Knowing how a safety measure works and specifically what it does isn’t the same as knowing how to circumvent it.
Here’s a common example from the software industry: two-factor authentication (2FA).
We KNOW it’s a user-permission validation scheme that combines two things.
* a piece of data that’s provided by an appliance (e.g. a “token”) or a time-sensitive software program (a “virtual token”), and
* a second piece of data that’s made up and memorized by a user.
The user needs to provide BOTH when logging into or connecting to a computer system or network or account. Without BOTH, they can’t get in.
Knowing what the data is on the token, and knowing how 2FA works, heck, even possessing the source code for the 2FA routines, doesn’t help break 2FA because *we still need that second piece of data*. There is **nothing in the source code** that helps us identify or obtain that second piece of data, and it provides no capability or “workaround” to get there.
So, we would still have to use brute force to complete the process 2FA requires to attach to another network or validate an account.
So the source code doesn’t help us because it doesn’t give us what we need to complete the necessary process. Either that data is provided through some other means, or the source code is blocked from any sort of interaction with it… so having it’s not a security threat.
Latest Answers