(redirected from SecurityThroughObscurity)
![[Home]](http://meatballwiki.org/meatball.gif)
SecurityByObscurity
MeatballWiki | RecentChanges | Random Page | Indices | CategoriesSecurityByObscurity is a means of discouraging casual attacks by avoiding prominence. Examples from MeatSpace include:
- The data operations center of CBI (Credit Bureau Incorporated) in the Atlanta area, which is a featureless office building with no outward indication of its purpose
- Interexchange telephone switching facilities, which are almost always unmarked
- Outdoor parties held by nudist and swinger's groups; the general public is usually unaware of the date or location
As such, SecurityByObscurity is highly effective against casual attackers with weak motivation or few resources, particularly in cases where the obvious presence of a facility or event could by itself be enough to encourage attacks. In these cases it is a cost effective defense that has the side benefit of reducing the ScopeOfConflict?. Conversely, it is a weak method when used against motivated, resourceful attackers.
Early computer systems relied on obscurity for a good measure of their protection, which remained effective until the widespread availability of modems and personal computers starting around 1990. At that time the resources required to perform an attack dropped substantially, and many previously uncompromised systems were penetrated in the ensuing years.
SecurityByObscurity was overused as a stated strategy by software firms and information systems staffs for a time when more effective security solutions could not be implemented quickly or in a cost-effective manner.
Many software firms in that era incorporated weak encryption and weak authentication into their products and refused to discuss the "proprietary" details, under the pretext that if the workings of the mechanism were understood it would be easier to defeat. Time has shown the folly of this "trust us" method of security implementation; most people AvoidIllusion today and seek effective HardSecurity that has been publicly vetted.
A related topic is Steganography, which is the process of encoding data in media files (classic examples used uncompressed TIFF and BMP formats) in such a way that the data appears to be part of the noise inherent in the image.
This is an architectural solution where problem areas are kept permanently obscured. A more dynamic approach is to LimitVisibility.
See PracticalObscurity, WikiPedia:Security_through_obscurity
More examples
A version of this is "hiding in plain sight" - disguise something by placing it amongst other things which are usually not examined in detail. Examples:
- Include a UserName amongst the Category links relegated to the bottom of the page.
- Break the LinkPattern or use <nowiki></nowiki>, so the link word doesn't call attention to itself by being highlighted as a link. The interested who are determined will copy/paste that LinkPattern into a URL and get to the page anyhow. [Careful: "being interested" and "knowing that URLS are non-opaque, editable things" do not correlate]
- Create a dummy UserName page, which simply redirects to the page of real interest, and then sign innocuous comments.
- Set up a network printer, and gave it the name of " ". Yep, a space. Nobody will see it in their GUI printer chooser, and so no one will select it.
- One kind of safe has almost a perfectly featureless front -- just the handle and the manufacturer's name. Sides are also plain brushed metal. No combination dial, no keyhole, nothing. Even if you knew the combination was "123", how would you know to press the first letter in the manufacturer's name, the second letter in the manufacturer's name, and then the third letter in the manufacturer's name ?
- One kind of push-button lock only had 4 different buttons. I observed someone unlock it: his elbow only moved forward 3 times. How long would it take me to try out all possible 3 digit numbers in base 4 ? Less than 10 minutes, but I still wouldn't unlock the door. When I was given the combination, I learned that I had to hold down 2 specific buttons at the same time on the last button press to get it to unlock. (If I pressed these 2 buttons one after the other, it wouldn't unlock).
- Cutting out a secret compartment in a book, then "hiding" it in plain sight on the bookshelf.
- "The Purloined Letter" short story 1841 by Edgar Allan Poe (1809-1849) http://www.kingkong.demon.co.uk/gsr/purloind.htm
[CategorySoftSecurity] SécuritéParObscurité