Security through openness
- Internet dating services often advise first meeting in a public, crowded place.
- A million-dollar statue in the middle of an always-crowded room is safe from theft.
- Robbers avoid well-lit houses as they are more likely to be seen approaching them.
In computers, openness is used to solicit community feedback on security problems. This would seem to make software more vulnerable by making their interior known, akin to the a building's blueprints public. But this actually makes them more robust and useful, like a lock thousands have tried to pick and can modify themselves to make more secure. Of course, buildings are expensive to rebuild to fix inherant security problems but software is much easier to rewrite.
Several elements are important to security through openness:
How many people could see something amiss.
As it is so carefully looked over by a variety of developers daily, security problems are quickly found and repaired.
Conversely, sometimes to garner the attention of security-aware developers, they must first be popular. Open programs that have not been critiqued and tested are often flawed and broken as in the case with CIPE and VTun.
As in the example of a building's blueprints, something that cannot change once a vulnerability is found is not secure. A lock on a door can be replaced with a better lock. Software can be rewritten or patched.
Countries concerned with corporate loyalty to their home country are rarely available to purchasing software whose internals are not made open to them. This is why open source has become increasingly embraced on the International stage and in countries like North Korea and China who are wary of western interests. Other countries like Germany are worried about painful licensing issues.
Loss of Privacy
This type of Security Through Openness can lead to a loss of privacy. For instance: credit card freud; when you use cash you are obscure and difficult to track but when you purchase with your credit card, you are not. By knowing what you buy, your information is open to your credit card company so they can recognize out-of-character purchasing habits and block spending with your card. Because your credit card company now knows everything you buy in the interest of keeping you safe, you have sacrificed privacy for security.
Openness can be meaningless if no one is watching. This is often the case with open source projects that are presumed to be secure but if no one is monitoring the situation or actively searching for bugs, this can be difficult.
Issues Full Disclosure
A major issue in software development is how quickly and how much to tell users about security problems to both inform users so they may take advanced steps to prevent issues and pointing crackers to security issues.
Full disclosure can also be a legal minefeild. There is no clearly established way to point out a software bug to an organization that they will actually fix. Releasing a bug into the wild can force an organization or company to react but may also compromise other's security and may be ultimately be unethical.
Notably, OpenBSD - an extremely secure operating system - uses Full Disclosure as a policy in all its software.