Uh, I was paraphrasing the conclusions of the article in order to convey that the authors clearly have no clue about security software. I (incorrectly) thought there was sufficient sarcasm in my post to convey that. Question - where did the below-highlighted opinion come from?

Also, I do disagree with your statement "security through obscurity is no security at all." A rather high degree of security can be had through obscurity, but it is often entirely unpredictable whether or not a particular 'obscurity method' will be secure or not (any 15 year old hiding cigarettes under the bed can attest to that). I see this as an extension of the principles underlying modern crypto - it could be that a factoring attack on RSA is possible but really obscure. It is simply an example of more predictable security through obscurity. Perhaps I'm pushing definitions a little too far here.

At 2:45 PM 9/15/94, Chael Hall wrote:
These are my favorite paragraphs.
1) Proprietary == secure
2) Understanding how it works == insecure
I disagree. Proprietary is MORE secure, but security through
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
obscurity is no security at all. The only thing that does is separate the proverbial men from the boys. It keeps the idiots who think they can crack a system from touching it, but the people who know what they are doing will learn it rather quickly.
Understanding how it works is also not necessarily insecure either. What about PGP? Would you rather use some proprietary method that may or may not have a backdoor or may not be as secure as it is touted to be? I prefer to use something that has been proven and tested.
Chael
-j
--
"It's a question of semantics, and I've always been rather anti-semantic." -Gene Simmons
___________________________________________________________________
Jamie Lawrence <foodie@netcom.com> <jamiel@sybase.com>