Is anyone actually USING IP QoS?

Majdi Abbas abbas at
Wed Jun 16 19:00:16 UTC 1999

Brett_Watson at wrote:
| in some cases, yes you can.  but the fact that i (someone who doesn't crack
| systems) can get source code to some flavors of unix doesn't stop the
| hackers from getting it either.  no *real* gain here.  and if you don't

	Actually, there's quite a bit of gain.  If something is discovered,
usually the patch is fairly trivial and can be written by just about anyone
with a little coding experience.  Once it's written, anyone can apply it--
perhaps MONTHS before the vendor releases a patch.  I'd say having my
systems patched in less than half the time would have to go on the 'gain,'
list, wouldn't you?

	Also, consider the fact that the script kiddies usually haven't
the slightest clue how to do a real code review with an eye towards 
potential security flaws.

| think that some of the more elite hackers in the world don't have access to
| proprietary source code, both systems and router vendors....  if you're not
| scared, you don't understand.

	Proprietary source leaks are not particularly uncommon, no...scary?
Not really.  The type of people who manage to pick up, say, complete IOS
source trees, generally aren't the type who distribute them and aren't 
particularly reckless in how they use them.

	I think his point is simply this: Proprietary source -may- leak,
but that isn't neccessarily a big incentive to the vendor to ensuring that
their code is bulletproof; a vendor that is distributing source far and
wide will go much further to ensure that they have a secure, reliable
product than one that doesn't.

	Ultimately, you have to assume that -everyone- attacking your
systems has full source code...and therefore, if you can swing it, you
should probably have it too.  It is for this reason alone that security
through obscurity -does not work-.  It may occaisionally be neccessary,
but choosing it as your front line defense is less than wise.

| maybe i just misunderstand you but you seem to portray these issues as
| black and white.  they're not.  ssh has had known security problems, and
| kerberos, while i like it myself, is damned easy to misconfigure which
| opens all kinds of holes.

	K4, maybe.  K5?  Not quite so easily.  Either is not nearly as
bad as open telnet.  And "has had known security problems" is not the
same as "has known security problems," and the former does not strenghen
your argument nearly as much as you seem to think it does.

	Perhaps you should follow your own career advice.


More information about the NANOG mailing list