mailing list archives
RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
From: Thomas Corriher <tcorriher () earthlink net>
Date: Sun, 10 Jun 2001 11:57:19 -0400 (EDT)
On Thu, 7 Jun 2001, Andrew Gerweck wrote:
From: Andrew Gerweck <gerweck () yahoo com>
To: bugtraq () securityfocus com
Subject: RE: SECURITY.NNOV: Netscape 4.7x Messanger user information
Date: Thu, 7 Jun 2001 11:47:06 -0700 (PDT)
does not qualify as an exploit. This information would seem
useful only if we believed that security through obscurity had
merit. Compound this with the fact that most people are not even
Doesn't security by obscurity have some value?
In my opinion, it's naive to think that it's okay for software to
disclose unnecessary information about its users. While obscurity
alone is hardly a good security policy, it's one tool in a toolbox
that can help keep a system secure.
I am corrected. You are correct that I should not have made a
blanket statement about obscurity in all cases. I think most
of us would agree that the less information an attacker is
given the better. Perhaps I should have said security through
obscurity should not be relied upon, but it can add an extra
"layer" of security. Anything that makes an attacker's work
more difficult must have some merit.
Don't worry about a "flame war". My ego isn't that big, and I
hope that the same applies to all the other readers here.
Mailing lists lose their usefulness when people are afraid to
participate in the discussion.
Home Phone: 1-704-921-2470
Mobile Phone: 1-704-737-2038
Use Linux? Get counted at http://counter.li.org/