[e2e] security through obscurity *does* work - keep an open mind...
David P. Reed
dpreed at reed.com
Mon Feb 13 11:36:10 PST 2006
Scott Boone wrote:
>[ insert anecdotate about "why security through
> obscurity doesn't work" here ]
Actually, cryptography is merely "security through obscurity". The
only issue is the work factor involved.
It's perfectly reasonable, IMHO, to use precise timing correlation
filters vs. keyed sequence filters (e.g., PR sequences generated
algorithmically from a key that has relatively low entropy generated
from a 6-8 character mnemonic password) as the mechanism to raise the
There's no a priori reason that precisely controllable timing can't
generate high robustness against attacks. Remember that DDoS attacks,
for example, gain some of their power by synchronization, so limiting
the ability to synchronize collective action would raise the work factor
threshold for DDoS.
Reasoning by slogan is dangerous - that's more or less how we end up
with MD5 being viewed as "secure" as it was...
Or those who are ignorant of evanescent waves saying such boners as "you
can't tap optical fibers without detection because you have to break
them; you can't inject signals into optical fibers without detection
because that can only be done at the endpoints". Such scientific
ignorance provides no protection at all...
More information about the end2end-interest