[e2e] security through obscurity *does* work - keep an open mind...

David P. Reed dpreed at reed.com
Mon Feb 13 11:36:10 PST 2006


Scott Boone wrote:

>[ insert anecdote about "why security through
>  obscurity doesn't work" here ]
>
Actually, cryptography is merely "security through obscurity". The 
only issue is the work factor involved.

It's perfectly reasonable, IMHO, to use precise timing correlation 
filters vs. keyed sequence filters (e.g., PR sequences generated 
algorithmically from a key that has relatively low entropy generated 
from a 6-8 character mnemonic password) as the mechanism to raise the 
work factor.

There's no a priori reason that precisely controllable timing can't 
generate high robustness against attacks. Remember that DDoS attacks, 
for example, gain some of their power by synchronization, so limiting 
the ability to synchronize collective action would raise the work factor 
threshold for DDoS.

Reasoning by slogan is dangerous - that's more or less how we end up 
with MD5 being viewed as "secure" as it was...

Or those who are ignorant of evanescent waves saying such boners as "you 
can't tap optical fibers without detection because you have to break 
them; you can't inject signals into optical fibers without detection 
because that can only be done at the endpoints". Such scientific 
ignorance provides no protection at all...
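
A toy model of the keyed timing filter the message sketches, added here as an illustration and not code from the original post or from the list: a key stretched from a short mnemonic password drives a pseudorandom sequence of "open" time slots, the filter admits only traffic landing in the open slot, and the work factor for a sender without the key is bounded by the password space. The 10 ms slots, 64-slot frames, PBKDF2 stretching and 36-character alphabet are assumptions.

```python
import hashlib
import hmac
import math

SLOT_MS = 10          # assumed width of one timing slot, in milliseconds
SLOTS_PER_FRAME = 64  # assumed frame of 640 ms; exactly one slot per frame is open

def derive_key(password: str, salt: bytes = b"constructed-salt") -> bytes:
    """Stretch a short mnemonic password into a filter key (assumed: PBKDF2-SHA256, 100k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def open_slot(key: bytes, frame: int) -> int:
    """Keyed PR sequence: the HMAC of the frame number selects which slot is open in that frame."""
    digest = hmac.new(key, frame.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % SLOTS_PER_FRAME

def admits(key: bytes, arrival_ms: int) -> bool:
    """Timing correlation filter: admit only if the arrival time falls in the frame's open slot."""
    frame, offset_ms = divmod(arrival_ms, SLOT_MS * SLOTS_PER_FRAME)
    return offset_ms // SLOT_MS == open_slot(key, frame)

def legit_send_time(key: bytes, frame: int) -> int:
    """A key holder computes when to send: the midpoint of the open slot of the given frame."""
    return frame * SLOT_MS * SLOTS_PER_FRAME + open_slot(key, frame) * SLOT_MS + SLOT_MS // 2

def blind_flood_fraction(key: bytes, frames: int) -> float:
    """Fraction admitted for a sender without the key that fires once in every slot of every frame."""
    total = admitted = 0
    for frame in range(frames):
        for slot in range(SLOTS_PER_FRAME):
            total += 1
            admitted += admits(key, frame * SLOT_MS * SLOTS_PER_FRAME + slot * SLOT_MS)
    return admitted / total

def password_work_bits(length: int, alphabet: int = 36) -> float:
    """The real work factor is the password space (log2 guesses), not the HMAC key length."""
    return length * math.log2(alphabet)
```

The blind flood gets exactly one admitted packet per frame, so the unsynchronized sender is cut to 1/64 of its rate, while the 6-8 character mnemonic caps the defence at roughly 31-41 bits of guessing work regardless of the 256-bit derived key.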


More information about the end2end-interest mailing list