Security by Obscurity

 

If you read enough about security in general, you will hear the often-touted principle: do not rely on security by obscurity.  It even has its own Wikipedia page.

You see this advice thrown out a lot when somebody does something like embedding encryption keys in their code.  The developer's assumption is that the code will never be read by anyone and thus the key is safe.  I have personally seen that one cracked in about one minute.

So the advice is good, you should not RELY on security by obscurity.  It cannot be counted on.

However, does that mean you should never use obscurity at all?

A common example is code obfuscation.  A lot of people will tell you there is no point because someone determined enough, or good enough, or who just has a lot of time to waste will be able to break it down.  So absolutely, you should not rely on obfuscation to secure your application (i.e. key hiding).

But my immediate thought is: Why make it easy for them?

Why not cause them more hassle, even if it is not all that much?  What is more, the additional hassle in and of itself will serve as a deterrent for the less determined, or talented, or patient.

So I believe you should assume that any information you obscure will end up in the attacker’s hands no matter what you do.  But, if there is nothing you can do about it (such as somebody reverse engineering your code), then you should obscure it anyway just to be a pain in their ass.  It is not like they are going to thank you for making it easier for them.

posted on Wednesday, January 28, 2009 9:25 AM
Comments
# re: Security by Obscurity
Martin L. Shoemaker
2/27/2009 1:10 PM
More than that: a lot of people (me included) will look on any clear attempt at security as a sign that says, "Oh, he didn't want me to see that. I'll respect that." Yes, some people only see that as a challenge; but I can't believe I'm the only one who respects the "No trespassing" sign.
# re: Security by Obscurity
Mark Flory
2/27/2009 1:17 PM
Oh, you are definitely with the majority on that one. Unfortunately, though, there are just a very few who do not and spoil it for everyone else.
