Internet Sellout

Demand Unearned Rewards

Security through Obscurity is the Best

"This is not real security, security through obscurity is not secure."

I heard this over and over again in my early days and I started to believe it. I even railed against Microsoft for a while, in emails, on forums and on support calls, about the FrontPage Extensions and their use of generic credentials that could enable one user to read the contents of another user's site back end by script in a shared hosting environment. At one point they advocated making the path of these websites obscure by having the home folder of each have a randomly generated directory name like:


Another thing I was told was:

"Look my dude, if you knew about the insecurity of the Jet engine and those potential exploits you would understand this is the least of our problems."

However, now that my career is almost over, I can tell you I no longer think security through obscurity is a bad thing. In fact, it may be the only reasonable path. Let me outline my argument:

  1. In light of the potential of bad-faith influence upon standards, best-practice encryption may be much worse than promised.
  2. We all start to take encryption on faith, that this is a transparently solved problem. It sounds democratic but it is also elitist.
  3. Most people cannot comprehend the weaknesses of complex systems especially if they depend on mathematical proofs.
  4. There is a paradox in mathematically provable improbability.
  5. Mathematically provable security/encryption is necessary because of the desire to standardize.
  6. Standardization is the key to Interoperability.
  7. Interoperability is the key to Ubiquity.
  8. Ubiquity is the key to total technological mediation, savior machines and freedom through automation.
  9. It is an inevitable hell but with varying mitigations.
  10. Overt sabotage is a mistake.
  11. Using human eccentricity and unknown, possibly absurd methodologies can be less predictable than known standardized methodologies and it leaves a component of privacy in human hands.
  12. It will be a crime to have unbreakable encryption.
  13. It will not be a crime to use non-standard techniques of obfuscating secrets.
