Schneier on Security
A blog covering security and security technology.
« TSA Removing Rapiscan Full-Body Scanners from U.S. Airports |
| Google's Authentication Research »
January 22, 2013
Thinking About Obscurity
This essay is worth reading:
Obscurity is the idea that when information is hard to obtain or understand, it is, to some degree, safe. Safety, here, doesn't mean inaccessible. Competent and determined data hunters armed with the right tools can always find a way to get it. Less committed folks, however, experience great effort as a deterrent.
Online, obscurity is created through a combination of factors. Being invisible to search engines increases obscurity. So does using privacy settings and pseudonyms. Disclosing information in coded ways that only a limited audience will grasp enhances obscurity, too. Since few online disclosures are truly confidential or highly publicized, the lion's share of communication on the social web falls along the expansive continuum of obscurity: a range that runs from completely hidden to totally obvious.
Many contemporary privacy disputes are probably better classified as concern over losing obscurity. Consider the recent debate over whether a newspaper violated the privacy rights of gun owners by publishing a map comprised of information gleaned from public records. The situation left many scratching their heads. After all, how can public records be considered private? What obscurity draws our attention to, is that while the records were accessible to any member of the public prior to the rise of big data, more effort was required to obtain, aggregate, and publish them. In that prior context, technological constraints implicitly protected privacy interests. Now, in an attempt to keep pace with diminishing structural barriers, New York is considering excepting gun owners from "public records laws that normally allow newspapers or private citizens access to certain information the government collects."
The essay is about Facebook's new Graph search tool, and how its harm is best thought of as reducing obscurity.
Posted on January 22, 2013 at 5:23 AM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
As author Michael Pollan has pointed out out, American laws against opium poppies are predicated almost entirely on obscurity. Whether or not you are aware of the possibility of opioids being extracted from the plants can make the difference between your being treated as an innocent gardener or a drug manufacturer (subject to having your property forfeited without trial):
Barriers - An argument has been made by the police/prosecutors, that since there is no law forbidding the police from following someone around, that they can, legally without a warrant, use a gps tracker to do the same thing.
Having a policeman follow someone around costs a lot, using a gps tracker to record their movements costs very little. The cost barrier prevented this from happening in the past, but should it be made illegal to use a gps or other automated tracking device without a warrant?
Glad I got off FB. "Security by obscurity" got a very bad name back in the nineties with bugfinders making a point (Mudge, Dildog, etc)... but in physical and everyday security it is very much a truism if you consider keeping your mouth shut is security by obscurity.
Ultimately, however, there are no secrets, unless Jesus is dead wrong. :O (Ka Bang you guys trusting in your sealed lips and bad deeds. Yay for you guys quietly doing good painfully so and not getting credit for it.)
That does not mean we should take a *** in public. :)
Nakedness is nakedness...
And yes your non-literal nakedness is ugly too. :-)
"Two may keep a secret if one if them is dead" -Ben Franklin
To continue with the train of thought started by rob at January 22, 2013 7:03 AM said:
There is also the issue of "being observed in public", where there is no expectation of privacy, to having one's movements recorded and stored for an indefinite amount of time.
1) It's one thing is a cop sees me at location A at time X. Nobody objects to this.
2) It's another thing if a cop has to put in the effort, expense, and time to follow me going from A at time X to B at time Y.
n) And it's another thing if law enforcement can create and compile a database showing everywhere I've been and gone for the past 20 years.
And that, boys and girls, is how the slippery slope led to a Stasi-like surveillance state.
Publishing the names and addresses of gun license holders has happened in several other states, generally resulting in legislation to close the records. Ohio wound up with an interesting solution--you can go to the sheriff's office and ask if John Doe has a license, but you can't write anything down while in the office.
Similar reaction was to Shodan the search engine that lists previously obscure scada systems that are misconfigured or open.
Weev's federal indictment was literally the govt angry response to finding obscure info by manipulating public htmls. The court never really had a chance to hear about how easy and wide open to the public his 'crime' was they only heard cyber terrorist from the prosecutor and panic convicted
Another example are exam grades. They used to be published in a board so everyone could read their grade (and peek at classmates). Now when they are published in the Internet, they are restricted within a personal account to prevent aggregation by third parties.
But this new restriction prevents snooping into other people, which used to be interesting to have an idea of "across the board" averages and even a casual control of corruption ("Hey, how's this one received an A if we all know he's the dork of the classroom?"
Ironically if states actually cared about gun safety publicly available information on gun owners would allow members of the public to continually audit gun owners in regards to their legal status. First if you know that someone has some sort of disqualification you can report it to police, but you can also check the database to determine if a specific gun owner has properly registered his or her weapons. Criminals would know which homes not to rob which would fulfill a deterrent effect and parents could prevent their children from staying over in homes with a firearm which would further prevent unsafe situations.
By curbing access to such information New York State probably did more to hinder firearms safety than all the new restrictions did to promote it.
Obscurity is almost precisely how hard it is to run certain searches. Not computationally, but in wall-clock time (or person-hours) from deciding to do the search to getting a result. With a side order of who gets informed about the search.
About 20 years ago, a court clerk (don't remember which county) gave a talk about putting records online, and said that pretty much the first search someone did after probate records in his county went live was "Home addresses of female beneficiaries over 65 in cases of estates over $250,000." It wasn't just the ease of doing the search but also the fact that the searcher didn't have to endure scrutiny.
I'm not sure how much damage Graph Search will truly do to StO, namely because the entire point of 'social' information is that it is not obscure. You post it because you want it to be available to at least someone, and it is at least my presumption that Facebook will have measures in place to allow you to hide that information from those who wouldn't have access to it in the first place (to be honest, I'm still a little vague, as a non-Facebook user, as to whether Graph Search only uses your 'friends' information or everyone's, the article seems to point to the former, but that seems like too limited a data set). This isn't the same thing as frilly straw enthusiasts (yes, XKCD) being comfortable what they post about themselves on a board because that community is so small that the said information becoming easily findable to anyone is minimal. Putting information on Facebook is inherently an act of public distribution.
StO in a stricter sense then as a metaphor for privacy is of course also a strange topic because it's been shown to be unnecessary, but it still has benefits and I am quite happy with the apparent gravitation of security away from Security through Correctness to StO and Security through Isolation (the group making Qubes is doing some great work in that department, for instance).
Similar situation in Washington state over anti gay rights.
Essentially, the state legalized gay marriage then conservatives got petition signatures to overturn it, and the "pro" folks tried to put the list of signers on an easily searchble web site.
I think there will need to be changes in whatis considered public data or how it is disseminated.
It's actually: "Three can keep a secret if two of them are dead."
"Criminals would know which homes not to rob which would fulfill a deterrent effect and parents could prevent their children from staying over in homes with a firearm which would further prevent unsafe situations."
You're kidding, right? Criminals _who want to steal guns_ would know exactly which houses to rob! At least two gun owners on that list had their guns stolen after the publication of the list.
Regarding "children staying over in homes with a firearm", why would knowing whether they own a firearm have anything to do with whether you trust someone enough to let your children stay overnight in their house? If you don't know them well enough to trust them with your children's safety, maybe you shouldn't be trusting them with your children's safety, gun owner or no gun owner. And if you do know them and trust them, your children might actually be safer: statistics show that on average, gun owners are more law-abiding than the overall population.
This is the flip-side of the "democritization of information" on the web, and even this flip side has its benefits. Once upon a time, only "advanced stalkers" knew how to get this stuff, but now search engines make it available to practically everyone. Because of this, we're becoming more concerned. As we find better ways to protect information, we may also be closing at least some of those loopholes once exploited by the few aforementioned stalkers.
(I'll use "advanced stalker" to cover the guy looking for rich widows, as well as the more normal definition.)
I think there's some irony in the gun owners' complaints in this matter. Guns are for the protection of lives, not property, and the guns themselves are property.
Publishing these names acts as a deterrent against home invasions, which are the "go-to" scenario when describing the advantages of gun ownership for self-defense.
So while gun owners' property is perhaps more at risk, their lives are arguably better protected, since any burglar using this list will first be very sure that the home is unoccupied.
If these gun owners are responsible, these guns will be securely stored (i.e. gun safe bolted to the floor) when they are not on the premises, and theft (of the firearms) won't be an issue.
Guns are for the protection of everything worth protecting. If you feel the need to violate my rights, I may feel the need to shoot you.
About warrant-less GPS tracking...along with the fact that infringing on our freedoms for the govt should be difficult (ie warrant) there is also the consideration that in many places hidden cameras are illegal without signs stating they are in use. This is to prevent your privacy from being violated without your knowledge.
Similarly, if a cop follows you everywhere you have a good chance to know your privacy is being violated. If you are tracked via hidden GPS or spy satellite you do not.
@CaptianObvious The moral justification for individual use of deadly force is only for protection of life itself. By crossing over into using deadly force to protect "stuff", you are placing yourself on par with those who use force to take "stuff": the strong-arm thief or mugger. You speak or protecting rights, but in response to a comment on the taking of property (the guns themselves).
ObSpeciousLegalArgument: This is why it's important to shoot the burglar on his way in, rather than in the back on his way out ...
Re: tracking ... I'm amazed how many people are giving up GPS tracking data for lower insurance rates, straight to a corporation that will certainly cooperate, or at least respond to weak subpeonas (everyone travelling northbound on Main past 2nd, within 5 minutes of the bank robbery ...)
@ATexasResident given your "only for protection of life itself" justification for the use of deadly force, it's not much of a stretch to justify shooting someone who is stealing a gun, since the primary purpose of a gun is to jeopardize life.
Interesting thought. We've had these discussions plenty on this blog. Some times obscurity by itself meets one's goals. For secure systems/networks, I prefer to combine good security engineering practices with obscurity. The obscurity complicates things for the enemy. Rather than guaranteed fire-and-forget malware, they must risk detection trying to take each step toward their goal. It's proven itself in practice for almost a decade now.
@ Nick P,
We've had these discussions plenty on this blog
Yes we have and nearly always as little snippets here and there towards the end of one of Bruce's posts.
Some times obscurity by itself meets one's goals.
Bruce has brought this up before but when analysed it usualy turns out to be,
1, A one off,
2, in the physical world,
3, with a high degree of preceadiing secrecy
4, carried out by trusted people.
Such as sending a high value item via an unknown route etc using a security carrier that specialises in such operations.
Now if you look at those points it starts to be clear why obscurity is rarely used as a physical world security mechanism and why it's a non starter for most of InfoSec.
Firstly it's entirely reliant on secrecy.
Secondly it's entirely reliant on a trust model.
Thirdly it's Physical objects -v- Information copies.
Fourthly it only works reliably once.
Thus it is very much like a One Time Pad...
One Time Pads (OTPs) are secure based on certain assumptions, these are,
The key is generated secretly and turned into a physical property that is only touched by trusted persons and delivered to the sending and receiving parties by them.
In essence this is the equivalent of the route planning, schedualing and sourcing of the armoured cars etc of transporting a high value physical object.
The important thing to note about an OTP is you turn the information that is the truely randomly generated key into a physical object by making the pads that you then control as a physical object from that point onwards.
On sufficient analysis all our InfoSec relies on this "transformation into a physical object" and "trusted handeling of the physical object" by "trusted entities" as the fundemental underpinning of it's security.
Even PKI relies on this physical trust model to be secure, and as we know when costs etc cause it to be removed from the process PKI is nolonger secure and bogus certificates appear based on misrepresentation.
When you think about it --as I've mentioned several times in the past-- The "Tangible" physical world is very different from the "Intangible" information world, the physical world is limited by the fundemental principles of physics' of forces, mass/energy and distance, all constrained by various constants such as the speed of light etc.
Information is not limited by the laws of physics except when we impress it onto physical mass/energy for conventional storage or communication (look up quantum teleportation and spooky action at a distance).
Further thought shows that obscurity is only possible because of the constraints of the fundemental principles of physics to a physical search space. That is to search it you have to use energy to move mass over distance which takes time, and any individual mass can only be in one place at one time, yes you can use multiple masses to do searches in parallel but that requires multiple energy sources etc etc.
Whilst it is true that there is a certain minimum mass/energy required to store or communicate impressed information, we do not belive it is true of an information space which has no physical constraint. Conceptualy an information space can be of infinite size in an infinitely small physical space and does not require the use of mass/energy to search it just to communicate with it.
Thus conceptualy the only difficulty we have searching an information space it is that we are constrained by the use of impressed physical entities to get the searches in and the results out. This is part of the idea behind Quantum Computing but even this has it's limitations.
I suspect that at some point our knowledge of the physical laws that appear to govern our physical world will improve and thus with it something beyond the limitations that quantum physics as we currently know it imposes.
This holds the possibility of computing beyond that we currently belive is the limitations of quantum computing, however there are problems which we do not know solutions to and this gives rise to the possibility of other problems.
For instance if we discover that we can get unfettered access to information spaces the concept of random nolonger holds and thus with it the ideas of obscurity, secrecy and thus our current notions of security and obscurity.
However we have reason to belive there will always be some form of interface barrier between us tangible beings of the physical world and the intangible information world simply because there is only a finite amount of mass/energy, whilst the information in our universe (entropy) is rising according to the cherished axioms of the laws of thermodynamics. And it is at this point it goes mind bendingly awkward.
We belive that fundementaly information cannot be lost and that it stays forever encoded within the state of physical objects. Thus the implication is each physical object should be able to hold an infinite amount of information and this has further implications which may put it firmly beyond our reach.
I am surprised that it is the gun owners who got jumpy when the public gun permit records were put on the map. They moaned about being exposed to theft etc. Nobody noticed that, by simple elimination, this revelation showed which homes do not have a gun and can be targeted by thugs as much-lower-risk places.
The initial problem isn't that the paper published the records, but that the records existed in the first place.
I chose to live in an enlightened state that has neither registration nor restrictions on what kind of firearms I own. There's some Federal paper on some of them, but that's not public information.
Gun owners aren't home 24 hours a day. They have do things like, you know, go to work.
It's when they're not home that their guns are vulnerable to theft.
I'm not sure why this concept is so hard for some people to understand.
@ Robert, Peter A, et al,
First off lets be very clear about guns they are tools just like a specialist screwdriver or drill etc.
Admittedly it's an extreamly dangerous tool capable of transporting a projectile with high accuracy in some cases to over 1000yards. As a tool they are often used for killing vermin or game etc.
Unlike most other tools you find around the house in the US most guns are not used as tools for a job of work but if used at all are used for leasure/pleasure or even as ornaments or decorations . Like a blunt tool a badly maintained gun is of considerable danger to the user, likewise not being proficient in using a gun is a lot like getting behind the wheel of a hot-rod car without knowing how to drive.
Few people would go out and just buy a tool of equivalent leathal potential without some form of training. However in many places around the world it's lay your money down and walk away with a gun, apparently it's not a lot different in quite a few places in the US.
Do I personaly think there are two many guns in the US well the answer is most certainly yes, but worse there are way way to many US gun owners who don't know how to be safe with a gun in storage use and maintenance. None of this bodes well for the accident statistics let alone that of non legal use of the guns.
Unfortunatly one asspect of safety where a lot of gun owners are let down is gun safes. To be honest many are a real menace. As has been linked to on this blog before many hand gun safes won't keep a curious three year old out. This can give rise to a problem, some owners think because the gun is in a safe it's safe to leave it partialy or fully loaded "just in case" where as they would not leave the gun unloaded next to the magazine in an unlocked draw for safety reasons.
If I was asked what I would consider would be a wise thing to do, it would be the requirment of those wishing to own and keep a gun to have a profficiency test (like a driving test) and be required to re-new it every couple of years. The test would include testing in both theory and practice with testing on safe use, cleaning and maintanence and safe storage of the guns and their ammunition
Would it be to much to ask? after all you require drivers of cars to show they are proficient, and pilots and some classes of vehical driver are required to be re-tested every 2 to five years...
 Depending on who's figures you use there are upwards of 150million guns in the US that are effectivly not used at all. Likewise it would appeear that many hand gun owners in the US have not had any training or become moderatly proficient in firing them let alone care and maintenance.
@Robert: You did not get my point at all. There are other valuables in many a home, often much more valuable than a gun... and much easier and safer to sell on the black market. The published information is of little value to simple burglars, who make sure to break in when nobody's home.
The major purpose of keeping a gun at home is to defend yourself and your property. Even if not all homeowners actually have a gun, but a significant number does, it is, by the virtue of doubt, a strong deterrent for robbers and murderers. Does that granny have a shotgun in her closet? Or can we simply kick in the door and strangle her with her own shoe laces?
Therefore, keeping the gun ownership records public undermines safety of those that choose not to keep a gun. Having the records publicly available at leisure and with nearly perfect anonymity over the Internet removes the deterring effect completely. It affects non-owners much more than owners. So it should be non-owners that got outraged most by the whole affair. People are stupid and can't apply simple logic.
@lvps1000vm Re exam grades
When I started school grades were posted by last name or two initial, but there were some privacy issues so that changed to something less identifiable. In some cases grades were not posted at all. I have posted grades by secret code.
Grades are a case, however, where technology has allowed the useful 'how the class did' to be answered without privacy violations. In Moodle it is possible to set the course home page so the most recent grades are listed without any identifiable information. This let's a student see where their grade falls within the spectrum of the class. Moodle also creates a frequency distribution that can be printed and posted.
So computer analysis can not only destroy obscurity, but also put it back in. Of course it is hard to make data completely anonymous, as we have seen with the recent analysis of the DNA database.
"It's when they're not home that their guns are vulnerable to theft."
I can't understand anyone who doesn't have at least one gun safe. Otherwise you run the risk of coming home to someone still in you house after they broke-in who then arms themselves with one of your guns!
I've just read you comment on gun safes. I should add I was assuming a good quality gun safe and usage.
I should know better than to make assumptions!
... I should add I was assuming a good quality gun safe...
And there is an additional problem of how do you or anyone else for that matter know they are buying "a good quality gun safe"?
I used to design electronic locks and have some knowledge of physical security and back in the days when I used to shoot competativly I had a couple of safes.
It turns out that the small one (I used for ammo and the bolts) could be opened with a custom made tool poked through one of the mounting holes in the back. Or a very long narrow screw driver and one of those cute enderscopes you can now buy for well less than 100USD.
So it was only conditionaly secure in that you had to have bolted it to something very strong from the inside of the safe, for the safe to be secure.
Luckily I locked it in the large safe which was of a more conventional design using traditional hasps and locks which was also alarmed.
Had I known the small safe was vulnerable I would not have purchased it. Further I made the mistake of not actually testing it because various reviews had rated it highly...
Had I actually tested it there was a good chance I would have quickly seen the design flaw, because it was obvious when you spotted it, but you would have had to partialy disasemble it to spot it...
That said even now I see new vulnerabilities with safe technology come up well within the vulnerable products expected life time. Worse as it's a cost sensitive market some new versions of older proven safes have had cost savings put in the production process which makes the newer model weaker than the old...
Thus I don't see how the average consumer can know if the safe they buy is secure or not.
Now arguably stolen guns are actually worth more to certain criminals than legitimatly purchased ones. Simply because they come with a tag of "untracable" attached. That is whilst the LEO's know the gun has been stolen they don't know by who or who they have subsiquently sold them onto etc.
This obviously makes them worth stealing in their own right, and you would expect the smarter criminal just like the safe breakers of old would know how to quickly open the usual brand of gun safes sold in local gun shops, if said safes had exploitable vulnerabilities (which it appears many do).
So whilst I can see the pros and cons of making the list of gun owners public I personaly think the cons outweighs the pros considerably and makes it an undesirable thing to do.
I should also say that when ill health ment I had to give up competative shooting, rather than hang onto the guns out of sentiment I either sold them or donated them along with most of the rest of the paraphernalia (apart from the cups/medals/phots etc). Which is a bit akward now I have a child who is of age to learn to shoot and has expressed an intrest in doing so...
Your activities at the local bar are public knowledge. One could discern how many drinks you've had, when you left the bar, the type of women you go for as the night progresses, their reactions to you, or if you're a lass, the number of drinks it took to go home with a guy, and many other things about you. Either through direct observation, or just by asking the bartender. This is all public information, as a bar is a public place. The only protection was some obscurity. Now who would like it if this was all nicely cataloged and searchable? It's possible now, with facial recognition, along with social networking, credit card data, GPS data from your cellphone, etc. Hey, I just thought of a great business idea! Employers, moms and spouses will pay big money for this, not to mention the government (ok, they will just use the courts to take it for free).
What this really draws attention to is the fact that people were making their privacy decisions incorrectly before. If you don't want your information to be available, but you believe it's ok to be published because "who's gonna find it" and "what're the odds that...", then you deserve to have that information made available.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.