[20952] in bugtraq
RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
daemon@ATHENA.MIT.EDU (Greg A. Woods)
Sun Jun 10 19:51:04 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: woods@weird.com (Greg A. Woods)
To: Andrew Gerweck <gerweck@yahoo.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20010607184706.50407.qmail@web10401.mail.yahoo.com>
Reply-To: woods@weird.com (Greg A. Woods)
Message-Id: <20010609152133.79624117@proven.weird.com>
Date: Sat, 9 Jun 2001 11:21:33 -0400 (EDT)
[ On Thursday, June 7, 2001 at 11:47:06 (-0700), Andrew Gerweck wrote: ]
> Subject: RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
>
> Doesn't security by obscurity have some value?

Quite the opposite when it misleads people into a false sense of security.

> I'm trying to avoid a flamewar by repeating: obscurity is not a good
> security policy. It is often useful to treat it as completely
> valueless. I'm simply suggesting that it's not valueless in all
> cases, and we understand unnecessary information disclosure to
> represent a security problem, instead of dismissing it.

It's only of value when its full implications are understood completely
by those using it.

Sometimes the best place to hide something *is* in plain view, but if
you don't know that's what you're actually doing then you may not have
hidden it properly at all.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>