Message-ID: <413639E5.9010307@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: Response to comments on Security and Obscurity

James Tucker wrote:

>This is not dissimilar from the discussion that, for example:
>Walk into the headquarters of a major business firm, you take the
>elevator up to the top floor as you don't have a keycard to get you in
>a lower level. It's lunchtime and the secretary at reception has left
>her desk. You are free to walk around the corner to the CEO's office
>(there are no physical barriers, as these would not "look nice" and
>would "impose upon business impressions"). The CEO is a dear chap who
>forgets to lock his workstation when he goes to lunch. Where did all
>that hard effort of virtual security go? This is not an uncommon
>scenario. The stronger audits in the world fail you for this kind of
>possibility; again count yourself lucky in this regard.
You're right with this scenario, of course, but I don't think that they 
meant that there was no room for physical protection in information 
security.

I think they meant that you can't make a physical comparison to an 
information security structure.  One can't actually, as an example, 
compare a firewall to a constantly burning facade. 

Take a military base, for example.  One can, if they were so inclined,
use the military base as an example of a well secured area.  You've got
gates, gun emplacements, armed guards, many locked doors, cameras at the
gates, razor wire, etc.  Military gates are presumably well secured, right?

Well, you can try to make an analogy between this and a well-secured 
network.  The problem is that the analogies don't align.  A firewall 
isn't really like a gate with an armed guard at it.  Your soldiers can't 
be turned into unwitting zombies by IE exploits.  An IDS isn't really 
like a camera.  System passwords aren't actually like locked doors.

The analogy can loosely be used to illustrate a point, but anything 
beyond very loose interpretation is virtually worthless because of its 
inaccuracy.

             -Barry

