List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Mike Tangolics <mtangolics@...>
Subject: Re: Security without obscurity
Date: Sun, 01 Feb 2004 14:34:17 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This may be a tad offtopic but I had to mention it.  There actually
already has been a case of people setting up faux ATMs.

http://www.globetechnology.com/servlet/story/RTGAM.20030812.gtatmm0812/BNStory/Technology/

Andrew Ross wrote:
| Stewart Honsberger wrote:
|
|> I don't send anything back to any unexpected port probes because I
|> don't want to.
|>
|> Sure, to some extent it is security through obscurity, but the old
|> adage isn't entirely correct. If not for security through obscurity
|> we'd all have our PIN numbers sharpie'd on our ATM cards.
|
|
| Actually, keeping my PIN secret isn't security through obscurity.
|
| The idea of security without obscurity focuses on keeping the number of
| secrets at an absolute minimum. Systems designed around security through
| obscurity tend to rely on the secrecy of certain procedures or
| algorithms - once these are discovered by third parties, the security of
| the system has been reduced.
|
| Moving back to the PIN/ATM example:
|
| Ideally, your PIN should be the ONLY secret involved - the encryption
| algorithms and communication protocols could all be public. In the real
| world, this isn't feasible (e.g. ATMs do not authenticate themselves to
| the card holder. If the algorithms and protocols were public, someone
| could theoretically construct a trojan ATM and collect people's PINs and
| bank cards).
|
| Cheers
|
| Andrew
|
| P.S It's a PIN, not a Personal Identification Number (PIN) Number :-)
| Sorry, but it's one of my pet hates (just like Automatic Teller Machine
| (ATM) machines).
|
| --
| gentoo-security@g.o mailing list
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAHVS57ntAARlGIUERAgkfAJ4sil86TWGFsmkFa8UOl1QKBhrKegCgnP18
c5pvsCyRuXDWziIebvkRASc=
=Ze97
-----END PGP SIGNATURE-----

Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
