New Security Group Hedges Bets And Builds Hedges

7card writes: "ok i was just doing my morning surfing and i found this article, which may be of some interest. It looks like the world has another club of security experts with the goal of security through obscurity. some of the members include Microsoft, Oracle, and Cisco." Reader Junin points to this CNET story as well.

Sovreignty and Corporate Intelligence Agencies

[Bonker]

Well, this is a dangerous step toward the evolution and existence of sovreign corporations.

The real problem with the concept of 'private networks of information' is that they tend to grow, especially with the impetus this one has. It's in their best interest to keep as much of the knowledge they gather classified for as long as they can. If there is the perception that this kind of limited sharing is effective and one has to pay to become a member, there will be leaps and bounds of growth to this organization. Unlike the federal government, there are no laws in place to protect average citezens from this type of secrecy.

What's even more disturbing is the kind of actions this organization will eventually take to protect its secrets. At first it will be legal actions. They will sue to prevent people from releasing important security information. Then the proliferation of 'inter-agency' controls will increase, say giving back-doors to certain law enforcement agencies into certain applications. I'm certain this already goes on to some extent, but this gives tech companies a reason for this to become common practice.

How long is it before this kind of alliance has the ability to conduct its own 'Security' raids and anti-hacker activities through its contacts in law enforcement? Not too damn long, if I'm not mistaken.

What laws are in place to keep a corporation from harrasing and causing problems for an individual? Abso-fricken-lutely none. American business law is written to favor a business or corporation over an individual every single time.

Congratulations! You just lost!

[rjh]

Imagine how secure your data would be if nobody knew where it was except you

Reminds me of of the US raid on Tehran. The special-warfare troopers were out in the middle of the desert, in a spot so remote nobody would be there looking for them... and they got discovered by a busload of people who stumbled across the area by virtue of getting lost.

Moral of the story: security through obscurity doesn't work. It's a numbers game, a calculated risk, and the risk involved is far higher than other more proactive forms of security.

Would you be willing to do all your online banking if your bank told you, "We don't bother to encrypt your financial records or firewall our system from malicious hackers--but don't worry! All the data is kept on a URL so obscure nobody will ever come across it!"

At Americanwicca.com, we make sure that our site is utterly secure by refusing to release details.

Speaking as a cryptographic engineer, I find this amazingly hilarious. :) Guess what--you just did release a detail. Namely, you said that your site's entire security is based around your refusal to release details. That means that you've just announced to the world:

1. "We think our site is utterly secure"
2. "We don't use any security measures to speak of"
3. "There's something we consider important at that site, otherwise we wouldn't feel the need for utter security"

To this utter naievete, your typical malicious attacker would respond with:

1. (convulsions of apopletic laughter--no site is "utterly secure")
2. "Sounds like an easy mark"
3. "Geez, they've got something they think is important AND they don't use any security except the general lack of knowledge of their site? What was the name of that place again?

... In other words, you're being just plain silly.

What's more than this is you're also lying.

At Americanwicca.com, we make sure that our site is utterly secure by refusing to release details.

No, you make sure your site is secure by locking down ports 21 and 23 for starters (telnet and mail). I know this because I just tried to telnet into them to see if they were open. So if security-through-obscurity is so darned good, why do you need to take the additional step of locking down your ports?

The answer is: because security through obscurity is a failed policy. Always has been, always will be. Locking down ports, on the other hand, is a smart and proactive policy.

Let the rhetoric begin

[FallLine]

Before I begin, let me state that there is some merit to the Open Source security "process" (if you could call it that) AND there are legitimate concerns with companies merely shirking off ALL concern for security while depending 100% on so-called obscurity. That being said, I have real issue with going from "security through obscurity" is not a cure-all, to the Open Source mantra that "security through obscurity" has absolutely no merit. A couple key points that all too many just glaze over:

First, the only way the Open Source security philosophy really works is if people ACTUALLY (as opposed to theoretically) sit down and read the code for security flaws in its entirity. I would argue that in a great many cases, no one even approaches this level. Because the Open Source community has very little centralization of effort, there is going to be a great deal of redundancy. In other words, even if you believe that 1000 security "experts" will spend some time reviewing the code, they may well be looking at the same piece of code (which in and of itself, can be a good thing), while leaving other pieces of code largely unscrutinized. Furthermore, I suspect that very few people truely give the code the time of day.

Second, while Open Source makes it easier for white hats to find flaws, it also makes it easier for blackhats to find and exploit flaws. This is particularly relevant if, as I point out, the code is not getting the right kind of attention from white hats.

Third, Closed Source can make it HARDER and DULLER to find flaws. Many people seem to assume that just because obscure products have been cracked, that there is absolutely no reedeeming value to it being closed. In other words, at any given moment in time, if we could some how have two parallel universes that would allow you to have the same piece of code (let's say the latest stable linux kernel with all patches applied) in Open Source and Closed Source at the same time, without knowledge leaking either way, most reasonable people would prefer the Closed Source option.

Fourth, security flaws are found all the time in Open Source code projects. A lot of them are presumably stable pieces of code that have already been put into production. These systems get hacked REGULARLY. Now this isn't to say the same doesn't apply to closed source, but you can't ignore the problem either way.

Fifth, many people constantly bring up the point "well if you just patch regularly...". While I agree that everyone SHOULD do this if possible, it's not always possible, and it's frequently not economical. If there is a piece of closed source code that hasn't had any published (or suspected) security flaws in 4 years of existence, while the competing Open Source alternatives have had many (constantly forcing their admins to patch), then that's a real issue for any competent admin.

Sixth, it's entirely possible for a Closed Source company to do a full internal security audit of their code. It may not be perfect, but it's better than nothing. Although I fully realize that hardly anyone does this, it'd be a mistake to ignore this as an option. If a company can get _most_ of the (presumed) benefits of an Open Source security audit without the corresponding exposure of their source code to blackhats (or at least less "risk" of that), then that might be very good indeed.

In summation, this is not nearly as black and white as people protray it. It comes down to numbers and many other unquantifiable elements. A simple philosophy is a not a one time cure-all. For instance, as I have alluded to, if there are very few white hats reviewing the code (say 50) and those white hats are mostly replicating their own work (say 15% efficiency) while allowing any black hat with proper monetary motivation to put the effort into cracking easy to read source code, then you might well be worse off. The same goes the other way around, if a software company, as all too many do, rush their product out with little to no review and depend entirely on obscurity, they might well use some routines that are well known security problems that can be easily searched for....

The bottom line is that it is just as stupid to assume your carelessness will be automatically covered by "peer review" (or "Open Source") as it is to assume it will be covered by "obscurity".

I'll toss in $5

[scotpurl]

I figure if a bunch of us throw in a bit of money, Slashdot could join this exclusive club, and then we'd get access to the reports on all the unpublished, undiscovered holes and bugs that the marketroids are hiding from us.

So, I pledge $5/year for this endeavour.

I'm not sure I understand...

[Shoeboy]

How is keeping a vulnerability secret until you've got a fix for it "security through obscurity?" There's a big difference between releasing source and releasing vulnerabilities. Releasing vulnerabilities only guarantees that they'll be exploited.
Even the mighty Linux community sometimes keeps vulnerabilities secret until a fix is released.
What makes this security through obscurity rather than good security practices?
Won't some strong virile slashbot please explain it to timid pert little me?
--Shoeboy

This is plainly antitrust!

[Chuck+Flynn]

This is exactly the sort of thing antitrust laws are intended to prevent: collusion among market dominators, patting each others' backs and shunning the upcoming little guy. If you're not a major conglomerate like Oracle or Microsoft (much less AT&T and others), you can't possibly break into this information cartel. Don't people understand that information is the currency of the new age?

Having a cartel like this is not only unnecessary; it's plain wrong. It simulatneously flies in the face of libertarian notions of self-help and of liberal notions of the omnipotent government who can protect citizens corporations on its own. Like so many areas of our economy, things were just fine until the corporations decided to start merging into one giant monopolistic hairball. I urge you all to write your congressmen and senators. This must be put to a stop.

True innovation

[Shoeboy]

Members that discover a new cyber-threat -- a new strain of virus or a break-in method that foils existing electronic defenses -- will be able to send detailed warnings to the rest of the group via e-mail, telephone, fax and pagers.

I wish I had $750,000 dollars to sink into a non-profit center so that I could email, telephone, fax and/or page my friends when something important happened.
*Sigh*
Too bad only big buisness has these capabilities. I guess I'll go feed my carrier pigeons now.
--Shoeboy

Dumb idea

[autocracy]

Based on what I can tell from the report, this "members only" group sends warnings only among its own. That means that if one of these companies finds this nasty virus, all the other companies find out but we don't. When you look at the list of companies that have joined, you'll note that most of the companies have something to gain from knowing about such a virus before anyonne else. Take for example Symantec who makes antivirus programs, and VeriSign - who will ineveiteably bring up the "if you signed all your messages with our keys, then people would know it wasn't from you because you didn't sign it" junk. That in itself may be a good thing (encouraging crypto), but they'll find a way to twist facts so that only VeriSign gains from such a thing. Don't tell me know either: these companies are run by CEOs that worry more about how fat their wallets are than anything else.

Another way this is bad: we have CERTs for a reason - to deal with this kind of thing. By forming this "coalition", they're further fragmenting the system of disaster recovery. CERT.org was created some time ago just for things like this, and it doesn't cost $5k a year to get warnings. It's free.

Propaganda is the best term for this, and marketing is a close runner up. If they really want to team up and help stop attacks on computer systems, they can work with everyone else instead of creating a members-only club.

My karma's bigger than yours!

Secret Only If They Find Flaw First

[nestler]

This business of keeping security flaws secret amongst members of this "elite" group is hardly meaningful given that the bulk of security flaws in these companies' products are probably found by people who are outside of the group.

This policy will only matter in the event that someone within one of these companies is the first person to discover the flaw.

Given that many flaws will be found by people outside of this group, and that it only takes one source to leak a flaw, I doubt this supposed secrecy will be very secret.