| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e92364c30409011305658fdaab@mail.gmail.com> From: jftucker at gmail.com (James Tucker) Subject: Response to comments on Security and Obscurity On Wed, 1 Sep 2004 21:33:55 +0400, 3APA3A <3apa3a@...urity.nnov.ru> wrote: > really poor. I can break my own ass by falling into the pit, and I will > never have another one. In informational world (like in any business) > all I risk is not more than money. Of course no one was ever hurt as a result of poor computer security. (sarcasm) Count yourself lucky that your business is only commercial, some of mine aren't and problems in systems can cause injuries and fatalities. When you are in this situation you will give high regard to all possible areas of security, none are less relevant than any other as it only takes a single hole (physical or virtual) to let an intruder in. > But in case of your quotation, you have a lot of mistake because of > misunderstanding real world. It's really impossible to show your mistake > because at least this part of your paper is one large mistake. > Currently, situation someone breaks program's protection to put a virus > into it is really strange and probably is taken from Hollywood. There > are crackers (not hackers, it's different term) who breaks program > protection for illegal copying. Yes, they are criminals. But I see no > relation between breaking program's copy protection mechanism and > informational security like (OK you wanted analogies) there is no > relation between VHS tape copy protection (there are some techniques > used by film distribution companies to prevent illegal copying) and > physical security. Actually, there is, to follow the same analogy, if the Hollywood production company never release any copies of the film, then it won't get cracked or copied, unless of course their physical security was breached. > Situation of you analogy also came from Hollywood: cracker to buy a new > copy of program after trap catches debugging. Unlike real world, in > computer there is always a chance to make a roll back, and to try to > break protection again and again on the same copy of the program. You're > trying to compare real situation from physical world with something > impossible from informational world. How can someone who understand it > to see any analogy? Further on the physical to information systems comparison, how do you exploit a computer in russia from a computer in new york if there is no physical data path between them? (The answer is directed electromagnetic radiation, but there certainly aren't any hackers in the world which have access to such a device; if anyone. In this case the only defense is physical infrastructure.) This is not dissimilar from the discussion that, for example: Walk into the headquarters of a major business firm, you take the elevator up to the top floor as you don't have a keycard to get you in a lower level. It's lunchtime and the secretary at reception has left her desk. You are free to walk around the corner to the CEO's office (there are no physical barriers, as these would not "look nice" and would "impose upon business impressions". The CEO is a dear chap who forgets to lock his workstation when he goes to lunch. Where did all that hard effort of virtual security go? This is not an uncommon scenario. The stronger audits in the world fail you for this kind of possibility; again count yourself lucky in this regard.
Powered by blists - more mailing lists