SecurityByObscurity


SecurityByObscurity is a means of discouraging casual attacks by avoiding prominence. Examples from MeatSpace include:

  1. The data operations center of CBI (Credit Bureau Incorporated) in the Atlanta area, which is a featureless office building with no outward indication of its purpose
  2. Interexchange telephone switching facilities, which are almost always unmarked
  3. Outdoor parties held by nudist and swingers' groups; the general public is usually unaware of the date or location

As such, SecurityByObscurity is highly effective against casual attackers with weak motivation or few resources, particularly in cases where the obvious presence of a facility or event could by itself be enough to encourage attacks. In these cases it is a cost-effective defense that has the side benefit of reducing the ScopeOfConflict. Conversely, it is a weak method when used against motivated, resourceful attackers.

Early computer systems relied on obscurity for a good measure of their protection, which remained effective until the widespread availability of modems and personal computers starting around 1990. At that time the resources required to perform an attack dropped substantially, and many previously uncompromised systems were penetrated in the ensuing years.

SecurityByObscurity was overused as a stated strategy by software firms and information systems staffs for a time when more effective security solutions could not be implemented quickly or in a cost-effective manner.

Many software firms in that era incorporated weak encryption and weak authentication into their products and refused to discuss the "proprietary" details, under the pretext that if the workings of the mechanism were understood it would be easier to defeat. Time has shown the folly of this "trust us" method of security implementation; most people AvoidIllusion today and seek effective HardSecurity that has been publicly vetted.

A related topic is Steganography, which is the process of encoding data in media files (classic examples used uncompressed TIFF and BMP formats) in such a way that the data appears to be part of the noise inherent in the image.
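The least-significant-bit scheme behind those classic TIFF/BMP examples, as an added illustration that is not part of the MeatballWiki page: the cover image, its 64x64 size, the 16-bit length prefix and the neighbour-agreement heuristic are all constructed assumptions for the demo. It shows why a ±1 change per pixel passes as sensor noise, and one crude statistic a defender can use to notice that the LSB plane of a smooth image has stopped following the image's own structure.

```python
"""Added example (not MeatballWiki text): least-significant-bit steganography on a
constructed, uncompressed 8-bit greyscale raster, plus a simple heuristic check."""

WIDTH, HEIGHT = 64, 64  # constructed cover image dimensions (assumption)


def make_cover() -> list[int]:
    """Constructed cover: a smooth diagonal gradient (values 0..31), stored as a
    flat list of 8-bit pixels the way an uncompressed BMP/TIFF raster would be."""
    return [((x + y) // 4) & 0xFF for y in range(HEIGHT) for x in range(WIDTH)]


def embed(pixels: list[int], payload: bytes) -> list[int]:
    """Overwrite the least significant bit of consecutive pixels with the payload
    bits, preceded by a 16-bit big-endian length so extract() knows where to stop.
    Each pixel changes by at most 1, which is why the edit hides in image noise."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length prefix")
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this payload")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def extract(pixels: list[int]) -> bytes:
    """Read the LSB plane back: first the 2-byte length, then that many bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def max_pixel_change(a: list[int], b: list[int]) -> int:
    """Largest per-pixel difference between two rasters of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_neighbour_agreement(pixels: list[int], n: int) -> float:
    """Fraction of adjacent pixel pairs (within the first n pixels) whose LSBs agree.
    In a smooth cover the LSB plane inherits the image's structure and the ratio is
    well above 0.5; once foreign bits overwrite the plane it drops towards 0.5.
    This is a heuristic, not proof: noisy covers or compressed sources score low too."""
    region = pixels[:n]
    pairs = [(region[i] & 1) == (region[i + 1] & 1) for i in range(len(region) - 1)]
    return sum(pairs) / len(pairs)


if __name__ == "__main__":
    cover = make_cover()
    message = b"SecurityByObscurity: obscurity is not secrecy"  # constructed payload
    stego = embed(cover, message)
    n_bits = (2 + len(message)) * 8
    print("recovered:", extract(stego))
    print("largest pixel change:", max_pixel_change(cover, stego))
    print("LSB agreement cover/stego: %.2f / %.2f" % (
        lsb_neighbour_agreement(cover, n_bits), lsb_neighbour_agreement(stego, n_bits)))
```

The recovered message is byte-exact while no pixel moves by more than one grey level; on the gradient cover the neighbour-agreement ratio sits near 0.75 before embedding and near 0.5 over the embedded region afterwards. On real photographs the gap is far smaller, which is why practical steganalysis relies on proper statistical tests rather than this one-line heuristic.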

This is an architectural solution where problem areas are kept permanently obscured. A more dynamic approach is to LimitVisibility.

See PracticalObscurity, WikiPedia:Security_through_obscurity


More examples

A version of this is "hiding in plain sight" - disguise something by placing it amongst other things which are usually not examined in detail. Examples:


[CategorySoftSecurity] SécuritéParObscurité

Discussion
