ISP customer assignments

Tue Oct 6 03:42:32 UTC 2009

On Mon, 05 Oct 2009 20:40:28 EDT, TJ said:
> Isn't this really a security by obscurity argument?  

No - security through obscurity is "security measures that only seem to work
because you hope the attacker doesn't know how they are implemented".  In
this case, making sure somebody else can't aggregate data about you is more
akin to making sure somebody else can't obtain your password.  In this case,
you're making it harder for the attacker because they *do* know how the
security measure works - if you're IP-address hopping or using RFC4191
privacy, then they know they have to find other means to do the tracking.

>                                                      Making it a bit harder
> for the attacker, relying on 'Eve' just not realizing who I am?

Actually, yes.  If you're the type of person that is careful not to accept
website cookies to prevent cross-session and even cross-website tracking,
you probably don't want to make it easy for Multi-click or whoever to do
their tracking by having an IP address that shouts "Hey I'm the same laptop
that was in the Starbuck's in Chicago last Tuesday".  That isn't making it
a little harder, it's making it a *lot* harder.

And there's something to be said for Eve just not realizing who I am - the only
reason my father's family made it to the US was because a Soviet border guard
didn't realize my grandfather was on a "take in the forest and shoot on sight"
list. So sometimes being able to keep Eve from making that correlation is
literally a life-or-death issue.

> Most of those concerns are in fact mitigated by a well implemented Privacy
> implementation 

Which is why I started off by mentioning RFC4191. ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20091005/a73c75b1/attachment.sig>