Bugtraq mailing list archives

RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival


From: woods () weird com (Greg A. Woods)
Date: Sat, 9 Jun 2001 11:21:33 -0400 (EDT)

[ On Thursday, June 7, 2001 at 11:47:06 (-0700), Andrew Gerweck wrote: ]
Subject: RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival

> Doesn't security by obscurity have some value?

Quite the opposite when it misleads people into a false sense of security.

> I'm trying to avoid a flamewar by repeating: obscurity is not a good
> security policy.  It is often useful to treat it as completely
> valueless.  I'm simply suggesting that it's not valueless in all
> cases, and we understand unnecessary information disclosure to
> represent a security problem, instead of dismissing it.

It's only of value when its full implications are understood completely
by those using it.

Sometimes the best place to hide something *is* in plain view, but if
you don't know that's what you're actually doing then you may not have
hidden it properly at all.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>

