free libre open source software and when disclosure helps security n.
Skip this Video
Loading SlideShow in 5 Seconds..
Free/Libre & Open Source Software and When Disclosure Helps Security PowerPoint Presentation
Download Presentation
Free/Libre & Open Source Software and When Disclosure Helps Security

Free/Libre & Open Source Software and When Disclosure Helps Security

130 Views Download Presentation
Download Presentation

Free/Libre & Open Source Software and When Disclosure Helps Security

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Free/Libre & Open Source Software and When Disclosure Helps Security Peter P. Swire Ohio State University Western Ontario: “Free/Libre and Open Source Software as Democratic Principle” April 7, 2007

  2. Dueling Slogans Open Source mantra: “No Security Through Obscurity” • Secrecy does not work (or at least we shouldn’t depend on it) • Disclosure is good (“virtuous”) Military motto: “Loose Lips Sink Ships” • Secrecy is essential • Disclosure is bad (“treason”) Both can’t be true at the same time

  3. Overview Three papers complete, at, search “Swire” 1. A model for when each approach is correct -- assumptions for the Open Source & military approaches • Key reasons computer & network security often differ from earlier security problems and favor disclosure 2. “A Theory of Disclosure for Security & Competitive Reasons: Open Source, Proprietary Software, and Government Agencies” • Incentives for secrecy & openness to be used, even in Open Source, for both security and competitive reasons 3. “Privacy & Information Sharing in the War Against Terrorism” All concern when disclosure helps security We can identify where openness most likely to succeed

  4. I. Model for When Disclosure Helps Security • Identify chief costs and benefits of disclosure • Effect on attackers • Effect on defenders • Describe scenarios where disclosure of a defense likely to have net benefits or costs • Utilitarian in approach • Economics & computer security, not law

  5. Open Source Perspective & DisclosureHelps Defenders • Attackers learn little or nothing from public disclosure • Disclosures prompts designers to improve the defense -- learn of flaws and fix • Disclosure prompts other defenders/users of software to patch and fix • Net: Costs of disclosure low. Bens high. • [This is not a discussion of proprietary v. FLOSS – focus is on when disclosure improves security]

  6. Military Base & Disclosure Helps Attackers • It is hard for attackers to get close enough to learn the physical defenses • Disclosure teaches the designers little about how to improve the defenses • Disclosure prompts little improvement by other defenders. • Net: Costs from disclosure high but few benefits.

  7. First Paper: Effects of Disclosure Help Defenders Low High

  8. Low Help Attackers High Open Source Information Sharing Public Domain Military/ Intelligence Effects of Disclosure -- II Help Defenders Low High

  9. Why Computer & Network Systems More Often Benefit From Disclosure • Hiddenness & the first-time attack • N = number of attacks • L = learning from attacks • C = communicate with other attackers • Hiddenness helps for pit or for mine field • Hiddenness works much less well for • Mass-market software • Firewalls • Encryption algorithms

  10. What Is Different for Cyber Attacks? • Many attacks • Each attack is low cost • Attackers learn from previous attacks • This trick got me root access • Attackers communicate about vulnerabilities • Because of attackers’ knowledge, disclosure often helps defenders more than attackers for cyber attacks

  11. III. Incentives to Disclose • “A Theory of Disclosure for Security & Competitive Reasons: Open Source, Proprietary Software, and Government Agencies” • Security reasons to disclose or not • Competitive reasons to disclose or not • Actual disclosure is a function of both • Distinct models needed to analyze security & competitive incentives

  12. Case 1: Open Source/Security • By ideology, by definition, & under licenses, open source code is viewable by all • Based on interviews, secrecy still used: • For passwords and keys • “Stealth firewalls” and other hidden features that are not observable from the outside • “Secret sauce” such as unusual settings and configurations, to defeat script kiddies • In short, rational secrecy is used to foil first-time and unsophisticated attacks

  13. Case 2: Open Source/Competition • Interviews with O.S. devotees, they smile and admit that they don’t publish their best stuff – what’s going on? • Stay six months ahead of the curve – a form of trade secrets • Users and widgit manufacturers won’t want to disclose their internal software activities

  14. Open Source/Competition • Services dominate over products in many Open Source business models • Systems integrators: “We take very valuable OS software, and build it into a suite of services that is event more valuable” • GPL 2.0 applies to any work “distributed or published”, but not to services provided by one company • Conclusion: trade secrets used in services have become a key competitive tool • Consistent with IBM and other major players’ services activities

  15. Case 2: Open Source/Competition • Debate on GPL 3.0 • Apparent defeat of earlier proposal to require publishing of code used internally • Services companies (including large commercial players) sticking with secrecy of their “non-distributed” GPL 2.0 software to protect their trade secrets and business models

  16. Case 3: Proprietary/Security • Initially, the owner of closed-source software is in a monopoly position about flaws in the software it wrote • An externality leads to under-disclosure: software company loses reputation and risks liability with disclosure but harm on the 3rd party user • This description was likely more true several years ago, before computer security was so important • Size of externality depends on the degree to which the seller’s reputation suffers due to security flaws • Over time, outside programmers gain expertise, the 1st party loses its monopoly position in knowledge about vulnerabilities, & reputation effect is greater

  17. Case 3: Proprietary/Security • What pressures force disclosure of vulnerabilities? • Large buyers, who have a taste to know the code in their system • Especially governments, who can (and do) require disclosure of vulnerabilities (Air Force) • To the extent there is competition based on software security, then disclosure may be profit-maximizing • Over time, have seen substantially greater openness about vulnerabilities in proprietary software

  18. Case 4: Proprietary/Competitive • Hidden source code as a trade secret and possible competitive edge • Countervailing incentive to have at least partly “open standards” in order to get broad adoption, network effects, & first-mover advantage • At least share with developers & joint ventures • Complex game theory on when to be open

  19. Open Source & Proprietary • Greater secrecy in Open Source than usually recognized • Secret sauce for security • Trade secrets in services • Greater openness in proprietary than usually recognized • Large buyers, governments, reputation • Financial gains from at least partly open standards • Convergence of the two approaches when it comes to disclosure?

  20. Case 5: Government/Security • Summary – incentives for government to disclosure often weak • Unclear when to do information sharing: • Disclosure helps both attackers & defenders • 1st party wants to share only with trusted third parties • Other 3rd parties may want/need information to protect their own systems/jurisdictions • Examples such as terrorist watch lists, terrorist modes of attack, alerts based on intelligence

  21. Case 5: Government/Security • Not good market mechanisms for disclosure • Thus a rationale for legal rules • FOIA to create transparency, including risks to communities • Executive Orders & congressional mandates to encourage information sharing

  22. Case 6: Government/Competitive • Widespread view that law enforcement & intelligence agencies hoard data • Most famously, the FBI has not shared with locals • Hoarding can protect turf – others can’t use it against the 1st party (the agency) • Hoarding can garner credit with stakeholders – the arrest, the correct intelligence analysis • Again, FOIA and Information Sharing mandates can seek to counter-act excessive secrecy

  23. Implications for FOSS & Government • Descriptive project – large zone where have a credible claim for security in Open Source approach to software • Openness much more likely to help security for software than for physical security • Areas where claim for Open Source security are less strong • Nuclear launch codes – few coders • First-time attacks – secrecy helps • Vulnerabilities that can’t be fixed – obscurity may be the best among imperfect strategies

  24. Conclusions • Goal of describing when disclosure is societally optimal – does it help or hurt security • Goal of describing incentives, for OS, proprietary, and government • I hope you can apply this to your setting, to see when each approach is most likely to achieve security