I agree.  I think this issue is overblown.

________________________________
From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On 
Behalf Of Dan Kaminsky
Sent: Sunday, January 17, 2010 3:13 PM
To: Larry Seltzer
Cc: funsec@linuxbox.org
Subject: Re: [funsec] Facebook Image Privacy
On Sun, Jan 17, 2010 at 8:47 PM, Larry Seltzer <la...@larryseltzer.com> wrote:
>> It's a password to a single asset, which is retrieved in its entirety.  If 
>> you allow "omg, somebody could share the link" to be considered a security 
>> hole, then I can see the stories now...

I've often thought that security through obscurity gets a bad rap. Perhaps this 
is one of those cases.

Obscurity is not secrecy.  A password is secret.  So are the prime numbers at the 
heart of RSA private keys.  The difference is that analysis by an attacker will 
yield progress against an obscure system, but not against a well chosen secret.  Or, 
put another way, *systems* have to do things, so their behavior can't be as 
random as a password or a private key.
>> My real problem with it is that I've marked it for "Only Me." Why do they need 
>> to provide this link? And they only do it for images, not for plain text posts 
>> or videos where you mark it as "Only Me."
Clearly users wanted to know how to take a photo that was for "only me" and 
share it with a few others, out of band.  As long as the photo isn't showing up 
in open galleries, I think it's pretty clear that user intent is actually being 
scrupulously respected.
Larry Seltzer
Contributing Editor, PC Magazine
larry_selt...@ziffdavis.com
http://blogs.pcmag.com/securitywatch/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.