Botched Security Lifetime Achievement Award

I wasn't going to add my 2c to the debate rumbling behind the OpenSSL defect, (summarised nicely here) Plenty of knowledgeable folks have raked over those coals already.

But then I came across this story, I don't know how old it is, Hardworking Locksmith In Prisons and it struck me that the OpenSSL problem was essentially the opposite of the locksmiths one.

On the one hand we have a security technology which was compromised because its secrets weren't known and understood well enough, and on the other we have a security technology who's flaw is that it relies to a large extent on practitioners keeping secrets.

So the award goes jointly to the guys who compromised OpenSSL without knowing what they were doing, and the guys who compromise our homes and offices just because they do.

I'm still not sure whether I'm happier to rely on knowledge or ignorance for my security though.