
I have to disagree

I have to back up the purist position.
Although I would agree that obscurity can add value, I can't agree that it necessarily makes any security plan better.
What obscurity does do is make weak security plans better. From a utilitarian point of view, you could argue that since you can't know for sure a system is secure, adding obscurity adds value. The opposing view would be that adding obscurity gives users a false sense of security, which then allows highly intelligent attacks to be more successful. In the case of CodeRed, Microsoft had been open about the exploit and a patch had been made available a month before. Any company with a responsible system admin team would have been protected. Indeed this isn't the case for most companies and hence the problem (obscurity protects weak systems).

I'm willing to buy that obscurity is a useful short-term hack before known vulnerabilities can be patched.
If you want to argue the exceptional theoretical case that a password/key itself is by its defined purpose the most obscure data we can create, then everyone would agree with that.

Daniel Gerson
