From: mfratto at nwc.com (Mike Fratto)
Subject: Vulnerability Disclosure Debate

> > with a lock, the primary purpose of it is
> > security -- it has no other purpose.
> 
> Everyone gets this wrong.

Including you.  :)

> 
> The purpose of a lock is not security. The purpose is to 
> force unauthorized people to use an alternative entry point 
> such as a window or an axe.

Nope. The purpose of a lock is to keep unauthorized people out. That a lock
forces intruders to seek other methods of entry which may or may not be
detectable is a side-effect of the inability to un-lock the lock.

If you want intrusion detection on the door (or anywhere else), why not run
tin-foil tape around the door? (hologram stamped and all that).

> This isn't a trivial distinction in this debate. Vendors who 
> claim that something provides 'security' also tend to claim 
> that they must keep secrets otherwise their products won't 
> provide as much security. 

Yeah, products provide protection qualified by proper installation, proper
operation, etc.

> Knowledge of flaws is just as important as knowledge of features.

Knowledge of limitations is just as important, and may be more important
than knowledge of flaws (flaws are ubiquitous, limitations are not). It is
the limitations of security products that are 1) hard to get out of vendors
and 2) unless you're intimate with the security problems, hard to ask about
a priori.

mike
