Free Republic

To: my3centseuro
Microsoft also believes security through obscurity does not work.

That is a true statement. More specifically...

Never Depend On Security Through Obscurity Alone

Always assume that an attacker knows everything that you know - assume the attacker has access to all source code and all designs. Even if this is not true, it is trivially easy for an attacker to determine obscured information. Other parts of this book show many examples of how such information can be found. Obscurity is a useful defense, so long as it is not your only defense. In other words, it's quite valid to use obscurity as a small part of an overall defense in depth strategy.

- P. 66, Writing Secure Code, 2nd Ed., by Howard & LeBlanc (Microsoft Corporation)

This "Security Through Obscurity" strawman that you and others are arguing against, while amusingly easy to criticize, has no basis in reality. MS doesn't hide its code to enhance security. It was hiding its code long before security was a big issue. Closed source is part of their overall strategy as a proprietary software vendor. They're acting no differently than other closed-source vendors.

150 posted on 07/26/2003 1:02:25 PM PDT by TheEngineer


To: TheEngineer
I agree with you 100%. My original post was written to argue against the fact that basing security on obscurity is bad. I never said you should have no obscurity. We do all kinds of things to secure ourselves just a little bit more by adding elements of obscurity. If nothing else, it deters a large number of attackers. My argument is against basing our security policy on obscurity.

I can post a sign in front of my house that I have an alarm system, and it would deter most burglars. But if I rely on that sign to protect me, then I would be making a big mistake. (I could use it to beat them over the head, I suppose.)

The fact is, the more people can see a piece of code and can study it for vulnerabilities, the better. At our company we force engineers to have all of their code peer reviewed before it becomes part of the product. This is because other people can see problems that we cannot obviously see.

Many of our customers employ "ethical hackers" to look for vulnerabilities in our products. The "ethical hackers" will first try everything in their playbook to probe for vulnerabilities. They then ask for source code to look for areas to try to exploit. This is very valuable in finding issues.

Open source by its nature encourages this without even having to pay anyone to do it :-) Again, I agree with you that obscurity has a place in security but it cannot be the base for your security strategy.

I even agree with Golden Eagle on most of the things he has posted, even though they are slanted toward "If it is MS it must be good; if it's open source then it must be vulnerable since everyone can see it."

155 posted on 07/26/2003 4:27:14 PM PDT by my3centseuro


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson