Open Source and information security mailing list archives
 
From: peter at peterswire.net (Peter Swire)
Subject: New paper on Security and Obscurity

Greetings:

	I have been lurking on Full Disclosure for some time, and now would like to
share an academic paper that directly addresses the topic of "full
disclosure" and computer security:

	http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782

	It is called "A Model for When Disclosure Helps Security: What is Different
About Computer and Network Security?"  The paper begins by analyzing the
cliché that "there is no security through obscurity."  It observes that the
traditional military and intelligence cliché is that "loose lips sink
ships."

	How can disclosure both improve security (no security through obscurity)
and harm security (loose lips sink ships)?  The paper creates a model to
explain when each is true, and then compares computer/network security with
physical-world security.

	Conclusions - both clichés are often wrong.  Secrecy often helps security
(the paper tries to explain when).  Secrecy often hurts security (more
explanations).

	The paper is part of my ongoing research.  Comments emphatically welcome on
this version, and I hope to go into more depth on various topics (including
proprietary v. Open Source) in forthcoming work.

	Thanks,

	Peter

Prof. Peter P. Swire
Moritz College of Law of the
    Ohio State University
John Glenn Scholar in Public Policy Research
Formerly, Chief Counselor for Privacy, U.S.
   Office of Management and Budget
(240) 994-4142; www.peterswire.net

