
A Model for When Disclosure Helps Security. Peter P. Swire, Ohio State University. Stanford Cybersecurity Conference, November 22, 2003.


1 A Model for When Disclosure Helps Security
Peter P. Swire
Ohio State University
Stanford Cybersecurity Conference
November 22, 2003

2 The Paradox
- Open Source mantra: No Security Through Obscurity
- Secrecy does not work
- Military base and the location of the defensive machine guns
- Secrecy as essential
- I am working on a book on What Should Still Be Secret – basic model today

3 Open Source & Disclosure Helps Defenders
- Presume that attackers will easily/quickly learn of flaws
- Disclosure does not help attackers (much)
- Writers of software learn of flaws and fix
- Users of software learn of patch and fix
- Disclosure does help the defenders
- [I am not taking a position on proprietary v. Open Source – focus on when disclosure can improve security]

4 Military Base & Disclosure Helps Attackers
- It is hard for attackers to get close enough to learn the physical defenses
- Disclosure thus helps attackers
- The defenders likely get little benefit from outside/peer review broadcast to all
- Disclosure provides little help to defenders

5 Effects of Disclosure
[Chart: axes "Help Attackers" (Low to High) and "Help Defenders" (Low to High); entries: Open Source, Military/Intelligence]

6 Physical & Cyber Security
- Defend the buried pipeline
  - Hard for attackers to learn the key vulnerable point
  - Expensive to rebuild pipeline once in place
  - Vulnerabilities often unique
- Change the software
  - Easy for attackers to do remote attacks & tell others of vulnerability (warez & hacker sites)
  - Relatively inexpensive to patch & update
  - Vulnerabilities often large scale/mass market

7 Effects of Disclosure
[Chart: axes "Help Attackers" (Low to High) and "Help Defenders" (Low to High); entries: Open Source, Physical facilities, 1. Military/Intel, 2. Physical facilities]

8 Conclusion
- I am proposing a simple model for when disclosure helps security
- Disclosure helps defenders? Attackers?
- Explains reasons for less disclosure of vulnerabilities for military, intel, & physical
- Explains reasons for greater disclosure for many software and computer system settings
- Other reasons to consider disclosure or not
  - FOIA/accountability
  - Privacy/confidentiality
- Have an intellectual framework for proceeding

