Published – Security by Obscurity, and FDCC

In case I actually have any fans that are interested in things I’ve written outside of this blog (must be sick people)… I recently contributed a sidebar to the cover story of this month’s TechNet Magazine: Hiding in Plain Sight – Security By Obscurity. Jesper Johansson and Roger Grimes wrote the main point/counterpoint, to which Steve Riley and I contributed further debate. (By the way: Roger is right. Jesper and Steve are wrong. 🙂)

I’ve also been keeping busy helping US Federal government customers with the implementation of the Federal Desktop Core Configuration.  My fingerprints can be seen in various posts on our FDCC blog where I’ve published some utilities for managing Local Group Policy, and presented some webcasts, too.

Comments (1)

  1. zzz says:

    Funny article. Jesper is entirely right here. I would’ve liked to see more discussion on not actually using passwords at all, because you need that 100 char password for security, and writing it down isn’t a good option either.

    The only reasonable security solution I can see is using both a 20+ char PIN and some additional binary key blob on a USB stick or something.

    It should be secure enough that you just log in once and then you can access everything (incl. banks & every internet forum etc.), and if you move away from the computer it detects this and logs you out, even if you forget the USB stick, which alone isn’t of use.

    [Aaron Margosis] No, Jesper is wrong! 🙂 But, for what it’s worth, Jesper disagrees with you (as do I) about writing down passwords. He got a lot of press attention a few years ago when he mentioned in a presentation that writing down a password (and — critically important — properly protecting the thing you write it down on) is one useful and valuable way to enable strong passwords.

    But, discussion of other techniques for hack-proofing accounts would have been out of scope. The purpose of the article wasn’t so much about specific techniques as it was about “security by obscurity”. Reducing attack surface by (for example) requiring possession of a physical object to log on does reduce the number of ways that an attacker can compromise a system. Security by obscurity is completely different — it does not change the number of interfaces into a system. If the attacker knows where to look, “security by obscurity” is effort wasted for no gain at all. But quite often (as Roger’s data convincingly shows), the attacker doesn’t know to look in a non-standard place. SBO should not be relied on as a sole defense, but if used appropriately it can reduce the likelihood of successful attack.