Website: http://danielmiessler.com/
Original page: http://danielmiessler.com/blog/is-portknocking-real-security
You're an absolute saint for rolling around in piles of logic with people all the time. Sadly it never seems to stick to some people. They simply 'd|w'on't get it =(
You're absolutely correct about the merit of portknocking. We argued whether it was authentication or authorization when the paper was first published, but not whether or not it was part of security. Being two hard-headed, "security by philosophy" type people, that should've been your first clue you were right about it being valuable. For sure one of us would have been arguing that it's just a bad idea.
This guy's argument to you is that camouflage is ineffective. That all someone has to do is watch for you to put on your ghillie suit then follow where you move to. If someone is able to watch you do your knock sequence, you have more serious issues at hand.
Cheers,
-Dave
I remember reading an article on some hacker's challenge and a team wore all blue shirts and marched in with a lot of pomp. They were the first team crushed by the red team. Why? Because they stood out. Now the other teams were all slowly taken down, but my point is the one that drew the most attention was hit first.
The argument should be whether or not you choose to use security through obscurity, like you posted the other day. Just my two cents, a little extra security doesn't hurt.
I think part of the problem in security is some people are hellbent on saying there is no silver bullet to security, but then turn around and complain about everything that is not a silver bullet. If it adds to security but is not the silver bullet, it's useless, broken, and stupid. It's an odd little paradox some security folks have...
I would rather assume no security is absolute and instead put as many barriers between my crown jewels and the attackers. They need to earn it, and in the process I'm thwarting all the lesser attackers.