mailing list archives
RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
From: woods () weird com (Greg A. Woods)
Date: Sat, 9 Jun 2001 11:21:33 -0400 (EDT)
[ On Thursday, June 7, 2001 at 11:47:06 (-0700), Andrew Gerweck wrote: ]
Subject: RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
Doesn't security by obscurity have some value?
Quite the opposite when it misleads people into a false sense of security.
I'm trying to avoid a flamewar by repeating: obscurity is not a good
security policy. It is often useful to treat it as completely
valueless. I'm simply suggesting that it's not valueless in all
cases, and we understand unnecessary information disclosure to
represent a security problem, instead of dismissing it.
It's only of value when its full implicatoins are understood completely
by those using it.
Sometimes the best place to hide something *is* in plain view, but if
you don't know that's what you're actually doing then you may not have
hidden it properly at all.
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <woods () robohack ca>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>