The opening up of the mobile industry is great news for application developers but not so good for IT security professionals, according to experts. For example, Symbian, the single most widely used mobile software platform, has already wrestled with the dangers of openness to third-party developers, said Khoi Nguyen, group product manager in mobile security at Symantec. Symbian 7 and 8 were fairly open and allowed almost any application to be installed and run. This led to a few hundred viruses being introduced within a couple of years, so Symbian 9 was locked down significantly, he said.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2006-02-05
I am not saying that. If you are implementing a security system, it is better if potential attackers do not know what you are using then if they do. What is more important then that is that the system is inherently secure, but all things being equal, it is better if they do not know how it works then if they know.
Also, just because something is published, does not mean the peer review is really worth anything. I would go out on a limb and say I would be willing to put down money that at least 90% of open source code is not peer reviewed by anyone with any level of competence. There are some shining exceptions to this (like openbsd for example), but most of the source code I have read off the net has been fairly average in quality, compared to what I have seen from inside companies throughout my career, and I have worked at several places that did not implement automated testing or peer reviews. Anyone who publishes security code that is not reviewed is only making it easier for the bad guys to identify attack vectors.
Member since:2007-09-06
I didn't intend to suggest that all open source is more secure because it gets exhaustive peer review. There is some truth to that with active projects but it's still not a universal truth. In terms of chryptography and thigns designed for the security field, peer review is very important. Do I trust that IPS system X is rock solid because one company told me so or because one company plus everyone in the security and cryptography industries told me so?
Regarding your first point and with all things being equal, someone with intent is going to learn your system. If I'm contracted to audit the security of a company, I'll learn whatever they use and negate any obscurity they are putting value in. With an amateur, not knowing how your system works may be the thing that makes them interested os it's actually reducing your security overall by attracting attack.
Overally, I just can't accept any improved security based on obscuring part of your mechanisms. That may be my limitation but that's how it is until I find solid reason to believe otherwise.
Member since:
2007-09-06
Knowing how the mechanism works does not make it less secure. It only means that peer review can figure out how to make it better.
SSL; open source yet it still works pretty damn well, why has that not been invalidated (other than Debian's meddling where Crypto experts should have been consulted).
Safe locks; known yet still secure
Key locks; known, still secure
PAM; source is out there, security isn't compromised by that
Cryptography research; a purely open science valueing peer review. This is not by accident but by the understanding that it results in better crypo.
You should be able to publish the blueprints of your security mechanism and still not allow anyone to walk through it without having a valid authentication key. Keeping that key safe is not obscurity either. It's not that I have an SSL certificate hidden some place that makes it secure, it's that breaking the encryption it provides will take you so long that the information is no longer relevant by the time you get it. Keeping your keys in your pocket is not obfuscation, it's keeping your personal authentication with you and safe so you can use it in the security mechanism on your front door when you get home that night.