No subject

Fri Jul 8 22:00:42 PDT 2005

Q: In your book you outline 10 principles for writing secure software.
The fourth principle has to do with so-called "security by obscurity,"
which is how many people in the security community characterize the
DMCA (Digital Millennium Copyright Act).

A: If you think about the DMCA, there are the organizations like the
RIAA (Recording Industry Association of America) that are producing
content-protection mechanisms that do not work. And their solution,
instead of building ones that do work, is to pass a law forbidding
people from telling anyone why they don't work. It's a great example
of "The Emperor's New Clothes," and what we have done is outlaw the
little boy from saying that the emperor has no clothes.

Q: What's open source's role in the security-by-obscurity debate?

A: Open-source software is neither more nor less secure than
closed-source software. And the whole issue of whether open source is
more secure is a red herring. We have a chapter in the book about it.
Security by obscurity doesn't work. But just because you have your
source code sitting around in public doesn't mean someone's going to
do a free security review on it, either, which is what the open-source
guys think. That's wrong.

Q: People think that because you can look under its hood, open-source
software is more vulnerable to attack.

A: Incorrect. If I have executable code, I can decompile it, I can
disassemble it, I can poke it and prod it and steal all its little
secrets, just as if I had the source code. I don't need the source
code. But get this: The DMCA expressly forbids me from poking and
prodding and recompiling that. That's ridiculous. The DMCA should be

More information about the Free-sklyarov mailing list