I was interviewed last week by a Chicago computer magazine about network and host security. Most of it revoled around correcting the general misconceptions about all to evil hackers who are exploiting esoteric code to gain access to systems — the fact, of course, is most security breaches occur because of misconfigured or unpatched systems which are exploited by script-kiddies, or are the result of the deadly combination of Microsoft IE and Outlook. Anyway, the discussion of Security through Obscurity came up, and I was reminded of past attempts to achieve the same goal through the same means. The Pharoes tried this tactic and killed their tomb builders to ensure security — didn’t work well in that senario either. Perhaps we should follow and kill app developers so as to hide thier secrets. . . . . One is about as silly as the other. Only by allowing source code to be reviewed and tested, can real app security be a goal, because sooner or later someone will stumble across your tomb . . . .
