From owner-freebsd-security@FreeBSD.ORG  Wed Jul  9 18:38:30 2008
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5F288106564A
	for <freebsd-security@freebsd.org>;
	Wed,  9 Jul 2008 18:38:30 +0000 (UTC)
	(envelope-from chris@noncombatant.org)
Received: from strawberry.noncombatant.org (strawberry.noncombatant.org
	[64.142.6.126]) by mx1.freebsd.org (Postfix) with ESMTP id 2E54F8FC21
	for <freebsd-security@freebsd.org>;
	Wed,  9 Jul 2008 18:38:30 +0000 (UTC)
	(envelope-from chris@noncombatant.org)
Received: by strawberry.noncombatant.org (Postfix, from userid 1001)
	id B0A8F86687D; Wed,  9 Jul 2008 11:33:25 -0700 (PDT)
Date: Wed, 9 Jul 2008 11:33:25 -0700
From: Chris Palmer <chris@noncombatant.org>
To: Wesley Shields <wxs@FreeBSD.org>, freebsd-security@freebsd.org
Message-ID: <20080709183325.GE55473@noncombatant.org>
References: <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com>
	<3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org>
	<17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com>
	<4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org>
	<17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com>
	<20080709181515.GG92109@atarininja.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20080709181515.GG92109@atarininja.org>
User-Agent: Mutt/1.4.2.3i
Cc: 
Subject: Re: BIND update?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2008 18:38:30 -0000

Wesley Shields writes:

> In the security world there is a balance which must be maintained between
> providing information to consumers so that they may plan accordingly, and
> not providing too much information so that the attackers can write
> exploits; this is the sensitive nature of the information which often
> leads to opaque processes by security teams around the world.

http://en.wikipedia.org/wiki/Kerckhoffs'_principle

Malware authors create exploits based on information they gleaned by reverse
engineering the binary patches released by Microsoft. They are able to get
these exploits into the wild before everyone has even had a chance to apply
the patches, even though the patching is (semi-)automated.

Not only is there no security through obscurity, there isn't even any
obscurity. :)