Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cisco crapaganda

  • From: Stephen J. Wilcox
  • Date: Fri Aug 12 20:09:39 2005

Hi Rich,

> A. If open publication of the full source code of XYZ would render it
> insecure, then XYZ is _already_ insecure.

i like that way of looking at it..
 
> B. In analyzing any attack, it's prudent to presume that the attackers have
> the full source code of every piece of software involved. [1]

sure, or even a snippet would be sufficient to find and exploit a hole

> It's time to level the playing field.  It's time for all the vendors to
> publish ALL the source code so that we at least have the same information as
> our adversaries.

thats going to be a leap too far, its not an issue of security its a question of 
property and value 

> [1] Either because it leaked (discarded computer equipment, backup tapes,

source code is much wider distributed than people might think, its possible to 
be a contractor (individual or company) or for example in MS's case a partner 
and get source code supplied under NDA

> what's the dollar value on the open market of, oh, let's say, the full source
> code to one of Cisco's popular routers? Maybe $100K?  $250K?  Maybe more,
> considering what it might facilitate?

naww. $0. pre IOS-12 versions are in circulation already, 12.something was 
partially leaked a year or two ago, and i'm sure other bits can be picked up.

who would be willing to pay? not companies, thats illegal. blackhats? maybe, but 
they can juts grab the circulating bootlegs

> Whatever that number is, that's the amount that prospective attackers may be
> presumed to be willing to spend to get it.  And whether they spend it on R&D,
> or paying someone who's already done the R&D, or just cutting to the chase and
> paying off someone with access to it, doesn't really matter: if they're
> willing to spend to the money, they _will_ get it.

wonder why they dont already have it, maybe they do...

Steve





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.