Bugtraq mailing list archives

RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival


From: Andrew Gerweck <gerweck () yahoo com>
Date: Thu, 7 Jun 2001 11:47:06 -0700 (PDT)

> does not qualify as an exploit.  This information would seem
> useful only if we believed that security through obscurity had
> merit.  Compound this with the fact that most people are not even

Doesn't security by obscurity have some value?  

In my opinion, it's naive to think that it's okay for software to
disclose unnecessary information about its users.  While obscurity
alone is hardly a good security policy, it's one tool in a toolbox
that can help keep a system secure.

I don't think that there are many examples of functional security
systems that don't involve obscurity on some level.  Whether it's a
private key, a secret password, a unique credit card number, or the
particular patterns on your fovea, there's always something obscure
involved in security.

Particularly in the case of massively used software, obscurity isn't
always a bad thing.  Contrary to popular slogans, obscurity is often
preferable to nothing, and can complement a real security policy
quite nicely.  I'm not advocating the obscurity in which security
holes in widely used software are kept secret.  I think that certain
internet security communities do themselves a great disservice by
pretending that obscurity means nothing.  That mentality is useful
when designing a security policy, but not as a mantra for application
to every situation.

I'm trying to avoid a flamewar by repeating: obscurity is not a good
security policy.  It is often useful to treat it as completely
valueless.  I'm simply suggesting that it's not valueless in all
cases, and that we should understand unnecessary information
disclosure to represent a security problem, instead of dismissing it.

--Andrew Gerweck


