Tony writes:
>No, just inconsistent. You do not have source code to the cisco
>router. Yet you trust it. [Don't let me discourage this. ;-)]
Trust is a funny thing. When a vulnerability appeared in the ESTABLISHED
bit on a CISCO, they published the fact (here and in a CERT advisory).
Compare with Mr. Gates reaction to an interview in Germany about problems.
Next, I do not know of any cases of "undocumented features" on a Cisco
router. In counterpoint, I have Ralf Brown's Interrupt list,
Undocumented Windows, Windows Secrets, Undocumented Windows 95, and soon
will add Woody Lionhard's "Hackers Guide to WORD" (group of plugs there).
ALL of which fill in holes left by those of the "Microsoft Press" (have
quite a few of them also. Accuracy is considerably less on treated subjects
as well).
Further, if I call Cisco, I can ask for Karyn or Paul, both of whom are known
on the net. At the other place you get muzak on hold (a user called Mr.
Bill's best because he thought he had a WORD virus. After several hours of
FL-WA, he was left with a virus-proof WORD (it would not load *any* file), had
double tool bars, and there was no backup of the original NORMAL.DOT (can
see all the added copyright notices though). Am still trying to figure out
how to repair it without reinstalling).
Finally, I give you the C2 Windows NT: Have not verified it but was told that
not only must all network services be disabled (have verified that), you
also must disconnect the bootable floppy disk drive. Right.
Sad part is that Microsoft is doing it to itself and does not even seem to
realize the damage that is being caused. To some of us, this seems like
malevolence; I suspect instead it is the same indifference that GM showed in
the '70s and '80s. Sooner or later people notice.
But the fact is that security is built on trust and as a group, security
professionals are somewhat less likely to grant trust and are quicker to
deny it. We're paid to be paranoid.
For me, I do not require source code from everyone. If I feel that the people
involved have a good product and are worthy of trust, and what it does
is limited enough in scope that I can test it adequately as a black box,
then source code is not necessary, particularly if I am not betting the
corporation on it (outside connections should never have a single failure
point).
Now, a very complex system from a company that seems to go out of its way
to bring products to market with an excessive number of bugs and to downplay
any problems, products that when you examine the specifications have
exclusions that have been known to cause fits of laughter (get the latest
Microsoft WORD virus thingie - I forget the number but the one that is said
to detect/block macros in documents. Now read the README. Have a glass of
water handy to stop the hiccups.) Those, I usually ignore with or without
source; I have negative free time as it is.
Warmly,
Padgett