Security through obscurity
Security through obscurity is a pejorative referring to a principle in security engineering which attempts to use secrecy of design or implementation to provide security. A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that if the flaws are not known, attackers will be unlikely to find them. A system may use security through obscurity as a defense-in-depth measure: even when all known security vulnerabilities are mitigated through other measures, public disclosure of the products and versions in use makes them early targets for newly discovered vulnerabilities in those products and versions. An attacker's first step is usually information gathering, and this step is delayed by security through obscurity. The technique stands in contrast with security by design and open security, although many real-world projects include elements of all these strategies.
Security through obscurity has never achieved engineering acceptance as an approach to securing a system, as it contradicts the principle of "keeping it simple". The United States National Institute of Standards and Technology (NIST) specifically recommends against security through obscurity in more than one document. Quoting from one, "System security should not depend on the secrecy of the implementation or its components."[1] Despite this, many United States Military Standard specifications have been deprecated since 2003, which was argued to promote innovation and/or cost reductions.[clarification needed]
Background
There is scant formal literature on the issue of security through obscurity. Books on security engineering will cite Kerckhoffs' doctrine from 1883, if they cite anything at all. For example, in a discussion about secrecy and openness in Nuclear Command and Control:[2]
- [T]he benefits of reducing the likelihood of an accidental war were considered to outweigh the possible benefits of secrecy. This is a modern reincarnation of Kerckhoffs' doctrine, first put forward in the nineteenth century,[3] that the security of a system should depend on its key, not on its design remaining obscure.
In the field of legal academia, Peter Swire has written about the trade-off between the notion that "security through obscurity is an illusion" and the military notion that "loose lips sink ships"[4] as well as how competition affects the incentives to disclose.[5]
The principle of security through obscurity was more generally accepted in cryptographic work in the days when essentially all well-informed cryptographers were employed by national intelligence agencies, such as the National Security Agency. Now that cryptographers often work at universities, where researchers publish many or even all of their results and publicly test others' designs, or in private industry, where results are more often controlled by patents and copyrights than by secrecy, the argument has lost some of its former popularity. An example is PGP, released as source code and generally regarded (when properly used) as a military-grade cryptosystem. The wide availability of high-quality cryptography was disturbing to the US government, which seems to have been using a security-through-obscurity analysis to support its opposition to such work. Indeed, such reasoning is very often used by lawyers and administrators to justify policies designed to restrict high-quality cryptography to those authorized by a given state.[citation needed]
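Kerckhoffs' doctrine quoted above, that security should depend on the key and not on the design staying obscure, as an added example that is not part of this article: two toy check-value schemes, one whose only protection is an unpublished formula and one whose public design (HMAC-SHA256) rests on a secret key. Both schemes and the `design_leak_impact` helper are constructed for illustration and are not taken from any real product.

```python
import hashlib
import hmac
import secrets

# Scheme A: the protection is the secrecy of the *design*. These constants are
# not a key; they are simply part of an unpublished formula (constructed here).
_OBSCURE_CONSTANT = 0x5A
_OBSCURE_ROTATION = 3

def obscure_tag(payload: bytes) -> bytes:
    """One-byte check value whose only protection is an unpublished formula."""
    acc = _OBSCURE_CONSTANT
    for b in payload:
        acc = ((acc << _OBSCURE_ROTATION) | (acc >> (8 - _OBSCURE_ROTATION))) & 0xFF
        acc ^= b
    return bytes([acc])

def verify_obscure(payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(obscure_tag(payload), tag)

# Scheme B: the design (HMAC-SHA256) is public; only the key is secret.
def keyed_tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def verify_keyed(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, payload), tag)

def design_leak_impact(payload: bytes) -> dict:
    """Model the moment both designs become public knowledge.

    Scheme A: knowing the design is the same as being able to issue valid tags,
    so the tag anyone can compute from the published formula verifies.
    Scheme B: knowing the design gives nothing without the key; a tag computed
    under some other key fails, and rotating the key invalidates old tags
    without any change to the design.
    """
    real_key = secrets.token_bytes(32)      # held only by the legitimate issuer
    other_key = secrets.token_bytes(32)     # what someone without the key has
    rotated_key = secrets.token_bytes(32)   # issuer's response to a suspected leak
    tag_under_old_key = keyed_tag(real_key, payload)
    return {
        "obscure_tag_from_published_formula_accepted":
            verify_obscure(payload, obscure_tag(payload)),
        "keyed_tag_without_key_accepted":
            verify_keyed(real_key, payload, keyed_tag(other_key, payload)),
        "keyed_old_tag_after_rotation_accepted":
            verify_keyed(rotated_key, payload, tag_under_old_key),
    }
```

Only the first result is True: once the formula is known, scheme A has nothing left to protect it, while scheme B survives full disclosure of its design and recovers from a key leak by rotation alone.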
Open source repercussions
Software which is deliberately released as open source experienced a security debacle in the late 1980s; for example, the Morris worm of 1988 spread through vulnerabilities that were obscure, though widely visible to those who looked. An argument sometimes used against open-source security is that developers tend to be less enthusiastic about performing deep reviews than they are about contributing new code. Such work is sometimes seen as less interesting and less appreciated by peers, especially if an analysis, however diligent and time-consuming, does not turn up much of interest. Combined with the fact that open source is dominated by a culture of volunteering, the argument goes, security sometimes receives less thorough treatment than it might in an environment in which security reviews were part of someone's job description.[6]
On the other hand, the absence of an immediate financial incentive to patch a product does not mean there is no incentive at all. Further, if a fix matters enough to a user, having the source code lets the user patch the problem themselves. These arguments are hard to prove. However, research indicates that open-source software does have a higher rate of flaw discovery, quicker flaw discovery, and quicker turnaround on patches. For example, one study[7] reports that Linux source code has 0.17 bugs per 1000 lines of code while non-open-source commercial software generally scores 20-30 bugs per 1000 lines.
Security through minority
A variant of the basic approach is to rely on the properties (including whatever vulnerabilities might be present) of a product which is not widely adopted, thus lowering the prominence of those vulnerabilities (should they become known) against random or even automated attacks. This approach has a variety of names, "minority"[8] being the most common. Others are "rarity",[9] "unpopularity",[10] "scarcity", and "lack of interest".
This variant is most commonly encountered in explanations of why the number of known vulnerability exploits for products with the largest market share tends to be higher than a linear relationship to market share would suggest,[8] but is also a factor in product choice for some large organisations.
Security through minority may be helpful for organisations who will not be subject to targeted attacks, suggesting the use of a product in the long tail. However, finding a new vulnerability in a market-leading product is likely harder than in an obscure product, as the low-hanging-fruit vulnerabilities are more likely to have already turned up, which may suggest[weasel words] that these products are better for organisations who expect to receive many targeted attacks.[dubious] The issue is further confused by the fact that new vulnerabilities in minority products cause all known users of that (perhaps easily identified) product to become targets. With market-leading products, the likelihood of being randomly targeted with a new vulnerability remains greater.[original research?]
The whole issue is closely linked with, and in a sense depends upon, the widely used term security through diversity: the wide range of "long tail" minority products is clearly more diverse than a market leader in any product type, so a random attack will be less likely to succeed.
The argument for security through minority runs counter to a principle observed in nature, in predator-prey scenarios. There, the term "safety in numbers", or "safety of the herd" are observed principles that would argue against the "security through minority" strategy. However, in an extinction event it would be advantageous to fill a minor niche from which to emerge after the previously dominant species are affected (e.g. mammals after dinosaurs).
Security through obsolescence is a related variant: using obsolete network protocols (e.g. IPX instead of TCP/IP) to make attacks from the Internet difficult. ATMs often use X.25 networks.
Historical notes
There are conflicting stories about the origin of this term. Fans[who?] of MIT's Incompatible Timesharing System (ITS) say[citation needed] it was coined in opposition to Multics users down the hall, for whom security was far more an issue than on ITS. Within the ITS culture the term referred, self-mockingly, to the poor coverage of the documentation and obscurity of many commands, and to the attitude that by the time a tourist figured out how to make trouble he'd generally got over the urge to make it, because he felt part of the community.
One instance of deliberate security through obscurity on ITS has been noted: the command to allow patching the running ITS system (altmode altmode control-R) echoed as ##^D. Typing Alt Alt Control-D set a flag that would prevent patching the system even if the user later got it right.[11]
See also
- Steganography
- Code morphing
- Kerckhoffs' principle
- Need to know
- Obfuscated code
- Presumed security
- Secure by design
- AACS encryption key controversy
References
- "Guide to General Server Security". National Institute of Standards and Technology. July 2008. Retrieved 2 October 2011.
- Anderson, Ross (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. New York, NY: John Wiley & Sons, Inc. p. 240. ISBN 0-471-38922-6.
- Auguste Kerckhoffs (January 9, 1883). "La Cryptographie Militaire". Journal des Sciences Militaires: 5–38.
- Peter P. Swire (2004). "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?". Journal on Telecommunications and High Technology Law 2. SSRN 531782.
- Peter P. Swire (January 2006). "A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies". Houston Law Review 42. SSRN 842228.
- Seltzer, Larry (February 22, 2004). "How Closely Is Open Source Code Examined?". eWeek.com. Retrieved 2008-05-01.
- Delio, Michelle (December 14, 2004). "Linux: Fewer Bugs Than Rivals". Wired.
- Kiltak (December 19, 2006). "Mac Users Finally Waking Up to Security". [Geeks are Sexy] Technology News. Retrieved 2008-05-01.
- Schneier, Bruce. "Crypto-Gram Newsletter: August 15, 2003". Retrieved 2008-05-01.
- CmdrTaco (July 23, 2001). "When 'Security Through Obscurity' Isn't So Bad". Slashdot. Retrieved 2008-05-01.
- "security through obscurity". The Jargon File.
External links
- Eric Raymond on Cisco's IOS source code 'release' v Open Source
- Computer Security Publications: Information Economics, Shifting Liability and the First Amendment by Ethan M. Preston and John Lofton
- "Security Through Obscurity" Ain't What They Think It Is by Jay Beale
- Secrecy, Security and Obscurity & The Non-Security of Secrecy by Bruce Schneier
- "Security through obsolescence", Robin Miller, linux.com, June 6, 2002