Archive for June 9th, 2006

I misspoke in the Network Security Podcast

June 9th, 2006 Michael Farnum

I finally got around to listening to episode 30 of Martin McKeay’s Network Security Podcast where he and I discussed numerous things. I am pleased with the results, and I look forward to hearing next week’s podcast as well.

But I didn’t post this to talk about my melodious voice (yeah, right – more like my rambling, hick-accented voice). I am posting to correct a mistake. One topic we discussed was the post at Spire Security about the VA data theft not being as big a deal as everyone thinks because of the high number of records that were on the laptop. If you have listened to the podcast, I said that it upset me that Ira Winkler agreed with the post. It wasn’t Ira Winkler that agreed with the post. It was Mike Rothman. He posted about it here. I wanted to clear that up.

Now, I know Mike reads my blog, and I am sure he understands that everyone is going to disagree, so I am posting this with confidence that he will continue to read my blog after this post.  If he stops reading my blog, I will dig up even older pictures of him from the Internet. :)

Vet

Categories: Pre-Categories

Another insight on security by obscurity

June 9th, 2006 Michael Farnum

I recently posted on security by obscurity, and Martin McKeay and I discussed it on his most recent podcast. After taking issue with Mike Fratto’s point of view, I now find myself in the position of putting my security where my mouth is, so to speak.

Here’s the deal: I have not posted for the last couple of days because I have had a vendor on site doing a proof of concept. This is a security-related vendor, and I am seriously considering using their product. I like their product so much that I considered posting a review of the product. This is where the problem lies. How can I post a review on their product without letting everyone know that I am considering using their product? If I let everyone know that I am considering using their product, it could give a possible attacker an attack vector by giving them information on my security infrastructure. Also, this vendor has included in their contract that they want a press release done when the contract is signed. Not a good idea from my S-B-O viewpoint.

Then, I realized that I needed to confess that I had violated this same principle a couple of times in the last few months. I have posted about some of my security infrastructure in this blog (I recently deleted the post – though there are probably clues that I am not aware of). Also, I recently did an interview with a company about a product of theirs I had purchased. I won’t say here what the product is (the interview has not been published yet), but a determined attacker will eventually be able to find this and possibly use it to their advantage. It is not an integral part of my protection plan, but it can hurt me in a small way. And my take is that giving ANY information to a potential attacker is not good, no matter how small.

So I am human, and I make mistakes, but I still hold to the principle of S-B-O, at least in the sense of not giving out information that may help an attacker.

In the podcast mentioned above, Martin McKeay held that security by obscurity from a vendor’s point of view is not good (like in the case of a proprietary encryption protocol not being a good idea because it is not tested in the public arena, thus it likely has not been tested for weaknesses adequately), and I agree with that view. Basically, it goes to prove my point that S-B-O can be defined in many ways. You just have to figure out which definition applies to you and whether or not it is a good idea in that scope. AND you have to be very careful if you are going to expose yourself to the world like I am doing with this blog.

Vet

Categories: Pre-Categories