> does not qualify as an exploit. This information would seem
> useful only if we believed that security through obscurity had
> merit. Compound this with the fact that most people are not even

Doesn't security by obscurity have some value?

In my opinion, it's naive to think that it's okay for software to disclose unnecessary information about its users. While obscurity alone is hardly a good security policy, it's one tool in a toolbox that can help keep a system secure.

I don't think that there are many examples of functional security systems that don't involve obscurity on some level. Whether it's a private key, a secret password or a unique credit card number, or the particular patterns on your fovea, there's always something obscure involved in security.

Particularly in the case of massively used software, obscurity isn't always a bad thing. Contrary to popular slogans, obscurity is often preferable to nothing, and can complement a real security policy quite nicely. I'm not advocating the obscurity in which security holes in widely used software are kept secret.

I think that certain internet security communities do themselves a great disservice by pretending that obscurity means nothing. That mentality is useful when designing a security policy, but not as a mantra for application to every situation.

I'm trying to avoid a flamewar by repeating: obscurity is not a good security policy. It is often useful to treat it as completely valueless. I'm simply suggesting that it's not valueless in all cases, and that we understand unnecessary information disclosure to represent a security problem, instead of dismissing it.

--Andrew Gerweck
This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 11:37:34 PDT