#SecurityByObscurity has struck again. This time #TETRA is apparently quite easy to hack.
https://de.wikipedia.org/wiki/Terrestrial_Trunked_Radio
That's the #Behördenfunk (public-safety radio) in #Deutschland: https://de.wikipedia.org/wiki/Digitalfunk_der_Beh%C3%B6rden_und_Organisationen_mit_Sicherheitsaufgaben as well as in #Österreich: https://de.wikipedia.org/wiki/Funksystem_der_BOS_in_%C3%96sterreich
Background: https://blog.fefe.de/?ts=9a415c0f
Our politicians will probably never learn to make proper IT decisions. Even the procurement scandals haven't been dealt with yet.
#Sicherheit #Verschlüsselung #Militär #Polizei #Katastrophenschutz
@brianhonan @kimzetter And also why #proprietary /secret algorithms & implementations are a bad idea.
#proprietary #encryption #securitybyobscurity #security #insecurity
#securitybyobscurity is probably what you get when you scan this internet at various addresses with the user agent "docker".
Grow up, folks! Put passwords on your registries. Wow…
"Yes, but there's nothing relevant in there"
🤦🏼♂️
I guess they've never heard of https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
#security #securitybyobscurity
Imagine you own a car of a relatively widespread model, and now people have found a way to unlock it and drive it away. No patches possible, because the manufacturer relied on #SecurityByObscurity and didn't provide for authentication at all. Unpleasant.
https://www.golem.de/news/can-spoofing-diebe-stehlen-autos-ueber-die-scheinwerfer-2304-173309.html
#Toyota #CANBus
@torrentfreak Relying on #clearnet infrastructure seems like a much bigger planning flaw than any amount of sharing publicly.
Relying on secrecy means that your entire infrastructure's functionality & design is dependent on #SecurityByObscurity and so is irremediably brittle.
#clearnet #securitybyobscurity
@marianisoehartono exactly, there is basically no way to authenticate myself except through (a) a previously set up mechanism or (b) a replacement screen. To me this is just #SecurityByObscurity. Because I would rather not accidentally delete my data (after all, the whole point is to retrieve my data), I gave up and ordered a very cheap LCD. It's a lot cheaper than the original OLED display. I'm just very disappointed that the #android devs really implemented no other way to authenticate a user.
There is a special place in hell for people that block pasting data in password fields or login names...
#securityByObscurity
TL;DR: We have a lock on the server room. We don't need to unscrew the door sign.
Explanation:
The Verfassungsschutz (domestic intelligence agency) complains that too much information about infrastructure is freely accessible.
But they don't name the actual problem. The problem isn't OpenData; rather, infrastructure should be built so that, as far as possible, it doesn't matter if someone knows the structure.
#opendata #securitybyobscurity
Egad. Another #lastpass breach? Or, I guess, the last one was a lot worse than originally disclosed?
The last time this happened, I tried to switch to #Dashlane ... but they wouldn't let me use a long password. At the time, they capped password length at 12 letters and numbers.
Been on #Vaultwarden since. I have few illusions that it's secure, but maybe #securitybyobscurity will give me the tiniest advantage just this once.
#securitybyobscurity #vaultwarden #dashlane #lastpass
Oh those stupid Wifi networks, blocking all ports except for 80 and 443! Forcing me to get to one of my machines by tunneling through my other server running an sshd on port 443. #securitybyobscurity #securitytheater
Find two faults: To access the (new) bank account, kid had to a) install a 2FA app and the mobile bank app. Now to activate the 2FA, we needed an activation code and a password. Where do they send that? Email and SMS.
Linux kernel source code apparently just got leaked by 4Chan hackers - read more on my website: https://mirkodi.tech/linux-source-code-leak-news.html.
#hackers #4chan #linuxkernel #securitybyobscurity #news
If you visit an archived #BBB page on webarchive.library.unt.edu which contains phone numbers, and you copy-paste a phone number, the digits are reversed so you end up pasting the wrong number. Of course if you scrape their site you’re likely to figure that out and your script can simply reverse the digits. This only inconveniences humans not bots. #securityByObscurity.
#Siteground redirects #Tor users to a ".well-known/captcha" link using "meta http-equiv" in the body instead of a normal 301/302 server redirect & instead of giving a 403 status, it gives a 200. E.g., run this:
curl --ssl --socks4a 127.0.0.1:9050 -L -w $'\n''(effective URL => "%{url_effective}")' 'https://www.samsonbanking.com/'
It seems they are trying to conceal their detection of bots from bots. But it's just another thing for the bot to check.
Is this an example of #securityByObscurity?
#Siteground #tor #securitybyobscurity
Expanding this further, you might also frame this as surveillance by obscurity.
Or the whole suite of information-monopoly vices: surveillance, censorship, disinformation, propaganda, manipulation.
https://joindiaspora.com/posts/7bfcf170eefc013863fa002590d8e506
All rely on a level of indirection between the target and the attacker, and on systems whose malicious behaviour is brokered by a not-immediately-apparent flaw.
#SecurityByObscurity #InsecurityByObscurity #SurveillanceByObscurity #monopoly #surveillance
We’ve been thinking about it wrong: The norm has been Insecurity by obscurity
The Crypto AG CIA backdoor story (2020) clarifies to me much of the never-ending flood of "outlaw strong crypto" thinkpieces and "lawful access" (a/k/a mandated backdoors) proposals.
I realised today that the whole #SecurityByObscurity discussion was missing a major insight: For much of the Cold War period, the operational standard has been instead #InsecurityByObscurity ...
https://joindiaspora.com/posts/b596219086b1013991d8002590d8e506
#securitybyobscurity #InsecurityByObscurity
@natecull Crypto AG clarifies to me much of the "outlaw strong crypto" and "lawful access" (a/k/a mandated backdoors) proposals.
Thinking about that earlier today (before seeing your toot), I realised that the whole #SecurityByObscurity discussion was missing a major insight.
For much of the Cold War period, the operational standard has been instead #InsecurityByObscurity
Crypto AG was an allegedly secure system which was, obscure to the public, insecure. And that insecurity (along with fear, surprise, ruthless efficiency, and an almost fanatical devotion to the Pope) seems to have been a key element of US (and #FiveEyes) surveillance capabilities from the 1950s onward. (I'm aware Crypto AG's role under the CIA began ~1970.)
But yeah, insecurity by obscurity as an operational norm. Describes much of the present Web as well.
#securitybyobscurity #InsecurityByObscurity #fiveeyes