I just received the latest Microsoft security newsletter, and I was surprised to find that according to Microsoft, there is a debate about security vs. obscurity. Which may go a long way towards explaining why Microsoft products are so notorious when it comes to their (lack of) security!
That is not to say that there are no valid points in favor of obscurity measures; as the example discussed by Microsoft clearly demonstrates, it is always beneficial to make an attacker’s life a little harder. But it is a real stretch to call this a “debate”.
That is because it is not an either-or proposition. You can never have security through obscurity, and no amount of obscurity will make an otherwise unsecure system secure. But the security of a well-secured system can be improved by a little bit of obscurity, and in that sense, obscurity can supplement (but never replace) real security.
Reading on, it seems to me that some of the contributors to Microsoft’s “Great Debate” realize this. Too bad the person in charge of giving the article its title didn’t.
