Amergin wrote:
>
> Now if M$ doesn't have a patch already available I'll be pissed. I was
> told a year and a half ago by a M$ employee that they had already found
> this bug. He told me that they knew it could be done but they were
> counting on no one else discovering it.
There have been numerous bugs that make this a possibility. I'm not
sure if this takes advantage of a known one or not. But there
are plenty to take advantage of:
http://www.jmu.edu/info-security/engineering/issues/serious.htm
(i know i need to update it.)
> Security through obscurity, works quite well as we can see.
Security through obscurity is much maligned IMHO. Security is
relative, its not absolute. Most any measure can be overcome
with the right amount of time, money, and motivation. If you
make the key length such that all the computers in the world
can't break it in eons, the attackers go after where the key is
stored, the PIN, the card, the password protecting it, the person
carrying it, their desktop, etc. Ergo, security is a finite fence.
If I can make it more difficult for interlopers to climb,
poke a hole in, or crawl under my fence, I'm improving
security by decreasing the number of people with the
time, money, and motivation to do so. If they have to
study something, reconoiter, guess, etc. due to
insufficient information, then I've put up an extra
barrier. Note that I don't advocate depending solely
on that barrier, but IMHO having an extra barrier can
only be good. In fact, it goes back to "defense in depth".
Shoot, 99% of all of today's security access controls
are based on obscurity...the obscurity of something
called a secret password :)
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
