
RE: [Full-Disclosure] Vulnerability Disclosure Debate




> > with a lock, the primary purpose of it is
> > security -- it has no other purpose.
> 
> Everyone gets this wrong.

Including you.  :)

> 
> The purpose of a lock is not security. The purpose is to 
> force unauthorized people to use an alternative entry point 
> such as a window or an axe.

Nope. The purpose of a lock is to keep unauthorized people out. That a lock
forces intruders to seek other methods of entry which may or may not be
detectable is a side-effect of the inability to un-lock the lock.

If you want intrusion detection on the door (or anywhere else), why not run
tin-foil tape around the door? (hologram stamped and all that).

> This isn't a trivial distinction in this debate. Vendors who 
> claim that something provides 'security' also tend to claim 
> that they must keep secrets otherwise their products won't 
> provide as much security. 

Yeah, products provide protection qualified by proper installation, proper
operation, etc.

> Knowledge of flaws is just as important as knowledge of features.

Knowledge of limitations is just as important, and may be more important
than knowledge of flaws (flaws are ubiquitous, limitations are not). It is
the limitations of security products that are 1) hard to get out of vendors
and 2) unless you're intimate with the security problems, hard to ask about
a priori.

mike

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html