In my investigations with Cerritos College, a common theme has come up – the concept of “security by obscurity” (SbO). An often pejorative term within the cybersecurity industry, it refers to the idea of making a site or platform “secure” by making its configuration so obscure that no attacker would bother penetrating it. It isn’t true security; anyone who actually cares enough to attack the site will quickly get in if there are no other effective security measures. The only reason anyone bothers to justify it is that most attacks happen at scale; SbO relies on the “robber’s principle”, where any target that seems difficult is skipped in favor of someone or something easier. The problem is that this does nothing against directed attacks.
At Cerritos, SbO is the law of the land. It is the key policy of their security contractors, security teams, and legal teams; everything is hidden. Take, for instance, the December 5 Document. Cerritos’ legal department said that document should never have been disclosed, because it threatens the college’s security. But the actual “security” element – the blocking – could have been easily determined by an attacker by just trying a few websites. Or better yet, they could make a legitimate site, request automatic evaluation of it, and run traffic through that. Anyone who cares enough can easily get around such a “security” protection – so the only thing hiding the list does is stop public accountability for surveillance and censorship.
Another example is their policy on SSH and ICMP. Why are those blocked, at least according to the stated reason? Because “blocking everything we can” is the “most secure” option. That is plainly false. Having SSH open adds no new vulnerabilities compared to having 80/443 (HTTP/HTTPS) open; in fact, 80 and 443 are far more exploitable than SSH. The same goes for allowing at least some ICMP traffic to travel, such as Echo Requests and Echo Replies (the two components of pings).
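The alternative to “block everything” is a selective ICMP policy. The following is an added example and not code from the original article: it parses an ICMPv4 header from raw bytes, verifies the RFC 792 checksum, and applies an allow-list. It goes slightly beyond the article by also permitting Destination Unreachable (type 3) and Time Exceeded (type 11), which hosts need for path MTU discovery and traceroute; that allow-list and the sample packets are assumptions constructed for the demo.

```python
"""Selective ICMPv4 filtering instead of dropping the whole protocol (added example)."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
# Assumed policy: the two echo types the article mentions plus the two error
# types a host needs for path MTU discovery and traceroute. Adjust as required.
ALLOWED_TYPES = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; caller zeroes the checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Constructed sample packet (type, code, checksum, 4-byte rest-of-header, payload)."""
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unchecked)) + rest + payload


def filter_icmp(packet: bytes) -> str:
    """Return 'allow: ...' or 'drop: ...' for one ICMPv4 message; never raises on bad input."""
    if len(packet) < 8:
        return "drop: truncated header"
    icmp_type, code, received = struct.unpack("!BBH", packet[:4])
    # Recompute the checksum with the checksum field zeroed, as the sender did.
    expected = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:])
    if received != expected:
        return "drop: bad checksum"
    if icmp_type not in ALLOWED_TYPES:
        return f"drop: type {icmp_type} not in allow-list"
    return f"allow: type {icmp_type} code {code}"


if __name__ == "__main__":
    # Constructed traffic: a ping, its reply, a timestamp request, and a corrupted ping.
    samples = [build_icmp(8, 0, b"\x00\x01\x00\x01", b"abcd"), build_icmp(0, 0), build_icmp(13, 0)]
    corrupted = bytearray(samples[0]); corrupted[-1] ^= 0xFF
    for pkt in samples + [bytes(corrupted), b"\x08\x00"]:
        print(filter_icmp(pkt))
```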
SbO also tends to lead to the introduction of new vulnerabilities. Cerritos College uses ASP.NET 4.7 (2017) paired with .NET Framework 4.0 (2010). These have known CVEs and are, overall, outdated and vulnerable pieces of software. They fall into the category of SbO because their continued use is likely intentional – upgrading .NET Framework and ASP.NET is usually trivial, but the reasoning seems to be that, by running old versions, attacks against newer vulnerabilities won’t apply. A dedicated attacker, however, could just as easily exploit the older, known CVEs to get in.
Overall, SbO is not a valid reason to deny a public records request. If your request is denied on SbO grounds, or some other action you take is being stopped by SbO procedures, explain why it doesn’t apply – or even send them this article. Accepting claims of SbO uncritically allows corruption to propagate and transparency to fall; don’t let it continue.