Lpc2000

At 09:35 AM 1/10/06 +0000, jayasooriah wrote:
>--- In lpc2000@yahoogroups.com, Robert Adsett <subscriptions@a...> wrote:
>
> > I would have thought that was obvious.  It shows it can be
> > done.  There is  something to be said for the courtesy of
> > informing Philips before doing so but most security
> > vulnerabilities appear to have only been addressed when
> > the holes are demonstrated, not just talked about.
>
>Things come out in the public domain when one party wants to take the
>other party out (usually egged by a competitor) to manipulate the
>market.

Well, that's one motivation.  Public service and reputation are others.

> > Of course in some parts of the world it may now be questionable
> > as to whether it is legal to perform any research on this question
> > so some people may not want to take that risk...
>
>Precisely my point.

It is?  I missed that completely then.  BTW, if it wasn't obvious I think 
banning research on security flaws is somewhere between pointless and 
self-defeating.

>
> > If there is a security hole is it more responsible to expose
> > it before more people rely on it or to keep it hidden?  See
> > above if you are wondering why I would consider the discussion
> > so far to be one that leant towards keeping it hidden.
>
>There are good arguments for and against.  So it is a matter of ethics
>really, and which side you lean on.
>
>IMO it perfectly okay to discuss risks relating to is to putting the
>front door key in the flower pot or under the floor rug but saying
>so-and-so puts his key at such-and-such a place is just not on.

Fair enough, but the analogy may be better put as showing whether a certain 
brand of lock  is easily bypassed.  In that case I don't think there is an 
ethical breach in demonstrating the flaw, indeed it strikes me more as a 
consumer service.  Now if you then go ahead and publish which neighbours 
are using that as the front door lock you have another issue entirely.

>IMO it is NOT okay to fetch the encrypted password files for a bunch
>of users without seeking their permission and and trying crack it for
>academic purposes with the undertaking that any cracked password will
>not be used.

I won't disagree with you on that.

>If we come back to the topic, why 2148 identifies itself as 2138, it
>can be as minor as slackness to as grave as systemic problems at the
>organisation level.

Indeed.

>Undocumented commands and hidden arguments is a serious breach of
>security because this was a deliberate action on the part of the
>programmers.

Security yes, although in the case of the 2104/5/6 that's rather a moot 
point.  The question will be how much of that was redone and to what effect.

I also agree that security through obscurity isn't.

>Watever the reasons are, these impact on the trust issue I spoke
>about.  When Philips will not admit to the existence of methods that
>you know and can prove exist (by disassembling boot sector of your
>part), I cannot why anone should admit boot loader code or Philips
>into their trust domain.

Maybe they are looking for the moral equivalent of a child lock?  Not 
something to protect against a concerted attempt, just something to 
indicate that you consider the internals proprietary.

Robert

" 'Freedom' has no meaning of itself.  There are always restrictions,   be 
they legal, genetic, or physical.  If you don't believe me, try to chew a 
radio signal. "  -- Kelvin Throop, III
http://www.aeolusdevelopment.com/