Security Basics mailing list archives
Re: Concepts: Security and Obscurity
From: krymson () gmail com
Date: 5 Apr 2007 13:35:16 -0000
I think too many people knee-jerk and say, "security through obscurity is bad!" to lots of things. They've heard the phrase spoken by other experts, so that must be the answer. But is a password really much more than obscurity itself? I think Dave is correct. Security through obscurity ALONE is bad. But it certainly can reduce risk in security measures... When experts typically use this phrase, they, sadly, leave unspoken that "alone" part at the end, even though that is really what they mean.

One problem I have with people who dismiss security measures is the assumptions they imply. By saying a security measure is useless and therefore not needed (no matter if it does offer some level of security that is above zero and below perfect), such people are implying that only a perfect security measure will satisfy their needs. And I think it should be an accepted assumption that there is no perfect security measure (silver bullet). Lots of those people just argue for the sake of arguing without really examining their own unspoken assumptions...

Another dangerous assumption deals with threats. What sorts of threats are your arguments geared towards defending against? Some people are gearing all of their security measures towards the dedicated, driven, uber-hacker. Others realize there are many other less-skilled opportunistic insiders and drive-bys that also pose a threat. Gear yourself towards just one, and you might find yourself surprised by the other (or spending so much of your org's money that you run yourself into a very deep hole...).

I'm a decent fan of port knocking. It is not fool-proof and you can misconfigure it, but I really like the added layer of obscurity. You need a specific sequence to open up the service to you. Just like you need a password to open up a service to you. You can still sniff or brute it, but you don't necessarily know something is there to brute, and you might not realize what you're seeing when sniffing a port knock...
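The port-knocking layer described in the post above, as an added example that is not part of the original message or of any real knock daemon: a small stateful tracker that watches connection attempts per source address, opens the protected service only when the full knock sequence arrives in order and within a time window, and resets on a wrong port or an expired window. The sequence (7000, 8000, 9000), the 10-second window, the 30-second open time and the sample addresses are all assumptions chosen for illustration. The last scenario feeds the same captured sequence back from a different address, which shows the "you can still sniff" caveat: a plain knock sequence is a replayable secret, just like a password sent in the clear.

```python
"""Stateful port-knock tracker (constructed example, not a real daemon).

Events are (source_ip, destination_port, timestamp) tuples, the same
information a firewall log or a packet sniffer would give you.
"""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed sequence; real deployments pick their own
KNOCK_WINDOW = 10.0                  # assumed: whole sequence must land within 10 s
OPEN_DURATION = 30.0                 # assumed: service stays open for 30 s after a good knock


@dataclass
class _Progress:
    """How far one source has got through the sequence, and when it started."""
    index: int = 0
    started: float = 0.0


@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_DURATION
    _progress: dict = field(default_factory=dict)  # src -> _Progress
    _opened: dict = field(default_factory=dict)    # src -> expiry timestamp

    def knock(self, src: str, port: int, now: float) -> bool:
        """Record one connection attempt; return whether src is allowed in afterwards."""
        state = self._progress.get(src)

        # A stalled sequence is discarded: the whole thing must fit in the window.
        if state is not None and now - state.started > self.window:
            state = None
        if state is None:
            state = _Progress(index=0, started=now)

        if port == self.sequence[state.index]:
            state.index += 1
            if state.index == len(self.sequence):
                # Full sequence seen: open the door and forget the progress.
                self._opened[src] = now + self.open_for
                self._progress.pop(src, None)
                return True
            self._progress[src] = state
        elif port == self.sequence[0]:
            # Wrong port, but it is the first knock again: treat it as a fresh start.
            self._progress[src] = _Progress(index=1, started=now)
        else:
            # Any other port breaks the sequence; the source starts over.
            self._progress.pop(src, None)

        return self.is_open(src, now)

    def is_open(self, src: str, now: float) -> bool:
        """True while a previously completed knock for src has not expired."""
        expiry = self._opened.get(src)
        if expiry is None:
            return False
        if now > expiry:
            del self._opened[src]
            return False
        return True


def simulate(tracker: KnockTracker, events) -> list:
    """Feed (src, port, time) events in order; return the per-knock open/closed result."""
    return [tracker.knock(src, port, t) for src, port, t in events]


if __name__ == "__main__":
    # Constructed events: a legitimate client, then an attacker replaying what it sniffed.
    client = [("10.0.0.5", 7000, 0.0), ("10.0.0.5", 8000, 1.0), ("10.0.0.5", 9000, 2.0)]
    replay = [("192.0.2.9", p, t + 100.0) for _, p, t in client]
    tracker = KnockTracker()
    print("client knocks:", simulate(tracker, client))
    print("replayed knocks:", simulate(tracker, replay))
```

With three knocks drawn from 65535 ports the blind search space is 65535**3, which is why an attacker who does not know the service exists has little to go on; an attacker who can watch the wire needs none of that, because the tracker accepts the replayed sequence from a new address exactly as it accepted the original. Single-use or time-based knock tokens address the replay, but that is a design change the post does not go into.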