Full Disclosure mailing list archives
Re: UN support for "security by obscurity"
From: Brian Hatch <full-disclosure () ifokr org>
Date: Fri, 6 Dec 2002 17:10:09 -0800
Another data point in the full-disclosure/security-by-obscurity debate:
...
The United States, Russia, and other countries are concerned about releasing information that would provide "a training manual for how to build weapons of mass destruction," a Western diplomatic source told CNN.
In the computer world we say relying on security through obscurity is bad.[1] However, in this case I might agree with them. It's a very different situation.

We constantly argue that Open Source makes a level playing field, and makes it more possible for us to secure our code. If a bug is found, we can all fix it in the source even before our vendor supplies a new version, for example. If someone writes an exploit, we can use it in legitimate ways to test our servers for weakness and fix them.

I don't think comparing code to nuclear 'secrets' is the same thing. Does publishing the recipe for a bomb make it easier for me to secure anything? We know that big bomb == lots of destruction. We can prepare for lots of destruction equally without ever having the instructions to create the bomb itself. I wouldn't call this security through obscurity.

I cannot think of a legitimate reason that I'd need the 'code' for a missile -- if I want to secure my house from missile attack, I know the results a missile would have. I'd be vaporized. No amount of knowledge about the makings of a nuke would help me there. I can see a reason I need the code for Apache. That's something I use that I can effectively defend from attackers.

And just to continue the analogy, those who possess nuclear technologies may consider themselves the white hats, and want to keep that knowledge from the black hats. Of course they'd define black hats as everyone except themselves.

[1] *Relying* on security through obscurity is bad. However *adding* security through obscurity is good. This distinction is too often overlooked. Why say "I'm running Apache 1.2.26 with mod_perl and mod_ssl version BLAH" when you can just say "Apache"? It only makes it easier for crackers to mark you down on their well-tailored lists.

--
Brian Hatch                   Anxiously awaiting
Systems and                   the millennium so
Security Engineer             I can start programming
http://www.ifokr.org/bri/     dates with 2 digits again.

Every message PGP signed
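The footnote's practical suggestion (announce "Apache", not the full module and version list) maps onto two httpd.conf directives. The fragment below is an added editorial example and is not part of Brian Hatch's message; the shape of the Server header shown in the comments is schematic, with placeholders rather than real version numbers.

```apacheconf
# Added example, not from the original message. Two httpd.conf directives
# control how much Apache says about itself. Use ONE of the two pairs below;
# if both appear, the later directive wins.

# Weak (the historical default): every response carries a header like
#   Server: Apache/<version> (<OS>) mod_perl/<version> mod_ssl/<version> OpenSSL/<version>
# and server-generated error pages end with the same string as a footer.
ServerTokens Full
ServerSignature On

# Hardened: the header shrinks to
#   Server: Apache
# and error pages carry no version footer. "Prod" (ProductOnly) is the
# most restrictive ServerTokens value; "Minimal" would still leak the
# Apache version, "OS" adds the platform, "Full" adds every module.
ServerTokens Prod
ServerSignature Off

# Check from a shell after a reload (placeholder hostname):
#   curl -sI http://www.example.com/ | grep -i '^Server:'
```

This is exactly the "adding, not relying on" case from the footnote: the banner no longer hands a scanner a ready-made version string to match against an exploit list, but the version is still often inferable from behaviour (default error page layout, header ordering, module-specific responses), so the change buys nothing if the software itself is left unpatched.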
Current thread:
- UN support for "security by obscurity" Richard M. Smith (Dec 06)
- Re: UN support for "security by obscurity" Brian Hatch (Dec 06)
- Re: UN support for "security by obscurity" Rick Updegrove (Dec 07)
- *Including* Security through obscurity measures is good. Brian Hatch (Dec 08)
- Re: UN support for "security by obscurity" Rick Updegrove (Dec 07)
- Re: UN support for "security by obscurity" Georgi Guninski (Dec 07)
- Re: UN support for "security by obscurity" Michal Zalewski (Dec 07)
- Re: UN support for "security by obscurity" Brian McWilliams (Dec 07)
- "security by obscurity" Berend-Jan Wever (Dec 07)
- Re: "security by obscurity" Niels Bakker (Dec 08)
- Re: "security by obscurity" Georgi Guninski (Dec 09)
- Re: "security by obscurity" Roland Postle (Dec 09)
- "security by obscurity" Berend-Jan Wever (Dec 07)
- Re: UN support for "security by obscurity" Brian Hatch (Dec 06)
- <Possible follow-ups>
- RE: UN support for "security by obscurity" Schmehl, Paul L (Dec 07)