Stewart Stremler wrote:

> begin quoting Tracy R Reed as of Wed, Apr 20, 2005 at 09:25:19AM +0700:
>
> > You have
> > a password on your email account right? That is security by obscurity.
>
> No, it isn't. It's a secret.
>
> > There are different kinds of
> > security-by-obscurity. The traditional and most unwise kind is to
> > scramble your movie in a proprietary non-peer reviewed algorithm and
> > hide the key on the device that decrypts it and hope nobody finds out.
> > That is the worst kind of security by obscurity and we have seen it
> > fail.
>
> Erm, that's not the example that comes to mind for me. I'm thinking of
> code obfuscation, unpublished encryption algorithms, and created web-pages
> that have no public links to them.
What is the difference between a password that no one knows (a secret) and a URL that has no links to it (obscure)? Either way, only those that know have it. It cannot be found by any other means short of brute forcing. Not all password schemes can support limitless passphrases, but I have seen nastily long URLs that would put most passphrases to shame. I have yet to find a webserver that will not support 1024+ long URLs. So, where is the practical difference between an unknown token (password) and an unknown token (URL)?

[snip of Tracy talking about copying data to another person's harddrive]

> Keeping just one copy of your data strikes me as a security concern.

Keeping multiple copies seems an even greater security concern.

> > Of course it's the point! It's one of the big reasons why we don't run
> > as root!
>
> WE don't run as root because WE run servers and multi-user machines.

I thought we had established (though not to your satisfaction) that the single-user computer is a nonesuch. As soon as Joe User installs a peer-to-peer program, they run into the concept of server. As soon as NetBEUI is enabled, they run into the concept of server.

As an experiment, take a system and do a default install of Linspire. See if there are any services running (nmap is very useful here). If there are any in the default install, then, by default, the system is not a single user system.

I will agree that there is the single-user mindset. There is also the ``I am the only one in the world that matters'' mindset. Both are false, for rather obvious reasons.

> > I still think nobody is really after your data. They are after your box
> > as a network/computing resource and they need access to the OS to do
>
> That's not a safe assumption.

Depends upon who you are. Let's see...

http://webcast.berkeley.edu/courses/replay.php?prog=58&group=59&date=20050415&rep=real

About 48:45 into the lecture.
(I was merely told about this, I have not actually been able to view/listen to it because Real does not work.)

> You've already lost your data in this case. Why are you worrying about
> the OS?

We are working from flawed premises:

1) (User) Data is King

If this is true, then data would be protected. Single user people rarely (this is well documented) back up (read: protect) their data. Data is not king. Premise one defeated.

2) On a single user system, a user compromise is effectively the same as a root (admin) compromise.

If this is true, a single user system must exist. We have seen that these are actually rare.

3) A user can damage their own data as well as root can.

This goes back to premise 1, which is flawed. We can stop discussing here. However, I contend that root has a larger class of powers that enable him to destroy a user's data than a user does. This allows for more problems. Example: toasting the application. Since a mere user cannot do that, but root can, this requires the application to be re-installed. Sometimes, this destroys user data too. Sometimes that data is in the form of configuration files. I am not making an artificial distinction between things like .doc files or .jpegs, and the rc/.ini files.

Best practice dictates that admin functions be performed by an admin role, and non-admin stuff be performed by non-admin. Because we like car analogies :) (We all do, don't deny it.) We wear normal clothes when driving the car, but wear our grease stained clothes when working on it. We are the same person, but different roles.

> The assertion is that the safety vs usability tradeoff for a single-user
> system is 'full access everywhere'. That's the claimed 'sweet spot' for
> this case.

Some people do not learn from other people's mistakes. I won't argue with them. You are filling the role of that person. To them, I will give them all the rope they want, let them fashion their neat and interesting nooses, and hang themselves in the noonday sun.
When they come back, and are willing to learn, then we go over everything we have discussed. Then they are ready for the teachings of the ancients (to mix metaphors badly). Before then, you are merely teaching a cow to sing.

> No... I'm saying that difficulty for its own sake does not make things
> any better. I demand that additional difficulty in the name of security
> ought to actually provide a concomitant improvement in security.

We throw this word around - security. What are we actually saying? What do we actually mean? I contend that the whole argument is flawed, because it presumes conditions that do not and cannot exist.

-john

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
