I think the main problem with "security through obscurity" is a false feeling 
of security. 
What tends to happen is that you don't try to do "security through security" 
but leave it at the obscurity level. 

Which bites when a really competent attacker arrives.  (Or the obscurity is not 
so obscure anymore...) 



Best Regards
Thomas Berg
___________________________________________________________________
Thomas Berg   Specialist   zOS\RQM\IT Delivery   SWEDBANK AB (Publ)


> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of R.S.
> Sent: Saturday, September 07, 2013 2:32 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: OT: Obscurity Is Not Security... Or Is It?
> 
> On 2013-09-07 06:39, Ed Gould wrote:
> > http://www.securityweek.com/obscurity-not-security-or-it
> >
> > While obscuring website code, server architecture, and security
> > mechanisms doesn’t provide bullet-proof security on its own, it can be
> > effective...
> >
> > By this point, everyone has probably heard the phrase, “Obscurity is
> > not security.” Or some variation thereof. Technically, it’s true. No
> > matter how obscure you make something, it doesn’t make it impossible
> > to “crack.” It just makes it more difficult. That’s because whatever
> > you do to obscure something, you can always reverse your way out of it
> > to get the clear picture again. The time it takes to achieve clarity
> > just depends on how obscure you make it.
> Well,
> Sometimes you know (or at least you feel) that your system is not
> bulletproof. In such a case you could do the following:
> a) make your system bulletproof. WRONG. Usually you would already have done
> it if you could. But you couldn't.
> b) make your system obscure. That makes any attack much more labor-
> intensive. That's why pentesters demand detailed documentation of your
> system, LAN, connections, etc. before they start their tests. Otherwise
> the service is significantly more expensive.
> 
> For example, that's the reason why some people don't use the IBM-suggested
> UACC(R) for parmlib - no access to parmlib = no chance to read it and
> find bad/poor statements.
> (fine print: the above is a strong simplification. IBM distinguishes
> parts of parmlib and clearly says that there may be passwords in the
> members - see the SAG manual).
> It's hard to read the RACF DB if you know nothing about it, but having the
> dataset name and the volser simplifies looking for an improperly
> protected volume dump.
> 
> Of course obscurity instead of security is definitely not security.
> 
> 
> My €0.02
> 
> --
> Radoslaw Skorupka
> Lodz, Poland
> 
> 
> 
> 
> 
> 
> --
> 
> This e-mail may contain legally privileged information of the Bank and
> is intended solely for business use of the addressee. This e-mail may
> only be received by the addressee and may not be disclosed to any third
> parties. If you are not the intended addressee of this e-mail or the
> employee authorised to forward it to the addressee, be advised that any
> dissemination, copying, distribution or any other similar activity is
> legally prohibited and may be punishable. If you received this e-mail by
> mistake please advise the sender immediately by using the reply facility
> in your e-mail software and delete permanently this e-mail including any
> copies of it either printed or saved to hard drive.
> 
> BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00
> 00, fax +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl
> District Court for the Capital City of Warsaw, XII Commercial Division of
> the National Court Register, register of entrepreneurs no. KRS 0000025237,
> NIP: 526-021-50-88.
> As of 01.01.2013 the share capital of BRE Bank SA (fully paid up) amounts
> to PLN 168,555,904.
> 
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

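As an added illustration (not part of the thread, and not IBM's or either poster's own text), here are the two points from the quoted message as RACF commands run in a batch TSO job: the UACC(READ) on SYS1.PARMLIB that the thread calls IBM-suggested, next to a UACC(NONE) profile with explicit PERMITs, and the RACF database protected at both the dataset and the volume level so that a volume dump is not the easy route around the dataset profile. The group names SYSPROG, OPER and BACKUP, the userid SECADM, the database name SYS1.RACFDS, the volser RACVOL and the dump-output prefix BACKUP.DUMP are assumptions; only SYS1.PARMLIB is a real name.

```jcl
//RACFHARD JOB (ACCT),'PARMLIB/RACF DB',CLASS=A,MSGCLASS=X
//* Added example, not from the original thread.  Assumed names:
//* SYSPROG, OPER and BACKUP are RACF groups, SECADM a userid,
//* SYS1.RACFDS the primary RACF database and RACVOL its volser.
//* SYS1.PARMLIB is real; ALTDSD assumes a profile already exists
//* (use ADDSD if it does not).
//*
//* Weak setting (the UACC(R) the thread mentions): anyone can
//* browse every member and look for poor statements or passwords:
//*   ALTDSD 'SYS1.PARMLIB' UACC(READ)
//*
//* Tightened: no default access, explicit grants, read auditing.
//* Then the RACF database: a UACC(NONE) dataset profile does not
//* stop a full-volume dump of RACVOL, so the DASDVOL class guards
//* the volume and a generic profile keeps dump output from being
//* world-readable.  The LIST commands at the end show the access
//* lists actually in effect.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTDSD   'SYS1.PARMLIB' UACC(NONE) AUDIT(ALL(READ)) NOTIFY(SECADM)
  PERMIT   'SYS1.PARMLIB' ID(SYSPROG) ACCESS(UPDATE)
  PERMIT   'SYS1.PARMLIB' ID(OPER)    ACCESS(READ)
  ALTDSD   'SYS1.RACFDS'  UACC(NONE) AUDIT(ALL(READ)) NOTIFY(SECADM)
  RDEFINE  DASDVOL RACVOL UACC(NONE) AUDIT(ALL(READ))
  PERMIT   RACVOL CLASS(DASDVOL) ID(BACKUP) ACCESS(READ)
  ADDSD    'BACKUP.DUMP.**' UACC(NONE) AUDIT(ALL(READ))
  PERMIT   'BACKUP.DUMP.**' ID(BACKUP) ACCESS(ALTER)
  SETROPTS CLASSACT(DASDVOL)
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD  DATASET('SYS1.PARMLIB') AUTHUSER
  LISTDSD  DATASET('SYS1.RACFDS')  AUTHUSER
  RLIST    DASDVOL RACVOL AUTHUSER
/*
```

Submit the job and read SYSTSPRT: the three LIST commands with AUTHUSER print the access list in effect, which is the check worth repeating after every PERMIT, since a profile with UACC(NONE) and a stray ID(*) entry is no better than UACC(READ). The DASDVOL profile only helps against tools that honour it (a DFSMSdss full-volume DUMP does, unless the job has been granted a storage-administrator bypass in the FACILITY class); a dataset-level dump or copy of SYS1.RACFDS is still governed by the dataset profile itself, which is why both are set here.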