Security
Today this blog post turned up on Hacker News, titled “Obscurity is a Valid Security Layer”. It makes some excellent points on the distinction between good and bad obscurity and it gives an example of good obscurity with SSH.
From the post:
I configured my SSH daemon to listen on port 24 in addition to its regular port of 22 so I could see the difference in attempts to connect to each (the connections are usually password guessing attempts).
Today my new Yubikey arrived, a Yubikey 4. There’s a whole load of features packed into the YubiKey, but the only feature I really use is the OpenPGP applet, which emulates an OpenPGP smartcard.
This is the only device that is trusted to see my private GnuPG keys at the points where I use them. It helps to keep track of where my keys are, as they can only be in a single place.
In the past, I had a Facebook account. Long ago I “deleted” this account through the procedure outlined on their help pages. In theory, 14 days after I used this process my account would be irrevocably gone. This was all lies.
My account was not deleted and yesterday I received an email:
[Image: screenshot of the email I received from Facebook]
It took me a moment to figure it out, but what had happened here is someone had logged into my Facebook account using my email address and password.