http://emergentchaos.com/archives/2007/03/from-the-heresy-desk.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2007/03/from-the-heresy-desk.html/comment-page-1#comment-3416 Beryllium Sphere LLC Sat, 24 Mar 2007 16:45:07 +0000 http://emergentchaos.com/?p=2279#comment-3416 My favorite way to look at this debate is the idea of the "defensible secret". Tuesday's Enigma key is a defensible secret: it's feasible to keep it away from the enemy and if it's compromised you can change it easily. The inner workings of your Enigma machine are not a defensible secret: the Polish resistance will eventually capture one and hand it over to the British. A secret becomes less defensible if there are a lot of people looking for it, if it's a long-duration secret, or if it's so interesting that as soon as one person finds it out that person will spread it all over the Internet. Trying to hide the fact that physical locks are vulnerable to bump keys is security by obscurity. The secret can't be defended for long enough to replace the vulnerable locks. Trying to hide what brand of lock I have on my front door is a grayer area. Not many people will care and they won't feel much urge to publicize it. By itself, the information won't hurt me much anyway, except that it might encourage burglars to break a window instead. The Internet has really changed the calculations, and has made security through obscurity far less useful than it was a thousand years ago. There was a time when only locksmiths knew about bump keys and you could assume the information would spread slowly. Not today. My favorite way to look at this debate is the idea of the “defensible secret”. Tuesday’s Enigma key is a defensible secret: it’s feasible to keep it away from the enemy and if it’s compromised you can change it easily. The inner workings of your Enigma machine are not a defensible secret: the Polish resistance will eventually capture one and hand it over to the British.
A secret becomes less defensible if there are a lot of people looking for it, if it’s a long-duration secret, or if it’s so interesting that as soon as one person finds it out that person will spread it all over the Internet.
Trying to hide the fact that physical locks are vulnerable to bump keys is security by obscurity. The secret can’t be defended for long enough to replace the vulnerable locks.
Trying to hide what brand of lock I have on my front door is a grayer area. Not many people will care and they won’t feel much urge to publicize it. By itself, the information won’t hurt me much anyway, except that it might encourage burglars to break a window instead.
The Internet has really changed the calculations, and has made security through obscurity far less useful than it was a thousand years ago. There was a time when only locksmiths knew about bump keys and you could assume the information would spread slowly. Not today.

]]> http://emergentchaos.com/archives/2007/03/from-the-heresy-desk.html/comment-page-1#comment-3415 storms Thu, 22 Mar 2007 16:26:59 +0000 http://emergentchaos.com/?p=2279#comment-3415 I'm laughing over here. Not because you are insane, but because you are reading my mind. Not more than a few months ago, I proposed similar content for a magazine article. The result -- they laughed at me... "everyone knows that security thru obsurity is a joke". Working at nCircle means you've got plenty of remote detection tools at your disposal. I first started a side project a few years ago where I was intentionally trying to fool our systems. That idea spawned a contest in our VERT organization. The goal was to obfuscate some app so much that we couldn't detect it, but it still had to completely function. I don't recall who one, but the most interesting entry was a developer who altered LambaMOO code to respond to FTP commands. I’m laughing over here. Not because you are insane, but because you are reading my mind. Not more than a few months ago, I proposed similar content for a magazine article. The result — they laughed at me… “everyone knows that security thru obsurity is a joke”.
Working at nCircle means you’ve got plenty of remote detection tools at your disposal. I first started a side project a few years ago where I was intentionally trying to fool our systems. That idea spawned a contest in our VERT organization. The goal was to obfuscate some app so much that we couldn’t detect it, but it still had to completely function. I don’t recall who one, but the most interesting entry was a developer who altered LambaMOO code to respond to FTP commands.

]]> http://emergentchaos.com/archives/2007/03/from-the-heresy-desk.html/comment-page-1#comment-3414 Alexandre Carmel-Veilleux Thu, 22 Mar 2007 11:45:23 +0000 http://emergentchaos.com/?p=2279#comment-3414 I like to see the orthodoxy challenged in a thoughtful way. The take home message is also good: Obscurity only works if you don't need it to be secure in the first place. I like to see the orthodoxy challenged in a thoughtful way. The take home message is also good: Obscurity only works if you don’t need it to be secure in the first place.

]]> http://emergentchaos.com/archives/2007/03/from-the-heresy-desk.html/comment-page-1#comment-3413 shrdlu Thu, 22 Mar 2007 10:20:20 +0000 http://emergentchaos.com/?p=2279#comment-3413 I agree, excellent article. Obscurity isn't armor, but then again, there are things that you don't necessarily NEED to publish, either -- or make it too easy for an attacker to know. The creative use of nonstandard infrastructure, as long as it doesn't overly complicate support, is a good tactic to add to the bag of tricks. I agree, excellent article. Obscurity isn’t armor, but then again, there are things that you don’t necessarily NEED to publish, either — or make it too easy for an attacker to know. The creative use of nonstandard infrastructure, as long as it doesn’t overly complicate support, is a good tactic to add to the bag of tricks.

]]> http://emergentchaos.com/archives/2007/03/from-the-heresy-desk.html/comment-page-1#comment-3412 JaBbA Thu, 22 Mar 2007 09:21:23 +0000 http://emergentchaos.com/?p=2279#comment-3412 Interesting - I visited Couterpane's (Schneier's company) NOC in Virginia some years ago. The door was in the back of an office complex with all the windows tinted, and no identifying information anywhere. Even if you got into the reception area, the only place to go was the small bathroom there - all the rest of the doors had biometrics and no signs. You had to go through a "man trap" to get to the conference room, and then they de-polarized the glass in the room to let you see the NOC. Security Theatre and Obscurity, indeed. Interesting – I visited Couterpane’s (Schneier’s company) NOC in Virginia some years ago. The door was in the back of an office complex with all the windows tinted, and no identifying information anywhere. Even if you got into the reception area, the only place to go was the small bathroom there – all the rest of the doors had biometrics and no signs. You had to go through a “man trap” to get to the conference room, and then they de-polarized the glass in the room to let you see the NOC.
Security Theatre and Obscurity, indeed.

]]> http://emergentchaos.com/archives/2007/03/from-the-heresy-desk.html/comment-page-1#comment-3411 Alex Thu, 22 Mar 2007 08:21:59 +0000 http://emergentchaos.com/?p=2279#comment-3411 I'm glad someone wrote this article. Deception and obfuscation are both well known defensive tactics in every other discipline. I’m glad someone wrote this article. Deception and obfuscation are both well known defensive tactics in every other discipline.

]]>