SunWorld: Security through obscurity - Why are we helping hackers? Oct 29, 2000, 14:17
(Other stories by Carole Fennelly)
"Is security through obscurity ever a useful way to protect your network, or does it just make things easier for corporate spies and hackers?..."
"With software packages, it's a different matter entirely. End users are at the mercy of the software vendors, and are forced to rely on them to properly test their products. I used to be in a system test group and, believe me, such groups have no status in software development departments. I tried going directly to developers before writing bug reports on their software, and many appreciated my covering for their mistakes. One developer surprised me by telling me to write up the bug report even though she fixed the problem as I was talking to her. When I questioned her on this, she explained that the monthly bug report that was distributed to the entire department forced developers to do a better job at debugging their code. It also forced management to recognize that unrealistic deadlines led to bad code."
"Sadly, today's system test department is an unfunded, loosely organized group of technologists, commonly referred to as hackers. Many hackers provide exploit code to demonstrate the bug in question -- just as I did when I was in system test. The big difference is that these hackers release the exploit to the public at large, not just to the vendor. Some people, particularly Marcus Ranum (of TIS FWTK fame), object to this practice and feel it causes more harm than good."