[Discuss] security through obscurity

[Richard Pieri]

On 3/28/2013 2:21 PM, Derek Martin wrote:
> This is nonsense.  A script kiddie will go away after at most a
> handful of meager attempts.  A well-informed, extremely determined

Wow. You utterly missed the point. When I say "assume an attacker will
get in" it's not a statement of fact. It's a statement of philosophy.
It's an assumption. I *HOPE* it's wrong. I *HOPE* that my perimeter
security is good enough to deter both the script kiddie and the pro. But
I still assume that it isn't because I know that I can't defend against
every conceivable attack and exploit.

I believe it was you who mentioned bank vaults. A public-facing server
isn't the vault. It isn't the contents of the vault. It's the door to
the bank lobby. I can't secure the front door anywhere near as well as I
can secure the vault. What I can do is rigorously control access between
the door and the vault. This is detection and containment. This is where
I detect the intruder, analyze the attack, and shut it down permanently.

If you think that hanging a curtain over the front door when the bank is
closed is any security at all then by all means do whatever makes you
feel better.

-- 
Rich P.