Hi Rich,
> A. If open publication of the full source code of XYZ would render it insecure, then XYZ is _already_ insecure.

I like that way of looking at it.

> B. In analyzing any attack, it's prudent to presume that the attackers have the full source code of every piece of software involved. [1]

Sure, or even a snippet would be sufficient to find and exploit a hole.

> It's time to level the playing field. It's time for all the vendors to publish ALL the source code so that we at least have the same information as our adversaries.

That's going to be a leap too far; it's not an issue of security, it's a question of property and value.

> [1] Either because it leaked (discarded computer equipment, backup tapes,

Source code is much more widely distributed than people might think; it's possible to be a contractor (individual or company) or, for example in MS's case, a partner and get source code supplied under NDA.

> What's the dollar value on the open market of, oh, let's say, the full source code to one of Cisco's popular routers? Maybe $100K? $250K? Maybe more, considering what it might facilitate?

Naww. $0. Pre-IOS-12 versions are in circulation already, 12.something was partially leaked a year or two ago, and I'm sure other bits can be picked up. Who would be willing to pay? Not companies, that's illegal. Blackhats? Maybe, but they can just grab the circulating bootlegs.

> Whatever that number is, that's the amount that prospective attackers may be presumed to be willing to spend to get it. And whether they spend it on R&D, or paying someone who's already done the R&D, or just cutting to the chase and paying off someone with access to it, doesn't really matter: if they're willing to spend the money, they _will_ get it.

Wonder why they don't already have it... maybe they do.

Steve