Re: New paper on Security and Obscurity

[Dave Aitel <dave () immunitysec com>]

The paper itself is academic fluff. It's not your fault, it's just that
you've never written an exploit and have no technical background, so
you've got a keyhole view into a large issue. Example:

"This sort of defense would work reasonable well against a one-time
attack. In the physical world, an attacker would face a grave risk (11
out of 12) of falling into the pit and getting injured. Similarly, in
the computer world, a hacker who can get only one copy of the program,
and who needs that program to keep functioning, will find it too risky
to fool around with the program and likely have it freeze into
uselessness"

I'm not going to point out the specific flaw in that paragraph, but the
fact that you didn't see it is exemplifying a lack of understanding of
technology and the information security field. Argument by analogy
doesn't work at all when going between the physical world and
information theory. 

It might be good to focus on what's really different, instead of trying
to make up analogies or meaningless equations. If your paper cut every
paragraph starting with "Consider an analogy from the physical world"
then it would be much better off. Your fundamental conclusion, that
"there is no logical or necessary difference between cybersecurity and
physical security" is simply wrong. There are many logical and necessary
difference based in information theory for why the two are completely
disparate. Do you know if you got hacked today? Do you know if I stole
your chair today?

When papers like this affect legal doctrine, they are extremely harmful.
You should consider not publishing it.

Dave Aitel
Immunity, Inc.

On Tue, 2004-08-31 at 23:10, Peter Swire wrote:
> Greetings:
>
>       I have been lurking on Full Disclosure for some time, and now would like to
> share an academic paper that directly addresses the topic of “full
> disclosure” and computer security:
>
>       http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782
>
>       It is called “A Model for When Disclosure Helps Security: What is Different
> About Computer and Network Security?”  The paper begins by analyzing the
> cliché that “there is no security through obscurity.”  It observes that the
> traditional military and intelligence cliché is that “loose lips sink
>  ships.”
>
>       How can disclosure both improve security (no security through obscurity)
> and harm security (loose lips sink ships)?  The paper creates a model to
> explain when each is true, and then compares computer/network security with
> physical-world security.
>
>       Conclusions – both clichés are often wrong.  Secrecy often helps security
> (the paper tries to explain when).  Secrecy often hurts security (more
> explanations).
>
>       The paper is part of my ongoing research.  Comments emphatically welcome on
> this version, and I hope to go into more depth on various topics (including
> proprietary v. Open Source) in forthcoming work.
>
>       Thanks,
>
>       Peter
>
> Prof. Peter P. Swire
> Moritz College of Law of the
>     Ohio State University
> John Glenn Scholar in Public Policy Research
> Formerly, Chief Counselor for Privacy, U.S.
>    Office of Management and Budget
> (240) 994-4142; www.peterswire.net
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html