this post was submitted on 22 Apr 2026
1328 points (99.6% liked)
This is not true.
And what part, exactly, is not true?
People like to think in black and white, but you're definitely right. Having your SSH server on port 36271 will likely stop a ton of drive-by attacks because they simply won't check it. Having it only listen on IP6 would stop almost all of them because you can't trawl the IP6 space efficiently. These are "obscurity", but they have real benefits. The idea that "obscurity" doesn't help is just a meme that people love to quote because it's a great single sentence with some nice rhyming "security by obscurity". I assume the reason it became a meme is because tons of products fully relied on obscurity; I still see it all the time. As you said, it's all layers.
Yep! I don't know a single engineer who would say that security by obscurity is never useful. Everyone knows, as you said, to put SSH on a random port. It's the first step you do to secure a server.
I mean really the whole thing. Security by obscurity is no security at all. Device search engines like shodan exist and seeking out specifically insecure devices becomes easier by the day.
Absolute security is achievable, but comes with costs. If I'm willing to airgap everything and never go online, only using my own code, my device will be safe.
Black box testing is MUCH harder than white box testing, especially as, and I hate to say it, AI based security scanners become better and better at identifying flaws in source code. Having more information about your target is always the first step in penetration testing, and more information is ALWAYS better.
The difficulty of black box over white box is the reason obscurity has benefits...
You're going to write your kernel and bootloader as well? Drivers for the hardware? And a compiler for those? And an assembler to build that bootstrap compiler? Build the CPU? The second any of these are "out of your control" you lose "absolute security". The reason people say there is no "absolute security" is that it is not a useful concept to even consider. Since you have to approach it theoretically, you can easily end up stuck at the fact that every computation changes the state of the world and thus every computation can in some way be measured. It's a useless endeavor even if it were theoretically possible because it leads you to absurd solutions against absurdly powerful attackers. You want security in a well-defined threat model, not some "absolute".
Air gapping isn't sufficient to prevent communication either. For example, there are functional TCP stacks working over audio. Silence on the Wire is quite old at this point, but also explores esoteric exfiltration methods.
This comment... Confuses me.
This is exactly why security by obscurity is a valid tactic. It hides information and makes a system harder to attack.
No, it's not. Every system has flaws. Using your own code is especially a bad idea, as it is much more likely to be flawed than a 20 yo open source project. Your airgapped device may be secure from remote attacks, since it is not connected to any network, but if it is stolen, that means nothing.
Absolute security is impossible.