Security through obscurity meaning1/9/2024 ![]() Remember that just because the ticket format has been discovered by the students does not mean others have not already done so and used it for less than honest purposes. Kudos and credit to the students for not only discovering the public transport ticket format and “encryption” mechanism (if true encryption was actually ever used) but revealing it in a responsible (or “white hat”) manner, such as by allowing the targeted state to reveal itself. That said, there is little impetus to improve computer security without people willing to push the boundaries of systems and reveal flaws. See Bruce Schneier’s “Liars and Outliers” for more discussion. Although most people recognise computer security is important, the first reaction of most when confronted with a security warning is to ignore or bypass it. After all, social engineering attacks are behind many of the headline grabbing computer security incidents over the last few years, such as Operation Aurora and Stuxnet. Others take a different direction and focus on the sociology and behavioural patterns behind security. See Bruce Schneier’s “ Schneier on Security” or “ Freakonomics” by Steven D. Similarly, most software is sold “as is”, meaning the customer assumes all the risk. However, if the customer cannot differentiate the security (or quality) of two otherwise seemingly identical products, the cheaper (and likely less secure) product will win. ![]() That said, computer security practitioners eventually realise it is a matter of economics instead – as Allan Schiffman said in 2004, “ amateurs study cryptography professionals study economics.” It is not that we do not know how to build secure systems. A plethora of software security tools are also available with interesting and technical sounding names like “static analysis tools” and “fuzzers”. If we build more secure encryption systems if we fix every buffer overflow and every injection attack if every object has the appropriate authentication, access control, auditing and so on, the “bad guys” will be helpless.Ī lot of progress has been made in improving computer security. Organizations like OWASP and SAFECode provide software security guidance for software developers. Many vendors provide frameworks, such as Microsoft’s Security Development Lifecycle, and software patching is a regular occurrence. The US government has FIPS 140-2, a standard for hardware or software that performs cryptography, and Common Criteria is an attempt by multiple governments to provide a framework for software security assurance. When people initially approach computer security, they start at cryptography and software security. The programmers knew that two digit years were not going to work after the century changed but why should the manager responsible spend resources to fix it when he or she is unlikely to be around in the year 2000 to take credit for the work? The customer and management decided the security provided was sufficient. Ultimately, poor computer security for the public transport ticket system is not the programmers’ or engineers’ fault. These are as true now in computer security, particularly cryptography and encryption, as they were then. Over half a century later, Claude Shannon rephrased it as assume “the enemy knows the system”, called Shannon’s Maxim. This became known as Kerckhoff’s principle. ![]() In 1883, Auguste Kerckhoff theorised that the only truly secure parts about a system (computerized or otherwise) were the hidden or secret parts. Security through obscurity is not a new concept. In other words, it relied on “ security through obscurity“. The public transport ticket format’s security relied on people not knowing the format of data on the ticket’s magnetic stripe and not having access to equipment to create tickets. A group of Australian university students recently “ cracked” the “encryption” used by public transport tickets in New South Wales (NSW), Australia.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |