Full Disclosure
mailing list archives
Re: Re[2]: Response to comments on Security and Obscurity
From: James Tucker <jftucker () gmail com>
Date: Wed, 1 Sep 2004 21:05:21 +0100
On Wed, 1 Sep 2004 21:33:55 +0400, 3APA3A <3apa3a () security nnov ru> wrote:
really poor. I can break my own ass by falling into the pit, and I will
never have another one. In the informational world (like in any business),
all I risk is no more than money.
Of course no one was ever hurt as a result of poor computer security. (sarcasm)
Count yourself lucky that your business is only commercial; some of
mine aren't, and problems in systems can cause injuries and fatalities.
When you are in this situation you will give high regard to all
possible areas of security; none is less relevant than any other, as
it only takes a single hole (physical or virtual) to let an intruder
in.
But in the case of your quotation, you have a lot of mistakes because of
misunderstanding the real world. It's really impossible to show your mistake
because at least this part of your paper is one large mistake.
Currently, the situation where someone breaks a program's protection to put a virus
into it is really strange and probably taken from Hollywood. There
are crackers (not hackers, it's a different term) who break program
protection for illegal copying. Yes, they are criminals. But I see no
relation between breaking a program's copy protection mechanism and
informational security, just as (OK, you wanted analogies) there is no
relation between VHS tape copy protection (there are some techniques
used by film distribution companies to prevent illegal copying) and
physical security.
Actually, there is, to follow the same analogy: if the Hollywood
production company never releases any copies of the film, then it won't
get cracked or copied, unless of course their physical security was
breached.
The situation in your analogy also came from Hollywood: a cracker buying a new
copy of the program after a trap catches debugging. Unlike the real world, in a
computer there is always a chance to roll back and to try to
break the protection again and again on the same copy of the program. You're
trying to compare a real situation from the physical world with something
impossible in the informational world. How can someone who understands it
see any analogy?
Further on the physical to information systems comparison: how do you
exploit a computer in Russia from a computer in New York if there is
no physical data path between them? (The answer is directed
electromagnetic radiation, but there certainly aren't any hackers in
the world who have access to such a device, if anyone does. In this case
the only defense is physical infrastructure.)
This is not dissimilar from the discussion that, for example:
You walk into the headquarters of a major business firm and take the
elevator up to the top floor, as you don't have a keycard to get you into
a lower level. It's lunchtime and the secretary at reception has left
her desk. You are free to walk around the corner to the CEO's office
(there are no physical barriers, as these would not "look nice" and
would "impose upon business impressions"). The CEO is a dear chap who
forgets to lock his workstation when he goes to lunch. Where did all
that hard effort of virtual security go? This is not an uncommon
scenario. The strongest audits in the world fail you for this kind of
possibility; again, count yourself lucky in this regard.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html