[AusNOG] RISK - IT Industry - Concern Over Equipment, Being, Installed in Data Centre Facilities - Further Replies

Mark Smith markzzzsmith at gmail.com
Wed Sep 28 15:44:32 EST 2016


On 28 September 2016 at 15:22, Paul Wilkins <paulwilkins369 at gmail.com> wrote:
> Or the One Time Pad, which is perfectly secure, but ironically only so far
> as it is obscure.
> So should you publish your algorithm for generating a
> pseudo One Time Pad? Very much depends on circumstances and use case.
>

Are you a cryptographer/cryptanalyst in the league of Bruce Schneier?
Otherwise you may be falling into the trap that he has written about:

"Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can't break. It's not even hard.
What is hard is creating an algorithm that no one else can break, even
after years of analysis."

https://www.schneier.com/crypto-gram/archives/1998/1015.html#cipherdesign




> Kind regards
>
> Paul Wilkins
>
> On 28 September 2016 at 14:20, Mark Smith <markzzzsmith at gmail.com> wrote:
>>
>> On 28 September 2016 at 13:35, Chad Kelly <chad at cpkws.com.au> wrote:
>> > On 9/28/2016 12:00 PM, ausnog-request at lists.ausnog.net wrote:
>> >>
>> >> Or should we perhaps talk about how easy it is to commit fraud?
>> >>
>> >> Yes... let's give blueprints to people who are motivated by malice so that
>> >> they can go off and do what we're suggesting puts us at risk.
>> >
>> >
>> > Security through obscurity just doesn't work.
>> >
>>
>> Actually it commonly does, this often repeated cliche is a distortion
>> of Kerckhoffs's principle, which was specific to cryptographic
>> algorithms -
>>
>> https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
>>
>> "In cryptography, Kerckhoffs's principle (also called Kerckhoffs's
>> desideratum, Kerckhoffs's assumption, axiom, or law) was stated by
>> Dutch cryptographer Auguste Kerckhoffs in the 19th century: A
>> cryptosystem should be secure even if everything about the system,
>> except the key, is public knowledge."
>>
>> Nature has been relying on obscurity for millennia - any animal that
>> uses camouflage to hide itself is deploying obscurity, and many
>> animals do. Human militaries have also successfully deployed obscurity
>> via camouflage. Anybody using a firewall to block inbound ICMP pings
>> is deploying obscurity.
>>
>> When applied more generally, the real point is that obscurity is not
>> sufficient to be relied upon alone. If the secret is discovered or
>> disclosed, you need some other defensive measure. For example, zebras
>> can also run very fast and kick, and camouflage tanks have big guns
>> and are able to escape fairly promptly over very rough terrain because
>> of their tracks rather than having wheels.
>>
>> Obscurity works well when it works, but fails absolutely when it fails.
>>
>> > Kids are taught how to use computers and the internet at a very young
>> > age nowadays.
>> >
>> > We have lawyers and signed agreements for a reason, when discussing
>> > commercially sensitive data, that is why NDAs exist.
>> >
>>
>> An NDA is actually "Security through obscurity". The secondary defence
>> is the consequence of being sued for breaching the NDA.
>>
>> > As for discussing how to commit fraud and other such things, don't be
>> > stupid.
>> >
>> > By all means discuss ways of preventing it though, plenty of discussions
>> > on both preventing fraud and other security methods have taken place on the
>> > various web hosting forums over the years.
>> >
>> > These were all public discussions.
>> >
>> > At the end of the day it all comes down to money and the team and or
>> > partners that you have involved with the business.
>> >
>> >
>> >
>> > --
>> > Chad Kelly
>> > Manager
>> > CPK Web Services
>> > web www.cpkws.com.au
>> > phone 03 9013 4853
>> >
>> > _______________________________________________
>> > AusNOG mailing list
>> > AusNOG at lists.ausnog.net
>> > http://lists.ausnog.net/mailman/listinfo/ausnog

