On Tue, 16 Jan 2024 12:31:36 -0500, Phil Smith III wrote:

> ...
>For example, 256-bit AES can be broken by brute force-if you have until the
>end of time. (And if you'll know it when you see it, another issue.) But that
>"until the end of time" means you can use it to outrun the bear.
>
>When people say "That's security by obscurity", they really mean "That's weak
>security because the barriers aren't high enough". That's all. It's not a big
>revelation.
>
I believe otherwise. I know of a case where a vendor allowed a product to escape to the field containing a tester's back door, and another related to II14489. Either could be exploited with no brute force, merely knowledge of the existence and nature of the defect. In the case of the latter, the vendor chose to obscure the details very long term to protect customers who might not have installed the fix. "That's security by obscurity."
But protecting passwords is a valid use of "That's security by obscurity." A password is not a pervasive defect as those other cases are.

-- gil
