01 June 2009

Why Security by Obscurity Fails, Part 674

Great story in Wired about a master lock-picker, opening what are supposedly the most secure locks in the world:

These were the same Medeco locks protecting tens of thousands of doors across the planet

...

One by one, brand-new Medeco locks were unsealed. And, as the camera rolled, one by one these locks were picked open. None of the Medeco3 locks lasted the minimum 10 to 15 minutes necessary to qualify for the "high security" rating. One was cracked in just seven seconds. By Roberson's standards, Tobias and Bluzmanis had done the impossible.

Although these are physical rather than software locks, the lesson is the same: there is no such thing as an unpickable lock, and there is no such thing as unhackable software, even if it's closed and encrypted. Since *someone* will be able to find the flaws in your software, you may as well open it up so that they can be found and fixed. Go open source.
