North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Cisco crapaganda
- From: Rich Kulawiec
- Date: Fri Aug 12 19:42:37 2005
On Tue, Aug 09, 2005 at 04:11:45PM +0100, Michael.Dillon@btradianz.com wrote:
> There really is no such thing as closed source.
I've been saying this for years, and I'm sure you and I aren't the only ones.
A. If open publication of the full source code of XYZ would render
it insecure, then XYZ is _already_ insecure.
B. In analyzing any attack, it's prudent to presume that the attackers
have the full source code of every piece of software involved. 
C. It's not secure until everyone knows exactly how it works and it's
D. Any piece of source code which hasn't been subjected to widespread
peer review should be presumed untrustworthy-- because it not only
hasn't been shown to be otherwise, the attempt hasn't even been made.
(Note that the contrapositive isn't true -- peer review is only a
necessary condition, not a sufficient one.)
More bluntly: the closed-source, "faith-based" approach to security
doesn't cut it. The attacks we're confronting are being launched
(in many cases) by people who *already have the source code*, and
who thus enjoy an enormous advantage over the defenders.
It's time to level the playing field. It's time for all the vendors
to publish ALL the source code so that we at least have the same
information as our adversaries.
Because relying on the supposed "secrecy" of source code is relying
on a fantasy.
 Either because it leaked (discarded computer equipment, backup
tapes, etc.), was stolen from outside (network break-in, physical
break-in), was stolen from inside (payoffs) or other means. Borrowing
heavily from Bruce Schneier's analysis of what it'd be worth to
buy an election: what's the dollar value on the open market of,
oh, let's say, the full source code to one of Cisco's popular routers?
Maybe $100K? $250K? Maybe more, considering what it might facilitate?
Whatever that number is, that's the amount that prospective attackers
may be presumed to be willing to spend to get it. And whether they
spend it on R&D, or paying someone who's already done the R&D, or
just cutting to the chase and paying off someone with access to it,
doesn't really matter: if they're willing to spend to the money,
they _will_ get it.