On Wed, Nov 18, 2009 at 11:59 AM, N. Coesel <[email protected]> wrote:
> [...]
>> Security by obscurity doesn't work.
>
> Which is a big misconception!
>
> Part of my job involves assessing and implementing electronic security
> measures. I did a lot of thinking and reading about what security by
> obscurity actually *means* and came to the following conclusions (I'll use
> [...]
Sorry, but if you're getting paid to be responsible for security and you think security by obscurity has any significant value above the level of an irritant, then you are going to need to be either very lucky or get used to disappointment. Maybe you've been relying on this for years, and it's all been great so far, but you're on the wrong side of technical history these days.

I trust an open, peer-reviewed encryption/authentication scheme whose inner workings are probably published in an RFC over a scheme dreamt up by some guy 3 offices down the hall who thinks he's the next Bruce Schneier.

Speaking of Bruce, here's some related fodder from his blog:
http://www.schneier.com/crypto-gram-0205.html#1

The tech world is rife with examples; people have already mentioned MiFare et al.

<insert obligatory comment about horses, water and drinking here>

--
Andy
