Tuesday, September 19, 2006

Obscurity Rode in on a Dead Horse

"Security by obscurity is not security."

I don't know who originated that mantra, but if I did, I'd sign that person up for lots of spam. Because I'm not a nice person. And because there's almost no one more worthy of useless, repetitive garbage clogging up the daily works than the person who first said those words. I would consider it to be a kind of poetic justice. We need more poetic justice in the world.

In and of itself, there's nothing wrong with the *intent* of the statement. Regarding crypto algorithms, just not divulging the algo isn't as safe as using one with a known, tested strength. Ok. Fine. I accept that.

The problem is that the statement has been so often misapplied to anything in the security realm that it loses its meaning. It is often simply wrong. And as it is repeated ad infinitum it becomes nothing more than a mantra. Mere dogma. Dogma that kind of rhymes. It rings through with the mellifluous tones of a dead horse being beaten. Repeatedly.

How is it misapplied? Imagine that you stashed an extra house key in one of those fake rocks. (Who buys all of those anyway?) Is it obscurity to hide the keys there? Sure. Is it security? If it mitigates against easy compromise of the key, then I'd claim it is.

Security isn't just some academic thing. It's about mitigating against real risks in real life. This ain't rocket science. Anybody should be able to understand it. Risk: key compromise. Our chosen mitigation: fake rock.

Perhaps a better mitigation would have been to not leave a key outside your house in the first place. But what if you had a requirement to be able to get into your house even if you had locked your keys inside the house? In real life there are other concerns than one would find in a strict academic (read "not real world") scenario. Maybe . . . just maybe . . . that "obscurity" was just the security that you needed to meet all of your requirements and still mitigate against easy key compromise.

Sometimes obscurity *is* security. Conversely, the lack of obscurity may sometimes also be security. But that's another blogpost entirely.

I wonder if I'll need to explain next how Heisenberg's Uncertainty Principle doesn't apply to prime time network TV programming . . .

I generally keep a key placed on an easily reached surface on a nearby fence. If you looked you could see the key. No one has ever taken my key in 15 years of that trick.