[rc5] Releasing source (was: Cyberian Discussion)

Colin L. Hildinger colin at ionet.net
Fri Aug 1 14:04:16 EDT 1997

On Fri, 01 Aug 97 12:43:45 -0600, Tom Wheeler wrote:

>On Fri, 01 Aug 97 11:56:50 -0500, Colin L. Hildinger wrote:
>>Having participated now in several of these distributed efforts, I have
>>to say that Bovine is handling the issue of releasing source very well.
>> It's foolish to let anything but the key cracking code float around. 
>>Now some of you admins are gonna whine that you won't run anything you
>>can't compile (Come on, you think that it's gonna eat your system when
>>it's not eating everyone else's?  One word: paranoid), and others are
>>gonna say that security through obscurity isn't security at all.  I
>>say, fine, use the v1 clients and move on.  The fact is, obscurity DOES
>>provide some amount of security.  I could write a v1 client that faked
>>100 Mk/s in about 10 minutes or less with the v1 code (I wouldn't, of
>>course), I could do the same thing with the Cyberian source, but to do
>>it with the v2 protocol would be more work.  It doesn't make it
>>impossible by any means, but it IS a deterrent.
>I think you ought to reconsider your position, Colin.  

No need, I've seen the arguments on several mailing lists for months
and months.  The argument for releasing source doesn't hold water.

>The costs of not
>shipping source far outweigh any potential benefit derived from not
>shipping.  All you get by not supplying source is to make it a little
>more difficult to do something nasty.  

EXACTLY.  This is a good thing.

>What you lose is the input of
>all the people who would make improvements; 

Really?  You get hundreds of different "improvements," some of them
don't work right and cause all sorts of problems for the organizers,
you get a cluster-f*^k.  The organizers end up spending all their time
chasing these problems and not looking for malicious folks.

>the people who won't run
>unknown binaries; 

They can run the v1 clients if they want, or they can go somewhere
stupid enough to release all their source.  Quite frankly, (my opinion,
not distributed.net's) these people don't account for that much of the
effort anyway.  DESCHALL broke the DES message without being foolish
and releasing source.

>people having the opportunity to look at and learn
>from the source.  

Um, that's not the goal.  Breaking RSA's message is the goal.  If you
want to learn to program, there are other ways to do it.

>Plus, by not shipping source, if somebody does do
>something malicious it'll be more difficult to detect.

??????  You seem to have an intense lack of logic.  This statement
ranks a negative 20 on the logic scale (0-1, illogical or logical). 
How the heck does it make it more difficult to detect?

>Obscurity does not provide security.  Quite the opposite - the fewer
>the number of people who are in the know, the easier it is to get away
>with something.  When hundreds of people have the source, no broken
>client is going to get very far.

OK, so if I know exactly how the client works, how the heck does that
affect someone's ability to get away with spamming the servers?  The
answer is, of course, that it doesn't.  Duh.  You make this baseless
argument twice, please *explain* how public source makes it easier to
detect malicious clients.

>Maybe I'm missing something, but it looks pretty clear to me.

Apparently you are missing something.

Colin L. Hildinger
| Games Editor - OS/2 e-Zine! | The Ultimate OS/2 Gaming Page          |
| http://www.os2ezine.com/    | http://www.ionet.net/~colin/games.html |
|	   The Official Unofficial AWE32 and OS/2 Warp Page            |
| 		http://www.ionet.net/~colin/awe32.html                 |

