Full Disclosure mailing list archives
Re: New paper on Security and Obscurity
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 01 Sep 2004 07:02:18 -0400
The paper itself is academic fluff. It's not your fault, it's just that you've never written an exploit and have no technical background, so you've got a keyhole view into a large issue.

Example: "This sort of defense would work reasonable well against a one-time attack. In the physical world, an attacker would face a grave risk (11 out of 12) of falling into the pit and getting injured. Similarly, in the computer world, a hacker who can get only one copy of the program, and who needs that program to keep functioning, will find it too risky to fool around with the program and likely have it freeze into uselessness"

I'm not going to point out the specific flaw in that paragraph, but the fact that you didn't see it is exemplifying a lack of understanding of technology and the information security field.

Argument by analogy doesn't work at all when going between the physical world and information theory. It might be good to focus on what's really different, instead of trying to make up analogies or meaningless equations. If your paper cut every paragraph starting with "Consider an analogy from the physical world" then it would be much better off.

Your fundamental conclusion, that "there is no logical or necessary difference between cybersecurity and physical security" is simply wrong. There are many logical and necessary differences based in information theory for why the two are completely disparate. Do you know if you got hacked today? Do you know if I stole your chair today?

When papers like this affect legal doctrine, they are extremely harmful. You should consider not publishing it.

Dave Aitel
Immunity, Inc.

On Tue, 2004-08-31 at 23:10, Peter Swire wrote:
Greetings:

I have been lurking on Full Disclosure for some time, and now would like to share an academic paper that directly addresses the topic of "full disclosure" and computer security:

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782

It is called "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?"

The paper begins by analyzing the cliché that "there is no security through obscurity." It observes that the traditional military and intelligence cliché is that "loose lips sink ships." How can disclosure both improve security (no security through obscurity) and harm security (loose lips sink ships)? The paper creates a model to explain when each is true, and then compares computer/network security with physical-world security.

Conclusions: both clichés are often wrong. Secrecy often helps security (the paper tries to explain when). Secrecy often hurts security (more explanations).

The paper is part of my ongoing research. Comments emphatically welcome on this version, and I hope to go into more depth on various topics (including proprietary v. Open Source) in forthcoming work.

Thanks,

Peter

Prof. Peter P. Swire
Moritz College of Law of the Ohio State University
John Glenn Scholar in Public Policy Research
Formerly, Chief Counselor for Privacy, U.S. Office of Management and Budget
(240) 994-4142; www.peterswire.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- New paper on Security and Obscurity Peter Swire (Aug 31)
- Re: New paper on Security and Obscurity gadgeteer (Sep 01)
- Re: New paper on Security and Obscurity Dave Aitel (Sep 01)
- Re: New paper on Security and Obscurity gadgeteer (Sep 01)
- Re: New paper on Security and Obscurity stephane nasdrovisky (Sep 01)
- Re: New paper on Security and Obscurity stephane nasdrovisky (Sep 01)
- Re: New paper on Security and Obscurity Barry Fitzgerald (Sep 01)
- RE: Response to comments on Security and Obscurity Peter Swire (Sep 01)
- RE: Response to comments on Security and Obscurity Dave Aitel (Sep 01)
- Security & Obscurity: First-time attacks and lawyer jokes Peter Swire (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Georgi Guninski (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Honza Vlach (Sep 03)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Dave Aitel (Sep 02)
- RE: Response to comments on Security and Obscurity Peter Swire (Sep 01)