Is it harmful to discuss security vulnerabilities?

The debate over the open discussion of security vulnerabilities long predates the Internet and computers. The recent reaction of some locksmiths to my master keying research paper heightened my interest in this subject. (January '05 update: See also the reaction to my paper on safe locks.) Here's what one of the 19th century's foremost inventors of mechanical locks had to say 150 years ago:

A commercial, and in some respects a social doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.

Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.

It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear, milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.

-- From A.C Hobbs (Charles Tomlinson, ed.), Locks and Safes: The Construction of Locks. Published by Virtue & Co., London, 1853 (revised 1868). (My thanks are due to Steve Bellovin for having first brought this text to my attention almost ten years ago.)

Contrast this with a view from 100 years later, when the authors of the standard textbook on safes and safe lock manipulation included this warning in their own book:

It is extremely important that the information contained in this book be faithfully guarded so as not to fall into the hands of undesirables.

We also suggest after you become proficient in the art of manipulation to destroy this book completely, so as to protect yourself and our craft.

-- From Clyde Lentz and Bill Kenton, The Art of Manipulation. (Privately published) 1953. (Fortunately, many readers failed to follow this advice and copies have survived 50 years into the present.)

Ironically, while Hobbs' reasoning today enjoys wide acceptance among practitioners of computer security and cryptology, the locksmith world seems to have at least partially reverted to embracing the security through obscurity advocated by Lentz and Kenton. Predictably, the dearth of open literature in that field now makes it quite difficult for a potential user to be sure whether or not a given lock suffers from known attacks. One can only wonder whether the locksmiths' reticence is more for the benefit of the security of their profession than for that of their clients.

Matt Blaze
January 2003 (revised January 2005)

Click here to return to the home page.