begin  quoting Todd Walton as of Thu, Jan 25, 2007 at 03:49:26PM -0600:
> On 1/25/07, Carl Lowenstein <[EMAIL PROTECTED]> wrote:
> >Isn't this just "security by obscurity" which isn't much security at
> >all.  It's almost as good as starting your reply with "^begin  ".
> 
> One could argue that all encryption is.

That would certainly provoke an argument!

A good encryption algorithm is still hard to break once you've been
given the system; or, given all of the information except for a few
bytes (the algorithm and the data), it's still hard.  With security
by obscurity, having all of the information except a few bytes just
makes it annoying.

>                                          Instead of "which of these
> two billion different password combinations encrypts this data", it's
> "which of these umpteen files has another file or words hidden in
> it, and at which umpteenth byte, and (maybe) what's the password to
> open it?".

That's just tedious book-keeping; computers are VERY good at that.

Worse, if we publish the scheme, it's trivial to break it. "Look at
all GIF and JPEG files for data longer than what the headers say."
isn't going to be difficult to program.

> I think the benefit of regular encryption style "security through
> obscurity" is that it's simpler and therefore more understandable, and
> mathematically analyzable through more straightforward means.
 
...and it's harder to break.

> Now it's got me wondering just how many different combinations of
> hiding one could accomplish.  If you get, say, 20 sizable Files That
> Can Have Embedded Data a day...  and sizable equals...  Ah, forget it.
 
We're no longer defending against someone with a quill pen and a stack
of parchment.

-- 
Paint your house-key green and put it in a flowerpot.
Stewart Stremler


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
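
The check described in the message above ("Look at all GIF and JPEG files for data longer than what the headers say"), as an added example that is not part of the original email. It walks each format's block structure instead of searching for the end marker, because marker bytes can also occur inside a segment; the function names and sample bytes are constructed for illustration.

```python
def _skip_sub_blocks(d, i):
    # GIF data sub-blocks: a length byte plus payload, ended by a zero length.
    while d[i]:
        i += 1 + d[i]
    return i + 1

def _table(flags):                      # byte size of a GIF colour table
    return 3 << ((flags & 7) + 1) if flags & 0x80 else 0

def gif_end(d):
    i = 13 + _table(d[10])              # header, screen descriptor, global table
    while d[i] != 0x3B:                 # 0x3B is the trailer
        if d[i] == 0x21:                # extension: label byte, then sub-blocks
            i = _skip_sub_blocks(d, i + 2)
        elif d[i] == 0x2C:              # image: descriptor, local table, LZW data
            i = _skip_sub_blocks(d, i + 10 + _table(d[i + 9]) + 1)
        else:
            raise ValueError("unexpected GIF block at offset %d" % i)
    return i + 1

def jpeg_end(d):
    i = 2                               # past SOI (FFD8)
    while True:
        if d[i] != 0xFF:
            raise ValueError("expected JPEG marker at offset %d" % i)
        m = d[i + 1]
        if m == 0xD9:                   # EOI
            return i + 2
        i += 2 + int.from_bytes(d[i + 2:i + 4], "big")   # skip the whole segment
        if m == 0xDA:                   # SOS: entropy-coded data follows
            # FF00 is a stuffed data byte, FFD0-FFD7 are restart markers: skip both.
            while d[i] != 0xFF or d[i + 1] in (0x00, 0xFF) or 0xD0 <= d[i + 1] <= 0xD7:
                i += 1

def trailing_bytes(d):
    """Return whatever follows the image's own end marker (b"" for a clean file)."""
    try:
        if d[:6] in (b"GIF87a", b"GIF89a"):
            return d[gif_end(d):]
        if d[:2] == b"\xff\xd8":
            return d[jpeg_end(d):]
    except IndexError:
        raise ValueError("truncated or malformed image") from None
    raise ValueError("not a GIF or JPEG")

# Constructed samples (skeletons, not decodable pictures); the JPEG's APP0 payload contains FFD9.
GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + bytes(6) + b"\x2c" + bytes(4)
       + b"\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00\x3b")
JPEG = b"\xff\xd8\xff\xe0\x00\x09JFIF\x00\xff\xd9\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd0\x56\xff\xd9"
```

A non-empty result is a lead to examine rather than proof of hidden content, since some tools append benign padding or metadata after the end marker.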
