How effective do you think security by obscurity is, as an addition to whatever else you do? EDIT: I did not describe this very well I am afraid. I was not meaning that you build your system security based on obscurity. What I meant was how do you feel obscurity fares against exploits in certain circumstances for how you do things. Such as use foxit or sumatra instead of adobe reader, or years ago using Opera instead of IE. Maybe its using an alternative to Word so you don't have to deal with VBA. Most replies seem to think, and rightfully so I suppose based on how I wrote it, that I was suggesting "complete system security through obscurity". As I say, I am just wondering how you feel doing those things, on purpose or not, that are not what the majority do or just a much "lesser known", has "helped" your overall security or just how it might have helped one specific aspect. Sorry for the poor wording. We have all heard the term, and many of us, whether we know it or not, benefit from it. A prime example is using something other than Acrobat reader. What do you think, is security by obscurity really security, in the real world? By"real world" I mean what most of us would be LIKELY to encounter. Not interested in whether a determined hacker can crack you or not, because the answer will always be yes, but most of us won't encounter such a person on our personal systems. Sul.
As effective as it will be, until the instant anyone wants it not to be. To say "the answer will always be yes" isn't right. A determined hacker can't exploit my system without significant funding/ experience. At no point does my system rely on obscurity. If I were running XP with an AE I'd be benefiting from obscurity. I'd be running a system that's unlikely to be targeted. I'd remain uninfected until someone cared to infect me. Security is a matter of costs. Obscurity doesn't drive up the cost, at all.
But, you just said a determined hacker can't exploit your system without significant funding/experience So, you are saying that a hacker could exploit your system, providing they have the means to do so? lol, I believe any software written can be exploit, just as you say, if there is the motive and means to do so. Actually, I only included that bit because I was interested to hear how others found obscurity to work for them in "normal" situations that one encounters in everyday computing, not the more theoretical "it can be done" stuff that we all know can be done, but like I said, will likely never happen to us. I don't know if "rely on it" is how one would describe it. Maybe something akin to "not using the exploit magnets" would be more appropriate. I think of things like adobe reader, with all the vulnerabilities that have been found over the years. Or, in the not too distant past, IE and all its issues. Using something "else" didn't mean the "something else" was any more secure, but because of the popularity of things like adobe reader and IE, the mere fact that you used something different greatly reduced your risk, because who really wants to exploit Kmeleon when it only has 0.5% of the populace using it. I get that. I was thinking along the lines of what programs or methods one might use that deviate from the way the "majority" do it. If one used a program not many have even heard of, but had as many flaws as a mainstream one, the obscurity of the program brings better odds (not necessarily better security) against an exploit, which in the end translates to better security simply because you don't get exploited. Kinda hard to actually call it better security because it isn't really any form of security. I don't know what to call it really. Maybe something like "exploit ignored software" lol. Sul.
I prefer speed over security. Foxit is just so much faster than Adobe Reader the fact that it is less target is another plus.
I hope I understand the poll question correctly. Tee hee... Security by using the factor of being unknown is IMO would give you some benefits, but very little that it might barely do anything. Exploits aren't necessarily exclusive to the "top pick" products. But those "top pick" product developers *usually* know what to do to patch the never ending exploits.
I've chosen "Would provide minimal benefits for how I do things" . If there were two choices available I would add "Offers nothing for me at all". That's just for my routine situations, which are most probable.
I refuse to let the possibility of malware affect my thinking as to which programs I will use or that I want to run on my system. That's why we take measures like firewall/HIPS/antivirus/antispyware/hardened browsers/safe browsing practices/sandboxing technologies, etc. But like Hungry Man said....if someone wants in bad enough, it doesn't matter what "obscure" measures you practice. But to avoid using certain software products because "malware authors generally target those" isn't the right way of thinking. Actually, because they ARE targeted more so, the chances are much greater that it will be discovered and a fix issued much sooner than if you are using some "obscure" knock-off product. I mean, look at it this way: There's always a chance we could be killed in a car accident, but I don't see any reason not to drive. Idiots lose control of their cars and drive them into convenient stores or supermarkets all the time. You could be out walking your dog and become another statistic. No need to change the way you live your life because something "could" happen.
Security by obscurity is a very dangerous mindset to have. For one, it's a bomb just waiting for someone to light the fuse. For another, what a lot of people don't get is that with every step vendors of popular software take to make their products more secure, hackers are just going to leave for greener pastures. Guess what pastures those are. They aren't just going to pout and say "Darn you Adobe! Fine, I give up."
Which leads to even more possible holes to squeeze through and exploit. The more crap you load on your system to keep me out, the more doors you give me the opportunity to try and get into.
I chose: Would provide minimal benefits for how I do things If I wanted to secure my system through obscure means, I could probably run a lesser known Linux distro at default installation, with no additional security measures, it could provide me all the apps I need and I'm rather confident it would remain secure, just because I believe "security through obscurity" does provide decent security whether people believe it or not. But this is not the way I want to do things. I just don't like the idea of securing my computers this way.
I use alternate programs simply because I like those programs over the main stream ones. Like Adobe Reader, I don't use it because it's just to heavy for my needs. That and it does not run to well in Linux without help. I use Linux because I like it over the main stream Windows. While there may be some consideration to security factors it is definitely not the deciding factor on the programs I use. Security by obscurity is only good as long as you are obscure. On the Internet that is not an easy task.
My fault I guess for not defining what I meant exactly. Edited the first post and the title to reflect this. Sorry about that. Sul.
lol, that made me laugh. Truly it did. The thought of IE being patched, and the hackers moving on to greener pastures, really, I laughed out loud. I don't understand what you mean TBH. The greener pasture is the one with the most chance of a ROI. And actually, the hacker who cannot crack the latest adobe reader with an exploit, I should think, would indeed say "Darn you Adobe! Fine, I give up", and move on to something easier to exploit, like maybe sumatra, but they give up the ROI, which is why obscurity works in the first place, because its "below the radar" of many exploits because even hackers usually want an ROI. If I were a hacker, and exploited Sumatra (just using it as an example), who am I going to brag to lol? The user base is not going to garner near what an adobe exploit would, which is why the mainstream popular apps are always patching, because the hackers keep hacking. Maybe I just look at it differently (I usually do ) but I personally believe the majority of exploits are for someones gain, whether monetary or ego. Maybe in the blackhat world the idea of "I exploited sumatra just because I could" still exists, but if it does, you sure don't hear about it very often like you do the "big boys". To each his own I guess. But that really did give me a good chuckle about hackers giving up on IE Sul.
"How effective do you think security by obscurity is?" The problem with this question is that it doesn't specify what it's protecting against. You can't quantify security without specifying the adversary. If you're referring to malicious code that's in the wild, obscurity can be extremely effective. Try infecting Win 98 with a typical rootkit or by exploiting a service. The attack will fail before it starts. Referring to just the operating system ATM, theoretically, 98 is very vulnerable. In practice, it will require a targeted attack to be successful against it. At that point, it comes down to your security package/policy vs the attackers skills. Regarding apps, using non-mainstream apps like Foxit or PDFXchange instead of Adobe does reduce the likelihood of a malicious PDF working as it was intended. Here, configuration matters just as much as app selection if not more. Denying the PDF reader internet access, disabling javascript, and not integrating the PDF reader into the browser defeats many attacks. Restricting the PDF apps permissions and parent child settings breaks a lot more attacks. Then there's still the social engineering aspect of such an attack, getting you to open that malicious PDF to begin with. Unless it's a targeted attack, obscurity is an effective component in a security policy.
Some exploit kits automatically determine what exploit is usable. Some of them are designed to exploit multiple Operating Systems as well as multiple third-party software. There are many that can successfully infect vulnerable Windows versions, from 95 to 7 and probably beyond (example: CrimePack Exploit Kit). The popularization and advancements in exploit kits are marking the end of "security by obscurity/minority".
Very true. Some malicious sites have had over 40 different exploits in their arsenal. The hard part from their perspective is determining which one(s) to use. There's only so many ways to determine what software/OS a potential target is running, eg. browser headers, javascript, etc. Obscurity isn't limited to just using less common target apps and/or operating systems. It can just as easily include misrepresenting them. If the detection methods such as headers are spoofed and the javascript is blocked, either by a NoScript type extension or an app like Proxomitron, or they return conflicting information, what exploit does an automated attack choose? Choose wrong, the attack fails and the attacker reveals himself. Target the wrong version of an app or plugin and the attack fails. Target something not allowed by the security policy/package and the attack is detected. The biggest challenge with automated attacks is getting it right the first time. If an attack misses or gets detected, the attacker probably won't get a 2nd shot.
I don't know what's so laughable about it. If it becomes harder to crack, say Adobe Reader than FoxIt, Sumatra or whomever, how is it silly they'll attack these programs? Hackers go after low hanging fruit, that's a fact. Maybe there's a lost in translation thing going on here, lol, but I never said they'd give up on Adobe, IE or whomever. It was more of a comment on hackers not giving up, but just moving on to easier targets, which they will certainly do. If Oracle ever gets its crap together, hackers will focus less on Java and work on something else. Chrome is a great target now that the "untouchable" myth has been broken into itty bitty pieces.
Security through obscurity "would provide minimal benefits for how I do things". By using less common software, I might be less susceptible to an attack/exploit, but I don't build my security policy based on that.
I was laughing at the thought of hackers moving on to greener pastures because it was patched or a new version came out. That browser (IE) has had hole after hole fixed for years and years, and version after version, its still a prime target because so many use it. When you said that as a vendor of popular software make thier products more secure hackers are just going to leave for greener pastures. I am saying, if that is so, why are the same programs hacked upon time after time to find an exploit? Doesn't sound like they ever left the original pasture to me, maybe they just branched out into other pastures as well lol. I found it humorous because of the prolific exploit history IE in particular has had, it just struck me as funny. Regardless of how many less exploits there are today, I guess I don't see as its lost its appeal to exploit because the payoff could be pretty large based of the number of users. If you didn't say they would give up on adobe (or whatever), then what exactly did you mean by on one had saying they would move on to greener pastures but then close the paragraph with saying they aren't just going to give up? lol, I guess I had a picture in my mind of the hackers just giving up but not giving up, as it were I don't find it silly they would attack foxit or sumatra, it would make sense if they don't expect much in the way of ROI (return of investment). I would think it silly, I guess for lack of a better word, that one would attack such applications with such a small user base compared to adobe in this instance. Low hanging fruit I guess that a fair way to look at it, but I'm just no so sure theres always enough low hanging fruit to make it worth the while? Yes, as little as I follow that sort of thing, it is unfortunate to see. It used to be when you used an alternate, you were left alone for the most part, because why go after that when the major apps were so rife with holes, especially on 9x or when everyone on XP was admin and had nothing more than an AV running. Its a shame really, it has always been such a "freebie". You sort of touch on why I was curious about this topic, because there does seem to be fewer and fewer "unknown" apps, at least to me. I can remember when nobody had really heard of Opera (well, nobody being a collective large circle of people I was in contact with). It is suprising now how many have heard of or use things like foxit or sumatra, even 7zip and other applications which used to be the domain of geeks because geeks were the only ones who cared really. I guess it pretty easy these days to go to any number of review sites to find the top 5 archive applications, or the top 10 adobe reader alternatives. And the fact that a lot of people just like to install software lol. So many computer I fix have software that is never used but was installed anyway. Still, its interesting to see how others view things, get some expanded perspective.. which is always good IMO. Sul.
There have been many debates and school of thoughts on the subject and each is right in their own way. My personal belief: "Security by Obscurity" is not security per se in principle and not something to be dependent upon. This is what most folks argue when they say it is "bad". However, I make a concession in that obscurity is another layer which may add value/usefulness in addition to "Security by Design". Here's a few links that share the same sentiments: "Security Through Obscurity" Ain't What They Think It Is The Great Debate: Security by Obscurity Security and Obscurity Revisited In addition to those, I think a few of the quotes from "Sun Tzu, the Art of War" provides an interesting insight when you apply it to the subject at hand. Different folks have different interpretations but this is how I look at it: a) One should not depend solely on 'security by obscurity'. b) Obscurity is a good layer in addition to security by design.
Okay, then in this case it probably fares quite well for the way I do things because I browse primarily with Firefox, although it is now a quite popular browser, even if it's not the one hackers are going after as much as IE, but this I'm not sure about. It has a built-in pdf viewer as well so I suppose that helps too. I do, however, want to emphasize I never feel: "since I'm using obscure applications, I'm secure so I don't have to concern myself with system security to remain secure"
