North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Cisco crapaganda
- From: Stephen J. Wilcox
- Date: Fri Aug 12 20:09:39 2005
> A. If open publication of the full source code of XYZ would render it
> insecure, then XYZ is _already_ insecure.
i like that way of looking at it..
> B. In analyzing any attack, it's prudent to presume that the attackers have
> the full source code of every piece of software involved. 
sure, or even a snippet would be sufficient to find and exploit a hole
> It's time to level the playing field. It's time for all the vendors to
> publish ALL the source code so that we at least have the same information as
> our adversaries.
thats going to be a leap too far, its not an issue of security its a question of
property and value
>  Either because it leaked (discarded computer equipment, backup tapes,
source code is much wider distributed than people might think, its possible to
be a contractor (individual or company) or for example in MS's case a partner
and get source code supplied under NDA
> what's the dollar value on the open market of, oh, let's say, the full source
> code to one of Cisco's popular routers? Maybe $100K? $250K? Maybe more,
> considering what it might facilitate?
naww. $0. pre IOS-12 versions are in circulation already, 12.something was
partially leaked a year or two ago, and i'm sure other bits can be picked up.
who would be willing to pay? not companies, thats illegal. blackhats? maybe, but
they can juts grab the circulating bootlegs
> Whatever that number is, that's the amount that prospective attackers may be
> presumed to be willing to spend to get it. And whether they spend it on R&D,
> or paying someone who's already done the R&D, or just cutting to the chase and
> paying off someone with access to it, doesn't really matter: if they're
> willing to spend to the money, they _will_ get it.
wonder why they dont already have it, maybe they do...