Security Basics mailing list archives
RE: Concepts: Security and Obscurity
From: krymson () gmail com
Date: 10 Apr 2007 14:53:21 -0000
I really think you just like hearing yourself talk. And while you spout some common axioms and economics 101 terms, they don't mean much to this topic. Your whole fourth paragraph, while we can agree with what you said, has nothing to do with the topic.

You assume that there are absolute security solutions instead of the incremental security that can be experienced by pairing up some forms of obscurity. I'll throw in my own axioms that "security is not a state/product but rather a process/layering" and "there is no silver bullet to security."

You also assume that gains are minimal with all obscurity, and that they have added difficulty and lost productivity. That is not necessarily true. If I have two forms of obscurity that both cost the same but together the total cost is less than the asset and thus worthwhile, I can't use them? I have to look for something that costs less than both those obscurities that secure the asset perfectly?

<- snip ->

What is forgotten is that there is an economic/financial cost to all controls. A control is only effective if the cost of the control provides more utility than not having the control. Thus a control that provides some security at a cost that is greater than another control is ineffective overall.

Security by Obscurity is an ineffective control. The gains are minimal in economic terms. The cost however is more than the pure cash/money costs. The additional losses to productivity and added difficulty in maintaining secrecy do not provide the required level of gains to offset the costs and thus create a dead-weight loss in economic terms.

Thus security by obscurity is no security as the costs in real economic terms do not bring benefit. It is of no use to spend $1,000,000 protecting a $1,000 asset. This is a loss and thus it is not a decision that provides security as the loss exists even before the system goes live.