Don't Tell the Attacker Anything
Cryptic error messages are the bane of normal users and can lead to expensive support calls. However, you need to balance the help you give users against the information you give attackers. For example, if an attacker attempts to access a file, you should not return an error message such as "Unable to locate stuff.txt at c:\secretstuff\docs"; doing so reveals a little more about the environment to the attacker, in this case the directory layout of the server. Instead, return a simple error message, such as "Request Failed", and log the error in the event log so that the administrator can see what's going on. Another factor to consider is that echoing user-supplied information back in an error message can lead to cross-site scripting attacks if a Web browser might be used with your application, so HTML-encode any such data before it goes into a page. If you're writing a server, log detailed error messages where only the administrator of the system can read them.
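The following is an added example, not code from the book, that puts the two pieces of advice side by side: a file lookup that leaks the server's directory layout and the OS error text versus one that returns only "Request Failed" and writes the detail to the server log, and an error page that reflects the message verbatim versus one that HTML-encodes it. The document root /srv/app/docs, the logger name, and the requested file name are assumptions chosen for the example; the leaky variants exist only to show what the text warns against.

```python
import html
import logging
from pathlib import Path

# Assumed document root for this example (not a path from the book).
DOC_ROOT = Path("/srv/app/docs")

# Detailed failures go here, where only the administrator reads them.
log = logging.getLogger("app.files")


def read_document_leaky(requested: str) -> tuple[bool, str]:
    """What the text warns against: on failure the message sent to the
    caller names the requested file, the server-side directory and the
    operating system's error text."""
    path = DOC_ROOT / requested
    try:
        return True, path.read_text()
    except OSError as exc:
        return False, f"Unable to locate {requested} at {DOC_ROOT}: {exc}"


def read_document(requested: str) -> tuple[bool, str]:
    """Preferred form: a bland message for the caller, full detail
    (requested name, resolved path, OS error) in the server log only."""
    path = DOC_ROOT / requested
    try:
        return True, path.read_text()
    except OSError as exc:
        log.error("document request failed: name=%r resolved=%s error=%s",
                  requested, path, exc)
        return False, "Request Failed"


def error_page_unescaped(message: str) -> str:
    """Reflects the message into HTML verbatim. If the message contains
    user-supplied text (as the leaky variant's does), this is a
    cross-site scripting sink."""
    return f"<html><body><p>{message}</p></body></html>"


def error_page(message: str) -> str:
    """HTML-encode whatever goes into the page, whether or not you believe
    it came from the user."""
    return f"<html><body><p>{html.escape(message, quote=True)}</p></body></html>"


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    # Constructed hostile file name: a script tag instead of a document name.
    name = "<script>alert(1)</script>"
    _, leaky = read_document_leaky(name)
    _, safe = read_document(name)
    print("leaky message :", leaky)
    print("safe message  :", safe)
    print("leaky page    :", error_page_unescaped(leaky))
    print("encoded page  :", error_page(leaky))
```

Run against a name that does not exist, the leaky path tells the caller the document root and the exact OS error, and the unescaped page delivers the script tag to the browser intact; the safe path returns the same two words to every caller and keeps the specifics in the log, and the encoded page turns the tag into `&lt;script&gt;`.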