On Tue, Aug 09, 2005 at 04:11:45PM +0100, Michael.Dillon@btradianz.com wrote:
> There really is no such thing as closed source.
I've been saying this for years, and I'm sure you and I aren't the only ones.

Corollaries:

A. If open publication of the full source code of XYZ would render it insecure, then XYZ is _already_ insecure.

B. In analyzing any attack, it's prudent to presume that the attackers have the full source code of every piece of software involved. [1]

C. It's not secure until everyone knows exactly how it works and it's still secure.

D. Any piece of source code which hasn't been subjected to widespread peer review should be presumed untrustworthy -- because it not only hasn't been shown to be otherwise, the attempt hasn't even been made. (Note that the contrapositive isn't true -- peer review is only a necessary condition, not a sufficient one.)

More bluntly: the closed-source, "faith-based" approach to security doesn't cut it. The attacks we're confronting are being launched (in many cases) by people who *already have the source code*, and who thus enjoy an enormous advantage over the defenders.

It's time to level the playing field. It's time for all the vendors to publish ALL the source code so that we at least have the same information as our adversaries. Because relying on the supposed "secrecy" of source code is relying on a fantasy.

---Rsk

[1] Either because it leaked (discarded computer equipment, backup tapes, etc.), was stolen from outside (network break-in, physical break-in), was stolen from inside (payoffs) or other means.

Borrowing heavily from Bruce Schneier's analysis of what it'd be worth to buy an election: what's the dollar value on the open market of, oh, let's say, the full source code to one of Cisco's popular routers? Maybe $100K? $250K? Maybe more, considering what it might facilitate? Whatever that number is, that's the amount that prospective attackers may be presumed to be willing to spend to get it.

And whether they spend it on R&D, or paying someone who's already done the R&D, or just cutting to the chase and paying off someone with access to it, doesn't really matter: if they're willing to spend the money, they _will_ get it.