On Thu, 7 Jun 2001, Andrew Gerweck wrote:

> From: Andrew Gerweck <gerweckat_private>
> To: bugtraqat_private
> Subject: RE: SECURITY.NNOV: Netscape 4.7x Messanger user information
> retrival
> Date: Thu, 7 Jun 2001 11:47:06 -0700 (PDT)
>
> > does not qualify as an exploit. This information would seem
> > useful only if we believed that security through obscurity had
> > merit. Compound this with the fact that most people are not even
>
> Doesn't security by obscurity have some value?
>
> In my opinion, it's naive to think that it's okay for software to
> disclose unnecessary information about its users. While obscurity
> alone is hardly a good security policy, it's one tool in a toolbox
> that can help keep a system secure.

I am corrected. You are correct that I should not have made a blanket statement about obscurity in all cases. I think most of us would agree that the less information an attacker is given the better. Perhaps I should have said security through obscurity should not be relied upon, but it can add an extra "layer" of security. Anything that makes an attacker's work more difficult must have some merit.

Don't worry about a "flame war". My ego isn't that big, and I hope that the same applies to all the other readers here. Mailing lists lose their usefulness when people are afraid to participate in the discussion.

-- 
Thomas Corriher
Home Phone: 1-704-921-2470
Mobile Phone: 1-704-737-2038

Use Linux? Get counted at http://counter.li.org/
This archive was generated by hypermail 2b30 : Sun Jun 10 2001 - 17:32:27 PDT