Security by obscurity fails again (RSA)

[daddydave]

RSA Security will replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt....

RSA Security Chairman Art Coviello said that the reason RSA had not disclosed the full extent of the vulnerability because doing so would have revealed to the hackers how to perform further attacks. RSA's customers might question this reasoning; the Lockheed Martin incident suggests that the RSA hackers knew what to do anyway—failing to properly disclose the true nature of the attack served only to mislead RSA's customers about the risks they faced.

from Ars Technica (hate that graphic)

[40hz]

IMO not disclosing the full extent of the vulnerability serves no real purpose other than to allow RSA to attempt to hide, from its SecurID customers, the the sand their castles are built on.  

As the article pointed out, the hackers already seemed to know what to do.

[phitsc]

Good timing with the replacement. Mine just got broken I hope they use the chance to make them a bit more sturdy