|
|
|
|
|
|
by erhardm
4014 days ago
|
|
|
I think that's the Kerckhoffs' principle[0]. Regarding to state actors who have the resources to attack any system, I think it's important to make it as hard as possible, even if it's "known" they will find a way. Why? Because it will drive the costs very high with years of R&D having as result that they'll only use new attack techniques on high-level targets and that means risk of revealing attacks goes up(assuming high-level targets are more sophisticated and spill the beans - as in Kaspersky case[1]). [0] - https://en.wikipedia.org/wiki/Kerckhoffs%27_principle [1] - https://securelist.com/blog/research/70504/the-mystery-of-du... |
|
|
Most deployments use more tricks than that. I was just amazed at how long that one went on without compromises. Used same trick for desktops with custom client-server apps. These days, I'm working on CPU's that protect pointers & code while tools randomize (i.e. diversify) the application automatically. Orange Book era solution to secure networking, email, & databases still work with minor tweaks. I use hardened client-server schemes instead of web apps to avoid... more than I can count. TEMPEST safe + 100yds of space where applicable. High assurance security = build on what we know works & eliminate anything risky where possible. Obfuscations & diversity I add as you said to just slow down our shadowy friends with deep pockets & large staff. Works well so far.