>> Master keys are the very definition of "security through obscurity".
Not really. A key is like a physical password. Security by obscurity is "I'm betting you don't know what kind of lock/encryption I'm using." Legitimate security is "I won't give you my key/reveal my password."
Just because there's a secret doesn't mean you're Doing it Wrong. "Something you know" is a valid authentication factor.
As I see it, though, the issue is that I can walk up to your house, notice that you're using an XYZ-brand lock as I knock on the door, give you a standard door-to-door spiel, you turn me away and you forget about me before you're back on your couch.
Half an hour later I have a master key to your house because I Googled "XYZ master key" and filed the appropriate key blank to match. How do you combat that?
That's the security-by-obscurity argument - once the information on "XYZ master key" is available, your house is compromised and you can't fix it by rekeying, only by replacing all XYZ-brand locks with a different brand.
Security through obscurity is, ultimately, betting your system on something you can't ever change.
A key that you give out to thousands of people and cannot be changed afterwards ceases to be a key and becomes an intrinsic part of the system.
With a real key, when a leak like this happens, you invalidate the leaked key and issue a new one. In this particular case, they're basically stuck hoping that nobody does anything nefarious with this key.
The mere existence of a physical key does not make it security through obscurity. It's the fact that the same physical key is distributed to thousands of people with no good way to control them all or compensate for a leak that makes it security through obscurity.
> The mere existence of a physical key does not make it security through obscurity. It's the fact that the same physical key is distributed to thousands of people with no good way to control them all or compensate for a leak that makes it security through obscurity.
Semantic nitpick, but how does that make this security through obscurity? S.T.O. is not betting your system on something you can't ever change, it's betting your system on hoping the attacker won't guess how the lock works. I think we should be careful not to use inappropriate labels, as this dilutes the language and makes it more difficult to communicate.
My point is that if you set up a master key in the fashion described, such that thousands of people have access to it and it's basically impossible to change, that key becomes part of the system, rather than being a separate key. It becomes part of "how the lock works".
To quote Kerckhoffs's principle, which Wikipedia leads me to believe is the basis of the whole concept of security through obscurity:
"Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents"
Despite the name, this master key is not a "key" in the cryptographic sense. Any system intended to provide security without a key is necessarily relying on security through obscurity.
It's a different sort of "security through obscurity". We all know that many locks (elevators, etc) have a master key -- we see the receptacles every time we ride in such an elevator. The obscure part is not that there IS a master key, but rather its shape.
A master key is the same as a backdoor known to few. Whether you're using a key that fits the lock, or know that 'Joshua' is the superuser's login, it's still a "secret" which only provides protection while it's actually secret. I think it still counts as STO.
Not meaning to start any kind of semantic flame war, but I'm still not convinced.
> Whether you're using a key that fits the lock, or know that 'Joshua' is the superuser's login, it's still a "secret" which only provides protection while it's actually secret.
But isn't the same true about passwords? Aren't passwords secrets providing protection only when they remain unknown?
The problem here lies, IMO, not with secrecy but with the password/key distribution and protection. I could imagine a situation similar to the one described in the article if an administrator gave the server's root password to half of the company staff, hoping that no one leaks it.