[NANOG] IOS rootkits

Joel Jaeggli joelja at bogus.com
Sun May 18 06:45:36 UTC 2008


Mark Smith wrote:
> On Sat, 17 May 2008 09:34:19 -0500
> travis+ml-nanog at subspacefield.org wrote:
> 
>> On Sat, May 17, 2008 at 04:47:02PM +0930, Matthew Moyle-Croft wrote:
>>> I'm sure it'll be good for a number of security providers to hawk their 
>>> wares.
>>>
>>> If the way of running this isn't out in the wild and it's actually 
>>> dangerous then a pox on anyone who releases it, especially to gain 
>>> publicity at the expense of network operators' sleep and well-being.
>>> May you never find a reliable route ever again.
>> I personally like Gadi's work, but not as much as I like getting my
>> packets to their destination.  I personally don't quite understand why
>> netops keep buying proprietary, closed technology for routers, but I'm
>> not and have never been a netop so I'm sure there's good reasons.  To
>> me it seems that if you need reliable router hardware, you can buy
>> that from a vendor, but in theory I don't see why the software for
>> routers couldn't be much more open.  When I can, I reflash my WAPs
>> with DD-WRT, because at least then I understand the system (and you
>> can't secure what you don't understand), but I am not saying that's
>> much of a comparison.
>>
> 
> Have you read and security validated every line of open code you're
> running? Even if you've only read and security validated 99% of it,
> you're still trusting that the other 1% doesn't have any
> vulnerabilities in it.

There are people who routinely deal in absolutes. We generally call them 
mathematicians...

The rest of us have to operate on a certain amount of uncertainty.

Ken's goal, I think, in 1985 was to open people's eyes to an area of 
uncertainty which was then relatively poorly understood. It was 
infeasible in 1985, and certainly remains so outside the confines of some 
really narrowly focused areas, to audit a significant percentage of the 
code you run.

> Then again, even if you have audited every line of code, and it is
> 100% "secure", who's to say the compiler used to compile it is ... so you'll
> have to audit that too.
> 



