undefined | Better HN

0 pointsstaunton3y ago0 comments

> don't rely on security through obscurity

Which doesn't mean you shouldn't also use obscurity. NIST recommends it [1], and the industry widely uses it. In practice "don't rely on obscurity" usually means "have enough security besides obscurity to give you a grace period to switch out the obscurity". That's for whole systems, you might get away with people knowing you use standardized primitives like AES.

[1]: https://csrc.nist.gov/news/2021/revised-guidance-for-develop...

0 comments

AlotOfReading3y ago

Everything we know about the subject of this discussion (windows product key validation) comes from reverse engineering the relevant DLLs because none of it has been discussed publicly. I think MS is probably of a similar opinion regarding publishing unnecessary details.

j / k navigate · click thread line to collapse

0 pointsstaunton3y ago0 comments

> don't rely on security through obscurity

[1]: https://csrc.nist.gov/news/2021/revised-guidance-for-develop...

0 comments

AlotOfReading3y ago

j / k navigate · click thread line to collapse