Fizzz mentioned this paper that points out that the security through obscurity debate can be moved to the TCPA field.
The author argues that TCPA, and DRM enabled platform en general, will essentially squeeze open source initiatives out of the security equation.
At least that’s what I can get from a quick diagonal read. I’ll re-read during daytime.
Interesting. If I discount the math, (which was presumed correct, due to my love of math and Sleeman Pale Ale) this paper is worth a read.
« A vendor of proprietary software may have exogenous reasons for not making source code available (a common argument is that he might fear an avalanche of vexatious lawsuits by people holding software patents with no intrinsic merit but who hope to extract a settlement by threatening expensive litigation). Then a straighforward economic analysis can in principle tell us the right time to roll out a product for beta testing. Alpha testers are more expensive, being paid a salary; as time goes on, they discover fewer bugs and so the cost per bug discovered climbs steadily. At some threshold, perhaps once bug removal starts to cost more than the damage that bugs could do in a beta release product, alpha testing stops. »
even better:
« Information security is about money and power; it’s about who gets to read, write, or run which file. The economics of information goods and services markets is dominated by the establishment and defence of monopolies, the manipulation of switching costs, and the control of interoperability »
The paper then drifts into TCPA-land: « Worse, while at present it can be slightly tiresome for a Linux user to read Microsoft format documents, under TCPA Mi- crosoft can prevent this completely: rather than messing around with file formats so that existing competitor products have to be upgraded before they can read them, Microsoft (or any other application owner) can cause data to be encrypted using TCPA keys whose export they control completely. »
It wraps up with: « The debate about open versus closed systems started out in the nineteenth century when Auguste Kerckhoffs pointed out the wisdom of assuming that the enemy knew one’s cipher system, so that security could only reside in the key. It has developed into a debate about whether access to the source code of a software product is of more help to the defence, because they can find and fix bugs more easily, or to attackers, because they can develop exploits with less effort. »
And « Even if data standards achieve `XML heaven’ of complete openness and interoperability, the layer of control will shift elsewhere. Instead of being implicit in deviously engineered file format incompatibilities, it will be overtly protected by storng cryptography and backed up by the legal sanctions of DMCA. Although TCPA is presented as a means of improving PC security and help- ing users protect themselves, it is anything but. »
I love it when engineers and lawyers can agree on an issue with different sets or arguments. It makes the point feel so much stronger.