November 2nd, 2006 by Chandler Howell

Mike Rothman had two posts today which merit noting. The first points to Ed’s breakdown over at SecurityCurve of the reality of mobile malware risk (hint: it’s a very acceptable risk). Go read it. It’s a great example of a data-driven FUD repudiation and doesn’t really lend itself to excerpting.

The other, though, needs some words. In his notes about an interesting essay by Jeff Hayes on the difficulties of reporting or disclosing vulnerabilities in physical locks, Mike writes:

the WSJ picked (no pun intended) up an article that pointed out the vulnerabilities of locks from many of the leading manufacturers. They were pissed because they felt it was giving information to the bad guys. Have you seen this movie before? There is a difference in our world, in that it’s much easier to “patch” a technology vulnerability than something physical in my house. Depending on the nature of the issue, it could involve recalls, service calls, or who knows what. Besides the economic infeasibility of replacing all of those locks, fixing the problems is not as straightforward in the physical world. So the lock manufacturers do have a point. Responsible disclosure in our world works because it’s relatively trivial to fix problems. We need to be careful with obscurity in other sectors because you could really impact someone’s personal safety.

Here’s my take: Frankly, I don’t give a rat’s ass about the poor little lock manufacturers who sell me a faulty product and then whine about the cost of fixing it.

When lock manufacturers cover up or refuse to disclose vulnerabilities in their products, they’re assuming risk on my behalf. If I suffer a loss of life, health, happiness, or property because their product is faulty, that’s an externality to them unless I successfully sue them in civil court. That will take years and cost me tens of thousands of dollars before I ever see any compensation, and even then the manufacturer has probably transferred its liability risk through insurance.

Is this risk low? Probably. While I couldn’t find data by googling, my instinct is that very few break-ins involve a picked lock. That probably has more to do with the fact that it’s easier for the average attacker (burglar or home invader) to simply smash a window or kick in the door than to pick the lock. Picking locks is generally an inefficient branch of the attack tree for getting into a facility (unless non-detection is significant, but detective controls are out of scope today).

Unfortunately, as the Kryptonite/Bic pen class break demonstrated, if a vulnerability is discovered which alters the “cost” of a branch of the tree, the attackers (thieves) will shift very quickly to that now-efficient branch. With the Bic pen exploit, what was already a low-risk attack became effectively a no-risk one: the attacker now looks like the rightful owner unlocking his bike and doesn’t even need specialized tools.

When it comes to the security of myself, my family, and (to a lesser extent) my property, however, I’m extremely risk averse. I want a reasonable level of confidence that it’s going to take more than a Bic pen or a bump key to bypass the lock on my front door. When it comes to my safety, I want full risk disclosure. I may decide that I can accept the risk of a lock being picked in ten minutes, but not bump-keyed in ten seconds, but currently I don’t have that option because the data is not readily available.
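The two arguments above, that a class break shifts attackers to a newly cheap branch of the attack tree, and that a lock owner needs per-branch cost data to decide what to accept, can be made concrete with a small attack-tree evaluator. The following is an added example, not code from the original post; the tree, the node names, and the costs (attacker-seconds, including tool acquisition) are constructed for illustration and are not measured data.

```python
"""Attack-tree cost model: cheapest branch before and after a class break.

Added example, not part of the original post. All names and cost figures
below are constructed assumptions, chosen only to illustrate the argument.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" (any one child), "and" (all children)
    cost: int = 0               # leaf cost in attacker-seconds (constructed figures)
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[int, List[str]]:
    """Return (cost, leaf path) of the cheapest way to achieve `node`.

    OR nodes: the attacker takes the cheapest child.
    AND nodes: the attacker must do every child, so costs add.
    """
    if node.kind == "leaf":
        return node.cost, [node.name]
    if node.kind == "or":
        return min((cheapest(c) for c in node.children), key=lambda t: t[0])
    if node.kind == "and":
        total, path = 0, []
        for child in node.children:
            c_cost, c_path = cheapest(child)
            total += c_cost
            path += c_path
        return total, path
    raise ValueError(f"unknown node kind {node.kind!r}")


def find(node: Node, name: str) -> Optional[Node]:
    """Depth-first lookup of a node by name."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def branch_cost(root: Node, name: str) -> Tuple[int, List[str]]:
    """Cheapest way to achieve a named sub-goal (e.g. just the lock)."""
    node = find(root, name)
    if node is None:
        raise KeyError(name)
    return cheapest(node)


def with_class_break(root: Node, new_costs: Dict[str, int]) -> Node:
    """Copy of the tree with the named leaves repriced, e.g. after a
    published technique makes a tool or skill freely available."""
    tree = copy.deepcopy(root)

    def reprice(n: Node) -> None:
        if n.kind == "leaf" and n.name in new_costs:
            n.cost = new_costs[n.name]
        for child in n.children:
            reprice(child)

    reprice(tree)
    return tree


def lock_holds(root: Node, lock_goal: str, min_seconds: int) -> bool:
    """The owner's acceptance test: every way of defeating the lock must
    cost at least `min_seconds` (the 'ten minutes, not ten seconds' rule)."""
    return branch_cost(root, lock_goal)[0] >= min_seconds


# Constructed tree for "enter house". Costs are assumptions, not data.
HOUSE = Node("enter house", "or", children=[
    Node("smash window", cost=120),
    Node("kick in door", cost=180),
    Node("defeat front-door lock", "or", children=[
        Node("pick lock", "and", children=[
            Node("obtain picks and practice", cost=3600),
            Node("pick the cylinder", cost=600),
        ]),
        Node("bump lock", "and", children=[
            Node("obtain bump key", cost=1800),   # hard to get before disclosure
            Node("bump the cylinder", cost=10),
        ]),
    ]),
])

# Class break: bump keys become trivially available, so that leaf costs nothing.
HOUSE_AFTER_BREAK = with_class_break(HOUSE, {"obtain bump key": 0})

if __name__ == "__main__":
    print("before:", cheapest(HOUSE))             # smash window wins
    print("after: ", cheapest(HOUSE_AFTER_BREAK)) # attackers shift to bumping
    print("lock acceptable at 600 s?",
          lock_holds(HOUSE, "defeat front-door lock", 600),
          lock_holds(HOUSE_AFTER_BREAK, "defeat front-door lock", 600))
```

Before the break the cheapest branch is the window, and the lock sub-goal clears a ten-minute threshold; repricing one leaf flips both answers, which is exactly the information the post says owners cannot currently get from manufacturers.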

This is a simple risk management decision, but one that can’t be made without information. When people defend a company on the basis that fixing a problem it created is “too expensive,” I consider that irresponsible. If the company is concerned about the financial risk of inferior products, it should manage that risk itself, either through some sort of errors & omissions insurance or by mitigating it with improved engineering and quality assurance. What it should not be able to do is silently pass the risk on to me as an externality.

Yes, I know that there are ratings based on some assessment of “time to pick” for a particular lock, but those are, so far as I know, somewhat subjective and not widely available, which makes them less than useful.

- Posted in Security and Risk Management, Risk Management

Its the End of Innocence for my friend Chandler…

Chandler over at Not Bad for a Cubicle learned that it is a cold, cruel world today, where risk is everywhere. It almost brings a tear to my eye. Of course, he must be pulling our legs a bit. I mean, you don’t have to watch too much television to sort…

- November 2nd, 2006 at 7:40 pm

[…] Not Bad For A Cubicle says Rothman’s response is no excuse for security by obscurity: “Frankly, I don’t give a rat’s ass about the poor little lock manufacturers who sell me a faulty product and then whine about the cost of fixing it. When lock manufacturers cover up or refuse to disclose vulnerabilities in their products, they’re assuming risk on my behalf.” […]

- November 9th, 2006 at 6:13 pm
