Hacker News

rascul, yesterday at 7:00 PM (14 replies)

Obscurity can be fine but it's not security. I think of it like cover and concealment in the military. Security is cover. Something you can get behind so the bullets don't hit you. Obscurity is concealment. Harder to see, harder to find, so the enemy doesn't know where to shoot, but it's not stopping any bullets. Both have advantages and disadvantages and can complement each other depending on how they're used.


Replies

raffraffraff, today at 7:18 AM

Example: there are teenage gangs going around on high powered scooters in my city, carrying hammers and mini grinders. They pair up on a scooter, steal a bike and disappear.

I watched them. They don't want to hang around longer than necessary. They will only approach a bike rack that is clearly visible from the road. They will only steal a bike that has unobstructed access to the road (no tricky bollards or other bikes to get around). Even though they are full of bravado, and shout obscenities and threats at me when I tell them to fuck off, they still run away (even though the one approaching the bikes is carrying a weapon while his companion stays on the scooter ready to escape)

Anything that even mildly inconveniences these guys is enough to stop them attempting theft. The bikes they steal need to be expensive, out in the open, with direct access to the road, and with a shitty lock. And believe it or not, those tumblers line up a lot.

Throwing a blanket over a bike is probably enough to stop them from even approaching it.

mday27, yesterday at 7:55 PM

This is an especially good analogy because facing a well-resourced adversary in cybersecurity is like finding out that the enemy brought artillery -- hopefully you weren't relying entirely on obscurity because pretty soon there will be nowhere to hide

neoCrimeLabs, today at 1:55 AM

Agreed with your sentiment, and that was a great example.

Just like any security control, if it's your only means of security, it will not offer much risk reduction. Just like all security controls, if you want risk reduction, use more security controls together. Like all security controls, there is no way to eliminate risk, just reduce it as much as possible while still being able to effectively achieve your mission.

Because of this I believe security through obscurity to be an important component in a healthy and mature risk posture.

It irks me when it's dismissed because obscurity is not security. No single security control is security on its own.

Byamarro, today at 8:41 AM

Security through obscurity is mitigation basically. You reduce risk/impact, not eliminate it. There are problems - such as denial of wallet attacks - where you can only mitigate and can't eliminate the problem completely

staticassertion, yesterday at 7:29 PM

I don't think that really works because obscurity isn't harder to see or find. I don't know the analogy, it's like standing out in the open and being like "yeah but who would think to look here lol".

pamcake, today at 8:41 AM

Obscurity isn't security but it can support security. Until it doesn't.

6r17, today at 3:30 AM

The problem with that statement is that a lot of people who wield it fail to see the advantages that come with these extra shenanigans ; and let's just take pure concealment so I don't push weird arguments ; in the age of AI - each time we are able to make an attacking AI misaligned we are essentially buying time ; an on-going attack is never a one-shot event ; it's an ongoing process where the attacker has to understand where it is located and what it can do ; since each element will be a resource ; do not let it have it in the first place.

It's a bit of an elitist view of security that romanticizes concepts without thinking about what they can actually be used for. My personal bad experience with that was a manager who was stating to me that having a different subdomain for the admin panel was a concealment and not a security practice.

I mean - it's very easy to see how this kind of argument actually prevents people from doing something that can help just on the basis of philosophical purity - which often just misses the point - security is not a mechanism that will solve all your problems ; heck in fact I have to layer at least 4 mechanisms just on the http interface to feel safe ; it's more of a lot of layers that together form a barrier ;

We sit too much on TLS thinking "That's it, security job is done" - then we get some crazy stuff like French ANTS that get pwned with some IDOR ; as IF f* using some hash or something ; ANYTHING PLEASE F* HELL ; would have not helped

red369, today at 1:40 AM

Well off-topic, but did you recently listen to Andy Stumpf on a podcast?

Asking because of the Baader–Meinhof phenomenon :)

walrus01, yesterday at 10:24 PM

Because I love how seriously the DoD takes newly invented terms, we have:

"The Integrated Survivability Onion"

https://cogecog.com/the-threat-onion/

1. Don't be seen.

2. Don't be acquired

3. Don't be hit

4. Don't be penetrated

5. Don't be killed

It's actually not a bad mental model training aid for teaching people who might find themselves in an active combat environment.

j45, today at 6:52 AM

100%.

Obscurity alone isn't security. Security that includes obscurity in its architecture is relevant.

TZubiri, today at 8:58 AM

>Obscurity can be fine but it's not security

You literally just read how Obscurity protected OP in a cybersecurity incident. Now you are just playing word games, which are a waste of time.

lucketone, yesterday at 9:13 PM

All modes of cyber security depend on some obscurity (e.g. password)

Ideally we want a viable plan B, for when it’s leaked/figured out. (E.g. generate new passwords)

(For convenience let’s label air-gap as kind of physical security)

m463, yesterday at 11:27 PM

I kind of wonder if the analogy might also carry over to the age of AI.

If you were hiding in cover during WW1, maybe you had a chance.

But if you were hiding from the Terminator, who is "Tireless, Fearless, Merciless", it might not last that long.

The same might be said of exploits hiding from people... vs AI.

Lammy, today at 12:09 AM

> Obscurity can be fine but it's not security.

All security is security through obscurity. When it gets obscure enough we call it “public key cryptography”. Guess the 2048-bit prime number I'm thinking of and win a fabulous prize! (access to all of my data)