Protecting commercial ruby code with public/private key encryption

Lothar Scholz wrote:

Hello Steven,

> Lothar Scholz wrote:

The first rule of security is not to talk about security.

> Precisely the opposite:

For academics: yes.
For practical use: no.

Maybe I'm reading this wrong, but it looks as though you're saying
that not talking about it increases its security. If so... I think
we only need one counter argument: DeCSS. "Highly" secret and
pitifully simple to crack.

D

Lothar Scholz wrote:

> Lothar Scholz wrote:

The first rule of security is not to talk about security.

> Precisely the opposite:

For academics: yes.
For practical use: no.

Sorry, that's just wrong. I'm not an academic, and what I know about security is largely shaped by interacting with experts from large commercial providers and consumers of security technology (e.g., IBM and Wall Street).

For an amusing counterexample, see Secure Digital Music Initiative and Felten v. RIAA.

But let me put the burden of proof back on you. Can you name a single acknowledged security expert who says "the first rule of security is not to talk about security"? I can find plenty who say the opposite.

Steve

Hello Derek,

Maybe I'm reading this wrong, but it looks as though you're saying
that not talking about it increases its security. If so... I think
we only need one counter argument: DeCSS. "Highly" secret and
pitifully simple to crack.

With such a simple, stupid implementation that it can be written on
the back of your Wal-Mart bill.

I'm talking about serious implementations. How many people know what to
do if their debugger is not able to attach to a Windows process and
all the other ways to see into your process memory also fail?

Not that many.
And you think you can google the answer? No. Not that easy either.

So you have already caught a lot of the attackers on your first line of defense.
After this, if you still want a crack, you have to get the attention of
an experienced cracker, and that will cost months of time if you will
ever find one who thinks that this would give him fame and fortune.

Remember the topic of the thread. We are not really discussing security here,
at least that's not what I do. I'm talking about business rules to increase
the ROI of your development by taking more time to be cracked and making it
harder for people to use this without paying and harder for average people to
apply the crack to your program. That was the OP's question/intention.
I would guess that only 1% of this has something to do with a mathematical formula.


--
Best regards, emailto: scholz at scriptolutions dot com
Lothar Scholz http://www.ruby-ide.com
CTO Scriptolutions Ruby, PHP, Python IDEs

Steven Jenkins said:

But let me put the burden of proof back on you. Can you name a single
acknowledged security expert who says "the first rule of security is not
to talk about security"? I can find plenty who say the opposite.

I believe all Lothar was trying to say is that on an academic level it's
very right and proper to talk openly about security concepts, practices,
etc and to learn from each other, but as a commercial company hoping to
protect IP it's probably not wise to go about volunteering information
about your specific security mechanisms.

That's my read on it, anyway.

Thanks,
John

Lothar Scholz wrote:

Remember the topic of the thread. We are not really discussing security here,
at least that's not what I do. I'm talking about business rules to increase
the ROI of your development by taking more time to be cracked and making it
harder for people to use this without paying and harder for average people to
apply the crack to your program. That was the OP's question/intention.

In that case, public key encryption is way overkill. Just use AES, or any other random encryption scheme provided by the OS, with the key embedded in the binary. Or even use a trivial XOR scrambling.

Anyone who knows how to hack past that would be just as able to hack past a call to a public-key decryption routine.

mathew


--
<URL:http://www.pobox.com/~meta/>
          WE HAVE TACOS

But let me put the burden of proof back on you. Can you name a single
acknowledged security expert who says "the first rule of security is not
to talk about security"? I can find plenty who say the opposite.

I believe all Lothar was trying to say is that on an academic level it's
very right and proper to talk openly about security concepts, practices,
etc and to learn from each other, but as a commercial company hoping to
protect IP it's probably not wise to go about volunteering information
about your specific security mechanisms.

"protect security IP", wth is that supposed to mean?
If someone refuses to tell me how they implement security, I'm not going
to believe them that it's secure.

+--- Kero ------------------------- kero@chello@nl ---+

all the meaningless and empty words I spoke |
                      Promises -- The Cranberries |

+--- M38c --- http://members.chello.nl/k.vangelder ---+

Hello Kero,

"protect security IP", wth is that supposed to mean?
If someone refuses to tell me how they implement security, I'm not going
to believe them that it's secure.

It's not the goal to make you believe it's secure.

It's the goal to cost you time (and for many of us this means money)
to show us that it is not.


--
Best regards, emailto: scholz at scriptolutions dot com
Lothar Scholz http://www.ruby-ide.com
CTO Scriptolutions Ruby, PHP, Python IDEs

> "protect security IP", wth is that supposed to mean?
> If someone refuses to tell me how they implement security, I'm not going
> to believe them that it's secure.

It's not the goal to make you believe it's secure.

Myeah, I think I misunderstood what you meant (no security IP, but just
security to protect your own interests), but...

It's the goal to cost you time (and for many of us this means money)
to show us that it is not.

....how do *you* know it is secure :)

convincing yourself is easy, but that doesn't mean you're right.

and that's why you have to talk with smart ppl about it.
out in the open, you have the best chances to find them.

+--- Kero ------------------------- kero@chello@nl ---+

all the meaningless and empty words I spoke |
                      Promises -- The Cranberries |

+--- M38c --- http://members.chello.nl/k.vangelder ---+

Lothar Scholz wrote:

It's not the goal to make you believe it's secure.

It's the goal to cost you time (and for many of us this means money)
to show us that it is not.

Well, if that's your goal, you're a snake-oil company, not a security company.

mathew


--
<URL:http://www.pobox.com/~meta/>
          WE HAVE TACOS

It's not the goal to make you believe it's secure.

It's the goal to cost you time (and for many of us this means money)
to show us that it is not.

Well, if that's your goal, you're a snake-oil company, not a security
company.

That's what I misinterpreted at first. He isn't selling security.
He's just trying to protect [the source code] that he does sell.

+--- Kero ------------------------- kero@chello@nl ---+

all the meaningless and empty words I spoke |
                      Promises -- The Cranberries |

+--- M38c --- http://members.chello.nl/k.vangelder ---+