[ On Thursday, June 7, 2001 at 11:47:06 (-0700), Andrew Gerweck wrote: ]
> Subject: RE: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
>
> Doesn't security by obscurity have some value?
Quite the opposite when it misleads people into a false sense of security.
> I'm trying to avoid a flamewar by repeating: obscurity is not a good
> security policy. It is often useful to treat it as completely
> valueless. I'm simply suggesting that it's not valueless in all
> cases, and we understand unnecessary information disclosure to
> represent a security problem, instead of dismissing it.
It's only of value when its full implications are understood completely
by those using it.
Sometimes the best place to hide something *is* in plain view, but if
you don't know that's what you're actually doing then you may not have
hidden it properly at all.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>