Obfuscate:
verb (used with object), ob·fus·cat·ed, ob·fus·cat·ing.
to confuse, bewilder, or stupefy.
to make obscure or unclear:
to darken.
I personally prescribe to obfuscation for my own purposes, using different email address or even renting out a post office box to receive certain types of mail. I do this for two reasons, the first is it’s convenient for organizational purposes. If I’m working I use my work email, if I’m organizing a game night I use my personal email, this allows me to more fully segregate my activities and better focus on the one at hand. The post office box allows me to move from one place to another without missing a letter. Those are two good reasons to create obfuscation. A bad reason is for security.
A very famous form of obfuscation is Hillary Clinton’s email server. You know, the “emails” email server. As Secretary of State she was not using a ‘state.gov’ email address, instead she was using a private email server. That was some fancy smoke and mirrors, but as we learned that obfuscation was not a replacement for security. State actors saw through her disguise and infiltrated the email system, at least once.
Obfuscation can help to streangthen a security system. A good example is ussing more than one password for different websites. I hope that’s more than common knowledge, I hope it’s common practice. But the most important part of using different passwords is that they are passwords. They are used in conjunction with your username to create a login system. If you just had a user name the system wouldn’t be very secure would it, even if “only you” knew your user name. Anyone else could guess, or systematically try your username and gain access to the information.
The reason I’m bringing this up is because my school sent an email today that really got under my skin. It looked like this:
Dear David,
Do you know what you currently owe on your student loans? As part of the Know More, Borrow Less initiative, the Office of Student Financial Aid is providing annual information on your cumulative education loan debt.
https://ung.awardletter.com/document/link/KNzqEFaaceJ8lrHNHMUMkL!L
That link lead directly to a webpage that contained, as you might guess, the total amount of my outstanding student loans. I immediately sent an email demanding that the webpage be removed. In their reply the office told me that the links were randomly generated and that ‘no one’ could guess my link. I was livid.
This randomly generated link is exactly the insecure scenario that I described above. Once generated, the ‘random’ part of that link is associated with my data, it’s effectively my user name, and there’s no password involved. It wouldn’t take a spider on a raspberry pi, maybe a week to scrap the possible combinations of the 24 characters of randomized data in that URL. In a week, with equipment that costs less than $20, I could identify just how much money every student that goes to my school owes in student loans. I’m not going to, but I could.
This is not a secure system, it’s also unsolicited and possible illegal due to the heavy regulations around the release of student information to the public.
Security is at the least supposed to deter a malicious actor, maybe slow down a determined actor, but in this case the obfuscation of a URL does neither. I would expect more from the University System of Georgia.
Update: Were my personal opinion is that the security considerations for this campaign were misguided; it’s intent and effect were well placed and properly executed. The page was designed to communicate the cost of student loans, it included the total amount of loans the student had taken as well as the projected total after interest, as well as the sum of that interest. In a world where some young adults do not recive adiquate personal financial training the college was giving them enough information to realize the long term effects of their immediate spending habits. A noble endeavor.
Kudos as well to the administrator who responded to my request for my information to be taken down. It was only a matter of hours before my request resulted in the page being removed. That responsiveness shows a tactical competence by the school.