[opensource] Re: [opensource-announce] Meeting Announcement: 10/24/06 - This Week in Slashdot!

Alexander J. Lingo lingo.13 at osu.edu
Mon Oct 23 23:18:16 EDT 2006

Now, Now... Let's be nice to Brian. He's new here.

What Nick is saying is that the security practice known as "security through
obscurity" (StO) is a bad idea. I agree with him.

As Wikipedia states, "A system relying on security through obscurity may
have theoretical or actual security vulnerabilities, but its owners or
designers believe that the flaws are not known, and that attackers are
unlikely to find them."

Basically, StO is the idea that if one does not know about a systems
vulnerabilities or flaws, they they are not really flaws. This is a bad idea
in practice because once the flaws are discovered, then they can be
exploited. It is much better to have real security and assume that all flaws
are known and fix them before they are actually discovered.

An example is the lock-core system used in dorms I mentioned earlier. OSU
may assume that dorm rooms are secure because nobody knows about the flaw I
mentioned. That is security through obscurity. What OSU should do is
actually fix the problem instead of assuming it is A-OK.

-- alex

On 10/23/06, Nick Hurley <hurley at todesschaf.org> wrote:
> BRIAN SWANEY <swaney.29 at osu.edu> writes:
> > Oh yes, about the computer, it should probably have a name that
> > doesn't really make sense, like a set of randomly generated letters
> > and numbers (like dx2Rh86FwP), so black-hat outsiders don't know what
> > system name to look for.
> Normally I wouldn't bother replying, but this just tweaked my radar so
> much that I have to...
> I REALLY hope this was a joke, since it amounts to security through
> obscurity (and it's not even really obscure, just convoluted), which,
> as anyone with any security practice knows, is as good as worthless. If
> it's not a joke, then just... wow. That's probably a little unkind of me
> to say, but I feel it's better to be a little unkind and educate others
> than to be kind and let people continue with misguided (and dangerous)
> misconceptions.
> --
> Peace,
>   Nick
>    Miss Wormwood: What state do you live in?
>    Calvin: Denial.
>    Miss Wormwood: I don't suppose I can argue with that...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.cse.ohio-state.edu/pipermail/opensource/attachments/20061023/e322c1db/attachment.html

More information about the Opensource mailing list