Gentoo Archives: gentoo-security

From: Mike Tangolics <mtangolics@××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Security without obscurity
Date: Sun, 01 Feb 2004 19:59:14
In Reply to: [gentoo-security] Security without obscurity (was: [gentoo-security] firewall suggestions?) by Andrew Ross
Hash: SHA1

This may be a tad offtopic but I had to mention it.  There actually
already has been a case of people setting up faux ATM's.

Andrew Ross wrote:
| Stewart Honsberger wrote:
|> I don't send anything back to any unexpected port probes because I
|> don't want to.
|> Sure, to some extent it is security through obscurity, but the old
|> addage isn't entirely correct. If not for security through obscurity
|> we'd all have our PIN numbers sharpie'd on our ATM cards.
| Actually, keeping my PIN secret isn't security through obscurity.
| The idea of security without obscurity focuses on keeping the number of
| secrets at an absolute minimum. Systems designed around security through
| obscurity tend to rely on the secrecy of certain procedures or
| algorithms - once these are discovered by third parties, the security of
| the system has been reduced.
| Moving back to the PIN/ATM example:
| Ideally, your PIN should be the ONLY secret involved - the encryption
| algorithms and communication protocols could all be public. In the real
| world, this isn't feasible (eg. ATMs do not authenticate themselves to
| the card holder. If the algorithms and protocols were public, someone
| could theoretically construct a trojan ATM and collect people's PINs and
| bank cards).
| Cheers
| Andrew
| P.S It's a PIN, not a Personal Identification Number (PIN) Number :-)
| Sorry, but it's one of my pet hates (just like Automatic Teller Machine
| (ATM) machines).
| --
| gentoo-security@g.o mailing list
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -


gentoo-security@g.o mailing list