CNET: Decrypting the Secret to Strong Security
Whitfield Diffie reiterates in this article what everyone in the security field should now by now, but unfortunately to few people obide buy.
It's simply unrealistic to depend on secrecy for security in computer software. You may be able to keep the exact workings of the program out of general circulation, but can you prevent the code from being reverse-engineered by serious opponents? Probably not.
Diffe, Schneier and just about everyone else who knows anything about this field are constantly forced to reiterate this, because it goes against common human gut reactions. I cant remember the name of the first person to realise this, but if memory serves me right a French cryptographer stated these rules over 100 years ago.
Even NSA are releasing software for public review and use for god sake.
I think the real problem is that people are scared of truely identifying the security problems they have in their software.
Just remember though that the default installations of many linux distributions are often as or even more flawed than windows installations. Java offers support for advanced security in your applications, but it's not automatic security for your applications.
This entry was posted in the following Categories: Crypto & Security
I have had many fights, with people in Panamá and from other countries, trying to explain them that Windows isn't more secure than Linux, just because Windows is closed source.
Talking about Diffie, or Schneier, to suport the famous sentence "security through obscurity is a fallacy" doesn't helps... most people don't know those names, they just know that they paid $$$$lots for Windows, so it obviously is more secure than some free OS you can read the source from.
Posted by: Ramsés Morales on January 16, 2003 04:36 PMThis is almost always the case. Which ever cost the most, must be the best.
Luckily things are changing. Linux is getting easier and cheaper to deploy while NT/2K/XP are actually getting more secure.
As with anything it's all about configuration. You can setup very good strong NT based corporate networks if you have guys who know what they're doing. Unfortunately most dont.
In many cases actually us techno geeks are at fault. For example if you work in an office with windows and you know what you're doing you want Administrator rights or at least be able to do some things.
So in many cases we might unconciously look the other way and not make NT networks as secure as they could be, because it would be inconvenient for us. ;-)
-P
pyaolts bhde.
Posted by: Alan on December 28, 2004 03:22 PM