The Steady Decline of Security via Obscurity
Two recent stories illustrate the web’s disruptive potential. Farhad Manjoo of Slate covers the recent uptick in lockpicking fan sites, and Jeffrey R. Young of the Chron describes a new test clearinghouse. Both raise tough questions about what happens when “security via obscurity” starts breaking down.
In the case of the lockpickers (or “locksporters.” as they might like to be called), Manjoo points out some interesting parallels to “computer-security debates:”
An entrenched community that’s used to working in secret suddenly sees its entire business upended by the secrecy-busting ways of the Internet. It’s a fate suffered by voting machine firms, software companies, and ATM manufacturers. Now it’s happening to locksmiths and lockmakers, too. . . .
Recreational lock pickers meet regularly in community centers around the country, challenging each other to break new locks as casually as others nearby work to break the Queen’s Gambit. On Web culture blogs, fans of locksport enjoy a place besides cryptography enthusiasts and DRM hackers as practitioners of a morally defensible, geeky dark art.
The upside of the new locksporting craze is that security flaws in locks are more quickly detected. The predictable downside is the more rapid obsolescence of many locks, and one more worry for home, car, and bikeowners–has my lock been picked publicly on YouTube?
The owner of the test clearinghouse claims that his site is mainly designed to level the playing field in test prep:
Demir A. Oral, a Web designer living in San Diego, said he started his online test collection, PostYourTest.com, because he felt that such materials were already available to some students but not others. “I know that fraternities and a lot of organizations have test banks, and I just didn’t think that was fair that some students got access to these things and some didn’t,” he said. . . .
Are students authorized to publish exams created by their professors? That depends, said Peter A. Jaszi, a law professor at American University. “It’s very situational — the analysis is going to be different from test to test,” he said. For instance, at some colleges, it is not clear whether professors hold the copyright to their course materials or whether their employers do. He said that in his own courses he assumes that students do have the right to share exams he hands back — and so he constantly changes his questions.
I’ve thought a bit about copyrighting test questions, and criticized ETS’s doomed attempts to maintain “security via obscurity” for its LSAT, SAT, and other tests. My sense is that all this does is increase the advantage of those who pay for test prep, which is often offered by companies who can send “spies” in to memorize all the questions at a given administration. As I argued a few years ago,
Given the futility of “leveling down” by banning or crippling test prep programs, why not go the opposite direction, by putting both their materials–and all previous test questions–into the public domain? This “leveling up via laissez-faire” promises to add some fairness to a competitive process too often skewed by wealth and connections. This may seem like an extreme step, but the high stakes of test results may mandate nothing less than universal access and disclosure.
This proposal, like the locksports and test bank websites, will be controversial; there are some instances where security via obscurity can work. But where it’s repeatedly failed, other solutions have to be tried. And if that makes you feel sick. . . .well, you can always get a fake doctor’s note for work [warning--link is annoyingly loud!].