Security through obscurity

0x0ece
Posts: 1
Joined: Sat Sep 29, 2018 6:02 pm UTC

Security through obscurity

Postby 0x0ece » Sat Sep 29, 2018 6:05 pm UTC

Question to instigate a new security comic: how come everybody in software rejects security through obscurity, but not in hardware?

Thesh
Made to Fuck Dinosaurs
Posts: 6327
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: Security through obscurity

Postby Thesh » Sun Sep 30, 2018 2:00 am UTC

What makes you say that they don't? The math behind cryptography doesn't care if it's hardware or software.
Summum ius, summa iniuria.

hotaru
Posts: 1042
Joined: Fri Apr 13, 2007 6:54 pm UTC

Re: Security through obscurity

Postby hotaru » Sun Sep 30, 2018 6:14 pm UTC

Thesh wrote: What makes you say that they don't? The math behind cryptography doesn't care if it's hardware or software.

a lot of hardware relies on obscurity instead of cryptography (unsigned firmware updates, relying on not labeling pins to keep people out of powerful debugging interfaces, etc.). the math behind cryptography doesn't do anything for you if you don't use it.

factorial product enumFromTo 1
isPrime n 
factorial (1) `mod== 1

Thesh
Made to Fuck Dinosaurs
Posts: 6327
Joined: Tue Jan 12, 2010 1:55 am UTC
Location: Colorado

Re: Security through obscurity

Postby Thesh » Sun Sep 30, 2018 7:06 pm UTC

The same is true of software. Developers in general do not really study security, and it's common for them to rely on their software being closed source for security.
Summum ius, summa iniuria.

wumpus
Posts: 533
Joined: Thu Feb 21, 2008 12:16 am UTC

Re: Security through obscurity

Postby wumpus » Wed Oct 24, 2018 6:04 pm UTC

0x0ece wrote: Question to instigate a new security comic: how come everybody in software rejects security through obscurity, but not in hardware?


I'm not sure what the issue is. Are you suggesting that something like a router might be shipped with a hardcoded admin password? And since the software in question is "burned in ROM" (or at least shipped in flash) it counts as hardware?

Or are you suggesting that there exist JTAG ports that might be available on chip, and they allow for all sorts of evilness? That seems to come under the "attacker has physical access". In general physical access means you can own the machine, no question. It is hard enough to imagine trying to keep out somebody who can adjust I/O ports, reset switches, etc. But trying to keep out somebody with a soldering iron and an oscilloscope is essentially impossible.

Sizik
Posts: 1224
Joined: Wed Aug 27, 2008 3:48 am UTC

Re: Security through obscurity

Postby Sizik » Wed Oct 24, 2018 6:20 pm UTC

wumpus wrote: But trying to keep out somebody with a soldering iron and an oscilloscope is essentially impossible.


You can probably beat that by putting everything inside the processor itself (can't trace what you can't see without destroying the thing itself), but even that has its limits.
gmalivuk wrote:
King Author wrote: If space (rather, distance) is an illusion, it'd be possible for one meta-me to experience both bodies' sensory inputs.
Yes. And if wishes were horses, wishing wells would fill up very quickly with drowned horses.

hotaru
Posts: 1042
Joined: Fri Apr 13, 2007 6:54 pm UTC

Re: Security through obscurity

Postby hotaru » Wed Oct 24, 2018 7:19 pm UTC

wumpus wrote: But trying to keep out somebody with a soldering iron and an oscilloscope is essentially impossible.

keeping out someone with a soldering iron and an oscilloscope is essentially impossible, but that doesn't mean you should just connect the chip's JTAG interface to an external port and assume no one will use it just because you didn't document what that port does. someone opening up a device to attach something to the board is a lot easier to detect and stop than someone just plugging something into a port on the outside of the device.

factorial product enumFromTo 1
isPrime n 
factorial (1) `mod== 1

