logoalt Hacker News

rasculyesterday at 7:00 PM8 repliesview on HN

Obscurity can be fine but it's not security. I think of it like cover and concealment in the military. Security is cover. Something you can get behind so the bullets don't hit you. Obscurity is concealment. Harder to see, harder to find, so the enemy doesn't know where to shoot, but it's not stopping any bullets. Both have advantages and disadvantages and can complement each other depending on how they're used.

Replies

neoCrimeLabstoday at 1:55 AM

Agreed with your sentiment, and that was a great example.

Just like any security control, if it's your only means of security, it will not offer much risk reduction. Just like all security controls, the if you want risk reduction use more security controls together. Like all security controls, there is no way to eliminate risk, just reduce it as much as possible while still being able to effectively achieve your mission.

Because of this I believe security through obscurity to be important component in a healthy and mature risk posture.

It irks me when it's dismissed because obscurity is not security. No single security control is security on its own.

mday27yesterday at 7:55 PM

This is an especially good analogy because facing a well-resourced adversary in cybersecurity is like finding out that the enemy brought artillery -- hopefully you weren't relying entirely on obscurity because pretty soon there will be nowhere to hide

show 1 reply
red369today at 1:40 AM

Well off-topic, but did you recently listen to Andy Stumpf on a podcast?

Asking because of the Baader–Meinhof phenomenon :)

show 1 reply
staticassertionyesterday at 7:29 PM

I don't think that really works because obscurity isn't harder to see or find. I don't know the analogy, it's like standing out in the open and being like "yeah but who would think to look here lol".

show 1 reply
lucketoneyesterday at 9:13 PM

All modes of cyber security depend on some obscurity (e.g. password)

Ideally we want a viable plan B, for when it’s leaked/figured out. (E.g. generate new passwords)

(For convenience let’s label air-gap as kind of physical security)

show 2 replies
walrus01yesterday at 10:24 PM

Because I love how seriously the DoD takes newly invented terms, we have:

"The Integrated Survivability Onion"

https://cogecog.com/the-threat-onion/

1. Don't be seen.

2. Don't be acquired

3. Don't be hit

4. Don't be penetrated

5. Don't be killed

It's actually not a bad mental model training aid for teaching people who might find themselves in an active combat environment.

m463yesterday at 11:27 PM

I kind of wonder if the analogy might also carry over to the age of AI.

if you were hiding in cover during ww1, maybe you had a chance.

But if you were hiding from the Terminator, who is "Tireless, Fearless, Merciless", it might not last that long.

same might be said of exploits hiding from people... vs AI.

Lammytoday at 12:09 AM

> Obscurity can be fine but it's not security.

All security is security through obscurity. When it gets obscure enough we call it “public key cryptography”. Guess the 2048-bit prime number I'm thinking of and win a fabulous prize! (access to all of my data)