Is Portknocking Real Security?

By Daniel Miessler on March 30th, 2007: Tagged as Obscurity | Philosophy | Security
  • Sorry, but I agree with you that security via obscurity can add to security. It is a passionate discussion sometimes, and I like to make sure all parties are aware of the difference between "security through obscurity alone" and "security through obscurity." Alone, security through obscurity can be dangerous; yes it is hidden, but it's just like hiding treasure under your porch. Someone just has to peek down there and find it.

    I think part of the problem in security is some people are hellbent on saying there is no silver bullet to security, but then turn around and complain about everything that is not a silver bullet. If it adds to security but is not the silver bullet, it's useless, broken, and stupid. It's an odd little paradox some security folks have...

    I would rather assume no security is absolute and instead put as many barriers between my crown jewels and the attackers. They need to earn it, and in the process I'm thwarting all the lesser attackers.
  • Eamon Landon
    I have to say that I agree with you about the obscurity aspect to security, it is just another layer in the onion. It's never perfect. Someone can always seem to find you, but at least you can make an effort at camouflage rather than wearing a big, pink, flashing bullseye.

    I remember reading an article on some hacker's challenge and a team wore all blue shirts and marched in with a lot of pomp. They were the first team crushed by the red team. Why? Because they stood out. Now the other teams were all slowly taken down, but my point is the one that drew the most attention was hit first.

    The argument should be whether or not you choose to use security through obscurity, like you posted the other day. Just my two cents, a little extra security doesn't hurt.
  • Exactly, and it's even better than watching a sniper put on a ghillie suit because with portknocking the only thing they gain when they DO compromise the system is a big fat SSH login prompt. :)
  • Dave
    Hi Daniel,

    You're an absolute saint for rolling around in piles of logic with people all the time. Sadly it never seems to stick to some people. They simply 'd|w'on't get it =(

    You're absolutely correct about the merit of portknocking. We argued whether it was authentication or authorization when the paper was first published, but not whether or not it was part of security. Being two hard-headed, "security by philosophy" type people, that should've been your first clue you were right about it being valuable. For sure one of us would have been arguing that it's just a bad idea.

    This guy's argument to you is that camouflage is ineffective. That all someone has to do is watch for you to put on your ghillie suit then follow where you move to. If someone is able to watch you do your knock sequence, you have more serious issues at hand.

    Cheers,
    -Dave