-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Monday 2008-07-14 at 16:09 -0400, John E. Perry wrote:

> Carlos E. R. wrote:
>
> > The Sunday 2008-07-13 at 23:26 -0700, John Andersen wrote:
> >
> > > On Sun, Jul 13, 2008 at 9:26 PM, Rajko M. <> wrote:
> > > > [1] Security through obscurity is often criticized as bad practice, but actually it is the only way security can work.
> > > ...
> > The patches for the recent DNS security problem were prepared in secret by all distros and OSes. The hole itself has not been publicly explained, as far as I know.
> > That's a good sample of security by secrecy...
> This is stretching the definition of "security by obscurity" to the point of silliness. You're usually better than this, Carlos.
>
> In all these cases, the algorithms are publicly known and described, the procedures are publicly specified, the programs are exposed to public scrutiny. All of this has always been known as "security by design".
>
> "Security by obscurity" has always been defined as hidden algorithms, hidden procedures, hidden programs. So we have no way of knowing whether a program is secure or not, until either someone cracks it, as is usual in the Microsoft environment, or until the developers and their allies uncover a flaw in the programming, as is usual in the open-source environment.
>
> When developers uncover a critical flaw in a critical, widely required component like DNS, it is only prudent to fix the flaw before letting it be known to users _and_possible_evildoers_. The old source has always been available (with the flaw), and the fixed source will be available as soon as is prudent.
>
> To put the hiding of keys and passwords in the same class as hiding algorithms, procedures, and programs is simply silly. Really, guys!
Nevertheless, what I said is absolutely true: the recent patches for the DNS security problem have been prepared in secret. It was a secret that there was a security problem and that they were preparing a solution, and it was released simultaneously by all distributions on the same day. Till everyone was prepared, they kept silence.

Whether that is security by obscurity, maybe not; I didn't say that. It is security by secrecy, if you prefer. The secret was that the door had a hole, lest somebody tried to find and use it.

Not that I object to that procedure. It was secret for good reasons. But a secret for security reasons nonetheless, in the open source camp.

- -- 
Cheers,
       Carlos E. R.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFIf+bptTMYHG2NR9URAlbnAJwLerk7ncroaAnU2Ht36gVOmRyNngCfZwJ1
pcbuECqZZ+vk5GCWp5AriUE=
=7C4y
-----END PGP SIGNATURE-----