Home page logo
/

interesting-people logo Interesting People mailing list archives

Re: Security By Obscurity = Ignorance Is Strength
From: David Farber <dave () farber net>
Date: Wed, 3 Sep 2008 20:10:35 -0400



Begin forwarded message:

From: Rod Van Meter <rdv () sfc wide ad jp>
Date: September 3, 2008 7:31:45 PM EDT
To: Peter John Hill <peterjhill () mac com>, David Farber <dave () farber net>
Subject: Re: [IP] Re:    Security By Obscurity = Ignorance Is Strength

There is a risk that "bad
people" will find a vulnerability before a "good person" does. Thus is
born the zero-day attack. On the other hand, there are many many many
research groups who are working to find the bugs before the "bad
people" do.


More importantly, the goal is not to find and fix problems in the field
before the bad guys find and exploit them, it's to open up the *design
phase* so that vulnerabilities are found and fixed *before widespread
deployment*.

In that sense, it doesn't even necessarily matter if the problems are
found by White Hats or Black Hats -- if the Black Hats can't keep their
collective mouths shut and wait patiently for deployment and a good
opportunity to exploit, then they in effect do the work of White Hats.
(Not that I know of any such instance, but It Could Happen.)

In theory, you could design an airplane, a building, a microprocessor, a
security system, or an operating system the same way.  When asking for a
community to help with your design, you simply have to balance the work
of managing distributed contributors, including analyzing the *possible*
problems they find, versus the work of doing it all yourself.
(Certainly the hassle of setting up a SourceForge page and getting help
wouldn't pay off if your goal is to have a good "Hello, world" program.)

                --Rod






-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault