Security By Obscurity — a New Theory

mikejuk writes "Kerckhoffs' Principle suggests that there is no security by obscurity — but perhaps there is. A recent paper by Dusko Pavlovic suggests that security is a game of incomplete information and the more you can do to keep your opponent in the dark, the better. In addition to considering the attacker's computing power limits, he also thinks it's worth considering limits on their logic or programming capabilities (PDF). He recommends obscurity plus a little reactive security in response to an attacker probing the system. In this case, instead of having to protect against every possible attack vector, you can just defend against the attack that has been or is about to be launched."

Remember it only talks about cryptography

[tech4]

I hate it when people always seem to take the phrase out of context and apply it to mean any kind of security, like network security or the old Windows/Linux battle. It's a completely different kind of situation, and in the former it's especially true that security by obscurity is a hardener layer. It's also why Linux has managed to stay as (consumer) malware free to day, even though it still has a fair share of its own worms and other security problems.

Re:Remember it only talks about cryptography

[davester666]

This part of the summary is just great: "... is about to be launched"

Yes, having somebody sitting there as the attack is taking place and somehow guessing how the attacker will try to compromise your system makes it much easier to defend against the attack. Of course, just correctly guess sooner, and then you can fix the system beforehand and then you don't need someone sitting there....

Re:Remember it only talks about cryptography

[elucido]

This part of the summary is just great: "... is about to be launched"

Yes, having somebody sitting there as the attack is taking place and somehow guessing how the attacker will try to compromise your system makes it much easier to defend against the attack. Of course, just correctly guess sooner, and then you can fix the system beforehand and then you don't need someone sitting there....

It also assumes we can determine the capability or the resources the enemy is willing to employ. It's a lot safer to assume you don't know than to try and assume you know.

Re:Remember it only talks about cryptography

[ghjm]

Not necessarily, if the money you spent trying to defend against all possible attacks means that you can no longer have seat belts.

Re:Remember it only talks about cryptography

[cgenman]

The problem is that Security by Obscurity is the defense of lazy vendors who should damn well know better. On the one hand, it's "obscure" that a particular keyphrase known by trusted people will get you to a layer of network security. It is slightly less "obscure" to have your server up on an unresponsive IP address. It's technically a form of "obscurity" to think the hackers wouldn't notice that you left an FTP server up and running without realizing it, or that the default login was still viable. But when vendors use that form of the term obscurity, they're just masking the fact that they are selling you rubbish.

Any properly secured system should be able to proudly proclaim all of its pertinent information to the world, including source code to all available participants, and still be secure. ONLY THEN, should obscurity be layered on. But if your vendor or contractor starts talking about obscurity first, they don't have a clue what they're doing.

Obscurity is icing. Minimalist, properly protected system design with multiple layers of protection, iron-clad internal logging, and no routes to priviledge escalation (especially social) is the route to security. Obscurity is a mildly nice icing that makes maintaining servers less problematic. It also usually leads to lazy vendors creating the illusion of security out of a soon-to-be-had massive privacy lawsuit.

Re:Remember it only talks about cryptography

[camperdave]

This part of the summary is just great: "... is about to be launched"

Yes, having somebody sitting there as the attack is taking place and somehow guessing how the attacker will try to compromise your system makes it much easier to defend against the attack. Of course, just correctly guess sooner, and then you can fix the system beforehand and then you don't need someone sitting there....

Yes, because you may not have a helping hand nearby.

Re:Remember it only talks about cryptography

[OeLeWaPpErKe]

An IDS is worthless. There's 2 classes of IDS systems :
1) those that detect threats you already know about
This is the class all commercial IDS'es fall into. They can do one thing, and one thing only : they can give you an idea where your clueless attackers are. They are less than worthless against a serious threat, because they convince people they're safe, and they give off tons of alarms for attacks that have zero chance of success, which can effectively DoS the security team. They're also hugely expensive, money that could be spent on developing actual decent security.
2) those that attempt to detect what happens after a breach
I've yet to see the first IDS system that falls into this category. There may be some value in this, presuming that you've got good internal firewalls, as they can alert you to a subsystem being infected. It *is* too late, of course, and probably too late to prevent the attacker from trying all known easy escalation measures. But at least you know you're fucked, and you know before the press tells you.

I do agree with the basic premise that implementing a bit of obscurity can help you. This is what things like custom tripwires depend on, and you really should have one of those. It can be as simple as having a mysql install, and replace the mysql binary on production systems with one that sends out a single udp syslog packet, then completely shuts down without warning (ie. alt-sysrq-o), because no-one should locally use that binary.

Re:Remember it only talks about cryptography

[downhole]

Will somebody please repeat this about 10,000 times? I'm tired of seeing all of these debates where people try to apply the same obscurity theory that works for cryptography to every kind of security in the world, including physical security. Arguments about whether security guard patrol schedules are the key or not, good grief.

Re:Remember it only talks about cryptography

[AK+Marc]

I've seen IDS that does both #1 and #2. And nearly every hacker uses script kiddie tools. They are free and easy. They aren't the breach, but they are the precursors, while the attacker is probing for the easiest way in. And all security is obscurity, just with different definitions of obscurity. I secure all my computers with obscurity. A password that I hope no one else knows. That's obscurity. And nearly all security is based on that, biometrics being the only possible exception to that.

Re:Remember it only talks about cryptography

[bluefoxlucid]

What's funny here is even in that limited scope, it's been completely debunked already. Hello, A/52! We know, from constant experience, that imagining your secret system is secure represents a failed strategy. In the case of encryption, we've decided that fewer secrets leaves fewer attack vectors: we *think* our algorithm is secure, but maybe not; we let *everyone* see it, and see if anyone tells us it's broken, and as time goes by we become more and more confident that our algorithm is secure. With these minimal attack vectors, we know we're keeping one secret: the key.

Humans have proven terrible at detecting probes. The constant crapflood doesn't help; it's a good place to hide while you work out the structure of the system. Your secrets are your passwords, keys, and the data they protect.

Re:Remember it only talks about cryptography

[Henour]

I've seen IDS that does both #1 and #2. And nearly every hacker uses script kiddie tools. They are free and easy. They aren't the breach, but they are the precursors, while the attacker is probing for the easiest way in. And all security is obscurity, just with different definitions of obscurity. I secure all my computers with obscurity. A password that I hope no one else knows. That's obscurity. And nearly all security is based on that, biometrics being the only possible exception to that.

Biometrics are not different then a password viewed this way, it simply makes it harder to enter the right "code".

Re:Remember it only talks about cryptography

[AK+Marc]

Biometrics are not different then a password viewed this way, it simply makes it harder to enter the right "code".

I would agree for the cheap biometrics with a calculated hash of a user's biometric. However, if the biometric was a fully-sequenced DNA strand and there didn't exist technology to cook up DNA of arbitrary length and sequence, then it would be a verification of the sample, making it either a verification of who the person is, or what the person has. Just knowledge of the necesssary code would be insufficient to gain access (as can be done with the cheap ones where nearly anyone could pass it, with the right work around). So you could pull a lifelock and publish your DNA and still nobody would be able to access the system. But yes, I understand your point, and I agree it's correct for nearly all (if not all) biometrics in use today, just like all passwords, certificates, and keys are only valid as long as nobody knows them. But I've sent a picture of a key to a company, and they sent me back keys to my car (they cut off of pictures, based on the lock manufacturer's specs, rather than "copying" a physical key as the key duplication places do, do it's like a digital copy, often more "correct" than the key it was made from. So there's nothing stopping anyone else from taking a picture of my keys and getting a perfect copy, other than I keep my keys in my pocket to obscure them from observation.

I don't think they understood.

[khasim]

Obscurity only makes your security "brittle". Once broken, it is completely broken. Like hiding your house key under a flower pot.

Which means that the real security is the lock on the door. All you've done is allow another avenue of attacking it.

Re:I don't think they understood.

[jhoegl]

There is another way to look at this.

Imagine you have gold behind a locked door. Now imagine you have 50 locked doors.

This is your security through obscurity.

Re:I don't think they understood.

[Cryacin]

Well, if you had them behind 2^128 you'd have a trust certificate :P

Re:I don't think they understood.

[bondsbw]

Put up more doors with more locks... that'll fix it! (Just don't tell them about the hidden door into the basement...)

Re:I don't think they understood.

[RoFLKOPTr]

There is another way to look at this. Imagine you have gold behind a locked door. Now imagine you have 50 locked doors. This is your security through obscurity.

You hid the gold under the floorboards. Consider your security broken.

Re:I don't think they understood.

[jhoegl]

This isnt Rook >

Re:I don't think they understood.

[jmerlin]

And once you guess their encryption password, their encryption isn't completely broken? Your analogy is flawed, fundamentally you are assuming someone leaves a key lying around in an easily accessible area. No security we have isn't fundamentally based on obscurity. None.

Re:I don't think they understood.

[jhoegl]

Hahah, good point.

Although these days CA authorities are becoming the weak link.
They will have to rethink centralized security, big time.

Re:I don't think they understood.

[thegarbz]

Which means that the real security is the lock on the door.

But that is also just obscurity in another form. The obscure part is that the attacker doesn't know the combination to the lock, or doesn't know how the tumblers specifically are keyed. Otherwise a key could be made up.

All security is obscurity, just different levels of it. In some schemes the obscure value is shared (hidden directory on the server that isn't crawled but can none the less be accessed by a direct link). Some obscure values aren't (public key encryption).

The hiding the key under the rock is analogous to using a weak form of obscurity to hide a strong one. Which in this case is no better than the obscurity of not letting anyone know that the door lock doesn't actually work anyway.

Re:I don't think they understood.

[jhoegl]

Exactly.

In fact, viruses are developed based on obscurity. I mean, it is in our everyday lives. To believe that obscurity is somehow the Achilles heel is just crazy thinking.

Re:I don't think they understood.

[TwinkieStix]

But, isn't the pattern to the very lock you describe a "secret" or obscure in as much that the lack of knowledge about how to duplicate that key is what keeps intruders out?

Most forms of security rely on some form of obscurity to decide which group of people is allowed access and which group of people is not. A password or a private key, if known to everybody would allow everybody into the system. Only those who hold that extra piece of information are able to access the system through the means by which it was intended to be accessed.

I believe that the point of contention is whether obscuring the system in some way prevents people from entering the system in ways it was NOT intended to be accessed. We could make an argument either way here: Does holding back information on a vulnerability until the vendor has a few days to release a patch first make the system more secure in that period of time? Maybe because fewer people (good and bad) know about this exposed surface. Does keeping ALL of the source code to an application away from open peer review make the system less secure? Mabe, but perhaps the answer depends on if that specific system has more security brain-power put behind breaking into the system or making the system better. There is probably a lot more brain-power behind keeping popular security libraries secure, so open peer-review is surely better. But, I suppose that there exists at least one piece of software with no open source community that if suddenly showed up on github would see the black-hats use it negatively before the white-hats start helping contribute patches.

Re:I don't think they understood.

[Tasha26]

I agree. Security in CompSci has to be a bit more than putting up safeguards (fw, av, encryption) or going from one DES to triple DES just to make brute force attack more difficult. Surely the only solution is to develop a language or maths for it. This way we can reason about security problems and be able to say for sure: this is provably secure just like 1+1=2. After the logic comes the implementation details.

Re:I don't think they understood.

[buchner.johannes]

Think about it a little more and you'll see that it's the same thing. A number and it's representation in a numeral system share a duality. Also, it's not 2^128 bits, it's 128 bits, but you probably meant that anyways.

Re:I don't think they understood.

[jbengt]

I, for one, don't trust certificate "authorities"

Re:I don't think they understood.

[Pence128]

Or you could add 6 bits to your key.

Re:I don't think they understood.

[burris]

No because you can change the key, which is much easier than changing the cryptosystem. With a good source of entropy, I can generate large numbers good keys all day long. Good cryptosystems are much harder to come by, so the cryptosystem is designed to make changing keys easy. Cryptosystems are also designed to minimize the impact of a single key being discovered. Forward secrecy, for instance, where stealing a key might not get you anything at all.

Re:I don't think they understood.

[rainsford]

No, the encryption ISN'T completely broken. If I have an encryption system that uses passwords for security, and you guess my password, the security is broken for this instance of the system...but I can just pick another password and security is restored. "Security through obscurity" doesn't mean security based on ANY secret, it means security through secrecy in some fundamental element of the system, especially when such a secret makes the system brittle. If you steal my key, I can simply rekey a lock and I'm just as secure as before. But if I ALWAYS leave a spare key in the same spot, once you figure that out the entire system is fundamentally broken. That's security through obscurity.

Re:I don't think they understood.

[jbengt]

Your analogy is flawed, fundamentally you are assuming someone leaves a key lying around in an easily accessible area. No security we have isn't fundamentally based on obscurity. None.

Secrecy is not identical to obscurity. The meaning of obscurity in "Security Through Obscurity" refers to the overall scheme and methods. The secured secrecy of keys and the like is assumed and does not mean that the security system is based on obscurity as understood in the context of discussing security through obscurity.

From the Wikipedia article linked in TFS:

Using secure cryptography is supposed to replace the difficult problem of keeping messages secure with a much more manageable one, keeping relatively small keys secure.. A system that requires long-term secrecy for something as large and complex as the whole design of a cryptographic system obviously cannot achieve that goal. It only replaces one hard problem with another. However, if a system is secure even when the enemy knows everything except the key, then all that is needed is to manage keeping the keys secret.

Think of going to two banks to decide where to store some irreplaceable valuables.
In one bank, they tell you about their armed security guards, they show you the vault and describe how thick the steel is, how it operates on a timeclock and a combination They detail how they give you one key to the safety deposit box and how they keep the other, and that you need both keys to open the box. They tell you know that before they let you past the armed guards they require you to show identification and sign in, and only then will they accompany you to your box to turn their key while you turn yours to open the box. They even give you the blueprints to the bank to assure you how well it's built.
The other bank tells you that they can't say what they do with your valuables, because they need to keep it a secret in order to maintain security.
Which bank would you prefer?

Of course, if you are handling your own security, adding multiple layers, including obscurity, can help. But at the core, you need to implement similar protections as the first bank, or you are just fooling yourself to think you are being as secure as it.

Re:I don't think they understood.

[Dr.+Tom]

The key is a secret. If it gets loose you have no security. However, the security protocol (if it is a good one) will allow rekeying; keys are one-time only, and if a key is revealed you can immediately switch to a new key the attacker doesn't know (keys are just random numbers).

Re:I don't think they understood.

[burris]

Here is a real world example where getting a key gets you nothing. Lets say you're targeting someone specific to get their secret cookie recipe or their confession and you've installed a wire tap on their net connection and you've been recording all of the traffic. The target has been chatting with their friends over some encrypted chat thing and you're sure they've been discussing the recipe/crime. So one day your goons stop the mark, steal their laptop which contains their private keys, and beat them with a hose until they give up the password that unlocks them. You type in the password right there and make sure it works. Maybe you just try a password cracker and get lucky.

Now you're golden, you can go back and decrypt all that old traffic and get the recipe, right? No, the private keys stored on the hard drive were only used to authenticate the exchange of randomly generated temporary keys used to do the actual encryption and do you no good at all.

Lets say you manage to steal the key material undetected and guess the passphrase protecting them. Now you can passively watch all of the traffic that goes by? No, you must do an active "man in the middle" attack.

Lets say you are very powerful and are capable of doing an active attack during the conversation. Now you're all set to get your marks secrets as soon as they discuss them again, right? No, because your mark is using voice or video chat, recognizes whom they are speaking with, and are comparing the hashes of the temporary keys being used to encrypt the conversation before talking about anything sensitive.

Re:I don't think they understood.

[gatkinso]

Yes, well, what if they can't find the lock?

Re:I don't think they understood.

[gatkinso]

Many crytpo schemes are provably secure.

However the implementation itself could be flawed, providing a side channel that can be exploited.

Re:I don't think they understood.

[interval1066]

No security we have isn't fundamentally based on obscurity. None.

Yes, we have no bananas. You didn't mean to use a double negative, did you?

Re:I don't think they understood.

[jmerlin]

And what part of that isn't obscurity? Every layer you mention is just another obscurity on top of the previous. Is it potentially stronger obscurity? Sure. It's just obscurity. It's not a hard concept to grasp.

Re:I don't think they understood.

[wisty]

There is another way to look at this.

Imagine you have gold behind a locked door. Now imagine you have 50 locked doors.

This is your security through obscurity.

That is *not* security through obscurity. There are 50 locked doors - that's about 6 more bits of password strength, but it's not obscure that you need to go through one of the doors.

Hiding your key under the flower pot is a better example of obscurity. As is hiding your money in the freezer, or in your sock drawer. Ask someone who has worked in a prison, or served time - most people tend to come up with the same banally unoriginal ways to hide stuff, and the bad guys are pretty good at figuring those methods out.

All they need is a few thoroughly rooted systems, and they can watch what "original" solutions get used. Then generalize them a little, and add the new attacks to their tool chains. Then it's like: Oh, that's nice, you rot13'ed the hash, concatenated it with an easily guessed "key word", then hashed it again? How very original.

Re:I don't think they understood.

[mrxak]

Obscurity has its uses, because with enough determination anybody can get any key regardless of how strong of a lock you use, or how mathematically sound your encryption is. Either they beat it out of you, as you say, or they do some social engineering, or they get a job working for you where they'll have access.

Obscure, therefore, who it is that you need to beat up, talk to, or work for, and obscure what it is that you're locking up so nobody knows to go looking. It's perhaps your only defense against a determined enough opponent, but ultimately this strategy can be beat as well. The only real security is in keeping your measures, whatever they are, far more costly to break than the value of what it is you're locking up. Overkill, yes, but it will keep you perfectly secure.

Since that's rather expensive, instead make yourself a higher-hanging fruit than all the others. Use more security than anyone else, but as cheap as possible otherwise. People are lazy, and will go after the easiest targets first, and there's only so much time in the day so they'll never get around to you. Call it security in being the fastest of the herd.

Re:I don't think they understood.

[a_hanso]

Isn't all security not based on a physical token ultimately by obscurity? Passwords, for example, are *not* inaccessible to attackers. They're just obscured among billions of possibilities.

Re:I don't think they understood.

[hjf]

I run SSH on non-standard ports. That's "security by obscurity", and guess what? IT WORKS! Because every scanner out there is looking on port 22. Do you know how many login attempts you get when you run SSH on port 22? Way too many. Do you know how many you get when you run SSH on port other-than-22? Zero.

Saying that security by obscurity is "brittle" or "fragile", or whatever, doesn't mean that there is such thing as "security by transparency". I don't go publishing all my server's configuration, ports, addresses, VPN endpoints and other stuff out there, because it doesn't make my system any more secure. In fact, keeping that information private actually decreases the chances of getting h4x0red.

Of course, I also firewall the servers, run SELinux on them, run sensitive services in chroots (or FreeBSD jails, or solaris zones, etc), I keep everything patched and up-to-date, and try to subscribe to security mailing lists.

One more thing: I ALLOW SSH root access.

Re:I don't think they understood.

The important part is that you should know how obscure your security is. If you have a 128-bit key, you know that the attacker has 2^128 combinations to try. If you're hoping the attacker doesn't know the vendor's master password, you don't know how reliable your assumption is.

Re:I don't think they understood.

[GuldKalle]

The one door model has a proven track record; nobody has been able to pick the lock despite many tries.The 50 doors are all custom-built models, some have never been installed before and the only one who has ever heard of them except your supplier (who might have a financial interest in supplying you). Furthermore, you are not allowed to observe him while he installs the doors, so you can't see if he made a systematic error

Re:I don't think they understood.

[indeterminator]

Many crytpo schemes are provably secure.

Actually, only one: the one-time pad.

Re:I don't think they understood.

[azgard]

Exactly. The "obscurity" is related to the system of security you use. The key point in "security by obscurity is bad" is when you developed a system yourself or with just a few people, it may have more flaws in it than if you open it for the whole world to see. It's the openness (and usage of the system by others) that gives additional assurance that the design is reliable.

So the study is flawed. It assumes that closed system has the same quality as the open system, which is exactly what is asserted not to be true.

Re:I don't think they understood.

[thsths]

> Which bank would you prefer?

And that is the key point. Real security can be audited without compromising it. Obscurity cannot be audited - you have to take their word that it is "obscure" enough. And what is obscure or inconceivable to some person may be perfectly obvious to another (such as a blackhat with actual security skills...).

Re:I don't think they understood.

[buchner.johannes]

No. Only the following two are true:
(a) A 128 bit certificate is the equivalent of 128 light switches that have all to be in the right setting (not 2^128),
(b) A 128 bit certificate is the equivalent of 2^128 doors, of which you have to find the right one.

Here the arrangement of 128 options with 2 choices is the equivalent of choosing the ordering number in a sequence of 2^128 elements.

Doors with (counter)clockwise just half the number of doors needed, as you can see each rotation as a separate door. Or you go back to the example of a vault lock based on a certain order of specific rotations -- then you are again taking about a combinatoric issue. If your argument is that the unknown procedure is the security, then I just have to find a way to list all the possible solution procedures -- the complexity of that is the security of the lock. Nothing is gained.

Re:I don't think they understood.

[TheLink]

In practice there can be significant added security by adding obscurity.

Consider this:
a) you run your ssh server on the default port 22.
b) you run your ssh server on a different port.

In the a) scenario you get lots of automated break-in attempts every day, with a finite chance of a break in via a lucky guess or a zero-day ssh exploit.
With b) you get hardly get break-in attempts on your ssh server, if you ever get one, you might be being targeted and so should take appropriate action (you might even be able to automate the response). Meanwhile the automated attacks won't pwn you even if there's a zero-day in your ssh server.

Re:I don't think they understood.

[poofmeisterp]

> Which bank would you prefer?

And that is the key point. Real security can be audited without compromising it. Obscurity cannot be audited - you have to take their word that it is "obscure" enough. And what is obscure or inconceivable to some person may be perfectly obvious to another (such as a blackhat with actual security skills...).

Interesting point.

My counter-point (if it even matters) is that I know of a company that recently lost one of their biggest customers through an audit of the IT infrastructure (along with all security mechanisms, etc).

The logic was simple but the outcome was unfortunate because it employed valid logic rather than "valued logic":

1. The company didn't want to give the auditors copies of all of the usernames and passwords, along with the encrypted versions of said usernames and passwords, along with the formats of data transfer files, along with detailed descriptions of exchange methods, because that would be a perfect embarrassing example of willingness to hand out the most secure information to whomever requested it (keep reading, the validation of them can be f00b3d). *ON PAPER*, mind ya.

2. Customer also had a team perform stress-tests and backdoor security testing of the servers from the external and internal networks. The company saw the obscurity of internal information as an excellent tool in proving the customer's audit team's point. If you don't know what you're going to be trying to overcome, good luck overcoming it. Quote: "We'd be glad to know if you can because you'd be the first and only to do it."

3. Simple logic is more secure for the sake of image... Why should they hand them all of the securely hidden information in order to show you how secure their information security is? Isn't that breaking security?

4. Complex logic is strong, but has missing points... Assume they trusted that they were who they say they were and trusted them to maintain the security of the data. Having said that, giving them the data represents that part of the security system is lacking; i.e. if they performed checks to ensure they were, in fact, who they said they were, who is to say that they haven't found a way to exploit the security of the customer's communication beforehand, effectively making it impossible (they didn't have mobile numbers for any of the customer contacts, FYI) for them to validate that the customer really did send them there and approve that action?

End statement: it's a chance situation. They lost that customer. It hurt. Another large customer, on the other hand, actually did perform the stress testing and security vulnerability testing (with random strikes and methodologies) and was unable to harm or break the security. They were quite pleased with my friend's company and still use them to this day, refusing to switch providers because all of the others release their security information openly. :)

Re:I don't think they understood.

[niftymitch]

There is another way to look at this.
Imagine you have gold behind a locked door. Now imagine you have 50 locked doors.
  This is your security through obscurity.

Or another way...
Imagine you have 50 locked doors all alike.
Behind those 50 locked doors are 50 more doors
all alike. And behind those doors 50 more doors.

Since the doors are "all alike" 49 can open to find
any of the 48 all alike doors in large circular
lists that never end. The 50th door that opens
to the 50th door etc... to the interesting door can
have any sane number of externally specified levels.

As long as there is no way for the attacker to leave
gold coins to disambiguate his walk the location
of the prize behind door number (pick a large number)
remains well obscure.

Another way to think of this is that key+method
is the necessary set of information to decrypt
data. There is no reason to expose either.

Re:I don't think they understood.

[Pentium100]

They even give you the blueprints to the bank to assure you how well it's built.

Someone still might be able to find a weakness by looking at those blueprints. If that bank did not show you around (but had the same security) it would be harder because the thief would need to obtain the blueprints first before he can attempt to find the weakness.

Example from computer security - DRM. A lot of people are trying to break DRM and they manage to do so because uncrackable DRM for passive content (video, audio) does not exist. If the creator of the DRM scheme published the source code, it would be cracked much faster than it is now.

Re:I don't think they understood.

[Kjella]

Which bank would you prefer?

Well, the bank who gave you the blueprints is plain arrogant. Same as if a server administrator posted his intrusion detection system configuration publicly so attackers could emulate the attack in advance and avoid tripping it. You have to assume there are unknown exploits in the system, but you counter it with an unknown of your own that attackers won't know what will trigger alarms. Don't think for a second that a bank tells you all the security systems and routines when they give you the tour, they just point out the obvious ones so the people from America's Dumbest Criminals won't try.

Re:I don't think they understood.

[Archangel+Michael]

No, Security through obscurity is like having your gold behind 50 doors, each with 3 locks, some are trivial to pick, but not all of them. And the thief cannot tell by looking at the doors or the locks which one is which. The Thief has to take the time to start picking locks to start getting to the gold, but while he's picking locks, alarms are triggered and security can monitor the progress and take remedial steps to minimize the danger.

Most security is based on making it difficult to gain access. Social Engineering is often the best attack for "secure" systems, because it is the known risk.

Re:I don't think they understood.

[jbengt]

If the creator of the DRM scheme published the source code, it would be cracked much faster than it is now.

One reason DRM is crackable is because they are trying to keep the key secret from the person who uses it to decrypt the message. This is not the same problem as keeping the key secret for yourself to use.
Most DRM schemes are published, though not the source code.

Re:I don't think they understood.

[Pentium100]

Yes, but that's the thing. DRM with published source code will be cracked faster.

If I encrypt some files and do not tell you the encryption algorithm then it will be harder for you to break the encryption because you will need to find the algorithm as well as the key (or maybe I encrypted the file twice with different algorithms). If you know the algorithm then breaking the encryption becomes a bit easier since now you know what (if any) weaknesses you can exploit and you only need to find the key.

Sure

[EdIII]

That's fine and all. If you want to create your security through incomplete information, or different tactics and strategy, that is a choice.

Just don't be a childish whining little bitch and run to the FBI to stop the big bad anti-social "hackers" from revealing your used-to-be incomplete information in security conventions and trying to have them arrested.

You get double whiny bitch points trying to invoke copyright to prevent the "leakage" of your incomplete information.

I certainly get the point of the article, but a system that is secured through well thought out and tested means will always trump a system where, "Golly Gee Willickers Bat Man.... I hope they don't find the secret entrance to our bat cave that is totally unprotected and unmonitored".

Re:Sure

[icebraining]

What's a password - or even a private key - if not incomplete information?

Re:Sure

[EdIII]

I don't think that is what they mean by incomplete information.

In the context of security through obscurity it has always, to me, seemed to mean that your method and process of providing security is not well understood and it is this fact that is providing the majority of the security. If somebody figures out the method or process, your security is greatly compromised.

A password, or private key, is not a good example in this case. I think a better example would be that passwords and private keys protect documents created by a certain well known company, but that their methods and processes were so laughable that you could create a program to bypass the keys themselves.

Or in other words........ the only thing keeping Wile E Coyote (Super Genius) from getting to Bugs Bunny though the locked door is his complete lack of awareness that there is nothing around the door but the desert itself. Take two steps to the right, two steps forward, turn to your left, and there is Bugs Bunny. You did not even have to get an ACME locksmith to come out.

Re:Sure

[circletimessquare]

you attempted to redefine his terms, and then you attempted to change the topic. in other words, you don't have an answer

aka, incomprehensibility by affability

because the real answer would be to concede that icebraining is correct: it's just a matter of perspective of what security is, and what obscurity is, and, on some philosophical level, they are indeed the same concept after all. not that this is a mighty a thunderclap of a realization, and not that it completely changes security paradigms. but it is indeed and interesting, noteworthy platitude, a musing you might have while sitting on the toilet: security IS obscurity, after everything is said and done

so just admit the simple platitude is true on some abstract, unuseful and inconsequential level, and move on with your life

Re:Sure

[EdIII]

Uhhhhhh..... okay

I am not redefining terms here at all.

Granted, this is from Wikipedia:

Security through (or by) obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them. A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities in those products and versions. An attacker's first step is usually information gathering; this step is delayed by security through obscurity. The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.

icebraining is not correct here, and your assertion I am changing the definition from the norm and widely accepted definition is false. Security through obscurity, as a concept, is not something vague and a matter of perspective. It is a very well defined term in security and has been for quite some time.

According to the definition above, a password is not incomplete information, or information being obscured, as it is being presented in the context of the article and the principle of security through obscurity.

Making this a philosophical debate that a password is also obscurity at some level has nothing to do with the principles that are mentioned.

Re:Sure

[EdIII]

Whatever man. I am not resisting anything.

Passwords and secret keys don't have anything to do with the principles of security through obscurity.

I am getting the distinct impression I am feeding a troll, so the kitchen is closed. Come back tomorrow.

Re:Sure

[circletimessquare]

http://slashdot.org/comments.pl?sid=2455818&cid=37579932

read it again

go "yeah sure, on an abstract and inconsequential level," and move on. why is that so difficult for you

Re:Sure

[moderatorrater]

It's an identifier. Security through obscurity is where methods, processes and algorithms are hidden in an attempt to create security. It's the difference between having a vault door with a lock and having a hidden door with no lock.

Passwords and private keys are very specific pieces of information that use algorithms to make it mathematically (almost) impossible to figure out. Obscure processes and methods and algorithms, on the other hand, are negligibly easy to find out when it comes to computers. Computers are too powerful to hide something from them (with a few exceptions mentioned above). Relying on obscurity is a fools game in those circumstances.

Re:Sure

[shutdown+-p+now]

mean that your method and process of providing security is not well understood and it is this fact that is providing the majority of the security. If somebody figures out the method or process, your security is greatly compromised.

Not necessarily. It may also mean using a public and well-understood method - but not telling which method you're using, so the attacker has to figure it out on his own.

Re:Sure

[GuldKalle]

It is incomplete information in the sense that it doesn't open all systems based on that tech.
Same difference as having an extra key vs. knowing how to pick the lock.

Re:Sure

[icebraining]

So if I configure my SSH daemon to use a port chosen at random, it's not security by obscurity since knowing that port doesn't help you access other servers?

Re:Sure

[Jeremi]

Or in other words........ the only thing keeping Wile E Coyote (Super Genius) from getting to Bugs Bunny though the locked door is his complete lack of awareness that there is nothing around the door but the desert itself.

The greatest trick the Road Runner ever pulled was convincing the world he did not exist. And like that... poof, he is gone.

Re:Sure

[GuldKalle]

The algorithm for choosing a port at random is security by obscurity.

Re:Sure

[icebraining]

No, I mean choosing it manually. I chose 7222, for example.

Re:Sure

[indeterminator]

The algorithm for choosing a port at random is security by obscurity.

If the algorithm is keyed, publicly known, and known to provide good security, then it's not security through obscurity. At least according to some some other comments here.

Of course, the result space (2^16) is too small to provide actual security.

Nature disagrees

Camouflage is the oldest and most natural form of security on the planet.

Re:Nature disagrees

[RenHoek]

Carrying a bigger stick then your opponent is the oldest and most natural form of security.

Re:Nature disagrees

[perpenso]

Camouflage is the oldest and most natural form of security on the planet.

Carrying a bigger stick then your opponent is the oldest and most natural form of security.

Actually its camouflage *plus* the bigger stick. The camouflage gives one the potential advantage of deciding if and when the bigger stick comes into play.

Re:Nature disagrees

[Pentium100]

Or you can hide they key somewhere else, not under a flower pot. That would be OK if you wanted someone to be able to get in your house, but could not be there to meet him or mail the key but did not want to keep your house unlocked. Hide the key somewhere not obvious and instruct the guest where to find it.
Will the thief really find out that the key is hidden under one of the flower pots that are dispersed trough the yard, in a pile of bricks or in a bucket that's in the well?Does he really have time to run around and check everywhere that the key could be hidden before just assuming that the key isn't there and either going away or just breaking the door/window? My yard is about 6a (600m^2), there are a lot of places to hide a key.

Re:Nature disagrees

[dkleinsc]

No it's not. The oldest and most natural form of security on the planet is the cell membrane, a.k.a. the biological firewall.

Re:Nature disagrees

[heson]

The stick* costs alot of food to carry around. Camouflage is almoast for free once aquired.

* Whenever it is an actual stick, stronger cheeck muscles or whatever.

Half the story

Obscurity is good when backed up by good code where it takes time and effort to break into. That is not often the case where instead obscurity is used to hide the large holes cause by badly written code. Obscurity buys you nothing when these holes can be broken into through blind attacks. And it is often for this reason why we don't like obscurity as it also motivates companies not to fix these holes as it cost time and money to look for them continuously (which they have to spend themselves if they want obscurity).

So in actuality, open code is the best compromise in general.

Misapplication of Kerckhoff's Principle

[telekon]

Kerckhoff's Principle specifically applies to cryptosystems. Not only does TFA describe more of a generalized application to systems and code, but it's not really describing 'security through obscurity.' It's describing informational arbitrage, i.e., profiting (not necessarily financially) from an imbalance of knowledge on one side of a two-participant game.

The dynamic adaptive approach has its merits, particularly as it is increasingly clear that most security is only the illusion of security, maintained until it is breached. But traditional 'security through obscurity' refers to systems for which the only security measure in place is maintaining the secrecy of a protocol, algorithm, etc.

It seems to me the ideal approach is a balanced one, that embraces the UNIX philosophy: cover the 90% of most common attack vectors with proven security measures (and update practices as needed), and take a dynamic adaptive approach to the edge cases, because those are the ones most likely to breach if you've done the first 90% correctly.

Re:Misapplication of Kerckhoff's Principle

[telekon]

The difference between keys, and algorithms or protocols, is while the latter can be reverse engineered, a strong key is practically impossible to recover, even when every detail of the implementation of the cryptosystem is known to both parties.

To put it in simpler terms, "security through obscurity" would be not telling anyone where my house is, and hoping they never find out. Better security would not be handing out copies of my house key, having an alarm system, and dealing with novel intrusion techniques as they arise.

Luck

[El_Muerte_TDS]

Call it luck, or educated guess, call it fate for all I care. One miss, and you're screwed.

Series or parallel?

[khasim]

Does the attacker have to get through 50 doors to get the gold? Not all locked with the same key? (etc) This is good security (unless locked with the same key and so forth). ..or..
Does the attacker have to get through ONE door that is NOT locked (the security depends upon the attacker not getting the right door) ? ..or..
Does the attacker just have to check the doors for recent fingerprints to guess which door to attack?

Re:Series or parallel?

[jhoegl]

Well, there are many methods. One would be honeypotting, another would be and in line with the "Security through Obscurity" thinking, you have to choose which door to attack. The point being, the hacker doesnt know because of security through obscurity. What you can do is Honeypot all the other doors and know about the attempt, or setup an alert and know about the attempt.

Frankly, if it is that important to be connected to the internet, but requires high security, the cost is justified.

You can even setup a "wag the dog" approach where you let it slip that Site A is how everyone accesses things, and have a few tricks there, but site B or C is where it actually is.

My point is Security through obscurity is a valid point to be made, but under the right direction and/or policies.

This is new?

[denshao2]

I thought it was obvious.

SbO: lame

[Dr.+Tom]

Security by Obscurity is lame. The REAL test of a good security protocol is when you publish ALL the details and the bad guys STILL can't get in. If you are merely relying on somebody, somewhere, not saying anything, you are asking for it. All the real security products that people actually trust are open source. I will never, ever, ever, ever, trust anything that is closed source. There could be a back door, and you can't argue with that. Again, and again, and again, the ONLY security algorithms worth talking about are OPEN. If you can publish your work in public and STILL be secure, THAT is security. That is quite possible, it has been done many times. If you can't do that, you are just making excuses for your lame security that relies on a secret. Look at history. Your secret will be published, and then your product will be dead.

Re:SbO: lame

[jmerlin]

Someone else can get in -- all they need is a little bit of information you've left out (like a key). Obscurity. Right there. Self defeating posts are self defeating.

Re:SbO: lame

[jmerlin]

It's a little scary someone from the NIH with a doctorate in a field is so short sighted. Never mind, that's really, really scary. It explains a lot, really.

Re:SbO: lame

[jmerlin]

Writing code does not imply intelligence nor skill, similarly, neither does duration of residence. Nice try, though.

Re:SbO: lame

[stephentyrone]

"Open Source" doesn't buy you much. Sure, you can see what the program is "supposed" to do. But do you fully understand what the compiler does with it? Do you trust the compiler to be both bug free and non-malicious? I've filed far too many bugs against compilers to trust them to be bug free. Even if you assume they are, what about the compiler that was used to build your compiler? How do you know that the hardware on which the program is running doesn't leave it open to attack?

If you want "actual trust" you use machine code that has been proven correct running on hardware that has been proven correct and exhaustively tested. You don't care about whether or not the code is "open source". Most people don't require that level of paranoia, of course, nor can they afford the expense of doing such verification, but you shouldn't pretend that "publishing" or "open source" is magic security fairy dust.

Re:SbO: lame

[DarwinSurvivor]

=Anything server-side is never truly "open" in the sense that you can't truly know that it has your open software.

It is if YOU put the software there.

Re:SbO: lame

[Dr.+Tom]

you're paranoid

Re:SbO: lame

[Dr.+Tom]

seriously, security by obscurity has been show to be stupid many times over. why are we even still talking about this?

Re:SbO: lame

[jmerlin]

Credentials mean nothing. WIth a few hundred thousand and a few years to spend, anyone who isn't an idiot can get a Ph.D. It does not imply that their opinion and misguided trollings on /. about any subject is even remotely accurate. It definitely does not absolve them from heinous ignorance and shortsightedness, as you have clearly demonstrated.

Re:SbO: lame

[jamesh]

Someone else can get in -- all they need is a little bit of information you've left out (like a key). Obscurity. Right there. Self defeating posts are self defeating.

If you have the key then all bets are off. But if the inner workings of the lock are completely known to the opponent and they still can't get in without the key then you can say your system is secure. If there is a flaw in your lock such that it is possible to get in without requiring the key then you have to obscure the inner workings of the lock, and you can't say your system is secure because it's always possible that someone could reverse engineer it and find the flaw, allowing them access to _all_ such locks.

Re:SbO: lame

[GuldKalle]

Yes, but you need one key per system. If you get my private key you can log on to my computer over ssh. If you find a fatal flaw in ssh, you can log in to any computer.
I don't have to trust that the developers of my security implementation can keep a secret, I only have to trust that they implemented it safely and correctly. The only person I need to keep a secret is myself. And if I can't trust myself, the attacker is already in (i.e. myself).
Now go back to where you came from.

Re:SbO: lame

[stephentyrone]

Yes, security by obscurity is stupid. So is security by "openness". Security and openness are orthogonal.

Re:Yet...

[RoFLKOPTr]

A new kind of goatse troll in which the troll commenter hides his actions by contributing to the thread in a positive manner.

*golfclap*

Missing the point?

[nine-times]

Well maybe I'm wrong, but I always thought the complaints of "security by obscurity" were not that obscurity couldn't be helpful to security, but that it was a bad idea to rely on obscurity.

It seems obvious to me that the more complete the attacker's knowledge, the greater the chance of a successful attack. If an attacker knows which ports are opened, which services are running, which versions of which software are running which services, and whether critical security patches have been applied, for example, it's much easier for them to find an attack vector if there is one. You're more secure if attackers don't know that information about your systems, because it forces them to discover it. That takes additional time and effort, and they may not be able to discover that information at all.

However (and here's the point), it's not a good idea to leave your systems wide open and insecure and hope that attackers don't discover the holes in your security. It's not smart to rely on the attacker's ignorance as the chief (or only) form of protection, because a lot of times that information can be discovered. It's true that "obscurity" is a form of security, but it's a fairly weak form that doesn't hold up over time. The truth tends to out.

Re:Missing the point?

[jamesh]

You're more secure if attackers don't know that information about your systems, because it forces them to discover it. That takes additional time and effort, and they may not be able to discover that information at all.

But on the other hand if you find a back door to a security system, you now have access to all such security systems. Not publishing the intricate details about the security system doesn't add nearly as much security as people think.

Put it another way, if your security system is completely open and documented and nobody has ever discovered a backdoor that would allow them access without a key, then you can say it is secure with a great degree of confidence.

Re:Missing the point?

[mrxak]

Unless there is strong incentive to not reveal knowledge of a backdoor if you find it, such as the desire to exploit it yourself. With open source, you're still trusting the people who really spent the time to look at and understand the code. How many of those people are there? How many of them do you trust absolutely?

Re:Missing the point?

[marcosdumay]

"I always thought the complaints of "security by obscurity" were not that obscurity couldn't be helpful to security, but that it was a bad idea to rely on obscurity."

Sometimes that isn't true, and those are the most common times people use the term "security by obscurity".

When dealing with algorithms or protocols, if you don't let the white hat people discover the problems with your idea (what can't happen when it is obscure), all those problems will be still there when you deploy it. On those cases, obscurity really oposes security.

Re:Missing the point?

[nine-times]

Yes, but that's certainly not the whole story. In a sense, you could even say that passwords are an instance of "security through obscurity". Your security depends on a lack of knowledge on the attacker, i.e. not-knowing the password.

When I'm running a network, I keep documents on what all the servers are, what their IP addresses are, what services are running and what ports are open. I keep a map of which servers have access to which other servers, and my own assessment of possible attack vectors. If I knew an attacker was trying to gain access to my network, I would certainly prefer that the attacker didn't have access to those documents. If, open reviewing those documents, I see a gaping security hole, then I'll fix it rather than rely on the ignorance of attackers, but I still wouldn't want potential attackers to have access to all of that information.

Realistically, the purpose of security is to make access inconvenient, difficult, and dangerous in proportion to the importance of whatever you're trying to protect. In common practice, your goal is not to make your systems absolutely secure, but instead to make yourself an unappealing target. If gaining access to your system requires a large investment of time, money, energy, interest, and risk while the payout is indeterminate, then you're probably safe.

Your attacker's ignorance is not sufficient security, but it is the first line of defense.

Rational, but flawed.

[RyanFenton]

Past performance IS a proper indication of how the future will be, if everything stays as expected. But reality is rarely fully what we expect it to be.

Defending against known threats is certainly part of the task of securing something - but the other part is observing what makes up the thing you're defending, and looking for weaknesses, and from that how to react when those weaknesses are exploited. Not doing the last bits is one of the very bad parts of groupthink, complacency.

One of the best ways to develop groupthink? Pretend that everything you're doing is a crucial secret, and cut yourself off the entire outside world - and thus never invite outside input to help you adapt to anything new.

Obscurity works by default - because it's all about protecting your precious secret from any experimentation. But once it becomes important to someone to test your secret, your obscurity is a very limited defense.

Ryan Fenton

Re:Rational, but flawed.

[siride]

I don't think you even read the article.

Re:Rational, but flawed.

[mrxak]

Who actually reads anything more than TFS?

Re:Rational, but flawed.

[siride]

There's a joke in here about information via obscurity and Slashdot readers' tendency to read nothing but the headline, but I can't get it to work :-/.

Re:Yet...

[NoSleepDemon]

Goatse through obscurity?

Re:Yet...

[RoFLKOPTr]

Wow that didn't even cross my mind. So in addition to contributing to the thread positively, the goatse troll is actually relevant to the topic at hand. Absolutely amazing. A technological marvel.

I don't think that's correct.

[khasim]

One would be honeypotting, another would be and in line with the "Security through Obscurity" thinking, you have to choose which door to attack.

Just as in my house key example. The attacker has to know WHICH flower pot has the house key.

The problem is that once that piece of information is uncovered, the entire security implementation is broken.

The point being, the hacker doesnt know because of security through obscurity.

Yes, I understand the concept. I just don't agree with it. Again with the house key example: the work of putting a decent lock on the door is negated by having an easier, alternative avenue of attacking the door.

My point is Security through obscurity is a valid point to be made, but under the right direction and/or policies.

My point is that it is not because all it does is allow another, easier, avenue of attack.

If it does not, then it is not "security through obscurity".

Re:I don't think that's correct.

[jhoegl]

I am not suggesting leaving it open and just not telling anyone. That would be crazy.

What you want to do is keep it secure as possible, but give the potential intruder something else to work on that yields no results, but increases their risk of exposure.
Security through obscurity does not automatically assume that it is a door left wide open, just no one knows about it.

Consider things that are currently unknown to the public, such as Air Force one. Only a few people know about its defenses and potential. However, they do not leave it out in the open devoid of guards and security. So therefor, including the security surrounding it, you also have obscurity of its potentials.

Do you understand the thinking now?

Re:I don't think that's correct.

[vux984]

Just as in my house key example. The attacker has to know WHICH flower pot has the house key.

The problem is that once that piece of information is uncovered, the entire security implementation is broken.

There are other ways to have obscurity.

What if you put the lock for the door underneath one of the many flower pots, and perhaps even have a completely non-functional keyhole on the door itself.

That is also "security through obscurity".

Moving the lock to an an unusual place certainly doesn't make system any less secure.

And it will arguably foil or at least delay a real attacker.

Especially if the fake keyhole on the door is wired to an alarm...

Re:Yet...

[Shoe+Puppet]

On top of that, he was logged in while an AC pointed out it's goatse.

"Security by obscurity" is misleading.

[ZouPrime]

As a information security professional, I've always seen the whole "security by obscurity" issue somewhat misleading. By repeating the mantra, I feel many people forgot its true meaning.

Security shouldn't RELY on obscurity. That's true. But it doesn't mean obscurity, by itself, doesn't provide security benefits.

There are many examples where this is obvious. For example, would you publish your network topography on your public website? Of course not. Even if you were convinced that its security and access control are air tight, the cost of keeping such documentation "obscure" is negligible versus its usefulness by a potential attacker.

The problem arise when obscurity is used in lieu of proper security. Unfortunately, it still happens too often. But while the presence of obscurity may be seen as suspicious by an outside party trying to evaluate the security of a system, it shouldn't be considered as evidence of its insecurity, as it sometimes is.

Finally, I understand the "many eyes" argument, and how public disclosure of the security details of a system can help improving it. After all, nobody would think about trusting a crypto algorithm that hasn't been made public and scrutinized accordingly. But this logic cannot be generalized for all systems in all context.

You have it wrong.

[khasim]

And once you guess their encryption password, their encryption isn't completely broken?

You're confusing the "obscurity" portion of that statement.

Passwords should rely upon the difficulty in cracking them due to their complexity. The system is known. The password is not known.

Security through obscurity refers to the workings of the system being hidden. Such as the key under the flower pot opening the door. Once that information is discovered, the system is cracked.

Re:You have it wrong.

[jhoegl]

So once someone gets your password, the access is granted?

So how is this different?

Re:You have it wrong.

[Daniel_Staal]

The idea of any security system is to reduce the number of fatal secrets. The minimum number is one. (Otherwise you have an open-access system.)

Your password, or key, should be that one. It shouldn't matter if the attacker gets everything else, they still can't get your data.

'Security Through Obscurity' is saying 'we've removed this fatal secret by hiding it from the attackers'. Um, no. All you've done is made it slightly harder for them to find. It's still a fatal secret. If you want to remove it from the system, you'll have to make it not matter if they've got it.

Then, of course, you hide it. Because you assume that you missed something. ;) But the intent is that it doesn't matter if the attacker finds everything but the key.

Re:You have it wrong.

[ProfessorPillage]

It's different because you can still change your password thus restricting access again, and also everyone else's passwords to the same system are still effective. You have a problem if everything shares the same password and it can't be changed- that is security by obscurity. Or if you have a system where everyone's password is their birthday, and then it leaks that this is your obscurity system.

If a password is used directly to grant access to you system, then yes, that is security by obscurity and is bad security. In a more sufficient security system, you might use a password as a shared secret to authenticate someone's identity, and use that identity to grant access. This is a completely different security architecture, and is better. It's different because authentication and authorization are treated as separate issues.

Certainly obscurity can add to security, but you really want a security system that is sufficient without it.

Re:You have it wrong.

[shutdown+-p+now]

Security through obscurity refers to the workings of the system being hidden. Such as the key under the flower pot opening the door. Once that information is discovered, the system is cracked.

Security through obscurity doesn't mean that you hide the flaws instead of patching it (it can mean that, but it's a narrow definition). Even when you patch the holes, it's still worth it to make it as hard as possible for the attacker to figure out what the state of your system is - let him waste time looking for the flaws that simply aren't there. That's security through obscurity, too.

It's just another layer. Ignoring it makes sense only when you're absolutely confident that your other layers will hold. If there is a chance that they won't, obscurity might just buy you enough time to thwart the attack, or at least prevent the attacker from doing everything that he wanted to a pwned system due to time constraints.

Re:You have it wrong.

[GuldKalle]

A password can easily be changed - a security model takes a lot of work to change.
When the password is changed, the attacker has to start over.

Re:You have it wrong.

[Fjandr]

Only if your obscurity provides the key to opening the system. Using obscurity as an additional layer, rather than relying solely on it in places where knowledge would break all the security, is how to use it effectively.

People seem to conflate the two approaches a great deal, whereas there are ample areas to use obscurity in order to make systems harder to compromise. It's just not useful in every situation, but there are certainly areas it would be useful as an addition to other security measures. A lock isn't going to be of much use if you don't have a door.

anything that can be made by a man

[circletimessquare]

can be unmade by another man

it's that simple

the rest is just an arms race to keep one slight step ahead in constant effort and constant motion

Re:anything that can be made by a man

An arms race, indeed. And a war. But as Sun Tzu noted one of the most important strategies of was is misleading your opponent.

Re:anything that can be made by a man

[circletimessquare]

yes, you can do all of those things

Re:anything that can be made by a man

[allo]

Most of them can be transformed into each other in time P. Now we only wait, that one of them gets broken.

OK, great, but not at the expense of users

[bersl2]

The entire concept of security by obscurity acts as a justification for keeping secrets. It often sweeps up information whose release will help users much more than it will help attackers. Once it becomes a sanctioned tool of security, instead of an objective of the security, those who set up and maintain the security lean on obscurity like a crutch.

I realize my argument is an appeal to the slippery slope, but I see it everywhere in society. People, organizations, and governments can get into frames of mind wherein they lose focus of the overall goal of information security and just start obscuring everything, which makes their interactions with others difficult and sometimes hostile.

In fairness, the article itself says as much:

Typing and proling are frowned
on in security. Leaving aside the question whether gathering
information about the attacker, and obscuring the system,
might be useful for security or not, these practices remain
questionable socially. The false positives arising from such
methods cause a lot of trouble, and tend to just drive the
attackers deeper into hiding.
On the other hand, typing and proling are technically
and conceptually unavoidable in gaming, and remain re-
spectable research topics of game theory. Some games can-
not be played without typing and proling the opponents.
Poker and the bidding phase of bridge are all about trying
to guess your opponents’ secrets by analyzing their behav-
iors. Players do all they can to avoid being analyzed, and
many prod their opponents to sample their behaviors. Some
games cannot be won by mere uniform distributions, with-
out analyzing opponents’ biases.
Both game theory and immune system teach us that we
cannot avoid proling the enemy. But both the social ex-
perience and immune system teach us that we must set the
thresholds high to avoid the false positives that the prol-
ing methods are so prone to. Misidentifying the enemy leads
to auto-immune disorders, which can be equally pernicious
socially, as they are to our health.

But inevitably, this kind of caveat is thoroughly ignored by most people. They will only hear something like "Security by Obscurity Now Considered Useful", and a whole new set of administrative roadblocks will be thrown up in the name of security, when in fact it's helping very little, if any; furthermore, those who try to circumvent the new measures to do something they consider to be within the permitted use of the network may be considered security risks (or even malicious entities outright) and will be dealt with as such, when nothing of the sort was intended.

Security thru

[JustOK]

Security thru absurdity is just crazy enough to work.

Secrecy != Obscurity

[ewanm89]

In information security, secrecy does not equal obscurity.

Obscurity is if I give out access cards for the doors of my building, but all the magic of the card is a single magnet, and just changing the magnetic field at the reader will unlock the door.

Another example of obscurity: I give out access cards but encode them all to the same code and just tell people this one is only for these particular non restricted zones (this is more like DRM systems).

Secret != Obscure in this instance.

[khasim]

But that is also just obscurity in another form.

Nope. Similar to the use of "theory" in science. The common usage of the word is not the exact same as the usage in this context.

The system is designed so that it can only be opened by the correct secret (the key in this case). That does not mean that the key is "obscure" even though it is the "secret".

Obscurity refers to the system. The key is still the secret. What the obscurity is is the fact that you're hiding (obscuring) the secret under a flower pot.

To put it another way, using a password cracker to "find" a password and spending 2^128 years doing so is very different from "finding" a password hidden under a keyboard.

Re:Secret != Obscure in this instance.

[Prune]

You're shamelessly playing with word semantics here. We use von Neumann machines and the distinction between data and progtam is arbitrary and only in the mind. A key and a system are only separate from a subjective view. There is no reason other than practicality why we have many keys but few crypto systems. One could trivially create a set of systems which can have an exponential number of variations on the underlying algorithm,with automatic generation of these variations. Then the specific set member is your secret. There is no distinction between secret and obscure other than one of degree (at best).

Re:Secret != Obscure in this instance.

[azgard]

There is a distinction between secret and obscure, because there is a distinction between the system and the key. It's hidden in the methods you can apply to attack the security. The security methods differ in system if you can apply different attacks differently. They differ only in key if all the potential attacks (or their effectivness) are the same. In other words, a system is a class of ways how to do security, which are all resistant the same to all possible attacks; they are distinguished by the specific keys.

Layers

[lowy]

People, many of your implementation examples aren't "either/or" situations. From a practical standpoint you are usually better with a layer of each: security and obscurity, For example, a strong vault that is hidden is better than the same one exposed. A steganographically-encrypted file is safer than that same file in the public domain. How much safer is open for debate, but you are probably safer with both layers in most individual *implementation* situations.

Where the debate comes alive is in two main areas:

1) Design. An open system design tends to be more trustworthy for reasons explained elsewhere. Obscurity in the *design* of any particular layer is usually bad idea (but obscurity in the choice of layers may be a good thing, e.g. what vault you chose or which tested open source encryption algorithm you picked).

2) Testing. If many people use the same system it becomes obvious if a vulnerability is found, and more people are looking for cracks. That same system in a one-off implementation is less obviously secure, even though (paradoxically) it may have been made more secure through obscurity.

Nope. That would be "obscurity".

[khasim]

I am not suggesting leaving it open and just not telling anyone. That would be crazy.

No, that would be "security through obscurity".

What you want to do is keep it secure as possible, but give the potential intruder something else to work on that yields no results, but increases their risk of exposure.

But that does nothing to improve the security of the system. If the attacker choose the correct door (or whatever) then you're left with only the defenses of that door.

Security through obscurity does not automatically assume that it is a door left wide open, just no one knows about it.

No. The "security THROUGH obscurity" means that the door IS unlocked (or unlockable with the hidden key) and that the "security" comes from no one KNOWING that it is a way in. That's what the "through" part of that statement means.

Do you understand the thinking now?

I've always understood it. And you're making a very common mistake. Obscurity != Secret in "security through obscurity".

Re:Nope. That would be "obscurity".

[artor3]

Man, you beat the ever-loving shit out of that strawman!

Nobody talks about security exclusively through obscurity. Secrecy is just an added layer.

The added security of many eyes reviewing your code makes up for the loss of security from having the code visible. <i>That</i> is why Linux is more secure than Windows. But security through obscurity is not useless.

Re:Nope. That would be "obscurity".

[Artifakt]

You're using obscurity and secrecy as though they are synonyms, and they aren't. Take the Air Force 1 example already introduced in this thread. Secrecy means that certain information about the craft or procedures might, for example, be stored only on machines that are separated from the Internet by an air gap, dispensed only on a need to know basis, accessible only under a two man rule, or otherwise controlled by a set of formal rules. Obscurity might be relying on the fact that few people know who contracted to service various systems or where those people might keep information filed. That sort of definition is true whether obscurity is all you rely on or if its just a part of a greater security system.
          You could have both these situations at once, and they could each have some properties in common, (such as there being 20 people who might serve as the source of information to an outsider), so they can look similar. But, and it's a big but,, they are still very different. In the case of organized secrecy, the supervisors know that an exact number of people have the information, they know if those people have had background checks, if they have been trained in not talking about their jobs, reporting attempts to contact them, and other indicators of a possible attack, and a number of things that the person relying on obscurity hasn't checked (or they would have turned the obscure system into a genuine secret.). The point is, when you take something somewhat obscure, and you put in place formal methods, you move out of just using obscurity for that part of the security system. When you take those 20 employees and former employees that might spill the beans, make a list of just who they are and change '20 or so' to an exact number, check up on the former employees who might be disgruntled, or change information access so those people can't rely on their old knowledge to harm your security, and probably take a dozen other steps, you've stopped relying on the obscurity of some information to protect you and started relying on something else.

Re:Nope. That would be "obscurity".

[swalve]

Security through obscurity is (or can be) an element of a security plan, but I'm not sure anyone is saying it should be the only one. I might have my FTP on a non-standard port, but I still have a password.

Re:Nope. That would be "obscurity".

[shadowrat]

I've never understood security through obscurity to be inherently bad. It's most often leveled as a critique of a system. But that doesn't mean it isn't a viable layer to add.

Consider a web application with an admin section. You use 4096 bit encryption, 9 factor authentication, etc. That's all very good. You can also not put a link to the admin site anywhere on the site. That's your security through obscurity. And it's good. Probably even better if you host it on an entirely different domain.

It will keep snooping down. As long as you understand you can't rely on just the obscure admin site to keep attackers out, it's a good decision to make.

Too often, a naive engineer will think having a secret admin page is enough. That's when we point and laugh about security through obscurity.

Time.

[khasim]

In the end, it all comes down to time.

If it takes you 20,000 years to crack my password with a password cracker, then the system is secure for 20,000 years. After which it is cracked (until I change my password again).

If the password is hidden on a post-it under my keyboard, then there is an easier, alternative avenue of attack. And the system is cracked in a minute.

So, having the "security through obscurity" resulted in a less secure system that was cracked a lot quicker than the original system.

That is why you do not use "security through obscurity".

Re:Time.

[hazem]

> That is why you do not use "security through obscurity".
Well, if you define "security through obscurity" to such an absurd point, then of course there's no value to obscurity.

However, obscurity is an important part of any security system, but only an idiot would rely on obscurity as the only source of security, and only someone being obtuse would assume that that's what others mean.

Soldiers use "security through obscurity" by wearing camouflage. It's by no means their only means of security. I helps prevent observers from seeing them, but it doesn't prevent a motion sensor from detecting them. Does that mean the use of camouflage is invalid? Of course not. But they use it for the intended purpose, obscuring them from observation (an important part of their security), but they must rely on other methods for securing against other threats.

You also have to take into consideration the threats you are securing against. I can use many obscurity methods to hide the fact that I'm running a spy network out of my house this week. And all those methods may suffice to prevent the casual police officer or even citizen from finding me out. Of course, that won't protect me from a double-agent who already knows where my house is, nor will it protect me from deliberate surveillance once I'm already a suspect. I have to use other methods against that. However just because those things are possible, it doesn't mean I should give up the idea of obscurity and just hang out a sign that says, "spies meeting here". There is still value in the obscurity. However it's only part of the security puzzle.

Of course if you want to narrowly define it into absurdity by a scheme where you put a key to your door under a flower pot, tell everyone you have gold in your house and then say you put a key under your flower pot, then of course, that's stupid. But who would think otherwise?

Real security by obscurity

[ShooterNeo]

What about true obscurity. What kind of OS or software runs on the computers in a nuclear missile silo? Do those computers even use an OS? The point is, with little or nothing published, an attacker who was able to access systems like those would have little realistic hope of hacking them. There's no 0 day lists, no marketplace to pick up working cracks, no books describing how the internals of such a system.

Re:Real security by obscurity

[Dr.+Tom]

You are young. You don't know. Eventually they'll figure out the secret, if it's valuable. Your security is flawless if nobody wants your data. You are a script kiddie. Pro hackers can figure out what OS is being used by the way it responds to packets. The point is that if you are relying on secrets like what OS version you are running, then you lose.

Re:Real security by obscurity

[ShooterNeo]

But the OS in projects like that was probably a one-off written JUST for the application. And the software probably won't RESPOND to most packets, nor support modern networking methods. It's one thing if a true hacker who knows everything had something to work with. But if he doesn't know what computer it is he is trying to hack into is using, and even if he did it he wouldn't be able to find any information about how it works, being a one-off project with the books being top secret...

I am not saying that such security is perfect, merely that in this example there might BE serious security holes that no one would ever be able to exploit since they wouldn't have any experience with the OS in question.

Re:Real security by obscurity

[Dr.+Tom]

How do you know that code they are using is any good? What if some bad guy (or a Russian teenager with nothing better to do) rooted a server somewhere and got the code, and discovered that it's shit? I would seriously be MUCH happier if the missile silos published their code along with proofs that you can't get in. As of now, I assume anybody can get in

Re:Real security by obscurity

[ShooterNeo]

Yes but if you publish the code + proofs, and the mathematical analysis you used to formulate the proofs is flawed, and an attacker is able to see that but others aren't...Then you have just given him or her the means to break in.

Same goes for encryption. You can't generally crack an encryption algorithm, even a flawed one, if you only have the encrypted data and plaintext but no idea at all what algorithm was used.

This shit counts as CS paper?

[Alex+Belits]

Seriously?

Which is the whole point.

[khasim]

Well, if you define "security through obscurity" to such an absurd point, then of course there's no value to obscurity.

You may view it as "absurd" but it having no value is the whole point.

In these SPECIFIC instances, obscurity only REDUCES the security of a system.

Soldiers use "security through obscurity" by wearing camouflage.

The problem is that we're discussing computer security. Physical security is a different matter and has very limited usefulness as an analogy.

Of course if you want to narrowly define it into absurdity by a scheme where you put a key to your door under a flower pot, tell everyone you have gold in your house and then say you put a key under your flower pot, then of course, that's stupid.

No. You misunderstood that. The "obscure" part is where you do NOT tell everyone that the key is under the flower pot.

The key is the "secret". Just like a password is a "secret".

No matter how good the lock is, once the "obscure" part is found, the security is cracked.

It may SOUND "absurd" but there are a LOT of people arguing for exactly that in this thread.

Re:Which is the whole point.

[fatphil]

The distinction you make is an artificial one, and not useful. The location of the flowerpot is just as secret as the key itself. Reread Kerckhoff's principles again - it makes no reference to "obscurity". There is secret, and there is non-secret, that's all.

Minimisation of the amount that needs to be kept secret is all that matters. Perfection in this regard is when all the necessary secrecy is condensed into a datum of small size N, and the work-factor required to get around not knowing that datum is O(2^N). For historical reasons, we call that datum either a password or a key.

OpenBSD: Only two remote holes in years

[tepples]

Of course, just correctly guess sooner, and then you can fix the system beforehand

One method to make such a guess is called a "code audit", and code auditing practices applied since mid-1996 are part of why OpenBSD has had only two remote vulnerabilities for over a decade.

Re:OpenBSD: Only two remote holes in years

[swalve]

Seems like someone knows how to make secure, bug free code. Their attitude makes me think about switching to them...

Re:OpenBSD: Only two remote holes in years

[feepness]

part of why OpenBSD has had only two remote vulnerabilities for over a decade.

Well geez! If they've been there for ten years how come they haven't fixed them!

Re:OpenBSD: Only two remote holes in years

[TheLink]

And MSDOS has had zero remote vulnerabilities in the default install for longer (you can add TCP/IP support to MSDOS, but it's not there by default).

Seriously, the main reason why OpenBSD had few remote vulnerabilities in the default install was because they only had one service running in the default install- e.g. openssh. ( http://en.wikipedia.org/wiki/OpenBSD#Security_and_code_auditing )

If some idiot installed phpnuke/phpbb, apache with an outdated version of the app, php etc, they'd be just as pwned whether they were running OpenBSD, FreeBSD, Ubuntu or Windows.

So such claims are as stupid as Microsoft saying that the default IE on Windows Server 2003/2008 is not vulnerable to XYZ. With the default IE, javascript doesn't run on most sites, you can't download practically anything, you get warnings on almost any webpage. Who really uses IE in its default config on Windows Server 2003/2008? I normally reconfigure it so that I can download another browser ;).

I look on suspicion on anyone making such claims.

Now if on the other hand you had an operating system which tracked where input/output came from e.g. untrusted NIC vs trusted NIC, then all processes, threads etc launched and any resulting communications would be "tainted", and tainted processes would be unable to do certain things unless the communications was "untainted" via a special processes, then things would be much harder for attackers but they might be much harder for developers as well (debugging why an app failed could be harder ;) ). Which is probably why such operating systems aren't popular ;).

Of course even if you go through all that trouble, if there are bugs the attacker might still be able to break out. But the difference is if the system actually works, you get an extra layer of protection even if there are bugs in the applications.

No. It's the usage.

[khasim]

You're shamelessly playing with word semantics here.

No. It's the usage of the terms in the context.

The same as people complain about evolution being "just a theory". The words have multiple definitions and using the incorrect one in this context is incorrect.

One could trivially create a set of systems which can have an exponential number of variations on the underlying algorithm,with automatic generation of these variations. Then the specific set member is your secret. There is no distinction between secret and obscure other than one of degree (at best).

That's an awful lot of effort to go through (and easily confused) just to use "obscure" in both instances.

I'll stick to "secret" to identify the password. It's in common usage in this discussion.

It seems that you're arguing over whether the word "secret" or "obscure" can be applied to a password.
Which then confused the concept of "security through obscurity".

That's why I originally used the example of a house key hidden under a flower pot.

Not exactly.

[khasim]

There are other ways to have obscurity.

What if you put the lock for the door underneath one of the many flower pots, and perhaps even have a completely non-functional keyhole on the door itself.

That isn't "obscurity" in the context of "security THROUGH obscurity". The word "through" is important there.

You can have a functional security system and add misdirection to that without reducing the overall security of the system. But the system, in the end, still depends upon the original security model. Once the correct key hole is known, the lock still must be cracked.

You can add obscurity without making the security dependent upon the obscurity.

Re:Not exactly.

[allo]

it is like security by obscurity additional, which is often done. like putting the login-page on an unsual location.

Re:Not exactly.

[felipekk]

Exactly. The thing is, the term can basically be interpreted in two ways, and people will interpret in the way more convenient for them.

You could see it as "improved security through obscurity", implying that there are other layers of security.

Or you could see it as "security through obscurity only", which is just insane.

Re:Not exactly.

[vux984]

That isn't "obscurity" in the context of "security THROUGH obscurity". The word "through" is important there.

Of course it is. The keyhole is secured "through" obscurity.

You can add obscurity without making the security dependent upon the obscurity.

Adding obscurity adds to the security. It is a more secure system than it was because the obscurity layer hardens it. Thus the overall security is dependant in part to the obscurity.

But the system, in the end, still depends upon the original security model. Once the correct key hole is known, the lock still must be cracked.

If I have a zero day exploit vs your lock, then your lock isn't offering you any security either. The fact that the correct keyhole is hidden might save your ass though.

Obscurity is a LAYER of security. Nothing more, but nothing less either.

A hacker with a zero day exploit vs a particular ssh server will blast ranges of ip addresses on the standard ssh port and get in wherever he finds a vulnerable server. Simply moving your ssh server to an unusual port will probably save you more often than not from that sort of attack. Its a lot more work and a lot easier to detect and block someone running a comprehensive port scan against you... even from a botnet.

Re:Not exactly.

[HappyPsycho]

Adding obscurity adds to the security. It is a more secure system than it was because the obscurity layer hardens it. Thus the overall security is dependant in part to the obscurity.

Obscurity as part of a larger system only serves to increase the signal to noise ratio, by making the login more difficult to find "accidental" contact with it is reduced (or completely negated). Which mean when someone is messing with the lock you either have a legitimate user or a very determined attacker. In a way it removes the grey area to which the system might otherwise have to respond. The most benefit I can see is it allows more strict policies (shoot first, ask questions never) to be implemented with relative guarantees that there will be few "false positives".

If I have a zero day exploit vs your lock, then your lock isn't offering you any security either. The fact that the correct keyhole is hidden might save your ass though.

I agree, but I think you will also agree that what you are describing is someone searching for low hanging fruit. What you are relying on there is that you are not of interest to the attacker. If someone is targeting you or your organization then moving the key hole will offer little protection.

Funny thing is all of this reminds me of Scooby Doo and all those passageways behind the bookshelves

I think this has always been how it's been done

[bigsexyjoe]

I think on a practical level, people have always implemented security through obscurity, but no one has mentioned it because... well you know.
And I'm not security expert, but the wikipedia says that Kerckhoffs' Principle merely states that the encryption key has to be strong enough (or obscure enough) that if everything else is known about the encryption scheme it should still be difficult to crack.
Frankly, Kerckhoff's Prinicple sounds like it is just a truism. A good encryption is very important. That doesn't exactly mean that hiding other information isn't helpful. I mean who advertises their ports, the names of their servers, db schema, etc.?

Insider threat

[hilather]

I'll be honest, didn't even bother reading the article based on the summary. Most threats come from the inside, from people that understand the system. Obscurity isn't an issue for these people, since they built the systems. Obscurity isn't security at all.

You've all been suckered

[russotto]

This isn't a serious paper; it's an attempt to get vaguely pornographic diagrams into a computing journal. Since it's on arxiv, I assume it hasn't yet succeeded.

Security by Absurdity

[Mr_ZnArK]

There is something to be said about the effectiveness of this tactic, but me thinks it's usually not completely intentional. I'm confident most of you know what I'm saying.

Cryptography IS Security through Obscurity

[BitZtream]

Thats the point. A secret key (this is the obscurity part) that you'd never guess or be able to figure out. Of course, practically, this is never going to be true, you'll figure it out eventually, unless the key happens to be the universe itself, in which case the rules of our universe probably aren't applicable to you. The point is that you can't do anything other than use the key though.

All the security depends on the obscurity of the key. The algorithm just makes it so the key is required, or thats the hope. Its the part that makes the obscurity work.

Re:Cryptography IS Security through Obscurity

[TeknoHog]

In my understanding, the point is that the number of possible keys is much higher than the number of different encryption schemes. If your crypto is valid, and someone breaks in with a stolen key, you only need to change the key. But if the crypto itself is broken, you have a much bigger problem; it is likely that the same crypto is used in many other places, because there aren't that many to choose from.

An openly specified system is more likely to be proven secure. This applies to the system at large, including client machines. Thus there are many places where obscurity is bad, even though the key should be as obscure as possible.

"all you've done"

[epine]

Which means that the real security is the lock on the door. All you've done is allow another avenue of attacking it.

What's the driving need to oversimplify this? The meme exists to put a damper on tree-fort chortle from idiots who've never performed a base 2 logarithm.

If I'm just one guy, and I grab the source code for OpenSSL and hack myself a unique protocol by adding some kind of fairly simple input permutation to AES, I certainly haven't made AES stronger, but I have most certainly inconvenienced any agency that thinks it knows what an orthodox AES bit stream looks like. There are stupid ways to do this (re-using key bits from the AES pass could blow AES open). And there are less stupid ways to do this.

One problem with obscurity is that it's a bad idea to go around asking for advice concerning whether you landed on "less stupid". And no, it's not as hard as crypto experts pretend. It's not like it's the virgin birth to mangle some bits. Experts always exaggerate their fiefdoms. What is tremendously difficult is to achieve sufficient mixing of the right potency with the minimal number of rounds--and to have any kind of formal justification for the cake-batter which ensues.

There's simply not enough expertise out there to go around cracking all the different cipher variations if every geek rolled up their obscurity sleeves (and added to strong primitives already in place), even supposing most of them make a botch of it.

The big problem with obscurity there is that you never really know if you're on the botch list. Doesn't come with a satisfaction guarantee you can take to the bank.

Finally, obscurity sucks if there's anyone on the inside you distrust by the least amount. Your fly could be undone in the worst possible way and you would have no clue.

Even in professional systems, the password is protected through obscurity, but it's been boiled down to absolutely the least amount of obscurity necessary to get on with business, so internal vigilance can be extremely intense.

How many firms hire consultants to set the master password? Maybe we should call this "security by short and curlies". They can hand over your weakness any day of the week to any black hat anywhere on the globe, but if you catch them at it, you can sue them to dirt.

By hiring a security consultant, all you've done is open up another avenue for your credentials to leak.

Come on, there are limits to this kind of cognitive reduction.

Could someone please properly frame this!

[rsagris]

It isn't Security Through Obscurity. When Obscurity is added as part of an overall Security Architecture it is Security In Depth. For Obscurity to be a proper security enhancer, you have to have a fundamentally secure foundation onto which you add Obscurity to outside attackers. For example, I would wager it'd be very difficult to even begin to conduct cryptoanalysis aagainst an unpublished/undocumented NSA designed crypto-system over trying to crypto-analyze a documented crypto-system. I am presuming that the system itself is secure by design, as it was designed by the NSA (the largest single employer of mathematicians in the world, devoted to cryptography to boot.) So, if we are going to discuss adding depth to secure systems by overlaying more obscurity could we stop rehashing how obscurity isn't security. Anyone who knows anything about this topic knows that, Obscurity by itself does not provide a robustly secure system, it fails once the obscurity is peirced.

Damn straight

[CAIMLAS]

I came into a position a while back where my predecessor had run everything ass-backwards. He'd roll out a 'standard' FreeBSD install he built onto all the hardware which consisted of software he'd compiled years prior. He ran SSH on non-standard ports. He didn't believe in DNS (or hardware RAID, for that matter, believing in the obscurity of geom). For just a couple racks of equipment (two) there were over 15 VLANs. He didn't label anything, and documentation was worse.

When I started, the software he was installing on new hardware was over 3 years old. Some of it had vulnerabilities. But it mostly had no public face, and when it did, it was obscure (eg. SSH on a non-standard port) or it was facing something that wasn't of much of a threat (eg. LAN workstations). SSH never got exploited (that I could tell), and password cracking attempts against the machines were very rare.

Furthermore, this guy was seen as somewhat of a messiah because he could do "hard things quickly". Sure, it's impressive to do a build ina couple minutes, I suppose. But it was obscure due to being cloistered knowledge. It gave him a hell of a lot of job security, too.

Quis fidet ipsos fides...

[lvxferre]

I obviously don't trust crackers, but hey... why should I trust security companies? One only can trust source code. And this means that a security company that feels itself safe for obscurity cannot be trusted at all.

Which is more than it's coders got

[dutchwhizzman]

Come on, you are way off topic here. You deserve the troll remark. It's about obscurity as a risk mitigation factor, not as an unbreakable defense. That has nothing to do with what OS is better at staying secure. All "major" operating systems get code reviews. Once they get more popular, they get more people reviewing code and probing for vulnerabilities. I'm fairly certain Windows and OSX get more code reviews and probing than FreeBSD does. If you want to spend time finding a vulnerability in an OS for profit, you spend time on the one with the biggest potential gains. Getting a zeroday on FreeBSD most likely will not gain you a lot, while getting one on Windows will give you your own botnet of meeeeelions of machines, controlling meeeelions of credit cards, bank accounts and what not.

Not the quality of the code, but the obscurity of FreeBSD is what caused the lack of remote vulnerabilities.

Re:Which is more than it's coders got

[drinkypoo]

Come on, you are way off topic here. You deserve the troll remark. We're talking about OpenBSD, not FreeBSD. You didn't read the comment you replied to and you don't know what you're talking about anyway. OpenBSD is rarely used, but when it is used, it is used because it is protecting something, and that means that the value of attacking it is very high; virtually every OpenBSD system not on some nerd's desk is guarding something important to someone.

interesting, but incomplete

[Tom]

Applying game theory is always an interesting approach.

However, this one misses what I consider an extremely important part: The multiplayer aspect. If obscurity is a part of your defense strategy, you can not cooperate with other defenders. As your are competing with the attacker, that means obscurity is only advantageous if the additional cost to the attacker is higher than the benefit you could gain from such cooperation. In general, your security mechanism will not be so new, innovative and hard to crack that this is true. It does depend on the size and resources of your organisation, though. If you're a large organisation that can keep a secret (say, a secret service), it could have a net advantage. For almost everyone else, though, having more eyes on the problem will generally provide a better solution than the additional difficulty that obscurity provides for the attacker.

Bugs Bunny?

[reiisi]

I thought that was Road Runner.

At least, when I was a kid it was always Road Runner letting poor old self-deluding Wyle E. Coyote beat himself up.

Re:Bugs Bunny?

[EdIII]

There were a couple of them with Bugs Bunny. In the Road Runner ones he never actually speaks. However, he has dialogue with Bugs Bunny.

It is in one of these episodes that the door incident occurs. You might also remember him making nitro filled carrots in a shed talking to himself while Bugs Bunny moves the shed on to the train tracks. I think the same episode also has him using a UNIVAC computer to come up with his strategies.

Search YouTube. A lot of cartoons have been uploaded there.

Wile E Coyote also did some cartoons trying to steal sheep. At least the coyote looks really really similar.

Re:Bugs Bunny?

[reiisi]

Ah, yeah, Bugs was a bit more active in baiting poor Wyle E., now that you remind me.

Heh. Talk about social engineering.

I hope the TSA embraces this one!

[E.I.A]

'twould be nice if they'd just get really, really, obscure.

Well, yeah.

[Arancaytar]

Kerckhoff's principle doesn't say that there is no security by obscurity, but that a system is only reliably secure if that security holds even without obscurity. Of course there is a game of incomplete information, and this includes information about the system itself.

Making the system public and placing all crucial information into a key is simply a matter of sanitizing and simplifying secrecy. Instead of the secret information being spread in lots of pieces that are available to different parts of the system, and can't be readily replaced if they are compromised, the entire secret is in a single block of random bits, which is only stored where it is needed, and which can be replaced when necessary.

If on top of that method information about the system is also protected, this may well yield some additional security - what Kerkhoff's principle says is that you can't rely on it.

Kerckhoff and obscurity

[tmdybvik]

The article pushes blatant misinformation. Kerckhoff said that a cryptosystem should be secure even if everything about the system, except the key, is known by the enemy. ("Il faut qu'il n'exige pas le secret, et qu'il puisse sans inconvénient tomber entre les mains de l'ennemi" )
Relying on obscurity for your security is poor engineering, in particular for a mass market system. Taking advantage of obscurity for "one of a kind" systems to gain an additional security advantage is fair game.
There's nothing new here, this has been done for decades and centuries. Problems arise when people think this is the golden ticket to keeping the barbarian hordes outside the castle wall.

Securit is in layers and obscurity is one of them

[Quantum_Infinity]

Security is all about having various layers and I think that obscurity is an important one. The lack of information can make it very difficult for a hacker to get past what he does not know or he may not even know that you exist in the first place. For example, if you don't broadcast SSID of your wi-fi, a hacker would certainly pick up some other wi-fi to hack unless he has a strong motivation to hack your wi-fi only.

Not really new...

[Thad+Zurich]

"Applied security by obscurity" is not a new concept: it is usually referred to as "operational security (OPSEC)," at least in military circles. The author's use of complex notation doesn't change anything, although he seems to imply that it might be appropriate to deliberately analyze and model OPSEC at very high levels of design. The "know your enemy" concept is popular among pundits, but also problematic: while directed profit-motivated attacks and state-sponsored hacking have become popular topics in the press, there are still plenty of work-in-the-dark-do-what-we-can basement hackers out there, who will take delight in breaching your OPSEC just to prove it's possible (the ability to sell their results only adds motivation).

Every security experts

[geekoid]

knows this. Any one who sells themselves as an security experts and says there is no security through obscurity should be fired, immediately.

As always its about layers and time paired against risk and value.

I think Sun Tzu said it first:

[alteveer]

"Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent's fate." Or "all war is deception"

Multics & Primos

[DutchUncle]

One of the security aspects of Multics was the limit on available programming languages. This was carried into Prime Minicomputer's Primos which restricted normal programming to PL/1 and Cobol. If you can't directly access memory, you can't hack the OS.