(keitai-l) Re: Tricking a server or Tricking yourself. (Long!)

From: Nick May <nick_at_kyushunet.com>
Date: 03/17/01
Message-id: <fc.000f761000051e353b9aca0072de86a7.51e38@kyushunet.com>
keitai-l@appelsiini.net writes:
>"If I take a letter, lock it in a safe, hide the safe somewhere in New York,
>then tell you to read the letter, that's not security. That's obscurity. On
>the other hand, if I take a letter and lock it in a safe, and then give you
>the safe along with the design specifications of the safe and a hundred
>identical safes with their combinations so that you and the world's best
>safecrackers can study the locking mechanism - and you still can't open the
>safe and read the letter - that's security"
>    Bruce Schneier, "Applied Cryptography", Wiley, 1996


This is getting off topic - but the view expressed in the quote above has
always struck me as being crazily idealistic and largely irrelevant to the
real world. Security admits of degree, and is really only relevant
insofar as it ties in with the concept of risk and risk management. In
reality it is the first (really a mixture of security and obscurity: we
lock the safe before we hide it) that is the more relevant. Would Schneier
2001 agree with Schneier 1996?

Compare the mathematical search space for a "brute force" attack on an
algorithm with the physical search space (New York) to find the safe. Why is
one "security" and the other "obscurity"? The first often just relies on
the (temporary) inconvenience of not having enough CPU power available...

That said, passing sensitive data in a URL is just daft, and I agree with
everything else you said.

nick

[ Did you check the archives?   http://www.appelsiini.net/keitai-l/ ]
Received on Sat Mar 17 16:32:06 2001