There are two schools of thought when it comes to security. Some believe in security through obscurity while others believe in security through transparency. Lately, this argument has spilled out into the area of cyber crime legislation and reflects a given society's understanding of the nature of security (or lack thereof).
This argument used to be the domain of open source advocates arguing in favor of open software development versus the traditionalists who want a closed, controlled development environment where they can patent and copyright every idea that comes out.
Suppose we want a really good encryption algorithm to use in a secure device. Traditionally, we would lock the developers away in a secret location and let them develop it under strict non-disclosure agreements so that they are not allowed to talk to anyone about it.
Since there are only a limited number of developers, chances are there are some bugs in the system that have slipped through. When discovered, these bugs could compromise the system security and allow crackers (as opposed to hackers) to enter the system and wreak havoc. The only defense against these criminals is to hope and pray that the developers discover all the bugs and security holes before they do.
The perfect lock in this school of thought is one that works and is secure, but whose workings, and the ways it can be overcome, are known to nobody. Security is not just a function of the key, but is also dependent on keeping the inner workings of the lock secret.
On the other hand, security through transparency takes on a whole new point of view. Open-source development relies on the eyes and ears of a thousand different programmers who have access to the source code. With so many people working on it, chances are that someone, somewhere will spot the error and fix it. The perfect lock is one in which the workings are transparent and everyone can understand how it works, but one which relies on the key to be secure.
Prevent the Anarchy
There is a saying that if we outlaw guns, then only the outlaws will have guns. By the same token, the way cyber crime legislation is progressing in many developing countries, if mere attempts to break encryption are outlawed, then the security you are left with will be very rudimentary indeed. The crackers are not bound by the legal straitjacket that restricts real-world experimentation by the developers who designed the encryption. The result will be anarchy.
Take this hypothetical example. Suppose we have a certain government system that is supposed to be encrypted and secure. Suppose also that a bright security researcher has found a way to break into the system and change the details it contains. What then?
As things stand, should that hypothetical researcher say anything, even to warn the authorities, he would immediately be arrested for breaking into a government system and tampering with official documents -- currently a criminal offense. Trying to warn the authorities without proof would only be met with skepticism as the authorities naturally have an interest in claiming their system is a success.
So the bottom line is that because all attacks have been outlawed, even those attacks in the name of journalistic truth and security research, the security of the system we would have is minimal at best.
Pick Your Battle
Many countries, like Germany and Singapore, I am told, grant general amnesty on certain designated days for people to try to break into government systems. Without these open days, these governments would never know how secure their systems are in reality, and would have only their advisers and vendors to tell them they are secure.
Would it not be better to be told that your system is flawed by someone trying to make things right rather than a terrorist bent on damaging the country?
Even the most technologically advanced nation has been criticized; the United States Digital Millennium Copyright Act (DMCA) is said by many to be not well thought out, to put it mildly. For instance, Adobe's (Nasdaq: ADBE) Acrobat e-Book system was broken easily, yet instead of thanking the programmer for pointing out the relatively simple flaw and fixing it, they launched a lawsuit against him citing the fact that it is a criminal offense to try to break encryption. That lawsuit was quickly withdrawn once public opinion clearly indicated that everyone thought it was Adobe being silly, but the law being the law, today the matter is still in the courts.
The mentality of our leaders here in Thailand is no different. We have a smart ID card project that some experts have warned has seriously compromised security. Instead of listening and focusing on fixing these problems, these warnings have been ignored and the messenger overruled on political rather than technical grounds. Debate and factual discussion are shunned, while bureaucrats find excuses to legitimize these decisions rather than decide according to facts.
This is not how things should be. The brave new world we are entering should be one where technology liberates, not one where technology is used to reinforce the limitations of old.