View Diary: HHS - Security through Obscurity (9 comments)

  •  You should provide the background (2+ / 0-)
    Recommended by:
    Curt Matlock, edrie

    so that people new to the topic know where you are starting from. The right way to do this combines at least one link and a summary.

    Basically this is the story that Darrell Issa is demanding unrestricted information on unfixed vulnerabilities in the healthcare.gov code, and that HHS won't give it to him because he leaks like a sieve. He and his committee members and staff can examine the documents, but cannot have copies.

    HHS to Darrell Issa: We don’t trust you

    Here is a dKos Diary on the subject.

    Issa Tries to Subpoena Sensitive ACA Website Code. Cummings Fires Back UPDATED HHS Refuses Request

    The original title, since toned down, said, "Cummings PWNs him".

    However, this Diary is a complete misapplication of the concept of Security through Obscurity. That only applies to systems that are supposed to be secure as they are, where allowing everybody to see the code would either increase confidence in it, or allow further vulnerabilities to be found and fixed.

    That is nothing like this case, where there are known vulnerabilities that should not be advertised to the bad guys. They should be fixed, and then the fixed system made public. Or a test system should be made public where fixes can be tried out without further risk to the live system. The best time to publish source code is when it is first being tested and nobody is relying on it, not when it has gone live and is a mess.

    This is what is done at cryptography conferences, where algorithms are introduced and discussed publicly. Many are cracked and discarded on the spot, and then the survivors go into serious analysis and testing. Only the survivors of this extended process can be considered as possible encryption standards.

    I was at the publishing conference many years ago at which Adobe announced that nobody would ever crack its PostScript font encryption, though I was only on an exhibits pass because my publisher wouldn't pay the admission fee for me to attend conference sessions. I was told that three people from different companies stood up in the audience to say that they had already partially or completely cracked it.

    My own very small achievement in this area was finding a math error in the original RSA public-key encryption paper in 1977. Not a problem with the encryption algorithm, but with the process for finding large prime numbers. Contrary to what the paper said, you can use pseudoprime Carmichael numbers in generating keys for encryption and decryption. They work, but they do make the system far less secure.

    Ceterem censeo, gerrymandra delenda est

    by Mokurai on Sat Dec 14, 2013 at 11:07:18 AM PST
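The pseudoprime point in the comment above, as an added example (not code from the comment, the diary, or the RSA paper): a Carmichael number passes Fermat's test for every base coprime to it, so a key generator that relied on a Fermat check alone could accept one as a "prime". The resulting RSA key still encrypts and decrypts correctly for messages coprime to the modulus, but the modulus now contains small factors and is trivially factored. Miller-Rabin, which checks the square-root chain of a^(n-1) rather than only its final value, rejects the same numbers. The values 561, 1105, 1729, the prime 1009, e = 65537 and the message 123457 are constructed for the demo.

```python
"""Why a Fermat-only primality test lets Carmichael numbers into RSA keys.

Added example; the sample values (561, 1009, 65537, 123457) are constructed.
"""
import math


def fermat_probable_prime(n, bases=(2, 3, 5, 7)):
    """Fermat test: n passes if a^(n-1) == 1 (mod n) for every base.

    A base sharing a factor with n proves n composite outright, but for
    realistic key sizes a random base is coprime with overwhelming
    probability, so that check does not rescue the test.
    """
    if n < 2:
        return False
    for a in bases:
        if a % n == 0:
            continue
        if math.gcd(a, n) != 1:
            return False
        if pow(a, n - 1, n) != 1:
            return False
    return True


def coprime_bases(n, count):
    """First `count` integers >= 2 that are coprime to n."""
    out, a = [], 2
    while len(out) < count:
        if math.gcd(a, n) == 1:
            out.append(a)
        a += 1
    return out


def miller_rabin(n, bases=(2, 3, 5, 7, 11, 13)):
    """Miller-Rabin strong-probable-prime test.

    Writes n-1 = 2^s * d and follows the chain of squarings, which a
    Carmichael number cannot fake for every base. The default bases are
    deterministic for n < 3,474,749,660,383.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def rsa_roundtrip(p, q, e, m):
    """Naive RSA key generation that trusts the caller's p and q;
    returns True if encrypt-then-decrypt recovers m."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    c = pow(m, e, n)
    return pow(c, d, n) == m


def trial_division(n):
    """Full factorization by trial division; adequate for this toy modulus."""
    factors, f = [], 2
    while f * f <= n:
        while n % f == 0:
            factors.append(f)
            n //= f
        f += 1
    if n > 1:
        factors.append(n)
    return factors


if __name__ == "__main__":
    for c in (561, 1105, 1729):
        print(c, "Fermat (coprime bases):", fermat_probable_prime(c, coprime_bases(c, 4)),
              "Miller-Rabin:", miller_rabin(c), "factors:", trial_division(c))
    # 561 = 3*11*17 slips past Fermat; an RSA key built on it still round-trips ...
    print("RSA with p=561 decrypts correctly:", rsa_roundtrip(561, 1009, 65537, 123457))
    # ... but the modulus has tiny factors and falls to trial division at once.
    print("factors of n:", trial_division(561 * 1009))
```

The round trip works because a Carmichael number's exponent (the Carmichael function) divides n-1, so the usual (p-1)(q-1) arithmetic still cancels for any message coprime to the modulus; the loss is not correctness but the size of the smallest factor.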

    •  the other factor that many miss is that years ago (0+ / 0-)

      it took time to "guess" the encryption code - now with the fastest processor, that data can be run through "hal" and found fairly easily IF one has the computer power to do so.

      awesome about the rsa thing - i got into computers in 1986-89 - worked with wang labs.  i LOVED the three day machine language course - bits and bytes and how the codes were applied and to what part of the byte.  0000s and 1111s and 0101s... it was so much fun!  (i know, i know, i'm weird - but GOOD weird!)

      EdriesShop Is it kind? is it true? is it necessary?

      by edrie on Sat Dec 14, 2013 at 01:12:32 PM PST

      •  heh - just realize WHY i loved it so... (0+ / 0-)

        the ONLY way i got out of undergrad school was by taking "modern math" - base 4, etc... i had a mental block about math and algebra and couldn't do it UNTIL i realized the application in the development of sailing navigation and the old atari stand up games - then i understood it.

        my attitude was that if you were on a train going 60 mph northbound on the same track as a train going southbound at 60 mph on the same track, MY only thought was "how do i get off the train and live!"

        i found out the answer to both questions in my late 30s -

        first answer is "jump" (that worked for two guys in a crash that year) and the second answer is "add the two friggin' numbers together to get 120" - someone finally told me HOW to get that answer the same year!

        EdriesShop Is it kind? is it true? is it necessary?

        by edrie on Sat Dec 14, 2013 at 01:16:54 PM PST

        •  oh, and i made a b+ in that course! (0+ / 0-)

          took it the last semester of my senior year to fulfill that damned math requirement - i graduated - YAY!

          fortunately, grad school in theatre didn't HAVE a math requirement!  ;)

          EdriesShop Is it kind? is it true? is it necessary?

          by edrie on Sat Dec 14, 2013 at 01:18:08 PM PST
