This brings us to security through obscurity (obtaining security because data and processes are hidden from the attackers). The basic understanding of defense by an arbitrary engineer often works like this. I will write a process that obscures data in one way, and since the attacker doesn't know how it's done, meaning he doesn't have access to the source code, the attacker will not be able to determine what the data is and will not be able to hack my program or users.

This is a common misunderstanding about the ability or desire that attackers have when .they want to break software. Suppose a device stores all the possible encryption and decryption keys into a computer chip on the device. When media is distributed, it will already be encrypted, and the device requires the knowledge of what all the keys can be so it can decrypt the data. This secures the information on the media, as long as no one figures out that every device shipped that uses the media always has all of the possible keys stored on the device. If this doesn't sound familiar to you, review the case the Electronic Frontier Foundation (EFF) has been helping defend for Andrew Bunner who republished software that could allow the playback of DVD media on Linux-based computers. On January 22, 2004, the DVD Copy Control Association dropped the case. This case was an argument between the publishing of secrets that were only...