Re: Interesting MetaLink notice

  • From: stephen booth <>
  • To: gogala@xxxxxxxxxxxxx
  • Date: Sun, 5 Feb 2006 19:50:28 +0000

On 05/02/06, Mladen Gogala <gogala@xxxxxxxxxxxxx> wrote:
> On 02/05/2006 01:17:26 PM, Jared Still wrote:
> > Even those problems that are addressed by security problems are
> > not always corrected, requiring only a small change in the exploit
> > to get around the security 'fix'.
> Software companies, not just Oracle, simply love the concept of "security
> through obscurity", which is not one of my favorites.

I remember some years ago (1997 or 98 IIRC) locking horns with one of
my managers over security.  It was over a web application (not Oracle
based, just flat files and PERL scripts) that was going to be put on
the Internet so our customers could vote on which enhancement requests
they wanted us to prioritise.  He argued that we didn't need to worry
about security because we'd only give the URL to our customers so
no-one who should see the data would even be able to find it.  He even
used the phrase "Security through Obscurity".

After some arguing I came up with an analogy:  "Good security is like
an onion, it's got lots of layers.  Obscurity can be one layer, it
can't be the whole onion."

I'd love to say that this brought him around to my side, but it
didn't.  He went on long term sick, due to an unrelated accident, and
the manager who took over for him was much more security conscious.

It's better to ask a silly question than to make a silly assumption.
