[Asterisk-Users] Re: Advice on OS Choice

Joe Greco jgreco at ns.sol.net
Fri Oct 15 14:43:56 MST 2004


> On Friday 15 October 2004 16:22, Michael Giagnocavo wrote:
> > >problem lies in the policy for upgrading or installing software on
> > >life-critical machines not being followed.
> 
> > I agree with that. But, what's going to be held up in court? As a lawyer
> > for a medical equipment corp, which route are you going to take to be safe?
> 
> As a medical equipment corp system designer (I do this for a living, although 
> not for medical) I'd make damn sure the software couldn't be updated without 
> the correct access codes being in place, including hardware interlocks with 
> physical keys.  It's not hard to make firmware loaders require this kind of 
> stuff.

That was never really the concern, that kind of stuff is pretty trivial.

The concern was always more along the line of "what happens when they take
out the hard drive and putz with the image" - something you have relatively
little control over, because most shops expect to be able to do maintenance
on their equipment.  You can do various integrity checks that'll be mostly
sufficient (think: message digests of executables, into a fingerprint file,
itself signed with a key, but you still have to play some games to make it
difficult to corrupt the system).

Providing source makes it hellishly easier to disable or corrupt that
integrity verification system.

I'll also say this:  while I'm no fan of security through obscurity, there
are certain extra risks to having code open to public scrutiny, especially
for networked appliances.  Sure, the code's carefully written, and audited,
but that doesn't save you 100% of the time...

> > Imagine a toaster that ships with a booklet that shows the schematics and
> > shows people how to "rebuild" the toaster. Then some person (either a
> > 9-yr-old or an experienced electrician) uses the instructions, and fries
> > themselves. Or the next person who uses the toaster starts a fire. When it
> > gets to court, you can bet that the lawyers are going to try to blame the
> > company for "making it easier to modify the toaster". Even though it's
> > utterly silly, that's how the US legal system works. No one is responsible
> > for their own mistakes.
> 
> This used to be the way it was.  The Amiga computers all came with full 
> schematics.  Radios and televisions had easily obtainable service manuals.  
> Radio Shack actually had a decent parts inventory.  Hell IIRC certain 
> versions of DOS (CP/M?) had full source listings!

Most UNIX variants still do.

> *sigh* good old days...

:-)

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
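
The integrity check sketched in the message above (digests of executables collected into a fingerprint file that is itself keyed), as an added example that is not part of the original post. Assumptions: Python's standard library has no public-key signing, so an HMAC-SHA256 tag stands in for the signature; the function names, file names and key are constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile

def build_manifest(root):
    """Map each file path under root (relative) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def _tag(manifest, key):
    # Canonical JSON so the same manifest always yields the same bytes.
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def seal(manifest, key):
    """Produce the fingerprint file contents: digests plus a keyed tag."""
    return {"manifest": manifest, "tag": _tag(manifest, key)}

def verify(root, sealed, key):
    """Return sorted findings; an empty list means the image matches."""
    # Check the fingerprint file first: its digests mean nothing if it was rewritten.
    if not hmac.compare_digest(_tag(sealed["manifest"], key), sealed["tag"]):
        return ["fingerprint file: bad tag"]
    current = build_manifest(root)
    findings = []
    for path, digest in sealed["manifest"].items():
        if path not in current:
            findings.append("missing: " + path)
        elif current[path] != digest:
            findings.append("modified: " + path)
    findings += ["unexpected: " + p for p in current if p not in sealed["manifest"]]
    return sorted(findings)

def demo():
    key = b"constructed-demo-key"  # constructed value; a real key is never hard-coded
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("loader", b"constructed loader"), ("ctl", b"constructed ctl")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        sealed = seal(build_manifest(root), key)
        clean = verify(root, sealed, key)
        with open(os.path.join(root, "ctl"), "wb") as fh:  # image edited offline
            fh.write(b"patched ctl")
        tampered = verify(root, sealed, key)
        # Fingerprint file regenerated to match the edit, but without the key.
        resealed = {"manifest": build_manifest(root), "tag": sealed["tag"]}
        return clean, tampered, verify(root, resealed, key)
```

With an HMAC the verifying key has to live on the device, so a fielded design would check a public-key signature instead and keep the signing key off the box; the verifier code itself still needs protecting, which is the "games" the message refers to.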


