Gentoo Archives: gentoo-security

From: Andrew Ross <aross@×××××××××××.au>
To: gentoo-security@l.g.o
Cc: geeks@××××××.au
Subject: [gentoo-security] Security without obscurity (was: [gentoo-security] firewall suggestions?)
Date: Sun, 01 Feb 2004 00:13:01
Message-Id: 401C3BFF.3050309@westnet.com.au
In Reply to: Re: [gentoo-security] firewall suggestions? by Stewart Honsberger
Stewart Honsberger wrote:

> I don't send anything back to any unexpected port probes because I don't
> want to.
>
> Sure, to some extent it is security through obscurity, but the old
> adage isn't entirely correct. If not for security through obscurity
> we'd all have our PIN numbers sharpie'd on our ATM cards.
Actually, keeping my PIN secret isn't security through obscurity. The idea of security without obscurity focuses on keeping the number of secrets to an absolute minimum. Systems designed around security through obscurity tend to rely on the secrecy of certain procedures or algorithms; once these are discovered by third parties, the security of the system has been reduced.

Moving back to the PIN/ATM example: ideally, your PIN should be the ONLY secret involved; the encryption algorithms and communication protocols could all be public. In the real world, this isn't feasible (e.g. ATMs do not authenticate themselves to the card holder. If the algorithms and protocols were public, someone could theoretically construct a trojan ATM and collect people's PINs and bank cards).

Cheers

Andrew

P.S. It's a PIN, not a Personal Identification Number (PIN) Number :-) Sorry, but it's one of my pet hates (just like Automatic Teller Machine (ATM) machines).

-- 
gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] Security without obscurity Mike Tangolics <mtangolics@××××××××.net>