Quotes of the week

FWIW, security by obscurity has a bad rep in some circles, but it is an essential component of any serious security policy. It just should never be the *only* component.
-- Guido van Rossum

[I]t appears to be a packet of pork product, combined with a big sign saying something like: "Warning. If you blow up a bomb right here, you'll get pork stuff all over you before you die -- which might be suboptimal from a religious point of view."

This appears to not be a joke.

-- Bruce Schneier

Quotes of the week

Posted Jul 29, 2010 3:50 UTC (Thu) by AndreE (subscriber, #60148)

The security by obscurity critique is often misused.

There is security in obscurity. The problem is, however, that there is really very little "obscurity" in computing. Networked machines that execute machine instructions locally are not obscure. Operating systems that are found in routers, gateways, and provide the backbone for much of the computing industry are not obscure or small targets. Proprietary code that can still be decompiled or attached to a debugger is not obscure.

The closest thing that fulfills the obscurity criterion now is TPM. Although I'm sure we'll one day have encrypted executables that can only be run on authenticated distributed platforms.

Quotes of the week

Posted Jul 29, 2010 6:16 UTC (Thu) by drag (subscriber, #31333)

If you get somebody raving a bit incorrectly about the invalidity of 'security by obscurity' it's funny to see their reaction when you go:

'Ok, so security through obscurity is always invalid... so what is your password?' (and username, and server address, etc)

:)

100% agree

Posted Jul 29, 2010 7:38 UTC (Thu) by khim (subscriber, #9252)

And this certainly shows what "security through obscurity" can do and what it can not do. In fact the "security through obscurity" motto is centuries old. It's the infamous "you may fool all the people some of the time, you can even fool some of the people all of the time, but you cannot fool all of the people all the time": if an obscure thing is only used on a single site then obscurity helps immensely (the sample is in this LWN issue), but if it's used on millions of routers it can buy you a few days of protection at best (still a good idea sometimes). What it can not do is to "fool all of the people all the time" - but this is an intrinsically very hard problem...

Quotes of the week

Posted Jul 29, 2010 11:06 UTC (Thu) by cesarb (subscriber, #6266)

What people mean by "security by obscurity" is systems that violate Kerckhoffs' principle: "a cryptosystem should be secure even if everything about the system, except the key, is public knowledge".

So yeah, you should be able to reveal your username, server address, operating system version, exact configuration, etc, and as long as you do not reveal the key (in this case your password), your system should still be secure.

Quotes of the week

Posted Jul 29, 2010 7:06 UTC (Thu) by tzafrir (subscriber, #11501)

Only the quote in question seems to refer to potential issues in the code, and not in the data.

Disclaimer: I didn't read the full thread, only the single message (and "thread") quoted here. Perhaps I misunderstood that snippet.

Quotes of the week

Posted Jul 29, 2010 9:18 UTC (Thu) by paulj (subscriber, #341)

A factor v. Rossum's quote leaves out is that the security system should be designed so that the obscure part is a) minimised b) individually obscure (i.e. not shared between different instances). I.e. it should be a key.
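The two points made above by cesarb (Kerckhoffs' principle: everything except the key may be public) and by paulj (the obscure part should be minimised and individual to each instance, i.e. a key) can be shown side by side in code. The following is an added example, not code from any of the commenters or from LWN; the scrambling constant, user names, server name and passwords are constructed for illustration. Design A "protects" stored passwords with a proprietary XOR scheme whose constant is the same in every install; Design B publishes everything (username, server, algorithm, iteration count, salt, even the stored hash) and keeps only the password secret.

```python
"""Kerckhoffs' principle, worked: shared obscurity versus a per-user secret.

Added example; all values below are constructed for illustration.
"""
import hashlib
import hmac
import os

# --- Design A: "security by obscurity", shared by every instance ------------
# A fixed scrambling constant baked into every install (constructed value).
# Reverse-engineering ONE binary reveals it for ALL installs.
SHARED_SCRAMBLE_KEY = b"\x5a\xa5\x3c\xc3\x0f\xf0\x96\x69"


def scramble(password: bytes) -> bytes:
    """Proprietary 'protection': XOR with a constant. Fully reversible."""
    return bytes(b ^ SHARED_SCRAMBLE_KEY[i % len(SHARED_SCRAMBLE_KEY)]
                 for i, b in enumerate(password))


def unscramble(stored: bytes) -> bytes:
    # XOR is its own inverse, so the attacker just applies scramble() again.
    return scramble(stored)


def attacker_recovers_all(stored_scrambles: list) -> list:
    """An attacker who decompiled one device recovers every stored password."""
    return [unscramble(s) for s in stored_scrambles]


# --- Design B: Kerckhoffs-compliant; only the password is secret ------------
ALGORITHM = "pbkdf2_hmac_sha256"   # public
ITERATIONS = 200_000               # public work factor


def enroll(username: str, server: str, password: str, salt: bytes = None) -> dict:
    """Build a record that can be published in full without weakening the login.

    The salt is per user, so nothing in one record helps against another one.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {
        "username": username,
        "server": server,
        "algorithm": ALGORITHM,
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Recompute from the public record; constant-time compare of the digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def attacker_offline_guess(record: dict, guesses: list):
    """With the whole record public, the attacker is reduced to guessing the
    one secret, paying ITERATIONS hash computations per guess."""
    for g in guesses:
        if verify(record, g):
            return g
    return None


if __name__ == "__main__":
    # Design A: two installs, one leaked constant, all passwords gone.
    stored = [scramble(b"hunter2"), scramble(b"correct horse")]
    print("Design A recovered:", attacker_recovers_all(stored))

    # Design B: publish everything except the password; still only a guess attack.
    rec = enroll("alice", "lwn.example", "correct horse")
    print("Design B public record:", rec)
    print("Correct password verifies:", verify(rec, "correct horse"))
    print("Dictionary of 3 guesses finds:",
          attacker_offline_guess(rec, ["password", "hunter2", "letmein"]))
```

Design B deliberately exposes its salt and hash: that is the test of Kerckhoffs' principle, since a scheme that breaks when the stored record leaks was relying on the record's obscurity. Design A's constant is "obscure" in exactly the sense khim describes above: it is shared across every install, so it buys protection only until the first person decompiles one copy.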

Quotes of the week

Posted Aug 6, 2010 1:27 UTC (Fri) by Baylink (subscriber, #755)

I've been saying that for years, but it carries a lot more weight when Guido says it.

These two make an amusing combination as quote of the week.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds