
I think this is something very unsafe to preach to people.

I'm not sure if this is a joke, or if this person and other comment authors are serious. The idea of Security-by-Obscurity is flawed inherently.

Let me first start by defining security: "the state of being free from danger or threat." Now this is definitely not the best definition; it's just the one that came up when I googled the word, and so this will work for now.

The only way for security by obscurity to work is for you to be able to design a system that is impossible to figure out or comprehend.

Let's assume that one was able to design a system that is incomprehensible to anyone. Let's initially ignore the fact that if the system is not understandable to the user, it couldn't have been invented in the first place.

I'll pose these questions:

  - If the system is so obscure to foreign users, how will it be maintained?
  - If someone who knows the secrets of how this system works is fired, what happens if they sell off their knowledge?
  - What would happen if there turns out to be a bug in this massive amorphous blob of crap that no one understands? How do you start debugging it without invalidating its "security"?

I'll never use security-by-obscurity as a model. This is mainly due to one of my core beliefs: there are much smarter people out in the world than you. If you think "this is un-guessable" or "this is unbreakable" when slapping a bitshift on a stream of data and calling it "encryption", you need to understand that there are people smart enough in this world that can smell that from a mile away.

I've worked with some of these people, and before then I may have said "yea, security by obscurity is fine"; but having worked alongside people who are FAR more intelligent than I am, anything I can think of to circumvent their actions can be trivially figured out by someone out there who is smarter than I am.
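An added illustration of the "bitshift as encryption" point above; this is example code written for this page, not something from the comment's author. It models the obscure transform as a per-byte bit rotation with a "secret" rotation count, then shows that a reader who knows nothing about the secret still recovers the message, because the only hidden quantity has eight possible values and ordinary text is easy to recognise. The sample message is constructed for the demonstration.

```python
# Added example, not part of the original comment. The "cipher" here is a
# hypothetical stand-in for any homegrown transform whose only protection is
# that nobody is supposed to know what it does.
import string

# Bytes that a plausible plaintext message is made of (ASCII text).
PRINTABLE = set(string.printable.encode())


def rotate_byte(b: int, k: int) -> int:
    """Rotate an 8-bit value left by k bits (k taken modulo 8)."""
    k %= 8
    return ((b << k) | (b >> (8 - k))) & 0xFF


def obscure(data: bytes, k: int) -> bytes:
    """The 'encryption': rotate every byte by the same secret count k."""
    return bytes(rotate_byte(b, k) for b in data)


def unobscure(data: bytes, k: int) -> bytes:
    """Undo obscure() when k is known: rotate back by the complement."""
    return obscure(data, (8 - k) % 8)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like ordinary text; 1.0 means all of them."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def recover_without_key(data: bytes) -> tuple[int, bytes]:
    """Recover the message with no knowledge of the secret.

    The transform leaks its whole 'key space': there are only 8 rotation
    counts, so try each one and keep the candidate that reads as text.
    A real cipher is designed so that this kind of search is infeasible even
    when the algorithm is fully public (Kerckhoffs's principle).
    """
    candidates = ((k, unobscure(data, k)) for k in range(8))
    best_k, best_plain = max(candidates, key=lambda kv: printable_ratio(kv[1]))
    return best_k, best_plain


# Constructed sample message for the demonstration.
SAMPLE = b"Transfer 250 EUR to account 12345 before Friday"
SECRET_K = 5  # the part the designer hopes nobody guesses


def demo() -> tuple[int, bytes]:
    """Obscure SAMPLE with SECRET_K, then recover it without using SECRET_K."""
    ciphertext = obscure(SAMPLE, SECRET_K)
    assert ciphertext != SAMPLE
    return recover_without_key(ciphertext)


if __name__ == "__main__":
    k, plain = demo()
    print(f"recovered rotation count {k}: {plain.decode()}")
```

The recovery routine never sees the secret; it only relies on two facts that obscurity cannot hide: the set of possible secrets is tiny, and real messages are distinguishable from noise. Those same two facts are what a cryptographer is paid to rule out, by sizing the key space so that enumeration is hopeless and by publishing the algorithm so that smarter people can look for shortcuts before an adversary does.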
