Mac,

> I agree with Ed
>
> This is like saying that knowing the name of someone is half the battle for
> looking up their name in the phone book so as to find out where they live so
> we can break into their home & steal from them, so the solution to that is to
> get rid of phone books, business cards etc., and not have people's names on
> mail boxes outside their residences, and no one in business give out their
> personal name or company name, when in reality it is the act of breaking into
> private property that is the banned activity.
>
> Good security is not hiding a safe in an obvious place, it is having a safe
> that cannot be cracked.

So then you have no problem with posting your full name, date of birth, home address, spouse and children(s) names, mother's maiden name, and your bank account number to this list? If your bank has good security in place, you won't really be putting yourself at any risk will you? (NOTE: please don't post any of that information here - I am just trying to prove a point!!!)

I have heard the "obscurity isn't security" so often that it is sounding less and less like a rational argument and more and more like an article of faith. But if you analyze the concept rationally, you'll have to agree that while obscurity cannot replace real security, it can and often does enhance security by reducing the number of targets available for overt selection. Some cases in point:

Passwords are meant to be kept secret (obscure) in order to limit access to systems.

Firewalls often refuse to acknowledge "ping" requests in order to hide (obscure) the fact that there is a computer residing at a particular IP address.

If I walk into your bank and request a list of all account numbers, they will refuse to provide me with that list based on the principle that it is private (obscure) information.

All of these (and countless more) examples are effective security measures that we rely on every day. They have weaknesses and drawbacks, but they provide an element of security that we rely on. Security by obscurity becomes a problem when obscurity is your only (or most prominent) point of security. Obscurity in support of other sound security measures can be, and often is, quite effective in keeping valuable information private. While obscurity will not rebuff an attack, it does reduce the likelihood that you will be singled out for attack, and so has value.

In the case of this particular exploit Ed Fischel is right that a sound security implementation is far more important in protecting user profiles from *PUBLIC viewing. That position still does not negate the fact that there is value in not allowing every user on the system to see every object in QSYS. If IBM did not agree, then they would not hide certain objects (such as the password table for one) in that same library.

jte
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work.