Much of this thread would disappear if people used hard numbers instead of opinions. Brian Hatch <bugtraq@ifokr.org> wrote: > People keep saying "but it won't stop everything", and that's true. Exactly. Even DES isn't "perfectly" secure, (i.e. unbreakable). It *obfuscates* the data, but does not *secure* it. The benefit of DES is that it has a provable level of obfuscation. This takes the security versus obscurity argument from the realm of personal opinion to one of quantitative statements. We should have a similar goal for this discussion. > But since when have we turned down a security procedure that is > not a silver bullet against all evils? I'd love to make it harder > for worms to attack my systems. I'd love for them to take longer > to break into the machines down the hall. That means things will > spread slower, and we can stop the damage quicker. Why is this bad? It's not. But many people are of the opinion that if a solution isn't perfect, then it's not "secure". They can then argue that no security is somehow "better" than an imperfect system. The problem with those kinds of arguments is that they don't define the terms used, or what basis is used for the measurements. The appropriate response is to ignore personal opinions, and instead ask for clarifications of terms like "useful", or "better". If attacks can be trivially re-written to work around rebasing, then it's obvious that rebasing changes the form of the attack, but not it's potential to succeed. If rebasing means that attacks have provably a lower probability of succeeding, then it's obvious that rebasing gives some additional level of obfuscation, which is generally called "security". > ... any administrator who has such a "mental" vulnerability probably > has several other non-rebasing related vulnerabilities on their > servers anyway. They probably think that a firewall stops all > attacks, so wouldn't bother rebasing in the first place. This is > not a satisfying argument against rebasing. It's an ad-hominem attack with no substance. "Stupid people use your solution, therefore your solution doesn't help." Security analysis of algorithms has always been done on the assumption of perfect implementation. Analysis of implementation or deployment/configuration bugs is a seperate analysis. Alan DeKok.
