Can’t We All Just Get Along?


    Just overnight an, um, discussion has erupted online among people I really, really like — Chandler Howell, Mike Rothman, and a few others. They are discussing “vulnerability disclosure” and the concept of obscurity.

    Kind of. The disagreement has to do with something entirely different.

    On Obscurity

    This is one of my least favorite InfoSec topics. Why? Because we (myself included — at least before I was trained on FAIR) allow our common sense and logic to be slaves to paranoia and “the possible.” Anyone who claims that there is such a thing as “Security through Obscurity” seems to be castigated until they recant. This is, of course, nonsense. In the past, I’ve brought up piecemeal examples (Blackbeard’s treasure) of how obscurity can be an effective control. Let me try to put this in FAIR terms for us:

    An attacker, in order to attack you, must have contact with you (contact can be intentional, random, or regular) and then the ability to attack you. Obscurity is a way to limit contact. Simple, right?

    In fact, however, when we say with absolute certainty that obscurity is not an effective control, and then advocate encryption with enthusiasm — we’re contradicting ourselves.

    That Empty Feeling, or, Why Such Strong Opinions About Disclosure

    In reading the discourse between Mike and Chandler, both of whom I consider my online friends, neither of them leaves me with any feeling of satisfaction or resolution. There is a reason for this. Both are ignoring the relative nature of risk tolerance. Chandler’s risk tolerance seems pretty low when it comes to his familial assets (and rightly so). So he’s less than thrilled about the fact that his home may have less Control Strength than is needed to thwart a threat. Mike, who I’m sure is loved no less, has a higher risk tolerance.

    When our scanner picks up a weakness, or something is released to the world without a patch/fix — the “obscurity” debate rages because we all have different risk tolerances, and even different risk tolerances concerning the specifics around the object of weakness.

    Risk Tolerance, The Obscurity Debate, and Vendor Relations

    Some folks say that we need/have a right to know the moment a weakness is found. Others say that depending on factors, it may make sense to “obscure” that fact by keeping it secret until a patch, fix, or other control is found. The impetus for this difference is risk tolerance.

    So the question isn’t whether or not a vendor has an obligation to tell the world that there is a bug in their wireless drivers. The question is: should a vendor respect all ranges of risk tolerance in their entire customer population, or simply ignore the most paranoid in favor of taking advantage of the extra control strength obscurity provides?

    Your comments and thoughts, as always, are very welcome.


    2 comments

    1. Johnny Nov 4

      Obscurity may indeed provide some relative safety but it sure is hard to make a buck when no one knows you exist.

    1. Security Insights Blog » Security, Obscurity, Lock Picking and Risk Management
