
Protecting against casual hacking: security through inconvenience

I’ve often heard that "security through obscurity is no security."  I don’t agree with this one bit.  After all, a password is only useful because its value is obscure.  DRM schemes rely on obscurity — they are only effective because the public doesn’t know where or how the secure media’s decryption keys are stored.  Similarly, it actually does help to use a non-standard port number for a service you expose to the public net but really don’t want outsiders using — it significantly reduces the number of people who will notice that the service is exposed and even think to try to get in.  The key question is what kind of hacker you are protecting against: casual or determined?  Protecting against casual hackers is a totally valid and useful technique, especially for those of us whom nobody really cares about hacking.  But if foreign teenagers can win big bragging rights by finding a hole in your security, you’d better lock things down really well.

Inconvenience is another security technique that doesn’t get talked about as much, but it shares many qualities with obscurity.  An example of security through inconvenience is streaming video using Flash — the content isn’t encrypted at all, but it is protected by the fact that there aren’t any common tools for saving streaming Flash video to a persistent (non-streaming) format.  You could also put this into the category of legal security, since Adobe can send cease-and-desist letters to anybody distributing such a tool.

I use inconvenience security to protect the private wifi network at my house.  I use WPA, which still seems not to be installed by default on most Windows machines.  For a long time (probably still) there’s been a bug in the installer for the WPA patch that Microsoft distributes, so that it wouldn’t install on XP machines with Service Pack 2.  (It complains that you need Service Pack 1 or later installed in order to use the patch, and good luck trying to convince it that you do.)  This inconvenience security provides effective protection against casual war drivers who are just looking for a little bandwidth to borrow.  Very few of these casual hackers can even try to use my network, so they just drive on.  I also employ a second security technique to protect my private wifi that is based on a carrot rather than a stick: I offer a free, open wifi network that is outside my firewall.

On the other hand, inconvenience security is totally inappropriate for something like a corporate VPN.  An IT manager who chose a VPN because it’s not installed by default on client machines is only making things more difficult for legitimate users.  Corporate VPNs need to do a rock-solid job of protecting themselves from foreign teenagers as well as hired corporate spies.  So while making it inconvenient to even try to connect will dissuade casual hackers, if you’re doing your job at all well the casual hacker wouldn’t have gotten in anyway, and you’re also making your actual customers’ lives more difficult.
