[Discuss] Security through obscurity
Rich Pieri
richard.pieri at gmail.com
Wed Mar 27 21:10:06 EDT 2013
--On Wednesday, March 27, 2013 8:47 PM -0400 Tom Metro
<tmetro+blu at gmail.com> wrote:
> This is exactly my point...it's a spectrum of complexity, without a
> crisp delineation between what is obscurity and what is secret.
Either a password is a secret (known to authorized personnel) or it isn't.
That's not a "spectrum of complexity". It's a yes/no fact.
> You could, if you so desired, have a port knocking client that
> translated a pass phrase with 40+ bits of strength into a knock
> sequence. Now is this a secrete or is it still just obscure?
In principle it's a secret. In practice 25 years ago it would have been
considered a secret since exhaustive search of a 40-bit keyspace was
considered to be prohibitively costly. In practice today an exhaustive
search of a 40-bit keyspace takes about 3 seconds.
> Obscure, in most security contexts, is just a synonym for weak strength.
> What you consider to be weak is subjective, and relative to the threat
> scenarios.
Obscure, in serious security contexts, is synonymous with NO strength
regardless of threat scenarios.
> If you find it so, then good for you. Others consider it useless noise,
> and it detracts from more valuable signals.
Anyone who thinks that way hasn't figured out how to use the tools they
have or hasn't switched to using tools that do what is needed.
--
Rich P.
More information about the Discuss
mailing list