Rich Freeman on 15 Jan 2011 19:27:56 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Virtual Box will not recognize my USB printer (

On Sat, Jan 15, 2011 at 1:08 PM, Steve Slaughter
<> wrote:
> I think keeping some of the details of an otherwise well-engineered system
> secret can be part of a more in-depth security strategy.

I think it greatly depends on the situation, and the threat model.

I don't think it applies well to software - certainly not to software
that is distributed.  It is debatable how well it even applies to
things like military installations.  Sure, carefully screened
volunteers loyal to country may keep secrets pretty well, but after
decades can you really be sure that somebody hasn't talked to an
adversary about the layout of your underground bunker, or whatever?

The only obscurity I'd trust is systematic obscurity.  If you randomly
change the guard rotation every week, that is systematic obscurity.

I wouldn't consider either the iPhone or the Android OS to be
"obscure."  The full specifications for both are well-communicated to
the public.  In the case of android it is easily retrieved from a
website.  In the case of an iPhone it can be retrieved from the ROM of
any device that has been sold.  People put a lot of emphasis on source
code, but I suspect to determined attackers that the source only makes
modifications a little easier.

What is source anyway?  Source is just a verbose description of what a
program does.  Bytecode is less verbose, and machine code is even less
verbose.  Any way you slice it you still have a series of instructions
interpreted by a machine that operates according to a well-defined
specification.  They all can be modified, subverted, and
systematically scanned for weaknesses.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --