[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <F9583C2B6C38D311800700508B0F1B8608DED9FE@rtcnt27.rtc.ch>
From: lksi.pikett at rtc.ch (Pikett/LKSI)
Subject: Cisco's stolen code
On Wed, 2004-05-26 at 10:25 AM, tobias@...sserth.de wrote:
>> now when it hits Cisco, everybody say its a crime lurking for the code or
>> publicating it. BUT when it hit M$ everybody thought, its a great idea to
>> share the stolen source code all over the internet (yes also on FD).
>What is true for Cisco is even more true for Microsoft. Stay the hell
>away from code that hasn't been licensed for you.
bad guys won't. they'll take their chances to find some holes in the code
which could allow them to control your router and everybody
else's...we can't be sure, that the few minor publicly known problems after
the MS code leaked were all there was/is/will be. Do you trust MS or Cisco,
that the code is all clean and secure? i don't. To my understanding, full
dislosure means informing the good (and some bad) guys about the existence
of a potential security hole in our configurations. "Opensource" software,
be it GPL oder leaked CSS, is the best way to get to the point withouth the
need of coincidence/reverse engineering/blackbox testing etc. i'm thankful
for every whitehat who analyzes the ios sources and helps to find holes
before a blackhat does. And it's not because i think Cisco deserves some
free working bugfinders...hell, every multibillion $ company should be
charged for bugs found by outsiders.
>Anybody who touches copyrighted code, be it MS or Cisco or whatever, is
>at risk. Why should I want to put myself at risk to solve problems the
>copyright holder of the code should solve? If I address a security flaw
>in MS code and say a year later I decide to write something that might
>attract the attention of MS as a competitor then I'm most certainly
>being confronted with accusations like "you took that from our code" and
>"you are a thief".
you might be right on that one and <conspiracy> that might even be a
motivation for some vendors to "coincidentially" leak their sources and
later use it against competitors </conspiracy>, reminds me of the patent
issue nightmare. still, how does that interfere with the searching for
potential security holes in more or less publicly available sourcecode for
the sake of knowing about any weaknesses?
regards
Sascha
Powered by blists - more mailing lists