From: jamiel@sybase.com (Jamie Lawrence)
To: Chael Hall <nowhere@chaos.bsu.edu>
Message Hash: 227ce8e9b1ffde5b1462412f61493a286bbdf35e5f5d4b71bc0c23fdd87680eb
Message ID: <aa9e73b800021003070a@[130.214.233.15]>
Reply To: N/A
UTC Datetime: 1994-09-15 22:17:41 UTC
Raw Date: Thu, 15 Sep 94 15:17:41 PDT
Subject: Re: [CyberCash Media hype]

Uh, I was paraphrasing the conclusions of the article in
order to convey that the authors clearly have no clue about
security software. I (incorrectly) thought there was sufficient
sarcasm in my post to convey that.

Question - where did the below-highlighted opinion come from?

Also, I do disagree with your statement "security through
obscurity is no security at all." A rather high degree of
security can be had through obscurity, but it is often entirely
unpredictable whether or not a particular 'obscurity method'
will be secure or not (any 15 year old hiding cigarettes under
the bed can attest to that). I see this as an extension of the
principles underlying modern crypto - it could be that a factoring
attack on RSA is possible but really obscure. It is simply an
example of more predictable security through obscurity. Perhaps
I'm pushing definitions a little too far here.

At 2:45 PM 9/15/94, Chael Hall wrote:
>>
>>These are my favorite paragraphs.
>>
>>1) Proprietary == secure
>>
>>2) Understanding how it works == insecure
>
> I disagree. Proprietary is MORE secure, but security through
^^^^^^^^^^^^^^^^^^^^^^^^^^
>obscurity is no security at all. The only thing that does is separate
>the proverbial men from the boys. It keeps the idiots who think they
>can crack a system from touching it, but the people who know what they
>are doing will learn it rather quickly.
>
> Understanding how it works is also not necessarily insecure either.
>What about PGP? Would you rather use some proprietary method that may
>or may not have a backdoor or may not be as secure as it is touted to
>be? I prefer to use something that has been proven and tested.
>
>Chael
-j
--
"It's a question of semantics, and I've always been rather anti-
semantic." -Gene Simmons
___________________________________________________________________
Jamie Lawrence <foodie@netcom.com> <jamiel@sybase.com>