GeekSpeak: June 17, 2002
Obscurity isn't security, as Xbox crack proves.
If Microsoft's Xbox is going to be the digital home's gateway to the net, it might be a good idea if that gate could be locked, with a different key for every home. Ignoring a fundamental precept of security, Microsoft has been shipping the Xbox with a security key, identical in every unit, embedded in its hardware. Although obscured by obstacles and distractions, the key was readily exposed earlier this month (see how at www.eweek.com/links) by an MIT graduate student who had time on his hands after finishing his doctoral thesis on latency reduction in distributed parallel computing.
Enterprise IT buyers must shun any "security" offering that is based on obscuring implementation. The mechanism must be fully disclosed so it can be examined from all sides; the keys must be controlled by the user alone. Whether the aforementioned rule is invoked by its formal name of Kerckhoffs' Principle (more information is at www.eweek.com/links) or more colloquially under the label of simple common sense, it's like Newton's law of gravity. You can pretend to break it, but not for long.