
The limit is that you have actual secrets to protect, whether codes or names. You don't want these public because everyone could destroy you then. Secrets are a necessary evil. Managing secrecy as a function of some more or less independent entity — three-letter agency, direct governmental body, army... — is a balancing act, to put it mildly. Ever since the dawn of time, and periodically throughout history, you hear this tension between the visible power (gov) and the hidden figures ("deep state", when some independent agency grabs too much power, and they all do, that's how they 'die' and get reformed historically).

This is one of the oldest and hardest problems in managing a 'country', a vast group of people, in the face of potentially hostile foreign powers and nefarious actors in general (including, and sometimes especially, within).

I feel our epoch (with internet, mobile, 24/7 on, hyperbuzz, etc) is vastly increasing the complexity and difficulty of this topic. It's likely to make those in charge of secrets paranoid, with reason, even assuming the best of intents.

TL;DR: wish it were as simple as that.




It's not clear that secrets are a necessary evil. They are, however, greatly desired by exactly the kind of people who definitely shouldn't be allowed them. So that's a bad sign.

Inappropriate reliance upon secrets is a recurrent security design mistake. Remember passwords? Well not so much remember, we still have passwords, and they're still terrible. Compare a FIDO Security Key. No secrets, much better.

If I'm wrong and some secrets are truly necessary we're still best served by restricting ourselves to just those secrets and not creating a Matryoshka doll of secrets kept for their own sake and little more.


>If I'm wrong and some secrets are truly necessary we're still best served by restricting ourselves to just those secrets and not creating a Matryoshka doll of secrets kept for their own sake and little more.

Therein lies the problem. How can you restrict secrets to "just those secrets" when you can't ever find out what the secrets are and you are promised that "this secret is definitely one of THOSE secrets, honest."?


This line of reasoning doesn't hold up at all. The best practice advice 'avoid security through obscurity' has nothing to do with what you're talking about. Also, FIDO absolutely relies on secrets: that's what a security key stores.

I'd be interested to hear how you think law enforcement and intelligence could still work without confidentiality.


Although the typical design for a FIDO key uses what is technically a symmetric ("secret") key, that's an implementation detail and the purpose of the FIDO device is to maintain asymmetric (private) keys.

If you've been under the impression that FIDO is just a shared secret system like TOTP then I've got great news, it's much cleverer than that. By not relying on secrets the system is robust against total incompetence by a relying party. If say Facebook paste all the U2F credentials they have for your account into a public Pastebin, not only can that not be used to attack your Login.gov account secured with the same FIDO key, it can't even be used to attack the Facebook account the credentials are for.

Military intelligence services actually rely heavily on analysis of public information. The value of the exciting and expensive Hollywood-style secret agent is mostly in their ability to do stuff, mostly illegal and immoral stuff, not a benefit to collecting intelligence.
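
The relying-party side of the FIDO exchange discussed above, as an added example that is not part of the original thread: a simplified model in which the token wraps a per-site private key under a device-held symmetric key and the site stores only the key handle and public key. The class and function names, the AES-GCM wrapping scheme and the signed message layout are assumptions made for illustration, not the U2F wire format.

```javascript
const crypto = require('crypto');

// Simplified, constructed model of a U2F-style token (all names hypothetical).
class Authenticator {
  constructor() {
    this.deviceSecret = crypto.randomBytes(32); // symmetric key, never leaves the token
  }
  // Registration: fresh P-256 key pair per site. The private key is wrapped under
  // deviceSecret and bound to appId; the wrapped blob is handed out as the key handle.
  register(appId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const iv = crypto.randomBytes(12);
    const c = crypto.createCipheriv('aes-256-gcm', this.deviceSecret, iv);
    c.setAAD(Buffer.from(appId));
    const der = privateKey.export({ type: 'pkcs8', format: 'der' });
    const ct = Buffer.concat([c.update(der), c.final()]);
    const keyHandle = Buffer.concat([iv, c.getAuthTag(), ct]);
    return { keyHandle, publicKey: publicKey.export({ type: 'spki', format: 'der' }) };
  }
  // Authentication: unwrap the handle (throws for another appId or another token), then sign.
  sign(appId, keyHandle, challenge) {
    const d = crypto.createDecipheriv('aes-256-gcm', this.deviceSecret, keyHandle.subarray(0, 12));
    d.setAAD(Buffer.from(appId));
    d.setAuthTag(keyHandle.subarray(12, 28));
    const der = Buffer.concat([d.update(keyHandle.subarray(28)), d.final()]);
    const key = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
    return crypto.sign('sha256', Buffer.concat([Buffer.from(appId), challenge]), key);
  }
}

// Relying-party check, using only what the site stores: key handle and public key.
function rpVerify(appId, record, challenge, signature) {
  const pub = crypto.createPublicKey({ key: record.publicKey, format: 'der', type: 'spki' });
  return crypto.verify('sha256', Buffer.concat([Buffer.from(appId), challenge]), pub, signature);
}

// Someone holding only the site's stored record, with a different token, gets no login.
function leakedRecordLogin(appId, record, challenge) {
  try {
    const sig = new Authenticator().sign(appId, record.keyHandle, challenge);
    return rpVerify(appId, record, challenge, sig);
  } catch (e) {
    return false; // GCM tag check fails: the handle cannot be unwrapped without the original token
  }
}
```

The stored record verifies signatures but cannot produce them; the only value that must stay confidential in this model is `deviceSecret` inside the token.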


You've totally lost me, and it's not because I misunderstand FIDO. The private key you refer to must be kept secret or the credential is compromised. Yes, this is undoubtedly better than passwords, because the system automatically prevents credential re-use across services and is more resilient than a password hash, but it still requires secrecy. You're not providing an example of a system that functions without the need for secrecy, you're providing an example of a system that uses a very tightly controlled secret, known only to the party that needs it i.e. the FIDO key. Sounds a bit like the principles of need-to-know and compartmentation used by intelligence services...

Open source is useful, to be sure, but so are informants / agents, and the safety of those sources and their continued usefulness is completely dependent upon secrecy. If that's too Hollywood then consider undercover law enforcement.


Something is a _secret_ only if at least two people know it. This makes a tremendous difference because now either of them might betray the confidence. A _private_ fact can't be given away by anybody else; it is yours to keep private or not.

Society blurs this line a lot by telling people things are "Private" when in fact they're only a secret, and then there is an opportunity to betray them. This happens for payment cards for example, bank representatives have been known to tell even a court of law that bank employees can't find out your PIN, so if a PIN was used it proves the customer was negligent or actively participated in the transaction. In fact, of course, the PIN is a secret, so the bank and thus its employees are aware of the customer's PIN and an insider could in fact perform transactions using PIN verification despite no negligence by the customer.


I'm not sure what you're talking about. I suppose we have different backgrounds.

- I've never heard a single ranking officer in the army or intelligence circle or the judiciary branch ever claim that "it's not clear that secrets are necessary" — you'd be right many don't think it's an evil though. (I've personally interviewed such people among others for research, many times between 2006-2014, and this question was central to some discussions because we were indeed designing political regimes).

- You seem to confuse "secrets", the general idea of hidden information (e.g. a Christmas gift, the location of a weapons repository, the name of a lover) with secrets as a security device (PIN codes, passwords, the layout of a physical key). The former are content, the latter are means to restrict access (meaningless in and of themselves). You seem to argue that the latter can do better with less "remembering" (security practices, FIDO, etc), and sure go for it; but that has nothing to do with the former, actual secret information (content) which you seek to protect by way of such security devices.

- My point was about secrecy as a function of States, well before digital computers even existed, and well after. Modern computing compounds effects but doesn't change the nature of institutions. You'll always need to secure 'dangerous' stuff. I'm not sure how you envision a hostile invading army on your ground, but if you picture that suddenly many red lines appear clearly.

I'll tell you the dirty secret: the less they have an actual enemy to fight, the more they idle, the more "these people who desire secrets" become threats to the wider population — people report that it's such a parallel world view as an insider that focus can get fuzzy, undetermined, self-harming. This is why historically you see many governments pretty much making up enemies: a mundane observer would tell you it's a classic to unite the population (or your base versus rival groups), but a historical perspective shows it's also to curb the 'natural deviance' of all the shadowy things in a State, to focus them for good when their idling becomes too evil.

None of this is black and white. Nothing's fundamentally changed with computers or electronics — it's more game theory, math, and obviously philosophy, psychology, than whatever implementation of a system throughout history.

For another round at not-so-simple-secrecy-management, consider now corporations, first between them, then in interaction with States. You'd think it's all new, unseen before. Go read some account of the 16th century or even before. See how this is just part of human nature. As I tell myself, "deal with it".



