Obscurity Adds to Defense

Many security experts whom I hold in the highest esteem are ticking me off!

I hear it all over that "you should never use obscurity as security." I agree if you put the word "only" in front of "obscurity"; stated without it, the maxim teaches the wrong lesson.

When I was in the Infantry, we had these things called tanks. They didn't rely on obscurity for their defense. They had several feet of armor in the front and often a 120 mm smooth bore cannon backed up by a couple of machine guns, but we still camouflaged them. We did try to keep them from being obvious. The truth is that obscurity is a layer in the overall defense. It is not a foolproof layer, and on the Internet, in some respects, it is not even a very good one, but I want all the layers I can get. If obscurity isn't important at all, then publish your schema and your overall architecture. I am taking it to extremes, but we need all the help we can get in all things security.

I know that in a conversation I can get agreement on my point from those who are trying valiantly to just teach a valuable lesson, but I think the wording has to be more exact.

Maybe my war analogies are misplaced when it comes to Internet security and defeating hackers, but no one has convinced me of that yet.  It feels like war to me! 

Security is a war, don’t fight fair!

6 thoughts on “Obscurity Adds to Defense”

  1. Patrick,

    Good to see you speaking again at CodeCamp 4. I didn’t get to talk to you, but I always like hearing you speak.

    Why make things easy for people? The whole idea behind a good password / secret is that you make it complex enough (i.e., obscure enough) that no one could easily guess / uncover it.

    I think people who argue against obscurity are really just making an argument that the only valid security methods are those that can be mathematically formalized. Shared Key Cryptography really is just a form of mathematical obfuscation, otherwise we wouldn’t need to use the word "private" when discussing it. Adding bits to your cryptographic key really just creates more obscurity, except that the algorithm and time it takes to uncover the secret is formally predictable and mathematically well defined. Of course, the prediction is often that the person who uncovers the secret will be looking over our dead, rotted bodies millions of years from now. You can’t make this kind of prediction with tanks in the bushes, but you can predict that the bushes will (with some undefined yet mathematically determinate) probability increase the likelihood that you will be looking over their dead, rotting bodies before they get to look over yours…

    So I think if you are going to use obscurity, do your best to understand what it will take to unhide your secret. Just because you can’t mathematically formalize your obscurity method doesn’t mean it’s not valid.

    Dotfuscator for .NET assemblies (at least the Community edition) works on the basis of obscurity, i.e., it kind of "hides your code behind the bushes," except that it can also camouflage the bushes to look like tanks, add extra bushes, etc.

  2. Security is war. I work for the State and this is a war we constantly wage. Obscurity is one of those very basic, but useful tools. We do not have the luxury of throwing thousands of dollars at security solutions so we seek opportunities to make the best of the situation we are in. Sometimes it works really well, sometimes not at all, but you’ll never know until you try.
