OT: Obscurity - what is it? was Re: DNS version

Simon Waters Simon at wretched.demon.co.uk
Tue Feb 4 17:13:39 UTC 2003



Barry Finkel wrote:
>
> This falls into the category of
> "security by obscurity", which is not security.

Hmm, or is this an evil dogma repeated mindlessly without thinking?

Let's take passwords - Barry email me all your passwords.

Why not - they are only a "secret" they only work because they
are obscure - if I happen to guess one it ceases to be obscure,
this isn't security it is security by obscurity ;-)

But passwords are hard to guess - well maybe - so keeping your
passwords secret is better than keeping your BIND version secret
because it is "more" obscure, not less.

I think the problem with the phrase "security through obscurity"
is it is used in the wrong context.

It was originally primarily applied in the context of encryption
systems, where undisclosed algorithms are considered suspect
because they are less thoroughly tested/inspected.

Does this apply to my version of BIND? Clearly not: the code to
most versions of BIND is reasonably accessible, so in that sense
the algorithm is disclosed.

However when I send a message to my secret agent in Iraq, do I
tell the Iraqis it is in
Garfinkel-Blows-Hot-and-Cold-On-Obscurity cipher, or do I enjoy
the fact that they don't know?

Sure you don't run a version of BIND with known vulnerabilities,
just as you wouldn't choose to rely on an encryption algorithm
with known weaknesses, so in the encryption analogy this is "not
a secret" and so doesn't make your system more fragile if the
information is compromised.

Thus if the Iraqis discover I'm using
Garfinkel-Blows-Hot-and-Cold-On-Obscurity cipher, they may be
able to reduce their code breaking effort by the order of the
number of known ciphers, but they still don't crack the code
(unless they happen to know of an undisclosed weakness -- and
software probably has more readily discoverable weaknesses than
the typical encryption algorithm).

Compare passwords which are "secret" and whose disclosure is
clearly an issue - we don't upgrade BIND just because someone
left the organisation, or left on bad terms.

The decision to disclose BIND version numbers comes down to the
question of whether public knowledge of that information is a
net gain to the person or organisation doing the disclosing,
their customers or users, or if he is public spirited a net gain
to the Internet (or larger) community.

Non-disclosure of the version number may make it harder to craft
a vulnerability or otherwise slow an attacker down. Sure he can
try all attacks against all possible versions - but unless each
such attack has a zero cost to the attacker you have moved the
barrier up - no matter how imperceptibly.

The mistake is to muddle "secret" (i.e. something which if
disclosed compromises the integrity of the system) with
information that is not voluntarily given.

Then again I could be wrong.
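As an added, defender-side illustration of the version-disclosure choice discussed above (not part of the original post): the BIND 9 `options` settings that control what `version.bind` returns, with the default that reports the real version beside the two ways of withholding it, and the dig query an administrator can use to check what their own server actually answers. The server address and the replacement string are assumptions.

```conf
// named.conf fragment (added example, not from the original post)
options {
    // Weak setting: with no 'version' line at all, BIND answers
    //   dig @127.0.0.1 version.bind txt chaos +short
    // with its real version string, e.g. "9.x.y".

    // Option 1: answer the CHAOS-class query with a fixed string
    version "not disclosed";

    // Option 2: refuse version.bind queries entirely
    // version none;
};
```

After reloading the configuration, the same dig query against your own server shows the configured string (or no version with `version none`) instead of the real one.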
