RE: Concepts: Security and Obscurity

["Mandelcorn, Seymour" <smandelc () umd edu>]

Are you aware of any scientific study that proves your point that
"Security by Obscurity is an ineffective control" and that any benefit
is outweighed by the cost?

Some simple technique like disallowing DNS transfers enhance security
without causing lost of functionality.
 

                Seymour M. Mandelcorn, M.S. 
                System Administrator 
                Institute for Govermental Service and Research
                University of Maryland 
                9658 Baltimore Blvd, Suite 205 
                College Park, Maryland 20742 
                Telephone: 301 397-2349 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Craig Wright
Sent: Wednesday, April 04, 2007 8:15 PM
To: warl0ck () metaeye org; security-basics () securityfocus com
Subject: RE: Concepts: Security and Obscurity

What is forgotten is that there is an economic/financial cost to all
controls.

A control is only effective if the cost of the control provides more
utility than not having the control. Thus a control that provides some
security at a cost that is greater than another control is ineffective
overall.

Security by Obscurity is an ineffective control. The gains are minimal
in economic terms. The cost however is more than the pure cash/money
costs. The additional losses to productivity and added difficultly in
maintaining secrecy does not provide the required level of gains to
offset the costs and thus creates a dead-weight loss in economic terms.

Thus security by obscurity is no security as the costs in real economic
terms do not bring benefit. 

It is of no use to spend $1,000,000 protecting a $1,000 asset. This is a
loss and thus it is not a decision that provides security as the loss
exists even before the system goes live.

Regards,
Craig




Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If
you are not the named addressee you must not read, print, copy,
distribute, or use in any way this transmission or any information it
contains.  If you have received this message in error, please notify the
sender by return email, destroy all copies and delete it from your
system. 

Any views expressed in this message are those of the individual sender
and not necessarily endorsed by BDO Kendalls.  You may not rely on this
message as advice unless subsequently confirmed by fax or letter signed
by a Partner or Director of BDO Kendalls.  It is your responsibility to
scan this communication and any files attached for computer viruses and
other defects.  BDO Kendalls does not accept liability for any loss or
damage however caused which may result from this communication or any
files attached.  A full version of the BDO Kendalls disclaimer, and our
Privacy statement, can be found on the BDO Kendalls website at
http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and
entities.

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Pranay Kanwar
Sent: Thursday, 5 April 2007 5:55 AM
To: security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity

Hi Daniel,

Nice write up,but you are missing the crux of the matter obscurity is
mostly about secrecy and according to kerchoff's princliple and Mr.
Bruce Schneier. secrecy or obscurity induces brittleness in the system.
I'll replay the kerchoff's principle here from the wikipedia

"Kerckhoffs' principle applies beyond codes and ciphers to security
systems in general: every secret creates a potential failure point.
Secrecy, in other words, is a prime cause of brittleness-and therefore
something likely to make a system prone to catastrophic collapse.
Conversely, openness provides ductility."

http://en.wikipedia.org/wiki/Kerchoffs_law

Regards

warl0ck // MSG
http://www.metaeye.org