Interesting People mailing list archives

Re: Security By Obscurity = Ignorance Is Strength


From: David Farber <dave () farber net>
Date: Wed, 3 Sep 2008 20:10:35 -0400



Begin forwarded message:

From: Rod Van Meter <rdv () sfc wide ad jp>
Date: September 3, 2008 7:31:45 PM EDT
To: Peter John Hill <peterjhill () mac com>, David Farber <dave () farber net>
Subject: Re: [IP] Re: Security By Obscurity = Ignorance Is Strength

There is a risk that "bad
people" will find a vulnerability before a "good person" does. Thus is
born the zero-day attack. On the other hand, there are many many many
research groups who are working to find the bugs before the "bad
people" do.


More importantly, the goal is not to find and fix problems in the field
before the bad guys find and exploit them, it's to open up the *design
phase* so that vulnerabilities are found and fixed *before widespread
deployment*.

In that sense, it doesn't even necessarily matter if the problems are
found by White Hats or Black Hats -- if the Black Hats can't keep their
collective mouths shut and wait patiently for deployment and a good
opportunity to exploit, then they in effect do the work of White Hats.
(Not that I know of any such instance, but It Could Happen.)

In theory, you could design an airplane, a building, a microprocessor, a
security system, or an operating system the same way.  When asking for a
community to help with your design, you simply have to balance the work
of managing distributed contributors, including analyzing the *possible*
problems they find, versus the work of doing it all yourself.
(Certainly the hassle of setting up a SourceForge page and getting help
wouldn't pay off if your goal is to have a good "Hello, world" program.)

                --Rod