[Full-Disclosure] Response to comments on Security and Obscurity
jftucker at gmail.com
Wed Sep 1 21:05:21 BST 2004
On Wed, 1 Sep 2004 21:33:55 +0400, 3APA3A <3apa3a at security.nnov.ru> wrote:
> really poor. I can break my own ass by falling into the pit, and I will
> never have another one. In the informational world (like in any business)
> all I risk is not more than money.
Of course no one was ever hurt as a result of poor computer security. (sarcasm)
Count yourself lucky that your business is only commercial; some of
mine aren't, and problems in systems can cause injuries and fatalities.
When you are in this situation you will give high regard to all
possible areas of security; none are less relevant than any other, as
it only takes a single hole (physical or virtual) to let an intruder
> But in case of your quotation, you have a lot of mistakes because of
> misunderstanding the real world. It's really impossible to show your mistake
> because at least this part of your paper is one large mistake.
> Currently, the situation where someone breaks a program's protection to put a virus
> into it is really strange and probably is taken from Hollywood. There
> are crackers (not hackers, it's a different term) who break program
> protection for illegal copying. Yes, they are criminals. But I see no
> relation between breaking a program's copy protection mechanism and
> informational security, like (OK, you wanted analogies) there is no
> relation between VHS tape copy protection (there are some techniques
> used by film distribution companies to prevent illegal copying) and
> physical security.
Actually, there is. To follow the same analogy, if the Hollywood
production company never releases any copies of the film, then it won't
get cracked or copied, unless of course their physical security was
> The situation of your analogy also came from Hollywood: a cracker buying a new
> copy of the program after a trap catches debugging. Unlike the real world, in
> a computer there is always a chance to make a rollback, and to try to
> break the protection again and again on the same copy of the program. You're
> trying to compare a real situation from the physical world with something
> impossible from the informational world. How can someone who understands it
> see any analogy?
Further on the physical to information systems comparison, how do you
exploit a computer in Russia from a computer in New York if there is
no physical data path between them? (The answer is directed
electromagnetic radiation, but there certainly aren't any hackers in
the world who have access to such a device, if anyone. In this case
the only defense is physical infrastructure.)
This is not dissimilar from the discussion that, for example:
Walk into the headquarters of a major business firm; you take the
elevator up to the top floor, as you don't have a keycard to get you into
a lower level. It's lunchtime and the secretary at reception has left
her desk. You are free to walk around the corner to the CEO's office
(there are no physical barriers, as these would not "look nice" and
would "impose upon business impressions"). The CEO is a dear chap who
forgets to lock his workstation when he goes to lunch. Where did all
that hard effort of virtual security go? This is not an uncommon
scenario. The strongest audits in the world fail you for this kind of
possibility; again, count yourself lucky in this regard.
Full-Disclosure is hosted and sponsored by Secunia.