
Re: Small Bug



"Guy's Account" <guy@interlog.com> writes:

> This is not security by obscurity.  It is long-established practice.

It might well be "long-established practice". But I still agree with
Marcus that it (usually) is security by obscurity.

To get a little further, I'll try to define "security by obscurity".

We have some information (in this case, user names), that the security
model considers as "public knowledge". This means that the security
model admits that a serious attacker is likely to have some or all of
this information handy before mounting an attack. For instance, she
might have scanned related mailing lists or webpages for
email-addresses, obtained lists of standard usernames that are
installed by default by the operating system or other popular
components, or socialized with some of the users.

This is also a question of user expectations; we usually try to
educate users that passwords are secret, but we don't say that
usernames are secret (and I suspect the latter would be quite a hard
task. "If my password is secret and my user name is also secret, why
do I need both?").

To say, in the security model, that some information is "public
knowledge" is a way to express that we don't want security to depend
on the information being kept secret. We want the system to be secure
enough (whatever that happens to mean to us) even if the attacker has
been able to get all the "public information".

I'd define "obscurity" as any steps taken in order to keep
information, which is classified as "public information" in the
security model, secret from attackers (or even secret from ordinary
users).

Note that, by this definition, "security by obscurity" is a
contradiction in terms; on one hand we assume that attackers *already*
know the "obscured" information, on the other hand we're trying to
keep it secret.

/Niels

> > The user login name is often very exposed, for example in email addresses,
> > log files etc. If you already have an account, you can usually just list
> > /home to get all user names of a system.
> 
> But the problem pointed out allows an attacker *without* an account to gain
> information.
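The distinction drawn in this message, a user name that the security model treats as public versus a login path that accidentally treats it as secret, can be made concrete with a small authenticator. The following is an added example, not code from the original thread or from the project under discussion; the user table, the function names `login_leaky`, `login_uniform` and `distinguishes_unknown_user`, and the choice of PBKDF2 as the password hash are all constructed for illustration. The first login function returns a different message when the user name does not exist, so someone without an account can learn which names are valid. The second verifies a dummy credential for unknown names and returns one message in every failure case, so the user name can be public without weakening anything.

```python
"""Leaky versus uniform login checks (added example, not the project's code)."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor used in this example


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (illustrative hash choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user table: name -> (salt, stored hash).
_SALT_ALICE = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice": (_SALT_ALICE, _hash("correct horse", _SALT_ALICE)),
}

# Dummy credential verified when the name is unknown, so the same amount
# of work is done whether or not the user exists (no timing signal either).
_DUMMY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Behaves as if the user name were secret: two distinct error messages,
    and no hashing at all for unknown names, which leaks name existence."""
    if username not in USERS:
        return (False, "no such user")
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return (True, "ok")
    return (False, "wrong password")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Treats the user name as public knowledge: one failure message, and
    the same hashing work whether the name exists or not."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and username in USERS:
        return (True, "ok")
    return (False, "login failed")


def distinguishes_unknown_user(login) -> bool:
    """Check whether a login function reveals that a name does not exist by
    comparing its response for an unknown name with its response for a
    known name and wrong password."""
    _, msg_unknown = login("nobody", "x")
    _, msg_wrong = login("alice", "x")
    return msg_unknown != msg_wrong


if __name__ == "__main__":
    print("leaky login reveals unknown names:", distinguishes_unknown_user(login_leaky))
    print("uniform login reveals unknown names:", distinguishes_unknown_user(login_uniform))
```

The `distinguishes_unknown_user` check is the kind of test a reviewer can run against any login path: if the answer for an unknown name differs from the answer for a wrong password, the user name has become part of the secret, which is exactly the mismatch with the security model described above.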

