Saturday, January 2, 2010

Threats And Security

FLG was searching for something while rebuilding his computer and came across several typical rants against security through obscurity. So many people thoughtlessly repeat "Security through obscurity is no security at all," which is complete bullshit.

If your adversary is a determined attacker who is after you specifically, then it's not very helpful. However, if, like most people, you are simply targeted at random by automated bots, viruses, worms, etc., then it sure as hell can be.

For example, web servers normally run on port 80. Consequently, most automated threats will scan the network or Internet for port 80 because 99% of the time that's where they'll be. It's a waste of time to scan all ports to find the handful of web servers that are running on another port. So, if you run your web server on some other, random port number, then you won't be found.

Security through obscurity is kinda like putting up those fake alarm system stickers on the windows. Sure, they're bullshit and a professional cat burglar is going to laugh. But the criminals cruising the neighborhood at random looking for soft targets will probably stay away because the house next door looks easier by comparison.

A small oddity which throws off the assumptions attackers make when coding some automated script is probably enough to protect you from most attacks. (Some consider this a subset of "security through obscurity" called "security through minority," like how using a Mac makes you safer because it's less of a target.) This isn't to say you shouldn't take additional measures like activating firewalls and using strong passwords, but it will keep you below the radar, which, in FLG's book, is indeed security.

The vast majority of people aren't being personally targeted by determined hackers or government agencies. Many people FLG sees offering advice on message boards have a vastly oversized conception of the threat and make crazy, overcomplicated recommendations. His personal favorite is that people should overwrite their data 35 times using the Gutmann method because, hypothetically, using an electron microscope, mind you, your data might be recovered. When it comes to encryption passphrases and algorithms, people are similarly nuts. You should use good encryption like PGP, GPG, or TrueCrypt, but if FLG was some Evil Intelligence Agent, then he'd just beat the shit out of you until you told him. And that whole "torture doesn't work" thing kinda goes out the window when FLG's got a laptop that he can test your password with in the room with him.

It's always more important to keep the overall threat in mind. This applies whether you are talking about securing your computer or protecting the country from terrorists. Unfortunately, many people, whether they be message board posters or government bureaucrats, instead become myopically focused on the specifics of the countermeasures.

2 comments:

Anonymous said...

Good point. For Westergaard, for example, security through obscurity is not a good option: http://www.timesonline.co.uk/tol/news/world/article6973966.ece
For me, I would like to keep it a good option... dave.s.

FLG said...

I wish I could find it, but apparently somebody painted a bullseye on an antelope or zebra to see what would happen. And wouldn't you know it, but the lions attacked the one with the bullseye.

This work is licensed under a Creative Commons Attribution-No Derivative Works 3.0 United States License.