Last issue I was philosophizin’ about security failures in complex systems, a topic triggered by a reader asking whether full, i.e. public, disclosure of security vulnerabilities was a better strategy than trying to keep the security holes secret.
I began by pointing out that the most common state of knowledge about a specific way a computer system or network can be exploited — a security hole — is when both the good guys and the bad guys don’t know about it.
So, what of the other situations? There are three states that both the good guys and the bad guys can be in regarding any specific hole: The entire group knows about the hole, some of the group knows, or none of the group knows.
An important point is that for any given hole the group goes from no one knowing about it through some of the group knowing to all of the group knowing. So, when none of the good guys know about a hole but some of the bad guys know, then the good guys are at risk.
But here’s an important issue: The situation where all of the bad guys know but none of the good guys know or vice versa — all of the good guys and none of the bad guys know — can never happen because knowledge of holes spreads so quickly. Once some percentage of either group knows, the knowledge is pretty much guaranteed to percolate through both sides of the community.
Imagine this: Draw a table with the columns, reading from left to right, showing none of the good guys knowing, then some, then all of them, while the rows — reading from bottom to top — showing none of the bad guys knowing, then some, then all knowing. First of all you can never logically have all of either group knowing about a particular hole if all of the other group does not know; as I said earlier, knowledge about holes will naturally diffuse through the population.
This means that after some subset of either group knows about a hole, before all of that group knows at least some of the other group will know. Let me say it another way: If, for example, some good guys find a hole then by the time they have told all of the other good guys at least some of the bad guys will know too, and vice versa.
The table shows us that there are three cases where the good guys have minimized their risk: The case from last week where no one in either group knows of the hole (which of course we can ignore because, a priori, no one knows about these vulnerabilities), where just some of the good guys know but none of the bad guys do, and where everyone in both groups knows.
This leaves two cases where the good guys are exposed: Where some bad guys but no good guys know, and where only some guys in both groups know.
So, what can we conclude from this? I’d suggest that efforts to keep tabs on the bad guys — surveillance, if you will — is essential to provide early warning of holes that the bad guys might know of or be using.
That said, the most important conclusion I draw is that when just some good guys know of a hole they need to make sure the rest of the good guys know. The greatest advantage is found where all of the good guys know and have good defenses. To put that another way, full disclosure is the best path to community safety.
