| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Dec 14 03:11:30 2005 From: peter at peterswire.net (Peter Swire) Subject: New paper on theory of disclosure for security & competitive reasons To the Full Disclosure list: Last year I got a lot of comments from this list on a draft paper, many of which were helpful. The final version of that paper, "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?" is at www.ssrn.com/abstracts=531782 Now the follow-up paper is ready for your (tender/helpful/snide) comments. www.ssrn.com/abstracts=842228. The current paper is called "A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government." The current version reflects comments from when I presented it at last month's ACM Conference on Computer and Communications Security. Excerpts from the abstract: A chief point of this paper is that the incentives for disclosure depend on two, largely independent, assessments - the degree to which disclosure helps or hurts security, and the degree to which disclosure creates advantages or disadvantages for the organization competitively. The paper presents a 2x3 matrix, where disclosure for security and competition are assessed for three types of systems or software: Open Source; proprietary software; and government systems. The paper finds greater convergence on disclosure between Open Source and proprietary software than most commentators have believed. For instance, Open Source security experts use secrecy in "stealth firewalls" and in other ways. Open Source programmers also often rely on gaps in Open Source licenses to gain competitive advantage by keeping key information secret. Meanwhile, proprietary software often uses more disclosure than assumed. For security, large purchasers and market forces often lead to disclosure about proprietary software. For competitive reasons, proprietary software companies often disclose a great deal when seeking to become a standard in an area or for other reasons.... This research provides a general approach for determining when disclosure is societally efficient (the first paper) as well as for describing the incentives actors face to disclose or not (this paper). The actual decision of whether to disclose in a given instance will depend on assessment of the empirical magnitude of the factors set forth in the papers. The research provides, however, the first theoretical structure for assessing these issues, which are so important to the design of systems and software in our information-rich age. ------------- I appreciate any constructive comments. I especially welcome technical insights and examples about where secrecy is used in Open Source software or where disclosure is used in proprietary software. Cites to prior, relevant literature also most welcome. Peter Prof. Peter P. Swire C. William O'Neill Professor of Law Moritz College of Law of The Ohio State University Visiting Senior Fellow, Center for American Progress (240) 994-4142, www.peterswire.net
Powered by blists - more mailing lists