Security Through Obscurity (was: Re: [asterisk-dev] asterisk 1.4.1/1.2.16 release question)

Matthew Rubenstein email at mattruby.com
Sun Mar 4 21:54:43 MST 2007


	Securing an open project (or even a closed one) by keeping known
exploits "secret" is well known to be a failing strategy. The bad guys
are at least as likely as anyone else to have discovered it. And at
least as motivated to monitor the patches for the exploit. Keeping the
exploit "secret" doesn't prevent at least some bad guys from finding
out. But it does prevent many more targets from even knowing we're
vulnerable. Or what the costs/benefits to upgrading would be.

	This security reality is well known in the programming industry. I'm
disappointed to see Digium acting as if it weren't.


On Sun, 2007-03-04 at 12:00 -0700, asterisk-dev-request at lists.digium.com
wrote:
> Date: Sun, 04 Mar 2007 11:46:01 -0600
> From: "Kevin P. Fleming" <kpfleming at digium.com>
> Subject: Re: [asterisk-dev] asterisk 1.4.1/1.2.16 release question
> To: Asterisk Developers Mailing List <asterisk-dev at lists.digium.com>
> Message-ID: <45EB05D9.8020607 at digium.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Anthony Lamantia wrote:
> > "obvious reasons" .. ?,  I really would like to know what the risk
> > to my asterisk servers are.
> 
> We have never, and will never, help potential exploiters directly.
> 
> The issue is that a very simple SIP packet can cause Asterisk to
> crash.
> Figuring out how to construct that packet should be trivial for anyone
> who understands the code and reads the (very small) patch.
> 
> 
-- 

(C) Matthew Rubenstein


