Update to BCP-38?

• Previous message (by thread): Update to BCP-38?
• Next message (by thread): Update to BCP-38?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Friday, 4 October, 2019 16:05, William Herrin <bill at herrin.us> wrote:

>On Thu, Oct 3, 2019 at 2:28 PM Keith Medcalf <kmedcalf at dessus.com> wrote:

>> On Thursday, 3 October, 2019 11:50, Fred Baker <fredbaker.ietf at gmail.com> wrote:

>>> A security geek would be all over me - "too many clues!".

>> Anyone who says something like that is not a "security geek".  They
>> are a "security poser", interested primarily in "security by obscurity"
>> and "security theatre", and have no clue what they are talking about.

> It's called "operations security" or "OPSEC." The idea is that from lots
> of pieces of insignificant information, an adversary can derive or infer
> more important information you'd like to deny to him. There's a 5-step
> process used by the U.S. Military but the TL;DR version is: if you don't
> have to reveal something, don't.

You and I have completely different opinions of how security works.  In my world, security must continue to be effective even in the face of an adversary that knows everything there is to know about what is being attacked (except for some authentication secrets, which of course need to be kept secret).

If the attacker does not already have that information, then obtaining it is usually a rather trivial reconnaissance operation.  The job of "securing" something means to make it impervious to outside influence -- it is the other side of the "safety" coin -- and Safety and Security go hand in hand.  

Security based on keeping something which is trivial to discover secret is trivial security and can still be trivially bypassed.

It is telling that of the thousands of "ransomware attacks" that occur each second, only 617 have been successful so far this year.  Those victims probably relied on keeping something secret that did not matter.  In other words, they expended effort on the wrong things -- their analysis of risk was inherently flawed.

Can you provide a scenario in which knowledge of the VLAN number is a vulnerability that can be exploited?  And if you can find one, is there a more effective way to prevent that exploit that will work even if the attacker knows the VLAN number?  Would it not be more effective to implement that measure than simply using trivial means (that are trivial to defeat) to hide the VLAN number?  This does not mean that you need to publish the VLAN numbers on Facebook for all to see, merely that knowledge of that fact is now irrelevant, and that even if the someone posted the VLAN numbers on Facebook for all to see, then that would not be helpful to the adversary.

>IMO, anyone who thinks the folks who developed OPSEC don't have a clue is
>the one I find wanting.

Opinions vary.  That is the nature of opinion.

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.

• Previous message (by thread): Update to BCP-38?
• Next message (by thread): Update to BCP-38?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]