Full Disclosure mailing list archives

RE: Vulnerability Disclosure Debate


From: "Mike Fratto" <mfratto () nwc com>
Date: Fri, 8 Aug 2003 16:22:00 -0400


with a lock, the primary purpose of it is
security -- it has no other purpose.

Everyone gets this wrong.

Including you.  :)


The purpose of a lock is not security. The purpose is to 
force unauthorized people to use an alternative entry point 
such as a window or an axe.

Nope. The purpose of a lock is to keep unauthorized people out. That a lock
forces intruders to seek other methods of entry which may or may not be
detectable is a side-effect of the inability to un-lock the lock.

If you want intrusion detection on the door (or anywhere else), why not run
tin-foil tape around the door? (hologram stamped and all that).

This isn't a trivial distinction in this debate. Vendors who 
claim that something provides 'security' also tend to claim 
that they must keep secrets otherwise their products won't 
provide as much security. 

Yeah, products provide protection qualified by proper installation, proper
operation, etc.

Knowledge of flaws is just as important as knowledge of features.

Knowledge of limitations is just as important, and may be more important
than knowledge of flaws (flaws are ubiquitous, limitations are not). It is
the limitations of security products that are 1) hard to get out of vendors
and 2) unless you're intimate with the security problems, are hard to ask about
a priori.

mike
