Security Through Obscurity (was: Re: [asterisk-dev]
asterisk 1.4.1/1.2.16 release question)
cadm at tiscali.it
Mon Mar 5 01:29:21 MST 2007
Security though obscurity and opening the source code are
complementary philosophies, not mutually exclusive ones. There isn't
one which is better than to the other one: both have pros and cons,
and the choise must be done according to the problem which must be resolved.
At 05.54 05/03/2007, you wrote:
> Securing an open project (or even a closed one) by keeping known
>exploits "secret" is well known to be a failing strategy. The bad guys
>are at least as likely as anyone else to have discovered it. And at
>least as motivated to monitor the patches for the exploit. Keeping the
>exploit "secret" doesn't prevent at least some bad guys from finding
>out. But it does prevent many more targets from even knowing we're
>vulnerable. Or what the costs/benefits to upgrading would be.
> This security reality is well known in the programming industry. I'm
>disappointed to see Digium acting as if it weren't.
>On Sun, 2007-03-04 at 12:00 -0700, asterisk-dev-request at lists.digium.com
> > Date: Sun, 04 Mar 2007 11:46:01 -0600
> > From: "Kevin P. Fleming" <kpfleming at digium.com>
> > Subject: Re: [asterisk-dev] asterisk 1.4.1/1.2.16 release question
> > To: Asterisk Developers Mailing List <asterisk-dev at lists.digium.com>
> > Message-ID: <45EB05D9.8020607 at digium.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> > Anthony Lamantia wrote:
> > > "obvious reasons" .. ?, I really would like to know what the risk
> > to my
> > > asterisk servers are.
> > We have never, and will never, help potential exploiters directly.
> > The issue is that a very simple SIP packet can cause Asterisk to
> > crash.
> > Figuring out how to construct that packet should be trivial for anyone
> > who understands the code and reads the (very small) patch.
>(C) Matthew Rubenstein
>--Bandwidth and Colocation provided by Easynews.com --
>asterisk-dev mailing list
>To UNSUBSCRIBE or update options visit:
More information about the asterisk-dev