From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Response to comments on Security and Obscurity

Dear Peter Swire,

--Wednesday, September 1, 2004, 7:27:17 PM, you wrote to bkfsec@....lonestar.org:


PS> 	Dave Aitel also criticizes analogies of computer and physical security.  Is
PS> that topic strictly off-limits for discussion?  Yes, sometimes information
PS> can be copied but chairs cannot.  Does that change everything about
PS> security?  The paper proposes explanations for why computer and physical
PS> security are often different, because computer security often features a
PS> high number of attacks, learning by attackers from each attack, and
PS> communication among attackers.  At the same time, some physical situations
PS> have those same features. Where is the flaw in that analysis?

As far as my poor English allows me to understand, Dave correctly
criticises analogies between informational theory and the physical world,
not between physical and information security. In your case the analogy is
really poor. I can break my own ass by falling into the pit, and I will
never have another one. In the informational world (like in any business)
all I risk is no more than money.

But in the case of your quotation, you have a lot of mistakes because of
misunderstanding the real world. It's really impossible to show your mistake
because at least this part of your paper is one large mistake.
Currently, the situation where someone breaks a program's protection to put a virus
into it is really strange and probably taken from Hollywood. There
are crackers (not hackers, it's a different term) who break program
protection for illegal copying. Yes, they are criminals. But I see no
relation between breaking a program's copy protection mechanism and
informational security, just as (OK, you wanted analogies) there is no
relation between VHS tape copy protection (there are some techniques
used by film distribution companies to prevent illegal copying) and
physical security.

The situation in your analogy also came from Hollywood: a cracker buying a new
copy of the program after a trap catches debugging. Unlike the real world, in a
computer there is always a chance to roll back, and to try to
break the protection again and again on the same copy of the program. You're
trying to compare a real situation from the physical world with something
impossible from the informational world. How can someone who understands it
see any analogy?


-- 
~/ZARAZA

