[20955] in bugtraq
RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
daemon@ATHENA.MIT.EDU (Thomas Corriher)
Sun Jun 10 20:31:54 2001
Date: Sun, 10 Jun 2001 11:57:19 -0400 (EDT)
From: Thomas Corriher <tcorriher@earthlink.net>
Reply-To: Thomas Corriher <tcorriher@earthlink.net>
To: <bugtraq@securityfocus.com>
Cc: <gerweck@yahoo.com>
In-Reply-To: <20010607184706.50407.qmail@web10401.mail.yahoo.com>
Message-ID: <Pine.LNX.4.33.0106101144360.14526-100000@desktop>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 7 Jun 2001, Andrew Gerweck wrote:
> From: Andrew Gerweck <gerweck@yahoo.com>
> To: bugtraq@securityfocus.com
> Subject: RE: SECURITY.NNOV: Netscape 4.7x Messanger user information
> retrival
> Date: Thu, 7 Jun 2001 11:47:06 -0700 (PDT)
>
> > does not qualify as an exploit. This information would seem
> > useful only if we believed that security through obscurity had
> > merit. Compound this with the fact that most people are not even
>
> Doesn't security by obscurity have some value?
>
> In my opinion, it's naive to think that it's okay for software to
> disclose unnecessary information about its users. While obscurity
> alone is hardly a good security policy, it's one tool in a toolbox
> that can help keep a system secure.

I am corrected. You are correct that I should not have made a
blanket statement about obscurity in all cases. I think most
of us would agree that the less information an attacker is
given the better. Perhaps I should have said security through
obscurity should not be relied upon, but it can add an extra
"layer" of security. Anything that makes an attacker's work
more difficult must have some merit.

Don't worry about a "flame war". My ego isn't that big, and I
hope that the same applies to all the other readers here.
Mailing lists lose their usefulness when people are afraid to
participate in the discussion.

--
Thomas Corriher
Home Phone: 1-704-921-2470
Mobile Phone: 1-704-737-2038
Use Linux? Get counted at http://counter.li.org/