[asterisk-dev] Re: Security Through Obscurity

Edwin Groothuis edwin at mavetju.org
Mon Mar 5 02:58:04 MST 2007


On Sun, Mar 04, 2007 at 11:11:39PM -0600, Kevin P. Fleming wrote:
> Matthew Rubenstein wrote:
> > 	This security reality is well known in the programming industry. I'm
> > disappointed to see Digium acting as if it weren't.
> 
> What is obscured? We clearly stated that the vulnerability existed, the
> patch to fix it was public, the release that contained that patch was
> public.

Just to give my two cents:

It was only said that there was a security issue, not in which part
of Asterisk. Is it the manager interface? Is it the SCCP stack? Is
it the SIP stack? Is it a zaptel driver issue?

Of course, once I knew where it was, I could easily see the commit
which fixed it, and see what happened. Since I patched it today,
would I have worried more about it if I knew where it was? Not
really, since I was away this weekend :-)

What could have been done better:

- Explain where the issue is so people not affected know there is
  nothing to worry about.

- Explain where the issue is so people under attack have a hint of
  "I have heard about this".

- I'm not running 1.2.12 or 1.2.13, I'm running somewhere in the
  1.2 branch. It would be nice to know if I was vulnerable if I was
  running "Asterisk SVN-branch-1.2-r55277M" or to which revision I
  should go. Of course this is a dead giveaway of where the problem lies.

- My network is protected by an IPS/IDS (yes, I have both, one
  commercial and one Snort). I wouldn't mind if the IPS would block
  it (that means they need knowledge of the issue), and if the IDS
  could detect it (that means they need knowledge of the issue).


The issue is there, the problem is in the field. The bad guys knew
the moment you announced it, the good guys could have known it a
little bit earlier if they were warned.


Digium has its policy regarding this, and I will respect
it, but as you can see, I don't fully agree with it.


Edwin
-- 
Edwin Groothuis      |            Personal website: http://www.mavetju.org
edwin at mavetju.org    |          Weblog: http://weblog.barnet.com.au/edwin/

