Message-ID: <0IRG008FGWUPOCI0@vms044.mailsrvcs.net>
Date: Wed Dec 14 03:11:30 2005
From: peter at peterswire.net (Peter Swire)
Subject: New paper on theory of disclosure for security & competitive reasons

To the Full Disclosure list:

	Last year I got a lot of comments from this list on a draft paper,
many of which were helpful.  The final version of that paper, "A Model for
When Disclosure Helps Security: What is Different About Computer and Network
Security?" is at www.ssrn.com/abstracts=531782

	Now the follow-up paper is ready for your (tender/helpful/snide)
comments.  www.ssrn.com/abstracts=842228.  The current paper is called "A
Theory of Disclosure for Security and Competitive Reasons: Open Source,
Proprietary Software, and Government."

	The current version reflects comments from when I presented it at
last month's ACM Conference on Computer and Communications Security.

	Excerpts from the abstract:

	A chief point of this paper is that the incentives for disclosure
depend on two, largely independent, assessments - the degree to which
disclosure helps or hurts security, and the degree to which disclosure
creates advantages or disadvantages for the organization competitively.

	The paper presents a 2x3 matrix, where disclosure for security and
competition are assessed for three types of systems or software: Open
Source; proprietary software; and government systems. The paper finds
greater convergence on disclosure between Open Source and proprietary
software than most commentators have believed. For instance, Open Source
security experts use secrecy in "stealth firewalls" and in other ways. Open
Source programmers also often rely on gaps in Open Source licenses to gain
competitive advantage by keeping key information secret. Meanwhile,
proprietary software often uses more disclosure than assumed. For security,
large purchasers and market forces often lead to disclosure about
proprietary software. For competitive reasons, proprietary software
companies often disclose a great deal when seeking to become a standard in
an area or for other reasons....

	This research provides a general approach for determining when
disclosure is societally efficient (the first paper) as well as for
describing the incentives actors face to disclose or not (this paper). The
actual decision of whether to disclose in a given instance will depend on
assessment of the empirical magnitude of the factors set forth in the
papers. The research provides, however, the first theoretical structure for
assessing these issues, which are so important to the design of systems and
software in our information-rich age.
-------------

	I appreciate any constructive comments.  I especially welcome
technical insights and examples about where secrecy is used in Open Source
software or where disclosure is used in proprietary software.  Cites to
prior, relevant literature also most welcome.

	Peter


Prof. Peter P. Swire
C. William O'Neill Professor of Law
Moritz College of Law of
   The Ohio State University
Visiting Senior Fellow, Center for American Progress
(240) 994-4142, www.peterswire.net

