[Asterisk-Users] Re: www.openpbx.org
Paul
digium-list at 9ux.com
Sat Oct 8 19:43:28 MST 2005
Steve Underwood wrote:
> Steve Kennedy wrote:
>
>> On Sat, Oct 08, 2005 at 08:43:07PM +0300, Tzafrir Cohen wrote:
>>
>>
>>
>>> On Sat, Oct 08, 2005 at 11:59:04AM -0400, Mike M wrote:
>>>
>>>
>>>> On Sat, Oct 08, 2005 at 09:20:07AM -0400, Paul wrote:
>>>>
>>>>
>>>>> Closed source might delay the cracker but it also delays pre-crack
>>>>> and post-crack countermeasures.
>>>>>
>>>>
>>>> What's the alternative? Open source? Cracking is unnecessary with
>>>> open source.
>>>>
>>>
>>> Search a bit about "security by obscurity". Basically if the
>>> security of your system depends on a secret you can't easily
>>> change, it will get exposed sooner or later. So you should design
>>> it to withstand such leakage. E.g.: change a password if it was
>>> exposed.
>>>
>>
>>
>> As this was related to Mastercard/Visa, they can allow open source,
>> however the software has to be certified to meet their security specs,
>> which may be harder to accomplish for open source.
>>
>>
> It's not harder. It's just different. A number of things have similar
> requirements. The ISDN4Linux folk have certain versions of their
> software approved by the telecoms bodies in Europe. They need to tie
> down exactly what was approved, so any other versions emit a notice
> that says they are unapproved versions. They do this with a signature
> on the approved version. It seems to work out OK.
>
> Regards,
> Steve

I think that the important thing to remember is that a good reverse
engineer can take the object code from a ROM and produce source files
that are better commented than the original source ever was. I close my
source because it's mine and it's none of your business but I don't get
a false sense of security from doing that. There are people who
specialize in taking gate array chips apart in a very careful manner in
order to get the programmed logic patterns using a microscope. If I can
buy/build a good enough logic analyzer I can get what I need without
even powering down your product. So consider that if I can clone your
electronic key device, disassembling the binaries for your closed source
software is a minor obstacle.