Cart
[Home] [By Thread] [By Date] [Recent Entries]
> Okay, maybe I am slow to see what's wrong here, but I don't > see what's wrong here. I have questions about the security > solution presented, but isn't the problem itself legitimate? > If it isn't, would someone be kind enough to educate me why a > self-describing data file is not an easier target for data theft? The main criticism of the article is that the author appears to believe that obscurity provides security, whereas it is a basic premise of security professionals that it doesn't. If you leave your car unlocked, it is insecure whether or not you post a big red notice saying "this car is unlocked". Sending XML in clear with tags saying "this is a credit card number" is therefore no less secure than sending it with tags saying "xwhgts". (And in any case, XML allows both). Actually, I have for a long time been a heretic on this. My grandmother's jewellery survived for five years in a house requisitioned by the military by being hidden under a loose floorboard, I doubt it would have survived if it had been in a locked cupboard. Hiding your valuable data works well, providing no-one is making a determined effort to find it. The risk of your car being stolen depends much more on where you leave it than on whether it is locked. I therefore have some sympathy with the author of this article, even though he is ignorant and should not be writing about security. Michael Kay Software AG home: Michael.H.Kay@n... work: Michael.Kay@s...
|
