Internet Shield: Secrecy and Security

THERE’S considerable confusion between the concepts of secrecy and security, and it is causing a lot of bad security and some surprising political arguments. Secrecy is not the same as security, and most of the time secrecy contributes to a false feeling of security instead of to real security. Last month, the SQL Slammer worm ravished the Internet, infecting in some 15 minutes about 13 root servers that direct information traffic, and thus disrupting services as diverse as the 911 network in Seattle and much of Bank of America’s 13,000 ATM machines. The worm took advantage of a software vulnerability in a Microsoft database management program, one that allowed a malicious piece of software to take control of the computer. This vulnerability had been made public six months previously when a respected British computer researcher had published the code on the Web. During the same month, an AT&T researcher published a paper that revealed the vulnerability in master-key systems for door locks, the kind that allow you to have a key to your office and the janitor to have a single key that opens every office. The gap in security is this: The system allows someone with only one office key, and access to the lock, to create a master key for himself. This vulnerability was known in the locksmithing community for more than a century, but was never revealed to the general public. Full Story