Paul Gilmartin wrote:
>I believe otherwise. I know of a case where a vendor allowed a product
>to escape to the field containing a tester's back door, and another
>related to II14489. Either could be exploited with no brute force,
>merely knowledge of the existence and nature of the defect. In the
>case of the latter, the vendor chose to obscure the details very long
>term to protect customers who might not have installed the fix.
>"That's security by obscurity."

But that's still the same thing, just smaller: IF they knew about it, then they could exploit it. It's just a matter of degree. Similarly, OCO makes it harder to find the way around, say, a CPUID or license key.

>But protecting passwords is a valid use of "That's security by
>obscurity." A password is not a pervasive defect as those other cases
>are.

"protecting passwords" in what context? I'm sure your point is valid but it's escaping me!

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN