Re: Technical Reason? - Why you can't encrypt load libraries (PDSE format)?

Wed, 17 Jan 2024 08:45:46 -0800 

Gentlemen,
Let me chime in
Password are to be kept secret. Encryption keys (except public ones) are to be kept secret. 
This is widely known and quite obvious IMHO.
Lost/disclosed password is more or less like lost door key. (Assuming no MFA, where the password is only one of several "keys"). 

However there is also "key under the mat" aka backdoor or vulnerability.
This is also a secret, but IMHO completely different thing.


For regular access the method is know and documented with the 
requirement to keep the key secret.

For key under the windshield wiper everyone who know the method can enter.


And the term "security by obscurity" means just the key under the mat. 
Unrestricted (or poorly restricted) access, but not documented.  A 
backdoor by definition is undocumented access with no need to have valid 
password or encryption key.


My €_0.02_

--
Radoslaw Skorupka
Lodz, Poland




W dniu 16.01.2024 o 23:22, Phil Smith III pisze:

Paul Gilmartin wrote:

I believe otherwise. I know of a case where a vendor allowed a product
to escape to the field containing a tester's back door, and another
related to II14489. Either could be exploited with no brute force,
merely knowledge of the existence and nature of the defect. In the
case of the latter, the vendor chose to obscure the details very long
term to protect customers who might not have installed the fix.
"That's security by obscurity."

But that's still the same thing, just smaller: IF they knew about it, then they 
could exploit it. It's just a matter of degree. Similarly, OCO makes it harder 
to find the way around, say, a CPUID or license key.


But protecting passwords is a valid use of "That's security by
obscurity." A password is not a pervasive defect as those other cases
are.

"protecting passwords" in what context? I'm sure your point is valid but it's 
escaping me!


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email tolists...@listserv.ua.edu  with the message: INFO IBM-MAIN


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN























					Reply via email to