free/libre & open source software and when disclosure helps security peter p. swire ohio state...
TRANSCRIPT
Free/Libre & Open Source Free/Libre & Open Source Software and When Software and When Disclosure Helps SecurityDisclosure Helps Security
Peter P. SwirePeter P. SwireOhio State UniversityOhio State UniversityWestern Ontario: “Free/Libre and Open Source Western Ontario: “Free/Libre and Open Source Software as Democratic Principle”Software as Democratic Principle”April 7, 2007April 7, 2007
Dueling SlogansDueling Slogans
Open Source mantra: “No Security Through Open Source mantra: “No Security Through Obscurity”Obscurity” Secrecy does not work (or at least we Secrecy does not work (or at least we
shouldn’t depend on it)shouldn’t depend on it) Disclosure is good (“virtuous”)Disclosure is good (“virtuous”)
Military motto: “Loose Lips Sink Ships”Military motto: “Loose Lips Sink Ships” Secrecy is essentialSecrecy is essential Disclosure is bad (“treason”)Disclosure is bad (“treason”)
Both can’t be true at the same timeBoth can’t be true at the same time
OverviewOverviewThree papers complete, at Three papers complete, at www.ssrn.comwww.ssrn.com, search “Swire”, search “Swire”1. A model for when each approach is correct -- assumptions 1. A model for when each approach is correct -- assumptions
for the Open Source & military approachesfor the Open Source & military approaches Key reasons computer & network security often differ Key reasons computer & network security often differ
from earlier security problems and favor disclosurefrom earlier security problems and favor disclosure2. “A Theory of Disclosure for Security & Competitive 2. “A Theory of Disclosure for Security & Competitive
Reasons: Open Source, Proprietary Software, and Reasons: Open Source, Proprietary Software, and Government Agencies” Government Agencies” Incentives for secrecy & openness to be used, even in Incentives for secrecy & openness to be used, even in
Open Source, for both security and competitive reasonsOpen Source, for both security and competitive reasons3. “Privacy & Information Sharing in the War Against 3. “Privacy & Information Sharing in the War Against
Terrorism”Terrorism”All concern when disclosure helps securityAll concern when disclosure helps securityWe can identify where openness most likely to succeedWe can identify where openness most likely to succeed
I. Model for When Disclosure I. Model for When Disclosure Helps SecurityHelps Security
Identify chief costs and benefits of Identify chief costs and benefits of disclosuredisclosure Effect on attackersEffect on attackers Effect on defendersEffect on defenders
Describe scenarios where disclosure of a Describe scenarios where disclosure of a defense likely to have net benefits or costsdefense likely to have net benefits or costs
Utilitarian in approachUtilitarian in approach Economics & computer security, not lawEconomics & computer security, not law
Open Source Perspective & DisclosureHelps Defenders
Attackers learn little or nothing from public Attackers learn little or nothing from public disclosuredisclosure
Disclosures prompts designers to improve Disclosures prompts designers to improve the defense -- learn of flaws and fixthe defense -- learn of flaws and fix
Disclosure prompts other defenders/users Disclosure prompts other defenders/users of software to patch and fixof software to patch and fix Net: Costs of disclosure low. Bens high.Net: Costs of disclosure low. Bens high.
[This is not a discussion of proprietary v. [This is not a discussion of proprietary v. FLOSS – focus is on when disclosure FLOSS – focus is on when disclosure improves security]improves security]
Military Base & DisclosureMilitary Base & Disclosure Helps Attackers Helps Attackers
It is hard for attackers to get close enough It is hard for attackers to get close enough to learn the physical defensesto learn the physical defenses
Disclosure teaches the designers little Disclosure teaches the designers little about how to improve the defensesabout how to improve the defenses
Disclosure prompts little improvement by Disclosure prompts little improvement by other defenders. other defenders. Net: Costs from disclosure high but few Net: Costs from disclosure high but few
benefits. benefits.
First Paper: Effects of DisclosureFirst Paper: Effects of Disclosure
Low Help Attackers HighLow Help Attackers High
Open Source:Open Source:
““No security throughNo security through
obscurity”obscurity”
Military/Intel:Military/Intel:
““Loose lips sink Loose lips sink ships”ships”
Hel
p D
efen
ders
Low
H
igh
Effects of Disclosure -- IIEffects of Disclosure -- II
Military/Military/
IntelligenceIntelligence
Public DomainPublic Domain
Information Information
SharingSharing
Open SourceOpen Source
Low Help Attackers HighLow Help Attackers High
Hel
p D
efen
ders
Low
H
igh
Why Computer & Network Systems Why Computer & Network Systems More Often Benefit From DisclosureMore Often Benefit From Disclosure
Hiddenness & the first-time attackHiddenness & the first-time attack N = number of attacksN = number of attacks L = learning from attacksL = learning from attacks C = communicate with other attackersC = communicate with other attackers
Hiddenness helps for pit or for mine fieldHiddenness helps for pit or for mine field Hiddenness works much less well forHiddenness works much less well for
Mass-market softwareMass-market software FirewallsFirewalls Encryption algorithmsEncryption algorithms
What Is Different for Cyber What Is Different for Cyber Attacks? Attacks?
ManyMany attacks attacks Each attack is low costEach attack is low cost Attackers learn from previous attacksAttackers learn from previous attacks
This trick got me root accessThis trick got me root access Attackers communicate about Attackers communicate about
vulnerabilitiesvulnerabilities Because of attackers’ knowledge, Because of attackers’ knowledge,
disclosure often helps defenders more disclosure often helps defenders more than attackers for cyber attacks than attackers for cyber attacks
III. Incentives to DiscloseIII. Incentives to Disclose
““A Theory of Disclosure for Security & A Theory of Disclosure for Security & Competitive Reasons: Open Source, Competitive Reasons: Open Source, Proprietary Software, and Government Proprietary Software, and Government Agencies”Agencies” SecuritySecurity reasons to disclose or not reasons to disclose or not CompetitiveCompetitive reasons to disclose or not reasons to disclose or not Actual disclosure is a function of bothActual disclosure is a function of both Distinct models needed to analyze security & Distinct models needed to analyze security &
competitive incentivescompetitive incentives
ProducerProducer SecuritySecurity CompetitionCompetition
Open Open SourceSource
Ideologically open;Ideologically open;
Some “secret sauce”Some “secret sauce”
(Case 1)(Case 1)
Ideologically open;Ideologically open;
Apparently high use Apparently high use of trade secretsof trade secrets
(Case 2)(Case 2)
ProprietaryProprietary
SoftwareSoftware
Monopolist on source Monopolist on source code; disclosure code; disclosure based on monopsony based on monopsony and market power and market power (Case 3)(Case 3)
Monopolist on source Monopolist on source code; disclosure code; disclosure based on how open based on how open standards help profits standards help profits (Case 4)(Case 4)
GovernmentGovernment Information sharing Information sharing dilemma (help dilemma (help attackers & attackers & defenders); public defenders); public choice model (Case choice model (Case 5)5)
Turf maximization, Turf maximization, e.g., FBI vs. local e.g., FBI vs. local police for the credit police for the credit (Case 6)(Case 6)
Case 1: Open Source/SecurityCase 1: Open Source/Security
By ideology, by definition, & under licenses, open source By ideology, by definition, & under licenses, open source code is viewable by allcode is viewable by all
Based on interviews, secrecy still used:Based on interviews, secrecy still used: For passwords and keysFor passwords and keys ““Stealth firewalls” and other hidden features that are Stealth firewalls” and other hidden features that are
not observable from the outsidenot observable from the outside ““Secret sauce” such as unusual settings and Secret sauce” such as unusual settings and
configurations, to defeat script kiddiesconfigurations, to defeat script kiddies In short, rational secrecy is used to foil first-time and In short, rational secrecy is used to foil first-time and
unsophisticated attacksunsophisticated attacks
Case 2: Open Source/CompetitionCase 2: Open Source/Competition
Interviews with O.S. devotees, they smile and Interviews with O.S. devotees, they smile and admit that they don’t publish their best stuff – admit that they don’t publish their best stuff – what’s going on?what’s going on?
Stay six months ahead of the curve – a form of Stay six months ahead of the curve – a form of trade secretstrade secrets
UsersUsers and widgit manufacturers won’t want to and widgit manufacturers won’t want to disclose their internal software activitiesdisclose their internal software activities
Open Source/CompetitionOpen Source/Competition
Services dominate over products in many Open Source Services dominate over products in many Open Source business modelsbusiness models
Systems integrators: “We take very valuable OS Systems integrators: “We take very valuable OS software, and build it into a suite of services that is event software, and build it into a suite of services that is event more valuable”more valuable”
GPL 2.0 applies to any work “distributed or published”, GPL 2.0 applies to any work “distributed or published”, but not to services provided by one companybut not to services provided by one company
Conclusion: trade secrets used in services have become Conclusion: trade secrets used in services have become a key competitive toola key competitive tool Consistent with IBM and other major players’ services Consistent with IBM and other major players’ services
activitiesactivities
Case 2: Open Source/CompetitionCase 2: Open Source/Competition
Debate on GPL 3.0Debate on GPL 3.0 Apparent defeat of earlier proposal to require Apparent defeat of earlier proposal to require
publishing of code used internallypublishing of code used internally Services companies (including large commercial Services companies (including large commercial
players) sticking with secrecy of their “non-distributed” players) sticking with secrecy of their “non-distributed” GPL 2.0 software to protect their trade secrets and GPL 2.0 software to protect their trade secrets and business modelsbusiness models
Case 3: Proprietary/SecurityCase 3: Proprietary/Security
Initially, the owner of closed-source software is in a Initially, the owner of closed-source software is in a monopoly position about flaws in the software it wrotemonopoly position about flaws in the software it wrote
An externality leads to under-disclosure: software An externality leads to under-disclosure: software company loses reputation and risks liability with disclosure company loses reputation and risks liability with disclosure but harm on the 3but harm on the 3rdrd party user party user This description was likely more true several years ago, This description was likely more true several years ago,
before computer security was so importantbefore computer security was so important Size of externality depends on the degree to which the Size of externality depends on the degree to which the
seller’s reputation suffers due to security flawsseller’s reputation suffers due to security flaws Over time, outside programmers gain expertise, the 1Over time, outside programmers gain expertise, the 1stst
party loses its monopoly position in knowledge about party loses its monopoly position in knowledge about vulnerabilities, & reputation effect is greatervulnerabilities, & reputation effect is greater
Case 3: Proprietary/SecurityCase 3: Proprietary/Security
What pressures force disclosure of vulnerabilities?What pressures force disclosure of vulnerabilities? Large buyers, who have a taste to know the code in Large buyers, who have a taste to know the code in
their systemtheir system Especially governments, who can (and do) require Especially governments, who can (and do) require
disclosure of vulnerabilities (Air Force)disclosure of vulnerabilities (Air Force) To the extent there is competition based on software To the extent there is competition based on software
security, then disclosure may be profit-maximizingsecurity, then disclosure may be profit-maximizing Over time, have seen substantially greater openness Over time, have seen substantially greater openness
about vulnerabilities in proprietary softwareabout vulnerabilities in proprietary software
Case 4: Proprietary/CompetitiveCase 4: Proprietary/Competitive
Hidden source code as a trade secret and Hidden source code as a trade secret and possible competitive edgepossible competitive edge
Countervailing incentive to have at least partly Countervailing incentive to have at least partly “open standards” in order to get broad adoption, “open standards” in order to get broad adoption, network effects, & first-mover advantagenetwork effects, & first-mover advantage At least share with developers & joint venturesAt least share with developers & joint ventures Complex game theory on when to be openComplex game theory on when to be open
Open Source & ProprietaryOpen Source & Proprietary
Greater secrecy in Open Source than usually recognizedGreater secrecy in Open Source than usually recognized Secret sauce for securitySecret sauce for security Trade secrets in servicesTrade secrets in services
Greater openness in proprietary than usually recognizedGreater openness in proprietary than usually recognized Large buyers, governments, reputationLarge buyers, governments, reputation Financial gains from at least partly open standardsFinancial gains from at least partly open standards
Convergence of the two approaches when it comes to Convergence of the two approaches when it comes to disclosure?disclosure?
Case 5: Government/SecurityCase 5: Government/Security
Summary – incentives for government to Summary – incentives for government to disclosure often weakdisclosure often weak
Unclear when to do information sharing:Unclear when to do information sharing: Disclosure helps both attackers & defendersDisclosure helps both attackers & defenders 11stst party wants to share only with trusted third party wants to share only with trusted third
partiesparties Other 3Other 3rdrd parties may want/need information parties may want/need information
to protect their own systems/jurisdictionsto protect their own systems/jurisdictions Examples such as terrorist watch lists, terrorist Examples such as terrorist watch lists, terrorist
modes of attack, alerts based on intelligencemodes of attack, alerts based on intelligence
Case 5: Government/SecurityCase 5: Government/Security
Not good market mechanisms for disclosureNot good market mechanisms for disclosure Thus a rationale for legal rulesThus a rationale for legal rules
FOIA to create transparency, including risks to FOIA to create transparency, including risks to communitiescommunities
Executive Orders & congressional mandates Executive Orders & congressional mandates to encourage information sharingto encourage information sharing
Case 6: Government/CompetitiveCase 6: Government/Competitive
Widespread view that law enforcement & Widespread view that law enforcement & intelligence agencies hoard dataintelligence agencies hoard data Most famously, the FBI has not shared with Most famously, the FBI has not shared with
localslocals Hoarding can protect turf – others can’t use it Hoarding can protect turf – others can’t use it
against the 1against the 1stst party (the agency) party (the agency) Hoarding can garner credit with stakeholders Hoarding can garner credit with stakeholders
– the arrest, the correct intelligence analysis– the arrest, the correct intelligence analysis Again, FOIA and Information Sharing mandates Again, FOIA and Information Sharing mandates
can seek to counter-act excessive secrecycan seek to counter-act excessive secrecy
Implications for FOSS & GovernmentImplications for FOSS & Government
Descriptive project – large zone where have a Descriptive project – large zone where have a credible claim for security in Open Source credible claim for security in Open Source approach to softwareapproach to software Openness much more likely to help security for Openness much more likely to help security for
software than for physical securitysoftware than for physical security Areas where claim for Open Source security are Areas where claim for Open Source security are
less strongless strong Nuclear launch codes – few codersNuclear launch codes – few coders First-time attacks – secrecy helpsFirst-time attacks – secrecy helps Vulnerabilities that can’t be fixed – obscurity may be Vulnerabilities that can’t be fixed – obscurity may be
the best among imperfect strategiesthe best among imperfect strategies
ConclusionsConclusions
Goal of describing when disclosure is Goal of describing when disclosure is societally optimal – does it help or hurt societally optimal – does it help or hurt securitysecurity
Goal of describing incentives, for OS, Goal of describing incentives, for OS, proprietary, and governmentproprietary, and government
I hope you can apply this to your setting, I hope you can apply this to your setting, to see when each approach is most likely to see when each approach is most likely to achieve securityto achieve security