nanog mailing list archives
Re: Cisco crapaganda
From: "Stephen J. Wilcox" <steve () telecomplete co uk>
Date: Sat, 13 Aug 2005 01:08:31 +0100 (BST)
Hi Rich,
> A. If open publication of the full source code of XYZ would render it insecure, then XYZ is _already_ insecure.

i like that way of looking at it..

> B. In analyzing any attack, it's prudent to presume that the attackers have the full source code of every piece of software involved. [1]

sure, or even a snippet would be sufficient to find and exploit a hole

> It's time to level the playing field. It's time for all the vendors to publish ALL the source code so that we at least have the same information as our adversaries.

that's going to be a leap too far, it's not an issue of security, it's a question of property and value

> [1] Either because it leaked (discarded computer equipment, backup tapes,

source code is much more widely distributed than people might think, it's possible to be a contractor (individual or company) or for example in MS's case a partner and get source code supplied under NDA

> what's the dollar value on the open market of, oh, let's say, the full source code to one of Cisco's popular routers? Maybe $100K? $250K? Maybe more, considering what it might facilitate?

naww. $0. pre IOS-12 versions are in circulation already, 12.something was partially leaked a year or two ago, and i'm sure other bits can be picked up. who would be willing to pay? not companies, that's illegal. blackhats? maybe, but they can just grab the circulating bootlegs

> Whatever that number is, that's the amount that prospective attackers may be presumed to be willing to spend to get it. And whether they spend it on R&D, or paying someone who's already done the R&D, or just cutting to the chase and paying off someone with access to it, doesn't really matter: if they're willing to spend the money, they _will_ get it.

wonder why they don't already have it, maybe they do...

Steve