[VOIPSEC] An issue of trust?

Andre Fucs de Miranda afucs-listas at mandicmail.com
Sun Jun 18 16:10:01 CDT 2006


Shawn,

> Stated plainly:  Software security bugs exist in products.  Some get
> fixed, some don't.   Features add into products to improve security
> may actually well expose the product and network to increased risk of
> compromise.  This is something that I'm sure we can all agree on.

I would agree but remark that ANY FEATURE, and not only security features,
tends to increase your security exposure. But this is not related to security
features but to software reliability and quality. What you say sounds more
like a sophism than actual reasoning. :-)

> The Release Notes for Cisco uBR10012 - Cisco IOS Release 12.3
> BC indicate several CALEA related bugs of interest:

Already expected since CALEA is a "new feature". Points us to the same aspect
of software quality. I usually don't agree that much with Marcus Ranum but he
has a nice point of view about this.

http://www.ranum.com/security/computer_security/editorials/dumb/
[#3) Penetrate and Patch]

> One may think that admin (level 15) access on a LI enabled IOS box has
> all privileges this document seems to indicate otherwise:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part30/hclivws.htm
>
> .....snip.....
>
> Commands available in lawful intercept view belong to one of the
> following categories:
>
> •Lawful intercept commands that should not be made available to any
> other view or privilege level
> •CLI views that are useful for lawful intercept users but do not have
> to be excluded from other views or privilege levels
>
> Troubleshooting Tips
>
> To display information for all users who have access to a lawful
> intercept view, issue the show users lawful-intercept command. (This
> command is available only to authorized lawful intercept view users.)
>
> ........./snip........

To me it sounds just like a separation of duties issue. Unix systems are a good
school for us to understand that the administrator isn't a supernatural
person and should have limited powers.

An admin is not supposed to use LI commands unless allowed to, am I wrong?

Separation of duties is just a basic security principle. Am I missing the
point, or do you not agree with that?

> Just something to think about as we all move towards a better
> understanding of "security"

Shawn, that's for sure! :-)

--
Andre Fucs
http://www.fucs.org/
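The separation the quoted Cisco text describes (commands that only a lawful intercept view may run, plus shared commands that other levels may also hold) can be modelled as two independent authorization checks. The following is an added example written for this page, not code from the thread and not a description of how Cisco IOS implements CLI views; the user names, view name, command sets and privilege-level contents are all constructed for the illustration, and `li-configure` is a hypothetical command name.

```python
"""Toy model of view-based command authorization with separation of duties.

Added illustration, not Cisco code. Shows why full administrative privilege
(level 15) does not imply access to commands reserved for a named view, and
records denied attempts so that a defender can review them.
"""
from dataclasses import dataclass, field

# Commands authorized ONLY by membership in the lawful-intercept view.
# Privilege level is deliberately ignored for these (constructed set).
LI_ONLY_COMMANDS = {
    "show users lawful-intercept",
    "li-configure",  # hypothetical command name, used for illustration only
}

# Commands useful to LI users that may also be held by ordinary levels.
SHARED_COMMANDS = {"show version", "show interfaces"}

# What each privilege level grants on its own (constructed, not IOS defaults).
PRIVILEGE_COMMANDS = {
    1: {"show version"},
    15: {"show version", "show interfaces", "configure terminal", "reload"},
}

LI_VIEW = "lawful-intercept"


@dataclass
class User:
    name: str
    privilege: int
    views: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


# Denied attempts are kept here; in practice this would go to a syslog/AAA sink.
AUDIT_LOG: list = []


def authorize(user: User, command: str) -> Decision:
    """Decide whether `user` may run `command`.

    Check 1: LI-only commands are decided solely by view membership.
    Check 2: everything else is decided by privilege level, or by a view
             that carries the (shared) command.
    Every denial is appended to AUDIT_LOG with the reason.
    """
    if command in LI_ONLY_COMMANDS:
        if LI_VIEW in user.views:
            return Decision(True, "member of lawful-intercept view")
        decision = Decision(False, "LI-only command; privilege level not consulted")
    elif command in PRIVILEGE_COMMANDS.get(user.privilege, set()):
        return Decision(True, f"granted by privilege level {user.privilege}")
    elif LI_VIEW in user.views and command in SHARED_COMMANDS:
        return Decision(True, "shared command carried by lawful-intercept view")
    else:
        decision = Decision(False, "not granted by level or view")

    AUDIT_LOG.append((user.name, command, decision.reason))
    return decision


def show_li_users(caller: User, users: list) -> list:
    """Model of 'show users lawful-intercept': list view members, but only
    for a caller who is itself authorized for that command."""
    verdict = authorize(caller, "show users lawful-intercept")
    if not verdict.allowed:
        raise PermissionError(verdict.reason)
    return sorted(u.name for u in users if LI_VIEW in u.views)


if __name__ == "__main__":
    admin = User("netadmin", 15)                      # full level-15 operator
    officer = User("li-officer", 1, {LI_VIEW})        # low level, LI view member
    for who, cmd in [(admin, "reload"), (admin, "show users lawful-intercept"),
                     (officer, "show users lawful-intercept"), (officer, "reload")]:
        d = authorize(who, cmd)
        print(f"{who.name:10} {cmd:30} {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
    print("denied attempts logged:", len(AUDIT_LOG))
```

The point the model makes is the one in the quoted documentation: the level-15 administrator can reload the box but is refused the LI command, the LI view member can run LI commands without holding level 15, and each refusal leaves an audit record that an operator can watch for.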
