Security Basics mailing list archives

Re: Re: Re: Re: Concepts: Security and Obscurity


From: levinson_k () securityadmin info
Date: 14 Apr 2007 05:44:46 -0000


>> One might as well throw away your antivirus and firewalls, because
>> those won't block social engineering either.

> I don’t understand the relevance of your statement.
> I’ve just stated that Oranges are Orange and Apples are not Oranges;
> and I believe you’ve just gone off and started talking about how we
> shouldn’t grow wheat because it’s not an effective fuel for space travel.

The relevance is that some here are arguing against obscurity by pointing out that obscurity doesn't block determined 
attackers.  Obscurity was never intended to block that.  Judging a countermeasure as useless because it won't block 
something it was never intended to block is not an accurate assessment.  I'm suggesting such an argument is comparing 
apples to oranges.

Antivirus doesn't prevent determined attackers either.  Determined attackers will make a new unseen file or use other 
tricks to evade antivirus signatures for known malware.  But can you imagine anyone successfully arguing that "You 
shouldn't use antivirus, because it only protects you from viruses, not determined attackers?"  If a countermeasure 
like AV or obscurity does nothing except protect you from most viruses (which is just what antivirus does), isn't that 
an obviously good thing, an obvious reduction in risk?  Most people seem to think so, in deciding to spend billions of 
dollars yearly on antivirus software.

Surely you will have to agree with me that the number of determined attackers is less than the number of script kiddies 
plus number of virus-infected hosts.  Furthermore, it seems likely that your Internet-facing hosts are scanned far more 
frequently by scripts and viruses than by determined attackers.  So, if you were able to protect yourself against the 
latter, would that not be a desirable, beneficial reduction in risk?  

> Obscurity doesn’t actively BLOCK anything.

Fair enough, poor choice of word on my part.  Change my word "block" to "mitigate," "reduce risk," etc.


> What I’m trying to show you here, is that obscurity is done to make
> the implementer “feel good”.

That's not universally true.  Clearly I'm not advising using obscurity to make anyone feel good.  I'm advising using it 
to lessen the statistical risk of certain kinds of threats.  Personal motive is irrelevant to the effectiveness of a 
countermeasure, just the effectiveness of one implementation of it.

Motive and false sense of security are irrelevant to security.  There are people that install firewall and antivirus to 
make them feel good.  That motive doesn't make these the wrong products to implement.  Furthermore, having antivirus 
can give you a false sense of security.  But if the user gets a false sense of security, that's not the fault of the 
antivirus, that's the user's fault.  That's an effective countermeasure being weakened by poor implementation and 
operation, and it can happen to any countermeasure.

I absolutely agree that obscurity is most effective if the user is advised to be aware what it does and does not 
mitigate.  I also agree that depending on obscurity without this knowledge of the risks can be dangerous.  (But then, 
these statements are true of firewalls, antivirus and most any countermeasure.)


kind regards,
Karl Levinson
http://securityadmin.info

