| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: yehudi at tehila.gov.il (Yaakov Yehudi) Subject: Security & Obscurity: First-time attacks and lawyer jokes Dave wrote... > The flaw in your specific example [about a software program freezing up it is attacked] is that every program can be run as > many times as you need to "attack" it. You would never need more than > one copy. Peter replies... First, there are times when you cannot attack the program over and over. For instance, you may not have the ability to access the software over and over again, such as when it is running on someone else's system and you don't have continuous access. Second, other persons on FD have written to me privately about self-modifying code that would render Dave Aitel's point untrue. With that said, the example could be better written. Much more importantly, though, is that Dave accepts one of the fundamental points of my paper in trying to refute it. He says "every program can be run as many times as you need to attack it." Exactly! The big difference between physical and computer security that I emphasize is the number of attacks. Dave emphasizes the number of attacks. Hey, it's a unifying principle that even lawyers and non-experts can understand in the future! (See separate post today on why the analogy between physical and cyber security is useful.) A theme of the paper: when attacks are closer to first-time attacks (when they have high uniqueness), then secrecy can be an effective tool. When there is low uniqueness, security through obscurity is BS. And many, many cyberattacks fall into the second category. **************************** A smart firewall, or other appliance, or policies of a smart security administrator, may quickly detect an attack, and restrict or bar access of the attacker to the program. That will keep the obscurity factor high for a much longer period of time. A prime example is the attempt to discover a password. Two or three failed attempts will lock you out (at least for a certain period of time). This makes the attack on a well designed password statistically unlikely to succeed within the attackers lifetime - regardless of the raw computational power available to him / her. If security by obscurity _always_ sucks, then I hope that all the readers of this post will send me detailed network diagrams, IPs and passwords; also name, address and credit card number while you're at it. :-) If you're going to be "open", be open! We make passwords difficult precisely because we (all?) believe that _sometimes_ a lot of obscurity is a very good thing. And many of us now use two factor authentication just so that we can widen the gap, between what is known and what is unknown, just that much further. Food for thought I hope. Best Regards, Ya'akov
Powered by blists - more mailing lists