October 16th, 2004, 04:22 PM
It isn't a layer of protection, and treating it as such is relying on it to actually do something to protect you. Phase one of an intrusion generally includes enumeration, which generally defeats measures relying on obscurity to protect them.
Originally posted here by jdenny
I understand that we can't rely on security by obscurity (alone). However, it adds another layer of protection, doesn't it? I just want to understand why people try to avoid it. I mean it's not that bad, but yes, we also need to put some other kind of security measure in place.
Imagine if you will, the following scenario. A car company makes a car with remote door locks that are uniquely keyed to frequencies, one per car. This frequency in and of itself is how the door is unlocked, there is no data sent on the signal, nor is there a "fingerprint" or encryption-key style mechanism in place to ensure it is really the owner, only the frequency identifies the proper owner. Now, the only people who have the remote door locks are the owners, but let's say a car thief wants to open some doors. He develops an ingenius device to broadcast a signal on increasing frequencies until he hits the kill switch, and manages to rather easily unlock the door of the car and steal it.
Even if you consider it a layer of protection, security through obscurity doesn't actually protect you from anything.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
October 18th, 2004, 07:21 AM
I'm still seeing that password authentication method and encryption method implement security thru obscurity in more general/loose term. Passwords can be sniffed and/or brute-forced. Ditto with encryption.
I think I'll still use some security thru obscurity efforts, combined with IDS and logging, in an early warning/action system. But of course I won't rely on that as my sole protection.
[ Borrowing chsh's example of remote door locks, the vendor should develop a scanning detector which disables the lock (ignoring unlock request) for a given period (say 5 minutes) if it detects such scanning. One could argue that the thief would increase the delay between frequency broadcasts to avoid detection. And I would say he'd better be very patient as he may need to spend some time doing it before the owner comes and forces him find another victim. And so on, and so on. ]
Well, I believe I've got the answers I need. Thank you all.
edit: I'm sorry for being stubborn (see my sig).
Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds