Over at the securosis.com site there’s a pretty good article titled “The 3 dirty little secrets of disclosure no one wants to talk about“. Except some of us really do want to talk about it! The post lists three problems with the whole idea of disclosure:
- Full disclosure helps the bad guys: I agree, but I think it also helps the good guys. I’m willing to cede that it probably helps the bad guys more, which is why I’m also willing to cede that full disclosure is not the way to go by default.
- It’s about ego, control and competition: I’m not sure I can agree with this point. There are elements of all three of these in many disclosure incidents, but I’m not sure it’s even true in the majority of cases. Ego is probably true of many of the security researchers, while the control issue is more of a concern with the vendors, and competition is true of both groups. I consider this to be a neutral issue, because there are very few people on either side of the argument who can say they really aren’t guilty of these sins somewhere along the line.
- We need the threat of full disclosure or vendors will ignore security: This I agree with wholeheartedly. This is also why I can’t back any system where the vendor is the one who gets to define ‘responsible disclosure’. As long as the vendor gets to be the one defining the terms, any disclosure that doesn’t meet the vendor’s timelines is by definition going to be ‘irresponsible’, a setup that is almost as bad as no disclosure.
One more minor issue I have with the article is its use of security through obscurity: while this works for a while, security through obscurity is the most brittle of all types of security. All it takes is one hacker releasing his notes on your security vulnerability, and what little security you had because of the lack of knowledge is gone. I sure don’t want my bank relying on security through obscurity to protect my bank account. Not that they’d get much right now, a couple of days before the end of the month.
Technorati Tags: security, McKeay, Security through obscurity
I had to travel via plane this week for training, and I’ll have to admit I was a bit of a chicken and didn’t pack anything I thought might be even remotely questionable to airport security. Other than the fact that I had two cell phones, a Nintendo DS, a Nokia 770 and my laptop, that is. But they didn’t seem to care about all the electronics, since I took them all out before going through the X-ray.
But apparently another security professional wasn’t so lucky and has several points to share with us: Dave Piscitello had no problems getting his deodorant to his destination, but when his time came to travel back, he had two very different experiences in short order. He shares with us several lessons he thinks the TSA is sorely in need of learning, the most basic of which is be consistent. On the other hand, I guess if regular travellers can’t make heads or tails of what the heck the TSA agents are going to flag, neither can the bad guys. Security through idiocy?
Technorati Tags: security, McKeay, airport, TSA