Disclosure or secrecy?

The free software community operates under the assumption that security problems are best addressed through full disclosure. Keeping vulnerabilities secret is seen as a recipe for slower development and deployment of fixes and for the recurrence of the same mistakes in new contexts. Many other groups, such as military organizations, take a different approach: secrecy is a key part of how they maintain security. The two approaches would appear to be contradictory; which is the right one? Peter Swire has just published a paper which attempts to answer this question.

The paper sets the stage by trying to come up with ways of characterizing the costs and benefits of disclosure. In any situation, how much does disclosure of information benefit attackers and defenders? One of the core observations made is that secrecy is most beneficial against first-time attacks. When the defense has something unique or unknown (be it a defensive technique or a vulnerability), secrecy can be effective. But when it is possible to repeatedly probe defenses, and when defenses are not unique, security through obscurity buys little. For this reason, computers and networks tend to be more secure when operated in a full disclosure mode.

Some exceptions are made, however. The paper goes to some lengths to make the point that keys and passwords should be kept secret; it should not be too hard to convince most readers of that. Mr. Swire also points out that surveillance techniques can be a good candidate for secrecy; attackers can often learn very little about monitoring systems by probing, so it is best to keep them in the dark.

In the end, the paper takes few positions; the author will not commit himself, for example, on whether free software is more or less secure than proprietary software. As a framework for evaluating the value and costs of disclosure, however, the paper may be a useful contribution.


to post comments

Disclosure or secrecy?

Posted Sep 9, 2004 14:19 UTC (Thu) by maniax (subscriber, #4509) [Link]

There was/is a nice discussion (an exception to the standard traffic there) in the Full-disclosure mailing list about this paper.


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds