Gentoo Archives: gentoo-security

From: Mike Tangolics <mtangolics@××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Security without obscurity
Date: Sun, 01 Feb 2004 19:59:14
Message-Id: 401D54B9.7050502@patmedia.net
In Reply to: [gentoo-security] Security without obscurity (was: [gentoo-security] firewall suggestions?) by Andrew Ross
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This may be a tad offtopic but I had to mention it.  There actually
already has been a case of people setting up faux ATM's.

http://www.globetechnology.com/servlet/story/RTGAM.20030812.gtatmm0812/BNStory/Technology/

Andrew Ross wrote:
| Stewart Honsberger wrote:
|
|> I don't send anything back to any unexpected port probes because I
|> don't want to.
|>
|> Sure, to some extent it is security through obscurity, but the old
|> addage isn't entirely correct. If not for security through obscurity
|> we'd all have our PIN numbers sharpie'd on our ATM cards.
|
|
| Actually, keeping my PIN secret isn't security through obscurity.
|
| The idea of security without obscurity focuses on keeping the number of
| secrets at an absolute minimum. Systems designed around security through
| obscurity tend to rely on the secrecy of certain procedures or
| algorithms - once these are discovered by third parties, the security of
| the system has been reduced.
|
| Moving back to the PIN/ATM example:
|
| Ideally, your PIN should be the ONLY secret involved - the encryption
| algorithms and communication protocols could all be public. In the real
| world, this isn't feasible (eg. ATMs do not authenticate themselves to
| the card holder. If the algorithms and protocols were public, someone
| could theoretically construct a trojan ATM and collect people's PINs and
| bank cards).
|
| Cheers
|
| Andrew
|
| P.S It's a PIN, not a Personal Identification Number (PIN) Number :-)
| Sorry, but it's one of my pet hates (just like Automatic Teller Machine
| (ATM) machines).
|
| --
| gentoo-security@g.o mailing list
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAHVS57ntAARlGIUERAgkfAJ4sil86TWGFsmkFa8UOl1QKBhrKegCgnP18
c5pvsCyRuXDWziIebvkRASc=
=Ze97
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list