North American Network Operators Group


Fwd: Cisco crapaganda

  • From: James Baldwin
  • Date: Tue Aug 09 14:35:14 2005

On Aug 9, 2005, at 11:11 AM, [email protected] wrote:

They are not "Lynn's exploit techniques". The techniques were
published by someone else in considerably more detail than
Lynn along with source code.

What techniques are you referencing? The technique Lynn demonstrated has not been seen anywhere in the wild, as far as I know. Neither he nor ISS ever made the source code available to anyone outside of Cisco or ISS. What publication are you referring to?


You aren't safe just because your network runs on brand X
boxes. The only way to be safe is for your brand X vendors
to take software security and systemic security much more
seriously. I also believe that there are lessons to be
learned from the open source community's approach to security.
This doesn't mean that Cisco or any other Brand X vendor
should just run out and replace their box's OS with
OpenBSD or NetBSD or Linux. But they need to seriously
ask themselves what advantage they gain from inventing
their own wheel and rejecting the work of thousands of
highly skilled and dedicated people.

Quality control.

The general operating systems are not designed with a specific goal of high availability routing in mind, and while they display and can compete on some levels with specialized operating systems, they will lose out in the end. In this regard it is not open source environments that present the benefit, but as you say "thousands of highly skilled and dedicated people". There are very few of those people who are experienced in the realm of high end routing systems.

The general operating system can garner a large support base due to its broad market appeal, its use in both servers, low end routing hardware, and desktops. However, to develop strong support for a reduced feature set and circumscribed is difficult. The same number of dedicated developers will be reduced and the amount of time highly specialized developers will focus on that code base will be diminished.

You can see examples of similar behavior in the subsets of Linux developed for embedded systems, like the WAP Linksys routers.

That being said, who would continue to buy Cisco equipment if IOS was available elsewhere? The Chinese market is already flooded with Cisco knock-offs, the rest would most certainly follow if it was legal.

Out of curiosity, what, in your opinion, is the open source community's approach to security? I have seen differing approaches from different groups, some of which are downright despicable (methods, not people).


There really is no such thing as closed source. The people
building these exploits are fully capable of taking
code from ROM or flash memory and reading what it does.

I've had some experience with reverse engineering and disassembly, and while it is true that you can analyze an image of a running program and find what it does, that is a long, long step to having the kind of understanding of a program you can gain through the actual source code.


It's all fine and well to have layers of security but
hiding your source code really shouldn't be counted
as a security layer.

Obscurity should never be counted on as a sole security layer, but it does add a level of difficulty. One of the major themes in the security industry is mitigation. Obscurity does not add a level of security, but it does reduce the number of people who can easily accomplish a task. It raises the bar and reduces the pool of attackers.


Even if someone managed to eliminate Lynn and all past
and current employees of ISS by exiling them to Cuba,
this would not stop the hackers who are exploiting
network device flaws.

Did anyone ever think that?