Steve's Views Rotating Header Image

February, 2024:

Security by obscurity…

Today I spotted this reply someone gave to how to secure something online:

I mean its secure, generally, but your best bet is security by obscurity. hide them (robots.txt), make them accessible from only certain ports / IP addresses.

I felt the need to enlighten the thread rather than leaving such a bad advice:

I’m sorry but security by obscurity is not security. No security consultant worth his salt would ever suggest obscurity is secure. True, it can be a layer on the security union, but you sure cannot rely on it.

It takes mere seconds to locate the unusual port or file name.

There are many common misconception and natural conclusion that people arrive at when they are not actually familiar with the details, and there are indeed very technical details behind computers, software and networking. And not to forget social engineering which is a very effective tool. I saw a survey which indicated that a large percentage of people would give away the company login for a piece of chocolate.

Security is one of the least understood subjects. For your own wellbeing read up on some well established professionals such as https://www.schneier.com.

Large corporations are, unlike popular belief, not automatically more secure. For one they usually have a much larger attack vector (more things open to attack) than a small operation. Take Microsoft, they had their Crown Jewels (source code to Windows) stolen by some hacker.

My stable rule is that if there’s something I really don’t want to share I don’t put it online at all. Before coming here I saw someone’s website advertising a tool to scrape web pages that are hidden behind a login wall.

That’s not to suggest you can’t put reasonable security on things online, but the operating basis you establish is how to deal with a break-in once it has occurred, not if but when.

If you don’t get violated – great! But you are well prepared for it.

As for reason to hack you is not an applicable logic. I often hear people saying that they don’t have anything worth stealing. For one the criminal hacker does not know what you have or not until after he’s broken in. Secondly you have something valuable to any hacker – a different online identity than his/hers.

That is valuable, nay vital, when you go about your criminal activities. Much better to put you in the middle. There is certainly a lot of organized crime and then you have the script kiddies (people who don’t know how to break in but relies on scripts that does it for them).

I have a great story from many moons ago on a security forum. A person, presumably a kid, was challenging people to give him their IP address, saying he would hack them. After a while we got fed up with the noise and one of us gave him an IP address. (Each computer has local IP address which is there so that you can test networking without having an actual network connection. That IP is 127.0.0.1, also known as the loopback address.)

So the kid was given the loopback IP which he immediately fed into whatever script he was executing and he was announcing – Ah you have a E: drive. Watch it disappear. Ah a D: drive, C: drive… and then he was gone. He’d just wiped out his own computer. 🙂

We got a lot of laughs from that one.