<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>security through obscurity</title><link rel="stylesheet" href="../../jargon.css" type="text/css"/><meta name="generator" content="DocBook XSL Stylesheets V1.61.0"/><link rel="home" href="../index.html" title="The Jargon File"/><link rel="up" href="../S.html" title="S"/><link rel="previous" href="secondary-damage.html" title="secondary damage"/><link rel="next" href="SED.html" title="SED"/></head><body><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">security through obscurity</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="secondary-damage.html">Prev</a>&#160;</td><th width="60%" align="center">S</th><td width="20%" align="right">&#160;<a accesskey="n" href="SED.html">Next</a></td></tr></table><hr/></div><dt><a id="security-through-obscurity"/><dt xmlns="" id="security-through-obscurity"><b>security through obscurity</b></dt></dt><dd><p> (alt.: <span class="firstterm">security by obscurity</span>)
A term applied by hackers to most OS vendors' favorite way of coping with
security holes — namely, ignoring them, documenting neither any known
holes nor the underlying security algorithms, trusting that nobody will
find out about them and that people who do find out about them won't
exploit them. This “<span class="quote">strategy</span>” never works for long and
occasionally sets the world up for debacles like the
<a href="../R/RTM.html"><i class="glossterm">RTM</i></a> worm of 1988 (see
<a href="../G/Great-Worm.html"><i class="glossterm">Great Worm</i></a>), but once the brief moments of panic created by such
events subside most vendors are all too willing to turn over and go back to
sleep. After all, actually fixing the bugs would siphon off the resources
needed to implement the next user-interface frill on marketing's wish list
— and besides, if they started fixing security bugs customers might
begin to <span class="emphasis"><em>expect</em></span> it and imagine that their warranties
of merchantability gave them some sort of <span class="emphasis"><em>right</em></span> to a
system with fewer holes in it than a shotgunned Swiss cheese, and
<span class="emphasis"><em>then</em></span> where would we be?</p></dd><dd><p>Historical note: There are conflicting stories about the origin of
this term. It has been claimed that it was first used in the Usenet
newsgroup <tt class="systemitem">comp.sys.apollo</tt> during
a campaign to get HP/Apollo to fix security problems in its
Unix-<a href="../C/clone.html"><i class="glossterm">clone</i></a> Aegis/DomainOS (they didn't change a
thing). <a href="../I/ITS.html"><i class="glossterm">ITS</i></a> fans, on the other hand, say it was
coined years earlier in opposition to the incredibly paranoid
<a href="../M/Multics.html"><i class="glossterm">Multics</i></a> people down the hall, for whom security was
everything. In the ITS culture it referred to (1) the fact that by the
time a tourist figured out how to make trouble he'd generally gotten over
the urge to make it, because he felt part of the community; and (2)
(self-mockingly) the poor coverage of the documentation and obscurity of
many commands. One instance of <span class="emphasis"><em>deliberate</em></span> security
through obscurity is recorded; the command to allow patching the running
ITS system (escape escape control-R) echoed as $$^D. If you actually typed
alt alt ^D, that set a flag that would prevent patching the system even if
you later got it right.</p></dd><div class="navfooter"><hr/><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="secondary-damage.html">Prev</a>&#160;</td><td width="20%" align="center"><a accesskey="u" href="../S.html">Up</a></td><td width="40%" align="right">&#160;<a accesskey="n" href="SED.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">secondary damage&#160;</td><td width="20%" align="center"><a accesskey="h" href="../index.html">Home</a></td><td width="40%" align="right" valign="top">&#160;SED</td></tr></table></div></body></html>