RE: [Full-Disclosure] Vulnerability Disclosure Debate
From: Jason Coombs (jasonc_at_science.org)
To: "Matthew Murphy" <firstname.lastname@example.org>, "Full Disclosure" <email@example.com> Date: Fri, 8 Aug 2003 09:49:41 -1000
> with a lock, the primary purpose of it is
> security -- it has no other purpose.
Everyone gets this wrong.
The purpose of a lock is not security. The purpose is to force unauthorized
people to use an alternative entry point such as a window or an axe.
This gives a measure of assurance that unauthorized entry will be detected
after the fact, or perhaps even detected while in progress.
Locks are intrusion detection devices, they do not prevent intrusions. Thus
they do not provide security, they provide an effective incident response
trigger and increase the likelihood that an intruder will be forced to leave
important forensic evidence at the scene.
This isn't a trivial distinction in this debate. Vendors who claim that
something provides 'security' also tend to claim that they must keep secrets
otherwise their products won't provide as much security. This is completely
wrong because those vendors' products do not provide security. Secret ways to
circumvent the real value of the 'lock' -- ways to enter a locked
object/building/computer without leaving forensic evidence of the intrusion --
these are threats everyone should care about eliminating because they destroy
the real value of a lock. These threats can be eliminated simply by revealing
the secrets so that people are aware and watch carefully for signs of
break-ins using the secret technique.
Knowledge of flaws is just as important as knowledge of features.
People who keep secrets and by doing so deprive other people of the
opportunity for self-defense are complicit in acts of crime that exploit those
Full-Disclosure - We believe in it.