Shostack + Friends Blog Archive


Swire on Disclosure

Peter Swire has a new working draft, “A Model For When Disclosure Helps Security.” It’s a great paper which lays out two main camps, which he calls open source and military, and explains why the underlying assumptions cause clashes over disclosure. That would be a useful paper, but he then extends it into a semi-mathematical model of the factors that contribute to the usefulness of hiding information. (Semi-mathematical because there are no numbers attached, but rather “high/low” rankings.)

There’s a variable, “L”, that Swire uses to refer to how much an attacker learns from each attack. He mentions in the context of surveillance that (III.4, page 24) secrecy helps the defender a great deal. It helps an eavesdropper to stay secret when listening to attackers plan. I think that estimating L is hard, harder than Swire gives credit for. And a good estimate of L is important, because if your estimate of what your attacker is learning is too low, you make bad decisions. “Oh, no, that’ll take them weeks to figure out.”

He then evaluates why computers are different, mainly in that attacks can be honed and perfected and then replicated. It then gets really interesting when he drags in a relationship to the Efficient Capital Markets Hypothesis (ECMH). “Efficiency in the Open Source paradigm also means that all relevant information is already known to outsiders — disclosure of a vulnerability does not help attackers. The claim here is that the open source paradigm has implicitly assumed what is called the ‘strong’ form of the ECMH, that ‘current security prices fully reflect all currently existing information, whether publicly available or not.’” (III.5.b, p 28). I think this is actually not correct.

We can look at information flows as being three markets: There’s a public market, a restricted market, such as is created by official, but controlled information sharing, like ISACs, and an underground market. The best market is where information is factored in quickly, and the market has low transaction costs. So we might re-state Swire’s claim as “…sufficient relevant information is already known to attackers; public disclosure of a vulnerability does not further help attackers.” It’s easy to see that a public market has much lower transaction costs than a restricted market, but it’s hard to know how good the underground market actually is.

2 comments on "Swire on Disclosure"

  • Peter Swire says:

    Adam: Thanks for the insightful read of the paper.
    I agree that it is often hard to estimate “L”, or the amount of learning that attackers get from an attack. Surveillance seemed the one clear area where the entire game is about the person doing the surveillance keeping sources and methods secret.
    On the Capital Markets point, you seem to be saying that sufficient (satisficing) data is all that the hacker needs, because the hacker can take it from there (especially with multiple attacks until something works). In the stock market, optimal data is needed to beat the market. To the extent you are correct about the usefulness of satisficing data, then the set of attackers will be closer to efficiency. That is, less reason not to disclose.

  • Security by Obscurity

    Adam Shostack points to a new paper by Peter Swire, entitled “A Model for When Disclosure Helps Security”. How, Swire asks, can we reconcile the pro-disclosure “no security by obscurity” stance of crypto weenies with the pro-secrecy, “loose lips sink s…
