nanog mailing list archives

Re: Cisco crapaganda


From: Michael.Dillon () btradianz com
Date: Wed, 10 Aug 2005 14:09:31 +0100


> If not, once again, I'd ask you to cite sources rather 
> than make broad sweeping statements about what is already available. 
> Appealing to some anonymous authority in order to claim the sky is 
> falling is hardly endearing.

I think that people who specialise in security know what
I am referring to. I won't say any more publicly since
there are black hats reading this list. If they don't already
know about this stuff, I'm not going to help them.

If anyone wants to know what I am talking about, then
go to the security people in your company and ask them.
The company pays them to keep abreast of this stuff.

> That's a fairly bold statement. I'd also hesitate to label Lynn as a 
> black hat

I never labelled Lynn as a blackhat. I said that Lynn and
ISS and all other similar firms and researchers do the
same thing as blackhats. They monitor communications of
blackhats and learn from them. This activity does not make
someone into a blackhat.

> researchers of 
> any hat, in my experience, keep their secrets amongst a small group.

It is human nature to brag about what you have discovered and
for many blackhats, this is the only return they get for their
work. I agree that whitehats like Lynn are generally much more 
careful about their secrets which is why Lynn's presentation was
quite vague about many things.

> On the other hand, Lynn is exactly the sort of guru 
> you describe. Riley Eller said it best: "If you put him and a (Cisco) 
> box in a room, the box breaks."

I'm sceptical about such rhetoric.

> It boils down to the following question: Do you think the benefit of 
> releasing the source code for IOS, allowing independent researchers 
> access to the source code in order to locate flaws, outweighs the 
> costs of that release, allowing criminals access to the source code 
> in order to locate flaws and forfeiting trade secrets? In the case of 
> Cisco, I'm sure the latter weighs more heavily in their mind.

First, I don't think there will be any trade secrets of great value
revealed by the source code. Software and systems have a long history
and people continue to reinvent wheels that were first invented two 
or three generations ago. In any case, people looking for trade secrets
simply acquire the boxes and reverse engineer.

Second, I don't suggest that Cisco suddenly release their code. But
I can imagine a phased approach where they release the code to an
ever widening circle of people, and then finally make it completely
open. Or they could phase in a new codebase using Open Source as the
foundation.

--Michael Dillon
