Security Through Obscurity (STO) is the belief that a system of any sort can be secure so long as nobody outside its implementation group is allowed to learn anything about its internal mechanisms. Hiding account passwords in binary files or scripts on the presumption that “nobody will ever find them” is a prime case of STO.
STO is a pejorative term for a principle in security engineering that tries to use secrecy (of design, implementation, and so on) to provide security. It is a philosophy favoured by many bureaucratic agencies (military, governmental and industrial), and it used to be a major method of providing “pseudosecurity” in computing systems.
A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known and that attackers are unlikely to find them. The basis of STO has always been to run the system on a “need to know” basis: if a person doesn’t know how to do something that could affect system security, that person isn’t dangerous. The weakness is that the secret (a design detail, an embedded password) is all that stands between an attacker and the system; such secrets leak through disassembly, insiders or simple guesswork, and a leaked design secret cannot be replaced the way a key can. The technique stands in contrast with security by design, and with Kerckhoffs’s principle in cryptography, which holds that a system should remain secure even when everything about it except the key is public.
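The following is an added example, not code from the original post. It takes the “password hidden in a binary or script” case from the first paragraph and shows both sides: a credential base64-encoded inside a constructed blob (standing in for a shipped binary) is recovered with nothing more than a `strings`-style scan and a decode attempt; the security-by-design alternative keeps no secret in the artefact at all, holding only a salted PBKDF2 hash and reading the real password from the environment at runtime. The credential, the blob layout and the `SERVICE_PASSWORD` variable name are assumptions made for the example.

```python
"""Added example: an embedded "hidden" credential versus a design that keeps
no secret in the artefact.  All inputs are constructed for illustration."""
import base64
import hashlib
import hmac
import os
import re

# --- Security through obscurity -------------------------------------------
# A constructed credential that a developer base64-encoded into the program,
# assuming nobody would look.  (Assumption of this example, not a real account.)
_OBFUSCATED = base64.b64encode(b"svc_account:Winter2019!").decode()


def obscure_login() -> bytes:
    """What the application does at runtime: undo its own obfuscation."""
    return base64.b64decode(_OBFUSCATED)


# Constructed stand-in for the shipped binary: an ELF-like header, some
# zero padding, the encoded credential, and a short symbol name.
FAKE_BINARY = (
    b"\x7fELF\x00\x01" + b"\x00" * 20
    + _OBFUSCATED.encode() + b"\x00" * 8 + b"connect\x00"
)


def strings(blob: bytes, min_len: int = 8) -> list:
    """Mimic the `strings` tool: every run of >= min_len printable ASCII bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def recover_credentials(blob: bytes) -> list:
    """Attacker step: base64-decode every string and keep anything shaped
    like user:password.  No knowledge of the program's design is needed."""
    found = []
    for s in strings(blob):
        try:
            plain = base64.b64decode(s, validate=True)
        except ValueError:          # binascii.Error is a subclass of ValueError
            continue
        if re.fullmatch(rb"[\x20-\x7e]+:[\x20-\x7e]+", plain):
            found.append(plain.decode())
    return found


# --- Security by design ---------------------------------------------------
# The artefact stores only a salted, iterated hash; publishing this code and
# the verifier record does not hand an attacker the password.
def make_verifier(password: bytes, iterations: int = 100_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(verifier: dict, attempt: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt, verifier["salt"],
                                 verifier["iterations"])
    # Constant-time comparison: the check itself must not leak by timing.
    return hmac.compare_digest(digest, verifier["digest"])


def password_from_env(var: str = "SERVICE_PASSWORD") -> bytes:
    """Runtime lookup of the real secret.  The variable name is an
    assumption of this example; a secret manager would serve the same role.
    Refuse to run rather than fall back to an embedded default."""
    value = os.environ.get(var)
    if value is None:
        raise RuntimeError(f"{var} is not set; no embedded fallback exists")
    return value.encode()


if __name__ == "__main__":
    print("app recovers:", obscure_login())
    print("attacker recovers:", recover_credentials(FAKE_BINARY))
    v = make_verifier(b"correct horse battery staple")
    print("hardened verify (right):", verify(v, b"correct horse battery staple"))
    print("hardened verify (wrong):", verify(v, b"Winter2019!"))
```

The point of the first half is that the “hiding” costs the attacker one regular expression and one decode call; the point of the second is that an attacker who reads every line of `make_verifier` and `verify`, and even steals the verifier record, still has to guess the password, because the design never depended on the code being secret.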
