From: jasonc at science.org (Jason Coombs)
Subject: Vulnerability Disclosure Debate

> with a lock, the primary purpose of it is
> security -- it has no other purpose.

Everyone gets this wrong.

The purpose of a lock is not security. The purpose is to force unauthorized
people to use an alternative entry point such as a window or an axe.

This gives a measure of assurance that unauthorized entry will be detected
after the fact, or perhaps even detected while in progress.

Locks are intrusion detection devices; they do not prevent intrusions. Thus
they do not provide security, they provide an effective incident response
trigger and increase the likelihood that an intruder will be forced to leave
important forensic evidence at the scene.

This isn't a trivial distinction in this debate. Vendors who claim that
something provides 'security' also tend to claim that they must keep secrets
otherwise their products won't provide as much security. This is completely
wrong because those vendors' products do not provide security. Secret ways to
circumvent the real value of the 'lock' -- ways to enter a locked
object/building/computer without leaving forensic evidence of the intrusion --
these are threats everyone should care about eliminating because they destroy
the real value of a lock. These threats can be eliminated simply by revealing
the secrets so that people are aware and watch carefully for signs of
break-ins using the secret technique.

Knowledge of flaws is just as important as knowledge of features.

People who keep secrets and by doing so deprive other people of the
opportunity for self-defense are complicit in acts of crime that exploit those
secrets.

Jason Coombs
jasonc@...ence.org
