Re: [Full-Disclosure] New paper on Security and Obscurity
From: Barry Fitzgerald (bkfsec_at_sdf.lonestar.org)
To: Peter Swire <firstname.lastname@example.org>
Date: Wed, 01 Sep 2004 10:48:37 -0400
Peter Swire wrote:
> I have been lurking on Full Disclosure for some time, and now would like to
>share an academic paper that directly addresses the topic of "full
>disclosure" and computer security:
There are some glaring flaws in the basis of this paper. Though I
tend to agree with the abstract theme of the paper (being that there is
both a place for secrecy and a place for disclosure) I disagree with the
very basis of the analysis. It seems to oversimplify both the military
position and the "Open Source and Encryption" position. Further, it also
misrepresents the arguments of disclosure advocates.
The paper makes the assumption (without adequate evidence) that the
military and Open Source positions are fundamental opposites when
juxtaposed. In actual practice, this couldn't be further from the truth.
I'm not saying that primary military policy isn't to maintain a state of
secrecy and that Open Source ideology dictates disclosure; that much is
blatantly true. However, in order for your model to work, these
oversimplifications have to be put into their actual context in order to
First and foremost, when talking about disclosure most Free Software and
Open Source advocates are referring to disclosure regarding "things"
that they have direct access to. They're referring to programs that are
distributed to them. In fact, this is written into the archetype Free
Software document, the GNU General Public License. If I write a program
and never distribute it to you, I have absolutely no (0) obligation to
disclose anything about the program to you. Similarly, if I modify a GNU
GPL'ed program and don't distribute it, I have no obligation to disclose
anything. I can even distribute the program to an isolated set of people
and I still have no obligation to share any information with you if you
aren't one of the recipients. (note: in this economy, the program will
probably get distributed and disclosure will eventually occur because
the people I distribute it to can choose to distribute it -- but, they
might not choose to.) Any customizations I make can stay secret -- it's
written into the ideology and practice.
You can extend this to identify the *true* rule of disclosure in the
Free Software and Open Source movement: If you "own" something (though
software is not exactly owned by the user) you should have the right to
be able to modify it to fit your needs. In order to have this right,
disclosure must occur. Hence, disclosure only counts towards items that
are openly distributed. Full disclosure in the market sense.
This is a fundamental point because the military secrecy argument
applies almost exclusively to proprietary information utilized almost
exclusively by the military. I can't own a trident missile so therefore
not having access to its design schematics is not counter to Free
Software/Open Source ideology.
Now we get into a little cultural history and applying this to society
in general. The Free Software movement does have, within its roots, the
ideological belief that information "wants" to be free. All information
will eventually get out and therefore, relying on secrecy is foolish.
This is fundamentally true. It's fundamentally true because it only
applies to information that the person comes in contact with. If I have
a black box that has some function but it's locked by the manufacturer,
I can eventually glean information out of it -- enough to discover its
secrets. There is no way to hide secrets indefinitely.
The military doesn't even hide secrets indefinitely. There is a limit to
how long information can be regarded as top secret. Eventually all
secrets are disclosed, if they're sufficiently interesting enough that
someone would look for them. To the context of our society, this is
absolutely essential. Without information disclosure, you have a
dictatorial tyranny. Participation in the system is essential for
democracy, but perhaps even more essential is open access to the secrets
of the "democratic" nation. Without access to this information, the
polis is making decisions blindly. Thus, said society would only be a
democracy in name and not in function.
As the information distribution context, in either case, has to be taken
into effect -- I think that once this is done, you'll see that there
aren't that many real-world differences between the military paradigm
and the Open Source paradigm regarding secrecy of proprietary
information. The difference is the belief in whether or not disclosure
of infrastructure can create an economic benefit. Note that I'm
referring to specialized infrastructure (like, say, a corporate network)
and not a generalized infrastructure. The reason for keeping trident
missile design specs secret, for example, is to keep "enemies" from
reproducing them. This is a very specialized motivation and has to be
taken into account when analyzing the issue. To understand the
comparison, consider how many public projects the military runs and how
much public infrastructure they use. The military does actively benefit
on a regular basis from technical disclosure. I think you'll find that
the military is much more open than it advertises itself as.
A flaw in the basis of the analysis can bring into question the entire
method of analysis.
p.s. It's good that someone is trying to tackle this issue. I do have to
agree with Dave Aitel, though, and say that you should not publish this
until you are 100% certain that it is accurate, which it may never be.
This kind of paper can be very influential and should be done with great
care. If incorrect conclusions are gleaned from the data, it could be
Full-Disclosure - We believe in it.