Date: Thu, 31 May 2001 12:28:31 -0400 From: Daniel Hagan <dhagan@colltech.com> To: WebSec WebSec <secure21st@hotmail.com> Cc: security@FreeBSD.ORG Subject: Re: Port 21 Message-ID: <3B16712F.9DD3EC61@colltech.com> References: <F45opYC98Bi89QtpfTY000063a4@hotmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 WebSec WebSec wrote: > Also, in my opinion it may not be a good idea to provide real IPs (at > least in this list) because you never know how you can tip someone. > Yes, this is "security" by obscurity, but.... That phrase has become so popular that people apparently forget what it actually *means*. Restricting information about an ongoing incident is not security by obscurity. That is information control, and is a critical component in "winning" any aggressor/defender scenario. (Just check something like the SANS Incident Handling guidelines, they make it clear that need-to-know and out-of-band communications are important.) Security by obscurity is designing a system that is hopelessly insecure from a technical viewpoint and assuming that someone will never notice (using xor as an encryption algorithm, for example). When designing a security infrastructure, you should have confidence that even given full knowledge of your system, an attacker would have a difficult time achieving a compromise. But it doesn't make much sense to actually give your attackers that information ahead of time, does it? (I'm not referring to special situations like red-team intrusion testing, I mean actually publishing it willy-nilly on the Internet.) Daniel - -- Consultant, Collective Technologies http://www.collectivetech.com/ Use PGP for confidential e-mail. http://www.pgp.com/products/freeware/ Key Id: 0xD44F15B1 3FA0 D899 4530 702F 72B0 5A17 C2A5 2C2B D22F 15B1 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBOxZxJsKlLCvSLxWxEQK66ACcDetfPuCmklTymk9wXw0289b9VPgAoPeJ fUDW+WDHWHC9nLCQv3NsrCBs =qYfv -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B16712F.9DD3EC61>