A Clueful Interview

If you have ten minutes and want to be genuinely more informed when it's over, read Federico Biancuzzi's excellent interview of Nate Lawson titled Racing Against Reversers. I found this comment interesting:

Q: It sounds as if security through obscurity has some admirers among the DRM designers. What is the role of "secrets" in a DRM system?

A: In software protection, obscurity is everything. You're ultimately depending on the attacker to not be able to just "see" the key or how the protection works. That sounds weak and against normal security principles but actually works quite well in practice, if you're good at it.

I think that insight echoes what I said in Fight to Your Strengths last year:

Apparently several people with a lot of free time have been vigorously arguing that "security through obscurity" is bad in all its forms, period. I don't think any rational security professional would argue that relying only upon security through obscurity is a sound security policy. However, integrating security through obscurity with other measures can help force an intruder to fight your fight.

Don't get hung up on the obscurity issue if you disagree, however. The interview is awesome.


dre said…
Um... I think the point is that "security through obscurity" is not for newbies or intermediate-level people. In other words, unless you have 20 years of hard-core experience with assembly, then you can forget about security through obscurity and concentrate on something else.
In other news, the U.S. military announced today that due to new and unprecedented confidence in its defensive capabilities, it will be immediately abandoning the tried standard of camouflaged and stealth equipment in favor of new and bright orange hunting gear, and obnoxiously beaconing airplanes!!

