


Mac,


> I agree with Ed
>
> This is like saying that knowing the name of someone is half the battle for
> looking up their name in the phone book so as to find out where they live so
> we can break into their home & steal from them, so the solution to that is to
> get rid of phone books, business cards etc., and not have people's names on
> mail boxes outside their residences, and no one in business give out their
> personal name or company name, when in reality it is the act of breaking into
> private property that is the banned activity.
>
> Good security is not hiding a safe in an obvious place, it is having a safe
> that cannot be cracked.


So then you have no problem with posting your full name, date of birth, home
address, spouse and children(s) names, mother's maiden name, and your bank
account number to this list?  If your bank has good security in place, you
won't really be putting yourself at any risk will you?

(NOTE: please don't post any of that information here - I am just trying to
prove a point!!!)

I have heard the "obscurity isn't security" so often that it is sounding
less and less like a rational argument and more and more like an article of
faith.  But if you analyze the concept rationally, you'll have to agree that
while obscurity cannot replace real security, it can and often does enhance
security by reducing the number of targets available for overt selection.
Some cases in point: Passwords are meant to be kept secret (obscure) in
order to limit access to systems.  Firewalls often refuse to acknowledge
"ping" requests in order to hide (obscure) the fact that there is a computer
residing at a particular IP address.  If I walk into your bank and request a
list of all account numbers, they will refuse to provide me with that list
based on the principle that it is private (obscure) information.  All of
these (and countless more) examples are effective security measures that we
rely on every day.  They have weaknesses and drawbacks, but they provide an
element of security that we rely on.

Security by obscurity becomes a problem when obscurity is your only (or most
prominent) point of security.  Obscurity in support of other sound security
measures can be, and often is, quite effective in keeping valuable
information private.  While obscurity will not rebuff an attack, it does
reduce the likelihood that you will be singled out for attack, and so has
value.

In the case of this particular exploit Ed Fischel is right that a sound
security implementation is far more important in protecting user profiles
from *PUBLIC viewing.  That position still does not negate the fact that
there is value in not allowing every user on the system to see every object
in QSYS.  If IBM did not agree, then they would not hide certain objects
(such as the password table for one) in that same library.

jte




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.