lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <413727E4.5020606@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: Response to comments on Security and Obscurity

yaakov yehudi wrote:

>A firewall is more akin to a specialized filter medium, but filter mediums aren't used as the entrance or exit to a military base.
>
>It is probably possible to find analogies between the information security world and physical - but only on a piecemeal basis, and that is simply irrelevant and pointless.
>
>Peter might be much better to concentrate on the realities and forget about straw-man analogies.  What do you think?
I... tend to agree.  It's a difficult question because analogies are 
useful if the person reading the paper has no point on which to base their 
opinion.  However, I see two problems with this: 

1) Perhaps a paper of this type shouldn't be considered introductory 
material.  Perhaps knowledge of the system should be a prerequisite 
for reading the paper.  Familiarity with the topics should be assumed.  
Discerning the advantages and disadvantages of disclosure 
versus secrecy isn't a small or simple thing, and perhaps people without 
that level of familiarity shouldn't venture directly down that path.

2) The above is especially true in the case of influence on public 
policy.  If a person shaping public policy is basing their opinion on 
a (most likely defunct) analogy, we have a major problem.  As I'm sure 
Peter is aware, this is, more often than not, the rule in the 
shaping of public policy.  It reminds me of the scene in Fahrenheit 9/11 
where they were discussing the fact that the Patriot Act was passed 
without a single legislator reading it.  This scares me a lot.  Of 
course, this increases the need for simplification of the issues so that 
legislators can at least vote with a modicum of knowledge on a subject, 
but thus begins the cycle...

Perhaps a series of papers is more appropriate, starting with an 
in-depth understanding of the ideologies from the ground level?

                -Barry
