Bugtraq archives for 4th quarter (Oct-Dec) 1994: Re: Security through obscurity, etc.

Re: Security through obscurity, etc.

Leo Bicknell (bicknellussenterprise.async.vt.edu)
Tue, 13 Dec 1994 15:27:15 -0500 (EST)

> The difference is too large to even argue about.  A CERT advisory doesn't 
> give root to someone on any unprotected system on the Internet.  Perhaps 
> 1 in 10 people will figure out the problem, would you rather have 10 out 
> of 10 people be guaranteed to?

	It doesn't matter if 1 in 10, or 10 in 10, can get into your
site as root.  One person with root access can, in one command,
obliterate everything on your system.

	Frankly, I look at it this way.  If the advisory doesn't tell
you specifically what the problem is, someone will have to go look for
it.  If they look and find it, this tells me they have some
intelligence/experience -- i.e. they might be able to cover up their tracks,
at least for a little while.  With exploit scripts the odds are some
bozo who doesn't know what it is will run it wrong and you'll notice
right away because it's such a botched attempt.

	If one person knows how to get root on my site, I want to know
too.  And if that means that 10 other people learn in the process
that's ok, because knowing is the only way I'll be able to stop that
first person from doing something I don't want them to do.  Keeping
people in the dark only keeps those who don't already know from
finding out.  Those who do already know are still just as dangerous
(if not more so because no one is looking for them).

	Also, vendors are (in a relative sense) slow to fix problems.
As bad as it may sound, things will get fixed a lot faster if someone
breaks into 50 of vendor x's systems and makes the news.  I've seen
vendors not release a patch for months because "no one knew about it".
Perhaps a newspaper headline like "50 sites running x wiped out last
night" would make them work a little faster.  Of course, I wouldn't
want it to be my site, but that's a risk you run being on the
Internet; at any moment you might be destroyed.

-- 
Leo Bicknell - bicknellvt.edu                     | Make a little birdhouse
               bicknellcsugrad.cs.vt.edu          | in your soul......
               bicknellussenterprise.async.vt.edu | They Might
http://ussenterprise.async.vt.edu/~bicknell/       | Be Giants