But, it would be possible, however very unlikely, to guess? Or is that
considered "brute force"?

Originally documented in Boris Hagelin's patent, in mechanical form.

That's kind of narrow thinking, isn't it?
I agree with all that, but, the statement seems to still apply, at least
to me. If one doesn't know how to access, then, it is obscure, or by
the statement, unknown, right?

You need to search for and watch a very short George Carlin video discussing the18th century definition of the f-word. It's on You-tube.

"tap with a stick"

To people who are asked by clients to look at this stuff "Security by obscurity" means chanting the mantra "no known vulnerabilities" and bragging about the size of the forest you are about to hide a tree in.

It depends on people not knowing truth and wanting to believe something is true. Poke around in the "Hidden Brain" podcasts for the one covering how people are more apt to believe something completely false without ever verifying it if it supports something they already believe to be true or wish to be true.

People don't search for truth, they search for things that support their opinion. On rare ocassions they ask someone like me to blue-sky how their opinion screwed them.
And honestly, that has less than zero to do with this conversation than you are capable of realizing.

This entire conversations started what now feels like a lifetime ago in my Qt circles on TLS/SSL. People on PC platforms are even more gullible when it comes to believing in one-and-done security than midrange. People chanting they were "secure" because they used SSL/TLS.

https://www.cloudinsidr.com/content/known-attack-vectors-against-tls-implementation-vulnerabilities/

I'm not going to put an extreme search effort into it, but if you poke on-line you will find a link explaining how a Ubuntu "maintainer" helped out the upstream developers cleaning up a compilation warning that then limited all values to 32-bit. What is printed in the book, doesn't matter.This was out there a long time. It impacted every YABU distro, many of which are used for servers in financial transactions.

Prior to life really changing this year, I purchased a 4TB WD black drive to set up a database on because it looked like, testing with the command line tool, there was a severe TOD sensitivity on Ubuntu 18.04 as well. I did not get around to writing the code to generate the database.

I wanted to prove the TOD sensitivity then we could dig in to see if this was introduced by AGILE software development, inept programmer (which AGILE pretty-much indicates) or a compiler introduced issue. Here is a really long and boring read on some of the compiler introduced vulnerabilities.

https://arc.aiaa.org/doi/10.2514/1.I010699
Size of the forest where you are hiding a tree. Completely ignoring the fact the tree you are hiding is a Redwood and the forest you are using is in Wisconsin.

Not in today's world. Not for people who are asked to think about such things. Not for someone looking to hit a single specific target.

Myth #1 of security: A hacker needs everything

No. You don't. If you want to avoid getting caught the longest you can, you well and truly don't want everything. All you really need is "sniffing" access along a feeder and some general public knowledge.

Before you try and spin this into one of your academic imaginary worlds where only you exist, I haven't thought about this in a long time. Winging from memory rather than bothering to look up. The scenario was, as I recall,

1) published XML standard being used
2) single message containing the short XML transaction (like a CC request for authorization)
3) SALT
There was some other piece here that is in my notes on another machine and archived in a long discussion elsewhere.

You know for a fact the message starts with:
<?xml version="1.0" encoding="UTF-8"?>
to be safe you can stop with just: <?xml version="

When the SALT has a TOD sensitivity such that between 2pm and 4pm local time only the last 5 really change (what I had stumbled into with some casual testing) you now only need the password. You know, that's not as difficult as it sounds given the helpful pages like this:
https://help.pearsoncmg.com/rumba/b2c_self_reg/en/Content/b2c_signin_guidelines.html
scattered all around the Internet and most certainly there will be one for your target. On that page you will find a section worded much like this:

======
Password

Your password:

Must be between eight and 32 characters long.
Must include at least one number or special character and one letter.
Can contain any letters a to z and any numbers from 0 through 9.
Can contain some special characters, including @ (at sign) . (period) - (hyphen or dash) _ (underscore).
Cannot contain spaces or non-English characters (such as é).
Is case-sensitive.
Must be different from your first name, last name, and username.

======

I now have all I really need to put my little BOT-NET to work generating entries for a PostgreSQL database. Each table will be named based on the SALT value. Each BOT is given a very simple task.
"Take this list of 100 valid generated passwords using this SALT value and encrypt <?xml version= returning the result for each."
That's it. Once per hour each of your hundreds or thousands of bots gets a tiny packet, possibly less than 1K in size. It does an imperceptibly small amount of calculations and returns, possibly 2K. If you have identified that between 2-4pm the generated SALT will only very within the last 5-digits you now just have 99,999 tables. The password rules mean you don't have all permutations of 32 characters, just a severely limited subset. You are searching for the pre-amble of __exactly__ one known message. The side effect is you _can_ now decrypt every other single XML packet you happen to sniff.

Operation one just builds the database. It gets better over time. How much time depends on how many BOTS you have and how heavy you want to load them.
Operation two is the sniffer. It wakes up near 2pm and shuts down near 4pm. Btw, there was nothing magic about 2-4pm, it was just what I was trying. You could most likely use 7-9am if you wanted people buying coffee, gas, etc. on the way to work.

Operation three receives the sniffed packets and does a partial keyed hit of the encrypted data to the table for the SALT. Upon match it decrypts the packet and routes it to another step that does some more verification before involving a human. If you are low budget and low tech, perhaps you send it straight to a human?
This is very doable today I believe. I simply have too much going on in life to devote a bunch of non-billed effort into it. Storage is certainly getting really cheap - assuming you don't want to pay some hosting service for a 100 TB you can get a "portable" (perhaps with two guys carrying it) 32TB NAS for under $2500.
https://www.newegg.com/p/14P-001N-00010?Description=32tb%20nas&cm_re=32tb_nas-_-14P-001N-00010-_-Product&quicklink=true

Each "record" in each table only has the VARCHAR password and the VARCHAR target encrypted output. Given the previous example that means 32 or fewer characters for the password (many probably closer to eight). What? At most another 32 characters for the target which will be the alternate key? You don't even need a big BOT-NET, just time.

The database can even be "rented out" to evil doers. If the packet has a pure XML message started with the universal beginning and has a SALT within range, it has a high probability of cracking it with a single keyed hit.
Now. I have spent far too long on this. I really have to get on with what I'm supposed to be doing today.

Far too many people in IT try to hide a Redwood in Wisconsin.
Believe it or not; a large number of transactions on the Web are just one XML object in a "secured" packet.

I think you misunderstand me.

I'm not saying that an attacker doesn't know the algorithm, I'm saying
the attacker does not know the secret key. But, however unlikely, an
attacker could "guess" the secret key on his first try. It is the fact
that an attacker doesn't know the secret key is the "obscurity" aspect
of the security. Since an attacker could get incredibly lucky and guess
the secret key on his first attempt, then it is only the difficult of
that guess that is the security.

Right. I think that folks here understand. However, the term "security
by obscurity" has a very specific meaning, and it is confusing to use it
to mean something else.

By your definition, all forms of access restriction are "security by
obscurity", since those who have access have it because they have
something which those who don't don't, though they could, theoretically,
bluff their way through and get lucky.

The real problem with reading up on it is it leads people to be lulled into a false sense of security. That there really is a one-and-done solution. It also leads to people chanting the mantra "no known security vulnerabilities".
Bingo! <to quote Dave>

Again, see the very long response to Arne.

Every false sense of IT security is based on the false belief that a hacker needs or wants absolutely everything. One of the re reasons CC fraud is so rampant is that belief being patently false. They have progressed to the point of charging a few hundred dollars and moving on.

It doesn't matter how perfect the algorithm seems on paper. Compiler optimization introduces issues. AGILE (and by definition low quality) developers fail to understand said algorithm and implement something that only passes the tests they write. Maintenance developers, like the Ubuntu maintainer who decided to "help out upstream" by getting rid of a compilation warning reduce a critical variable to 32-bits in size.

All of this makes the grand assumption the attacker is trying to get in and the even grander assumption they have to know everything because they don't know what they are looking for.

When they are just sniffing packets (collecting echoes really) of authorization request packages being routed to a merchant/cc processor, they are just looking to crack _some_ of them. Fraud investigators try to identify breaches based on shopping patterns of the victims. When they are scattered around the country at different merchants it makes it really difficult; especially when the forensics of the Merchant/CC processor system turn up clean and everyone working there passes a polygraph.

The big business of CC fraud has simply backed into the answer they need like mathematicians back into answers to problems they cannot solve. Instead of saying
"I know the SALT and I know it is an XML packet, but I can't solve for X (the password)" like most gullible enough to believe encryption is secure they appear (at least in my thinking) to have taken the pragmatic approach.

1) "<?xml version=" is at the beginning of every packet I'm interested in.
2) I know the rules for the passwords so it is not every permutation of 32 characters, rather it is a significantly limited subset. Most will be the minimum 8 and definitely under 20 because people hate typing as well as coming up with new passwords. Many people end their passwords with "_n" where n is a number because far too many financial institutions make them change it every month or 60 days so this way they can just increment a number.
3) If I can find a time frame where the generated SALT is a lot less random I can build a rather complete database over time.
4) If I happen to be one of these bot-nets: https://themerkle.com/top-4-largest-botnets-to-date/ my only real problem is the storage I/O. 6+ million bots generating 100 entries per hour each will fill a 32TB NAS up pretty fast. I will need 20-30 of them scattered around the globe. Gee! I guess I will buy them with a stolen CC or 40!

Brute force has gone off-line and high tech.

No. They can't if things are to get through.
MY GOD, QUIT TYPING!!!

You have never worked with Websphere or any of the other message translation sacrificial machine on the Internet tools. I have. That's a physical impossibility. It's a physical mapping. X number of bytes from this tag in this spot. It's the exact same engine for everything.
Not when one has competent developers and has a tool like Websphere (or one of its competitors) creating fixed length messages that are ultimately being processed by COBOL via SQLmod from within an ACMS server, no, 35 is not enough because the code set doesn't allow anything through.

Now, if you are a Java programmer who knows nothing about large scale corporate systems then one byte is probably enough to knock your code over.
Absolutely anyone can edit Wikipedia. Did you quick run out and put your own definition in there?

Don't be too sure. I am aware of a microcode bug for the RET instruction on the 11/780 that was discovered about 25 years after its introduction. I know that it wasn't fixed because it was never found prior to that. So, yes things can be wrong for an extended period of time without discovery.

I can do both of them.
Well, if your going to give the nod to EBCDIC, don't ignore Fieldata.

bill

Know EBCDIC specifically? Probably only a small bunch of guys over 50.

Know that data can be stored differently and be able to
get a list of what is possible in their environment? Millions!

import java.nio.charset.Charset;
import java.util.Map.Entry;

public class CharsetList {
public static void main(String[] args) {
for(Entry<String,Charset> e :
Charset.availableCharsets().entrySet()) {
System.out.println(e.getKey() + " = " +
e.getValue().aliases());
}
}
}

list 156 encodings including 10 flavors of EBCDIC
with Java 5 on VMS.

(and 170 including 21 flavors of EBCDIC with Java 8
on Windows)

using System;
using System.Text;

namespace E
{
public class Program
{
public static void Main(string[] args)
{
foreach(EncodingInfo ei in Encoding.GetEncodings())
{
Console.WriteLine(ei.Name + " = " + ei.DisplayName);
}
Console.ReadKey();
}
}
}

list 140 encodings including 31 flavors of EBCDIC with
.NET 4 on Windows.

Arne

At present, just shy of 1300 OpenVMS servers are directly connected to
the internet, among those that are connected and not otherwise masking
their identities.

Some of those OpenVMS servers are running in AWS, too. Those likely
running under emulation.

Above server population info is publicly available.

Other OpenVMS servers are directly connected but not running services
that can be finger-printed, and others are not directly connected.

And multi-step and indirect security attacks on networks are the norm,
and not at all unusual.

Indirect access applies to OpenVMS too, some of which was described in
the previous posting but was omitted from the quoted text. That text,
TL;DR:

Exploit markets and exploit usage differs for mass-deployed clients,
and for isolated and higher-value servers.

For those running OpenVMS in production, patch to current, and
implement monitoring and telemetry for security-relevant events and
activities. Preferably with the collected data remotely logged.

Review the security of your apps and server configurations and your
processes, as well.