Full Disclosure mailing list archives
RE: Cisco's stolen code
From: Pikett/LKSI <lksi.pikett () rtc ch>
Date: Wed, 26 May 2004 11:27:24 +0200
On Wed, 2004-05-26 at 10:25 AM, tobias () weisserth de wrote:
now when it hits Cisco, everybody says it's a crime lurking for the code or
publishing it. BUT when it hit M$ everybody thought, it's a great idea to
share the stolen source code all over the internet (yes also on FD).
What is true for Cisco is even more true for Microsoft. Stay the hell away from code that hasn't been licensed for you.
bad guys won't. they'll take their chances to find some holes in the code which could allow them to control your router and everybody else's...we can't be sure, that the few minor publicly known problems after the MS code leaked were all there was/is/will be. Do you trust MS or Cisco, that the code is all clean and secure? i don't. To my understanding, full disclosure means informing the good (and some bad) guys about the existence of a potential security hole in our configurations. "Opensource" software, be it GPL or leaked CSS, is the best way to get to the point without the need of coincidence/reverse engineering/blackbox testing etc. i'm thankful for every whitehat who analyzes the ios sources and helps to find holes before a blackhat does. And it's not because i think Cisco deserves some free working bugfinders...hell, every multibillion $ company should be charged for bugs found by outsiders.
Anybody who touches copyrighted code, be it MS or Cisco or whatever, is at risk. Why should I want to put myself at risk to solve problems the copyright holder of the code should solve? If I address a security flaw in MS code and say a year later I decide to write something that might attract the attention of MS as a competitor then I'm most certainly being confronted with accusations like "you took that from our code" and "you are a thief".
you might be right on that one and <conspiracy> that might even be a motivation for some vendors to "coincidentally" leak their sources and later use it against competitors </conspiracy>, reminds me of the patent issue nightmare. still, how does that interfere with the searching for potential security holes in more or less publicly available source code for the sake of knowing about any weaknesses?

regards
Sascha

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html