Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] security through obscurity



On Thu, Mar 28, 2013 at 02:51:05PM -0400, Richard Pieri wrote:
> On 3/28/2013 2:21 PM, Derek Martin wrote:
> > This is nonsense.  A script kiddie will go away after at most a
> > handful of meager attempts.  A well-informed, extremely determined
> 
> Wow. You utterly missed the point. When I say "assume an attacker will
> get in" it's not a statement of fact. It's a statement of philosophy.

I utterly did not.  I addressed that directly, in the part you didn't
quote, about risk management.  What I'm attempting to point out is that 
it's a very narrow philosophy.  You should not assume that your
measure will work; but you should expect that they will work
*sometimes*, and understand the value of that.  There are measures you
can take which are cheap and which will ELIMINATE low-hanging fruit,
whereas the more "thorough" approach which ignores those may allow
them to mount their attack, and by some miracle penetrate your
otherwise excellent defenses.  Like my zero-day example.

> I believe it was you who mentioned bank vaults. 

It wasn't, but no matter.

> I can't secure the front door anywhere near as well as I can secure
> the vault. What I can do is rigorously control access between the
> door and the vault. 

Surely by now you understand that this point is not lost on me, nor 
have I ever said you should ignore such concerns in favor of security
PURELY by obscurity, or anything remotely similar.  My premise
throughout simply has been that security by obscurity has its place,
and can be an effective tool.   What I've taken issue with is your
absolute rejection of the idea that it can provide any value whatever.

> If you think that hanging a curtain over the front door when the bank is
> closed is any security at all 

I don't.  But if your bank is made of 6-foot thick stone and the door
is the only practical means of entry, then making the door hard to find
IS.  It greatly improves the chances that the cops will drive by and
notice some dudes behaving oddly around an obvious target, before they
manage to gain entry.  Sure you COULD blast a hole in the outer
wall... someone's going to notice that pretty quick, it tends to make
a racket.

Popes and Presidents alike have made use of that very technique for
centuries for a slightly different purpose (but still well within the
purview of security): to escape harm or threat from an attacker, using
an obscured door to an obscured passageway to another obscured door,
their attackers meanwhile unaware that their prey has long since
absconded undetected.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.




BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org