[AusNOG] RISK - IT Industry - Concern Over Equipment, Being, Installed in Data Centre Facilities - Further Replies

Mark Smith markzzzsmith at gmail.com
Wed Sep 28 14:20:21 EST 2016


On 28 September 2016 at 13:35, Chad Kelly <chad at cpkws.com.au> wrote:
> On 9/28/2016 12:00 PM, ausnog-request at lists.ausnog.net wrote:
>>
>> Or should we perhaps talk about how easy it is to commit fraud?
>>
>> Yes... let's give blueprints to people who are motivated by malice so that
>> they can go off and do what we're suggesting puts us at risk.
>
>
> Security through obscurity just doesn't work.
>

Actually it commonly does; this often-repeated cliché is a distortion
of Kerckhoffs's principle, which was specific to cryptographic
algorithms -

https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

"In cryptography, Kerckhoffs's principle (also called Kerckhoffs's
desideratum, Kerckhoffs's assumption, axiom, or law) was stated by
Dutch cryptographer Auguste Kerckhoffs in the 19th century: A
cryptosystem should be secure even if everything about the system,
except the key, is public knowledge."

Nature has been relying on obscurity for millennia - any animal that
uses camouflage to hide itself is deploying obscurity, and many
animals do. Human militaries have also successfully deployed obscurity
via camouflage. Anybody using a firewall to block inbound ICMP pings
is deploying obscurity.

When applied more generally, the real point is that obscurity is not
sufficient to be relied upon alone. If the secret is discovered or
disclosed, you need some other defensive measure. For example, zebras
can also run very fast and kick, and camouflaged tanks have big guns
and are able to escape fairly promptly over very rough terrain because
they have tracks rather than wheels.

Obscurity works well when it works, but fails absolutely when it fails.

> Kids are taught how to use computers and the internet at a very young age
> nowadays.
>
> We have lawyers and signed agreements for a reason, when discussing
> commercially sensitive data, that is why NDAs exist.
>

An NDA is actually "Security through obscurity". The secondary defence
is the consequence of being sued for breaching the NDA.

> As for discussing how to commit fraud and other such things, don't be
> stupid.
>
> By all means discuss ways of preventing it though, plenty of discussions on
> both preventing fraud and other security methods have taken place on the
> various web hosting forums over the years.
>
> These were all public discussions.
>
> At the end of the day it all comes down to money and the team and or
> partners that you have involved with the business.
>
>
>
> --
> Chad Kelly
> Manager
> CPK Web Services
> web www.cpkws.com.au
> phone 03 9013 4853
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
