by gabriel34 4324 days ago
You are right in this case. The only one who must be informed about how the system works is the client. In this case, the F1 team should know how this security is achieved, not the attackers or the general public.

On the other hand, if it is my information you are securing and if I don't have good reasons to trust you, I want to know how it is being done, even if that means attackers also know. If everyone is your client (for example, if you provide public services), then everyone must know, so they can independently audit the system.

Obscurity can be a layer of security in one system, made, managed and audited by trusted entities, but, generally speaking, it is a weak layer against an attacker with great enough motivation.

On the other hand, obscurity is detrimental to a collective of systems made, managed and audited (or not) by a great variety of entities. Sure, in the real world we place trust in companies to handle their security well, but that has ended badly in the past. The knee-jerk reaction we have to security through obscurity is beneficial because it is a symptom of security issues in the system.

In conclusion, regarding obscurity, the beneficial effect of an extra security layer is only greater than the potential malefic effect of hiding security problems if the entities behind it, including the auditor, are competent and trustworthy. As a rule of thumb it should be avoided or have its bad side mitigated by independent security audits.