more on Interesting article on security and disclosure...

[David Farber <dave () farber net>]

Please send requests for the referenced paper to me and I will send it 
to you.

Dave

Begin forwarded message:

From: David Farber <dave () farber net>
Date: September 8, 2004 8:01:16 PM EDT
To: Ip <ip () v2 listbox com>
Subject: [IP] Interesting article on security and disclosure...
Reply-To: dave () farber net



Begin forwarded message:

From: "Faulhaber, Gerald" <faulhabe () wharton upenn edu>
Date: September 8, 2004 4:34:03 PM EDT

Subject: Interesting article on security and disclosure...

...I have the full article if anyone wants it.  If you subscribe to 
SSRN, you can get it at 
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782
 
 
 A Model for when Disclosure Helps Security: What Is Different About 
Computer and Network Security?  
PETER P. SWIRE
Moritz College of Law of the Ohio State University



Journal on Telecommunications and High Technology Law, Forthcoming    
 Abstract:     
 This Article asks the question: When does disclosure actually help 
security? The discussion begins with a paradox. Most experts in 
computer and network security are familiar with the slogan that there 
is no security through obscurity. The Open Source and encryption view 
is that revealing the details of a system will actually tend to improve 
security, notably due to peer review. In sharp contrast, a famous World 
War II slogan says loose lips sink ships. Most experts in the military 
and intelligence areas believe that secrecy is a critical tool for 
maintaining security. Both cannot be right - disclosure cannot both 
help and hurt security.

 Using a law and economics approach to resolve the paradox, Part I 
provides a model for deciding when either the Open Source or the 
military/intelligence viewpoints is likely to be correct. The model 
analyzes the costs and benefits of disclosure for both attackers and 
defenders. The model also sheds light on when disclosure is likely to 
provide net benefits in two other important cases: information sharing 
(such as between the FBI and the CIA) and the public domain.

Part II explains why many computer and network security problems appear 
different from the traditional security problems of the physical world. 
The analysis focuses on the nature of the first-time attack or the 
degree of what the paper calls uniqueness in the defense. Many 
defensive tricks, including secrecy, are more effective the first time 
there is an attack on a physical base or computer system. Secrecy is 
far less effective, however, if the attackers can probe the defenses 
repeatedly and learn from those probes. It turns out that many of the 
key areas of computer security involve circumstances where there can be 
repeated, low-cost attacks. For instance, firewalls, mass-market 
software, and encryption algorithms all can be attacked repeatedly by 
hackers. Under such circumstances, a strategy of secrecy - of security 
through obscurity - is less likely to be effective than for the 
military case.

Part III applies the analytic tools developed earlier in the paper to 
issues including the following: the enlargement of the public domain in 
a world of search engines; the relationship between disclosure and 
deterrence; the importance of not disclosing passwords or the 
combination to a safe; why secrecy in surveillance may improve security 
(while also threatening other important values); and variables that 
affect when Open Source or proprietary software may provide better 
security. Part III also explains how the academic literature on the 
Efficient Capital Markets Hypothesis can illuminate important issues in 
computer and network security.

In short, this Article provides the first systematic explanation of how 
to decide when disclosure improves security, both for physical- and 
cyber-security settings
 
Professor Gerald R. Faulhaber
Business and Public Policy Dept.
Wharton School, University of Pennsylvania
Philadelphia, PA 19104
 

-------------------------------------
You are subscribed as farber () cis upenn edu
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: 
http://www.interesting-people.org/archives/interesting-people/

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/