But what techniques you are using to implement them are. If you know exactly how security is implemented, that knowledge is better to have than not to have when attacking it. If that is all that is protecting you, it isn't enough. But a well implemented security scheme that nobody knows of is more secure than a well implemented security scheme that everyone has the source code to.
Knowing how the mechanism works does not make it less secure. It only means that peer review can figure out how to make it better.
SSL; open source yet it still works pretty damn well, why has that not been invalidated (other than Debian's meddling where Crypto experts should have been consulted).
Safe locks; known yet still secure
Key locks; known, still secure
PAM; source is out there, security isn't compromised by that
Cryptography research; a purely open science valuing peer review. This is not by accident but by the understanding that it results in better crypto.
You should be able to publish the blueprints of your security mechanism and still not allow anyone to walk through it without having a valid authentication key. Keeping that key safe is not obscurity either. It's not that I have an SSL certificate hidden some place that makes it secure, it's that breaking the encryption it provides will take you so long that the information is no longer relevant by the time you get it. Keeping your keys in your pocket is not obfuscation, it's keeping your personal authentication with you and safe so you can use it in the security mechanism on your front door when you get home that night.
You are correct to direct the discussion towards the matter of underlying definitions. (Many a lengthy forum thread actually comes down to the simple matter of a lack of agreement upon definitions.)
In this case, I think that it makes sense to examine "the definition" you refer to. My point is this: There is nothing fundamentally different about "credentials" and "obscurity". It is a matter of degree. The effectiveness of passwords depends entirely upon their obscurity. In effect, passwords often have a high enough level of obscurity to be considered good security. The point at which that line is crossed is a matter of opinion. But it's still "obscurity" on both sides of it.
Edited 2008-09-13 16:25 UTC
Cryptographic secrets are, by definition, not security through obscurity. Trying to argue otherwise is just making up your own definitions.
Edited 2008-09-12 18:57 UTC