Security through obscurity is more dangerous than no security at all. What one person can discover another can discover, so one has to assume that the security hole will be known. However, if it is not obvious it is known, then you get the following negative effects (amongst others):
1. Reduced incentive to fix the problem IF you are even aware of the problem.
2. A false sense of security which could lead to very bad decisions (i.e. placing sensitive data or functionality in insecure areas).
3. As a result of the above two items, a real opportunity to exploit the problem in a malicious, lasting manner. Though most hackers are not really malicious and do not gain material profit, there are some who would. And an environment where people have a false sense of security and security holes go by and large unfixed is a very fertile environment for long term malicious exploitation.
If these holes are published, some possible consequences are:
1. Higher activity of exploitation. There may be many more people or organizations exploiting the hole, but these will tend to be more spontaneous, more visible, and more short term, especially considering the reaction (fixing the problem) that such actions cause.
2. Systems will garner more scrutinization. Though this may come from outside sources looking for further security holes, possibly with the intent of exploiting them, the more a system is pulsed and attacked the more secure it will be in the long run.
Really, in summation of these two points, yes, there could be some pain caused by releasing this information, but the pain will be short and from a relatively obvious source. Also, it pushes the overall security level up. Additionally, it raises security in the consciousness of the general public, who, in general, are painfully ignorant of the subject.
In short, the Microsoft argument is pure sophistry, and I would not be surprised to hear your post is a troll, as it is a classic argument which is oft refuted; but it does serve as a nice platform for discussion.
This signature intentionally left blank.