Bugtraq mailing list archives
RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
From: Thomas Corriher <tcorriher () earthlink net>
Date: Sun, 10 Jun 2001 11:57:19 -0400 (EDT)
On Thu, 7 Jun 2001, Andrew Gerweck wrote:
> From: Andrew Gerweck <gerweck () yahoo com>
> To: bugtraq () securityfocus com
> Subject: RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
> Date: Thu, 7 Jun 2001 11:47:06 -0700 (PDT)
>
> > does not qualify as an exploit. This information would seem useful only if we believed that security through obscurity had merit. Compound this with the fact that most people are not even
>
> Doesn't security by obscurity have some value? In my opinion, it's naive to think that it's okay for software to disclose unnecessary information about its users. While obscurity alone is hardly a good security policy, it's one tool in a toolbox that can help keep a system secure.

I am corrected. You are correct that I should not have made a blanket statement about obscurity in all cases. I think most of us would agree that the less information an attacker is given the better. Perhaps I should have said security through obscurity should not be relied upon, but it can add an extra "layer" of security. Anything that makes an attacker's work more difficult must have some merit.

Don't worry about a "flame war". My ego isn't that big, and I hope that the same applies to all the other readers here. Mailing lists lose their usefulness when people are afraid to participate in the discussion.

--
Thomas Corriher
Home Phone: 1-704-921-2470
Mobile Phone: 1-704-737-2038
Use Linux? Get counted at http://counter.li.org/