Hi everyone, Ed Amoroso here. Now in cybersecurity there's certain mottos, or slogans, or ideas that just pervade what we do, and one of them, that's pretty universally accepted is that, security through obscurity, I'll explain what that means in a minute, is generally not a great idea. Now I think it's a more complex concept than that. Let me give you some idea. So, in the cryptography community, security through obscurity means I'm going to make my cryptographic algorithm more secure by just not telling you what it is, and hoping that maybe you don't find out. Now, you can see how that's a terrible process, because in our world it seems like keeping secrets is almost impossible. So, you'd prefer something to be secure in the full knowledge that your adversary might know exactly what it is that you're doing, which is the opposite of security through obscurity. However, this introduces a little bit more nuanced set of concerns when we talk about software. Now I think a lot of you are familiar with more or less the two types of software that we deal with. One is called open source. That's where we celebrate the openness of the code. We share the ability amongst all of us to look at the code, and there are usually rules, depending on what community you're dealing with, around if you make updates, you share, and so on. You're familiar with the idea of open source, but for our purposes now, it's just that you see the code, you know the code, you can look at different types of routine statements, and so on, that's in the code, and you'd be able to understand it. The second type is proprietary software and that's where a software vendor makes the specific business decision to keep their code secret. Now what does this mean in terms of security through obscurity? Well let's look at a little graph here. I'll pop one up on the screen.
You can see in the graph that if I have a piece of code that is in fact open source, then over time, once it's released, it's subjected to scrutiny, and you can see the intensity of known vulnerabilities will grow. Obviously as it's subjected to more scrutiny, you will find more vulnerabilities. So you're going to see a graph, in some sense, going up to some very intense point where perhaps you have maximum scrutiny on the code, and you've looked at it very thoroughly, the whole community, the whole world maybe. But what happens after that typically is that things start getting fixed at a more rapid pace than they're getting found. Do you follow? As you're finding vulnerabilities, yeah you're fixing them, but it's usually the case, [LAUGH] and with open source you find them so quickly, that you do see that intensity graph go up. But over time eventually things get better, like think Unix in the 70s, 80s, 90s, kind of was at its peak. Since then, Unix is by far the most robust, the most secure operating system that we have, because we've been staring at it for 50 years. So obviously you come way down the curve, and you see the benefits of all that scrutiny, and all that code review. Now, proprietary, in contrast, when it's released, and is secret, and you can't see the kernel, can't see system code, you can't see source code, tends to see a much flatter sort of a known vulnerability intensity curve. It's flat, and it will stay flat because as long as you keep it hidden, then there's no reason to believe that you'd have a more intense period of scrutiny, unless somebody gets lucky for some reason, or something leaks. But if you keep it proprietary, then it'll stay the same. Now, what this suggests is that if the same piece of code made open source were instead made proprietary, and they started down different paths, you have a latent set of problems embedded in proprietary code that you haven't noticed yet, because nobody's noticed it, nobody's looked at it. You follow?
So the advantage of open source is eventually you get to a pretty good place. The disadvantage is it could be a bumpy ride. The advantage of proprietary is that over a life cycle there's a very good chance that you can stay just below some acceptability threshold, think Windows operating system, right? In fact, to kind of test our understanding here, I want to give you a little bit of a quiz, as we often do. The answer obviously is B. So we would see a spike, the characteristic spike that comes with making something open source. It would probably cause a lot of problems for business, as you would expect. Over time maybe things would be better, but it'd be a pretty rocky ride. So, between you and me, I hope that Microsoft never makes the decision to just wake up one day and open source Windows, because we'd all see some problems. So I hope that's been helpful, and we'll see you in our next video.