Security through obscurity
[Friday 5th June 2009 at 11:00 pm]
After stating for years that security through obscurity doesn't work, some cheeky spammer went and found my supposedly secure-because-no-one-knows-where-it-is forum. Hmm.
Security through obscurity isn't really security when you get down to it. It's the principle that something is secure, not because of any solid measures taken to ensure this but through making the secret hard to find. It's rather like hiding the front door key under the doormat, or writing your PIN down with the label "Mum's birthday". The result is that it's only secure as long as no-one knows where it is, but as soon as they look under your doormat and find the key that's it, game over. A better form of security would be to, for example, put the front door key in a box with a combination lock - that provides security by making it Hard to get the key without knowing the code. Of course, one can then reduce that by writing the code down somewhere, at which point you're back to security through obscurity.
Anyway, back to the forum. As well as the publicly-available pages and gallery on my website, there's several restricted areas on it. Things like a private forum install for a few friends, the administration pages for the gallery, a set of files from a university group project - stuff that's not meant to be publicly available. Some of this is protected with real security: the university pages require a password. Some of this is both passworded and hidden: the administration pages not only have a strong password, but are not linked anywhere. And some of this is merely hidden in the hope that this is enough.
The forum falls into the latter category, as it was never intended to be particularly secure. And this was all well and good, as for over a year the existence of this forum was known to maybe a dozen people. Unfortunately, I then placed a link to this forum in the topic of a small, private-access IRC channel. While the channel is private, the topic is available to anyone on the same server. That itself is not a problem, except there's a couple of websites that continually index the channels and keep a log of recent topics. Those websites are public, and since I hadn't added the forum to my site's robots.txt (a small file telling search engines where they're not allowed to go - unfortunately a bad place to list any hidden areas, as anyone can see this file), Google then merrily followed the links from those sites to my forum. And the spammers (well, spammer, but it's only a matter of time now) followed Google.
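The three categories above (passworded, passworded and hidden, merely hidden) can be checked mechanically on your own site. This is an added example, not code from the original post: it assumes you have recorded the status code each restricted area returns to a request without credentials, and every path, status and the robots.txt body below are constructed for illustration.

```python
# Constructed sample data, not taken from the author's site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /gallery/admin/   # advertises the hidden admin area to anyone
Disallow: /tmp/
"""

# For each restricted area: status returned to a request with no credentials,
# and whether any public page links to it.
AREAS = [
    {"path": "/uni-project/", "unauth_status": 401, "linked": True},
    {"path": "/gallery/admin/", "unauth_status": 401, "linked": False},
    {"path": "/forum/", "unauth_status": 200, "linked": False},
]


def disallowed_paths(robots_txt):
    """Return every Disallow path in a robots.txt body, ignoring comments."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = line.split(":", 1)
        if field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def audit(areas, robots_txt):
    """Classify each area by what actually keeps unauthenticated visitors out."""
    advertised = disallowed_paths(robots_txt)
    report = {}
    for area in areas:
        # Assumption: 401/403 means the server enforces access control.
        enforced = area["unauth_status"] in (401, 403)
        if enforced and not area["linked"]:
            verdict = "passworded and hidden"
        elif enforced:
            verdict = "passworded"
        else:
            verdict = "obscurity only"
        report[area["path"]] = {
            "verdict": verdict,
            # robots.txt is world-readable, so a listing discloses the path.
            "listed_in_robots": any(area["path"].startswith(p) for p in advertised),
        }
    return report


if __name__ == "__main__":
    for path, result in audit(AREAS, ROBOTS_TXT).items():
        print(path, result)
```

Anything reported as "obscurity only" is one leaked link away from public, and anything with `listed_in_robots` set has already had its location published.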
The best part? It is now impossible for me to remove all links to the forum. Once security through obscurity is broken, it's usually impossible to repair. On the internet, once something has been made public it is nearly impossible to claw it back (a common quote is "the Internet treats censorship as damage and routes around it"). Fortunately there wasn't anything private on there, and the forum's own security is adequate to deal with future spammers. It's still annoying, and serves me right for not making it properly secure in the first place.
Incidentally, the DVD encryption scheme was broken through a similar method. The first DVD key to be found was extracted from a software DVD player that had tried and failed to hide the key somewhere in the program's files. The HD-DVD and Blu-ray keys were discovered through exactly the same method - reverse engineering of software DVD players. The best part? When the HD-DVD key was leaked, the publishers revoked it quickly and released an updated version of the DVD player. The new key was extracted and spread across the Internet about a month later.