> with a lock, the primary purpose of it is
> security -- it has no other purpose.

Everyone gets this wrong. The purpose of a lock is not security. The purpose is to force unauthorized people to use an alternative entry point such as a window or an axe. This gives a measure of assurance that unauthorized entry will be detected after the fact, or perhaps even detected while in progress. Locks are intrusion detection devices, they do not prevent intrusions. Thus they do not provide security, they provide an effective incident response trigger and increase the likelihood that an intruder will be forced to leave important forensic evidence at the scene.

This isn't a trivial distinction in this debate. Vendors who claim that something provides 'security' also tend to claim that they must keep secrets otherwise their products won't provide as much security. This is completely wrong because those vendors' products do not provide security.

Secret ways to circumvent the real value of the 'lock' -- ways to enter a locked object/building/computer without leaving forensic evidence of the intrusion -- these are threats everyone should care about eliminating because they destroy the real value of a lock. These threats can be eliminated simply by revealing the secrets so that people are aware and watch carefully for signs of break-ins using the secret technique.

Knowledge of flaws is just as important as knowledge of features. People who keep secrets and by doing so deprive other people of the opportunity for self-defense are complicit in acts of crime that exploit those secrets.

Jason Coombs
[EMAIL PROTECTED]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
