nanog mailing list archives

Re: [NANOG] IOS rootkits

From: Joel Jaeggli <joelja () bogus com>
Date: Sat, 17 May 2008 23:45:36 -0700

Mark Smith wrote:

On Sat, 17 May 2008 09:34:19 -0500
travis+ml-nanog () subspacefield org wrote:

On Sat, May 17, 2008 at 04:47:02PM +0930, Matthew Moyle-Croft wrote:

I'm sure it'll be good for a number of security providers to hawk their 
wares.

If the way of running this isn't out in the wild and it's actually 
dangerous then a pox on anyone who releases it, especially to gain 
publicity at the expensive of network operators sleep and well being.   
May you never find a reliable route ever again.

I personally like Gadi's work, but not as much as I like getting my
packets to their destination.  I personally don't quite understand why
netops keep buying proprietary, closed technology for routers, but I'm
not and have never been a netop so I'm sure there's good reasons.  To
me it seems that if you need reliable router hardware, you can buy
that from a vendor, but in theory I don't see why the software for
routers couldn't be much more open.  When I can, I reflash my WAPs
with DD-WRT, because at least then I understand the system (and you
can't secure what you don't understand), but I am not saying that's
much of a comparison.


Have you read and security validated every line of open code you're
running? Even if you've only read and security validated 99% of it,
you're still trusting that the other 1% doesn't have any
vulnerabilities in it.


There are people who routinely deal in absolutes. we generally call them 
mathematicians...

The rest of us have to operate on a certain amount of uncertainty.

Ken's goal I think in 1985 was to open people's eyes to an area of 
uncertainty which was then relatively poorly understood. It was 
infeasible in 1985 and certainly remains so outside the confines of some 
really narrowly focused areas to audit a significant percentage of the 
code you run.

Then again, even if you have audited every line of code, and it is
100% "secure", who's to say the compiler used to compile it is ... so you'll
have to audit that too.


_______________________________________________
NANOG mailing list
NANOG () nanog org
http://mailman.nanog.org/mailman/listinfo/nanog

Current thread:

Re: [NANOG] IOS rootkits, (continued)
- - - Re: [NANOG] IOS rootkits Gadi Evron (May 25)
    - Re: [NANOG] IOS rootkits Christian (May 25)
    - Re: [NANOG] IOS rootkits Aaron Glenn (May 25)
    - Re: [NANOG] IOS rootkits Mark Smith (May 18)
    - Re: [NANOG] IOS rootkits Suresh Ramasubramanian (May 18)
    - Re: [NANOG] IOS rootkits Gadi Evron (May 18)
    - Re: [NANOG] IOS rootkits travis+ml-nanog (May 17)
    - Re: [NANOG] IOS rootkits Mark Smith (May 17)
    - Re: [NANOG] IOS rootkits Gadi Evron (May 17)
    - Re: [NANOG] IOS rootkits Mark Smith (May 17)
    - Re: [NANOG] IOS rootkits Joel Jaeggli (May 17)
    - Re: [NANOG] IOS rootkits Gadi Evron (May 17)