Great Circle Associates Firewalls
(November 1995)

Subject: Re: security through obscurity
From: Dermot Tynan <dtynan@fws.ilo.dec.com>
Organization: Digital Firewall Engineering
Date: Thu, 23 Nov 1995 20:02:49 +0000 (GMT)
To: vin@shore.net (Vin McLellan)
Cc: firewalls@GreatCircle.COM
In-reply-to: <v02130503acda6c5b3e7e@[198.115.179.217]> from "Vin McLellan" at Nov 23, 95 01:22:44 pm

Vin McLellan wrote:
> 
> Actually, Mr. Tynan (apparently inadvertently) and Mr. Vincenzetti
> (from the lofty perch of the Italian CERT) suggested just that.  With no
> apparent evidence beyond the inevitable vague and untraceable rumors.

Considering I didn't suggest that they had a hole, I refuse to see why
I should have to prove it.  I include (for the record) my original
(offending) paragraph:

>> Mark Horn [ Net Ops ] wrote:
>> > 
>> > The point is that obscurity isn't necessarily bad unless it's the
>> > *only* thing that you're using to protect yourself.
>>
>> I couldn't agree more.  In point of fact, a lot of so-called secure
>> systems are based on this [Obscurity] principle.  If you take something
>> like SecurID, and their handheld time-based authentication units, if
>> you knew the algorithm and serial number [should have said "card code",
>> but I think it is obvious what I meant] involved, you could possibly
>> predict the next number.

I was in no way stating that this was feasible or indeed likely.  The
point is that it is a form of obscurity, which is more than adequate
for defence purposes.  If I have a card on my desk, of whatever type,
which "knows" something I don't (i.e., the next series of numbers), then
it is security by obscurity in my book.  Something is being hidden from
me (and from user@hacker.net) which can grant me special privileges.
If "joe down the road" knew what the card knew, he too would have those
privs.  At no time have I suggested or would I suggest, that this was
trivial or that there was some gaping hole which could be exposed.  It
is just a case of STO being a workable solution.  That is, as long as
the Obscurity can be maintained (in this case, either f(x) or x).

> This whole array of threads was spawned by Mr. Tynan's reaction to
> a published comment by Mr. Ranum that a well-designed and solid security
> system doesn't suffer any _loss_ of security if a layer of secrecy
> ("obscurity") is _added to_ that secure design.  He said attackers may
> pause before tackling a (firewall) system they don't recognize.

I don't remember replying to such a posting, and I can't find such a
reply in my mailbox, unless you mean the reply to Mark Horn above.  I
do have to say, I certainly wouldn't disagree with what you quoted.

> In the judgement of SDI's very successful marketeers -- given who
> makes the decision to actually purchase their products -- the lack of a
> cyberpunk free-for-all doesn't hurt their case.

While Netscape got a lot of stick (at a bad time) when their https was
"broken" in two different ways, it was a good lesson for them because
while we're all aware that 40-bit ain't the bees knees, it still took a
lot of horsepower to defeat it.  The key prediction attack, however,
caught them off guard.  To their credit, they fixed it quite quickly,
and no harm was done.  If an undesirable had discovered the same thing,
would it have been as painless?
							- Der
-- 
Dermot Tynan						+353 91 754608
dtynan@ilo.dec.com					 DTN: 822-4608

Digital Equipment International BV, Galway, Ireland

