AC here. I think you've started a new meme in your comment by calling things memes to discredit them :)

The cloud guys (Amazon, Microsoft, VMware, others) employ the top talent in the world to work on this around the clock and will never stop. Company X selling widgets (lets say golf clubs) will just buy machines, and employ people to run the data center as efficiently as possible. How far do you think they will go in terms of maxing out the power efficiency of their data center to name just one metric on which individual data centers simply cannot compete. How do they even build the expertise in that? How can they afford to revamp that when progress renders their once-awesome data center obsolete in just 5 years or so?

Correct. And that's one of the other sources of cost efficiency for the cloud guys. Their data centers are humongously vast arrays of machines managed by very few humans.

Spikes can happen when you don't expect them. Hardware purchases don't happen automatically as your traffic spikes. 'Elastic' can do that. Even if you buy hardware ahead of time -- you now have to own and maintain that hardware. There's even scope for handling daily spikes -- prime time traffic spikes across time zones can be balanced in the cloud so you have less infrastructure serving more clients than would be the case if each client owned their own datacenters. It's actually weird that you question these concepts and disparagingly call them memes. A wait-and-see approach is certainly warranted. Questions regarding portability, and trust issues with the providers are warranted. Questioning the cost-effectiveness of cloud vs. on-premise is a little silly IMO.

My crypto knowledge is fine. What do you think I meant by "cheap" above? And you're accusing me of arguing semantics. Do you measure the cost of brute-forcing RSA-512 in terms of the lifetime of the universe? Please upgrade your crypto knowledge if that's the case.

This is just dissembling now. So many words, because you refuse to acknowledge a simple point: algorithmically there is no difference between the two.

Same issue again. So many words to exlain why you prescribe it, and so many words to then disown it as a security measure. The point is simple and clear. Obscuring that version info is a tiny little security measure. No individual thing provides security -- so your line at the end does not apply.

Playing tricks with semantics? After you ramble on with some nonsense about grains of sand instead of just discussing the core of the issue? As an attacker, you know there's a freaking stack (for example), don't you? With ASLR the only difference is that you don't know where it is anymore -- because it has been *obscured* from you. That's not a semantic trick -- you are the one dancing around with endless verbiage to defend a stupid and pointless stigma over the word 'obscurity'.

What are the other factors? Everything translates into cost eventually.

You know the relatives costs inside your system. What is the cheapest point of attack in your system currently? That is your first priority. Once that's dealt with, ask and answer that question again and again. You will *raise* the *cost* of breaking your system by doing so. You don't need to project the attackers cost to do that. You are deliberately being dense now.

Sometimes people ramble on when they lose the plot. This was a great discussion until this post.

Somebody originally developed it at some cost. Whatever the economoes of them selling it, if you raise that initial cost, you improve the chances of them looking at someone else's product for holes instead of yours.

My exact words were "As a security professional your job is to make their cost of doing business in your neighborhood prohibitively high." You're saying the exact same thing back to me and lecturing me on how wrong I am.

Actually, that's just a scenario where the attacker is willing to pay such a high cost that nothing you do cryptographically will deter them. If they are willing to hold a gun to your head or a loved one's head to make you give up your passwords, you better make sure they can't find you (i.e., make your location obscure).

We are talking about security. The currency in this trade is *cost*. One-time pads are a great example of that -- for an effectively unbreakable system, its pretty seldom used. Why do you think that is? Because it's manual nature means that the *cost* is not worth it to the good guys.

Whatever man... This shit is getting pointless...

Who said anything about the security if their DB resting with the schema being a secret? Did I even imply that this will be your only security mechanism? And you're accusing me of strawmen? WTF man?

You're lecturing me about stupid shit that adds nothing of value again (see grains of sand above). Stop doing this! See your above strawman -- did I suggest that hiding your IP address is a single point of defense you should rely on? WTF is this logic?

You accuse me of semantics, and then argue semantics in the very next sentance.

Another strawman -- citing a silly example doesn't make your point valid. It just means you used a silly example as a strawman. Do you consider re-arranged keys obscurity? If yes, then why?

Low cost measure of what? Low cost measure of what? Ans: security.

This is a pitfall people fall into too easily. The algorithm has to be public knowledge else even the good guys wouldn't be able to use it. But you do obscure something -- the key. And it still comes down to cost. If something else in your system is easy (cheap) to bypass, will you object to your attacker "but, but, I was using crypto!!"?

That is constricted thinking. If brute-force becomes cheap your scheme is broken. Citing a real-world example, what is the difference between RSA-512 vs. RSA-2048 that you would consider one secure and the other insecure? That alone should illustrate to you that your above definition of "broken" in cryptography is incorrect. The longer (more obscure) key increases the cost of the attack.

In ASLR you *obscure* addresses from an attacker. It's an important security mechanism, any modern OS is incomplete without it, and there's just no escaping the fact that it is nothing but a form of obscurity.

You actually supported my point there. Obscuring the version info increases the cost (time, bandwidth) of the attack. Also remember -- a slightly more resourceful attacker could even catalog this info and save it for a day when an attack against this version falls into their lap. However intangible the difference, you did recommend obscurity to your client (rightly so) and you did make them ever so slightly more secure by doing so.

You're missing my point again, which is that you *should* really be talking about *cost*. By any means necessary (obscurity, dancing naked, whatever helps), increasing the *cost* of a successful attack is what's important. Writing malware is a for-profit business. As a security professional your job is to make their cost of doing business in your neighborhood prohibitively high.

Established on slashdot, and in journalism circles perhaps.

I don't know what to tell you at this point. You yourself recommend obscuring version info to your customers. If you're truly a security professional, then you know very well that absolutely any unnecessary piece of information you give an attacker about your system is one piece too many. Real world example: would you ever let your clients share even the slightest information about a DB schema publicly? Even if you authenticate all entry points? C'mon man!

Obscurity is an inextricable part of security. Anyone claiming otherwise has never worked in the profession.

RSA has long been broken? This is news to me. And the 'fix' for RSA 1024 being 'broken' even by conventional means is what -- a longer key right? That's higher level of obscurity, that's all.

Not necessarily too tough to crack -- just harder to crack than anything else in your system suffices. I'm *not* advocating the use of weak crypto though -- my point is simple -- there's a ton of other techniques that go into creating a secure system. Once you have a good crypto scheme, you need to concentrate on everything else, and some of those things will fall under what people love to call security through obscurity. Thinking of obscurity as bad is not helpful. Thinking of security in terms of "cost to break things" and "cheapest thing to break" is what's helpful. High cost = high obscurity, if you will. Good crypto just represents the best obscurity there is (and therefore has the highest cost to break). Then you move on to the next cheapest thing and make it more expensive to break, and so on, until all options for breaking your system are more expensive than the value of what your system is protecting. This is a pretty standard rule of evaluating threat models -- I don't know why people are resisting it so much.

My initial point was merely this: When security issues are discussed on Slashdot some idiot (several of them actually) will come along and put in a one-liner about security through obscurity being no good -- and that spells the end of rational discussion on the topic. The fact of the matter is that there has always been a balancing act between obscurity, and transparency, and cost when it comes to security, and that clichéd effing line contributes absolutely nothing of value to the conversation.

Completely dead wrong! First, let's look at some expensive methods:
http://www.h-online.com/security/news/item/Cracking-WPA-keys-in-the-cloud-1168636.html (WPA)
http://www.darkreading.com/authentication/cloud-based-crypto-cracking-tool-to-be-u/229000423 (SHA-1)
http://web.archive.org/web/20121115112940/http://people.ccmr.cornell.edu/~mermin/qcomp/chap3.pdf (RSA)

Next: less expensive is to circumvent that altogether and look for other weaknesses (less expensive, and much more common -- and Ormandy's exploit is an example of that -- he gains root by some other weakness rather cracking crypto to get passwords and then authenticate as root -- get it?). And lastly, depending on the value of the protected data (or the desperation of the attacker) a gun can be held to your head, or other such extreme measures can be taken. The point is not what you stated. The point is that everything can be broken by some means! Make sure the cost of breaking is greater than the value of the thing being protected. If you disagree with that line, re-read Applied Cryptography -- you'll see it mentioned in that book. And in any case, my larger point to GP was to discard of this idiotic one-liner that hinders meaningful discussion of security issues.

Unsupportable assertion?? You're being overly pedantic. Before he went public, Ormandy's knowledge was either exclusive to him, or exclusive to an incredibly small number of people -- as opposed to common knowledge to all -- it's a simple point really.

Really now? Care to explain?

I have nothing -- I share your interest in this if anyone else has some stats.

One word regarding disclosure though -- a happy medium has been reached in the industry -- incidents like this are the outlier these days. Everyone agrees that disclosure is good -- both in terms of doing right by users, and in terms of maintaining a credible threat that vendors better take security seriously or else they will get publicly pantsed. Everyone agrees pure obscurity (basically a cover-up is bad). Almost everyone agrees pure transparency is bad (since vendors & users are sitting ducks that way). I say almost only because every once in a while (for example today) you get a guy trying to make a name for himself, or trying to make an example out of someone, or just generally being a dick.

That's an artificial condition you're placing there (he could merely be the only whitehat who happened to be researching this particular approach at the time, or this particular module). And the way you speculate that the worst case scenario could be true, anyone can speculate that the best-case scenario could have been true. How many times do we play out that nonsensical speculation before people tire of pointing it out and accept it as an unknown for which the best guess has to be made? The illogical part of your scenario btw is that the malware writers got access to this months ago and yet we know of no exploits -- that part does not make sense.

Two things -- as I already pointed out, this is an extremely arbitrary requirement you are placing, and secondly if he is not the smartest person in the world he should pause before acting unilaterally as he did.

You're always welcome to your preferences -- just note that Ormandy's ego made you less secure because whatever % of blackhats knew about this hole, that % just got elevated to 100% and there is still no patch, and no mitigations aside from stupid ones (pull the network cable / shut down the system type nonsense. I'd love to see you recommend that to a hospital or a business with a straight face). MS (software vendors in general -- could be anybody) doesn't have the liberty of catering to just your preferences anyway. They have to consider the world at large which is full of users that will never even know of this event having transpired, so they will not resort to any of the actions that were prescribed above. Many of them wouldn't even know how to, even if they stumbled upon the news of this exploit.

The choice is not quantized in this manner, my friend. Between "disclose" and "hidden from the public" lie infinite shades of grey that you fail to mention. Absolutely nobody -- not one single person of the several 100 posts on this issue is asking him to keep it hidden from the public *forever*. Just that he give MS a fighting chance to fucking patch it before he fucks them (or rather their users) over.

This is a pointless line. I can't prove that *nobody else* knew about it. You can't prove that anyone else *did* know about it. But if a spear-phishing attack occurs, we will know immediately that this is now in the wild. In the meantime, a patch is not ready, no mitigating instructions are ready, but the exploit is known to world+dog now -- so the likelihood of such an attack has gone up if anything.

The flaw in the argument of anyone defending Ormandy is that once you consider the generic case in which a security hole can be found in anyone's product (not just MS's), you'll realize that supporting Ormandy's actions here is the same as saying that responsible disclosure serves no purpose. That's a really extreme stance and it is absolutely not what the industry as a whole has agreed to (Google included, AV vendors and the vast majority of security researchers included). And if that's not what you're advocating, then why does MS not deserve the same courtesy afforded to the rest of the industry? Why does Ormandy think this hole he found is so much more deserving of glory than all the thousands of holes found by researchers each day, who do disclose responsibly? What was so special about this one particular issue that necessitated this extreme step that left users vulnerable?

Allow me to explain then:

You might use every security mechanism and precaution in the book, and still get 'hacked' if you are a sufficiently interesting target. If you're some random obscure individual (which most of us are) you can get away by merely using good passwords, and keeping your OS and apps updated, not visiting compromised sites, not opening random-ass attachments (basic measures like that). Does it mean the software and processes you use are secure? Hell no. Does it mean you are effectively secure? Could be. But even so, you're relying on the fact that you are a random, uninteresting, obscure individual that nobody would bother to single out and specifically target.

Same thing applies to GP's point about asymmetric keys. You can use PKI -- it won't matter if you do careless shit with it and cheaply cough up the symmetric key you exchanged with it. Or if you chose some idiotic block cipher. Or if you do something silly like saving unencrypted data to a temp file. It's a house of cards and attackers are not necessarily looking at it top-down the way you are -- they'll exploit anything they can. You can't say you use encryption therefore you are truly secure and you do not rely on security through obscurity. No -- you have to discard useless clichés like that and actually take the trouble to follow secure development practices.

What that means is -- you draw up your threat models, find your weak points, eliminate the issues you find, mitigate what can't be eliminated, follow other secure practices (banned APIs, code reviews, static analysis tools, fuzz testing, pen testing) etc. etc. -- it's a long list. You do everything you possibly can, and THEN, you still acknowledge that you cannot possibly have found all flaws. There will be exploits found that you'll need to patch. So you prepare an infrastructure for developing, testing, deploying said patches, and a notification system for people to let you know about these holes when they find them.

All of the above exists. All that effort has been taken. Ormandy just defeated it all because he doesn't give a fuck.

Let he who has written absolutely secure software cast the first stone.

In other words, that's a pretty dumb response. No software can be guaranteed to be secure -- it's just not provable that you have no security bugs no matter how good your processes and testing (never mind the fact that new *classes* of exploits are found on a decently regular basis). Besides if you see the details of Ormandy's bug, it's actually an extremely esoteric issue so it's not like you can call MS negligent for not finding it first.

Well put. This is exactly what I was explaining to OP. This is also why the obscurity mantra is irritating -- think about cost/effort of breaking the scheme instead of repeating tried slogans.

Sure -- but MS isn't doing that.

Incorrect -- he told (sold whatever) it to everyone (including the so-called highest bidder) for a price of $0. He did not achieve the "on your team scenario". He could arguably have abetted the "highest bidder", therefore could arguably have hurt MS's customers. He did hurt MS's image, which I do not care about -- but it seems like the only rationale for his insistence on going this route. I repeat -- I don't give a damn about MS's image. But I can't help but think Ormandy likes to hurt them, and that influenced his choice. Because as I said, he certainly achieved no goals of protected users, and he arguably has hurt them, with the route he chose.

Blindly assuming there is no exploit in the wild is silly. Blindly assuming there is an exploit in the wild is equally silly. You have to examine each case as you encounter it.

For the 99% of users that don't read Slashdot, vendor-sec, arstechnica, cnet, etc. etc. how did they even know about the exploit? I'm sick of people making this point without thinking it through for even a moment. Public disclosure will reach the black hats -- guaranteed! Public disclosure will not reach the 99% of non-technical computer users in the world -- also guaranteed! How effing complicated is this point that you seem unable to grasp??

Nobody gives a shit about saving face. Responsible disclosure can save *users* from encountering exploits before patches are ready -- if there wasn't an active exploit out there, there damn sure is one right now, there damn well isn't a patch. Give it one patch cycle, two at the most. How fucking hard is that. You keep on and on and on treating it as if the choice is "disclose now" vs. "never disclose". Why do you insist on being so dense?

*This* is non-sequitur and shows a lack of understanding as well. One -- it assumes there were already active exploits, so it does not account for having put users in danger if there were none. Second, there is no patch yet, so attackers will not "move on" as you put it. Third, attackers do no move to their next vector. They generally use a broad spectrum of attacks and assume some low percentage of success (which is all they need for creating botnets). They just had an easy one drop into their laps, and they know that a defense doesn't exist for now. That's all that happened. Blackhats are not a homogeneous entity either. Even if a small number of them know about this exploit earlier, now they all do and the race is on.

"out of sight, out of mind!" is a bigger strawman than anything I said. Responsible disclosure, so MS has at least a chance to respond -- that's all people are calling for. And the point wasn't about unbeatable protection -- the point was to dispel of this silly one-liner that only serves to hinder meaningful discussion of security issues.

*This* is a strawman. Don't point out stupid shit that other people did, and claim that it makes your point valid. Remember again the general recommendation -- the cost of breaking your scheme must be greater than the value of what you're protecting. If you're using the scheme above, you should be using it to protect minesweeper scores at best.

This is a strawman again. Simply, disclose responsibly. The patch cycle is well documented. If 1 cycle goes without a patch, you can remind them. If they second one goes by and no patch, disclose. How hard is that? Answer -- not hard at all. When you're not out to fuck people over, and don't have some agenda you're trying to further, it's really not that hard to be reasonable.

It's not just that. The patch needs to be tested to ensure that it actually works! That was an issue the last time Ormandy did this -- he provided a binary patch that did not fix the issue! In addition to that, it has to not cause other bugs (not necessarily exploits -- but bugs -- because those too can cause work stoppage etc.). When the hole is being exploited already, all this goes out the window -- exchange information openly and get that shit fixed ASAP. When it's not yet being exploited actively, you can spare users a lot of headache, and a lot of lost productivity by simply following responsible disclosure guidelines that are well documented and well-known to Ormandy himself.

Dude, you can drop the veneer about caring about MS's customers. Ormandy can drop that too. There's a clear course of action by which Ormandy and MS could have done right by them together. Ormandy made sure that's no longer an option, and they are in greater danger now than was strictly necessary. And you are defending his actions out of glee that MS is looking like an idiot.

Nobody is asking to HIDE anything! You complained about a strawman earlier??? Responsible disclosure does not imply infinite time. Ormandy works for Google right? He can follow their guidelines if he wants to be pedantic about it -- 60 days if there are known active exploits, 1 week if not. He's being an asshole, and people like you are encouraging asshole behavior.

What mitigating actions?? There's a fugging exploit out there, the customer is the whole fugging world, and 99% of them do not read Slashdot, arstechnica, etc -- how do you get the word out to all of them??