Security ‘net: Security by obscurity
This week I have two major themes to discuss on the topic of security, and one interesting bit of research. Let’s start with some further thoughts on security by obscurity.
First: Obscurity isn’t security
I’ve heard this at least a thousand times in my life as a network engineer, generally stated just about the time someone says, “well, we could hide this server…” Reality, of course, is far different; I still put curtains on my house even though they don’t increase the amount of time it takes a thief to break in. Whether or not we want to believe it, obscurity does play a positive role in security.
But there are two places where obscurity is a bad thing in the world of security. The first is the original reference of this common saying: algorithms and implementations. Hiding how you encrypt things doesn’t improve security; in fact, it decreases the overall security of the system. The second place? Communication between companies and security professionals about the types, frequency, and methods of attack. Imagine, for a moment, that you were commanding a unit on a battlefield. You hear the sounds of combat in the distance. Realizing a unit in your army is Continue reading