Full Disclosure mailing list archives
Re: New paper on Security and Obscurity
From: gadgeteer () elegantinnovations org
Date: Wed, 1 Sep 2004 11:08:58 -0600
On Wed, Sep 01, 2004 at 07:02:18AM -0400, Dave Aitel (dave () immunitysec com) wrote:
The paper itself is academic fluff. It's not your fault, it's just that you've never written an exploit and have no technical background, so you've got a keyhole view into a large issue. Example:
network rule [...]
It might be good to focus on what's really different, instead of trying to make up analogies or meaningless equations. If your paper cut every paragraph starting with "Consider an analogy from the physical world" then it would be much better off. Your fundamental conclusion, that "there is no logical or necessary difference between cybersecurity and physical security" is simply wrong. There are many logical and necessary differences based in information theory for why the two are completely disparate. Do you know if you got hacked today? Do you know if I stole your chair today?
(1st paragraph p. 27) This paragraph is soooo wrong. The only people who might try to defend such falsity are CEOs, CTOs (etc.) of proprietary software companies. There is an analogy about "fishing for vulnerabilities" that is passed around in computer security circles. It is a good one because it provides some insight without invoking a lot of baggage. OTOH, your use of "machine gun nests" drags an entire baggage train behind it. Another sign to look for when re-writing your paper is 'intuition'. The content of human intuition is an extremely variable thing. It is based on the experience and training of the particular human in question. An example is 'folk physics', AKA "commonsense" physics. It only works at macroscopic scale on the surface of Earth without extreme conditions. Outside of this narrowly defined box it falls flat.
When papers like this affect legal doctrine, they are extremely harmful. You should consider not publishing it.
I agree with Dave on this very strongly.

--
Chief Gadgeteer
Elegant Innovations

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- New paper on Security and Obscurity Peter Swire (Aug 31)
- Re: New paper on Security and Obscurity gadgeteer (Sep 01)
- Re: New paper on Security and Obscurity Dave Aitel (Sep 01)
- Re: New paper on Security and Obscurity gadgeteer (Sep 01)
- Re: New paper on Security and Obscurity stephane nasdrovisky (Sep 01)
- Re: New paper on Security and Obscurity stephane nasdrovisky (Sep 01)
- Re: New paper on Security and Obscurity Barry Fitzgerald (Sep 01)
- RE: Response to comments on Security and Obscurity Peter Swire (Sep 01)
- RE: Response to comments on Security and Obscurity Dave Aitel (Sep 01)
- Security & Obscurity: First-time attacks and lawyer jokes Peter Swire (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Georgi Guninski (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Honza Vlach (Sep 03)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Dave Aitel (Sep 02)
- Re: Security & Obscurity: First-time attacks and lawyer jokes Mr. Rufus Faloofus (Sep 02)
- RE: Response to comments on Security and Obscurity Peter Swire (Sep 01)