RE: [Full-Disclosure] Vulnerability Disclosure Debate

From: Jason Coombs (jasonc_at_science.org)
Date: 08/08/03

    To: "Matthew Murphy" <mattmurphy@kc.rr.com>, "Full Disclosure" <full-disclosure@lists.netsys.com>
    Date: Fri, 8 Aug 2003 09:49:41 -1000
    
    

    > with a lock, the primary purpose of it is
    > security -- it has no other purpose.

    Everyone gets this wrong.

    The purpose of a lock is not security. The purpose is to force unauthorized
    people to use an alternative entry point such as a window or an axe.

    This gives a measure of assurance that unauthorized entry will be detected
    after the fact, or perhaps even detected while in progress.

    Locks are intrusion detection devices; they do not prevent intrusions. Thus
    they do not provide security, they provide an effective incident response
    trigger and increase the likelihood that an intruder will be forced to leave
    important forensic evidence at the scene.

    This isn't a trivial distinction in this debate. Vendors who claim that
    something provides 'security' also tend to claim that they must keep secrets
    otherwise their products won't provide as much security. This is completely
    wrong because those vendors' products do not provide security. Secret ways to
    circumvent the real value of the 'lock' -- ways to enter a locked
    object/building/computer without leaving forensic evidence of the intrusion --
    these are threats everyone should care about eliminating because they destroy
    the real value of a lock. These threats can be eliminated simply by revealing
    the secrets so that people are aware and watch carefully for signs of
    break-ins using the secret technique.

    Knowledge of flaws is just as important as knowledge of features.

    People who keep secrets and by doing so deprive other people of the
    opportunity for self-defense are complicit in acts of crime that exploit those
    secrets.

    Jason Coombs
    jasonc@science.org

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
