RE: Update to BCP-38?

["Keith Medcalf" <kmedcalf () dessus com>]

On Friday, 4 October, 2019 16:05, William Herrin <bill () herrin us> wrote:

> On Thu, Oct 3, 2019 at 2:28 PM Keith Medcalf <kmedcalf () dessus com> wrote:

> > On Thursday, 3 October, 2019 11:50, Fred Baker <fredbaker.ietf () gmail com> wrote:

> > > A security geek would be all over me - "too many clues!".

> > Anyone who says something like that is not a "security geek".  They
> > are a "security poser", interested primarily in "security by obscurity"
> > and "security theatre", and have no clue what they are talking about.

> It's called "operations security" or "OPSEC." The idea is that from lots
> of pieces of insignificant information, an adversary can derive or infer
> more important information you'd like to deny to him. There's a 5-step
> process used by the U.S. Military but the TL;DR version is: if you don't
> have to reveal something, don't.

You and I have completely different opinions of how security works.  In my world, security must continue to be 
effective even in the face of an adversary that knows everything there is to know about what is being attacked (except 
for some authentication secrets, which of course need to be kept secret).

If the attacker does not already have that information, then obtaining it is usually a rather trivial reconnaissance 
operation.  The job of "securing" something means to make it impervious to outside influence -- it is the other side of 
the "safety" coin -- and Safety and Security go hand in hand.

Security based on keeping something which is trivial to discover secret is trivial security and can still be trivially 
bypassed.

It is telling that of the thousands of "ransomware attacks" that occur each second, only 617 have been successful so 
far this year.  Those victims probably relied on keeping something secret that did not matter.  In other words, they 
expended effort on the wrong things -- their analysis of risk was inherently flawed.

Can you provide a scenario in which knowledge of the VLAN number is a vulnerability that can be exploited?  And if you 
can find one, is there a more effective way to prevent that exploit that will work even if the attacker knows the VLAN 
number?  Would it not be more effective to implement that measure than simply using trivial means (that are trivial to 
defeat) to hide the VLAN number?  This does not mean that you need to publish the VLAN numbers on Facebook for all to 
see, merely that knowledge of that fact is now irrelevant, and that even if the someone posted the VLAN numbers on 
Facebook for all to see, then that would not be helpful to the adversary.

> IMO, anyone who thinks the folks who developed OPSEC don't have a clue is
> the one I find wanting.

Opinions vary.  That is the nature of opinion.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.