Security Basics mailing list archives
RE: RE: Re: Concepts: Security and Obscurity
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Tue, 17 Apr 2007 09:05:26 +1000
"I'm not sure how you are defining survivability, but if you put an
unpatched Windows system on the Internet, it will be compromised in 20
minutes. Change the ports, and it will survive far longer."
Fine - prove me wrong, do the experiment and show us the evidence.
Please, I do mean this.
"You used the word survivability, but your original assertion wasn't
limited to survivability."
Fine, then give us a validly definable concept for security to test. The
number of scans is not a function of security. This is just a statistic.
The number of port scans for instance has nothing to do with how
secure a system or site is (feel free to prove me wrong, but with
evidence). Time based security is nothing new, this is a survivability
factor.
In case you have not noted it, by survivability I am referring to the
probabilistic modeling of hazard functions. Hazard functions in this
instance represent the risk model.
If you want - make the experiment a group of unpatched windows hosts and
use these as the benchmark - time the survival from those with ports
changed to those in a default state. A valid experiment and this would
give the answer to the question of obscurity.
Scientifically however, the Null hypothesis holds until disproven. The
statement that there is no additional gain through the addition of a
layer of obscurity is the null hypothesis. I am challenging you to prove
this wrong.
"I've given what I feel is proof, you just rejected my proof due to the
scope from which it comes."
I do not care where it comes from and I will even help wholeheartedly
ANY valid attempt to prove me wrong. Proof is something that is
quantifiable and replicable. It is not a statement of belief. That is
philosophy and I am not interested in the philosophy of security at the
moment, rather this is a scientific test of proof I am requesting.
Proof is not based on anecdote or opinion. It requires fact. If you
want to do this using an unpatched Windows box - go for it. Set up a
series of unpatched hosts (or virtual hosts) all running the same
services and of about the same speed. Set some up with the standard
ports, hide the other ports. Time how long it takes to compromise them
and validate the results statistically with an ANOVA test.
You do not have to rely on my experiment - propose one yourself. It just
has to be valid and unbiased.
As for "If you want to state that obscurity does not make a system any
more survivable, that's quite different from saying that obscurity never
has any positive benefit for anyone." Please explain how. Are you
stating that a warm fuzzy feeling but no improvement in the time to
detect or respond to an attack is a valid part of security? That false
security really helps?
Regards,
Craig
validation, proof, substantiation
the act of validating; finding or testing the truth of something
any factual evidence that helps to establish the truth of something;
"if you have any proof for what you say, now is the time to produce it"
Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of levinson_k () securityadmin info
Sent: Tuesday, 17 April 2007 1:53 AM
To: security-basics () securityfocus com
Subject: Re: RE: Re: Concepts: Security and Obscurity
> I stated survivability - the number of scans by service not the key to this test.
Most computer security professionals don't discuss survivability or use it as the ONLY measure of security. Survivability is a subset of overall security. It is not fair or ideal to limit the argument only to survivability. You used the word survivability, but your original assertion wasn't limited to survivability. When you assert that obscurity is not beneficial, and will always cause an increase in both costs and risks in every situation, you're not talking survivability, you're talking overall security. That is a risk assessment statement that has to be answered by risk assessment, not just survivability. If you want to state that obscurity does not make a system any more survivable, that's quite different from saying that obscurity never has any positive benefit for anyone. And I'm not sure I would agree with that statement. I'm not sure how you are defining survivability, but if you put an unpatched Windows system on the Internet, it will be compromised in 20 minutes. Change the ports, and it will survive far longer.
> all cases is near impossible, but you have to prove the positive, and this is not being done. You have not as yet proved proof.
I've given what I feel is proof, you just rejected my proof due to the scope from which it comes. To give proof relating to the example of wireless... a good example of obscurity with wireless would be disabling SSID broadcast. The benefit of this has been debated (again because it does not defeat a determined attacker, and was never designed to). Nevertheless, doing so is a common security suggestion and at least some people find this a useful benefit, especially in home uses where nonskilled attackers and viruses are a much more likely risk than a determined attacker. Disabling SSID broadcast raises the bar that an attacker must pass to compromise a system. If you choose not to disable SSID broadcast, that's your call, and it can be the right call depending. But you're arguably lowering the bar to the point where unskilled attackers become equal in threat as determined attackers. All you need to crack the system is any unpatched or unmitigated vuln. The attacker no longer needs skill, time or effort.

kind regards,
Karl Levinson
http://securityadmin.info
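The experiment Craig proposes above (two groups of identical unpatched hosts, one on default ports and one on moved ports, time to first compromise recorded, results compared with an ANOVA) produces survival data, and his "hazard function" framing is the standard way to analyse it. The following is an added example, not code from either poster: it carries the analysis through on constructed time-to-compromise numbers (the two lists, the 24-hour observation window and every function name are assumptions made here for illustration, not measurements from any real experiment). It computes the Kaplan-Meier survival curve and cumulative hazard for each group, the one-way ANOVA F statistic Craig asks for, and a log-rank test, which is the usual choice when some hosts are still uncompromised when the window closes (censored observations), a case the ANOVA cannot represent directly.

```python
"""Added example: analysing the port-obscurity experiment proposed in the thread.

Two groups of identical unpatched hosts are exposed; one keeps default ports,
the other has them moved.  Time to first compromise is recorded per host.
All numbers below are CONSTRUCTED for illustration, not measured."""
import math
from statistics import mean

OBS_WINDOW = 1440.0  # minutes the hosts were watched (24 h); an assumption

# Minutes until compromise for each host.  None = still uncompromised when the
# window closed (a right-censored observation).  Constructed, not measured.
DEFAULT_PORTS = [18.0, 22.5, 31.0, 40.0, 55.0, 62.0, 75.0, 90.0]
MOVED_PORTS = [210.0, 340.0, 560.0, 790.0, None, None, None, None]


def observations(times, window=OBS_WINDOW):
    """(time, event) pairs: event=1 compromised at time, event=0 censored at window."""
    return [(window, 0) if t is None else (float(t), 1) for t in times]


def kaplan_meier(obs):
    """Survival function S(t) = P(host not yet compromised by t), stepping down at
    each compromise time.  Censored hosts stay in the at-risk set until they drop out."""
    survival, curve = 1.0, []
    for t in sorted({x for x, e in obs if e}):
        d = sum(1 for x, e in obs if e and x == t)   # compromised exactly at t
        n = sum(1 for x, _ in obs if x >= t)         # still at risk just before t
        survival *= 1.0 - d / n
        curve.append((t, survival))
    return curve


def cumulative_hazard(obs):
    """H(t) = -ln S(t): the accumulated compromise risk (the thread's hazard function)."""
    return [(t, -math.log(s)) for t, s in kaplan_meier(obs) if s > 0]


def median_survival(obs):
    """First time at which at least half the hosts are compromised; None if not reached."""
    for t, s in kaplan_meier(obs):
        if s <= 0.5 + 1e-9:        # tolerance for floating-point products
            return t
    return None


def one_way_anova(groups):
    """F statistic for the ANOVA suggested in the thread.  Every host must have a
    number, so callers score censored hosts at the window length; that understates
    the moved-port group's advantage, making the test conservative."""
    values = [v for g in groups for v in g]
    grand = mean(values)
    ss_between = sum(len(g) * (mean(g) - grand) ** 2 for g in groups)
    ss_within = sum((v - mean(g)) ** 2 for g in groups for v in g)
    df_b, df_w = len(groups) - 1, len(values) - len(groups)
    return (ss_between / df_b) / (ss_within / df_w), df_b, df_w


def log_rank(obs_a, obs_b):
    """Two-sample log-rank test, which handles censoring properly.
    Returns the chi-square statistic (1 df) and its p-value."""
    times = sorted({x for x, e in obs_a + obs_b if e})
    o_minus_e = var = 0.0
    for t in times:
        n_a = sum(1 for x, _ in obs_a if x >= t)
        n_b = sum(1 for x, _ in obs_b if x >= t)
        d_a = sum(1 for x, e in obs_a if e and x == t)
        d_b = sum(1 for x, e in obs_b if e and x == t)
        n, d = n_a + n_b, d_a + d_b
        o_minus_e += d_a - d * n_a / n                    # observed minus expected in A
        if n > 1:                                         # hypergeometric variance
            var += d * (n_a / n) * (n_b / n) * (n - d) / (n - 1)
    chi2 = o_minus_e ** 2 / var
    return chi2, math.erfc(math.sqrt(chi2 / 2.0))         # upper tail of chi-square(1)


def compare(default_times, moved_times):
    """Run both tests on the two groups and return the headline numbers."""
    a, b = observations(default_times), observations(moved_times)
    f, df_b, df_w = one_way_anova([[t for t, _ in a], [t for t, _ in b]])
    chi2, p = log_rank(a, b)
    return {"median_default": median_survival(a), "median_moved": median_survival(b),
            "anova_F": f, "anova_df": (df_b, df_w),
            "logrank_chi2": chi2, "logrank_p": p}


if __name__ == "__main__":
    for key, value in compare(DEFAULT_PORTS, MOVED_PORTS).items():
        print(f"{key}: {value}")
```

On the constructed data the moved-port group's median time to compromise is 790 minutes against 40 for the default group, the F statistic (1 and 14 degrees of freedom) is far above the tabulated 5% critical value of 4.60, and the log-rank p-value is well below 0.001, so the null hypothesis Craig states (no gain from the obscurity layer) would be rejected for that data. The numbers are invented, so that says nothing about real hosts; the point is that the proposed experiment is straightforward to analyse once run, and that censoring, not the test choice, is the detail most likely to bias a naive ANOVA in favour of the null.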