Please don't misinterpret me, I am genuinely in search of a practical,
reasonable opinion: how does one distinguish security through
obscurity from ``real'' security? Should one apply that standard to a
corporate security policy? Why or why not?
From: "Johnson-Bryden, Ian" <IJB @
Date: Thu, 09 Nov 95 09:39:00 GMT
X-Mailer: Microsoft Mail V3.0
Sender: owner-gateway-firewalls @
If someone has produced a real risk/security policy it should not be
released to anyone other than authorised users for obvious reasons. If it is
similar to a 'Corporate Mission Statement' it wont be worth much. If it is a
fully detailed document which someone has unwisely made public, it should
only be meaningful to the owner because of those unique elements to that
enterprise, other than it shows how one outfit approached the issues. There
are now a range of books which cover risk/security policy generation in
varying detail and from different perspectives.