Fwd: Cisco crapaganda

James Baldwin jbaldwin at antinode.net
Tue Aug 9 18:31:08 UTC 2005


On Aug 9, 2005, at 11:11 AM, Michael.Dillon at btradianz.com wrote:

> They are not "Lynn's exploit techniques". The techniques were
> published by someone else in considerably more detail than
> Lynn, along with source code.
>

What techniques are you referencing? The technique Lynn demonstrated
has not been seen anywhere in the wild, as far as I know. Neither he nor
ISS ever made the source code available to anyone outside of Cisco
or ISS. What publication are you referring to?


> You aren't safe just because your network runs on brand X
> boxes. The only way to be safe is for your brand X vendors
> to take software security and systemic security much more
> seriously. I also believe that there are lessons to be
> learned from the open source community's approach to security.
> This doesn't mean that Cisco or any other Brand X vendor
> should just run out and replace their box's OS with
> OpenBSD or NetBSD or Linux. But they need to seriously
> ask themselves what advantage they gain from inventing
> their own wheel and rejecting the work of thousands of
> highly skilled and dedicated people.
>

Quality control.

The general operating systems are not designed with a specific goal
of high availability routing in mind, and while they display and can
compete on some levels with specialized operating systems, they will
lose out in the end. In this regard it is not open source
environments that present the benefit, but, as you say, "thousands of
highly skilled and dedicated people". There are very few of those
people who are experienced in the realm of high end routing systems.

The general operating system can garner a large support base due to
its broad market appeal, its use in servers, low end routing
hardware, and desktops. However, to develop strong support for a
reduced and circumscribed feature set is difficult. The number
of dedicated developers will be reduced and the amount of time highly
specialized developers will focus on that code base will be diminished.

You can see examples of similar behavior in the subsets of Linux  
developed for embedded systems, like the WAP Linksys routers.

That being said, who would continue to buy Cisco equipment if IOS were
available elsewhere? The Chinese market is already flooded with Cisco
knock-offs; the rest would most certainly follow if it were legal.

Out of curiosity, what, in your opinion, is the open source
community's approach to security? I have seen differing approaches
from different groups, some of which are downright despicable (methods,
not people).


> There really is no such thing as closed source. The people
> building these exploits are fully capable of taking
> code from ROM or flash memory and reading what it does.
>

I've had some experience with reverse engineering and disassembly,
and while it is true that you can analyze an image of a running
program and find what it does, that is a long, long step from having the
kind of understanding of a program you can gain through the actual
source code.


> It's all fine and well to have layers of security but
> hiding your source code really shouldn't be counted
> as a security layer.
>

Obscurity should never be counted on as a sole security layer, but it  
does add a level of difficulty. One of the major themes in the  
security industry is mitigation. Obscurity does not add a level of  
security, but it does reduce the number of people who can easily  
accomplish a task. It raises the bar and reduces the pool of attackers.


> Even if someone managed to eliminate Lynn and all past
> and current employees of ISS by exiling them to Cuba,
> this would not stop the hackers who are exploiting
> network device flaws.
>

Did anyone ever think that?
