Linux Format forums

Re: Websites with transparent security

guy — Sat Feb 09, 2013 11:42 am

Author: guy

Posted: Sat Feb 09, 2013 11:42 am

Ho-hum, it's a quiet moment today:

Nelz wrote:

Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it.

I was rather under the impression that securing access to something is a great way to make it less easy to find.

AndyBaxman wrote:

guy wrote:

For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm.

Obscured suggests that something is accessible, but hidden. The private key in a PKI transaction should never be made available and, indeed, because of the nature of PKI, never needs to be.

No. Obscured means the relevant information is not accessible, e.g. a proprietary binary obscures the algorithm. That's exactly what makes the private key obscured - it is held where others cannot access it.

We must be careful not to treat the phrase "security through obscurity" as ideological dogma which gives meaning to the words which make it up - it is itself given meaning and context by the pre-existing meaning of the words within.

Fortunately we all agree on how to secure a system, and like all good techies we disagree on how to talk about it. I am tempted to make bad puns about obscure language, but my life calls me to get it back.

Re: Websites with transparent security

Anonymous — Sat Feb 09, 2013 7:53 am

Author: Anonymous

Posted: Sat Feb 09, 2013 7:53 am

The whole discussion if informative regarding data security point of view. Nelz and Admin opinions are appreciable to solve the said issue.
[spam link removed]

Re: Websites with transparent security

AndyBaxman — Thu Aug 16, 2012 4:50 pm

Author: AndyBaxman

Posted: Thu Aug 16, 2012 4:50 pm

nelz wrote:

Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it.

Indeed.

Like the three piggies painting their straw house to look like its made of brick.

Re: Websites with transparent security

AndyBaxman — Thu Aug 16, 2012 4:47 pm

Author: AndyBaxman

Posted: Thu Aug 16, 2012 4:47 pm

guy wrote:

Obscured suggests that something is accessible, but hidden. The private key in a PKI transaction should never be made available and, indeed, because of the nature of PKI, never needs to be.

Re: Websites with transparent security

guy — Thu Aug 16, 2012 4:39 pm

Author: guy

Posted: Thu Aug 16, 2012 4:39 pm

I thought that was what you meant.

Re: Websites with transparent security

nelz — Thu Aug 16, 2012 3:39 pm

Author: nelz

Posted: Thu Aug 16, 2012 3:39 pm

That's not what is generally meant by security through obscurity. When you send a PGP-encrypted email, there is nothing obscured about the security, it plainly states that the message is PGP encrypted. The message itself is encrypted, but not hidden, you can still see that there is an encrypted message there.

Security through obscurity relies on making the object you are hiding less easy to find, rather than securing access to it.

Re: Websites with transparent security

guy — Thu Aug 16, 2012 3:00 pm

Author: guy

Posted: Thu Aug 16, 2012 3:00 pm

nelz wrote:

how do you work that out? A great big locked door is not obscure, a small door with a poor lock hidden behind a curtain is the physical equivalent of security through obscurity.

The point of that quote, which a first heard from a cryptography professional, is that it is important for all affected to know that the method of securing the data really is secure. Millions of people know how PGP works, but not one of them has cracked it when used with a secure key.

So we descend to playing with meanings. If a message is encrypted and needs a private key to read it, does that encryption "obscure" the message? In my book, sure it does.

I used the phrase "Security through obscurity" with one meaning in mind, you replied with a more restricted meaning in mind.

For example I would regard a private encryption key as "obscured" because that's what "private" means. You would presumably say that you weren't referring to that, but to the more general software algorithm.

Many an encryption procedure has remained uncracked only because it was obscure. Of course, to ensure success the obscurity must not be compromised. But there are ways of reducing that risk.

Of such joys are flawed security arrangements made - whether or not you have a tame cryptographer on hand to trot out his favourite dogma. As you rightly point out, this is not a good approach for most Internet-facing software.

Re: Websites with transparent security

nelz — Thu Aug 16, 2012 8:32 am

Author: nelz

Posted: Thu Aug 16, 2012 8:32 am

I'd say that if they had to publish the information, they would never have used such an insecure method. Especially on a site with a large number of technically aware members. The hackers are going to find out anyway, the only people they are hiding the information from are the honest users who trust the organisation to do things properly, even when they do not.

Re: Websites with transparent security

leke — Thu Aug 16, 2012 6:51 am

Author: leke

Posted: Thu Aug 16, 2012 6:51 am

So let's take a real life example. If Linkedin would have had a security page that published that user passwords where stored as unsalted MD5 hashes, do you think they would have become an obvious target for hackers (before they where hacked and the hashes obtained), or would you say they would be bothered by their community to use a more secure system to secure password contents before the hack happened?

I think there is enough of a time-frame were the users can force a web-company make a change before hackers can obtain the hashes.

Re: Websites with transparent security

nelz — Wed Aug 15, 2012 11:20 pm

Author: nelz

Posted: Wed Aug 15, 2012 11:20 pm

how do you work that out? A great big locked door is not obscure, a small door with a poor lock hidden behind a curtain is the physical equivalent of security through obscurity.

The point of that quote, which a first heard from a cryptography professional, is that it is important for all affected to know that the method of securing the data really is secure. Millions of people know how PGP works, but not one of them has cracked it when used with a secure key.

Re: Websites with transparent security

guy — Wed Aug 15, 2012 9:54 pm

Author: guy

Posted: Wed Aug 15, 2012 9:54 pm

nelz wrote:

Security through obscurity is never good
...

"Keep ... the key secret".

Isn't that a contradiction in terms? The purpose of needing a key is to provide obscurity.

Re: Websites with transparent security

Nuke — Tue Aug 14, 2012 2:08 pm

Author: Nuke

Posted: Tue Aug 14, 2012 2:08 pm

Another point is that I have bank accounts with more than one bank, and one account I run purely for potentially dodgy deals, such as buying things over the Internet. I do not keep much in it, have a deliberately low overdraft limit, and my income is not paid into it. Moreover, it would not inconvenience me to pick up the phone and shut it down if I had to.

So if an on-line merchant rooks me over it, then, like bobthebob1234 the poor student earlier here, I would not lose much even if the Bank stone-walled over it.

PS It is with First Direct. I only opened it because they said they would pay me �50 if I did. Having opened it they also then sent me a crate of wine "in gratitude". I think they blundered into giving me two promotional gifts Best business I ever did. Funny, they have this "Go ahead" image but they were one of the last banks to offer Internet Banking.

TSB (now Lloyds TSB) were much earlier and I was told I was TSB's first on-line customer in SW England. It went through a special Windows app which I ran under OS/2. I was also told I was their only ever OS/2 customer (that they knew of anyway).

Re: Websites with transparent security

Nuke — Tue Aug 14, 2012 1:49 pm

Author: Nuke

Posted: Tue Aug 14, 2012 1:49 pm

Debian Acolyte wrote:

leke wrote:

Should websites be legally required to be transparent about how they store their user data?

I may be a little cynical, but as far as I am concerned, how they store data is irrelevant. What is important is what information they store.

No, Leke asked how they store it. What they store may (or may not) be more important, but that is a different question. There are things that you may have asked them to store such as your bank card details because you deal with them regularly. Maybe you don't yourself, but some of us do.

Debian Acolyte wrote:

I never have, and never shall, use on-line banking. I do not care how good a bank claims their security is. Banking and purchasing transactions require broadcasting sensitive information. The bank or store one is buying from and you, are not the only eyes on the internet.

Without knowing much about it I'm guessing that the bank's customer database is accessible from the internet anyway, even if your particular account is not flagged as activated for such use. They are hardly going to split their customer database into two parts just because some use Internet banking and some do not. So your not using it may not such a good barrier as you thought it was.

Are there actually any cases of hackers getting into someone's bank account other than the owner being careless with their passwords or card details, or them being stolen?

Anyway, I do not think banks are much of a problem - they would fall over themselves to restore things as they would not want a public panic. Small merchants are a bigger threat - you know, the ones who see your credit or debit card every time you buy something.

Re: Websites with transparent security

bobthebob1234 — Tue Aug 14, 2012 12:43 pm

Author: bobthebob1234

Posted: Tue Aug 14, 2012 12:43 pm

towy71 and others wrote:

I do not bank online.

But you are missing all the fun! 1 bank I use I have two passwords, and if I want to to move money to anyone else I get a fancy call from an automated voice which is all very exciting, and then I get texts and emails saying are you sure, then another bank I have 3 passwords and a weird calculator thing. Its all great fun and if you are a poor student like me you don't have much money for anyone to steal anyway!

And then I can tweet them when it all goes wrong*

* Thus revealing who I bank with to the world, in hopes that the spammers pick this up and send me phishing emails from the correct bank

Re: Websites with transparent security

leke — Tue Aug 14, 2012 11:00 am

Author: leke

Posted: Tue Aug 14, 2012 11:00 am

My bank issues us with a card containing key => values, so when we try to pay a bill we have to enter one from our issued card. It seems the system was recently open to trickery though. It looks like something was changing the account number on the bill upon submission. The guy didn't check the payee's account number on the returning SMS (SMS is only issued when suspicion arises) and sent his money to another account.