On Tue, Mar 24, 2009 at 6:46 AM, Gadi Evron <[email protected]> wrote:
> Security theater does in fact have uses. Secrecy can be a strong line of
> defense and psychological barriers are in fact barriers, as we are
> dealing with human beings. So, security by obscurity is an extremely
> useful tool, the problem is when it is the only one, it then becomes a
> single, lonely, point of failure, and potentially a waste of resources
> (TSA).

There's a big difference between security through obscurity of security procedures and measures -- for example having an extra layer of auditing that is generally unknown or adding randomness to the mix -- and security through obscurity of flaws. (e.g., "So what if those passwords are industry-wide defaults, we're behind a firewall, and nobody knows.") The former is genuinely useful, the latter is an excuse for management and the lazy.

This distinction is not normally made. I think it's a good point that good security through obscurity will involve some aspect of human psychology as a deterrent.

-Nick
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
