[Catalyst] Re: OT: security through obscurity (was: Encrypt/Decrypt URI)

A. Pagaltzis pagaltzis at gmx.de
Sat May 19 10:34:08 GMT 2007


* Jonathan T. Rockway <jon at jrock.us> [2007-05-18 18:55]:
> Obscurity is a "constant factor". As soon as one person figures
> out your obfuscation, it's useless. When someone figures out
> your real security, it does them no good at all.

You know how easy 99.99% of the locks are to pick?

Doesn’t mean I’ll leave my front door unlocked when leaving the
house.

Security is all about tradeoffs. (I think I’ve seen you quote
Schneier elsewhere? You should be familiar with this statement
if you read him.)

Obscurity buys you a little security, for (usually) virtually no
cost. So it’s almost always a good tradeoff.

> Since there are 6_000_000_000 people in the world, it's likely
> that someone has already figured out your obscurity

I don’t see how that conclusion follows from the premise.

> It's like saying O(2) instead of O(1). Sure, ``O(2)'' is twice
> as slow as O(1), but that's irrelevant and you sound stupid
> when you make a distinction.

In practice, particularly in high-level languages like Perl, there
is often a choice to make between something like a 200n and a 2n^2
algorithm, and guess what? Unless you’re processing ridiculous
amounts of data, the O(n^2) algorithm turns out faster than the
O(n) one.

For theoretical treatment, constant factors and small terms are
irrelevant. In practice, they can make or break an algorithm.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>