Rich Pieri wrote:
> Tom Metro wrote:
>> We're getting a bit wrapped up in dogma. This isn't a black-and-white
>> issue. If you take a broad enough definition of "obscurity" it could be
>> taken to mean your knowledge of a password - it's obscure, you know it,
>> and yet it's guessable, just like the oddball port your service is
>> running on.
>
> Passwords aren't obscured things. They're supposed to be secrets. A
> password that is not a secret but merely obscured is a password that has
> been compromised.

This is exactly my point...it's a spectrum of complexity, without a crisp delineation between what is obscurity and what is secret.

Choosing a port number from a space of 65535 possibilities is exactly identical to choosing a password with 16 bits of strength, provided both lack measures to prevent brute force attacks.

You could, if you so desired, have a port knocking client that translated a pass phrase with 40+ bits of strength into a knock sequence. Now is this a secret or is it still just obscure?

Obscure, in most security contexts, is just a synonym for weak strength. What you consider to be weak is subjective, and relative to the threat scenarios.

> I want that "noise" because it isn't noise. It's useful information.

If you find it so, then good for you. Others consider it useless noise, and it detracts from more valuable signals.

> ...that "noise" can be used to tune passive and
> active defenses, much like how a corpus of spam can be used to train a
> spam filtering engine. If I don't have that "noise" then it's harder to
> tune my security rules.

Sure, in some contexts, I agree completely.

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
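The post's comparison of a single port number to a 16-bit password, and its hypothetical knocking client that turns a 40+ bit pass phrase into a knock sequence, worked through as an added example (not code from the list or its author). The PBKDF2-based derivation scheme, the salt and the pass phrase are assumptions made for illustration.

```python
import hashlib
import math

PORT_SPACE = 65535  # the port-number space quoted in the post


def bits_of_strength(space: int) -> float:
    """Bits of strength of one value chosen uniformly from `space` possibilities."""
    return math.log2(space)


def knocks_needed(target_bits: float) -> int:
    """Smallest knock sequence whose combined space reaches `target_bits`."""
    return math.ceil(target_bits / bits_of_strength(PORT_SPACE))


def sequence_strength_bits(passphrase_bits: float, knocks: int) -> float:
    """A derived knock sequence is never stronger than the pass phrase it came
    from, nor than the ~16 bits each knock can carry, whichever is lower."""
    return min(passphrase_bits, knocks * bits_of_strength(PORT_SPACE))


def knock_sequence(passphrase: str, knocks: int, salt: bytes = b"constructed-salt") -> list[int]:
    """Hypothetical client scheme (an assumption, not any real knocking tool):
    stretch the pass phrase with PBKDF2 and map each 16-bit slice onto a port.
    Anyone who can observe the traffic still sees the resulting ports, so the
    sequence is a static secret with at most the strength computed above."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=2 * knocks)
    return [1 + int.from_bytes(key[2 * i:2 * i + 2], "big") % PORT_SPACE for i in range(knocks)]


if __name__ == "__main__":
    print(f"one port: {bits_of_strength(PORT_SPACE):.2f} bits")
    n = knocks_needed(40)
    print(f"knocks for a 40-bit pass phrase: {n}")
    print(f"strength of that sequence: {sequence_strength_bits(40, n):.0f} bits")
    print(knock_sequence("correct horse battery staple", n))
```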