Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security By Obscurity — a New Theory

Posted by Soulskill on from the can-we-try-this-at-airports dept.

mikejuk writes "Kerckhoffs' Principle suggests that there is no security by obscurity — but perhaps there is. A recent paper by Dusko Pavlovic suggests that security is a game of incomplete information and the more you can do to keep your opponent in the dark, the better. In addition to considering the attacker's computing power limits, he also thinks it's worth considering limits on their logic or programming capabilities (PDF). He recommends obscurity plus a little reactive security in response to an attacker probing the system. In this case, instead of having to protect against every possible attack vector, you can just defend against the attack that has been or is about to be launched."

19 of 265 comments (clear)

  1. Remember it only talks about cryptography by tech4 · · Score: 5, Informative

    I hate it when people always seem to take the phrase out of context and apply it to mean any kind of security, like network security or the old Windows/Linux battle. It's a completely different kind of situation, and in the former it's especially true that security by obscurity is a hardener layer. It's also why Linux has managed to stay as (consumer) malware free to day, even though it still has a fair share of its own worms and other security problems.

    1. Re:Remember it only talks about cryptography by davester666 · · Score: 5, Funny

      This part of the summary is just great: "... is about to be launched"

      Yes, having somebody sitting there as the attack is taking place and somehow guessing how the attacker will try to compromise your system makes it much easier to defend against the attack. Of course, just correctly guess sooner, and then you can fix the system beforehand and then you don't need someone sitting there....

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Remember it only talks about cryptography by cgenman · · Score: 5, Insightful

      The problem is that Security by Obscurity is the defense of lazy vendors who should damn well know better. On the one hand, it's "obscure" that a particular keyphrase known by trusted people will get you to a layer of network security. It is slightly less "obscure" to have your server up on an unresponsive IP address. It's technically a form of "obscurity" to think the hackers wouldn't notice that you left an FTP server up and running without realizing it, or that the default login was still viable. But when vendors use that form of the term obscurity, they're just masking the fact that they are selling you rubbish.

      Any properly secured system should be able to proudly proclaim all of its pertinent information to the world, including source code to all available participants, and still be secure. ONLY THEN, should obscurity be layered on. But if your vendor or contractor starts talking about obscurity first, they don't have a clue what they're doing.

      Obscurity is icing. Minimalist, properly protected system design with multiple layers of protection, iron-clad internal logging, and no routes to priviledge escalation (especially social) is the route to security. Obscurity is a mildly nice icing that makes maintaining servers less problematic. It also usually leads to lazy vendors creating the illusion of security out of a soon-to-be-had massive privacy lawsuit.

      --
      The ______ Agenda
  2. Sure by EdIII · · Score: 3, Insightful

    That's fine and all. If you want to create your security through incomplete information, or different tactics and strategy, that is a choice.

    Just don't be a childish whining little bitch and run to the FBI to stop the big bad anti-social "hackers" from revealing your used-to-be incomplete information in security conventions and trying to have them arrested.

    You get double whiny bitch points trying to invoke copyright to prevent the "leakage" of your incomplete information.

    I certainly get the point of the article, but a system that is secured through well thought out and tested means will always trump a system where, "Golly Gee Willickers Bat Man.... I hope they don't find the secret entrance to our bat cave that is totally unprotected and unmonitored".

    1. Re:Sure by EdIII · · Score: 4, Insightful

      I don't think that is what they mean by incomplete information.

      In the context of security through obscurity it has always, to me, seemed to mean that your method and process of providing security is not well understood and it is this fact that is providing the majority of the security. If somebody figures out the method or process, your security is greatly compromised.

      A password, or private key, is not a good example in this case. I think a better example would be that passwords and private keys protect documents created by a certain well known company, but that their methods and processes were so laughable that you could create a program to bypass the keys themselves.

      Or in other words........ the only thing keeping Wile E Coyote (Super Genius) from getting to Bugs Bunny though the locked door is his complete lack of awareness that there is nothing around the door but the desert itself. Take two steps to the right, two steps forward, turn to your left, and there is Bugs Bunny. You did not even have to get an ACME locksmith to come out.

    2. Re:Sure by EdIII · · Score: 4, Informative

      Uhhhhhh..... okay

      I am not redefining terms here at all.

      Granted, this is from Wikipedia:

      Security through (or by) obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them. A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities in those products and versions. An attacker's first step is usually information gathering; this step is delayed by security through obscurity. The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.

      icebraining is not correct here, and your assertion I am changing the definition from the norm and widely accepted definition is false. Security through obscurity, as a concept, is not something vague and a matter of perspective. It is a very well defined term in security and has been for quite some time.

      According to the definition above, a password is not incomplete information, or information being obscured, as it is being presented in the context of the article and the principle of security through obscurity.

      Making this a philosophical debate that a password is also obscurity at some level has nothing to do with the principles that are mentioned.

    3. Re:Sure by moderatorrater · · Score: 3, Insightful

      It's an identifier. Security through obscurity is where methods, processes and algorithms are hidden in an attempt to create security. It's the difference between having a vault door with a lock and having a hidden door with no lock.

      Passwords and private keys are very specific pieces of information that use algorithms to make it mathematically (almost) impossible to figure out. Obscure processes and methods and algorithms, on the other hand, are negligibly easy to find out when it comes to computers. Computers are too powerful to hide something from them (with a few exceptions mentioned above). Relying on obscurity is a fools game in those circumstances.

  3. Nature disagrees by Anonymous Coward · · Score: 3, Interesting

    Camouflage is the oldest and most natural form of security on the planet.

  4. Re:I don't think they understood. by jhoegl · · Score: 3, Interesting

    There is another way to look at this.

    Imagine you have gold behind a locked door. Now imagine you have 50 locked doors.

    This is your security through obscurity.

  5. Misapplication of Kerckhoff's Principle by telekon · · Score: 3, Interesting

    Kerckhoff's Principle specifically applies to cryptosystems. Not only does TFA describe more of a generalized application to systems and code, but it's not really describing 'security through obscurity.' It's describing informational arbitrage, i.e., profiting (not necessarily financially) from an imbalance of knowledge on one side of a two-participant game.

    The dynamic adaptive approach has its merits, particularly as it is increasingly clear that most security is only the illusion of security, maintained until it is breached. But traditional 'security through obscurity' refers to systems for which the only security measure in place is maintaining the secrecy of a protocol, algorithm, etc.

    It seems to me the ideal approach is a balanced one, that embraces the UNIX philosophy: cover the 90% of most common attack vectors with proven security measures (and update practices as needed), and take a dynamic adaptive approach to the edge cases, because those are the ones most likely to breach if you've done the first 90% correctly.

    --

    To understand recursion, you must first understand recursion.

  6. Re:I don't think they understood. by Cryacin · · Score: 3, Insightful

    Well, if you had them behind 2^128 you'd have a trust certificate :P

    --
    Science advances one funeral at a time- Max Planck
  7. Re:Yet... by RoFLKOPTr · · Score: 4, Funny

    A new kind of goatse troll in which the troll commenter hides his actions by contributing to the thread in a positive manner.

    *golfclap*

  8. Missing the point? by nine-times · · Score: 3, Interesting

    Well maybe I'm wrong, but I always thought the complaints of "security by obscurity" were not that obscurity couldn't be helpful to security, but that it was a bad idea to rely on obscurity.

    It seems obvious to me that the more complete the attacker's knowledge, the greater the chance of a successful attack. If an attacker knows which ports are opened, which services are running, which versions of which software are running which services, and whether critical security patches have been applied, for example, it's much easier for them to find an attack vector if there is one. You're more secure if attackers don't know that information about your systems, because it forces them to discover it. That takes additional time and effort, and they may not be able to discover that information at all.

    However (and here's the point), it's not a good idea to leave your systems wide open and insecure and hope that attackers don't discover the holes in your security. It's not smart to rely on the attacker's ignorance as the chief (or only) form of protection, because a lot of times that information can be discovered. It's true that "obscurity" is a form of security, but it's a fairly weak form that doesn't hold up over time. The truth tends to out.

  9. Re:I don't think they understood. by thegarbz · · Score: 5, Interesting

    Which means that the real security is the lock on the door.

    But that is also just obscurity in another form. The obscure part is that the attacker doesn't know the combination to the lock, or doesn't know how the tumblers specifically are keyed. Otherwise a key could be made up.

    All security is obscurity, just different levels of it. In some schemes the obscure value is shared (hidden directory on the server that isn't crawled but can none the less be accessed by a direct link). Some obscure values aren't (public key encryption).

    The hiding the key under the rock is analogous to using a weak form of obscurity to hide a strong one. Which in this case is no better than the obscurity of not letting anyone know that the door lock doesn't actually work anyway.

  10. You have it wrong. by khasim · · Score: 3, Informative

    And once you guess their encryption password, their encryption isn't completely broken?

    You're confusing the "obscurity" portion of that statement.

    Passwords should rely upon the difficulty in cracking them due to their complexity. The system is known. The password is not known.

    Security through obscurity refers to the workings of the system being hidden. Such as the key under the flower pot opening the door. Once that information is discovered, the system is cracked.

  11. Nope. That would be "obscurity". by khasim · · Score: 3, Informative

    I am not suggesting leaving it open and just not telling anyone. That would be crazy.

    No, that would be "security through obscurity".

    What you want to do is keep it secure as possible, but give the potential intruder something else to work on that yields no results, but increases their risk of exposure.

    But that does nothing to improve the security of the system. If the attacker choose the correct door (or whatever) then you're left with only the defenses of that door.

    Security through obscurity does not automatically assume that it is a door left wide open, just no one knows about it.

    No. The "security THROUGH obscurity" means that the door IS unlocked (or unlockable with the hidden key) and that the "security" comes from no one KNOWING that it is a way in. That's what the "through" part of that statement means.

    Do you understand the thinking now?

    I've always understood it. And you're making a very common mistake. Obscurity != Secret in "security through obscurity".

  12. OpenBSD: Only two remote holes in years by tepples · · Score: 4, Informative

    Of course, just correctly guess sooner, and then you can fix the system beforehand

    One method to make such a guess is called a "code audit", and code auditing practices applied since mid-1996 are part of why OpenBSD has had only two remote vulnerabilities for over a decade.

  13. Not exactly. by khasim · · Score: 3, Interesting

    There are other ways to have obscurity.

    What if you put the lock for the door underneath one of the many flower pots, and perhaps even have a completely non-functional keyhole on the door itself.

    That isn't "obscurity" in the context of "security THROUGH obscurity". The word "through" is important there.

    You can have a functional security system and add misdirection to that without reducing the overall security of the system. But the system, in the end, still depends upon the original security model. Once the correct key hole is known, the lock still must be cracked.

    You can add obscurity without making the security dependent upon the obscurity.

  14. Re:I don't think they understood. by thsths · · Score: 3, Insightful

    > Which bank would you prefer?

    And that is the key point. Real security can be audited without compromising it. Obscurity cannot be audited - you have to take their word that it is "obscure" enough. And what is obscure or inconceivable to some person may be perfectly obvious to another (such as a blackhat with actual security skills...).