Full Disclosure mailing list archives
RE: Vulnerability Disclosure Debate
From: "Jason Coombs" <jasonc () science org>
Date: Fri, 8 Aug 2003 09:49:41 -1000
> with a lock, the primary purpose of it is security -- it has no other purpose.

Everyone gets this wrong. The purpose of a lock is not security. The purpose is to force unauthorized people to use an alternative entry point such as a window or an axe. This gives a measure of assurance that unauthorized entry will be detected after the fact, or perhaps even detected while in progress. Locks are intrusion detection devices; they do not prevent intrusions. Thus they do not provide security; they provide an effective incident response trigger and increase the likelihood that an intruder will be forced to leave important forensic evidence at the scene.

This isn't a trivial distinction in this debate. Vendors who claim that something provides 'security' also tend to claim that they must keep secrets, otherwise their products won't provide as much security. This is completely wrong because those vendors' products do not provide security. Secret ways to circumvent the real value of the 'lock' -- ways to enter a locked object/building/computer without leaving forensic evidence of the intrusion -- these are threats everyone should care about eliminating because they destroy the real value of a lock. These threats can be eliminated simply by revealing the secrets so that people are aware and watch carefully for signs of break-ins using the secret technique.

Knowledge of flaws is just as important as knowledge of features. People who keep secrets and by doing so deprive other people of the opportunity for self-defense are complicit in acts of crime that exploit those secrets.

Jason Coombs
jasonc () science org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Vulnerability Disclosure Debate, (continued)
- Re: Vulnerability Disclosure Debate Ben Laurie (Aug 13)
- Re: Vulnerability Disclosure Debate Jeremiah Cornelius (Aug 07)
- Re: Vulnerability Disclosure Debate Florian Weimer (Aug 07)
- Re: Vulnerability Disclosure Debate Georgi Guninski (Aug 07)
- Re: Vulnerability Disclosure Debate Geoincidents (Aug 07)
- Re: Vulnerability Disclosure Debate Cesar (Aug 07)
- Re: Vulnerability Disclosure Debate gregh (Aug 07)
- Re: Vulnerability Disclosure Debate Matthew Murphy (Aug 07)
- Re: Vulnerability Disclosure Debate Darren Bennett (Aug 07)
- Re: Vulnerability Disclosure Debate Matthew Murphy (Aug 07)
- RE: Vulnerability Disclosure Debate Jason Coombs (Aug 08)
- RE: Vulnerability Disclosure Debate Mike Fratto (Aug 08)
- RE: Vulnerability Disclosure Debate Jason Coombs (Aug 08)
- Re: Vulnerability Disclosure Debate Darren Bennett (Aug 07)
- Re: Vulnerability Disclosure Debate Valdis . Kletnieks (Aug 07)
- Re: Vulnerability Disclosure Debate Aron Nimzovitch (Aug 08)
- Re: Vulnerability Disclosure Debate Valdis . Kletnieks (Aug 08)
- Re: Vulnerability Disclosure Debate Aron Nimzovitch (Aug 08)
- Message not available
- Re: Vulnerability Disclosure Debate Aron Nimzovitch (Aug 08)