Security Through Obscurity: What do you think?

InactiveX
BeOS Forever
Posts: 1385
Joined: Wed Jul 24, 2002 8:25 am
Location: UK

Post by InactiveX

What does everyone think about Microsoft's "Security Through Obscurity" strategy for dealing with vulnerabilities?

I'm of the opinion that holes should be publicised as soon as they are discovered, rather than waiting months for MS to do something about a patch. This would force them into moving much quicker, and people can take steps to minimise any damage that could arise.

Take the recent Windows XP Help Centre vulnerability (http://www.bp6.com/forum/viewtopic.php?t=218). It took MS from June 2002, when they were alerted to the existence of the hole, until earlier in September, when Service Pack 1 was released, for the vulnerability to be dealt with. I think this is just not good enough. If a similar hole were found in, say, Linux, you can bet that it would have been fixed within 24 hours.

But Microsoft believe that we should keep quiet about any exploits we discover until their OS engineers decide to get off their backsides and do something.

As far as I know, the XP hole wasn't exploited in any serious malicious way, but it would only take one person in-the-know to publicise it on some hacker IRC channel and all the script kiddies in the world would have been deleting stuff from Windows hard disks.

Is it not better that everyone knows about vulnerabilities as soon as they are found so that they can take steps to protect themselves? If not, then aren't MS obliged to fix these holes a good deal quicker than they usually do?

On a side note, I'm beginning to think that MS are using the hole to their advantage - to push uptake of SP1 and the hardened-up product activation included in it. But that's just my theory...