Re: [Hampshire] Your Set Up

Author: Adam Trickett
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Your Set Up

gpg: Signature made Sun Feb 25 12:43:08 2007 GMT
gpg: using DSA key 019AD0D8166C4BF0
gpg: Can't check signature: No public key
On Saturday 24 February 2007 18:43, Andy Smith wrote:
> On Sat, Feb 24, 2007 at 06:14:45PM +0000, Adam Trickett wrote:
> > >
> > > In the real world it is used a lot, and not always foolishly.
> >
> > The problem with security through obscurity is that it's always best to
> > assume that the attacker knows at least as much as you do. In which case
> > security through obscurity is no security at all.
>
> Against that particular attacker, yes. However against the entire
> community of attackers IMHO it has great value, allowing one to focus
> one's resources on the smaller group who do know as much as you
> about the design of the system.
>
> For example, should the military keep the floor plans of its important
> bases and the deployment of its units secret? Should an
> organisation publish the plan of its internal network? Should we
> all publish our firewall rules? Was "loose lips sink ships" poor
> advice?


The problem with security through obscurity is that you think it adds
security, but in fact it adds little or nothing. Recently it has come to
light that the KGB had better maps of the UK than our own Ordnance Survey
had. OS maps of the UK excluded sensitive locations; they just weren't
there. People thought we were secure, in fact the KGB had all the locations
accurately marked on their maps - in fact their maps were quite superior to
our own in many ways.

The single greatest weakness with security through obscurity is you don't know
it's been compromised and then it's too late. I don't believe in advertising
your security technology, but you have to assume that the bad person has
access to everything that you have.

> If the obscurity is all that is relied upon then it's very fragile.
> But it's still a valid technique in combination.


I suppose my position is that you don't advertise what you are doing, but at
the same time it's best to use public algorithms and technologies. You don't
tell your enemy when your ships leave and arrive but you have to assume that
they know.

--
Adam Trickett
Overton, HANTS, UK

A people that values its privileges above
its principles soon loses both.
    -- Dwight D. Eisenhower