Security through obscurity: Difference between revisions
Edit summaries: "sometimes just means not documenting/reviewing the security features"; "m fmt" (minor edit: formatting)
(One intermediate revision by one other user not shown)
{{Main|Security}}
'''Security through obscurity''' is a practice where companies obfuscate or hide the logic behind their product to supposedly enhance their security. It also includes practices like not revealing details of a system, in the hopes that this will make it more secure. Robust review by a number of experts typically enhances security, since more flaws are found and either fixed, or more secure alternative products are sought. Security is often an afterthought, or not a priority, in products. Trying to keep people from knowing the details of security sometimes obscures known deficiencies.
==Obscurity techniques==
Obscurity in practice involves intentionally altering the appearance of something to make it difficult to understand, while keeping its end function unchanged. In software development, obscurity is often used because it can be implemented automatically; however, it is also possible to apply obscurity in hardware. Companies use various methods to achieve this, such as:
*'''Software refactoring:''' Companies may refactor computer code in production by renaming identifiers from human-intelligible names to machine-generated ones. As an example, the function <code>sendKey</code> may be renamed to <code>f_019278</code> throughout the entire codebase. This does not truly promote security, because any person can reverse-engineer what the code does and come up with their own naming scheme for the renamed values. A prime example of this is the video game Minecraft, whose source code is refactored in production. Minecraft's code refactoring was bypassed years ago, and projects such as the [https://docs.spongepowered.org/5.1.0/en/plugin/internals/mcp.html Minecraft Coder Pack] provide environments where intelligible code is viewable.
*'''Software obfuscation:''' Companies may obfuscate computer code by changing the instructions. This may include adding instructions that do meaningless actions or replacing actual instructions with more complicated ones. The result of this obfuscation is always that the program's functionality is unchanged, even though the steps are different and possibly unintelligible. This can also involve adding decoy code that has no purpose at all and merely exists to slow reverse-engineering.
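As an added illustration (not part of the wiki article or any product it mentions) of why the two techniques above change nothing about what a program does, the following Python script renames every user-defined identifier in a constructed <code>sendKey</code> function to <code>f_NNNNNN</code>-style names, inserts one decoy statement, and checks that the obscured copy still computes the same result; the sample function, its checksum arithmetic and the numbering scheme are made up here.

```python
import ast

# Constructed sample program (not from the page): sendKey mirrors the article's
# example name and simply computes a checksum over a key.
ORIGINAL_SOURCE = """
def sendKey(secretKey, salt):
    total = 0
    for ch in secretKey:
        total = (total * 31 + ord(ch) + salt) % 65521
    return total
"""

class Renamer(ast.NodeTransformer):
    """Rename user-defined functions, parameters and locals to f_NNNNNN and add
    one decoy statement; control flow and arithmetic are left untouched."""

    def __init__(self):
        self.mapping = {}  # original name -> obscured name

    def _obscure(self, name):
        if name not in self.mapping:  # deterministic, collision-free numbering
            self.mapping[name] = "f_%06d" % (19278 + 12345 * len(self.mapping))
        return self.mapping[name]

    def visit_FunctionDef(self, node):
        node.name = self._obscure(node.name)
        for arg in node.args.args:
            arg.arg = self._obscure(arg.arg)
        # Decoy statement, as under 'software obfuscation': it runs but nothing uses it.
        node.body.insert(0, ast.parse("decoy = 0 * 1").body[0])
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        # Builtins such as ord() keep their names; renaming them would break the program.
        if node.id in self.mapping or isinstance(node.ctx, ast.Store):
            node.id = self._obscure(node.id)
        return node

def obscure(source):
    """Return (obscured source, name mapping) for the given Python source."""
    renamer = Renamer()
    tree = ast.fix_missing_locations(renamer.visit(ast.parse(source)))
    return ast.unparse(tree), renamer.mapping

def run(source, func_name, *args):
    """Execute source in a fresh namespace and call func_name(*args)."""
    namespace = {}
    exec(source, namespace)
    return namespace[func_name](*args)
```

The returned mapping is the whole "secret": a reviewer reading the obscured output sees the same loop and arithmetic, so the renaming buys no protection, only inconvenience.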