[rc5] Releasing source (was: Cyberian Discussion)

Vincent Janelle random at avara.com
Fri Aug 1 15:00:25 EDT 1997


I'd just like to note that looking at the client source is probably not a
good way to learn encryption, since it's basically in Assembler.  There
are better, and freely available DES and RC5 object and source files
floating around out there.  Releasing the source is a judgment call on the
basis of the administration.  I'm willing to bet that some of these people
are running pre-compiled copies of X Window System, or their login prompt,
if they are using Unix.  How many of you out there actually think that
Microsoft is *not* capturing your passwords?  The RC5 client is not as
dangerous as those two, because they actually interact with your system,
in ways that can, and do, crash systems very often.  There are thousands
of people who are perfectly happy to run these precompiled binaries, and
if you wish to prove your point, take the v1 source, like remi did, and
prove it on there.

On Fri, 1 Aug 1997, Tom Wheeler wrote:

> On Fri, 01 Aug 97 11:56:50 -0500, Colin L. Hildinger wrote:
> 
> >On Fri, 1 Aug 1997 11:02:22 +0200 (MET DST), Dirk Moerenhout wrote:
> >
> >>Bovine could learn a lot from the way Cyberian is handling it. If it 
> >>wouldn't have been they're doing stuff people waited for, nobody would've
> >>switched. The moment the Bovine-effort stated they wouldn't release
> >>source no more, they stopped the fun for people who aren't planning on 
> >>running unknown programs. The Cyberian people kept their promise and keep 
> >>releasing sources, as they should.
> >
> >Having participated now in several of these distributed efforts, I have
> >to say that Bovine is handling the issue of releasing source very well.
> >It's foolish to let anything but the key cracking code float around.
> >Now some of you admins are gonna whine that you won't run anything you
> >can't compile (Come on, you think that it's gonna eat your system when
> >it's not eating everyone else's?  One word: paranoid), and others are
> >gonna say that security through obscurity isn't security at all.  I
> >say, fine, use the v1 clients and move on.  The fact is, obscurity DOES
> >provide some amount of security.  I could write a v1 client that faked
> >100 Mk/s in about 10 minutes or less with the v1 code (I wouldn't, of
> >course), I could do the same thing with the Cyberian source, but to do
> >it with the v2 protocol would be more work.  It doesn't make it
> >impossible by any means, but it IS a deterrent.
> 
> I think you ought to reconsider your position, Colin.  The costs of not
> shipping source far outweigh any potential benefit derived from not
> shipping.  All you get by not supplying source is to make it a little
> more difficult to do something nasty.  What you lose is the input of
> all the people who would make improvements; the people who won't run
> unknown binaries; people having the opportunity to look at and learn
> from the source.  Plus, by not shipping source, if somebody does do
> something malicious it'll be more difficult to detect.
> 
> Obscurity does not provide security.  Quite the opposite - the fewer
> the number of people who are in the know, the easier it is to get away
> with something.  When hundreds of people have the source, no broken
> client is going to get very far.
> 
> Maybe I'm missing something, but it looks pretty clear to me.
> 
> 
> Regards,
> Tom Wheeler
> tomw at intelligraphics.com
> 
> 
> ----
> To unsubscribe, send email to majordomo at llamas.net with 'unsubscribe rc5' in the body.
> 
