
Security By Obscurity — a New Theory

mikejuk writes "Kerckhoffs' Principle suggests that there is no security by obscurity — but perhaps there is. A recent paper by Dusko Pavlovic suggests that security is a game of incomplete information and the more you can do to keep your opponent in the dark, the better. In addition to considering the attacker's computing power limits, he also thinks it's worth considering limits on their logic or programming capabilities (PDF). He recommends obscurity plus a little reactive security in response to an attacker probing the system. In this case, instead of having to protect against every possible attack vector, you can just defend against the attack that has been or is about to be launched."
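One concrete reading of "obscurity plus a little reactive security", as an added example that is not from the paper or the submitter: an access-log monitor that blocks a source once it either touches a decoy path that no legitimate client is ever pointed at (the obscurity part) or fails authentication repeatedly (the reactive part). The log lines, the addresses, the decoy paths /admin-backup/ and /.git/config, and the threshold of three failures are all constructed for this illustration.

```python
"""Reactive defence against probing, added illustration (not from the paper).

Two signals, evaluated over a constructed stream of access-log records:
  1. a hit on a decoy path that nothing legitimate links to, so any request
     for it is a probe; and
  2. repeated authentication failures from one source.
Either signal puts the source on a blocklist that later requests are checked
against, so the defender only ever reacts to the attack it has actually seen.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical decoy paths; a real deployment would pick ones that are never
# linked, advertised or guessable from the product's public surface.
DECOY_PATHS = {"/admin-backup/", "/.git/config"}
FAIL_THRESHOLD = 3  # failed logins from one source before it is blocked

# Constructed log lines: "<src_ip> <path> <http_status>", in arrival order.
SAMPLE_LOG = """\
10.0.0.5 /login 401
10.0.0.5 /login 401
10.0.0.5 /login 401
10.0.0.5 /dashboard 200
203.0.113.9 /robots.txt 200
203.0.113.9 /.git/config 404
203.0.113.9 /index.html 200
198.51.100.2 /login 401
198.51.100.2 /login 200
198.51.100.2 /dashboard 200
"""


@dataclass
class ReactiveDefender:
    failures: dict = field(default_factory=lambda: defaultdict(int))
    blocked: dict = field(default_factory=dict)  # src -> reason it was blocked

    def observe(self, src: str, path: str, status: int):
        """Decide one request. Returns (allowed, reason); reason is None if allowed."""
        if src in self.blocked:
            return False, self.blocked[src]
        if path in DECOY_PATHS:
            # Obscurity signal: nobody legitimate knows this path, so a hit is a probe.
            self.blocked[src] = f"decoy {path}"
            return False, self.blocked[src]
        if path == "/login" and status == 401:
            self.failures[src] += 1
            if self.failures[src] >= FAIL_THRESHOLD:
                self.blocked[src] = f"{self.failures[src]} failed logins"
                return False, self.blocked[src]
        elif path == "/login" and status == 200:
            self.failures[src] = 0  # a successful login clears the counter
        return True, None


def replay(log_text: str):
    """Run the defender over a log; returns (defender, per-request decisions)."""
    defender = ReactiveDefender()
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, path, status = line.split()
        allowed, reason = defender.observe(src, path, int(status))
        decisions.append((src, path, allowed, reason))
    return defender, decisions


if __name__ == "__main__":
    d, decs = replay(SAMPLE_LOG)
    for src, path, allowed, reason in decs:
        print(f"{src:14} {path:14} {'allow' if allowed else 'BLOCK'} {reason or ''}")
```

The decoy only carries information while it stays unlinked: an attacker who has learned that /.git/config is bait simply avoids it, which is the general weakness of obscurity that the comments that follow argue over. The failure counter, by contrast, does not depend on the attacker's ignorance of anything.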
  • by tech4 ( 2467692 ) on Saturday October 01, 2011 @06:16PM (#37579776)
    I hate it when people always seem to take the phrase out of context and apply it to mean any kind of security, like network security or the old Windows/Linux battle. It's a completely different kind of situation, and in the former it's especially true that security by obscurity is a hardening layer. It's also why Linux has managed to stay as (consumer) malware-free to this day, even though it still has a fair share of its own worms and other security problems.
  • You have it wrong. (Score:4, Informative)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday October 01, 2011 @06:52PM (#37580006)

    And once you guess their encryption password, their encryption isn't completely broken?

    You're confusing the "obscurity" portion of that statement.

    Passwords should rely upon the difficulty in cracking them due to their complexity. The system is known. The password is not known.

    Security through obscurity refers to the workings of the system being hidden. Such as the key under the flower pot opening the door. Once that information is discovered, the system is cracked.
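The distinction drawn in the comment above, the system being known while the password (or key) is not, versus the design itself being the secret, shown in code. This is an added example, not code from the thread or the paper. Scheme A derives an access token from the username with a transformation and a constant baked into the code (the key under the flower pot); scheme B publishes its algorithm, HMAC-SHA256, and keeps only a random 256-bit key secret. The usernames, the hidden constant and the attacker functions are all constructed for the illustration.

```python
"""Kerckhoffs' principle versus security through obscurity, added example.

Scheme A (obscurity): the token is a fixed, unkeyed function of the username.
    The only protection is that the attacker has not read the code.
Scheme B (Kerckhoffs): the algorithm is public; a per-deployment random key is
    the only secret, and guessing it means searching a 256-bit space.
"""
import hashlib
import hmac
import secrets

# --- Scheme A: the design is the secret --------------------------------------
_HIDDEN_SALT = b"xyzzy-do-not-tell"  # constructed constant; pretend it is "secret"


def obscurity_token(username: str) -> str:
    # Reverse the name, prepend the constant, hash.  Nothing here is a key.
    return hashlib.sha256(_HIDDEN_SALT + username[::-1].encode()).hexdigest()


def verify_obscurity(username: str, token: str) -> bool:
    return hmac.compare_digest(obscurity_token(username), token)


# --- Scheme B: the algorithm is public, the key is the secret -----------------
def new_key() -> bytes:
    return secrets.token_bytes(32)  # fresh 256-bit key per deployment


def keyed_token(key: bytes, username: str) -> str:
    return hmac.new(key, username.encode(), hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, username: str, token: str) -> bool:
    # Constant-time compare so the verifier itself does not leak the token.
    return hmac.compare_digest(keyed_token(key, username), token)


# --- An attacker who has obtained the server's source code --------------------
def forge_with_source_obscurity(username: str) -> str:
    """Knowing the algorithm is knowing everything: just call it."""
    return obscurity_token(username)


def forge_with_source_keyed(username: str, target: str, attempts: int):
    """Knows the algorithm but not the key, so can only guess keys.
    Returns a key that reproduces `target`, or None after `attempts` guesses.
    Against a 256-bit key this never succeeds in practice."""
    for _ in range(attempts):
        guess = secrets.token_bytes(32)
        if hmac.compare_digest(keyed_token(guess, username), target):
            return guess
    return None


def demo() -> dict:
    results = {}
    # Scheme A: once the code is known, a valid token for any user costs nothing.
    results["obscurity_forged"] = verify_obscurity(
        "alice", forge_with_source_obscurity("alice"))
    # Scheme B: same public code, two deployments, two keys, two different tokens;
    # the attacker with the code but without the key gets nowhere.
    k1, k2 = new_key(), new_key()
    t1 = keyed_token(k1, "alice")
    results["keyed_valid_own_key"] = verify_keyed(k1, "alice", t1)
    results["keyed_token_differs_per_key"] = t1 != keyed_token(k2, "alice")
    results["keyed_forgery_found"] = (
        forge_with_source_keyed("alice", t1, attempts=5000) is not None)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both schemes hash the same inputs with the same primitive; the only difference is where the secret lives. In scheme A it lives in the code, so one leaked copy breaks every deployment that runs it and every user on them. In scheme B the code can be published and audited, and a leaked key compromises one deployment, which rotates it.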

  • Re:Sure (Score:5, Informative)

    by EdIII ( 1114411 ) on Saturday October 01, 2011 @07:16PM (#37580152)

    Uhhhhhh..... okay

    I am not redefining terms here at all.

    Granted, this is from Wikipedia:

    Security through (or by) obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them. A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities in those products and versions. An attacker's first step is usually information gathering; this step is delayed by security through obscurity. The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.

    icebraining is not correct here, and your assertion I am changing the definition from the norm and widely accepted definition is false. Security through obscurity, as a concept, is not something vague and a matter of perspective. It is a very well defined term in security and has been for quite some time.

    According to the definition above, a password is not incomplete information, or information being obscured, as it is being presented in the context of the article and the principle of security through obscurity.

    Making this a philosophical debate that a password is also obscurity at some level has nothing to do with the principles that are mentioned.

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday October 01, 2011 @07:19PM (#37580156)

    I am not suggesting leaving it open and just not telling anyone. That would be crazy.

    No, that would be "security through obscurity".

    What you want to do is keep it secure as possible, but give the potential intruder something else to work on that yields no results, but increases their risk of exposure.

    But that does nothing to improve the security of the system. If the attacker chooses the correct door (or whatever) then you're left with only the defenses of that door.

    Security through obscurity does not automatically assume that it is a door left wide open, just no one knows about it.

    No. The "security THROUGH obscurity" means that the door IS unlocked (or unlockable with the hidden key) and that the "security" comes from no one KNOWING that it is a way in. That's what the "through" part of that statement means.

    Do you understand the thinking now?

    I've always understood it. And you're making a very common mistake. Obscurity != Secret in "security through obscurity".

  • by tepples ( 727027 ) <tepplesNO@SPAMgmail.com> on Saturday October 01, 2011 @08:16PM (#37580458) Homepage Journal

    Of course, just correctly guess sooner, and then you can fix the system beforehand

    One method to make such a guess is called a "code audit", and code auditing practices applied since mid-1996 [openbsd.org] are part of why OpenBSD has had only two remote vulnerabilities for over a decade.