Full Disclosure mailing list archives
RE: Vulnerability Disclosure Debate
From: "Mike Fratto" <mfratto () nwc com>
Date: Fri, 8 Aug 2003 16:22:00 -0400
with a lock, the primary purpose of it is security -- it has no other purpose.
Everyone gets this wrong.
Including you. :)
The purpose of a lock is not security. The purpose is to force unauthorized people to use an alternative entry point such as a window or an axe.
Nope. The purpose of a lock is to keep unauthorized people out. That a lock forces intruders to seek other methods of entry which may or may not be detectable is a side-effect of the inability to un-lock the lock. If you want intrusion detection on the door (or anywhere else), why not run tin-foil tape around the door? (hologram stamped and all that).
This isn't a trivial distinction in this debate. Vendors who claim that something provides 'security' also tend to claim that they must keep secrets otherwise their products won't provide as much security.
Yeah, products provide protection qualified by proper installation, proper operation, etc.
Knowledge of flaws is just as important as knowledge of features.
Knowledge of limitations is just as important, and may be more important than knowledge of flaws (flaws are ubiquitous, limitations are not). It is the limitations of security products that are 1) hard to get out of vendors and 2) unless you're intimate with the security problems are hard to ask about a priori.
mike