Scare mongering of the most absurd kind
Security is one of those areas that tends to attract people with strong views. It’s somewhere I’ve occupied for a decade now, and I’ve seen a lot of people express a lot of divergent viewpoints. The one that binds every dedicated and serious security person together is this: “Security through obscurity is no security at all.”
If you think that hiding your “secrets” or weaknesses is going to provide more than the slightest modicum of protection from anyone with an IQ over 50, then you are not only deluding yourself, you are doing a major disservice to your clients—and we all have clients that we serve in one way or another. Dr. Dobb’s Journal cranks up the Fear-O-Matic mongering-machine and comes up with this gem of an article on the Metasploit Project.
There’s nothing singularly wrong with the article, and yet its breathless tone of astonishment that someone might create a tool for exploring security weaknesses and then might, horror-of-horrors, release it to the entire world, is so absurd as to be laughable. Just about every security person I know believes in full disclosure. We don’t all agree on the exact mechanism or on how much advance warning to give, but we all believe that keeping something secret doesn’t serve the “greater good” that we focus on in general.
Why is that? Why do I think that Moore should release his exploits? It’s quite simple. If you don’t embarrass the hell out of most vendors, they will simply ignore the problem. Security is almost nobody’s top priority, even at the security vendors[1], and that creates a situation where many problems go unresolved. Most researchers, although not usually Moore, try to make sure they tell a vendor ahead of time. The vendors don’t always listen, or agree. Once the problem is out in the open, they often have no choice but to resolve it.
I wish I could say it wasn’t necessary to shame people into writing non-crap code, but sometimes it is. Some people will say “but you’re giving our opponents all our secrets,” and that’s true. It is, however, massive folly to delude yourself into thinking they haven’t discovered them independently—especially considering how common a lot of the problems are—or that they aren’t capable of it. You must always assume that your opponent is smarter than you are. Anything less than that and you will lose. Pretending that sweeping a problem under the rug means nobody will know about it is simply not effective.
[1] The number of security products that have gaping security holes in their own implementation is pretty substantial.
This entry was posted at 9:50 am on 26 October 2006 and is filed under Security. You can follow any responses to this entry through the post-specific RSS 2.0 feed.