[lugg]

I'm not exactly disagreeing with you here. I just dont understand how that is different from obscuring your attack surface making you less likely to be targeted by some sort of mass generic attack vector.

Nobody argues security through obscurity doesn't work in some form, we argue that it doesn't make you secure as a matter of fact. Much like using some obscure SSL implementation. It sure does have the net effect of making you less likely to fall victim but that isn't security that is obscurity.

[bch]

It's not about "obscure SSL implementations", it's "alternative implementations", and letting different projects theoretically play off each others strengths and mitigating consumer risk similar to investing in an index or mutual fund rather than all-in with any single entity.

Also, there's nothing wrong with security through obscurity, but please don't let that be your only security.

[lugg]

As someone else has already pointed out that could be better classified as risk management than the way I originally put it.

The problem with security through obscurity is that it is not security. Kind of what people mean when they bring it up.. At least in my circles anyway.

It is fine to have security through obscurity but you can't, much like the alternative implementation scenario claim it makes you more secure as a result. Its exactly like when apple claimed they were more secure and couldnt get viruses like their PC counterparts.

That is what I was trying to bring to the conversation when I made my first post. I get the feeling were starting to move off topic / split hairs over words now so I'm going to leave it at that I dont think I can explain myself any further.

[bch]

> The problem with security through obscurity is that it is not security.

I'm sure we'd like each other if we sat down over coffee, and would find more in common than, not, but I have to politely disagree with you here. It does offer a degree of security, and I can give you a challenge that is measurably testable:

Move your sshd from 22 -> (eg) 222, and watch the hack attempts disappear.

Now, in the context of "remote logins", moving telnet from 23 -> 223 offers a _degree_ of security from a casual person connecting to port 23 and trying their luck, but we all know that telnet is a poor remote access tool these days. Switching from telnet to ssh is security by technology (encryption, mechanism (ie: keys vs passwords)). Moving sshd from port 22 -> 223 keeps that many more people from knocking on the door, no matter what other security is setup. "Security by Obscurity" adds to "Proper" security.

Surely we're both on the same page that, given better options, security solely through obscurity is stupid.