Security through obscurity can make something a bit more secure in practice by annoying an attacker IF AND ONLY IF you're not relying on the hidden information remaining secret in order for the system to remain secure. E.g., if you're using a broken cipher and assume this is ok because no one knows which cipher you're using, you're gonna have a bad time.

In the case of FOSS software, it is generally recognized that the small advantage of keeping the source secret is far outweighed by the contributions and vuln reports you get if you publish the source.

reply
"one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them" - Claude Shannon

https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

reply
If you believe this, then why did you say?

> starting to think security through obscurity might not be a bad thing

reply
Because of asymmetric differences: I don't have access to powerful LLMs, but attackers might. And also the complexities of software dependencies (supply chain vulnerabilities): my software depends on packages not in my control, and I don't have time to audit the entire stack.
reply
Perhaps the answer is to depend only on packages that come from people that are more competent than you so you can know if or when your program is compromised that it'll most likely be your fault and not theirs.
reply