Very often we have to face the question -- "How can you say Linux is secure when its code is all out in the open?", or "How can you say Linux is secure when there are literally thousands of hackers, hacking away to glory??" Faced with a question like this, many users who are not particularly well into system security suddenly find themselves groping for a suitable answer. The temptation is great to brush off the question by calling it M$ FUD (Fear, Uncertainty, Doubt).

There was an article by Raju (Raj Mathur of SGI), published in the Nov. '99 issue of PCQ... it is rather comprehensive. Today I happened to read a posting of similar (from a platform-independent point of view) nature on a comp security mailing list. IMO the post really highlighted the points why security through obscurity fails as a viable security model in the present day. Here it is:

------------- Forwarded Posting --------------
Subject: [antionline] [OPSEC] Security through Obscurity?
From: "Adam P. Uccello" <[EMAIL PROTECTED]>

Well, as Mr. Forno so 'adequately' pointed out, we live in the information age. Surprise, surprise everyone, give me your name and I can probably tell you where you live; send me an email, and I can tell you what mail server you're running. Big deal.

The security arena is undergoing a paradigm shift that apparently some people have missed. Gone are the days of saying 'you can't hit me because you don't know where I am'. Now, we are saying, 'here's a detailed diagram of my system... go ahead and try and hit me.' As the 'net' and its global influence expands exponentially, the availability of information on people and on the systems which they use grows proportionately. One can no longer have the security of their system be dependent upon people not knowing how it works. The encryption debate has demonstrated this fact over and over again. It also applies here.

I say, lay it all out on the table. The information is there anyway. I should be able to give you a map of my network all the way down to the latest patches that I have installed on specific machines and, if designed properly, you still should not be able to get anywhere. This is not to say that I am naive enough to believe that this is completely obtainable. But open discussion of a system's faults is bound to yield a much more robust system than 'protecting' said system by not telling anyone how it works... because someone is going to find out anyway.

Secrecy, on the other hand, does have its place. Governments, just like competing companies, need to keep their 'latest' projects secret from their 'enemies' in order to maintain a competitive edge. But the systems put in place to protect these secrets should not depend on remaining secret. There is no real security in obscurity, only a false sense of one. Real security comes only from well thought out, well engineered, well tested, and time proven systems.

If the security of our nation depends upon Joe member of the armed forces not signing his rank at the end of his email, then the nation's security is truly something to worry about. Personally, I'm impressed that we at least have people who know what they're doing behind the lines...

-Adam P. Uccello
--------------- End of Forwarded Posting --------------

--Indra.

--
To unsubscribe, send mail to [EMAIL PROTECTED] with the body "unsubscribe ilug-cal" and an empty subject line.
FAQ: http://www.ilug-cal.org/help/faq_list.html
