[ipv6hackers] Pros and Cons of Address Randomization

Owen DeLong owend at he.net
Tue Dec 4 00:03:30 CET 2012 

On Dec 3, 2012, at 2:05 PM, TJ <trejrco at gmail.com> wrote:

> On Mon, Dec 3, 2012 at 2:33 PM, Owen DeLong <owend at he.net> wrote:
> 
>> 
>> On Dec 3, 2012, at 11:00 AM, Mark Smith <markzzzsmith at yahoo.com.au> wrote:
>>>> 
>>>> I can't agree with that premise. Nature does not kill off that which is
>> to
>>>> useful. Nature kills off that which is harmful or disadvantageous.
>>> 
>>> If camouflage had been disadvantageous (i.e. not an advantage), the
>> animals that attempted to use it would have been made extinct, by being
>> caught and eaten by their predators 10 of 000s of years ago. The usefulness
>> of camouflage has also been proven in war.
>>> 
>> 
>> Disadvantageous does not mean not an advantage. If something is not an
>> advantage, it is merely neutral.
>> On the other hand, disadvantageous indicates some distance beyond neutral
>> in the opposite direction of advantageous. That is, it is detrimental, not
>> merely neutral.
>> 
>> I did not say that camouflage was disadvantageous or even that it was not
>> advantageous.
>> 
> <major snip above>
> 
> 
> To be fair to both sides, FWLIW, I don't think it is quite that simple.
> 
> A trait surviving does not mean it is advantageous.  Or that it is *still*,
> or *always is *and/or* will always be*, advantageous.
> 
> If that were the case, why would some creatures go out of their way to hide
> while others go out of their way to be obvious / visible?
> ... Why would some creatures go small, while others go large?
> ... Why are some smart while others are strong while others are fast while
> others have shells while ... ?
> *(Note: these are largely rhetorical questions, we don't need to extend
> this analogy any further ... please?)*
> 
> What benefits you get from any *(for lack of a better word) *trait depends
> largely upon the specifics of your deployment.  That is, YMMV.
> 
> 

Yes… Exactly what I was attempting to point out…

> So, bringing this back to the topic at hand - security through obscurity *
> tends* to fail because the availability of information *tends* to grow
> faster than your ability to constrain it.  Does that mean it is bad, no -
> but you shouldn't rely solely (or largely) upon it.
> *(Hint: Even perfect camouflage is defeated if the other team has the GPS
> coordinates of all of your team ... doesn't mean hidiing is bad, per se,
> but don't bet the farm on it …)*
> 

True, but, security through obscurity often comes at some cost. At that point,
the question becomes is the (usually negligible) benefit of security through
obscurity sufficient to justify the (often not insignificant) cost associated
with it?

I agree that the answer to that question is deployment-specific.

Owen

More information about the Ipv6hackers mailing list