samba hide shares

Levi Pearson levipearson at gmail.com
Tue Sep 14 23:41:15 MDT 2010


On Tue, Sep 14, 2010 at 9:57 PM, Von Fugal <von at fugal.net> wrote:
> <quote name="Levi Pearson" date="Tue, 14 Sep 2010 at 12:01 -0600">
>> On Mon, Sep 13, 2010 at 11:53 PM, Von Fugal <von at fugal.net> wrote:
>>
>> You seem to have snipped my first paragraph, in which I explain why
>> arguing against a "first rule of security" standing by itself is
>> pointless, as such phrases do not offer much information by
>> themselves.  Let me illustrate my point by presenting a simple
>> 'security plan' by extending the analogy presented in the OP:
>
> It made my point anyway, that there is no first rule of security. To say
> there is one, and to say it is to use obscurity, is folly.

It didn't make your point, it made *my* point, and you seem to have
misunderstood me.  We're making different points, apparently, because
you still insist that "the first rule of security" has some sort of
meaning by itself that can be argued against.

> Ok, tell me how "don't show the thief where the doors are" is different
> than security by obscurity. That's what it *means*. "Security by
> obscurity" is the more general umbrella, the doors thing is a more
> specific and metaphorical example. Whatever. Not showing where the doors
> are is obscuring. That's simple definition. That's OK, because as I've
> said many times now, I don't have a problem with obscuring per se. I
> just pointed out it's not wise to tout it as a 'first rule'.

Besides having explicit meanings, words and phrases also have
connotations, i.e. secondary meanings given to them by cultural
association, etc.  The phrase "security by obscurity", as you noted,
has a lot of negative connotations that arise from a long debate in
the security community originally dealing with whether keeping
cryptographic algorithms secret was a valid form of security.  A
Caesar Cipher only works if the algorithm is kept secret, so it is
"security by obscurity".  Since all cryptographic algorithms rely on
something being obscured, "security by obscurity" by connotation means
that obscurity is the primary means of security, as opposed to the
strength of a cryptographic algorithm.  "Don't show the thief where
the doors are" has no such connotation of primacy.

>> 1. You chose the worst possible interpretation of the phrase.
>
> I interpret the phrase as meaning to use obscurity. I don't see how it
> can be interpreted otherwise. I don't have a problem with that per se, I
> have a problem with the "first rule of security" part of it.

Your interpretation of "the first rule of security" is what I have a
problem with.  I mean, does the phrase "The first rule of Fight Club
is you don't talk about Fight Club" mean that Fight Club is primarily
focused on not talking about itself?  Clearly not--it's just a first
rule, and without knowing more there's no real way to know if being
the "first rule" has anything to do with its general importance
relative to other ones.

> You created a straw man by putting words in my mouth. I never attacked a
> specific policy. I never said it was bad to use obscurity. I said it is
> not a good general first rule.

Merrill said:
> I believe the first rule of security is "Don't show the thief where
> the doors are."

You said, in reply:
> That is a disastrous policy. "Security by obscurity" it is often called, ...

That looks like an attack on a specific policy to me.  If you don't
want to be misunderstood in that way, you should be more clear and
less abrasive.

I made no straw man.  You clearly interpreted the phrase "The first
rule of security is..." to mean that obscurity was the most important
principle of security, and then you slagged it.  The notion that
obscurity is the most important principle of security is indeed worthy
of rebuke, but you committed an error in associating that notion with
Merrill's phrase.  There was not enough information to make a positive
association, and indeed his previous line stating that he had
passwords in place already was a clear indication that Merrill did not
believe that obscurity was the most important principle of security.

I thought I spelled out my identification of your straw man pretty
explicitly, but hopefully it is more clear this time.

> Obscurity is fine in context.
> Obscurity is fine in context.
> Obscurity is fine in context.
> *breath*
>
> I think it is a poor choice for a first rule. That doesn't mean I'll
> pounce on anyone that has it at the top of a plan.

But the only thing that 'The first rule of ...' necessarily means is
that it is on the top of a list.  The significance of that top
position varies depending on the list, which was not given in this
case.  It might mean the most important, it might mean the first
chronologically, it might mean the first that an attacker would
encounter.  You assumed, unreasonably so, that it meant that obscurity
was the most important principle.  I demonstrated already (in two
different ways now) how this does not have to be the case.

> To recap, the phrase was "The first rule of security is '...'" This
> implies a generalized and overarching relevance to any security
> application. This is not so. I'm only trying to teach here. I really am
> sorry if anyone finds it rude.

No, it does not necessarily imply that, as I have amply demonstrated.
A note to remember for future 'teaching moments': Trying to teach
people by assuming they meant something that they probably didn't mean
and then telling them they were disastrously wrong is not usually very
effective.  It usually helps to ask non-confrontational questions
first to clarify what they really mean.

> Finally, if I *had* to pin down a first rule of security, I would say it
> is "mind your weakest link."

Welcome to the ranks of those who have released their security maxims
into the world.  I'm sure it's good advice in the proper context.

        --Levi


More information about the PLUG mailing list