|
|
Posted by The Natural Philosopher on 10/22/07 01:10
Gary L. Burnore wrote:
> On Sun, 21 Oct 2007 18:42:40 GMT, "Sanders Kaufman"
> <bucky@kaufman.net> wrote:
>
>> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
>> news:HZqdnWi_EtW0DobanZ2dnUVZ_vfinZ2d@comcast.com...
>>> The Natural Philosopher wrote:
>>>>> Nope. Security by obscurity is no security at all.
>>>>>
>>>> Oh, indeed it is.
>>> Not at all. It is false security.
>> The only total security is to unplug the damned thing.
>
> So if you can't have total security, simply obscure it and leave it
> unlocked?
>
Its not a bad way.
Obscurity is a form of lock. A lock is a puzzle that you have the answer
to and the bad guy does not.
That puzzle can be just as much where to look, as how to get past a
barrier.
I know of many many cases of things that were hidden in houses that a
thorough police search never found.
>> Everything else either works, or it doesn't.
>> If obscurity keeps the bad guys away - it's REAL security.
>
> Except obscurity keeps no one away.
It does. If you walk past a bush, and all you see is a bush, who's to
know it stands on a bit of earth that is in a pot that ca be removed
that has a trapdoor underneath.. the bad guys don't even know its there.
>> It's painfully common for Republican folks like Jerry here to tell people
>> who are perfectly safe that they are not.
>
> Says someone who claims obsuring something is security.
If a maze is well enough designed so it takes you twice as long to get
to the center of it as to crack a 64bit code, I'd say it was as good.
I believe the US intelligence services used to send messages in Navaho,
knowing that probably no one in Japan spoke that language.
Cryptography itself is security by obscurity.
In essence you have two aspects to protecting something. The first line
is to make sure that as few people know its there at all, and is worth
anything.
The second line is to make it easy for the person who needs to access it
to get at it and hard for the person you assume knows it's there to
access it.
Obscurity is the prime line of attack in the first aspect. Obscurity
also features in the second. The method of access must be obscure, but
known to the good guys.
For php? why not call your files - say - .fortran instead of .php, and
configure your web server to know that. Some geek browsing your site and
seeing all those .fortran URLs coming up will give up in disgust
already. Even if he downloads one somehow and tries to execute it, it
won't run..
Patch the PHP interpreter or the web server to do something simple like
reverse every two bytes and invert the high bit. then run your source
through something that does the inverse.. None of that will survive a
sustained investigation by a top cryptographer, but you aren;'t dealing
with that. Or if you are the CIA is onto you anyway, and your PHP is the
last of your worries.
If I was an islamic terrorist, I would send my messages in an arrogant
right wing sort of way on some obscure newsgroup like comp.lang.php and
sign them 'Jerry' ;-)
They would be encoded into all sort of messages. Misspelt words would
be significant, as would ad hominem attacks. ;-)
Navigation:
[Reply to this message]
|