I disagree with the answer.
The correct answer is that THIS IS FREAKIN' KERCKHOFF'S PRINCIPLE FROM 1880!!!!!!! Seriously, at some point we have to point out YOUR CONCERN WAS ADDRESSED OVER 100 YEARS AGO!!!!
The correct answer is that THIS IS FREAKIN' KERCKHOFF'S PRINCIPLE FROM 1880!!!!!!! Seriously, at some point we have to point out YOUR CONCERN WAS ADDRESSED OVER 100 YEARS AGO!!!!
https://twitter.com/joshcorman/status/1400184808601534464
Yes, yes, we can't apply this principle has a clichéd response to every question (as some people do). But at the same time, we can apply it where it's clearly appropriate, such as in this case.
The naive believe we need to hide the details of how things work, in the name of security, so that the attacker doesn't know the details.
Kerckhoff's principle is that the attacker can figure out these details anyway, that you are doing much less than you think to hinder them.
What you are doing instead is hiding the details from your friends, who would otherwise be able to point out of the flaws in a system.
SBOM has many problems, but the one problem is doesn't have is the benefits of transparency. Such transparency so that customers (in particular) and the public (in general) know the components of a system is a net improvement in security -- according to over 100 years experience.
Even if you reject transparency-for-cybersecurity, it's the same thing as transparency-for-government. It's why we have FOIA, accountability for spending, election finance laws, and so on: security comes from transparency not secrecy.
The fact that transparency helps defenders more than attackers has been the repeated observation in cybersecurity since the 1880s. I shouldn't have to yet again defend this principle in 2021.
Now I hate clichés. Maybe you have a more sophisticated argument that I'm strawmanning into this argument. But so far, in regards to SBOMs, with criticism from those like Oracle, I haven't found the more sophisticated argument.
Oracle is a shittastic company. They reject transparency because they don't want their competitors to know all the components of their system. I suspect they reject transparency to hide their violations of the GPL.
These are all good reasons to reject transparency. Cybersecurity isn't some moral imperative that overwhelms other concerns, such as protection of trade secrets. But people don't like to argue thusly, so they pretend they are arguing about something else.
Thus, the argument "transparency leads to insecurity" isn't even serious to begin with, they are really meaning "transparency reveals our trade secrets".
Note that I'm happy for closed-source software companies like Oracle to protect trade secrets. I'm not criticizing them for that. I'm criticizing them for the dishonest and unprincipled "transparency is bad for security" argument. Bad argument is bad.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
