Updated: Oct 29, 2020
Obscurity does not apply if folks know the mechanism you are using and they just have a resource issue. Using a defense that is known but a hidden secret is a well-established part of security, and it has been for millennia. The question is whether you are concealing the mechanism or the key. Even if your enemy knows you are camouflaged somewhere in the dessert all their work remains ahead of them. In summary, you just made it more difficult for the enemy to successfully strike you by giving them a source issue. Sure, they could check under every rock in Central Park and finally discover the bundle, but you'll be done with the assignment by then. No. And here is why. Oh man, that is nothing but Security by Obscurity...
In all those cases we've got something that's being hidden. We are concealing the frequency we're using. We are hiding the location of this dead-drop. We are hiding the location of the tank in the desert making it look like sand. And we are hiding which limousine the President is really in so it will be more difficult to attack him. I did an experiment one weekend and got ~10,000 probes on port 22 and 4 to some random high port. Allow me to repeat that a few distinct ways, with illustrations. There are a number of good reasons to not move SSH ports in certain environments, such as usability. Significantly, it is very expensive to take some opportunity to assess all the places the goal may be. To get a camouflaged tank. All of these are well-known by attacker and defender. It's confusing because vague and conceal are very similar. I just came across another article on hacker news talking about why you should not move your SSH port from 22 because it is Security by Obscurity. It's a fact that Security by Obscurity is poor; the problem is many individuals don't have any idea when it applies. Including the majority of the individuals being loudest about it.
Allow me to tell you the key to the debate that will permanently solve it for you. Everyone knows what's happening. Everybody knows that the tank is someplace from the desert, they simply can not see it to take it. Everybody knows the President is in one of these three helicopters, but it is way more dangerous and costly to guess which one and fire. With the dead-drop, you understand the package is somewhere in Central Park, but you do not know where. Certain types of security controls (such as encryption) have two elements: the mechanism, along with the key.
It is a conversation ender. If you hide the way the algorithm works, you are using Security by Obscurity. And that is bad. All of us agree there. It is nice that people know you changed your SSH port. But now they must scan all ports and discover the new one. Sure, that isn't overly hard, but how many folks are really going to do that? Increasing attacker campaign is invaluable.
Frequency hopping on a radio system to Prevent eavesdropping
A dead-drop mechanism used by spies to swap notes and bundles
Using camouflage on tanks and airplanes in war
Using decoy limos for heads of state in hazardous regions
Security by Obscurity is when you hide the way the safety measure works, not when you keep some portion of it a secret.
Read More of our blogs at Woodsllp.com