On Fri, 10 Aug 2001, Gareth Coltman wrote:

> Are you seriously trying to argue that something is either secure or it
> isn't? Maybe I misunderstood. Security is all shades of grey because no
> system is 100% secure due to the deterministic nature of all current
> security measures. Obscurity does seem at best a way of buying time, kind
> of similar to leaving the light on when you're out - it won't stop a
> serious attempt at breaking in.
>
> The question must surely be: does obscurity significantly decrease the
> risk of attack?

From my experience, I haven't found security through obscurity to
significantly decrease the risk of a skilled attack being successful, but
it can most certainly decrease the risk of a script kiddie attack being
successful.  I have also found that security through obscurity helps when
defending skilled attacks, by helping me to observe the attacker's
actions and skill level.  My observations form the basis of whether or
not I deem it necessary to take action against the attack (eg: by routing
the attacker's packets to /dev/null).  As you say, no system is 100%
secure.  Another way of looking at this is that all security systems can
be successfully breached, so any measures you can take to help you defend
your system will be most useful when your system is under attack.

> Some statistics would be good so if anybody has any....

I haven't got the time right now to parse all of the system logs of the
servers that I take care of.  This would give you at least some statistics
to consider.  However, I analyse my logs daily, and I can tell you
from experience that script kiddie attacks definitely occur much more
often than skilled attacks.

As I stated in my initial post, "security implemented solely through
obscurity is no security at all".  I hope that this discussion has made it
clear that obscurity can help defend the actual security of your systems.

Hope this information helps and I apologise for the off-topic posts.

Jon, one thing I was taught as a child was "if you haven't got something
good to say, don't say it at all", and everyone in the Turbine community
would benefit if you put some more thought into your posts.

Regards,

-- Rodney

