by wolrah
468 days ago
> "Security by obscurity does not work"

The saying is "security by obscurity is not security", which is absolutely true. If your security relies on the attacker not finding it or not knowing how it works, it's not actually secure.

Obscurity has its own value, of course. I strongly recommend running any service that's likely to be scanned for regularly on non-standard ports wherever practical, simply to reduce the number of connection logs you need to sort through. Obscurity works for what it actually offers. That has nothing to do with security though, and unfortunately it's hard in cases where a human is likely to want to type in your service address, because most user-facing services have little to no support for SRV records.

Two of the few services that do have widespread SRV support are SIP VoIP and Minecraft, and coincidentally the former is my day job while I've also run a personal Minecraft server for over a decade. I can say that the couple of systems I still have running public-facing SIP on port 5060 get scanned tens of thousands of times per hour, while the ones running on non-standard ports get maybe one or two activations of fail2ban a month. Likewise my Minecraft server has never seen a single probe from anyone other than an actual player.
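The SRV mechanism the comment relies on, as an added example that is not the commenter's code: constructed zone lines publish SIP and Minecraft on non-standard ports, and a client resolves the connection endpoint with RFC 2782 priority/weight selection. Every hostname, port and record below is made up for illustration.

```python
import random
import re

# Constructed zone-file lines (example values, not from the original post): the
# same services the comment names, published on non-standard ports via SRV.
# Format: _service._proto.owner TTL IN SRV priority weight port target
ZONE = """
_sip._udp.example.net.       3600 IN SRV 10 60 15060 pbx1.example.net.
_sip._udp.example.net.       3600 IN SRV 10 40 15060 pbx2.example.net.
_sip._udp.example.net.       3600 IN SRV 20  0 15060 pbx-backup.example.net.
_minecraft._tcp.example.net. 3600 IN SRV  0  0 25599 mc.example.net.
"""

SRV_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+"
                    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")


def parse_srv(zone_text):
    """Map each owner name to its list of (priority, weight, port, target)."""
    records = {}
    for line in zone_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        records.setdefault(m["name"], []).append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].rstrip(".")))
    return records

def select_target(rrset, rng=random):
    """RFC 2782 selection: lowest priority wins; ties are broken by weighted random."""
    lowest = min(r[0] for r in rrset)
    # RFC 2782 orders zero-weight records first so they are rarely, but possibly, picked
    cands = sorted((r for r in rrset if r[0] == lowest), key=lambda r: r[1] != 0)
    pick = rng.randint(0, sum(r[1] for r in cands))
    running = 0
    for prio, weight, port, target in cands:
        running += weight
        if running >= pick:
            return target, port
    return cands[-1][3], cands[-1][2]  # defensive; the loop always returns

def resolve(service, proto, domain, records, rng=random):
    """Client-side lookup of '_service._proto.domain.' -> (host, port), or None."""
    rrset = records.get(f"_{service}._{proto}.{domain}.")
    return select_target(rrset, rng) if rrset else None
```

A SIP phone or Minecraft client does this lookup before connecting, which is why the server can sit on 15060 or 25599 while users still type only `example.net`.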
|
Every branch of the military would like to talk to you and inform you that sometimes, the enemy not finding the target, or not knowing how the target works, can be extremely, actually secure. Like, still alive secure. I'd argue that's a rather effective security measure in certain situations.
Then there's compartmentalization, need to know, and then all of the security clearance levels...
Leaking classified documents can be considered treason, which is one of very few non-violent crimes you can commit that could result in the death penalty.
The Fed seems to think security through obscurity is a pretty fucking alright thing, seeing as how they use it everywhere.