Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Is anyone actually USING IP QoS?

  • From: Majdi Abbas
  • Date: Wed Jun 16 14:59:19 1999

Brett_Watson@enron.net wrote:
| in some cases, yes you can.  but the fact that i (someone who doesn't crack
| systems) can get source code to some flavors of unix doesn't stop the
| hackers from getting it either.  no *real* gain here.  and if you don't

	Actually, there's quite a bit of gain.  If something is discovered,
usually the patch is fairly trivial and can be written by just about anyone
with a little coding experience.  Once it's written, anyone can apply it--
perhaps MONTHS before the vendor releases a patch.  I'd say having my
systems patched in less than half the time would have to go on the 'gain,'
list, wouldn't you?

	Also, consider the fact that the script kiddies usually haven't
the slightest clue how to do a real code review with an eye towards 
potential security flaws.

| think that some of the more elite hackers in the world don't have access to
| proprietary source code, both systems and router vendors....  if you're not
| scared, you don't understand.

	Proprietary source leaks are not particularly uncommon, no...scary?
Not really.  The type of people who manage to pick up, say, complete IOS
source trees, generally aren't the type who distribute them and aren't 
particularly reckless in how they use them.

	I think his point is simply this: Proprietary source -may- leak,
but that isn't neccessarily a big incentive to the vendor to ensuring that
their code is bulletproof; a vendor that is distributing source far and
wide will go much further to ensure that they have a secure, reliable
product than one that doesn't.

	Ultimately, you have to assume that -everyone- attacking your
systems has full source code...and therefore, if you can swing it, you
should probably have it too.  It is for this reason alone that security
through obscurity -does not work-.  It may occaisionally be neccessary,
but choosing it as your front line defense is less than wise.

| maybe i just misunderstand you but you seem to portray these issues as
| black and white.  they're not.  ssh has had known security problems, and
| kerberos, while i like it myself, is damned easy to misconfigure which
| opens all kinds of holes.

	K4, maybe.  K5?  Not quite so easily.  Either is not nearly as
bad as open telnet.  And "has had known security problems" is not the
same as "has known security problems," and the former does not strenghen
your argument nearly as much as you seem to think it does.

	Perhaps you should follow your own career advice.

	--msa





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.