Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: Golden Eagle; ikka
Actually, people who work in the field of security usually assume that the attacker knows the full details of how the system works. "Security through obscurity" is a bad idea. The idea is that even if someone knows the entire mechanism or procedure, they still cannot break it due to its safeguards.

Further, that the code is published means that everyone is free to audit it, including the NSA (which produced its own set of patches for Linux and ended up doing their own Linux distribution and made it freely available).

If the WH were using Windows XP, they would not have the ability to view the source code, and under US law could not decompile it to assure themselves it was working correctly.

Your entire post is basically incorrect.

Actually, the bulk of it is right on the money.

You say "security through obscurity is a bad idea." No, it's not, it's the basis of the entire "classification" system of the US Government. I know because I have worked there.

The "security through obscurity" idea is deeply flawed, and the example you cite relies only marginally on StO practices in that certain data is kept classified and certain terms are deemed classified entirely or when used in concert with other terms. However, the means of keeping it classified is not via StO practices but thoroughly reviewed and openly-tested means of security.

Bottom line: Security through Obscurity Isn't. If it was, then Microsoft wouldn't be leading the pack in terms of having the most worm- and trojan-friendly OS and applications out there. As it stands, it does...even though its product is closed-source.

You bring up the NSA Linux, but failed to provide the hyperlink.

Haven't we had this discussion before? I know I provided you a link then, but I'll provide it again.

http://www.nsa.gov/selinux/

As soon as you provide it, I will use, cut copy and paste right from it and post back on here where it says it is NOT a security solution for Linux.

To quote from the site:

This work is not intended as a complete security solution for Linux. Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux.

Essentially it provides a version of Linux that possesses mandatory access control (a system-wide chrooted jail if you will) for all processes and files (since UNIX treats everything as a file, this is actually quite important).

Sure, it's not the be-all/end-all of security solutions, but it's a far cry better than what Microsoft has to offer. Hell, that OS coughs up system-wide control at the drop of a hat.

The White House very well could request to review the source of XP, which they may or may not have done.

What would be the point? So the White House could direct its tech professionals to strip the Windows OS down to the point that it no longer resembles the XP with which the rest of the populace has to suffer? Besides, Microsoft itself has already admitted to fundamental flaws in its code base that spans all versions of Windows. The flaws are so fundamental that Microsoft itself has stated that they cannot fix them.

Doesn't exactly leave me with a sense of confidence in Microsoft's closed-source "security"...

-Jay

84 posted on 07/26/2003 12:39:05 AM PDT by Jay D. Dyson (Threaten me? That's life. Threaten my loved ones? That's death.)
[ Post Reply | Private Reply | To 48 | View Replies ]
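
The confinement described in the quoted NSA text in post 84, as an added example that is not part of the original posts and is not SELinux code: a simplified Python model contrasting a discretionary check, which the superuser always passes, with a default-deny label check that ignores uid. The labels, allow rules and file modes are constructed for illustration.

```python
# Simplified model (not SELinux code): a discretionary check, where uid 0
# bypasses file permissions, next to a type-enforcement style check, where
# every access must match an explicit allow rule regardless of uid.
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str   # MAC label of the process (constructed, e.g. "httpd_t")

@dataclass(frozen=True)
class File:
    owner: int
    mode: int     # classic permission bits, e.g. 0o600
    ftype: str    # MAC label of the object (constructed, e.g. "shadow_t")

# Constructed sample policy: (source domain, target type, permission).
# Anything not listed is denied.
ALLOW = {
    ("httpd_t", "httpd_content_t", "read"),
    ("httpd_t", "httpd_log_t", "append"),
    ("passwd_t", "shadow_t", "read"),
    ("passwd_t", "shadow_t", "write"),
}

def dac_allows(p, f, perm):
    """Owner/other mode-bit check (group bits omitted); root is never refused."""
    if p.uid == 0:
        return True
    bit = {"read": 4, "write": 2, "append": 2}[perm]
    shift = 6 if p.uid == f.owner else 0
    return bool((f.mode >> shift) & bit)

def mac_allows(p, f, perm, policy=ALLOW):
    """Default-deny lookup keyed on labels; uid plays no part."""
    return (p.domain, f.ftype, perm) in policy

def access(p, f, perm):
    """Both layers must agree, as when MAC is layered over DAC."""
    return dac_allows(p, f, perm) and mac_allows(p, f, perm)

# Constructed scenario: two root processes in different domains.
web_root = Process(uid=0, domain="httpd_t")
passwd_tool = Process(uid=0, domain="passwd_t")
shadow = File(owner=0, mode=0o600, ftype="shadow_t")
page = File(owner=0, mode=0o644, ftype="httpd_content_t")
```

Under this model a compromised root web server can still read its own content but not the password file, because no rule connects its domain to that file's label.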


To: Jay D. Dyson
Again, as I asked the previous poster, if you do not feel "security by obscurity" is an acceptable model for security, please post your name, birthdate, SSN and bank account information for us. I may not even care to read it, but you will from that point on have no idea of who did.
85 posted on 07/26/2003 12:42:45 AM PDT by Golden Eagle
[ Post Reply | Private Reply | To 84 | View Replies ]

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson