From: dave at immunitysec.com (Dave Aitel)
Subject: New paper on Security and Obscurity

The paper itself is academic fluff. It's not your fault, it's just that
you've never written an exploit and have no technical background, so
you've got a keyhole view into a large issue. Example:

"This sort of defense would work reasonable well against a one-time
attack. In the physical world, an attacker would face a grave risk (11
out of 12) of falling into the pit and getting injured. Similarly, in
the computer world, a hacker who can get only one copy of the program,
and who needs that program to keep functioning, will find it too risky
to fool around with the program and likely have it freeze into
uselessness"

I'm not going to point out the specific flaw in that paragraph, but the
fact that you didn't see it is exemplifying a lack of understanding of
technology and the information security field. Argument by analogy
doesn't work at all when going between the physical world and
information theory. 

It might be good to focus on what's really different, instead of trying
to make up analogies or meaningless equations. If your paper cut every
paragraph starting with "Consider an analogy from the physical world"
then it would be much better off. Your fundamental conclusion, that
"there is no logical or necessary difference between cybersecurity and
physical security" is simply wrong. There are many logical and necessary
differences based in information theory for why the two are completely
disparate. Do you know if you got hacked today? Do you know if I stole
your chair today?

When papers like this affect legal doctrine, they are extremely harmful.
You should consider not publishing it.

Dave Aitel
Immunity, Inc.

On Tue, 2004-08-31 at 23:10, Peter Swire wrote:
> Greetings:
> 
> 	I have been lurking on Full Disclosure for some time, and now would like to
> share an academic paper that directly addresses the topic of "full
> disclosure" and computer security:
> 
> 	http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782
> 
> 	It is called "A Model for When Disclosure Helps Security: What is Different
> About Computer and Network Security?"  The paper begins by analyzing the
> cliché that "there is no security through obscurity."  It observes that the
> traditional military and intelligence cliché is that "loose lips sink
>  ships."
> 
> 	How can disclosure both improve security (no security through obscurity)
> and harm security (loose lips sink ships)?  The paper creates a model to
> explain when each is true, and then compares computer/network security with
> physical-world security.
> 
> 	Conclusions - both clichés are often wrong.  Secrecy often helps security
> (the paper tries to explain when).  Secrecy often hurts security (more
> explanations).
> 
> 	The paper is part of my ongoing research.  Comments emphatically welcome on
> this version, and I hope to go into more depth on various topics (including
> proprietary v. Open Source) in forthcoming work.
> 
> 	Thanks,
> 
> 	Peter
> 
> Prof. Peter P. Swire
> Moritz College of Law of the
>     Ohio State University
> John Glenn Scholar in Public Policy Research
> Formerly, Chief Counselor for Privacy, U.S.
>    Office of Management and Budget
> (240) 994-4142; www.peterswire.net
> 