Security Basics mailing list archives

Re: Re: Concepts: Security and Obscurity


From: "Lord Bane" <lordl3ane () gmail com>
Date: Fri, 20 Apr 2007 19:34:08 -1000

Dan/Craig;

I'm really disappointed that there was a "decision" to terminate this
thread.  Although I have to admit that this is a very long and loud
thread, I believe that this topic is a fundamental issue in combining
Information Technologists into a Security/Law Enforcement career
field.  The very fact that it has spawned such an in-depth debate is
the very reason it should be considered.  If the intent of this forum
is to create a bunch of soap boxes and shut down any real security
discussions between professionals both old hats and new blood, then
this place is a waste.

It's 100% acceptable to disagree.  If everyone thought the same, we
would never advance as a society.  It's the nature of innovation to be
deviant from the accepted culture.  This is exactly what our Black-Hat
adversaries do on a daily basis.  To shun the process of academic
discussion on what works and what doesn't isn't helpful.  There are
still obvious concepts that are not being communicated.  Instead of
getting frustrated and annoyed, take it upon your professional selves
to champion and challenge your beliefs at the same time.

1)  Again I would like to point out that obscurity *IS NOT* a
preventative or detective control, it's an avoidance control!

2)  A firewall is not a type of obscurity since there is not a random
chance someone will come across the systems behind the firewall by
hammering against the firewall itself.

3)  Non-encrypted steganography IS an example of obscurity since it's
publicly viewable, if someone happens to look for it.  I believe this
may have been the one prime example of successful obfuscation.

4)  Books get old and talk about yesterday's methodology.  I've used
books as classic examples of why people who just read and accept
things are probably one of the worst candidates to be considered
security professionals.  Maybe that works in information technology,
but it does not work in security.  Quoting books, and relying on
authorship as a prime reason for your correctness is asinine in my
opinion.  I've quoted books in writing papers about what not to do and
in propagation of misleading information within the security
community.

Sincerely,

Eric B.


-----Original Message-----

From: Daniel Miessler [mailto:daniel (at) dmiessler (dot) com]
Sent: Thursday, 19 April 2007 6:06 AM
To: Craig Wright
Cc: Nhon Yeung; TheGesus; Florian Rommel; levinson_k (at) securityadmin (dot) info;
security-basics (at) securityfocus (dot) com
Subject: Re: Concepts: Security and Obscurity

On Apr 18, 2007, at 3:20 PM, Craig Wright wrote:

> Again as I have stated - the number of scans or some arbitrary
> reduction which has been argued in the number of people who know of
> the service are irrelevant.

Irrelevant?

What sort of academic gyrations do you need to go through in order
to realize that a server that's behind a firewall and is only
connected to by 100 internal users is MORE SECURE than that IDENTICAL
server exposed to billions of potentially malicious systems online
(in addition to the same 100 users)?

And this is what obscurity does -- it *effectively* reduces the
attack surface of your system while the obfuscation is in effect.

It doesn't require a committee, an academic paper, or an elaborate
experiment to realize that reducing your potential attackers from
1,000,000,000 to 100 improves your security. It's so obvious that I'm
losing IQ points just by arguing about it. You're giving academia a
bad name by using big words to illustrate your inability to grasp a
concept that your less-educated colleagues understood the instant
they saw it. It's precisely the type of behavior that fosters
stereotypes about academia.

And the PhD who writes infosec books for O'Reilly who thinks you're
insane will likely mention this when he blogs about this thread. Good
luck with that.

Wow, I'm entirely too riled up about this. :)

--
Daniel Miessler
E: daniel (at) dmiessler (dot) com
W: http://dmiessler.com
G: 0xDA6D50EAC
