Comments on: Swire on Disclosure http://emergentchaos.com/archives/2004/09/swire-on-disclosure.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Freedom to Tinker http://emergentchaos.com/archives/2004/09/swire-on-disclosure.html/comment-page-1#comment-26 Freedom to Tinker Tue, 14 Sep 2004 11:27:16 +0000 http://emergentchaos.com/?p=32#comment-26 <strong>Security by Obscurity</strong> Adam Shostack points to a new paper by Peter Swire, entitled "A Model for When Disclosure Helps Security". How, Swire asks, can we reconcile the pro-disclosure "no security by obscurity" stance of crypto weenies with the pro-secrecy, "loose lips sink s... Security by Obscurity

Adam Shostack points to a new paper by Peter Swire, entitled “A Model for When Disclosure Helps Security”. How, Swire asks, can we reconcile the pro-disclosure “no security by obscurity” stance of crypto weenies with the pro-secrecy, “loose lips sink s…

]]> By: Peter Swire http://emergentchaos.com/archives/2004/09/swire-on-disclosure.html/comment-page-1#comment-25 Peter Swire Thu, 09 Sep 2004 18:05:42 +0000 http://emergentchaos.com/?p=32#comment-25 Adam: Thanks for the insightful read of the paper. I agree that it is often hard to estimate "L", or the amount of learning that attackers get from an attack. Surveillance seemed the one clear area where the entire game is about the person doing the surveillance keeping sources and methods secret. On the Capital Markets point, you seem to be saying that sufficient (satisficing) data is all that the hacker needs, because the hacker can take it from there (especially with multiple attacks until something works). In the stock market, optimal data is needed to beat the market. To the extent you are correct about the usefulness of satisficing data, then the set of attackers will be closer to efficiency. That is, less reason not to disclose. peter Adam: Thanks for the insightful read of the paper.
I agree that it is often hard to estimate “L”, or the amount of learning that attackers get from an attack. Surveillance seemed the one clear area where the entire game is about the person doing the surveillance keeping sources and methods secret.
On the Capital Markets point, you seem to be saying that sufficient (satisficing) data is all that the hacker needs, because the hacker can take it from there (especially with multiple attacks until something works). In the stock market, optimal data is needed to beat the market. To the extent you are correct about the usefulness of satisficing data, then the set of attackers will be closer to efficiency. That is, less reason not to disclose.
peter

]]>