Sunday, December 08, 2013

Security Through Obscurity Analogy

I missed my November post, which had me thinking about productivity again. Going back through my notes on blog post ideas I always seem to come back to security.

To be honest, I don't like security. I'd much rather live in a perfect world where it wasn't necessary. On the other hand, the need for security drives innovation.

Poor guy is going to get made fun of by the geek
community for the rest of his acting career, but my gf
thinks he's cute and that's what matters to actors.
One of my favorite misunderstood security phrases is "security through obscurity". Even though it is what it sounds like, Hollywood has been known to misuse it (No Mr. Bond writers--I expect you to Google phrases before you use them).

As an IT guy working for smaller companies I've had the luxury of making practical use of security through obscurity. It comes down to the fact no one cares or knows my servers exist. Even if they did know about them there isn't anything on them worth the effort.

I'd imagine this is true for the majority of businesses, which is why only the big corporations with real secrets higher security experts. The rest of us are okay with patches from Microsoft and Canonical.
For years I've had conversations about the phrase. Eventually I started using an analogy, and then expanded on it.

Think of the idea of security through obscurity as an unlocked box filled with a million dollars somewhere in New York city. No one knows where the box is, what is in it, or even that it exist. The box is obscure. It is secured only by the this fact no one knows about it. If someone was to stumble upon it, they'd get a million dollars.

Now normal security practices might put a luggage lock on this box. If anyone stumbles on it they will see it's locked and move on unaware of the box's value. If this is analogous to the Internet there are now hundreds of thousands of boxes all over the city. Most filled with pocket change and not worth the effort to break the luggage lock. A mischievous person might break into a few boxes just to see if they can, but odds are they will get nothing of value out of it.

Of course, we could extend the analogy to include large corporations that have security experts to better secure their box (maybe a bullet proof master lock). Just like in the real world that will let people know there is something better in that box than the others. Perhaps this makes them a target, maybe it makes some steer clear... I couldn't say, I'm not a mischievous hacker.

All I can say for sure is the luggage lock that protects my worthless box that looks like the other millions of worthless boxes has always worked for me. I enjoy reading others weigh in on these kinds of topics, but when it comes down to it "security through obscurity" is what most of us use because in the grand scheme of things there isn't much worth protecting.

Actual actual reality: nobody cares about his secrets.
(Also, I would be hard-pressed to find that wrench for $5.)

1 comment:

The Editor said...

Course he's cute, and really, that's not all that matters.

He does have a nice head of crazy hair. If you're going to have me edit posts, definitely add pictures of him.

Also - love the post, content wise, I did enjoy reading about it. A program the method of "security through obscurity" reminded me of was TrueCrypt. Sure you know all about it.