Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: UN support for "security by obscurity"
From: Brian Hatch <full-disclosure () ifokr org>
Date: Fri, 6 Dec 2002 17:10:09 -0800

Another data point in the full-disclosure/security-by-obscurity debate:
The United States, Russia, and other countries are concerned about
releasing information that would provide "a training manual for how to
build weapons of mass destruction," a Western diplomatic source told

In the computer world we say relying on security through obscurity
is bad.[1]  However in this case I might agree with them.  It's a
very different situation.

We constantly argue that Open Source makes a level playing field, and
makes it more possible for us to secure our code.  If a bug is found,
we can all fix it in the source even before our vendor supplies a new
version, for example.  If someone writes an exploit, we can use it
in legitimate ways test our servers for weakness and fix them.

I don't think comparing code to nuclear 'secrets' is the same thing.
Does publishing the recipe for a bomb make it easier for me to secure
anything?  We know that big bomb == lots of distruction.  We can prepare
for lots of distruction equally without ever having the instructions
to create the bomb itself.

I wouldn't call this security through obscurity.

I cannot think of a legitimate reason that I'd need the 'code' for
a missle -- if I want to secure my house from missle attack, I know
the results a missle would have.  I'd be vaporized.  No amount of
knowledge about the makings of a nuke would help me there.

I can see a reason I need the code for Apache.  That's something I
use that I can effectively defend from attackers.

And just to continue the analogy, those who posses nuclear technologies may
consider themselves the white hats, and want to keep that knowledge
from the black hats.  Of course the'd define black hats as
everyone except themselves. 

[1] *Relying* on security through obscurity is bad.
     However *adding* security through obscurity is good.
     This distinction is too often overlooked.  Why say "I'm
     running Apache 1.2.26 with mod_perl and mod_ssl version
     BLAH" when you can just say "Apache"?  It only makes it
     easier for crackers to mark you down on their well-
     tailored lists.

Brian Hatch                  Anxiously awaiting
   Systems and                the millenium so
   Security Engineer          I can start programming
http://www.ifokr.org/bri/     dates with 2-digits again.

Every message PGP signed

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]