Schneier on Security
A blog covering security and security technology.
« Magnetic Ring Attack on Electronic Locks |
| Eavesdropping on Encrypted Compressed Voice »
June 18, 2008
Security Through Obscurity
Sometimes security through obscurity works:
Yes, the New York Police Department provided an escort, but during more than eight hours on Saturday, one of the great hoards of coins and currency on the planet, worth hundreds of millions of dollars, was utterly unalarmed as it was bumped through potholes, squeezed by double-parked cars and slowed by tunnel-bound traffic during the trip to its fortresslike new vault a mile to the north.
In the end, the move did not become a caper movie.
"The idea was to make this as inconspicuous as possible," said Ute Wartenberg Kagan, executive director of the American Numismatic Society. "It had to resemble a totally ordinary office move."
Society staff members were pledged to secrecy about the timing of the move, and "we didn't tell our movers what the cargo was until the morning of," said James McVeigh, operations manager of Time Moving and Storage Inc. of Manhattan, referring to the crew of 20 workers.
From my book Beyond Fear, pp. 211-12:
At 3,106 carats, a little under a pound and a half, the Cullinan Diamond was the largest uncut diamond ever discovered. It was extracted from the earth at the Premier Mine, near Pretoria, South Africa, in 1905. Appreciating the literal enormity of the find, the Transvaal government bought the diamond as a gift for King Edward VII. Transporting the stone to England was a huge security problem, of course, and there was much debate on how best to do it. Detectives were sent from London to guard it on its journey. News leaked that a certain steamer was carrying it, and the presence of the detectives confirmed this. But the diamond on that steamer was a fake. Only a few people knew of the real plan; they packed the Cullinan in a small box, stuck a three-shilling stamp on it, and sent it to England anonymously by unregistered parcel post.
This is a favorite story of mine. Not only can we analyze the complex security system intended to transport the diamond from continent to continent--the huge number of trusted people involved, making secrecy impossible; the involved series of steps with their associated seams, giving almost any organized gang numerous opportunities to pull off a theft--but we can contrast it with the sheer beautiful simplicity of the actual transportation plan. Whoever came up with it was really thinking -- and thinking originally, boldly, and audaciously.
This kind of counterintuitive security is common in the world of gemstones. On 47th Street in New York, in Antwerp, in London: People walk around all the time with millions of dollars' worth of gems in their pockets. The gemstone industry has formal guidelines: If the value of the package is under a specific amount, use the U.S. Mail. If it is over that amount but under another amount, use Federal Express. The Cullinan was again transported incognito; the British Royal Navy escorted an empty box across the North Sea to Amsterdam -- where the diamond would be cut -- while famed diamond cutter Abraham Asscher actually carried it in his pocket from London via train and night ferry to Amsterdam.
Posted on June 18, 2008 at 1:13 PM
• 45 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"He who can modify his tactics in relation to his opponent and thereby succeed in winning, may be called a heaven-born captain." - Sun Tzu, The Art Of War
I've seen it a number of places, but the concept is still the same.
The best place to hide is in the open. Some place that you can look at a thousand times and still never find what you're looking for.
I think it's talked about in the book, "Art of Deception" (without diving into the subsequent Scientology drama).
Sherlock Holmes touches on how to expose something so hidden in "A Scandal in Bohemia" (e.g. do something that forces the other person to expose it for you).
I'm not sure this is Security through Obscurity, which to me means that it's hidden in a way that cannot be found. Instead, this is much more a magician's trick of deception & misdirection. It's effective until you know the secret.
You misunderstand the term "security through obscurity".
Sometimes the most simplistic, seemingly obvious, approaches is the best way to obscure something.
I once, back in the very early 90s, bought a handgun in Europe. I field stripped, it wrapped it in oilcloth, and packed it up in a plain brown box. I then shipped it to my home address in the US labeled "Fragile - Machine Parts"
Sometimes the most simplistic, seemingly obvious, approaches is the best way to obscure something.
I once, back in the very early 90s, bought a handgun in Europe. I field stripped it, wrapped it in oilcloth, and packed it up in a plain brown box. I then shipped it to my home address in the US labeled "Fragile - Machine Parts"
> Security through Obscurity... means
> that it's hidden in a way that cannot
> be found.
What does "cannot be found" mean?
There is no such thing as "cannot be found" unless it is truly lost. Otherwise, it's merely a matter of who holds the knowledge of where something is at.
This type of security can be foiled by an insider alas there never are any guarantees. Just wondering what would become of the person responsible for these plans if there would have been a theft!
"... while famed diamond cutter Abraham Asscher actually carried it in his pocket from London via train and night ferry to Amsterdam."
So they reduced the odds of a theft from those of a targeted attempt to steal that specific diamond to the odds of a random mugging? Statistically, was that really a sound choice? What are the relative odds? Was the diamond cutter escorted by a "friend" who just happened to be a trained bodyguard?
I'm not opposed to security through obscurity but I am opposed to confusing luck with security. Had the diamond got lost in the mail or stolen by a mugger looking for pocket change would the story then be about the dangers of security by obscurity? What are the real details? Is this real security or just luck? Sometimes security through obscurity works and sometimes people just get lucky.
At the time (1905) the Royal Mail was at its peak of efficiency and reliability so the random risk was probably not large.
The real beauty of the plan was that even if you found out what had been done it would still have been really hard to locate the diamond and steal it. You would have to steal all the mail and then sift through it. So it isn't security through obscurity at all.
The definition of security through obscurity is that it relies on you not knowing the general scheme - as opposed to methods (like this one) which retain security even if you know the approach that has been taken.
Similar odds, I guess, with OS choice:
(March 20, 2007) "Today we know of over 236,000 malicious malware items. These are mostly meant for the MS-Windows environment. Only about 700 are meant for the various Unix/Linux distributions. Current known Mac OSX malware count is even less with 7..."
"I'm not opposed to security through obscurity but I am opposed to confusing luck with security."
I agree with that. And I wonder if instead of as Bruce put it:
"Sometimes security through obscurity works:"
it would be better phrased as:
"Sometimes security through obscurity does not fail:"
"Had the diamond got lost in the mail or stolen by a mugger looking for pocket change would the story then be about the dangers of security by obscurity?"
Would we even have heard the story in that case? Would they want to publicize how STUPID they were?
If someone attacks an armoured carrier with armed guards and gets the jewels, that's one thing. The company took what seemed to be appropriate measures.
If someone robs some guy who just happens to be carrying a few million dollars in jewels because management thought that it would be a "safe" way to transport them ... it would be quietly forgotten.
All of these things have one thing in common: they're one-shot operations or very short-term arrangements.
For long-term security, such as operating system design and DRM, security through obscurity will always fail eventually, but for one-shots it has a decent chance of being useful.
I read an article a year or two ago about a coin collector who had to transport a remarkable rare dime across the country to a new buyer; the sale was valued in the millions. So, he dressed in shorts and a tshirt, stuck the coin in a small box in his pocket, hopped a coach flight across the country, and walked to meet the guy at his office. No problem!
Surely the Transvaal government did not appreciate the "literal enormity of the find" . . .
> Had the diamond got lost in the mail or stolen by a mugger looking for pocket
> change would the story then be about the dangers of security by obscurity?
In either case, there is an additional factor. If someone commits an armed robbery of an armored car in an attempt to steal something extremely valuable, it's probable that they already have someone to whom they can sell it for some reasonable (to the criminal) return.
If someone opens a package that's been mis-delivered and finds a diamond the size of an apple, they probably are going to turn it in for a reward (even if they're not basically honest folk), because it is unlikely they can get more from hawking the thing than they could from the original owner. Similarly, if someone mugs the diamond carrier, they're going to take his wallet, but what the hell would they do with a diamond that big? Take it to their local pawnshop? Give it to their girlfriend? Perhaps, but what's the local pawnshop going to do with it? Turn it in for a reward, duh.
So the additional factor in the failure scenario for the security by obscurity tactic is that *if* the item is taken by force or misplaced, it is much more likely that it will be returned for marginal cost than lost forever. While in the case of the armored car defense, the failure scenario includes almost by nature the fact that disposal of the item is part of the plan.
"Enormity" doesn't mean the same thing as "enormousness". It means wickedness, as in "The enormity of King Leopold's crimes cannot be overstated".
My family works in jewellery wholesale. The standard method of transporting gems is to stick them in a plain paper envelope, put them in an inside jacket pocket, and walk from place to place.
The chance you are going to be mugged in business hours, in the upmarket areas of the central bis districts that these places are in is negligible. As someone else pointed out: If you are mugged, you hand over the gems, and the mugger is stuck with them. The only potential market for unmounted / uncut gems is the rather small fraternity of jewellers, who won't touch unsourced gems with a 10 foot pole.
Insurance companies buy risk. Insuring gem couriers is very cheap.
Security through obscurity is different from security through obfuscation.
In an ecological context, the difference is between camouflage and false flagging. The former is blending in with the scenery; the latter is actively pretending to be something that you are not.
Sending a diamond through the post is the former; a fake shipment with detectives as in your example, or a real shipment styled as an office move, is the latter.
False flagging takes a LOT more effort to get right. It can be amazingly effective.
Good point - in fact there are cryptosystems built around security through obfuscation.
Wikipedia has an article on "Chaffing and winnowing", a system by Rivest. I also vaguely remember a system designed to mock the (at the time) higher export controls on Encryption versus Digital Signature algorithms - it may have been Chaffing with biased reporting, of course.
> So, he dressed in shorts and a tshirt, stuck the coin in a small box in his
> pocket, hopped a coach flight across the country, and walked to meet the guy
> at his office.
While I would have no problem sticking a rare coin or a precious gem in my pocket and walking across town, I wouldn't want to go through airport security with something unusual and valuable. I have no idea what Joe Security Screener's response would be if he discovered I was carrying, say, a bag of uncut diamonds on my person. Maybe he would wave me through. Maybe he would decide the diamonds were suspicious, and needed be taken away for further investigation.
Obscurity is a useful layer in any security system. It does no harm to have it, provided all the other layers are in place.
For example, on a dynamic website, if the cgi-bin folder is called (say) bobs-photos, it helps a little bit in hiding it from attacks that are targeting the expected folder name.
Similarly, if you have Truecrypt files, don't call them anything obvious.
Obscurity is one layer among many.
Poe, "The Purloined Letter" comes to mind.
the more you see it, the less you focus on it!
To me, title "security through obscurity" doesn't really match.
I would say this is not "security through obscurity", but rather "security through anonymity", which certainly can be a good security measure. Hiding valuable assets in the crowd makes it possible to divert attention to them. I would not call this obscurity... simply anonymity.
For the actual transport, you are kind of right; the security comes from anonymity. However, the trick is that if the thief is aware of your security mechanism then they could take action (like watching your office and waiting for the trucks to come out) which would break the security of your system before you became anonymous. For cryptosystems and locks, the strength of the system is measured assuming that the attacker already knows which system is in use. For this system, you have to assume (and try to make sure) that the attacker doesn't know you are going to use anonymity. That's where the "obscurity" comes in.
Probably that means you should only use this scheme once per lifetime. And definitely before Bruce publishes his article about you using it :-)
Would a closer analogy be steganography? The couriers (interesting bits) are lost in the crowd ("normal" message).
So is camouflage a smart security technique or "just" security-by-obscurity?
@Rich: "security by obscurity" doesn't mean "being invisible".
Likewise, "just security by obscurity" doesn't mean "just security by making yourself difficult to see". Being difficult to see is often a great trick if you can manage it. For example, it's believed to be the reason that brownish gazelles are a lot more likely than bright pink gazelles to survive among other brownish gazelles in brownish regions of Africa :-)
"Security by obscurity" most frequently refers to a crypto algorithm which relies on the algorithm being unknown in order to be uncrackable. Good crypto is uncrackable even if the algorithm is known: it relies only on the secrecy of the key. Crypto which also relies on the secrecy of the algorithm is less robust, since the algorithm doesn't change between users: it is therefore easier to figure out than a particular user's key, and all users are compromised once it is figured out.
So when security experts sneer at "security by obscurity", they are not claiming that remaining physically unseen is poor security tactics. That claim would attract a lot of angry disagreement from some exceedingly tough military guys who use camo. Also tigers.
The phrase means that the security measure in question is bad because it will be critically weakened if it is analysed by potential attackers. This is not the case with camo - knowing that someone is camouflaged doesn't mean you can easily spot them in the woods.
The difference is between obscurity of the subject (often useful) and obscurity of the security measure (limits the useful lifetime of the measure).
All these cases of shipping valuables just like non-valuables are based on obscurity of the subject. The main risk is that the time of the shipment will become known to attackers. If it does, then the goods are easier to steal than if they were moved by an armoured convoy. If it remains secret, they're harder to steal. Pay your money and take your chance: both gazelles and rhinos are quite well protected from predators in general (mind you, gazelles also run faster). The question is which is better for any given purpose.
I think you're seriously undervaluing the complexity of the secrecy involved in these operations.
Finding staff reliable enough to maintain high-value cargo secrets and carry out complex delivery plans without exposing or abandoning is non-trivial.
In hindsight it might seem like just another delivery day and your examples leaves out enough details to make the operations seem simple. However, the fact that you mention the planners spent a lot of time preparing the deliveries shows that you are not totally unaware of the security controls beyond obscurity that are required to make these operations a success. A decoy, for example, is more than obscurity. Background checks as well as updates along a route are more than obscurity...
"The only potential market for unmounted / uncut gems is the rather small fraternity of jewellers, who won't touch unsourced gems with a 10 foot pole."
Ooops, I think your example works against you.
Evidence of "source" is a huge control. Again, this is evidence of more than obscurity providing security.
Like a file with a secure signature, obscure it all you want but the fact that a signature is required to show value means obfuscation plays an almost irrelevant role.
The problem I often see in the obfuscation fan base is that people THINK obfuscation works when they simply do not inventory or appreciate the other more significant/complex controls that are in place. These controls might be social, physical or technical, but they are important to notice as something above and beyond obfuscation.
I dont like the concept of "security through obscurity", but it should be used in conjunction with good security to make analasis even more difficult
> I once, back in the very early 90s,
> bought a handgun in Europe.
> I field stripped it, wrapped it in oilcloth,
> and packed it up in a plain brown box.
> I then shipped it to my home address in
> the US labeled "Fragile - Machine Parts"
Mr. Decekr, we'll be stopping by your home shortly to have a "talk" with you.
I once bought a nuclear missile capable of destroying a small continent. I field stripped it down to 1-square-cm pieces, stuck each piece to the back of a postage stamp, then used the postage stamps to post small boxes of lutefisk to my home address in the US labelled "Fragile and Revolting Gelatinous Fish Parts". I disposed of the lutefisk in an environmentally friendly way, carefully removed the stamps, steamed off the parts from the back of the stamp and pieced together the missile.
I've taken to calling this "fog of war" i.e. a beneficial subset of "security through obscurity," driven by the principle that since there is no perfect security plan to cover the entire attack surface, obscurity will frequently play a useful role in real world operations. Another way I look at it (at the risk of violating what I say about hyperbole below) is as an example of applying fuzzy logic to a security problem.
We all understand the aphorism "security through obscurity == bad"; is there some more nuanced terminology we can move to that encompasses the endless historical examples of obscurity being beneficial to an overall security operation, without giving up the right to scorn people who equate hyperbole with mathematical certitude?
"... while famed diamond cutter Abraham Asscher actually carried it in his pocket from London via train and night ferry to Amsterdam."
And, more recently, a man in the UK took a violin to London to be valued, it was a valuable violin. He travelled back by train, with his very expensive instrument alighted at his stop, and at some point, realised he had left the violin on the train.
Brining it right up to date, TOP SECRET documents were left on a train by a high ranking officer in the defence community. These were handed to the BBC.
All I'm saying is that security through obscurity does not negate the requirement for 'proper' security measures.
The good version of security through obscurity is another way of saying, "We've done everything we had time and budget and cleverness to possibly do. For the rest of it we're going to have to get lucky."
They should have camouflaged that thermal exhaust port.
Let's get back to basics. The more secrets your system depends on, the more fragile it is. Ideally, we'd like to keep the number of secrets down to just one (such as the value of a secret key in a cryptosystem). Security through obscurity is bad because it tends to increase the number of secrets you're relying on.
OTOH, if you keep this effect in mind, you can design a system which uses obscurity as an additional layer. In this case, you're not relying on the secret staying a secret, because you've got other layers to protect you if that one doesn't work.
If you want to have such as broad definition of "security by obscurity" then it's ALL security by obscurity. After all, if you don't "obscure" your key, I can easily decrypt your AES encrypted files.
This sort of thing is a bit like steganography - hiding things in everyday noise. Which is good for sending a message, but a terrible way to "store things".
What we usually call "security by obscurity" is something akin to having a bank with no vault and leaving one of the doors unlocked each night. You may not get robbed the first night, but a determined attacker will always get in.
Ask yourself the question: is my requirement like smuggling a diamond from A to B, or am I keeping barbarians at the gates of a city under siege?
i met a retired american gemology specialist traveling in china who claimed to have bought some kind of national iranian crown jewels when the shah fell, carried them in his jacket to switzerland, and passed them on to sotheby's. exactly who contracted him to do so remains a mystery, but i guess it was sotheby's. he certainly had the cash in hand to make the story of this sort of career more believable.
Remember the tale (several variants) about the lady who travelled frequently between Britain & France? Each time, she opened a handbag full of Swiss watches for the Customs officer, & paid up the duty. Years later, the (retired) Customs officer met her by chance. "We knew you were smuggling something, but obviously not the watches: you paid the duty. Just for the record, what was it?" "Handbags" was the reply!
This doesn't always work, though. Recently a 35,000$ watch was stolen from the mail (and replaced by a rock). It was not registered (to avoid attention?) and not insured.
what about insurance risk if something should happen? would it be covered in this senario? or the mail with no insurance story?
(also diamonds are unique, as they are worthless. ever try and sell a used diamond?)
jeweller- ya, hi insurance company, I just mailed out a million in stones and they got lost in the mail... how long before you can send a check? hello? hello? are you still there? Hello?
this would work with computers were in not for grep sed awk find and findall with their parameters (and the like hehe)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.