On 3/25/2014 10:38, Les Mikesell wrote:
> On Fri, Mar 21, 2014 at 4:18 PM, <m.roth at 5-cent.us> wrote:
>>>
>>> #5 (non-standard port) is very useful.
>>
>> Huh! That's the *only* rationale I've ever heard for security through
>> obscurity that actually makes sense.
>
> It's all obscurity even if you think you can call it something else.

The original term of art has gotten stretched out of its original shape.

"Security through obscurity" originally referred only to practices intended to confer security purely through obscurity. As soon as you learn the secret, the security is gone.

Security practitioners started beating "security through obscurity is bad" into people's heads, until now people have this knee-jerk reaction to *any* obscurity, as though obscurity is bad in and of itself.

Moving Telnet to port 2323 is security through obscurity. Moving SSH to port 2222 is defense in depth, because you still have security after an attacker penetrates the obscuration layer.

For another example, think about network switches. They prevent trivial snooping on your neighbor's traffic. ARP poisoning can defeat this security-through-obscurity, but that's no reason for us to all go back to dumb hubs. To the extent that it confers security at all, switched Ethernet is one layer in a good layered defense incorporating switches *and* subnets *and* VLANs *and* encrypted tunnels.

Still another example: ASLR. ASLR doesn't prevent buffer overflow attacks, it just makes them a lot harder to craft.
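The "SSH on 2222" argument above, turned into a small audit script as an added example (not code from the thread or from OpenSSH): it parses a few real sshd_config directives and lists which protective layers still hold once an attacker has found the moved port. The two sample configurations are constructed for illustration, and the thin/layered labels are this example's own terms.

```python
from typing import Dict, List

# Constructed sample configurations, not taken from any real host.
PORT_ONLY = """
Port 2222
PasswordAuthentication yes
PermitRootLogin yes
"""

LAYERED = """
Port 2222                   # the obscuration layer
PasswordAuthentication no   # public keys only
PermitRootLogin no
MaxAuthTries 3
"""

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lowercase directive -> value; first occurrence wins, as in sshd."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def layers_behind_port(conf: Dict[str, str]) -> List[str]:
    """Protections that hold after the port is known.  SSH's own encrypted,
    authenticated transport always counts (the thing Telnet lacks); hardening
    directives count only when set explicitly, since defaults vary by version."""
    layers = ["encrypted, authenticated transport"]
    if conf.get("passwordauthentication", "").lower() == "no":
        layers.append("key-only authentication (no password guessing)")
    if conf.get("permitrootlogin", "").lower() == "no":
        layers.append("no direct root login")
    tries = conf.get("maxauthtries", "")
    if tries.isdigit() and int(tries) <= 3:
        layers.append("few auth attempts per connection")
    return layers

def assess(text: str) -> str:
    """Classify: 'standard port', 'moved port, thin' or 'moved port, layered'."""
    conf = parse_sshd_config(text)
    if conf.get("port", "22") == "22":
        return "standard port"
    return "moved port, layered" if len(layers_behind_port(conf)) > 1 else "moved port, thin"

if __name__ == "__main__":
    for name, cfg in (("PORT_ONLY", PORT_ONLY), ("LAYERED", LAYERED)):
        print(name, "->", assess(cfg), layers_behind_port(parse_sshd_config(cfg)))
```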