funsec mailing list archives
Re: security theater is useful, stop abusing it [was: PCI]
From: nick hatch <nicholas.hatch () gmail com>
Date: Tue, 24 Mar 2009 10:54:40 -0700
On Tue, Mar 24, 2009 at 6:46 AM, Gadi Evron <ge () linuxbox org> wrote:
> Security theater does in fact have uses. Secrecy can be a strong line of defense and psychological barriers are in fact barriers, as we are dealing with human beings. So, security by obscurity is an extremely useful tool, the problem is when it is the only one, it then becomes a single, lonely, point of failure, and potentially a waste of resources (TSA).
There's a big difference between security through obscurity of security procedures and measures -- for example having an extra layer of auditing that is generally unknown or adding randomness to the mix -- and security through obscurity of flaws. (e.g., "So what if those passwords are industry-wide defaults, we're behind a firewall, and nobody knows.") The former is genuinely useful, the latter is an excuse for management and the lazy. This distinction is not normally made.

I think it's a good point that good security through obscurity will involve some aspect of human psychology as a deterrent.

-Nick