On 07/24/2009 03:21 PM, Matthew Woehlke wrote:
> Why is it people seem to have a problem with obscurity *on top of*
> security? What's wrong with making it as hard as possible for the "bad
> guys"?

It's well known that "security through obscurity" is an insufficient defense. Only fools would rely on obscurity for strong security. Some have taken that to mean that only fools employ obscurity as part of their security.

In nearly all cases that anybody here will be asked to deal with, attackers have more than one potential target and will take the lowest-cost path to achieve their ends. Obscurity increases costs.

Getting a strong safe with a good lock is important if you're going to keep your gold in your house. Burying that safe in the back yard or behind a wall increases the amount of time it will take a good safe-cracker to get your gold, by varying amounts. He's only got so much time since your alarm system already called the cops, so if you make him spend that time finding the safe, he has less time to crack it.

But the costs aren't only for the safe cracker. If you've buried that safe in the back yard, it's going to be a bitch to get the gold out when you need it. Same with DROP'ing packets - it makes network management and troubleshooting harder. So, more people will opt for a hidden wall-mounted safe and not put a sign on their front door that reads, "the safe is under the bar in the study". Even if it's got an awesome lock.

I use layered firewalls, encrypt my disks, keep my software up-to-date, REJECT connections, respond to pings, and I'm not telling you where my gold is hidden. ;) Those are the right trade-offs for my situation, YMMV.

-Bill

--
Bill McGonigle, Owner
BFC Computing, LLC
http://www.bfccomputing.com/
Work: 603.448.4440
Home: 603.448.1668
Cell: 603.252.2606
Page: 603.442.1833
Twitter, etc.: bill_mcgonigle
Email, IM, VOIP: bill@xxxxxxxxxxxxxxxx
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf