funsec mailing list archives

Re: security theater is useful, stop abusing it [was: PCI]


From: nick hatch <nicholas.hatch () gmail com>
Date: Tue, 24 Mar 2009 10:54:40 -0700

On Tue, Mar 24, 2009 at 6:46 AM, Gadi Evron <ge () linuxbox org> wrote:

Security theater does in fact have uses. Secrecy can be a strong line of
defense and psychological barriers are in fact barriers, as we are
dealing with human beings. So, security by obscurity is an extremely
useful tool, the problem is when it is the only one, it then becomes a
single, lonely, point of failure, and potentially a waste of resources
(TSA).


There's a big difference between security through obscurity of security
procedures and measures -- for example having an extra layer of auditing
that is generally unknown or adding randomness to the mix -- and security
through obscurity of flaws. (e.g., "So what if those passwords are
industry-wide defaults, we're behind a firewall, and nobody knows.")

The former is genuinely useful, the latter is an excuse for management and
the lazy. This distinction is not normally made. I think it's a good point
that good security through obscurity will involve some aspect of human
psychology as a deterrent.

-Nick
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.