top | item 24787151

(no title)

danimal88 | 5 years ago

Its funny because the most hardcore in open source and security would argue that good techniques don't rely on obfuscation and secrets because those cats can get out of the bag. Never purrsonally subscribed to those as I agree with the cat and mouse perspective. Information assymetry is effective.

discuss

tptacek|5 years ago

People in security who say that categorically are betraying ignorance, because there are several "hardcore" settings in software security where the same dynamic --- attacker/defender cost competition occurring by degrees --- plays out. Anti-ATO, content protection, botnets, anti-DDOS, hardware platform security, just to rattle a few off my head.

The correct security objection is to obfuscation being deployed in settings where there are decisively effective controls that could be deployed instead: where it doesn't make sense to raise attacker costs by degrees, because those costs can be raised to intractable levels instead. I'd cite an example, but it would spawn a 500 comment thread about how Linux sysadmins manage their networks.