One of the security tenants that I live by is Kerckhoffs's principle.

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

-- Auguste Kerckhoffs, 1883

It's beautiful in it's simplicity and yet counter intuitive.

It's a beguiling myth that if you want to make a system secure you should make it secret. Hundreds of years of experience have thought us that for a system to be truly robust it needs to be open and auditable.

Kerckhoffs's principle is applicable to so much more than just cryptography. I think it needs to be much broader, and apply to any system designed to provide security.

A security system should be secure even if everything about the system, except the key, is public knowledge.

I recently spent a little time looking at physical security controls, things like security cameras and digital locks (RFID cards). It makes my blood boil when I see how much vendors try to restrict information and refuse to publish even a basic manual.

Especially as often once someone takes a good look their products turn out to be riddled with vulnerabilities. Then rather than fix the vulnerabilities vendors try to use things like the Digital Millennium Copyright Act (DMCA) to silence security researchers and prevent the information spreading.