Obscurity, redux squared

Submitted by Mike Rothman on Thu, 2006-11-02 15:16.

It seems every time I write something about obscurity in TDI, I piss someone off. Part of that goes with the territory of being me, but the other part is that it's very hard to be clear and complete in a 100-word snippet each morning.

So Chandler Howell takes me out (here) because I advocated actually being careful about what we disclose, and to whom, relative to potential vulnerabilities in physical door locks. He has a point that I wasn't exactly clear or complete in my statements, so let me clarify a bit.

First, let me get the religion out of the way. There are times when it makes sense to obscure information about exploits and defenses. I've written about this in the past, and I don't believe there is an absolute right or wrong here. But if you are religious about it, the rest of this post is really going to piss you off. In general, I think more information is better than less information, but I'm not about to make a blanket statement that security by obscurity is bad in all cases.

Chandler's post got me thinking about when obscurity may be a better option. Of course, it does carry a significant amount of risk (and that's what Chandler is steamed about), but it may be worth it. We are security folks, no? Our jobs are to evaluate risk and then decide if it's worth taking.

I'm sure I'm missing something here, and the odds are fairly high that I'll kick off some crap-storm. But to me, the key questions are: how easy is it to spread the word about a vulnerability, and how active a community is there to receive the information and take advantage of it? If you can think in 3D, maybe you also add what it will cost (in terms of time and/or money) to fix the problem.

If word about the vulnerability would spread easily, if there is an active community ready to use it, or if the cost to fix it is small, then obscurity is probably not worth the risk.

Let's look at OS-level exploits (Windows, Mac, Linux exploits, etc.) to illuminate the point. In that case, since it's technology-related, there are lots of ways to disseminate the information. Underground newsgroups, blogs, etc. make exploit information spread like wildfire once it's discovered. And there are certainly lots of hackers to consume the information who have the ability to use it effectively pretty much immediately. And though many will argue about how much it costs to patch, it's really trivial relative to having to replace the machine.

Since word spreads easily and the community is active, and it doesn't cost a lot to fix the problem, it's a bad idea to obscure information relative to these types of exploits. This has been proven many times in practice. I suspect Apple is now learning this the hard way, given how they've behaved lately.

Now let's look at physical locks. Is there a lock-pickers' newsgroup or bulletin board? Are there blogs written by lock pickers that share the latest gadgets and techniques? Are folks' RSS readers buzzing with how to break a Schlage F-Series? I honestly don't know. And how many of the lock pickers frequent these information sources and would be able to quickly take advantage of the new information? Again, I don't know.

Let's say both of the answers are no, in that there aren't well-built-out information dissemination vehicles for lock pickers and these folks wouldn't know where to look anyway. And what about cost? Replacing physical devices is expensive. And even if the vendor replaces the locks, someone has to do the labor to swap them out. This is non-trivial.

So based on my analysis, obscurity is not out of the question for the physical lock issue. Of course, that turned out to be a bad decision, but we are talking theory here. If you look at the downside, the biggest risk is that the information becomes public. Then we have to clean up the mess.

And it's quite a mess. When an obscured exploit becomes public, it becomes a fiasco quickly, as Chandler relates with the Kryptonite/Bic pen issue of a few years ago. But even that only involved replacing portable locks, not necessarily having to replace every lock in your house (that would be five for me).

So to net this out, there are a few factors that need to be considered relative to whether obscurity is a viable option. The religious will say it's never a viable option, and I think they are wrong. Clearly obscurity didn't work in the case that Jeff Hayes brought up to kick this discussion off, but how many other issues did we not worry about because we were blissfully unaware? And the lock pickers were unaware as well.

That's what I have to say about that. Obscurity can and should be looked at on a case-by-case basis, but just keep in mind that it's a tightrope act. Like the Flying Wallendas, you can certainly get away with it, but probably not forever. If the wind blows in the wrong direction at the wrong time, SPLAT.


Submitted by ivan (not verified) on Thu, 2006-11-02 23:25.

Mike: Perhaps this is relevant to the security-through-obscurity argument for locks. Credit Matt Blaze for bringing it up. Btw, last time I checked, Matt Blaze wasn't classified as an evil outlaw but rather as a seasoned, world-renowned, top-notch researcher, and one who through his research work actually had some things to say about the security of locks.

Quoted from http://www.crypto.com/hobbs.html :

A commercial, and in some respects a social doubt has been started within the last year or two, whether it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear, milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.

— A. C. Hobbs (Charles Tomlinson, ed.), Locks and Safes: The Construction of Locks. Published by Virtue & Co., London, 1853 (revised 1868).
