Pete Wright's Radio Weblog
Musings on anything and everything, but mainly code!

 

 

20 September 2004
 

The Register is running a story today saying that UK police have arrested a suspect in relation to the theft of source code for the Cisco IOS routers. Interestingly, the article states that "The theft is a worry for security pros because wider access to Cisco's proprietary source code might make it easier for hackers to develop exploits". Makes sense, doesn't it?

Well, no. One of the great arguments in the cryptography world is that there should be no Security Through Obscurity. If you don't know just how a particular crypto algorithm really works, then you have no way of verifying whether or not it does the best job it possibly can. Just as scientists have a long-running history of publishing and sharing their findings so that their peers can review and debate their work, so too do cryptographers. Only by allowing millions of other people around the world, with both good intentions and bad, to attack your work can you possibly be sure that it really is secure and effective. This is one of the big reasons why DES is no longer used by sensible people as a method of encryption (the fact that DES uses "secret" boxes that no-one understands makes the algorithm inherently risky to trust).

It's good, however, that the police do now have a suspect in the case - source code theft is a nasty thing. But come on, Cisco - if your products really are that secure, then shouldn't you be proving it, instead of just shouting it?

 


10:52:26 AM


© Copyright 2004 Pete Wright.
Last update: 27/11/2004; 12:29:44.