crypto and public policy

Access Control and Security through Obscurity

Filed under: Security & Crypto July 28, 2004 @ 5:07 pm

Dan O’Dowd, the CEO of Green Hills Software, believes that Linux is insecure. I won’t try to respond to all of his claims, but there is at least one point that demands a correction:

Many of the objections to my assertion that Linux is not suitable for defense systems are based on the truly bizarre misconception that secrecy reduces security. If secrecy isn’t important to security, then why does Linus Torvalds keep the means of accessing the core Linux development tree a secret from all but a few people? Because if he published the details of his defenses, some jerk would break in and screw up the Linux development effort.


“Security through obscurity” is a derisive slogan invented by the open source community to describe the practice of hiding the source code of sloppy software to prevent attackers from finding the vulnerabilities.

Mr. O’Dowd is thoroughly confused.

The term “secrecy,” as used by open-source and security experts in this debate, means preventing others from reading the source code (or, more generally, the design of the system). That is why the expression “security through obscurity” uses the word “obscurity”: darkness, or the inability to see. Linus keeping “the means of accessing the core Linux development tree” to himself is something else entirely: it is write access control. Open-source software lets everyone read the software, but certainly not everyone can modify a particular source tree, and nobody claims they should be able to.

Surely, Mr. O’Dowd knows the difference between reading and writing.

Then there’s this issue of “security through obscurity.” Contrary to Mr. O’Dowd’s claim, the principle behind this slogan significantly predates the open-source community. By more than 100 years, in fact.

Cryptographers like to refer to Kerckhoffs’s principle, which dates back to 1883 and states that a system should remain secure even if everything about it, except the relatively short cryptographic key, is publicly known. Claude Shannon restated it more than 50 years ago as “the enemy knows the system.” When the National Institute of Standards and Technology decided to select a new Advanced Encryption Standard (AES), they held a worldwide open review of the candidate ciphers lasting more than two years, and the winner was chosen precisely because public scrutiny failed to break it. This is no fad.
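To make the principle concrete, here is an added example (not code from the original post, and not anything from Green Hills or the Linux project). Scheme A is “security through obscurity”: its only secret is a substitution table hard-coded into the program, so whoever reads the program can decrypt everything. Scheme B publishes its design completely (the design is this very file) and keeps only a key secret; an attacker who has read every line still has to search the key space, so the key length sets the work factor. The keystream construction (HMAC-SHA256 over a counter) and the “known plaintext prefix” brute-force attack are constructed for illustration, not recommended production cryptography.

```python
"""Kerckhoffs's principle, worked through on two toy ciphers."""
import hashlib
import hmac
import itertools
import os
from typing import Optional

# ---- Scheme A: security through obscurity ---------------------------------
# A fixed byte substitution baked into the program.  167 is odd, so
# b -> 167*b + 59 (mod 256) is a bijection on bytes and can be inverted.
# There is no key: the table *is* the secret.
_SECRET_TABLE = bytes((167 * b + 59) & 0xFF for b in range(256))
_INVERSE_TABLE = bytes(_SECRET_TABLE.index(b) for b in range(256))


def obscure_encrypt(plaintext: bytes) -> bytes:
    return bytes(_SECRET_TABLE[b] for b in plaintext)


def obscure_decrypt(ciphertext: bytes) -> bytes:
    return bytes(_INVERSE_TABLE[b] for b in ciphertext)


def attacker_who_read_the_source(ciphertext: bytes) -> bytes:
    """Once the table is known there is nothing left to guess: reading the
    program (source, disassembled binary, or a licensed copy) is the break."""
    return obscure_decrypt(ciphertext)


# ---- Scheme B: published design, secret key --------------------------------
# Keystream block i = HMAC-SHA256(key, nonce || i), XORed into the message.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in itertools.count():
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        if len(out) >= length:
            return bytes(out[:length])


def keyed_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


keyed_decrypt = keyed_encrypt  # XOR with the same keystream undoes itself


def brute_force(ciphertext: bytes, nonce: bytes, known_prefix: bytes,
                key_bits: int, max_trials: int = 1 << 20) -> Optional[bytes]:
    """The attacker knows the algorithm completely (Shannon: 'the enemy knows
    the system') plus a likely plaintext prefix.  All that is left is to try
    keys.  Returns the key if the search fits in max_trials, else None.
    key_bits must be a multiple of 8 (constructed convenience for the demo)."""
    if (1 << key_bits) > max_trials:
        return None  # 2**128 trials is not an attack anyone can run
    for k in range(1 << key_bits):
        key = k.to_bytes(key_bits // 8, "big")
        # Only the first block of keystream is needed to test the prefix.
        if keyed_decrypt(key, nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return key
    return None


if __name__ == "__main__":
    msg = b"attack at dawn, bring the keys"          # constructed sample message
    print("A, attacker with source:", attacker_who_read_the_source(obscure_encrypt(msg)))
    nonce = os.urandom(8)
    short_key = os.urandom(2)                         # 16-bit key: obscurity of the
    ct = keyed_encrypt(short_key, nonce, msg)         # code does not save it
    print("B, 16-bit key recovered:", brute_force(ct, nonce, b"attack", 16) == short_key)
    long_key = os.urandom(16)                         # 128-bit key: design public,
    ct = keyed_encrypt(long_key, nonce, msg)          # search infeasible
    print("B, 128-bit key recovered:", brute_force(ct, nonce, b"attack", 128))
```

The lesson is the one O’Dowd misses: publishing the design of scheme B costs it nothing, because its security was never in the design. Publishing scheme A destroys it, which is exactly why hiding a design is not considered security at all.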

Let’s be fair: Mr. O’Dowd’s software is delivered to clients with source code, and it might very well be excellent. Once you’ve paid the licensing fee, you can even verify this claim on your own, assuming you have the resources and time to do so. So Green Hills Software may well make fantastic software.

What they’re surely not good at, however, is providing an honest, educated critique of another system’s security.
