Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!newshost.telstra.net!act.news.telstra.net!psgrain!nntp.cs.ubc.ca!newsxfer.itd.umich.edu!news.mathworks.com!news.kei.com!bloom-beacon.mit.edu!senator-bedfellow.mit.edu!glacier.MIT.EDU!ghudson
From: ghudson@mit.edu (Greg Hudson)
Newsgroups: comp.os.linux.misc,comp.os.linux.development.system,comp.os.linux.networking,comp.unix.bsd.bsdi.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.freebsd.misc
Subject: Re: need secure OS to entrust millions to
Followup-To: comp.os.linux.misc,comp.os.linux.development.system,comp.os.linux.networking,comp.unix.bsd.bsdi.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.freebsd.misc
Date: 5 Mar 1996 16:13:21 GMT
Organization: Massachvsetts Institvte of Technology
Lines: 27
Message-ID: <4hhp71$cv9@senator-bedfellow.MIT.EDU>
References: <4gi6t6$3h9@lace.colorado.edu> <nc0453Dn96w6.93F@netcom.com>
NNTP-Posting-Host: glacier.mit.edu
X-Newsreader: TIN [version 1.2 PL2]
Xref: euryale.cc.adfa.oz.au comp.os.linux.misc:90118 comp.os.linux.development.system:18728 comp.os.linux.networking:30718 comp.unix.bsd.bsdi.misc:2553 comp.unix.bsd.netbsd.misc:2390 comp.unix.bsd.freebsd.misc:14928

ghudson@mit.edu (Greg Hudson) writes:
] It's disappointing that some people still think that security through
] obscurity is a net gain.

Terry Lambert <terry@lambert.org> writes:
: Public key cryptography (RSA, et al.) is the ultimate in
: security through obscurity. People trust it every day.

As I'm sure you're perfectly aware, "security through obscurity" refers to the practice of assuming that enemies will not be able to exploit flaws in your security system because they do not know the algorithms you use. "Security through obscurity" does not refer to the practice of assigning private information to users and services.

RSA as a cryptosystem has been subject to extensive academic review. We know its weaknesses and we know how to avoid being subject to them. (We also know cryptosystems which provably don't share most of its weaknesses, but they haven't been subject to the same level of review.) In short, we know that if we can address the key management problem, we have a very good idea (comparatively) of what the risks are of an attacker being able to read things we send over the net using RSA.

What do we know about a proprietary operating system's risks? Nothing.

I expected more from you than argument by unconventional definition, Terry.