2014-04-26 10:52:28 -04:00
security through obscurity
(alt.: security by obscurity) A term applied by hackers to most OS vendors' favorite way of coping with security holes, namely: ignoring them, documenting neither any known holes nor the underlying security algorithms, and trusting that nobody will find out about them and that people who do find out about them won't exploit them. This strategy never works for long and occasionally sets the world up for debacles like the RTM worm of 1988 (see Great Worm), but once the brief moments of panic created by such events subside, most vendors are all too willing to turn over and go back to sleep. After all, actually fixing the bugs would siphon off the resources needed to implement the next user-interface frill on marketing's wish list, and besides, if they started fixing security bugs customers might begin to expect it and imagine that their warranties of merchantability gave them some sort of right to a system with fewer holes in it than a shotgunned Swiss cheese, and then where would we be?

Historical note: There are conflicting stories about the origin of this term. It has been claimed that it was first used in the Usenet newsgroup comp.sys.apollo during a campaign to get HP/Apollo to fix security problems in its Unix-clone Aegis/DomainOS (they didn't change a thing). ITS fans, on the other hand, say it was coined years earlier in opposition to the incredibly paranoid Multics people down the hall, for whom security was everything. In the ITS culture it referred to (1) the fact that by the time a tourist figured out how to make trouble he'd generally gotten over the urge to make it, because he felt part of the community; and (2) (self-mockingly) the poor coverage of the documentation and obscurity of many commands. One instance of deliberate security through obscurity is recorded: the command to allow patching the running ITS system (escape escape control-R) echoed as $$^D. If you actually typed alt alt ^D, that set a flag that would prevent patching the system even if you later got it right.