Security Basics mailing list archives
RE: Concepts: Security and Obscurity
From: "Ken Kousky" <kkousky () ip3inc com>
Date: Thu, 5 Apr 2007 14:23:53 -0400
I think most of the strong feelings on this issue are rooted in attitudes developed in reaction to many of our current federal policies that involve classification of absurd amounts of information that are vital for meaningful public policy debate. Remember you can protect confidentiality à la Bell-LaPadula with no writes down, or you can protect data integrity with no reads down. We've got policy made on unvetted and undisclosed data, all under the pretence of protecting the confidentiality of sources. It's this debate that has made the arguments against obscurity for security purposes a religion amongst many security professionals. Many would say security by obscurity allowed too much policy information to be hidden from public scrutiny. I think the same holds for most organizations' internal policies. Your systems and policies need public vetting.

KWK

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
Sent: Thursday, April 05, 2007 9:35 AM
To: security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity

I think too many people knee-jerk and say, "security through obscurity is bad!" to lots of things. They've heard the phrase spoken by other experts, so that must be the answer. But is a password really much more than obscurity itself?

I think Dave is correct. Security through obscurity ALONE is bad. But it certainly can reduce risk in security measures... When experts typically use this phrase, they, sadly, leave unspoken that "alone" part at the end even though that is really what they mean.

One problem I have with people who dismiss security measures is the assumptions they imply. By saying a security measure is useless and therefore not needed (no matter if it does offer some level of security that is above zero and below perfect), such people are implying that only a perfect security measure will satisfy their needs. And I think it should be an accepted assumption that there is no perfect security measure (silver bullet). Lots of those people just argue for the sake of arguing without really examining their own unspoken assumptions...

Another dangerous assumption deals with threats. What sorts of threats are your arguments geared towards defending against? Some people are gearing all of their security measures towards the dedicated, driven, uber-hacker. Others realize there are many other less-skilled opportunistic insiders and drive-bys that also pose a threat. Gear yourself towards just one, and you might find yourself surprised by the other (or spending so much of your org's money that you run yourself into a very deep hole...).

I'm a decent fan of port knocking. It is not fool-proof and you can misconfigure it, but I really like the added layer of obscurity. You need a specific sequence to open up the service to you. Just like you need a password to open up a service to you. You can still sniff or brute it, but you don't necessarily know something is there to brute, and you might not realize what you're seeing when sniffing a port knock...
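The port-knocking mechanism krymson describes, as an added example that is not part of the thread: a minimal per-source knock tracker run over a constructed packet trace. The knock sequence, the time window and the addresses are assumptions, not values from the post; the trace shows why a wrong port resets progress and why a slow sequence expires, which is what keeps a plain port sweep from opening the service.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed (constructed) knock sequence and completion window; not from the post.
KNOCK_SEQUENCE = (7000, 8000, 9000)
WINDOW_SECONDS = 5.0


@dataclass
class KnockState:
    index: int = 0           # how many ports of the sequence this source has hit in order
    started_at: float = 0.0  # timestamp of the first correct knock in the current attempt


class KnockDaemon:
    """Tracks each source's progress through a static knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = sequence
        self.window = window
        self.progress = defaultdict(KnockState)
        self.opened = []  # (timestamp, src) pairs that completed the sequence

    def on_packet(self, ts, src, dst_port):
        st = self.progress[src]
        # A partial sequence older than the window is discarded, so slow probing
        # cannot accumulate progress across a long scan.
        if st.index and ts - st.started_at > self.window:
            st.index = 0
        if dst_port != self.sequence[st.index]:
            # Any out-of-order port resets; a sequential sweep never creeps forward.
            # The packet may itself be a fresh first knock, so allow a restart.
            st.index = 1 if dst_port == self.sequence[0] else 0
            st.started_at = ts
            return False
        if st.index == 0:
            st.started_at = ts
        st.index += 1
        if st.index == len(self.sequence):
            self.opened.append((ts, src))
            st.index = 0
            return True
        return False


def run_trace(trace, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Feed (timestamp, src, dst_port) events through the daemon; return admitted sources."""
    daemon = KnockDaemon(sequence, window)
    for ts, src, port in trace:
        daemon.on_packet(ts, src, port)
    return [src for _, src in daemon.opened]


# Constructed trace: one correct client, one port sweep, one client that is too slow.
SAMPLE_TRACE = [
    (0.0, "10.0.0.5", 7000), (0.5, "10.0.0.5", 8000), (1.0, "10.0.0.5", 9000),
    (2.0, "10.0.0.9", 7000), (2.1, "10.0.0.9", 7001), (2.2, "10.0.0.9", 8000), (2.3, "10.0.0.9", 9000),
    (10.0, "10.0.0.7", 7000), (20.0, "10.0.0.7", 8000), (20.5, "10.0.0.7", 9000),
]
```

Because the sequence is a static shared secret sent in the clear, any source that reproduces it is admitted, which is the "you can still sniff it" caveat in the post and why the knock is a layer in front of authentication rather than a substitute for it.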