lucketone 5 hours ago

All modes of cyber security depend on some obscurity (e.g. password). Ideally we want a viable plan B for when it's leaked/figured out (e.g. generate new passwords). (For convenience let's label air-gap as a kind of physical security.)
pdpi 3 hours ago | parent | next

> All modes of cyber security depend on some obscurity (e.g. password)

That's not what the expression means. "Security through obscurity" has a very specific meaning — that your system's security depends on your adversary not understanding how it works. E.g. understanding RSA is a few Wikipedia articles away, and that doesn't compromise its security, so RSA isn't security through obscurity.
sroussey 2 hours ago | parent | next

No, "security through obscurity" is a valid and useful layer. A lot of weight hangs on your word "depends" though, in which case if it is the only layer then you will eventually have, uh, problems. I've used it for a long, long time. Like in 1999 I'd have a knock on certain ports in a certain order to unlock the ssh port. And lots of weird stuff to stop forum spam. Which could work for weeks or months or even a year.
pdpi an hour ago | parent

Port knocking isn't security through obscurity. Knowing that you have a port knocking system in place doesn't tell me what specific sequence of knocks will open up the service I want to target. Even just a two-knock sequence gives you a key with 32 bits of entropy, which makes it trivial to block attempts at brute-forcing the key.
ZoomZoomZoom 37 minutes ago | parent

I don't see how your argument makes sense. It's all just bits of entropy in the end, be it knowing a port to connect to or a character in your key.
pdpi 15 minutes ago | parent

Yeah, absolutely. That was precisely my point — requiring a secret (be it a password or the private part of an asymmetric key) isn't security through obscurity, and finding the sequence of knocks is equivalent to finding a password of equivalent complexity.
strken 2 hours ago | parent | prev

Lucketone likely knows this and was pointing out that "obscurity" is a misleading word to use when talking about systems which all rely on obscurity, in the plain English sense of the word.
pdpi an hour ago | parent

We're in a technical forum, discussing a term of art that refers to a very specific bad practice. Lucketone's argument is essentially saying that the bad practice itself isn't actually a bad practice, by equivocating the term of art and the plain-language definition.
0123456789ABCDE 4 hours ago | parent | prev

I don't know a lot about the subject, but the little I know tells me this is not the way to look at this. Your password (plain text) is secret because only you are supposed to have it. In the digital realm, sharing the contents of the password (plain text) is akin to making a copy of it — undesirable. Now, the algorithm that hashes the plain text for comparison with the stored hash, that can be known by anyone, and typically is. So password ≠ hashing algorithm.
lucketone 4 hours ago | parent

Yes. Password and hashing algorithm are distinct things. I fully agree with you.