Is security through obscurity better than nothing?

Before I started using Linux and getting into frequent online discussions with other Linux users about security issues, I had no idea about computer security. I thought having a login and password was enough to keep the “bad guys” out, should my computer ever be stolen. Most people I know think the same. My dad (who actually is quite tech-savvy and can, unlike me, program in several languages and build his own computers from scratch) thought a fingerprint reader on his Thinkpad would keep people from accessing his files, but I showed him (with the aid of Knoppix CD) that that wasn’t the case.

The truth is that most computer “security” for home users is bogus and just security through obscurity. It may (or may not, depending on how resourceful they are) keep nosy family members and friends out, but it won’t stop someone who’s stolen your computer from getting to all your files. Having separate passwords and usernames on a home computer (as opposed to authenticated on a domain at work) is mainly a way to just make it slightly inconvenient for others using the same computer to snoop into your files.

If they had a little bit of knowledge and really wanted to snoop, however, they could. In the case of Mac OS X or Ubuntu, all it would take is booting into single-user mode and copying your files to their folders and changing ownership of those files. Or, if they didn’t want to be stealthy about it, they could change your password and log in as you. In Ubuntu, Mac OS X, and Windows, if you have a live CD (like Knoppix), you can boot it, mount the hard drive, and read any and all files on the computer.

Of course, in addition to having a username and password, there are other ways to slow down intruders and snooping friends from exploring your computer’s contents (setting a BIOS password, for example). Ultimately, though, once physical security is compromised, your computer’s contents have been also compromised… unless your drive is encrypted.

Of course, if one single person learns anything new from reading this, then the obscurity is that much less obscure now than before, but this understanding leads to the next question of “Is security through obscurity better than no security at all?” The Pidgin developers seem to think it’s not, as you can read in their justification for storing instant messaging passwords in plain text. In answer to the question “But surely something is better than nothing, right?” they say No. When a Pidgin user looks at her accounts.xml file, she can tell immediately that it’s a sensitive file and should be treated as such. When an application attempts to ‘trick’ the user into thinking its passwords are secure by obfuscating it in some way, the user assumes it’s safe.

In one sense, I agree with this. I don’t believe in giving users a false sense of security. In another sense, though, I think what they’re saying is ridiculous. Most users of instant messaging programs never look to see whether their passwords are stored in plain text or not, so they will almost always assume it’s safe. What would make much more sense by their line of reasoning would be to have a huge warning the first time you launch up Pidgin saying “Instant messaging is never secure, and that’s why we store your password in plain text.”

I’m a little ambivalent about all this, if you couldn’t tell. On the one hand, I do believe that for most purposes (keeping snooping family members and friends out), having usernames and passwords for unencrypted data serves its purpose. In this regard, security through obscurity works. On the other hand, this does give people a false sense of security, as they may think that not having an autologin will prevent laptop thieves from getting their data. People won’t be careful when it comes to their data and the real “bad guys.” On a lighter note, they may think that forgetting their administrative password means they have to reinstall the entire operating system instead of just resetting the password.

I guess if it really comes down to it, I believe in education. I believe people should know what is secure and what is not secure. What do people think? I know I have a lot of tech-savvy folks (people who know a lot more than I do) who read this blog. Is it ever the case that security through obscurity is better than no security at all?

5 comments

  1. “having usernames and passwords for unencrypted data _server_ its purpose”

    was it supposed to be

    “having usernames and passwords for unencrypted data _serves_ its purpose”

  2. Better, yes. But it’s not something that would, for example, come up in a debate on the security of Windows versus that of Linux.

    It’s can be helpful, no question. It just shouldn’t be relied upon when you have or expect determined attackers or sensitive data. Near-full disk encryption is easy now with debian-installer (which is included on the ubuntu alternate install CD). Having a key passphrase-encrypted on flash drive or separate volume is a more complicated, but allows for plausible deniability and full-disk encryption.

  3. No, I didn’t intend this to be an operating system v. operating system discussion.

    So you agree security through obscurity is better than nothing, if only by a little bit?

    I’m thinking an appropriate analogy might be something like leaving the key to your house underneath the doormat but keeping the door locked. That’s fairly insecure, yes. Nevertheless, it’ll offer you a little more security than doing the same and then having a big sign with an arrow pointing to the doormat “Key to the front door hidden under this doormat!”

  4. in certain situations, yes, in others, no. Look at the history of viruses on Linux compared to Windows. Running Ubuntu, I feel completely safe that I will never get anything. Running Windows, I have to run Spybot, Symantec, or other programs at least weekly to be sure I haven’t contracted something. Surely Linux is at least in the same ballpark of security (despite what some hardcore fanboys will say) and can be hacked, commandeered, or bugged, it’s just that it’s still obscure. When it comes to passwords and such, however, I’m more cautious; I tend to think passwords, just like car locks, are useless. You’re more likely to end up locking yourself out than stopping a thief, who will just break your windows anyway.

Leave a Reply to ubuntucat Cancel reply

Your email address will not be published. Required fields are marked *