose anything about the program to you. Similarly, if I modify a GNU
    GPL'ed program and don't distribute it, I have no obligation to disclose
    anything. I can even distribute the program to an isolated set of people
    and I still have no obligation to share any information with you if you
    aren't one of the recipients. (note: in this economy, the program will
    probably get distributed and disclosure will eventually occur because
    the people I distribute it to can choose to distribute it -- but, they
    might not choose to.) Any customizations I make can stay secret -- it's
    written into the ideology and practice.

    You can extend this to identify the *true* rule of disclosure in the
    Free Software and Open Source movement: If you "own" something (though
    software is not exactly owned by the user) you should have the right to
    be able to modify it to fit your needs. In order to have this right,
    disclosure must occur. Hence, disclosure only counts towards items that
    are openly distributed. Full disclosure in the market sense.

    This is a fundamental point because the military secrecy argument
    applies almost exclusively to proprietary information utilized almost
    exclusively by the military. I can't own a trident missile so therefore
    not having access to its design schematics is not counter to Free
    Software/Open Source ideology.

    Now we get into a little cultural history and applying this to society
    in general. The Free Software movement does have, within its roots, the
    ideological belief that information "wants" to be free. All information
    will eventually get out and therefore, relying on secrecy is foolish.
    This is fundamentally true. It's fundamentally true because it only
    applies to information that the person comes in contact with. If I have
    a black box that has some function but it's locked by the manufacturer,
    I can eventually gleen information out of it -- enough to discover its
    secrets. There is no way to hide secrets indefinitely.

    The military doesn't even hide secrets indefinately. There is a limit to
    how long information can be regarded as top secret. Eventually all
    secrets are disclosed, if they're sufficiently interesting enough that
    someone would look for them. To the context of our society, this is
    absolutely essential. Without information disclosure, you have a
    dictatorial tyrrany. Participation in the system is essential for
    democracy, but perhaps even more essential is open access to the secrets
    of the "democratic" nation. Without access to this information, the
    polis is making decisions blindly. Thus, said society would only be a
    democracy in name and not in function.

    As the information distribution context, in either case, has to be taken
    into effect -- I think that once this is done, you'll see that there
    aren't that many real-world differences between the military paradigm
    and the Open Source paradigm regarding secrecy of proprietary
    information. The difference is the belief in whether or not disclosure
    of infrastructure can create an economic benefit. Note that I'm
    referring to specialized infrastructure (like, say, a corporate network)
    and not a generalized infrastructure. The reason for keeping trident
    missile design specs secret, for example, is to keep "enemies" from
    reproducing them. This is a very specialized motivation and has to be
    taken into account when analyzing the issue. To understand the
    comparrison, consider how many public projects the military runs and how
    much public infrastructure they use. The military does actively benefit
    on a regular basis from technical disclosure. I think you'll find that
    they military is much more open than it advertises itself as.

    A flaw in the basis of the analysis can bring into question the entire
    method of analysis.

    -Barry

    p.s. It's good that someone is trying to tackle this issue. I do have to
    agree with Dave Aitel, though, and say that you should not publish this
    until you are 100% certain that it is accurate, which is may never be.
    This kind of paper can be very influential and should be done with great
    care. If incorrect conclusions are gleened from the data, it could be
    catastrophic.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: acidbits .: "[Full-Disclosure] TorrentTrader 1.0 RC2 - SQL Injection - Proof of Concept"

    Relevant Pages

    • RE: [Full-Disclosure] Response to comments on Security and Obscurity
      ... where I worked on privacy and computer security issues ... passwords and similar secrets should remain secret. ... should be designed to withstand full disclosure of the algorithm. ... position and the "Open Source and Encryption" position. ...
      (Full-Disclosure)
    • Re: "Full Disclosure"
      ... public attacks like this are a good way to make him appreciate the ... I would have loved to see the Open Source community ... "Full Disclosure" all represent monumental improvements on the ...
      (rec.games.bridge)
    • [Full-disclosure] New paper on theory of disclosure for security & competitive reasons
      ... When Disclosure Helps Security: What is Different About Computer and Network ... Theory of Disclosure for Security and Competitive Reasons: Open Source, ... Source; proprietary software; and government systems. ...
      (Full-Disclosure)
    • Re: [Full-Disclosure] Vulnerability Disclosure Debate
      ... > The free software camp has adopted the responsible disclosure process ... From personal experience with losers like m$ and on the other hand open source ... Personally don't see any open source in the OIS crap. ...
      (Full-Disclosure)