[Discuss] security through obscurity

[Richard Pieri]

On 3/28/2013 7:01 PM, Derek Martin wrote:
> I utterly did not.  I addressed that directly, in the part you didn't

No. You did miss it.

In my model I'm less concerned if an intruder exploits a zero-day
vulnerability in mod_ssl than you are. Said intruder is trapped in the
DMZ between web server and whatever is behind it. Yes, he's compromised
a web server but that's ALL that he's compromised. And once any
anomalous activity is detected I can shut him down, identify how he got
in, close that off, and swap in a clean and fixed server.

I'm not ignoring perimeter security. It's best if attackers don't get in
at all. But I'm not one for relying on the chance that some misdirection
will prevent intrusion. I'm not one for relying on the chance that
someone will spot the attempts before they succeed. Chance, by
definition, is not reliable.

As for the secret escape routes? Those aren't perimeter security. There
a last resort when everything else has failed and the alternative is
death or capture. And historically, they're not particularly reliable.

-- 
Rich P.