On Aug 9, 2005, at 11:11 AM, Michael.Dillon@btradianz.com wrote:
> They are not "Lynn's exploit techniques". The techniques were published by someone else in considerably more detail than Lynn, along with source code.
What techniques are you referencing? The technique Lynn demonstrated has not been seen anywhere in the wild, as far as I know. Neither he nor ISS ever made the source code available to anyone outside of Cisco or ISS. What publication are you referring to?
> You aren't safe just because your network runs on brand X boxes. The only way to be safe is for your brand X vendors to take software security and systemic security much more seriously. I also believe that there are lessons to be learned from the open source community's approach to security. This doesn't mean that Cisco or any other Brand X vendor should just run out and replace their box's OS with OpenBSD or NetBSD or Linux. But they need to seriously ask themselves what advantage they gain from inventing their own wheel and rejecting the work of thousands of highly skilled and dedicated people.
Quality control. The general operating systems are not designed with a specific goal of high availability routing in mind, and while they display and can compete on some levels with specialized operating systems, they will lose out in the end. In this regard it is not open source environments that present the benefit, but as you say "thousands of highly skilled and dedicated people". There are very few of those people who are experienced in the realm of high end routing systems. The general operating system can garner a large support base due to its broad market appeal, its use in both servers, low end routing hardware, and desktops. However, to develop strong support for a reduced feature set and circumscribed is difficult. The same number of dedicated developers will be reduced and the amount of time highly specialized developers will focus on that code base will be diminished. You can see examples of similar behavior in the subsets of Linux developed for embedded systems, like the WAP Linksys routers. That being said, who would continue to buy Cisco equipment if IOS was available elsewhere? The Chinese market is already flooded with Cisco knock-offs; the rest would most certainly follow if it was legal. Out of curiosity, what, in your opinion, is the open source community's approach to security? I have seen differing approaches from different groups, some of which are downright despicable (methods, not people).
> There really is no such thing as closed source. The people building these exploits are fully capable of taking code from ROM or flash memory and reading what it does.
I've had some experience with reverse engineering and disassembly, and while it is true that you can analyze an image of a running program and find what it does, that is a long, long step from having the kind of understanding of a program you can gain through the actual source code.
> It's all fine and well to have layers of security, but hiding your source code really shouldn't be counted as a security layer.
Obscurity should never be counted on as a sole security layer, but it does add a level of difficulty. One of the major themes in the security industry is mitigation. Obscurity does not add a level of security, but it does reduce the number of people who can easily accomplish a task. It raises the bar and reduces the pool of attackers.
> Even if someone managed to eliminate Lynn and all past and current employees of ISS by exiling them to Cuba, this would not stop the hackers who are exploiting network device flaws.
Did anyone ever think that?