Does Security Through Obscurity Actually Work?


There is an age-old question that philosophers have wrestled with over the years:

“If a tree falls in the forest and no one is around to hear it, does it make a noise?”

There are a couple of other philosophical and psychological sayings that are in the same vein as that one, that also fit with today’s topic.

Is something secured just because no one knows about it?

There have been persuasive arguments that come out of both camps.

Just as soon as your foot is firmly planted with one side, then the other makes an argument to support their point of view and now you change your mind.

This debate will go on for many years to come.

Security Through Obscurity

I guess I should explain now what I mean by security through obscurity.

It is a well-known topic, but only in the security community.

When I say security through obscurity, what I mean is that we can hide a piece of data and hackers will not bother to search for it, or a machine does not have enough market share to warrant an attack from hackers.

This is a big reason why people say that an Apple Mac machine is secure.

Apple, and people who own Macs, will argue that the machine is very secure.

Others on the outside will argue that the machine is secure only because there is not enough attention paid to it by hackers.

They say that the reason is its low install base.

There is a case to be made for this, since there are known exploits for a Mac system, but they are not widespread.

Also, OS X is based on a Unix derivative, BSD, and Unix-based systems are very secure but have been known to be attacked.

Linux, another derivative of Unix, has one of the largest install bases on servers and it is attacked often.

Popularity Breeds Attack

We can take another example, the Apple iPhone.

It is based on a modified version of OS X and there is a whole market based on people that have cracked it.

People want to open their iPhones, so hackers have found a way to do that too.

They have made it trivial to break through the defenses.

Again, this is another case of a device being so popular that hackers want to break it.

This is not an airtight case that security through obscurity works, but it does raise some reasonable points.

Where it breaks down, as we see in the examples, is that once the item has been found, it is easy to exploit.

That is the biggest argument against security through obscurity.

There is one fail-safe, and when that is gone there is no recourse: your data has been exposed.

So far, what seems to be the best solution is to use security through obscurity but do not let that be your only piece of security on the item.

You will have to make sure that you provide other serious layers of security or the data that you want to protect will be a sitting duck.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Comments

  1. Great article. I’d agree with you, security through obscurity has its place as one of the many layers of security.

    I also don’t believe that just because someone releases a product for the masses, they are in any way obliged to divulge the inner workings or security mechanisms of their product.

    In many ways it’s a bit like blogging. By publishing something, there is an assumption that strangers are free to insult your views – woah, I’m really going off on a tangent aren’t I! :)

    • “I also don’t believe that just because someone releases a product for the masses, they are in any way obliged to divulge the inner workings or security mechanisms of their product.”

      Yeah, that’s a good point because doing so opens things up for hackers, yet you could also make the point that if someone wants to crack something they will – and the harder it is to achieve, the greater the challenge and the more they will relish it.

      Your last comment suggests you have been the victim of flaming, am I correct?
