Cisco crapaganda

Rich Kulawiec rsk at gsp.org
Tue Sep 6 01:34:40 UTC 2005


[late followup]

On Sat, Aug 13, 2005 at 07:32:20PM +0100, Dave Howe wrote:
> Rich Kulawiec wrote:
> >More bluntly: the closed-source, "faith-based" approach to security
> >doesn't cut it.  The attacks we're confronting are being launched
> >(in many cases) by people who *already have the source code*, and
> >who thus enjoy an enormous advantage over the defenders.
> TBH though, usually the open source "faith based" approach to security 
> doesn't cut it either. It's easy to say "it's open source, therefore anyone 
> can check the code" but much harder to actually find someone who has taken 
> the time to do it....

Ah, but I covered that, or at least I thought I did:

	"D. Any piece of source code which hasn't been subjected to
	widespread peer review should be presumed untrustworthy-- because
	it not only hasn't been shown to be otherwise, the attempt hasn't
	even been made.  (Note that the contrapositive isn't true --
	peer review is only a necessary condition, not a sufficient one.)"

Which means: just because it's open source and therefore anyone can check
it, doesn't mean that anyone has...or that they're competent...or that
they were thorough...or that they found all the issues.

Like I said, it's a necessary condition, not a sufficient one.

But...even with all the tools that have been developed -- everything
from formal proofs of correctness to array bounds checkers to stack
overflow guards to you-name-it...it seems that in 2005 the very
best available/practical method we have for trying to produce secure
code is "lots and lots of independent and clueful eyeballs".  I'm not
saying that's a desirable situation, because it's not: it would be
nice if we had something better.  But we don't, at least not yet.

Another way of putting it: no matter who "you" are, from one lone
programmer to 10,000, the Internet is more thorough than you are.

Now, one could counter-argue that keeping source code secret provides
some measure of security.  I'm not buying it: I don't think there's
any such thing as "secret source code".  And even if there were: if
someone with enough cash to fill a briefcase wants it, they WILL get it.

I suppose what I'm saying is: let's drop the pretense that "closed-source"
really and truly exists, let's get the critical code out in the open,
and let's get started with the process of beating it into shape.
Because we're already paying (and paying and paying) a huge price
for continuing the charade.

---Rsk
