Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco crapaganda

  • From: Michael.Dillon
  • Date: Wed Aug 10 09:11:12 2005

> If not, once again, I'd ask you to cite sources rather 
> than make broad sweeping statements about what is already available. 
> Appealing to some anonymous authority in order to claim the sky is 
> falling is hardly endearing.

I think that people who specialise in security know what
I am referring to. I won't say any more publicly since
there are black hats reading this list. If they don't already
know about this stuff, I'm not going to help them.

If anyone wants to know what I am talking about, then
go to the security people in your company and ask them.
The company pays them to keep abreast of this stuff.

> That's a fairly bold statement. I'd also hesitate to label Lynn as a 
> black hat

I never labelled Lynn as a blackhat. I said that Lynn and
ISS and all other similar firms and researchers do the
same thing as blackhats. They monitor communications of
blackhats and learn from them. This activity does not make
someone into a blackhat.

> researchers of 
> any hat, in my experience, keep their secrets amongst a small group.

It is human nature to brag about what you have discovered and
for many blackhats, this is the only return they get for their
work. I agree that whitehats like Lynn are generally much more 
careful about their secrets which is why Lynn's presentation was
quite vague about many things.

> On the other hand, Lynn is exactly the sort of guru 
> you describe. Riley Eller said it best "If you put him and a (Cisco) 
> box in a room, the box breaks."

I'm sceptical about such rhetoric.

> It boils down to the following question: Do you think benefit or 
> releasing the source code for IOS, allowing independent researchers 
> access to the source code in order to locate flaws, outweighs the 
> costs of that release, allowing criminals access to the source code 
> in order to locate flaws and forfeiting trade secrets? In the case of 
> Cisco, I'm sure the latter weighs more heavily in their mind.

First, I don't think there will be any trade secrets of great value
revealed by the source code. Software and systems have a long history
and people continue to reinvent wheels that were first invented two 
or three generations ago. In any case, people looking for trade secrets
simply acquire the boxes and reverse engineer.

Second, I don't suggest that Cisco suddenly release their code. But
I can imagine a phased approach where they release the code to an
ever widening circle of people, and then finally make it completely
open. Or they could phase in a new codebase using Open Source as the

--Michael Dillon

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.