Bugtraq mailing list archives

RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival


From: Thomas Corriher <tcorriher () earthlink net>
Date: Sun, 10 Jun 2001 11:57:19 -0400 (EDT)

On Thu, 7 Jun 2001, Andrew Gerweck wrote:

> From: Andrew Gerweck <gerweck () yahoo com>
> To: bugtraq () securityfocus com
> Subject: RE: SECURITY.NNOV: Netscape 4.7x Messanger user information
>     retrival
> Date: Thu, 7 Jun 2001 11:47:06 -0700 (PDT)
>
> > does not qualify as an exploit.  This information would seem
> > useful only if we believed that security through obscurity had
> > merit.  Compound this with the fact that most people are not even
>
> Doesn't security by obscurity have some value?
>
> In my opinion, it's naive to think that it's okay for software to
> disclose unnecessary information about its users.  While obscurity
> alone is hardly a good security policy, it's one tool in a toolbox
> that can help keep a system secure.

I am corrected.  You are correct that I should not have made a
blanket statement about obscurity in all cases.  I think most
of us would agree that the less information an attacker is
given the better.  Perhaps I should have said security through
obscurity should not be relied upon, but it can add an extra
"layer" of security.  Anything that makes an attacker's work
more difficult must have some merit.

Don't worry about a "flame war".  My ego isn't that big, and I
hope that the same applies to all the other readers here.
Mailing lists lose their usefulness when people are afraid to
participate in the discussion.


-- 
  Thomas Corriher
  Home Phone:  1-704-921-2470
  Mobile Phone: 1-704-737-2038

   Use Linux?  Get counted at http://counter.li.org/

