Security by obscurity

A lot of wanna-be IT-experts claim that ‘security by obscurity does not work’. That’s a load of horseshit. Every magician knows it works. Their whole profession is based on the success of obfuscation. What one does not notice, one will not take note of. What you see, you will act upon. If it’s easier to find, it’s less secure.

Take for example the (wonderful) web-based server administration software called Webmin. When you install this package on your server, it will immediately be accessible on port 10000 in your browser (http://server-address:10000). Because of that, everybody knows where to look for users who use webmin: Scan for port 10000. And as soon as some kind of vulnerability gets known about webmin, optional victims are easily found. Using webmin on its standard port is like saying:
“Hey there, I’m one of those strict idiots always using every standard setting, come look at my default machine, everything is stock config here! Come look, you will have it easy because everything works as advertised! By all means, see for yourself! No obscurity implemented here!”
Proving why security by obscurity does work: It will confuse the person who wants to break security, and it will cause a huge time-delay for your server security to be broken, if not prevent it from happening entirely! People wanting to do evil are people wanting to do evil. Often lazy, and usually idiots making mistakes like every other human being does. They assume, and they take risks, and more risks need to be taken when you have obscured things for them. The attackers suddenly need to think: “Why did he/she do this? What kind of strange machine is this?” So I say:
Security by obscurity works wonders. It will *always* be much more secure to obscure than to be insecure. It will chase away those who expect standard insecure setups. Obscurity is one hell of an extra security layer you should never underestimate.

Leave a Reply