Re: Critical security updates for JVM
Roedy Green wrote:
I am glad they don't give too many details because that would just
help hackers screw people who were slow upgrading.
Lew wrote:
"Security through obscurity" is notably ineffective. You think that
by one company not giving away details that crackers (please, not
"hackers") will remain ignorant of these exploits? Puh-lease.
Joshua Cranmer wrote:
There is, IMO, *one* time when security through obscurity *may* be
effective: between the discovery of the flaw and the release of the fix
if the time period is short (<10 days) and everyone who sees it is
working their butts off to fix it. Afterwards, there is no reason not to
make the flaw public. If the time period grew too long, more eyes
could help fix the flaw. After it's fixed, some people might realize
that there are similar security flaws that need to be fixed.
Yes, but the time frame for this particular vulnerability is > ten days, the
thing's been patched, and the article's out there. The flaw in this reasoning
generally is that the crackers usually have the vulnerability well before the
clock starts ticking on that "ten days". Also, in this case, the horse was
out of the barn by the time we started discussing it.
One thing I do not want to see is someone being harassed and threatened
because they reveal security flaws in, say, voter-machine software. The real
key to solving software security flaws is published source and full disclosure.
Still, I agree with you. A brief window for repair prior to publication is
"*one* time when security through obscurity *may* be effective."
--
Lew