Message-ID: <ILEPILDHBOLAHHEIMALBOEINGGAA.jasonc@science.org>
From: jasonc at science.org (Jason Coombs)
Subject: Vulnerability Disclosure Debate

Hmm.

A lock is a permissive measure, to permit you to more easily enter a room, for
instance, without having to destroy a portion of one of its four walls. The
lock is installed in a door. The door is a vulnerability. The lock attempts to
compensate for the door vulnerability. Without the lock the door can be opened
by anyone. With the lock the door can also be opened by anyone who has a foot
attached to a leg and the ability to apply it in a forward kicking motion. The
only difference is that the broken door leaves evidence of the intrusion. The
lock forces the application of destructive force or use of a circumvention
technique. The lock does NOT change the security level of the room, because it
still has a door vulnerability.

I'm pretty sure this is not wrong thinking, and thus my previous comments,
which I stand by after having re-read them.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Mike Fratto
Sent: Friday, August 08, 2003 10:22 AM
To: jasonc@...ence.org; 'Matthew Murphy'; 'Full Disclosure'
Subject: RE: [Full-Disclosure] Vulnerability Disclosure Debate



> > with a lock, the primary purpose of it is
> > security -- it has no other purpose.
>
> Everyone gets this wrong.

Including you.  :)

