Security Basics mailing list archives

Re: Concepts: Security and Obscurity


From: "Joe Yong" <justasqlguy () gmail com>
Date: Tue, 10 Apr 2007 22:59:23 -0700

I'm really curious to know if some of the folks who responded to this
thread really gave the article a fair and honest chance by reading
objectively or just jumped in and started hammering as soon as they
saw the words security and obscurity in the same line.

Half the responses are slamming security that is dependent exclusively
or heavily on obscurity. Was that really what the article proposed?
Show me where. It's been a while since high school English classes so
I will be the first to admit I can misread things at times.

From what I can tell, the article proposes that adding obscurity to an
already well secured system can add benefits. While I think the
analogy used in the article is pretty weak, the idea is not.

Quite a few security researchers have done this but feel free to try
it for yourself. Set up some server application that is a common target
for attacks (just so you'll get some quick responses) using standard
secure configuration and set up another one in exactly the same secure
way but listening on some completely off-the-wall port and non-default
protocol. Track how many attempts you get on each.

Again, security that is heavily or solely dependent on obscurity is
bad - I don't think there'll be a lot of contention there. However,
Mr. Miessler is proposing that if you already have reasonable security
measures in place, obscurity can provide an added layer. This
actually does help in many situations. Is it a security cure-all?
Well, is anything?
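To actually measure the comparison the post suggests, here is an added example that is not part of the original mail: it counts inbound TCP SYN attempts per listening port from constructed netfilter-style log lines. The ports (22 as the default, 48211 as the off-the-wall one), the addresses and the log format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed netfilter-style log lines (not from the original post): the same
# service runs on its default port 22 and on an off-the-wall port 48211.
SAMPLE_LOG = """\
Apr 10 22:01:03 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51012 DPT=22 SYN
Apr 10 22:01:04 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51013 DPT=22 SYN
Apr 10 22:02:11 gw kernel: IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Apr 10 22:03:45 gw kernel: IN=eth0 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Apr 10 22:05:09 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=51020 DPT=48211 SYN
Apr 10 22:05:10 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=51021 DPT=48211 SYN ACK
Apr 10 22:06:30 gw kernel: IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)(?P<flags>.*)$")

def count_attempts(log_text, ports):
    """Count inbound TCP connection openings (SYN without ACK) per monitored
    port, together with the number of distinct source addresses per port."""
    attempts = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("proto") != "TCP":
            continue
        flags = m.group("flags").split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # skip SYN/ACK replies and non-SYN packets
        port = int(m.group("dpt"))
        if port in ports:
            attempts[port] += 1
            sources[port].add(m.group("src"))
    return {p: {"attempts": attempts[p], "sources": len(sources[p])} for p in ports}

def compare(log_text, default_port, obscure_port):
    """Return per-port stats and how many times more attempts the default port saw."""
    stats = count_attempts(log_text, {default_port, obscure_port})
    obscure = stats[obscure_port]["attempts"]
    ratio = stats[default_port]["attempts"] / obscure if obscure else float("inf")
    return stats, ratio

if __name__ == "__main__":
    stats, ratio = compare(SAMPLE_LOG, 22, 48211)
    print(stats, f"default port saw {ratio:.1f}x the attempts")
```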

