[Klug-general] The only security is obscurity

Stuart Buckland stuart at nightime.org.uk
Wed Jan 16 07:21:33 GMT 2008


On Wed, 2008-01-16 at 00:19 +0000, Stephen Ryan wrote:
> After a long discussion regarding the relative merits and demerits of
> PC security and Bill Gates' contribution, I'd like to ask anyone out
> there (especially Stu):
>  
> Not to give any information out about any of your specific clients.
> Just in case they become a target. 

I take a small amount of offence at the implication that I would give
out compromising information.  I don't take a lot of offence as I'm
aware you don't know a great deal about me, what I do for a living, my
motivations for doing it or my beliefs.

>  
> This isn't a threat - I say it simply to prove that the only reason
> why everyone feels so safe out there is that they are generally
> sufficiently obscure and hidden enough - not to become a target. 

That certainly isn't true.  While obscurity is a component of system
security it is not a major contributor.  The last thing any business wants
to be considered is obscure in the marketplace.  All but a handful of
organisations I've worked for in the past 15 years are FTSE 100
companies.  Hardly what anyone would call obscure.

>  
> This might seem like an off topic issue - but believe me it affects us
> all. You don't like FUD - well maybe you haven't felt any of the
> reality yet.
>  
> Whatever anyone says - PC software and the industry it supports is
> inherently flaky - and that has an impact on everything from ensuring
> business integrity to maintaining our children's data to personal
> citizens' records held by the Inland Revenue.

The repeated data losses experienced by HMRC were the results of
ignorance and stupidity.  It could even be argued the only reason HMRC
lost the CDs containing the child benefit database was because their
system security was pretty good.  The events demonstrate quite clearly
that no matter how secure a particular system may be all it takes is a
couple of really stupid decisions made by ignorant people to render all
of that system security useless.
 
> A major rethink of the computing security paradigm by those who can
> and will help is essential.
>  

It's one thing calling for a rethink but if you really want to get the
ball rolling you'll need to detail what is flawed about the current
situation and propose alternatives.


-- 
Stuart Buckland <stuart at nightime.org.uk>



