Security Basics mailing list archives
Re: RE: Re: Concepts: Security and Obscurity
From: levinson_k () securityadmin info
Date: 16 Apr 2007 15:53:23 -0000
> I stated survivability - the number of scans by service not the key to this test.
Most computer security professionals don't discuss survivability or use it as the ONLY measure of security. Survivability is a subset of overall security. It is not fair or ideal to limit the argument only to survivability. You used the word survivability, but your original assertion wasn't limited to survivability. When you assert that obscurity is not beneficial, and will always cause an increase in both costs and risks in every situation, you're not talking survivability, you're talking overall security. That is a risk assessment statement that has to be answered by risk assessment, not just survivability. If you want to state that obscurity does not make a system any more survivable, that's quite different from saying that obscurity never has any positive benefit for anyone. And I'm not sure I would agree with that statement. I'm not sure how you are defining survivability, but if you put an unpatched Windows system on the Internet, it will be compromised in 20 minutes. Change the ports, and it will survive far longer.
> all cases is near impossible, but you have to prove the positive, and this is not being done. You have not as yet proved proof.
I've given what I feel is proof; you just rejected my proof due to the scope from which it comes. To give proof relating to the example of wireless... a good example of obscurity with wireless would be disabling SSID broadcast. The benefit of this has been debated (again because it does not defeat a determined attacker, and was never designed to). Nevertheless, doing so is a common security suggestion, and at least some people find this a useful benefit, especially in home uses where non-skilled attackers and viruses are a much more likely risk than a determined attacker. Disabling SSID broadcast raises the bar that an attacker must pass to compromise a system. If you choose not to disable SSID broadcast, that's your call, and it can be the right call depending. But you're arguably lowering the bar to the point where unskilled attackers become equal in threat to determined attackers. All you need to crack the system is any unpatched or unmitigated vuln. The attacker no longer needs skill, time or effort.

kind regards,
Karl Levinson
http://securityadmin.info