From: full-disclosure at ifokr.org (Brian Hatch)
Subject: UN support for "security by obscurity"
> Another data point in the full-disclosure/security-by-obscurity debate:
...
> The United States, Russia, and other countries are concerned about
> releasing information that would provide "a training manual for how to
> build weapons of mass destruction," a Western diplomatic source told
> CNN.

In the computer world we say relying on security through obscurity
is bad.[1]  However in this case I might agree with them.  It's a
very different situation.

We constantly argue that Open Source makes a level playing field, and
makes it more possible for us to secure our code.  If a bug is found,
we can all fix it in the source even before our vendor supplies a new
version, for example.  If someone writes an exploit, we can use it
in legitimate ways to test our servers for weakness and fix them.

I don't think comparing code to nuclear 'secrets' is the same thing.
Does publishing the recipe for a bomb make it easier for me to secure
anything?  We know that big bomb == lots of destruction.  We can prepare
for lots of destruction equally without ever having the instructions
to create the bomb itself.

I wouldn't call this security through obscurity.

I cannot think of a legitimate reason that I'd need the 'code' for
a missile -- if I want to secure my house from missile attack, I know
the results a missile would have.  I'd be vaporized.  No amount of
knowledge about the makings of a nuke would help me there.

I can see a reason I need the code for Apache.  That's something I
use that I can effectively defend from attackers.

And just to continue the analogy, those who possess nuclear technologies may
consider themselves the white hats, and want to keep that knowledge
from the black hats.  Of course they'd define black hats as
everyone except themselves.

[1] *Relying* on security through obscurity is bad.
     However *adding* security through obscurity is good.
     This distinction is too often overlooked.  Why say "I'm
     running Apache 1.2.26 with mod_perl and mod_ssl version
     BLAH" when you can just say "Apache"?  It only makes it
     easier for crackers to mark you down on their well-
     tailored lists.

--
Brian Hatch                  Anxiously awaiting
   Systems and                the millennium so
   Security Engineer          I can start programming
http://www.ifokr.org/bri/     dates with 2-digits again.

Every message PGP signed