If you're using secure software, perhaps it's better to let people know so that they don't waste your bandwidth trying to break in.
Usually the "Security Through Obscurity" complaint is in response to the use of obscurity *instead of* security.
If you have a secure server, an attacker *cannot* break in. In this case, obscurity only increases the attack rate. If you're running OpenBSD 3.2 default install, and you let everyone know that you are running it, people won't bother trying to attack it.
If you're running the same server but make it claim to be Windows NT sp 3, people will constantly be tying up your bandwidth with attacks.
If you connect to the internet, there's no such thing as "concealing your address". If you are colocating your server with an ISP, or running your own small business, your IP is in the list of likely targets, and it takes an attacker less than 8 hours to scan that *entire range* from a residential broadband connection. You can't change your OS fingerprint, so if you're scanned and have a vulnerability, you will be broken into.
This is the same as making a lock that opens to any key, and not telling anyone. The lock is still insecure. But security components are different from security practices. Your locks should be secure, and nobody should know what make and model of locks you have. Your software should be secure, and nobody should know what software you use.
Say you are running Windows NT 4 service pack 3, and there's a script kiddie who knows about the IIS hole.
If you leave the server ID string as "IIS / NT 4" then the script kiddie will know he can exploit the known security hole in your server.
If you change it to "Apache / Red Hat 6.2", the script kiddie will port scan it for other vulnerabilities and not find an open Telnet or SSH port, realize it's not actually Red Hat, OS fingerprint it, discover that it's NT 4, and then he'll know he can exploit the known security hole in your server.
If you want to compare physical security to computer security, imagine the following: Everyone in the world is invisible and people are standing on every street corner handing out automatic lockpick guns (Picks any lock with less than 5 tumblers in no more than 0.17 seconds!).
Against a half-assed attacker, obscurity might discourage them.
Against a full-assed attacker, obscurity does nothing - they either already know about your methods of obscurity, never see them, or work around them faster than it took you to devise and implement them.
The problem with security through obscurity is that it makes the security methodology more complex without increasing the actual level of security, and it potentially confuses the issue of what exactly needs to be protected by real security methods.
This holds true in physical security systems only because your goal in most physical security systems is to discourage half-assed attackers. In computer security, you can't assume that you have half-assed attackers.
No, he should find a cryptographer and say "Hey, I've got this neat crypto scheme, can you take a look at it? Oh, BTW, I'm thinking of patenting it, so don't tell anyone how it works."
Actually, the scary fact of the matter is that in the EULA cases that *have* resolved through the court system, the courts have tended to uphold the EULAs.
In some states, laws have gone through that *explicitly* back software EULAs.
Now, they're pretty lame and should be ruled invalid, but that's not how the current legal situation is.
Most of the rest of what you list are just additions of common adjectives to one of those three.
Imagine a language that had the word "Canine", but no specific word for Wolf, Dog, or any of the various breeds of dogs. In a conversation about languages, someone could say "English has hundreds of words for canine" and someone could reply "So what, we have Big Canines, Little Canines, Fierce Canines, Yapping Canines, Wild Canines, etc."
No, Java will have other retarded security holes. The only programming language that you can be *sure* won't result in dumb security holes is VBScript running on Mosaic.
UML -> Brainfuck would be nigh-on impossible, but I do tend to agree that the best way to program in Brainfuck is to write a Something -> Brainfuck converter.
I could care less how much power my desktop PC's processor consumes... my mother's paying the electric bill at the moment anyway.
In a laptop, battery life = power available / power consumption. I want that processor to run on 4 milliwatts... so that my display and hard drive can eat the battery in 8 hours, not 2.5 hours like current Intel compatible laptops.
If an airplane fails, it's really easy to hold the manufacturer accountable. A couple hundred people may die, but that's not too bad as transportation accidents go. In any case, although *you* may not be able to check the airplane schematics yourself, the FAA can and does - and if the FAA screws up you can be *damn sure* that they will be held accountable.
If a voting system fails, especially in a potentially politically unstable country, it may be impossible to hold the manufacturer accountable, since the new *government* has reason to protect them, and it may be impossible for the failure to be discovered, much less publicised.
It shouldn't actually be too hard to write a compilation verifier. (Input source code and resulting binary, output GOOD if the binary does nothing that wouldn't be a reasonable compilation of the source code, otherwise output BAD.)
Alternatively the vote system can be written in raw assembly - which allows for really easy verification.
Because he doesn't prioritize playing games above other more important things he uses his computer for... such as his *job*, selling banner ads by ranting about Linux being mad 'leet.
Why would he want to split his email between a random Windows program and his comfy unix mail reader?
Re:Possession of a high resolution digital camcord on High Definition DVD (Score: 1)
In addition, the sale of digital video cameras will be permitted only to those people who have a legitimate reason to own one (scientific research, motion picture production, etc).
When Sony has to choose between selling their personal electronics (which they have the best brand recognition for) and questionable copy protection for their crappy movies, I'm betting that Sony will be on *our* side.
It may be bullshit, but there is nothing which prohibits copyright holders from limiting use of the material. Authors are not required to translate books into multiple languages nor are they required to allow any third party to offer this service. If they want to write their book in hieroglyphics they may do so and no one may translate the material and distribute these translations.
But if some buyer of the book happens to have an automatic translation device, he can use it to read his own copy of the book.
How many of the major programs used on NT are old VMS programs that now also target NT as a compilation platform?
How close is NT to still being VMS?
How close is Linux to still being Unix?
Because the government will never do anything.
Why are software patents even useful?
As these things go, we've got a couple of symmetric algorithms that are considered pretty well understood: DES, 3DES, Blowfish, IDEA
And we have at least one public key algorithm that's considered *very* well understood: RSA
If the licence says "People who have dyed their hair green may not use our product", then you can't use their product if you have dyed green hair.
Umm... I'm afraid I disagree with your stated opinion.
Parsing that, I show 3 words for "Rain":
Drizzle, Rain, and Downpour
http://tmo.jpl.nasa.gov/tmo/progress_report/42-131/131D.pdf
Not processors for commodity desktop computer systems.
Just having a licence doesn't protect them from having potentially broken this law... just from being charged with it.