Interesting People mailing list archives
Re: Security By Obscurity = Ignorance Is Strength
From: David Farber <dave () farber net>
Date: Wed, 3 Sep 2008 17:36:09 -0400
Begin forwarded message:

From: Peter Swire <peter () peterswire net>
Date: September 3, 2008 5:31:10 PM EDT
To: "dave () farber net" <dave () farber net>
Subject: RE: [IP] Security By Obscurity = Ignorance Is Strength

Dave:

I tend to agree that the gag orders are wrong-headed. But it's wrong to think that secrecy never helps.
Openness often improves security. Sometimes it doesn't. I've tried to explain how this works in "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?" It's recently been included in at least one computer security textbook:
http://ssrn.com/abstract=531782

"This Article asks the question: When does disclosure actually help security? The discussion begins with a paradox. Most experts in computer and network security are familiar with the slogan that there is no security through obscurity. The Open Source and encryption view is that revealing the details of a system will actually tend to improve security, notably due to peer review. In sharp contrast, a famous World War II slogan says loose lips sink ships. Most experts in the military and intelligence areas believe that secrecy is a critical tool for maintaining security. Both cannot be right - disclosure cannot both help and hurt security."

Then, the paper gives an analytic way to figure out when obscurity either does or does not help.
So, perhaps of interest.

Best,

Peter

Prof. Peter P. Swire
C. William O'Neil Professor of Law
Moritz College of Law
The Ohio State University
Senior Fellow, Center for American Progress
(240) 994-4142, www.peterswire.net

-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Wednesday, September 03, 2008 3:35 PM
To: ip
Subject: [IP] Security By Obscurity = Ignorance Is Strength

Begin forwarded message:

From: Seth Finkelstein <sethf () sethf com>
Date: September 3, 2008 1:13:43 PM EDT
To: David Farber <dave () farber net>, ip <ip () v2 listbox com>
Subject: Security By Obscurity = Ignorance Is Strength

[For IP, if worthy]

IP'ers might enjoy my most recent column in the _Guardian_, which argues against attempts to issue gag orders prohibiting disclosure of security flaws:

"Orwell was right: security by obscurity = ignorance is strength"
http://www.guardian.co.uk/technology/2008/aug/28/security.law

As specialised computer systems become more and more integrated into the utilitarian functioning of society, we will repeatedly face issues of their potential for subversion, corruption, and failure. While open disclosure of security weaknesses may seem troublesome, the alternative is to follow an Orwellian concept of "ignorance is strength".

I'm hoping to popularize my coinage of describing such gag orders as "Ignorance Is Strength" (a deliberate pun on the idea of cryptographic strength).
--
Seth Finkelstein Consulting Programmer http://sethf.com
Infothought blog - http://sethf.com/infothought/blog/
Interview: http://sethf.com/essays/major/greplaw-interview.php

-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com