Adam at Emergent Chaos writes:
Assessing alternate courses of history is inherently tricky. In this case, I think it would be useful to first ask whether there was a "festering secret" involved or not, or whether Aleph One really could have been one of the pioneers in buffer overflow research. Remember, the 70s and 80s were about building things and not breaking them, so recognizing the theoretical existence of the problem doesn't mean it was discussed or researched in any depth. Also, I don't think we can ignore the simple fact that distribution of information was much more difficult prior to the Internet.
Perhaps more important is the notion that secrecy results in (net) costs. A more objective economic assessment would measure both costs and benefits. I think 'anonymous geek' addresses this challenge well in the comments of Adam's post:
I believe that, practically speaking, there are an infinite number of ways to compromise systems, so exploits are the key to driving up costs. I don't believe that the period prior to Aleph One's paper had higher costs (due to buffer overflow exploits) than the period after its publication.