The Steady Decline of Security via Obscurity
posted by Frank Pasquale
Two recent stories illustrate the web’s disruptive potential. Farhad Manjoo of Slate covers the recent uptick in lockpicking fan sites, and Jeffrey R. Young of the Chron describes a new test clearinghouse. Both raise tough questions about what happens when “security via obscurity” starts breaking down.
In the case of the lockpickers (or “locksporters,” as they might like to be called), Manjoo points out some interesting parallels to “computer-security debates”:
An entrenched community that’s used to working in secret suddenly sees its entire business upended by the secrecy-busting ways of the Internet. It’s a fate suffered by voting machine firms, software companies, and ATM manufacturers. Now it’s happening to locksmiths and lockmakers, too. . . .
Recreational lock pickers meet regularly in community centers around the country, challenging each other to break new locks as casually as others nearby work to break the Queen’s Gambit. On Web culture blogs, fans of locksport enjoy a place beside cryptography enthusiasts and DRM hackers as practitioners of a morally defensible, geeky dark art.
The upside of the new locksporting craze is that security flaws in locks are more quickly detected. The predictable downside is the more rapid obsolescence of many locks, and one more worry for home, car, and bike owners: has my lock been picked publicly on YouTube?
The owner of the test clearinghouse claims that his site is mainly designed to level the playing field in test prep:
Demir A. Oral, a Web designer living in San Diego, said he started his online test collection, PostYourTest.com, because he felt that such materials were already available to some students but not others. “I know that fraternities and a lot of organizations have test banks, and I just didn’t think that was fair that some students got access to these things and some didn’t,” he said. . . .
Are students authorized to publish exams created by their professors? That depends, said Peter A. Jaszi, a law professor at American University. “It’s very situational — the analysis is going to be different from test to test,” he said. For instance, at some colleges, it is not clear whether professors hold the copyright to their course materials or whether their employers do. He said that in his own courses he assumes that students do have the right to share exams he hands back — and so he constantly changes his questions.
I’ve thought a bit about copyrighting test questions, and criticized ETS’s doomed attempts to maintain “security via obscurity” for its LSAT, SAT, and other tests. My sense is that all this does is increase the advantage of those who pay for test prep, which is often offered by companies who can send “spies” in to memorize all the questions at a given administration. As I argued a few years ago,
Given the futility of “leveling down” by banning or crippling test prep programs, why not go the opposite direction, by putting both their materials–and all previous test questions–into the public domain? This “leveling up via laissez-faire” promises to add some fairness to a competitive process too often skewed by wealth and connections. This may seem like an extreme step, but the high stakes of test results may mandate nothing less than universal access and disclosure.
This proposal, like the locksports and test bank websites, will be controversial; there are some instances where security via obscurity can work. But where it’s repeatedly failed, other solutions have to be tried. And if that makes you feel sick . . . well, you can always get a fake doctor’s note for work [warning: link is annoyingly loud!].
August 18, 2008 at 12:10 pm
Posted in: Criminal Law, Cyberlaw, Education
Responses (4)
Shannon Love - August 19, 2008 at 2:20 pm
We might remember that secrecy is also a synonym for privacy. The techniques that can be used against institutions like lock manufactures can be turned against individuals should anyone choose to.
I imagine it will not be long before every politician, even minor local ones, are relentlessly and publicly tracked 24/7 for signs of unfitness for office. The rest of us will not be far behind.
Phil - August 19, 2008 at 3:22 pm
Security through obscurity does have its place. There are certain times you never want to use it, such as crypto algorithms (an open algorithm is much more secure than a “secret” one). And over-reliance on obscurity is always doomed to failure (as with physical locks and test preps noted in the post).
As a security guy myself, I have often argued that obscurity in and of itself is not necessarily a bad thing as part of a layered approach. With a layered approach even when the veil is pierced (which it will be) it’s not a catastrophic event since you have other layers and security measures in place that are effective independent of each other. It can be as simple as not putting any obvious signage or street numbers on a primary data center. If it is disclosed, it still will not alter the effectiveness of the other layers (man traps, CCTV, physical guards).
Fidel, MD - August 19, 2008 at 5:51 pm
I’ve taught (basic sciences in medical school) and yes, there are test banks floating around. Good for the students that use them – some insist on not, and suffer for it.
The US Government tried to keep the questions (and answers) for various licenses and certificates (Radio Operator licenses, Pilot certificates) confidential, and it failed miserably. Nowadays you can download the test question bank (with thousands of different questions, and answers) from the government (for free) or buy books that have the information plus some explanations of why one answer is right and the others wrong. The government’s attitude: They don’t care how you learn the material, as long as you learn it….
So too in medicine. From organizations that register people to memorize some (or all) of the MCAT to the same organizations that offer testing and training services for the licensure boards, the information is out there, and making some people a LOT of money (a 4-week prep course can cost in excess of $10,000). Likewise, test prep books fill the pages of Amazon and med school book stores.
Why not? For sciences where there are firm associations (an increase in this marker is associated with that disease, this type of drug for that condition, etc.), any way the student gets the right answer is fine.
As far as professors who object, I feel that as a professor I get paid for two things: Teaching and testing. I write a new test every time. But there are only so many ways certain facts can be questioned, and after a half-dozen different ways of asking the same thing I run out of ideas.
For areas that are subjective, my colleagues can at least ask a different essay question. But when you spend the entire semester discussing (say) the homoerotic symbolism in “Lord of the Rings” there may not be much … substance to ask questions about. So the students are short-changed in their education, their parents are short-changed in their tuition, and the professors are lazy hacks.
AMcA - August 19, 2008 at 9:11 pm
I remember my late father saying to me, in roughly 1972, when I needed to get a Social Security card to get a job: “You know, this is your last chance to stay out of the system.”
I ran myself on Accurint recently. Shudder.
Dad knew what he was talking about.