Security through obscurity
Security through obscurity is a pejorative referring to a principle in security engineering which attempts to use secrecy of design or implementation to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, then attackers will be unlikely to find them. A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities in those products and versions. An attacker's first step is usually information gathering; this step is delayed by security through obscurity. The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.

Security through obscurity has never achieved engineering acceptance as an approach to securing a system, as it contradicts the principle of "keeping it simple". The United States National Institute of Standards and Technology (NIST) specifically recommends against it in more than one document. Quoting from one, "System security should not depend on the secrecy of the implementation or its components."

Background

There is scant formal literature on the issue of security through obscurity. Books on security engineering will cite Kerckhoffs' doctrine from 1883, if they cite anything at all. For example, in a discussion about secrecy and openness in Nuclear Command and Control:

[T]he benefits of reducing the likelihood of an accidental war were considered to outweigh the possible benefits of secrecy. This is a modern reincarnation of Kerckhoffs' doctrine, first put forward in the nineteenth century, that the security of a system should depend on its key, not on its design remaining obscure.

In the field of legal academia, Peter Swire has written about the trade-off between the notion that "security through obscurity is an illusion" and the military notion that "loose lips sink ships", as well as how competition affects the incentives to disclose.

The principle of security through obscurity was more generally accepted in cryptographic work in the days when essentially all well-informed cryptographers were employed by national intelligence agencies, such as the National Security Agency. Now that cryptographers often work at universities, where researchers publish many or even all of their results and publicly test others' designs, or in private industry, where results are more often controlled by patents and copyrights than by secrecy, the argument has lost some of its former popularity. An example is PGP, released as source code and generally regarded (when properly used) as a military-grade cryptosystem. The wide availability of high quality cryptography was disturbing to the US government, which seems to have been using a security through obscurity analysis to support its opposition to such work. Indeed, such reasoning is very often used by lawyers and administrators to justify policies designed to control or limit high quality cryptography to those authorized.

Arguments for

Perfect or "unbroken" solutions provide security, but absolutes may be difficult to obtain. Although relying solely on security through obscurity is almost always a very poor design decision, keeping secret some of the details of an otherwise well-engineered system may be a reasonable tactic as part of a defense in depth strategy. For example, security through obscurity may (but cannot be guaranteed to) act as a temporary "speed bump" for attackers while a resolution to a known security issue is implemented. Here, the goal is simply to reduce the short-run risk of exploitation of a vulnerability in the main components of the system.

Security through obscurity can also be used to create a risk that detects or deters potential attackers. For example, consider a computer network that appears to exhibit a known vulnerability. Not knowing the target's security layout, the attacker must decide whether to attempt to exploit the vulnerability or not. If the system is set to detect attempts against this vulnerability, it will recognize that it is under attack and can respond, either by locking the system down until proper administrators have a chance to react, by monitoring the attack and tracing the assailant, or by disconnecting the attacker. The essence of this principle is that by raising the time or risk involved, the defender denies the attacker the information required to make a solid risk-reward decision about whether to attack in the first place.

A variant of the defense in the previous paragraph is to have two layers of detection for the exploit, both kept secret but one allowed to be "leaked". The idea is to give the attacker a false sense of confidence that the obscurity has been uncovered and defeated. An example of where this would be used is as part of a honeypot. In neither of these cases is there any actual reliance on obscurity for security; these are perhaps better termed obscurity bait in an active security defense.
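As an added illustration of the obscurity bait just described (example code, not part of the original article): a detector that watches request logs for probes of decoy paths that merely look vulnerable, with one decoy deliberately discoverable and a second one never referenced anywhere. The decoy paths, the log format, the block threshold and the sample log lines are all constructed assumptions.

```python
"""Obscurity bait: decoy endpoints that merely look vulnerable.

Added example, not from the original article. The decoy paths, the log
format, the block threshold and the sample log lines are all constructed
for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Two layers of decoys, as in the "leaked" variant described in the text:
# one decoy is deliberately discoverable (imagine it listed in robots.txt),
# the other is never referenced anywhere, so only a scanner that keeps
# probing after "defeating" the first layer will ever touch it.
LEAKED_DECOYS = {"/backup/db.sql.bak"}        # hypothetical path
HIDDEN_DECOYS = {"/internal/debug-console"}   # hypothetical path

# Constructed log format: "<client-ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (GET|POST|HEAD) (\S+) (\d{3})$")


@dataclass
class Alert:
    source: str
    path: str
    layer: str    # "leaked" or "hidden"
    action: str   # "monitor" or "block"


@dataclass
class BaitDetector:
    """Watches request log lines and reacts to decoy hits.

    Neither decoy does anything when requested; the security of the real
    system does not depend on them staying secret. They exist only to turn
    an attacker's information gathering into a detection signal.
    """
    block_after: int = 2                           # hidden hits before blocking
    hidden_hits: dict = field(default_factory=lambda: defaultdict(int))
    touched_leaked: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    @staticmethod
    def classify(path: str) -> str | None:
        if path in HIDDEN_DECOYS:
            return "hidden"
        if path in LEAKED_DECOYS:
            return "leaked"
        return None

    def process(self, line: str) -> Alert | None:
        """Return an Alert if the line is a decoy hit, else None."""
        m = LOG_RE.match(line.strip())
        if not m:
            return None          # unparseable line: skip rather than crash
        ip, _method, path, _status = m.groups()
        layer = self.classify(path)
        if layer is None:
            return None          # ordinary traffic
        if layer == "leaked":
            # The attacker now believes the obscurity is uncovered; watch them.
            self.touched_leaked.add(ip)
            return Alert(ip, path, layer, "monitor")
        # Hidden layer: a source that already "found" the leaked decoy and
        # keeps probing is clearly scanning; otherwise block after a threshold.
        self.hidden_hits[ip] += 1
        if ip in self.touched_leaked or self.hidden_hits[ip] >= self.block_after:
            self.blocked.add(ip)
            return Alert(ip, path, layer, "block")
        return Alert(ip, path, layer, "monitor")

    def run(self, lines) -> list[Alert]:
        return [a for a in map(self.process, lines) if a is not None]


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 GET /index.html 200
203.0.113.7 GET /backup/db.sql.bak 404
198.51.100.3 GET /about 200
203.0.113.7 GET /internal/debug-console 404
198.51.100.3 GET /internal/debug-console 404
198.51.100.3 POST /internal/debug-console 404
this line is not in the expected format
"""

if __name__ == "__main__":
    det = BaitDetector()
    for alert in det.run(SAMPLE_LOG.splitlines()):
        print(alert)
    print("blocked:", sorted(det.blocked))
```

The real system's controls are unaffected by whether the decoy paths become known; disclosure only costs the detection signal, which is the property the text requires of any obscurity layer.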

However, it can be argued that a sufficiently well-implemented system based on security through obscurity simply becomes another variant on a key-based scheme, with the obscure details of the system acting as the secret key value.

There is a general consensus, even among those who argue in favor of security through obscurity, that security through obscurity should never be used as a primary security measure. It is, at best, a secondary measure; and disclosure of the obscurity should not result in a compromise.

Arguments against

In cryptography proper, the argument against security by obscurity dates back to at least Kerckhoffs' principle, put forth in 1883 by Auguste Kerckhoffs. The principle holds that the design of a cryptographic system should not require secrecy and should not cause "inconvenience" if it falls into the hands of the enemy. This principle has been paraphrased in several ways:
  • system designers should assume that the entire design of a security system is known to all attackers, with the exception of the cryptographic key.
  • the security of a cryptographic system resides entirely in the cryptographic key.
  • in the 1940s, Claude Shannon put it bluntly: "the enemy knows the system".

The greater the number of points of compromise in a system, the greater the chance that an attack on one of those points exists or will be developed. Systems whose design or operation includes secrets that are themselves points of compromise are less secure than equivalent systems without them whenever the effort required to learn the secret design or method of operation, plus the effort to exploit the resulting vulnerability, is less than the effort required to obtain the secret key. The security level of the system is then reduced to the effort required to exploit the vulnerability.

For example, if somebody stores a spare key under the doormat in case they are locked out of the house, then they are relying on security through obscurity. The theoretical security vulnerability is that anybody could break into the house by unlocking the door using that spare key. Furthermore, since burglars often know likely hiding places, the house owner will experience greater risk of a burglary by hiding the key in this way, since finding the key is likely to cost the burglar less effort than breaking in by another means. The owner has in effect added a vulnerability to the system, namely that the entry key is stored under the doormat, and one which is very easy to guess and exploit.

In the past, several algorithms, or software systems with secret internal details, have seen those internal details become public. Accidental disclosure has happened several times, for instance in the notable case of GSM confidential cipher documentation being contributed to the University of Bradford, neglecting to impose the usual confidentiality requirements. Furthermore, vulnerabilities have been discovered and exploited in software even when the internal details remained secret. Taken together, these and other examples suggest that it is difficult or ineffective to keep the details of systems and algorithms secret.
  • The A5/1 cipher for the GSM mobile cellular telephone system became public knowledge partly through reverse engineering.
  • Details of the RSADSI (RSA Data Security, Inc.) cryptographic algorithm software were revealed, probably deliberately, through publication of alleged RC4 source on Usenet.
  • Vulnerabilities in various versions of Microsoft Windows, its default web browser Internet Explorer, and its mail applications Outlook and Outlook Express have caused worldwide problems when computer viruses, Trojan horses, or computer worms have taken advantage of those vulnerabilities. Indeed, assorted government agencies (e.g. the US Department of Commerce) have from time to time issued security warnings about the use of that software.
  • Cisco router operating system software was accidentally exposed to public access on a corporate network.
  • Details of Diebold Election Systems voting machine software were published on a publicly accessible Web site. (See Bev Harris.)

Linus's law, that many eyes make all bugs shallow, also suggests improved security for algorithms and protocols whose details are published. More people can review the details of such algorithms, identify flaws, and fix the flaws sooner. Proponents of this viewpoint expect that security compromises will be less frequent and less severe for open than for proprietary or secret software.

Operators and developers/vendors of systems that rely on security by obscurity may keep the fact that their system is broken secret to avoid destroying confidence in their service or product and thus its marketability, and this may amount to fraudulent misrepresentation of the security of their products. Instances have been known, from at least the 1960s, of companies delaying release of fixes or patches to suit their corporate priorities rather than customer concerns or risks. Application of the law in this respect has been less than vigorous, in part because vendors almost universally impose terms of use as part of licensing contracts in order to disclaim their apparently existing obligations under statutes and common law that require fitness for use or similar quality standards.

Open source repercussions

Software which is deliberately released as open source once experienced a security debacle in the late 1980s; for example, the Morris worm of 1988 spread through some obscure, though widely visible to those who looked, vulnerabilities. An argument sometimes used against open-source security is that developers tend to be less enthusiastic about performing deep reviews than they are about contributing new code. Such work is sometimes seen as less interesting and less appreciated by peers, especially if an analysis, however diligent and time-consuming, does not turn up much of interest. Combined with the fact that open source is dominated by a culture of volunteering, the argument goes, security sometimes receives less thorough treatment than it might in an environment in which security reviews were part of someone's job description.

On the other hand, the absence of an immediate financial incentive to patch a product does not mean there is no incentive at all. Further, if the patch matters enough to the user, having the source code means the user can technically patch the problem themselves. These arguments are hard to prove. However, research indicates that open-source software does have a higher rate of flaw discovery, quicker flaw discovery, and quicker turnaround on patches. For example, one study reports that Linux source code has 0.17 bugs per 1000 lines of code while non-open-source commercial software generally scores 20-30 bugs per 1000 lines.

Security through minority

A variant of the basic approach is to rely on the properties (including whatever vulnerabilities might be present) of a product which is not widely adopted, thus lowering the prominence of those vulnerabilities (should they become known) against random or even automated attacks. This approach has a variety of names, "minority" being the most common. Others are "rarity", "unpopularity", "scarcity", and "lack of interest".

This variant is most commonly encountered in explanations of why the number of known vulnerability exploits for products with the largest market share tends to be higher than a linear relationship to market share would suggest, but is also a factor in product choice for some large organisations.

Security through minority may be helpful for organisations that will not be subject to targeted attacks, suggesting the use of a product in the long tail. However, finding a new vulnerability in a market leading product is likely harder than for obscure products, as the low hanging fruit vulnerabilities are more likely to have already turned up, which may suggest these products are better for organisations that expect to receive many targeted attacks. The issue is further confused by the fact that new vulnerabilities in minority products cause all known users of that (perhaps easily identified) product to become targets. With market leading products, the likelihood of being randomly targeted with a new vulnerability remains greater.

The whole issue is closely linked with, and in a sense depends upon, the widely used term security through diversity - the wide range of "long tail" minority products is clearly more diverse than a market leader in any product type, so a random attack will be less likely to succeed.

Historical notes

There are conflicting stories about the origin of this term. Fans of MIT's Incompatible Timesharing System (ITS) say it was coined in opposition to Multics users down the hall, for whom security was far more an issue than on ITS. Within the ITS culture the term referred, self-mockingly, to the poor coverage of the documentation and obscurity of many commands, and to the attitude that by the time a tourist figured out how to make trouble he'd generally got over the urge to make it, because he felt part of the community.

One instance of deliberate security through obscurity on ITS has been noted: the command to allow patching the running ITS system (altmode altmode control-R) echoed as ##^D. Typing Alt Alt Control-D set a flag that would prevent patching the system even if the user later got it right.

See also

  • Code morphing
  • Kerckhoffs' principle
  • Need to know
  • Obfuscated code
  • Presumed security
  • Secure by design
  • AACS encryption key controversy

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.