Security through obscurity has been around a long time. Just ask Alfred Charles Hobbs, who died in 1891. He was criticized for demonstrating how to pick locks. I was reminded recently by my esteemed compatriots on TechYeet¹ that the notion of keeping security mechanisms secret is distinctly not dead. We were discussing the use of ChatGPT by cybercriminals, which is a fun topic all by itself. This led to red teaming and those people who say “we shouldn’t train anyone to break into systems, because it gives the bad guys tools and training as well.” Because clearly criminals can’t train themselves. We didn’t even get started on obscurity in cryptographic algorithms.
So, in short: security through obscurity is the belief that keeping the design or implementation of a security mechanism secret is, by itself, enough to protect it.
Why is it So Tempting?
I found myself wondering why security through obscurity keeps rearing its ugly head. Why is it so tempting to say “well, we’ll just not tell anyone and they’ll never know”? There are a few ideas that spring to mind. Maybe many people don’t expect anyone to take things apart to see how they work? This was something my parents discovered with our iron, among other appliances. Hey, at least I could put them back together again (mostly). Maybe it’s easier not to worry about a proper security audit or a reasonable application security program? After all, they cost money. And they cost more money to do well. Maybe security is one of those things that can be ignored until after you need it. After all, we all buy insurance after a fire, right? I am honestly not sure what to think.
Why is it Not Dead Yet?
This is another mysterious question. We’ve been talking about this in the industry longer than Lady Gaga has been alive. The general conclusion is “security through obscurity? Don’t do it,” although clearly the arguments are more nuanced than that.
What Should We Do About It?
It’s our job as security people to call out those who suggest it and educate them. To do that, we need to educate ourselves. We need to find the best ways to explain that knowledge of the inner workings of a security system should not enable an attacker to break it; the only thing that should need to stay secret is the key. That is Kerckhoffs’s principle, and it has been on the record since 1883. Secrecy about a design can buy a little time, but a system that relies solely on it is doomed to fail the moment the design leaks, and unlike a leaked key, a leaked design can’t be rotated.
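To make that last point concrete, here is an added example (not from the original post) that puts the two approaches side by side as integrity tags on a message. Scheme A is a home-grown checksum whose only protection is that the recipe is unpublished; the recipe and its `_MAGIC` constant are invented here for illustration. Scheme B is HMAC-SHA256, a fully public algorithm whose security rests on a key. The attacker is modelled as someone who has read both implementations in full.

```python
"""Kerckhoffs's principle in miniature.

Two ways to build an integrity tag for a message: one whose only protection
is that nobody knows the algorithm, and one whose algorithm is public and
whose security rests on a secret key.  Constructed example; the "obscure"
scheme and its constant are invented here to make the point.
"""
import hashlib
import hmac
import os

# --- Scheme A: secret algorithm, no key (security through obscurity) --------

# Hypothetical constant that "nobody will ever find" inside the shipped binary.
_MAGIC = b"\x5a\xc3\x17\x9e"


def obscure_tag(message: bytes) -> bytes:
    """Home-grown 'checksum': reverse the bytes, XOR with a fixed pattern, hash.

    Nothing here is secret except the recipe itself.  Anyone who recovers the
    recipe (disassembly, a leaked repo, a talkative ex-employee) can compute a
    valid tag for any message they like.
    """
    mixed = bytes(b ^ _MAGIC[i % len(_MAGIC)] for i, b in enumerate(message[::-1]))
    return hashlib.sha256(mixed).digest()[:16]


def verify_obscure(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)


def attacker_forge_obscure(message: bytes) -> bytes:
    """The attacker has read the code.  Forging is just running it."""
    return obscure_tag(message)


# --- Scheme B: public algorithm, secret key (Kerckhoffs) --------------------

def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: the algorithm is fully documented, and that does not matter."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


def attacker_forge_keyed(message: bytes, guessed_key: bytes) -> bytes:
    """The attacker knows HMAC-SHA256 in every detail but not the key, so the
    best available move is to guess one."""
    return keyed_tag(guessed_key, message)


def demo() -> dict:
    """Run both schemes against the same forgery attempt and a key rotation."""
    legit = b"transfer 100 to account 42"     # constructed sample message
    forged = b"transfer 100 to account 1337"  # what the attacker wants accepted

    # Scheme A: once the algorithm is known, the forgery verifies.  The only
    # fix is to design and redeploy a new algorithm and hope it stays secret.
    obscure_forgery_accepted = verify_obscure(forged, attacker_forge_obscure(forged))

    # Scheme B: full knowledge of the algorithm, wrong key, forgery rejected.
    key = os.urandom(32)
    keyed_forgery_accepted = verify_keyed(
        key, forged, attacker_forge_keyed(forged, os.urandom(32)))
    keyed_legit_accepted = verify_keyed(key, legit, keyed_tag(key, legit))

    # Scheme B after a key leak: rotate the key and old tags stop verifying.
    # No redesign needed; the public algorithm is still fine.
    old_tag = keyed_tag(key, legit)
    new_key = os.urandom(32)
    old_tag_after_rotation = verify_keyed(new_key, legit, old_tag)

    return {
        "obscure_forgery_accepted": obscure_forgery_accepted,
        "keyed_forgery_accepted": keyed_forgery_accepted,
        "keyed_legit_accepted": keyed_legit_accepted,
        "old_tag_after_rotation": old_tag_after_rotation,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The asymmetry is the whole lesson: the attacker has identical knowledge of both schemes, yet only Scheme A falls, and only Scheme B can recover from a leak by changing a value rather than a design. The `hmac.compare_digest` calls are there so that neither verifier adds a timing side channel on top of everything else.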
¹ TechYeet is an invite-only tech community that brings members together for fun to see what innovative ideas and professional opportunities ensue. Ask me nicely if you want to join.