[App_rpt-users] toy throwing time?

Bryan D. Boyle bdboyle at bdboyle.com
Mon Sep 12 21:28:49 UTC 2016


hear hear.

Besides, we know what we have now and it's been pretty well gone through.

Can the same be said for the latest and greatest version of Asterisk?

Besides, this isn't managing the launch codes distribution.  Unless (and highly unlikely) it's being used in a primary public safety system...it's AMATEUR radio.

--
Bryan
Sent from my iPhone 6S...No electrons were harmed in the sending of this message.



On Sep 12, 2016, at 16:46, Stephen - K1LNX <k1lnx at k1lnx.net> wrote:

>> I realize keeping up with the Asterisk code base is a lot to ask, but one thing it buys you is security. While it is certainly true that "improvements" do introduce new security holes, a more mature and current Asterisk is more likely to have fewer security holes.
>> 
>> Since many nodes face the public internet, it would certainly be catastrophic if a black hat were to have the ability to knock any public facing AllStar node in the world off the air by exploiting a previously undisclosed vulnerability.  Combining such an exploit with a router exploit to get to private networks of nodes is a real possibility, and there are LOTS of people around the world, including some big players, that invest heavily in having such a toolset ready for when it would benefit them.
>> 
>> Having what is essentially a static code base makes it easier for those folks.  I know that sounds rather paranoid, but just sayin....
> 
> I don't refute that. Security is a real threat and something that everyone should keep fingers on, but I really have to ask myself, if I was so concerned about something being attacked why is it on the internet in the first place? If my box were to get owned, I most likely would discover it in a timely manner and take corrective action anyhow, which would probably involve me laughing at it, wiping the drive, and restoring my configs from backup. This is pure hobby to me, not a mission critical production system. 
> 
> It's no excuse to have any insecure software or protocols running on any platform whatsoever, but I know of no single product in existence that has ever been made 100% bullet proof and secure out of the box, so that leads me to wonder what the real threat vector is here besides the "what if" factor. Believe me, as a security conscious guy who locks down his own servers and gear, I totally get it, but I view app_rpt in a different light because its only existence in life for me is to control a repeater and provide network connectivity to other nodes. 
> 
> All in all, I like things where they are now, and if progress can be made on a newer platform, great, but otherwise the work others have done to this point on it has been phenomenal and I am in 100% support and appreciative of it. 
> 
> 73
> Stephen 
> K1LNX
> 
> 
>> On Mon, Sep 12, 2016 at 1:04 PM, Willem Schreuder <willem at prinmath.com> wrote:
>> On Mon, 12 Sep 2016, Stephen - K1LNX wrote:
>> 
>>> What exactly does it gain for us?
>> 
>> I realize keeping up with the Asterisk code base is a lot to ask, but one thing it buys you is security. While it is certainly true that "improvements" do introduce new security holes, a more mature and current Asterisk is more likely to have fewer security holes.
>> 
>> Since many nodes face the public internet, it would certainly be catastrophic if a black hat were to have the ability to knock any public facing AllStar node in the world off the air by exploiting a previously undisclosed vulnerability.  Combining such an exploit with a router exploit to get to private networks of nodes is a real possibility, and there are LOTS of people around the world, including some big players, that invest heavily in having such a toolset ready for when it would benefit them.
>> 
>> Having what is essentially a static code base makes it easier for those folks.  I know that sounds rather paranoid, but just sayin....
>> 
>> 73 -Willem AC0KQ