It seems every time I write something about obscurity in TDI, I piss someone off. I guess part of that goes with the territory of being me, but the other part is that it's very hard to be clear and complete in a 100-word snippet each morning.
So Chandler Howell takes me out (here [1]) because I advocated actually being careful about what we disclose to whom relative to potential vulnerabilities in physical door locks. He has a point, that I wasn't exactly clear or complete in my statements, so let me clarify a bit.
First, let me get the religion out of the way. There are times when it makes sense to obscure information about exploits and defenses. I've written about this in the past, and I don't believe there is an absolute right or wrong here. But if you are religious about it, the rest of this post is really going to piss you off. In general, I think more information is better than less information, but I'm not about to make a blanket statement that security by obscurity is bad in all cases.
Chandler's post got me thinking about when obscurity may be a better option. Of course, it does carry a significant amount of risk (and that's what Chandler is steamed about), but it may be worth it. We are security folks, no? Our jobs are to evaluate risk and then decide if it's worth taking.
I'm sure I'm missing something here and the odds are fairly high that I'll kick off some crap-storm. But to me, the key questions are: how easy is it to spread the word about a vulnerability, and how active a community is there to receive and take advantage of the information? If you can think in 3D, maybe you also add what it will cost (in terms of time and/or money) to fix the problem.
If the answer to either of the first two questions is yes or if the cost to fix it is small, then obscurity is probably not worth the risk.
Let's look at OS-level exploits (Windows, Mac, Linux exploits, etc.) to illuminate the point. In that case, since it's technology-related, there are lots of ways to disseminate that information. Underground newsgroups, blogs, etc. make exploit information spread like wildfire when discovered. And there are certainly lots of hackers to consume the information who have the ability to use it effectively pretty much immediately. And though many will argue about how much it costs to patch, it's really trivial relative to having to replace the machine.
Given the answer to both questions is yes and it doesn't cost a lot to fix the problem, it's a bad idea to obscure information relative to these types of exploits. This has been proven many times in practice. I suspect Apple is now learning this the hard way, given how they've behaved lately.
Now let's look at physical locks. Is there a lock-pickers' newsgroup or bulletin board? Are there blogs written by lock pickers that share the latest gadgets and techniques? Are folks' RSS readers buzzing with how to break a Schlage F-Series? I honestly don't know. And how many of the lock pickers frequent these information sources and would be able to quickly take advantage of the new information? Again, I don't know.
Let's say both of the answers are no, in that there aren't well-built-out information dissemination vehicles for lock-pickers and these folks wouldn't know where to look anyway. And what about cost? Replacing physical devices is expensive. And even if the vendor replaces the locks, someone has to do the labor to swap them out. This is non-trivial.
So based on my analysis, obscurity is not out of the question for the physical lock issue. Of course, that turned out to be a bad decision, but we are talking theory here. If you look at the downside, the biggest risk is that the information becomes public. Then we have to clean up the mess.
And it's quite a mess. When an obscured exploit becomes public it becomes a fiasco quickly. Kind of like Chandler relates relative to the Kryptonite/Bic Pen issue of a few years ago. But even that only involved replacing portable locks, not necessarily having to replace every lock in your house (that would be 5 for me).
So to net this out, there are a few factors that need to be considered relative to whether obscurity is a viable option. The religious will say it's never a viable option, and I think they are wrong. Clearly obscurity didn't work in the case that Jeff Hayes brought up to kick this discussion off, but how many other issues did we not worry about because we were blissfully unaware? And the lock-pickers were unaware as well.
That's what I have to say about that. Obscurity can and should be looked at on a case-by-case basis, but just keep in mind that it's a tightrope act. Like the Flying Wallendas [2], you can certainly get away with it, but probably not forever. If the wind blows in the wrong direction at the wrong time, SPLAT.