Brett_Watson@enron.net wrote:

| in some cases, yes you can. but the fact that i (someone who doesn't crack
| systems) can get source code to some flavors of unix doesn't stop the
| hackers from getting it either. no *real* gain here. and if you don't

Actually, there's quite a bit of gain. If something is discovered, usually the patch is fairly trivial and can be written by just about anyone with a little coding experience. Once it's written, anyone can apply it -- perhaps MONTHS before the vendor releases a patch. I'd say having my systems patched in less than half the time would have to go on the 'gain' list, wouldn't you?

Also, consider the fact that the script kiddies usually haven't the slightest clue how to do a real code review with an eye towards potential security flaws.

| think that some of the more elite hackers in the world don't have access to
| proprietary source code, both systems and router vendors.... if you're not
| scared, you don't understand.

Proprietary source leaks are not particularly uncommon, no... scary? Not really. The type of people who manage to pick up, say, complete IOS source trees, generally aren't the type who distribute them and aren't particularly reckless in how they use them.

I think his point is simply this: Proprietary source -may- leak, but that isn't necessarily a big incentive to the vendor to ensure that their code is bulletproof; a vendor that is distributing source far and wide will go much further to ensure that they have a secure, reliable product than one that doesn't.

Ultimately, you have to assume that -everyone- attacking your systems has full source code... and therefore, if you can swing it, you should probably have it too. It is for this reason alone that security through obscurity -does not work-. It may occasionally be necessary, but choosing it as your front line defense is less than wise.

| maybe i just misunderstand you but you seem to portray these issues as
| black and white. they're not. ssh has had known security problems, and
| kerberos, while i like it myself, is damned easy to misconfigure which
| opens all kinds of holes.

K4, maybe. K5? Not quite so easily. Either is not nearly as bad as open telnet. And "has had known security problems" is not the same as "has known security problems," and the former does not strengthen your argument nearly as much as you seem to think it does.

Perhaps you should follow your own career advice.

--msa