Collaborate Disseminate
Answers to the question “How safe are password managers like LastPass?” suggest that storing personal passwords on a physical notebook might be a reasonable option:
I know someone who won’t use Password Safe and instead h… Continue reading How to store passwords written on a physical notebook?
As a follow-on to these questions:
What unique fingerprinting information can an iOS7 app collect?
What unique device fingerprinting information can an iOS8 app collect?
Apple has apparently removed the ability to see othe… Continue reading What unique device fingerprinting information can an iOS9 app collect?
This question already has an answer here:
Is including a secret GUID in an URL Security Through Obscurity?
5 answers
Is a w… Continue reading Use of obscure URL for security [duplicate]
On almost any website that relates information about cryptography in general there is this common notion that almost all encryption/decryption algorithms should use a key as one of their inputs. The reason behind this is that encryption al… Continue reading Why do we keep our keys secret, rather than our algorithms? [duplicate]
cookies usually contain a sessionId to keep track of a logged user.
What would prevent a malicious user to forge millions of requests with random sessionIds and send them to a server, hoping to luckily end up with an existin… Continue reading Session Hijacking through sessionId brute-forcing possible?
I know that one shouldn’t rely on “obscurity” for their security. For example, choosing a non-standard port is not really security, but it also doesn’t usually hurt to do so (and may help mitigate some of the most trivial attacks).
Hashing and encryption relies on strong randomization and secret keys. RSA, for instance, relies on the secrecy of d, and by extension, p, q, and ϕ(N). Since those have to be kept secret, isn’t all encryption (and hashing, if you know the randomization vector) security through obscurity? If not, what is the difference between obscuring the secret sauce and just keeping the secret stuff secret? The reason we call (proper) encryption secure is because the math is irrefutable: it is computationally hard to, for instance, factor N to figure out p and q (as far as we know). But that’s only true because p and q aren’t known. They’re basically obscured.
I’ve read The valid role of obscurity and At what point does something count as ‘security through obscurity’?, and my question is different because I’m not asking about how obscurity is valid or when in the spectrum a scheme becomes obscure, but rather, I’m asking if hiding all our secret stuff isn’t itself obscurity, even though we define our security to be achieved through such mechanisms. To clarify what I mean, the latter question’s answers (excellent, by the way) seem to stop at “…they still need to crack the password” — meaning that the password is still obscured from the attacker.
According to something I spotted something in a set of directions for connecting to a hidden wireless network from windows 8 found here (located under Step 1 > “Troubleshoot connection problems” > “How do I connect to a hidden wireless network?”):
A hidden wireless network is a wireless network that isn’t broadcasting its network ID (SSID). Typically, wireless networks broadcast their name, and your PC “listens” for the name of the network that it wants to connect to. Because a hidden network doesn’t broadcast, your PC can’t find it, so the network has to find your PC. For this to happen, your PC must broadcast both the name of the network it’s looking for and its own name. In this situation, other PCs “listening” for networks will know the name of your PC as well as the network you’re connected to, which increases the risk of your PC being attacked. (emphasis added)
I had always believed that hidden wireless networks were actually safer than normal ones, because only those who already know of the network are able to connect to it, so an attacker wouldn’t be able to connect to it to listen to your traffic.
Are hidden networks actually more risky, as the paragraph says, and if so, what measures can be taken to help mitigate the risk?
Also, I know that there are some countries where publicly broadcasting home networks are actually illegal, and hidden networks are the only option for wireless. If broadcasting networks are safer, why are they illegal in some places?
Continue reading How risky is connecting to a hidden wireless network?
According to something I spotted something in a set of directions for connecting to a hidden wireless network from windows 8 found here (located under Step 1 > “Troubleshoot connection problems” > “How do I connect to a hidde… Continue reading How risky is connecting to a hidden wireless network?
So, I keep finding the conventional wisdom that ‘security through obscurity is no security at all’, but I’m having the (perhaps stupid) problem of being unable to tell exactly when something is ‘good security’ and when something is just ‘o… Continue reading At what point does something count as ‘security through obscurity’?
Given that it’s possible for the average consumer to send covert signals over normal AC lines how can an IT department identify and filter out this communication?
I’m not sure how difficult this is considering that there are many differen… Continue reading Detecting and filtering data over AC power lines?