another big lie: obscurity == security

I was doing some research today, keeping up on new developments in HIPAA compliant software. (HIPAA is U.S. law which regulates the portability, privacy and security of healthcare information)

On the site of a software company that is selling a "secure email system" that they claim is HIPAA compliant, I found the following completely ignorant statement about the relationship between security and free/open source software

"Why does SafetySend use Proprietary Code and Technology?
Because any code or technology that can be purchased is vulnerable. Generic security codes and technology is is considered 'at risk' because of its shared accessibility. SafetySend code and technology is exclusive and not sold or shared. If you can buy security technology, it can be compromised."

This is completely false and misleading.

Before I continue to rant, let me explain that there are two ways of looking at digital security: Security by obscurity or Security by design.

SafetySend believes that there product is secure because the code is kept secret (security by obscurity). There could be very serious holes, but they think that by keeping prying eyes away from the code that no one could ever figure out where the holes are. History has shown that keeping something secret rarely works to keep it secure.

The security by design camp believes that by releasing code for frequent and open auditing, code can truly be made secure. It is not a failure when a security hole is found via such an audit, it is part of the process, it is a good thing as it allows for that hole to be patched.

Technologists have to assume that the entire design of a security system is known -- at least to those that want to compromise your system. The only piece of data that must remain private is the cryptographic key, which also should be easy to regenerate from time to time (and not be a hard-coded part of the application).

Releasing code does not automatically mean it is vulnerable -- any code is vulnerable. The issue is how you handle that reality.

Think of it as the difference between hiding under your bed because you are afraid someone might pick your lock and learning how to pick locks (or hiring a locksmith that knows how to pick locks) to test and make sure your locks are secure.

When security related code is released in Free/Open Source Software, the developers explicitly deny the ideas of security through obscurity, we must design secure code. It has been argued that this publication of source code can actually improve security because the code can be peer-reviewed by anyone.

The end result is that bugs are found and fixed, instead of hidden. Many security holes that are ignored, for example, in proprietary operating systems have been found, published and patched in Linux. This is not despite the open nature, but due to the open nature of the code that it becomes more secure.

PGP is a publicly published codebase for encryption. The fact that it is public has not changed its status as a military grade encryption tool. The argument put forth by the folks at SafetySend to sell their product is completely false.

Keeping insecure code private does nothing to make it more secure or less vulnerable.


Every once in a while I find myself talking with a vendor who thinks they'll get anywhere by pulling that particular batch of wool over my eyes and it really pisses me off.

Too many organizations are overwhelmed by anxiety about security and don't really understand the difference between obscurity and real security. In my experience, many organizations also get stuck on the difference between open source software and publishing data for the world to see. I usually go back to the same lock analogy: security by obscurity means that you're relying on the lock-maker to be telling the truth (this lock is secure. trust me.) where as a free and open source lock, by necessity, is available for scrutiny. I can look over the lock design, take the lock apart and study its inner workings: if I do the leg work, I can *know* that this is a well designed lock. I'm not leaving it to trust.