Full Disclosure mailing list archives

RE: Cisco's stolen code


From: Pikett/LKSI <lksi.pikett () rtc ch>
Date: Wed, 26 May 2004 11:27:24 +0200

On Wed, 2004-05-26 at 10:25 AM, tobias () weisserth de wrote:
now when it hits Cisco, everybody says it's a crime lurking for the code or
publishing it. BUT when it hit M$ everybody thought it's a great idea to
share the stolen source code all over the internet (yes also on FD).

What is true for Cisco is even more true for Microsoft. Stay the hell
away from code that hasn't been licensed for you.

Bad guys won't. They'll take their chances to find some holes in the code
which could allow them to control your router and everybody
else's... We can't be sure that the few minor publicly known problems after
the MS code leaked were all there was/is/will be. Do you trust MS or Cisco
that the code is all clean and secure? I don't. To my understanding, full
disclosure means informing the good (and some bad) guys about the existence
of a potential security hole in our configurations. "Opensource" software,
be it GPL or leaked CSS, is the best way to get to the point without the
need of coincidence/reverse engineering/blackbox testing etc. I'm thankful
for every whitehat who analyzes the IOS sources and helps to find holes
before a blackhat does. And it's not because I think Cisco deserves some
free working bugfinders... hell, every multibillion $ company should be
charged for bugs found by outsiders.

Anybody who touches copyrighted code, be it MS or Cisco or whatever, is
at risk. Why should I want to put myself at risk to solve problems the
copyright holder of the code should solve? If I address a security flaw
in MS code and say a year later I decide to write something that might
attract the attention of MS as a competitor then I'm most certainly
being confronted with accusations like "you took that from our code" and
"you are a thief".

You might be right on that one and <conspiracy> that might even be a
motivation for some vendors to "coincidentally" leak their sources and
later use it against competitors </conspiracy>, reminds me of the patent
issue nightmare. Still, how does that interfere with searching for
potential security holes in more or less publicly available source code for
the sake of knowing about any weaknesses?

regards
Sascha
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html