Obama administration embraces “security” by obscurity. If releasing your security plan makes it more likely to be broken into, you don’t actually have a security plan, you just think you do.

US won’t reveal records on health website security :: WRAL.com


Curtis Olson August 19, 2014 11:43

Ouch: http://yro.slashdot.org/story/14/08/19/142228/why-chinese-hackers-would-want-us-hospital-patient-data

Cristian Gafton August 19, 2014 12:31

While in most cases this is actually true, it bugs me when this saying is employed as an absolute truth. For a planning burglar, knowing in advance the make and model of the safe he’s going to hit is valuable information. Similarly, knowing architectural details of a website you’re trying to hit will make it easier to navigate around once you’re inside.

And I can think of a lot more cases where “none of your dam beezneez” is the appropriate answer when asked “how do you do security”…

Michael K Johnson August 19, 2014 12:35

They could certainly redact key details, but their history so far gives no particular reason to trust the security of their implementation. I’m suggesting that there’s no particular reason to believe that they have done an effective job of securing our nation’s health data.

Cristian Gafton August 19, 2014 12:40

Oh, the fact that the data is not secure is one of those axioms that need not be questioned. The way you go about proving it (as if an axiom needs proof…) is you assume the best security of the data, and then explain that security is as good as the weakest link, then point to the hordes of computer and security illiterate minimum-wage people who will have full access to all that data to keep the whole system working.

Curtis Olson August 19, 2014 12:47

I think the obscurity portion of a security plan provides an opportunity to catch an attacker while they do the necessary recon. I’d love a security system that was completely known and still completely impenetrable, but I don’t think that is completely possible because human beings are always in the chain somewhere and are usually the weakest link.

As Cristian points out, it’s a system used by hordes of security illiterate people… but then also designed and built by mostly security illiterate people, acting under duress of tight timelines and short budgets.


Imported from Google+ — content and formatting may not be reliable