But what techniques you are using to implement them are. If you know exactly how security is implemented, that knowledge is better to have than not to have when attacking it. If that is all that is protecting you, it isn't enough. But a well implemented security scheme that nobody knows of is more secure than a well implemented security scheme that everyone has the source code to.
You are correct to direct the discussion towards the matter of underlying definitions. (Many a lengthy forum thread actually comes down to the simple matter of a lack of agreement upon definitions.)
In this case, I think that it makes sense to examine "the definition" you refer to. My point is this: There is nothing fundamentally different about "credentials" and "obscurity". It is a matter of degree. The effectiveness of passwords depends entirely upon their obscurity. In effect, passwords often have a high enough level of obscurity to be considered good security. The point at which that line is crossed is a matter of opinion. But it's still "obscurity" on both sides of it.
Edited 2008-09-13 16:25 UTC
Good security is indeed a layered approach but putting obscurity anywhere in the official strategy only reduces your overall security posture. If you want to tack on obscurity after the security strategy is confirmed then by all means, enjoy the blue icing on top but, here's the thing as I see it.
Obscurity is only of use to the attacker and has no place in the official defense policy; it's too short lived. When you are the outsider, you want to remain hidden and sneaky, and until you're found with your eyes covered crouched behind a tree saying "you can't see me".. it's all good. The gig is up once you're detected, so obscurity is the attacker's entire world.
On the other hand, you still have to defend when your obscurity is blown. Anyone coming into your network or device is going to be looking for what you have hidden:
"oh look, they have a clear IDS/IPS on the wire.. good for them.. we'll just step around that and continue on".. now your obscure detection device is useless.
"Say, that's an interesting obscure OS they are using but I really want to get in so I'll have to learn it".. and, your nifty mainframe or obscure software platform is useless.
"Say, this software is only available as a binary.. where's my binary auditing tools".. and your security through keeping source code obscure is useless. The police search your house and you have bad stuff hidden; they'll find it and you're screwed.
Your child figures out how to open door handles; time for child proofing locks for real security.
If you're including obscurity in your security planning with the idea that it is increasing your potential security posture in any way, you're already begging failure. Obscurity on the part of the defender in a computer network is nothing more than "security theater"; it's feeling safe instead of actually being safe.
It may not be fully applicable to this article being that the point is platforms trusting any third party program thrown at it without having a strong approach to security from the ground up. In general though, it's just bad planning to think that hiding stuff makes you safer.
Edited 2008-09-12 20:04 UTC
Ah yes. The "false sense of security" non-argument that I often see employed when there is no real argument to make. (I know I've scored a point when people are forced to fall back to using it.) If you have an otherwise solid plan in place, adding anything that the attacker might not happen to know about can only make it harder for him. Layering security already implies that you don't trust any layer completely. All things being equal, security Plan X + Obscurity is always going to be more secure than Plan X by itself.
Actually "security through obscurity is a myth" is a myth. Good security is layered. Obscurity can legitimately be one of those layers. (What are passwords if not security through obscurity?) Security *solely* through obscurity has been shown to be inadequate. But the old adage which you quote goes further, and is wrong.
Edited 2008-09-12 17:49 UTC