Free/Libre & Open Source Software and When Disclosure Helps Security
Peter P. Swire, Ohio State University
Western Ontario: “Free/Libre and Open Source Software as Democratic Principle”
April 7, 2007
Dueling Slogans
Open Source mantra: “No Security Through Obscurity”
• Secrecy does not work (or at least we shouldn’t depend on it)
• Disclosure is good (“virtuous”)
Military motto: “Loose Lips Sink Ships”
• Secrecy is essential
• Disclosure is bad (“treason”)
Both can’t be true at the same time
Overview
Three papers complete, at www.ssrn.com, search “Swire”
1. A model for when each approach is correct -- assumptions for the Open Source & military approaches
  • Key reasons computer & network security often differ from earlier security problems and favor disclosure
2. “A Theory of Disclosure for Security & Competitive Reasons: Open Source, Proprietary Software, and Government Agencies”
  • Incentives for secrecy & openness to be used, even in Open Source, for both security and competitive reasons
3. “Privacy & Information Sharing in the War Against Terrorism”
All concern when disclosure helps security
We can identify where openness is most likely to succeed
I. Model for When Disclosure Helps Security
• Identify chief costs and benefits of disclosure
  • Effect on attackers
  • Effect on defenders
• Describe scenarios where disclosure of a defense is likely to have net benefits or net costs
• Utilitarian in approach
• Economics & computer security, not law
Open Source Perspective & Disclosure Helps Defenders
• Attackers learn little or nothing from public disclosure
• Disclosure prompts designers to improve the defense -- learn of flaws and fix
• Disclosure prompts other defenders/users of the software to patch and fix
• Net: Costs of disclosure low. Benefits high.
• [This is not a discussion of proprietary v. FLOSS – the focus is on when disclosure improves security]
Military Base & Disclosure Helps Attackers
• It is hard for attackers to get close enough to learn the physical defenses
• Disclosure teaches the designers little about how to improve the defenses
• Disclosure prompts little improvement by other defenders
• Net: Costs from disclosure high but few benefits
First Paper: Effects of Disclosure
Rows: how much disclosure helps attackers. Columns: how much disclosure helps defenders.

                         Help Defenders: Low        Help Defenders: High
Help Attackers: Low      Public Domain              Open Source
Help Attackers: High     Military/Intelligence      Information Sharing
Why Computer & Network Systems More Often Benefit From Disclosure
• Hiddenness & the first-time attack
  • N = number of attacks
  • L = learning from attacks
  • C = communication with other attackers
• Hiddenness helps for a pit or for a mine field
• Hiddenness works much less well for
  • Mass-market software
  • Firewalls
  • Encryption algorithms
What Is Different for Cyber Attacks?
• Many attacks
• Each attack is low cost
• Attackers learn from previous attacks
  • “This trick got me root access”
• Attackers communicate about vulnerabilities
• Because of attackers’ knowledge, disclosure often helps defenders more than attackers for cyber attacks
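The two slides above argue qualitatively that the value of a hidden defense falls as the number of attacks (N), attacker learning (L) and attacker communication (C) rise. The following simulation is an added illustration of that reasoning, not a model from the talk or the papers: the functions, the round-robin attacker model and every probability value are assumptions made for this example. It compares a one-off physical trap (the slide's pit) with mass-market software attacked many times by attackers who learn from failures and tell each other.

```python
"""Added illustration of the N / L / C reasoning from the slides: how much of
the protection provided by a hidden defense survives as attacks are repeated,
attackers learn from failed attempts, and attackers communicate.
The model and all parameter values are constructed for this example."""
import random


def hidden_defense_value(n_attacks, n_attackers, learn_prob, share_prob, seed=0):
    """Return the fraction of attacks stopped solely because the defense was
    still hidden from the attacker making the attempt.

    Constructed assumptions:
    - An attempt by an attacker who does not yet know the hidden defense fails.
    - Each failed attempt teaches that attacker the defense with probability
      learn_prob (the L factor).
    - On learning it, the attacker tells each other attacker with probability
      share_prob (the C factor).
    - The n_attacks attempts are spread round-robin over n_attackers attackers.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    knows = [False] * n_attackers
    stopped = 0
    for i in range(n_attacks):
        attacker = i % n_attackers
        if knows[attacker]:
            continue  # hiddenness no longer protects against this attacker
        stopped += 1
        if rng.random() < learn_prob:
            knows[attacker] = True
            for other in range(n_attackers):
                if other != attacker and rng.random() < share_prob:
                    knows[other] = True
    return stopped / n_attacks


def scenarios():
    """Side-by-side comparison of the slide's two kinds of defense.

    'pit' is the one-off physical trap: a single attack, so hiddenness
    always works. The software cases use 100 attacks by 10 attackers and
    differ only in whether attackers learn (L) and communicate (C)."""
    return {
        # one first-time attack: nothing to learn from, hiddenness is total
        "pit": hidden_defense_value(1, 1, 1.0, 1.0),
        # many attacks but no learning at all: hiddenness keeps working
        "no_learning": hidden_defense_value(100, 10, 0.0, 0.0),
        # learning without communication: each attacker must fail once
        "learn_only": hidden_defense_value(100, 10, 1.0, 0.0),
        # learning plus communication: one failure educates everyone
        "learn_and_share": hidden_defense_value(100, 10, 1.0, 1.0),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:16s} share of attacks stopped by hiddenness: {value:.2f}")
```

With learning and communication switched on, hiddenness stops one attack in a hundred; with neither, it stops all of them. The point for a defender is the one the slides make: obscurity is a reasonable control against a single first-time attack and a poor one for anything that is attacked repeatedly by a community that learns.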
III. Incentives to Disclose
• “A Theory of Disclosure for Security & Competitive Reasons: Open Source, Proprietary Software, and Government Agencies”
• Security reasons to disclose or not
• Competitive reasons to disclose or not
• Actual disclosure is a function of both
• Distinct models needed to analyze security & competitive incentives
Case 1: Open Source/Security
• By ideology, by definition, & under licenses, open source code is viewable by all
• Based on interviews, secrecy is still used:
  • For passwords and keys
  • “Stealth firewalls” and other hidden features that are not observable from the outside
  • “Secret sauce” such as unusual settings and configurations, to defeat script kiddies
• In short, rational secrecy is used to foil first-time and unsophisticated attacks
Case 2: Open Source/Competition
• In interviews with O.S. devotees, they smile and admit that they don’t publish their best stuff – what’s going on?
• Stay six months ahead of the curve – a form of trade secrets
• Users and widget manufacturers won’t want to disclose their internal software activities
Open Source/Competition
• Services dominate over products in many Open Source business models
• Systems integrators: “We take very valuable OS software, and build it into a suite of services that is even more valuable”
• GPL 2.0 applies to any work “distributed or published”, but not to services provided by one company
• Conclusion: trade secrets used in services have become a key competitive tool
• Consistent with IBM and other major players’ services activities
Case 2: Open Source/Competition
• Debate on GPL 3.0
• Apparent defeat of earlier proposal to require publishing of code used internally
• Services companies (including large commercial players) sticking with secrecy of their “non-distributed” GPL 2.0 software to protect their trade secrets and business models
Case 3: Proprietary/Security
• Initially, the owner of closed-source software is in a monopoly position about flaws in the software it wrote
• An externality leads to under-disclosure: the software company loses reputation and risks liability with disclosure, but the harm falls on the 3rd-party user
• This description was likely more true several years ago, before computer security was so important
• Size of the externality depends on the degree to which the seller’s reputation suffers due to security flaws
• Over time, outside programmers gain expertise, the 1st party loses its monopoly position in knowledge about vulnerabilities, & the reputation effect is greater
Case 3: Proprietary/Security
• What pressures force disclosure of vulnerabilities?
  • Large buyers, who have a taste to know the code in their system
  • Especially governments, who can (and do) require disclosure of vulnerabilities (Air Force)
  • To the extent there is competition based on software security, disclosure may be profit-maximizing
• Over time, we have seen substantially greater openness about vulnerabilities in proprietary software
Case 4: Proprietary/Competitive
• Hidden source code as a trade secret and possible competitive edge
• Countervailing incentive to have at least partly “open standards” in order to get broad adoption, network effects, & first-mover advantage
  • At least share with developers & joint ventures
• Complex game theory on when to be open
Open Source & Proprietary
• Greater secrecy in Open Source than usually recognized
  • Secret sauce for security
  • Trade secrets in services
• Greater openness in proprietary than usually recognized
  • Large buyers, governments, reputation
  • Financial gains from at least partly open standards
• Convergence of the two approaches when it comes to disclosure?
Case 5: Government/Security
• Summary – incentives for government to disclose are often weak
• Unclear when to do information sharing:
  • Disclosure helps both attackers & defenders
  • 1st party wants to share only with trusted third parties
  • Other 3rd parties may want/need the information to protect their own systems/jurisdictions
• Examples such as terrorist watch lists, terrorist modes of attack, alerts based on intelligence
Case 5: Government/Security
• No good market mechanisms for disclosure
• Thus a rationale for legal rules
  • FOIA to create transparency, including risks to communities
  • Executive Orders & congressional mandates to encourage information sharing
Case 6: Government/Competitive
• Widespread view that law enforcement & intelligence agencies hoard data
  • Most famously, the FBI has not shared with locals
• Hoarding can protect turf – others can’t use it against the 1st party (the agency)
• Hoarding can garner credit with stakeholders – the arrest, the correct intelligence analysis
• Again, FOIA and information-sharing mandates can seek to counteract excessive secrecy
Implications for FOSS & Government
• Descriptive project – a large zone where there is a credible claim for security in the Open Source approach to software
• Openness much more likely to help security for software than for physical security
• Areas where the claim for Open Source security is less strong:
  • Nuclear launch codes – few coders
  • First-time attacks – secrecy helps
  • Vulnerabilities that can’t be fixed – obscurity may be the best among imperfect strategies
Conclusions
• Goal of describing when disclosure is societally optimal – does it help or hurt security
• Goal of describing incentives, for OS, proprietary, and government
• I hope you can apply this to your setting, to see when each approach is most likely to achieve security