[Asterisk-Users] Re: www.openpbx.org

Paul digium-list at 9ux.com
Sun Oct 9 22:38:06 MST 2005


Mike M wrote:

>On Sun, Oct 09, 2005 at 01:51:41PM -0400, Paul wrote:
>  
>
>>Mike M wrote:
>>    
>>
>>Mike, the context was regarding security by obscurity. It has nothing to 
>>do with stealing a product to sell to others. The only reverse 
>>engineering I ever did had nothing at all to do with bootlegging or 
>>counterfeiting software. The closest I ever came to that was reversal 
>>for the purpose of proving it contained stolen goods. By the way, I am 
>>not a mundane scribe or a relic by any means. Closest I ever came to 
>>being a scribe is putting a signature of mine in pcb copper and some 
>>silicon. I also left my signature in the leftover gates of some array 
>>logic. Calling me a scribe or relic is a rather hefty insult, don't you 
>>think?
>>    
>>
>
>The context of reversing was difficult to discern from repeated
>readings. The message seemed to be to not bother closing software because it
>can be reversed easily and the source can be better than the original.
>
>I supposed you were describing hypothetical abstract possibilities and not actual
>occurrences. My responses were similarly abstract.  I admit there can be
>legally justifiable reasons for reversing, or that it could be a form of
>archaeology, but the original statement did not suggest these cases.
>
>Now that your context, meaning, and intent are clearly defined,
>it's evident you should not take umbrage with the description of
>reversers as scribes and relics as those terms do not apply to you.
>
>Besides, illegitimate reversers can't complain about being insulted because they run
>the risk of being exposed. And then their contacts can be investigated
>for possible license violations.
>
>Reversing to exploit security weakness is most likely very effective. I
>agree with you that securing by keeping software closed is folly.
>Opening the software does not make it secure either.
>
>I return to my original point: Keeping software closed is done only when 
>you can't figure out how to have it open.  The point that launched this 
>sub-discussion was that Asterisk has a dual license and OpenPBX does not.  
>The underlying assumption is that the commercial license for Asterisk is 
>for a closed source super-implementation of the project. Could this be a 
>competitive advantage? As you point out, there are certainly no security
>advantages.  There could be some commercial advantages that currently
>exist for Asterisk that might be altered with the presence of OpenPBX.
>
>  
>
The sometimes valid reason for closed source commercial versions is that 
you can't provide affordable support for a moving target. It's not 
entirely valid in the case of asterisk. Count the config files and the 
number of things in those config files a customer can modify. So even if 
we know he has the exact same binary as our reference version there can 
be how many different configurations out there to support? Answer is 
some big number that just gets bigger as more copies are sold.

I haven't looked at the ABE license. I wonder if it allows reversing. I 
can see where reversing is needed. Somebody wants to move from ABE to 
locally compiled asterisk. They hire me to build an asterisk from the 
gpl that behaves the same as the ABE they have been using. First thing I 
would have to do is examine the ABE license and see if it is permissible 
to do that the fastest way I know because the fastest way I know would 
use some reversal techniques to match the binaries with the right 
compile options and patch sets.



