Nobody in here but us chickens!

March 27, 2007 – 7:01 pm

Dmiessler makes a good point I’d been meaning to make myself: the axiom against ‘security through obscurity’ is often taken too far. First of all, any kind of cryptography, whether the algorithms are publicly known or not, always ultimately relies upon ‘obscurity’ in the form of an unrevealed piece of information, the key. Second, well, just ask Osama bin Laden.

Arguably this comes down to a semantic disagreement: ‘obscure’, here, surely means ‘unrevealed information’, but the authors of the phrase ‘security through obscurity’ also seem to assume ‘obscure’ implies ‘reliance upon unrevealed information that is guessable by brute force means (no matter how arduous, as long as it’s doable) or derivable by logic (no matter how byzantine)’. I don’t think everyone shares that definition, hence a lot of unnecessary back-and-forth around this slogan. (Not that there isn’t a real substantive disagreement here—just that much of the argument is probably unnecessary.)
