“Is security through obscurity ever a useful way to protect
your network, or does it just make things easier for corporate
spies and hackers?…”
“With software packages, it’s a different matter entirely. End
users are at the mercy of the software vendors, and are forced to
rely on them to properly test their products. I used to be in a
system test group and, believe me, such groups have no status in
software development departments. I tried going directly to
developers before writing bug reports on their software, and many
appreciated my covering for their mistakes. One developer surprised
me by telling me to write up the bug report even though she fixed
the problem as I was talking to her. When I questioned her on this,
she explained that the monthly bug report that was distributed to
the entire department forced developers to do a better job at
debugging their code. It also forced management to recognize that
unrealistic deadlines led to bad code.”
“Sadly, today’s system test department is an unfunded,
loosely organized group of technologists, commonly referred to as
hackers. Many hackers provide exploit code to demonstrate the bug
in question — just as I did when I was in system test. The big
difference is that these hackers release the exploit to the public
at large, not just to the vendor. Some people, particularly Marcus
Ranum (of TIS FWTK fame), object to this practice and feel it
causes more harm than good.”