Full Disclosure mailing list archives

Re[2]: Response to comments on Security and Obscurity


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 1 Sep 2004 21:33:55 +0400

Dear Peter Swire,

--Wednesday, September 1, 2004, 7:27:17 PM, you wrote to bkfsec () sdf lonestar org:


PS>     Dave Aitel also criticizes analogies of computer and physical security.  Is
PS> that topic strictly off-limits for discussion?  Yes, sometimes information
PS> can be copied but chairs cannot.  Does that change everything about
PS> security?  The paper proposes explanations for why computer and physical
PS> security are often different, because computer security often features a
PS> high number of attacks, learning by attackers from each attack, and
PS> communication among attackers.  At the same time, some physical situations
PS> have those same features. Where is the flaw in that analysis?

As far as my poor English allows me to understand, Dave correctly
criticises analogies between information theory and the physical world,
not between physical and information security. In your case the analogy
is really poor. I can break my own ass by falling into the pit, and I
will never have another one. In the informational world (like in any
business) all I risk is not more than money.

But in the case of your quotation, you have a lot of mistakes because of
misunderstanding the real world. It's really impossible to show your
mistake because at least this part of your paper is one large mistake.
Currently, the situation where someone breaks a program's protection to
put a virus into it is really strange and probably is taken from
Hollywood. There are crackers (not hackers, it's a different term) who
break program protection for illegal copying. Yes, they are criminals.
But I see no relation between breaking a program's copy protection
mechanism and informational security, like (OK, you wanted analogies)
there is no relation between VHS tape copy protection (there are some
techniques used by film distribution companies to prevent illegal
copying) and physical security.

The situation of your analogy also came from Hollywood: a cracker buying
a new copy of the program after a trap catches debugging. Unlike the
real world, in a computer there is always a chance to make a roll back,
and to try to break the protection again and again on the same copy of
the program. You're trying to compare a real situation from the physical
world with something impossible from the informational world. How can
someone who understands it see any analogy?


-- 
~/ZARAZA
Even if you receive some letter, you still won't be able to read it. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
