Open Source and information security mailing list archives
 
Message-ID: <20080521091842.GB30032@lboro.ac.uk>
Date: Wed, 21 May 2008 10:18:42 +0100
From: A.L.M.Buxey@...ro.ac.uk
To: n3td3v <xploitable@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [NANOG] IOS rootkits

Hi,

> How can you say the cyber world is unlikely to end when Cisco is the
> most widely used router on the internet today? Everyone uses Cisco,
> all the ISPs and everyone.

I tend to ignore your comments, however this is just ridiculous.
The internet is based on Cisco? Yes. Sure. I'm sure that Juniper
would be very surprised to find out that all the ISPs... and everyone... uses
Cisco as their router platform. Juniper... and Foundry and Extreme to a
lesser extent... might want to know why the major ISPs etc. bought
their kit if all they'll do with it is shove it into a store room
or use it for a development network. Subtle hint: Cisco isn't the
only player in the major ISP market.

IOS issues have been reported for years. A rootkit isn't the threat -
remote vulnerability to get that rootkit on in the first place is
a threat. Your issue with the information being released at this
security conference? The fact that people paid to learn this information?
Or the release of the information? If the info was released for free
to the world then you'd have no issue because you don't want to pay
for some info? Or you don't want full disclosure and rely on security
through obscurity? But surely that goes against what e.g. this list stands for.

Bring on the issues. It'll ensure that Cisco sort their issues out. If they
don't then those other vendors will be happy to supply to companies who
are properly concerned about such threats. Such issues are what
make full disclosure a reasonable practice.

alan
