[rc5] Releasing source (was: Cyberian Discussion)

Tom Wheeler tomw at intelligraphics.com
Fri Aug 1 13:43:45 EDT 1997

On Fri, 01 Aug 97 11:56:50 -0500, Colin L. Hildinger wrote:

>On Fri, 1 Aug 1997 11:02:22 +0200 (MET DST), Dirk Moerenhout wrote:
>>Bovine could learn a lot from the way Cyberian is handling it. If it 
>>wouldn't have been they're doing stuff people waited for, nobody would 
>>'ve switched. The moment the Bovine-effort stated they wouldn't release 
>>source no more, they stopped the fun for people who aren't planning on 
>>running unknown programs. The Cyberian people kept their promise and keep 
>>releasing sources, as they should.
>Having participated now in several of these distributed efforts, I have
>to say that Bovine is handling the issue of releasing source very well.
> It's foolish to let anything but the key cracking code float around. 
>Now some of you admins are gonna whine that you won't run anything you
>can't compile (Come on, you think that it's gonna eat your system when
>it's not eating everyone else's?  One word: paranoid), and others are
>gonna say that security through obscurity isn't security at all.  I
>say, fine, use the v1 clients and move on.  The fact is, obscurity DOES
>provide some amount of security.  I could write a v1 client that faked
>100 Mk/s in about 10 minutes or less with the v1 code (I wouldn't, of
>course), I could do the same thing with the Cyberian source, but to do
>it with the v2 protocol would be more work.  It doesn't make it
>impossible by any means, but it IS a deterrent.

I think you ought to reconsider your position, Colin.  The costs of not
shipping source far outweigh any potential benefit derived from not
shipping.  All you get by not supplying source is to make it a little
more difficult to do something nasty.  What you lose is the input of
all the people who would make improvements; the people who won't run
unknown binaries; people having the opportunity to look at and learn
from the source.  Plus, by not shipping source, if somebody does do
something malicious it'll be more difficult to detect.

Obscurity does not provide security.  Quite the opposite - the fewer
the number of people who are in the know, the easier it is to get away
with something.  When hundreds of people have the source, no broken
client is going to get very far.

Maybe I'm missing something, but it looks pretty clear to me.

Tom Wheeler
tomw at intelligraphics.com
