Security Basics mailing list archives

Re: RE: Re: Concepts: Security and Obscurity


From: levinson_k () securityadmin info
Date: 16 Apr 2007 15:53:23 -0000


> I stated survivability - the number of scans by service not the key
> to this test.

Most computer security professionals don't discuss survivability or use it as the ONLY measure of security.  
Survivability is a subset of overall security.  It is not fair or ideal to limit the argument only to survivability.  

You used the word survivability, but your original assertion wasn't limited to survivability.  When you assert that 
obscurity is not beneficial, and will always cause an increase in both costs and risks in every situation, you're not 
talking survivability, you're talking overall security.  That is a risk assessment statement that has to be answered by 
risk assessment, not just survivability. 

If you want to state that obscurity does not make a system any more survivable, that's quite different from saying that 
obscurity never has any positive benefit for anyone.  And I'm not sure I would agree with that statement.  I'm not sure 
how you are defining survivability, but if you put an unpatched Windows system on the Internet, it will be compromised 
in 20 minutes.  Change the ports, and it will survive far longer.


> all cases is near impossible, but you have to prove the positive,
> and this is not being done. You have not as yet proved proof.

I've given what I feel is proof, you just rejected my proof due to the scope from which it comes.

To give proof relating to the example of wireless... a good example of obscurity with wireless would be disabling SSID 
broadcast.  The benefit of this has been debated (again because it does not defeat a determined attacker, and was never 
designed to).  Nevertheless, doing so is a common security suggestion and at least some people find this a useful 
benefit, especially in home use, where nonskilled attackers and viruses are a much more likely risk than a determined 
attacker.  

Disabling SSID broadcast raises the bar that an attacker must pass to compromise a system.  If you choose not to 
disable SSID broadcast, that's your call, and it can be the right call depending.  But you're arguably lowering the bar 
to the point where unskilled attackers become equal in threat to determined attackers.  All you need to crack the 
system is any unpatched or unmitigated vuln.  The attacker no longer needs skill, time or effort.

kind regards,
Karl Levinson
http://securityadmin.info
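An added example, not part of Karl's post or of this thread: a small Python script that measures the "change the ports" claim above from a firewall log, by counting inbound SYN attempts that hit default service ports versus a service moved to a non-default port, and by listing sources that swept both (the determined-attacker case the post says obscurity does not stop). The iptables-style log lines, the DEFAULT_PORTS table and the moved port 2222 are constructed assumptions for the example.

```python
"""Measure opportunistic scan exposure on default ports vs. a moved service port.

Added example for the mailing-list discussion above; the log lines below are
constructed (RFC 5737 / benchmark addresses), not captured traffic.
"""
import re
from collections import Counter, defaultdict

# Default ports that mass scanners typically try first (assumption for this example).
DEFAULT_PORTS = {22: "ssh", 23: "telnet", 135: "msrpc", 139: "netbios-ssn",
                 445: "microsoft-ds", 3389: "rdp"}

# Constructed iptables LOG-target lines: nine TCP SYNs and one UDP packet.
SAMPLE_LOG = """\
Apr 16 15:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=445 SYN
Apr 16 15:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=139 SYN
Apr 16 15:02:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=445 SYN
Apr 16 15:03:44 gw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=3389 SYN
Apr 16 15:04:01 gw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=33001 DPT=22 SYN
Apr 16 15:05:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.2 PROTO=TCP SPT=60000 DPT=22 SYN
Apr 16 15:06:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.200 DST=198.51.100.2 PROTO=TCP SPT=60001 DPT=23 SYN
Apr 16 15:07:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=45000 DPT=3389 SYN
Apr 16 15:08:15 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=45001 DPT=2222 SYN
Apr 16 15:09:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=UDP SPT=50000 DPT=1900
"""

# Only inbound TCP SYNs count as connection attempts; UDP and non-SYN lines are ignored.
SYN_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) SYN")


def parse_syn_attempts(log_text):
    """Return a list of (source_ip, destination_port) for every TCP SYN line."""
    attempts = []
    for line in log_text.splitlines():
        m = SYN_RE.search(line)
        if m:
            attempts.append((m.group("src"), int(m.group("dpt"))))
    return attempts


def exposure_summary(log_text, service_port):
    """Compare hits on default ports with hits on the port a service was moved to."""
    attempts = parse_syn_attempts(log_text)
    by_port = Counter(dpt for _, dpt in attempts)
    sources_by_port = defaultdict(set)
    for src, dpt in attempts:
        sources_by_port[dpt].add(src)
    default_sources = set()
    for port in DEFAULT_PORTS:
        default_sources |= sources_by_port.get(port, set())
    return {
        "total_syn": len(attempts),
        "default_port_hits": sum(c for p, c in by_port.items() if p in DEFAULT_PORTS),
        "default_port_sources": len(default_sources),
        "service_port": service_port,
        "service_port_hits": by_port.get(service_port, 0),
        "service_port_sources": len(sources_by_port.get(service_port, set())),
        "hits_by_port": dict(by_port),
    }


def sweeping_sources(log_text, service_port):
    """Sources that touched a default port AND the moved port: a port sweep, not an
    opportunistic default-port probe, so moving the port did not raise their bar."""
    sources_by_port = defaultdict(set)
    for src, dpt in parse_syn_attempts(log_text):
        sources_by_port[dpt].add(src)
    touched_default = set()
    for port in DEFAULT_PORTS:
        touched_default |= sources_by_port.get(port, set())
    return touched_default & sources_by_port.get(service_port, set())


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE_LOG, service_port=2222)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("sweeping sources:", sorted(sweeping_sources(SAMPLE_LOG, 2222)))
```

On the constructed log, eight of nine SYNs land on default ports from five distinct sources, while the moved port sees one hit from a single source; that same source also probed 3389, which is what a full-range sweep looks like and why the measurement says nothing about a determined attacker.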

