--- In lpc2000@yahoogroups.com, Robert Adsett <subscriptions@a...> wrote:

> I would have thought that was obvious. It shows it can be
> done. There is something to be said for the courtesy of
> informing Philips before doing so but most security
> vulnerabilities appear to have only been addressed when
> the holes are demonstrated, not just talked about.

Things come out in the public domain when one party wants to take the other party out (usually egged on by a competitor) to manipulate the market. The fact that this has not happened is an indication that Philips is not a contender for the security market.

> Until it is shown with how much ease security can be
> bypassed claims about that ease are generally disregarded
> by most people concerned.

Not so by the people who make them, let me assure you. There are far-reaching consequences when claims are relied upon that are later discovered to be false or misleading or even deceptive. When the manufacturers go quiet and do not comment on such issues, it is usually a sign heads are rolling and finger pointing is going on inside the organisation that they do not want us to know.

> Of course in some parts of the world it may now be questionable
> as to whether it is legal to perform any research on this question
> so some people may not want to take that risk...

Precisely my point.

> If there is a security hole is it more responsible to expose
> it before more people rely on it or to keep it hidden? See
> above if you are wondering why I would consider the discussion
> so far to be one that leant towards keeping it hidden.

There are good arguments for and against. So it is a matter of ethics really, and which side you lean on. IMO it is perfectly okay to discuss risks relating to putting the front door key in the flower pot or under the floor rug, but saying so-and-so puts his key at such-and-such a place is just not on.

IMO it is NOT okay to fetch the encrypted password files for a bunch of users without seeking their permission and try to crack them for academic purposes with the undertaking that any cracked password will not be used. This is akin to allowing someone to try a of keys on your front door without your knowledge with the undertaking they will not remove anything from your house if they succeeded. This is an area where two people have three opinions.

If we come back to the topic, why 2148 identifies itself as 2138, it can be as minor as slackness to as grave as systemic problems at the organisation level. Undocumented commands and hidden arguments are a serious breach of security because this was a deliberate action on the part of the programmers. Whatever the reasons are, these impact on the trust issue I spoke about. When Philips will not admit to the existence of methods that you know and can prove exist (by disassembling the boot sector of your part), I cannot see why anyone should admit boot loader code or Philips into their trust domain.

Jaya
Message
Re: LPC2148 identifyed as a LPC2138 ?
2006-01-10 by jayasooriah