>If an attacker sees that your SSH port isn't where it's supposed to be OR if an attacker sees that your SSH port ignores all packets sent to it (unless you first send a packet that's 25 0xFF bytes), then either way they're being signaled that you are more trouble than the computer that has an open telnet port. In the language of the article, it's reducing likelihood of being compromised. While I agree base64 is super trivial, the point about either of these is defence in depth. Using base64 encoding, or encrypting your database, are both examples in the article. Your analogy with predators works better here. More investigation or automation can make the obscurity go away, but it does make things a bit harder. Fair point! Obscurity as confusion is not what I had in mind, but your points on confusion are totally valid. There are slightly different usages of the same word, but the effect looks to me to be the same. If an attacker sees that your SSH port isn't where it's supposed to be OR if an attacker sees that your SSH port ignores all packets sent to it (unless you first send a packet that's 25 0xFF bytes), then either way they're being signaled that you are more trouble than the computer that has an open telnet port.
Or running a code obfuscator on source code instead of making the code actually secure. Either way the economic costs that I'm talking about are valid. For example, using base 64 encoding instead of encrypting something. Most of the usages of "security through obscurity" that I've seen dissected and decried haven't been in the sense that something was being hidden, but rather that something was being confused. The "signal" is there is nothing here (or nothing here worth your time). Security through obscurity's goal is not to signal predators, it's the opposite. Another example: a worm is a self-automating exploit. >Of course in the age of automation, relying on obscurity alone is foolish because once someone has automated an attack that defeats the obscurity, then it is little or no effort for an attacker to bypass it. Likewise an authentication method (once exploited) is not a deterrent. Obscurity (once revealed) is not a deterrent.
The only way security through obscurity signals to "predators" is if they've seen past your defence, and thus defeated the obscurity. Just by obscuring your port you can usually filter out the majority of break-in attempts. One of the best examples (it's in the article!) is changing the default SSH port. It's a way to signal to a predator that we're a hard target and that they should give up. >I think we can kind of view obscurity in the same way. And I can't help but think of the guy who was trying to think of ways to perform psychological attacks against reverse engineers. Of course, sprinkling a little bit of obscurity on top of a good security solution might provide an incentive for attackers to go someplace else. Of course in the age of automation, relying on obscurity alone is foolish because once someone has automated an attack that defeats the obscurity, then it is little or no effort for an attacker to bypass it.
In nature, prey animals will sometimes jump when they spot a predator. One of the explanations is that this is the animal communicating to the predator that it is a healthy prey animal that would be hard to catch and therefore the predator should choose to chase someone else. I think we can kind of view obscurity in the same way.