[c-nsp] FW: Cisco Security Response: [Full-disclosure] CiscoPIX TCP Connection Prevention

Ted Mittelstaedt tedm at toybox.placo.com
Fri Nov 25 06:24:45 EST 2005



>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Andrew
>Yourtchenko
>Sent: Wednesday, November 23, 2005 8:03 PM
>To: Virgil
>Cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] FW: Cisco Security Response:
>[Full-disclosure] CiscoPIX TCP Connection Prevention
>
>
>
>I can think of some situations where this might bring inconveniences of
>varying extent - but my understanding is that they are
>relatively corner cases.
>If you can think of something major - understanding what it is would
>definitely help. So far I just do not see anything gross in this - but
>maybe I need an eye check - please help :-)
>

Andrew, I will probably get screamed at for saying this, but most of these
so-called security advisories that have come out in the last couple of years
for everything other than Microsoft's stuff are highly speculative, almost
impossible to duplicate anywhere other than a lab, and are pretty much
political balls thrown out there for reasons that have nothing to do with
actually increasing security on the Internet.

It seems a number of these security companies feel that
nobody is going to take them seriously unless they publicly announce
that -they- have found a security vulnerability in someone's shipping
stuff.  It seems to me that these groups are basically engaged in a
"my dick is bigger than yours" game whereby they continually attempt
to top each other to be the latest to find another security hole.  The
reality that most of the time the security vulnerabilities aren't
practically exploitable in the field is a side issue quickly shunted aside
by them and by the computer media, who are always looking for grist for
the mill.

I can count the number of bona fide DoS attacks against our stuff and
our customers' stuff over the last 5 years on the fingers of one hand.  By
contrast, if I had a dime for every time a customer of ours had a server
broken into by a spammer, or a system taken offline by a virus that one
of their idiot employees opened as a mail attachment, I'd be a rich man.

With all that said, I will point out that Cisco's "security through obscurity"
approach of not letting its source code out for inspection by the community
at large is really, really stupid, and you get what you deserve because
of it.  Even Microsoft allows its Windows source out there for inspection -
they have for years now.  Cisco's IOS code has been leaked twice that I
know about, and we all know that the crackers have copies of those, but
your company's ass-backwards head-in-the-sand approach to this is
extremely counterproductive and simply makes the crackers all the more
determined to break into your stuff.  It also puts the lid on discussion in
the community that would help your company to make your stuff more
secure, and makes us think that your programmers must be pretty
crappy, so terrible that they are embarrassed for their awful coding to be
made public.

Security through obscurity has been shown to be a bankrupt approach,
and it's high time that Cisco's upper management understood that there are
things like copyrights and patents and licenses that can protect its stuff,
and it's high time that Cisco's upper management also understood that
part of the value of buying Cisco gear is that you're buying a piece of the giant
organization behind it, and that is not something that a competitor can
duplicate just by seeing your source code.  If tomorrow someone like
Adtran came out with a router that worked perfectly (instead of like
the crap that it does now) based on stealing your ideas, I -still- wouldn't
buy their router product, because those people are phone guys and do not
have the corporate culture to understand what a router is.

Ted
