Security Basics mailing list archives
Re: Re: Concepts: Security and Obscurity
From: "Lord Bane" <lordl3ane () gmail com>
Date: Fri, 20 Apr 2007 19:34:08 -1000
Dan/Craig;

I'm really disappointed that there was a "decision" to terminate this thread. Although I have to admit that this is a very long and loud thread, I believe that this topic is a fundamental issue in combining Information Technologists into a Security/Law Enforcement career field. The very fact that it has spawned such an in-depth debate is the very reason it should be considered. If the intent of this forum is to create a bunch of soap boxes and shut down any real security discussions between professionals, both old hats and new blood, then this place is a waste.

It's 100% acceptable to disagree. If everyone thought the same, we would never advance as a society. It's the nature of innovation to be deviant from the accepted culture. This is exactly what our Black-Hat adversaries do on a daily basis. To shun the process of academic discussion on what works and what doesn't isn't helpful. There are still obvious concepts that are not being communicated. Instead of getting frustrated and annoyed, take it upon your professional selves to champion and challenge your beliefs at the same time.

1) Again I would like to point out that obscurity *IS NOT* a preventative or detective control, it's an avoidance control!

2) A firewall is not a type of obscurity since there is not a random chance someone will come across the systems behind the firewall by hammering against the firewall itself.

3) Non-encrypted steganography IS an example of obscurity since it's publicly viewable, if someone happens to look for it. I believe this may have been the one prime example of successful obfuscation.

4) Books get old and talk about yesterday's methodology. I've used books as classic examples of why people who just read and accept things are probably one of the worst candidates to be considered security professionals. Maybe that works in information technology, but it does not work in security. Quoting books, and relying on authorship as a prime reason for your correctness, is asinine in my opinion. I've quoted books in writing papers about what not to do and in propagation of misleading information within the security community.

Sincerely,
Eric B.

-----Original Message-----
From: Daniel Miessler [mailto:daniel (at) dmiessler (dot) com]
Sent: Thursday, 19 April 2007 6:06 AM
To: Craig Wright
Cc: Nhon Yeung; TheGesus; Florian Rommel; levinson_k (at) securityadmin (dot) info; security-basics (at) securityfocus (dot) com
Subject: Re: Concepts: Security and Obscurity

On Apr 18, 2007, at 3:20 PM, Craig Wright wrote:
> Again as I have stated - the number of scans or some arbitrary reduction which has been argued in the number of people who know of the service are irrelevant.

Irrelevant? What sort of academic gyrations do you need to go through in order to realize that a server that's behind a firewall and is only connected to by 100 internal users is MORE SECURE than that IDENTICAL server exposed to billions of potentially malicious systems online (in addition to the same 100 users)?

And this is what obscurity does -- it *effectively* reduces the attack surface of your system while the obfuscation is in effect. It doesn't require a committee, an academic paper, or an elaborate experiment to realize that reducing your potential attackers from 1,000,000,000 to 100 improves your security. It's so obvious that I'm losing IQ points just by arguing about it.

You're giving academia a bad name by using big words to illustrate your inability to grasp a concept that your less-educated colleagues understood the instant they saw it. It's precisely the type of behavior that fosters stereotypes about academia. And the PhD who writes infosec books for O'Reilly who thinks you're insane will likely mention this when he blogs about this thread. Good luck with that.

Wow, I'm entirely too riled up about this. :)

--
Daniel Miessler
E: daniel (at) dmiessler (dot) com
W: http://dmiessler.com
G: 0xDA6D50EAC