samba hide shares

Von Fugal von at fugal.net
Tue Sep 14 21:57:45 MDT 2010


<quote name="Levi Pearson" date="Tue, 14 Sep 2010 at 12:01 -0600">
> On Mon, Sep 13, 2010 at 11:53 PM, Von Fugal <von at fugal.net> wrote:
> 
> You seem to have snipped my first paragraph, in which I explain why
> arguing against a "first rule of security" standing by itself is
> pointless, as such phrases do not offer much information by
> themselves.  Let me illustrate my point by presenting a simple
> 'security plan' by extending the analogy presented in the OP:

It made my point anyway, that there is no first rule of security. To say
there is one, and to say it is to use obscurity, is folly.

> <example security plan>
> ...
> </example security plan>

As I said, I have no problem with a plan that uses obscurity in context.

> ...
>
> You took a phrase that could mean multiple things depending on context
> ("The first rule of security is 'Don't show the thief where the doors
> are'") and rewrote it to resemble a common security bugbear ("The
> first rule of security is 'security by obscurity'"), thereby
> significantly narrowing possible interpretations.  You then claimed
> that the policy represented was disastrous.  In doing this, you did a
> number of things:

Ok, tell me how "don't show the thief where the doors are" is different
than security by obscurity. That's what it *means*. "Security by
obscurity" is the more general umbrella, the doors thing is a more
specific and metaphorical example. Whatever. Not showing where the doors
are is obscuring. That's simple definition. That's OK, because as I've
said many times now, I don't have a problem with obscuring per se. I
just pointed out it's not wise to tout it as a 'first rule'.

> 1. You chose the worst possible interpretation of the phrase.

I interpret the phrase as meaning to use obscurity. I don't see how it
can be interpreted otherwise. I don't have a problem with that per se, I
have a problem with the "first rule of security" part of it.

> 2. You created a straw man by rewriting the phrase in light of your
> interpretation.

You created a straw man by putting words in my mouth. I never attacked a
specific policy. I never said it was bad to use obscurity. I said it is
not a good general first rule.

> 3. You denounced the straw man as a disastrous security policy.

This is your straw man. I said nothing of the policy other than using
the word 'policy' which I already apologized for as a poor word choice.

> 4. You insinuated that Merrill was incompetent by claiming he was
> espousing and advocating your straw man.

I didn't mean to call him incompetent. I'm sorry if you interpreted it
that way. I'm more sorry if Merrill interpreted it that way. Yeah, I
guess my words could have come off as a little harsh. I did not mean it
that way. I just wanted to point out that "security by obscurity" is, in
fact, looked down on in security circles, when used as "a first rule".
Again, your documented policy can start out with that, whatever. There's
a difference between a first rule and a first bullet point in an
outline. IMO, there are other things that should always take precedence
over obscuring. Maybe those things are already in place sine qua non.
All other things equal, obscurity strengthens overall security.

Obscurity is fine in context.
Obscurity is fine in context.
Obscurity is fine in context.
*breath*

I think it is a poor choice for a first rule. That doesn't mean I'll
pounce on anyone that has it at the top of a plan.

> This was both poor argument practice and rude behavior.

I regret you found it so.

To recap, the phrase was "The first rule of security is '...'" This
implies a generalized and overarching relevance to any security
application. This is not so. I'm only trying to teach here. I really am
sorry if anyone finds it rude.

Finally, if I *had* to pin down a first rule of security, I would say it
is "mind your weakest link."

Von Fugal
-- 
Government is a disease that masquerades as its own cure
-- Robert Lefevre