If obscurity is useless, then why does the Army camouflage tanks? Why not just paint them blazing orange/pink and let them stand on their own defenses? There is a place for obscurity in security and the endless parroting of "security through obscurity is useless" should stop.
It seems like the argument against security through obscurity is similar to the argument that T(n) = 10,000n^2 is equivalent to T(n) = 10n^2, as both are O(n^2) even though they have vastly different coefficients.
At the end of the day, they have the same Big-O notation, but one of them is a thousand times better than the other.
Sometimes the coefficients matter. Obscurity in security is like the 'lost' coefficient in Big-O notation: it's not the first thing you should focus on, but it can really help.
It's not that obscurity is useless, it's that it often inconveniences the legitimate user as much as the attacker. "Often," in this case, scales with the size of the organization. Changing the ssh port on your home server might not be overly inconvenient. Changing the ssh port in a 1.4 million person organization puts you on the wrong side of the cost/benefit curve.
Obscurity isn't useless in all situations, but in this case it's important to realize that changing the port number is really only effective in preventing scanning attacks.
For a targeted attacker, finding the new port is trivial. (There are only 65k of them...)
Comparing service discovery with maintaining a fog of war isn't really an apt comparison.
How about using "password" as a password if security is so good? Or do you suggest people keep track of 255 UTF-8 characters for a password?
An attacker would still need to go through all 65k ports. I would assume that by even falsely scanning 5 ports, the attacker gets immediately null-routed and still gets no response. I would also hope such programs have a paranoid sense of security, so that they would deny user/password if either is false by not even providing a response, as if the program didn't exist.
Due to the lack of feedback, users will experience inconvenience and confusion about why ssh doesn't work. Much like the passwords example, there's a trade-off between usability and security with varying obscurity levels.
> I would assume by even false scanning 5 ports, the attacker gets immediately null-routed and still get no response.
So run the scan using a botnet. Each machine makes one attempt (there are some really big botnets out there). There's no way for the machine to prevent the attacker from finding the port being used, unless the machine notices that lots of requests are coming in from unknown machines and starts refusing all requests - of course, refusing requests from unknown machines is a good thing to do if you're being paranoid. Use a whitelist of allowed machines, not a blacklist of disallowed machines.
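As an added example (not code from anyone in this thread), the following Python sketch makes the two preceding points concrete from the defender's side: the "null-route after 5 probed ports" idea from the earlier comment, and this reply's point that a per-source threshold is blind to a scan spread across many sources, which is why an allowlist of known machines is the robust policy. The log format, IP addresses (RFC 5737 documentation ranges) and threshold are all constructed for the illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall-drop log in a simplified format (not from any real firewall).
# Source 203.0.113.5 probes six ports on its own; six hosts in 198.51.100.0/24
# probe one port each; 192.0.2.7 is a known machine that connects successfully.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DROP src=203.0.113.5 dport=22
2024-05-01T10:00:02Z DROP src=203.0.113.5 dport=2222
2024-05-01T10:00:03Z DROP src=203.0.113.5 dport=2200
2024-05-01T10:00:04Z DROP src=203.0.113.5 dport=8022
2024-05-01T10:00:05Z DROP src=203.0.113.5 dport=10022
2024-05-01T10:00:06Z DROP src=203.0.113.5 dport=22022
2024-05-01T10:01:01Z DROP src=198.51.100.10 dport=22
2024-05-01T10:01:02Z DROP src=198.51.100.11 dport=2222
2024-05-01T10:01:03Z DROP src=198.51.100.12 dport=2200
2024-05-01T10:01:04Z DROP src=198.51.100.13 dport=8022
2024-05-01T10:01:05Z DROP src=198.51.100.14 dport=10022
2024-05-01T10:01:06Z DROP src=198.51.100.15 dport=22022
2024-05-01T10:02:00Z ACCEPT src=192.0.2.7 dport=22022
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "action": m["action"],
                           "src": m["src"], "dport": int(m["dport"])})
    return events


def per_source_scanners(events, threshold=5):
    """The 'null-route after N probes' policy: flag any single source that
    hit at least `threshold` distinct dropped ports."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            ports[e["src"]].add(e["dport"])
    return {src for src, p in ports.items() if len(p) >= threshold}


def distributed_probe_count(events, threshold=5):
    """Count distinct dropped ports probed by sources that the per-source
    policy did NOT flag. A large number here with zero flagged sources is the
    signature of a scan spread across many machines."""
    flagged = per_source_scanners(events, threshold)
    return len({e["dport"] for e in events
                if e["action"] == "DROP" and e["src"] not in flagged})


def allowlist_verdicts(events, allowlist):
    """Allowlist policy: a source is permitted only if it falls inside one of
    the configured networks, regardless of how many ports it touched."""
    nets = [ip_network(n) for n in allowlist]
    return {e["src"]: any(ip_address(e["src"]) in n for n in nets) for e in events}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source flagged:", per_source_scanners(evs))
    print("ports probed by unflagged sources:", distributed_probe_count(evs))
    verdicts = allowlist_verdicts(evs, ["192.0.2.0/24"])
    print("allowed under allowlist:", sorted(s for s, ok in verdicts.items() if ok))
```

Run as-is, the per-source rule catches only 203.0.113.5, the six single-probe hosts slip past it even though together they covered exactly as many ports, and the allowlist admits only 192.0.2.7 without needing to count anything. The aggregate counter is a detection aid, not a blocking rule: it tells you a distributed scan happened, while the allowlist is what actually keeps unknown machines out.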
Is there really no way for the machine to prevent private ports from being known without a specific call? It seems to me that machines are designed to follow the standard to be nice and respond back [0]. Even with a whitelist, I have concerns that the machine is opening itself up to a DDoS SYN attack by simply replying back with rejections.
Tanks don't have camouflage for defensive protection from attacks - they have it to reduce the likelihood of detection.
This is exactly the same as how a computer system attacker will attempt to disguise their attacks as legitimate traffic, and how honeypot systems disguise themselves as real targets to attempt to detect attackers.
Security is a subtle field. "Security through obscurity is useless" is a useful starting point, but - as with most things - you need to understand what it means.