Criticism

Security by obscurity alone is discouraged and not recommended by standards bodies. The National Institute of Standards and Technology (NIST) in the United States recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."[9] The Common Weakness Enumeration project lists "Reliance on Security Through Obscurity" as CWE-656.[10]
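The distinction in the NIST wording can be shown with a small added example (not part of the original article). It contrasts a token check whose only secret is its implementation with one whose algorithm is public and whose only secret is a replaceable key; the toy scheme and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# --- Weak (CWE-656 pattern): the only "secret" is the algorithm itself ---
def obscure_token(user: str) -> str:
    # Constructed toy transform: reverse the bytes, XOR with a constant, encode.
    scrambled = bytes(b ^ 0x5A for b in user.encode()[::-1])
    return base64.urlsafe_b64encode(scrambled).decode()

def obscure_verify(user: str, token: str) -> bool:
    return hmac.compare_digest(obscure_token(user), token)

# --- Sound: public algorithm (HMAC-SHA256), secrecy confined to the key ---
def keyed_token(key: bytes, user: str) -> str:
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()

def keyed_verify(key: bytes, user: str, token: str) -> bool:
    return hmac.compare_digest(keyed_token(key, user), token)

def source_reader_passes_obscure_check(user: str) -> bool:
    """Someone who has only read the code (leak, decompilation, insider)
    re-implements the transform and is accepted by the weak check."""
    reimplemented = base64.urlsafe_b64encode(
        bytes(b ^ 0x5A for b in user.encode()[::-1])).decode()
    return obscure_verify(user, reimplemented)

def source_reader_passes_keyed_check(server_key: bytes, user: str) -> bool:
    """Same knowledge of the code but not of the key: the keyed check
    rejects a token computed under any other key."""
    other_key = secrets.token_bytes(32)  # stands in for "does not know the key"
    return keyed_verify(server_key, user, keyed_token(other_key, user))

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("obscure scheme accepts re-implemented token:",
          source_reader_passes_obscure_check("alice"))
    print("keyed scheme accepts token without the key:",
          source_reader_passes_keyed_check(key, "alice"))
```

If the key in the second scheme is exposed it can be rotated, whereas exposure of the first scheme's implementation requires redesigning and redeploying the mechanism.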


A large number of telecommunication and digital rights management cryptosystems use security through obscurity, but have ultimately been broken. These include components of GSM, GMR encryption, GPRS encryption, a number of RFID encryption schemes, and most recently Terrestrial Trunked Radio (TETRA).[11]


One of the largest proponents of security through obscurity commonly seen today is anti-malware software. What typically occurs with this single point of failure, however, is an arms race in which attackers find novel ways to avoid detection and defenders devise increasingly contrived but secret signatures to flag them.[12]


The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.

Obscurity in architecture vs. technique

Knowledge of how the system is built differs from concealment and camouflage. The effectiveness of obscurity in operations security depends on whether the obscurity is layered on top of other good security practices or is used alone.[13] When used as an independent layer, obscurity is considered a valid security tool.[14]


In recent years, more advanced versions of "security through obscurity" have gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception.[15] NIST's cyber resiliency framework, 800-160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment.[16]
