[Asterisk-Users] Re: www.openpbx.org

Steve Underwood steveu at coppice.org
Sat Oct 8 18:15:37 MST 2005


Steve Kennedy wrote:

>On Sat, Oct 08, 2005 at 08:43:07PM +0300, Tzafrir Cohen wrote:
>
>>On Sat, Oct 08, 2005 at 11:59:04AM -0400, Mike M wrote:
>>
>>>On Sat, Oct 08, 2005 at 09:20:07AM -0400, Paul wrote:
>>>
>>>>Closed source might delay the cracker but it also delays pre-crack and 
>>>>post-crack countermeasures.
>>>>
>>>What's the alternative?  Open source?  Cracking is unnecessary with open
>>>source.
>>>
>>Search a bit about "security by obscurity". Basically if the security of
>>your system depends on a secret you can't easily change, it will get
>>exposed sooner or later. So you should design it to withstand such
>>leakage. E.g., change a password if it was exposed.
>
>As this was related to Mastercard/Visa, they can allow open source,
>however the software has to be certified to meet their security specs,
>which may be harder to accomplish for open source.
>
It's not harder. It's just different. A number of things have similar 
requirements. The ISDN4Linux folk have certain versions of their 
software approved by the telecoms bodies in Europe. They need to tie 
down exactly what was approved, so any other versions emit a notice that 
says they are unapproved versions. They do this with a signature on the 
approved version. It seems to work out OK.

Regards,
Steve



