samba hide shares

Levi Pearson levipearson at gmail.com
Tue Sep 14 12:01:17 MDT 2010


On Mon, Sep 13, 2010 at 11:53 PM, Von Fugal <von at fugal.net> wrote:
> <snip/>
>> In this case, he's clearly got other security measures in place
>> (described in the immediately preceding line, even!), and hiding the
>> secured shares is likely to decrease the incidence of random or
>> opportunistic attacks, so his actual policy is not disastrous at all.
>> Calling his policy 'disastrous' is uncalled for when it's clearly not
>> disastrous.
>
> And I clearly mentioned that obscurity is a perfectly valid part of an
> overall security plan. What I called disastrous was not any particular
> security plan and not his. What I called disastrous was "the first rule
> of security is obscurity". And I stand by it. Ya, I called it a
> disastrous policy. Not the best choice of words on my part. It's a
> disastrous axiom. How's that?

You seem to have snipped my first paragraph, in which I explain why
arguing against a "first rule of security" standing by itself is
pointless, as such phrases do not offer much information by
themselves.  Let me illustrate my point by presenting a simple
'security plan' by extending the analogy presented in the OP:

<example security plan>
The first rule is "Don't show the thief where the doors are".  A
proper defense plan is multi-tiered, and a proper first-line of
defense is to avoid advertising to potential ne'er-do-wells that there
is in fact something to steal.  This first step will stop the majority
of casual crimes of opportunity, which are all that most of us will
ever have to deal with.

The second rule is "Don't leave the doors unlocked".  If, for some
reason, someone has chosen you as a target for theft, they will
probably be persistent enough to find your doors.  Leaving your hidden
doors unlocked will leave you vulnerable to anyone who specifically
targets you, or even some unlikely malevolent passerby that happens to
find them.

The third rule is "Don't limit your security to the doors".  There are
probably a lot of windows, too, that could be exploited to gain access
to your belongings.
</example security plan>

In this case, the "first rule" makes sense in context; it is the
first-line defense, meant to avoid intrusion attempts rather than
prevent them, and is not meant to be the all-encompassing theme of the
system.  This example invalidates the claim that "The first rule of
security is 'Don't show the thief where the doors are'" necessarily
represents a disastrous policy by presenting a non-disastrous
counterexample that includes it.  I think this example is likely to be
along the lines of what Merrill was thinking, given the fact that his
"first rule" followed information about how he had passwords set up,
but I don't really have any way of knowing.  This illuminates my point
that calling him out on it in such harsh terms, without further
information about what he actually meant by it, was not called for.

You took a phrase that could mean multiple things depending on context
("The first rule of security is 'Don't show the thief where the doors
are'") and rewrote it to resemble a common security bugbear ("The
first rule of security is 'security by obscurity'"), thereby
significantly narrowing possible interpretations.  You then claimed
that the policy represented was disastrous.  In doing this, you did a
number of things:

1. You chose the worst possible interpretation of the phrase.
2. You created a straw man by rewriting the phrase in light of your
interpretation.
3. You denounced the straw man as a disastrous security policy.
4. You insinuated that Merrill was incompetent by claiming he was
espousing and advocating your straw man.

This was both poor argument practice and rude behavior.

        --Levi
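The three rules in the example plan map directly onto Samba share options, which is what the thread's subject is about. The following is an added illustration, not part of Levi's post or of any configuration anyone in the thread described; the share name `finance`, the path `/srv/finance`, the Unix group `finance` and the network `192.0.2.0/24` are assumed for the sake of the example.

```ini
# Added example (not from the thread): two share definitions for a hypothetical
# "finance" share. Share name, path, group and subnet are assumptions.
# Samba only honours comments on their own line, so none are placed inline.

# Rule 1 only: the share is hidden but the door is unlocked.
# It disappears from "smbclient -L //server -N", yet anyone who guesses or
# learns the name can still connect with "smbclient //server/finance-hidden-only -N"
# (assuming guest mapping is enabled in [global]).
[finance-hidden-only]
    path = /srv/finance
    browseable = no
    guest ok = yes
    read only = yes

# Rules 1-3 together: hidden, locked, and the windows covered.
[finance]
    path = /srv/finance
    # rule 1: not advertised in browse lists
    browseable = no
    # rule 2: no anonymous access, and only members of the finance group
    guest ok = no
    valid users = @finance
    read only = no
    # rule 3: reachable only from the office network, regardless of credentials
    hosts allow = 192.0.2.0/24
    hosts deny = ALL
```

To check it, run `testparm -s` to confirm the file parses, then `smbclient -L //server -N`: neither share is listed. The difference shows when a name is known: `smbclient //server/finance-hidden-only -N` connects anonymously, while `smbclient //server/finance -U alice` succeeds only for a member of the `finance` group connecting from the allowed network. Hiding reduced the listing; the lock and the network restriction are what actually keep the thief out.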


More information about the PLUG mailing list