On Monday 14 July 2008 01:26:17 am John Andersen wrote:
> On Sun, Jul 13, 2008 at 9:26 PM, Rajko M. wrote:
>> Security through obscurity is often criticized as bad practice, but actually it is the only way security can work.
> Simply not true. Just because you don't have all pieces to the puzzle does not mean that the security is provided by obscurity.

Obscure is something hidden in the dark. While the phrase "security through obscurity" was used mostly to criticize closed source code, where it is impossible for anyone (good and bad) to check the applied methods, every security in the world works by hiding in the dark (obscure) some information, i.e. pieces of the puzzle.

> The entire plans for the lock (or the software) can be provided but the key is private. It's an absurd argument to state that because the key is private that obscurity is providing all of the security.

How far it goes is another question: hiding only keys or passwords, or hiding all and providing physical access only to the part of the lock or computer that has to be accessed; that depends on the specifics of the application. There is no need for the plans of some highly secure application to be publicly available, which is true for locks too. You know standard home locks, but not special ones.

>> You will not see a lock made out of glass,
> Glass breaks.

Sure. Let me try again: a glass lock will provide a visual clue when part of the puzzle is solved. By obscuring that information you make the lock safe. The same is valid for computer security.

>> nor is your password 'open source'. Obscurity is present in any security solution.
> Describing Keys as obscurity is a stretch. It perverts the entire argument about closed source code vs open source.

Who was talking about closed source code vs open source? And keys are not public, so they are obscured.

--
Regards, Rajko
http://en.opensuse.org/Portal needs helpful hands.