More on Last Year's Cisco Source Code Theft
grazzy writes "The New York Times has a story about last year's theft of Cisco source code:
The incident seemed alarming enough: a breach of a Cisco Systems network in which an intruder seized programming instructions for many of the computers that control the flow of the Internet. "
Did they steal the editor too? (Score:3, Funny)
Re:Did they steal the editor too? (Score:2)
Yup....and I wrote daddypants and everything.
Asleep at the switch.
Re:Did they steal the editor too? (Score:2, Funny)
A chef with a lisp?
Re:Did they steal the editor too? (Score:2)
[OT] Re:Did they steal the editor too? (Score:5, Informative)
You expect these things when someone begins a sentence 'More on'
One of my English profs explained the importance of thinking through sentence structure so as not to be phonetically or grammatically careless, e.g. 'Me and Jim went to the arcade', as it could sound like 'Mean Jim went to the arcade'; proper grammar is 'Jim and I went to the arcade.'
Thus endeth today's grammar report.
Re:[OT] Re:Did they steal the editor too? (Score:5, Funny)
Proper grammer is admirable, but it's no substitute for careful enunciation.
Re:[OT] Re:Did they steal the editor too? (Score:2)
Brains? Who needs 'em?
This is
Re:Did they steal the editor too? (Score:5, Funny)
Stakkato (Score:3, Interesting)
so now the hunt is on for the elusive stakkato...
cmdr taco (Score:4, Funny)
Re:cmdr taco (Score:2)
Yo, homey! What up? What it is? Run it down! Whaaaas zappening, bro?
But on 24 they said cisco networks were (Score:4, Funny)
Re:But on 24 they said cisco networks were (Score:2)
I haven't seen the episode you talk about, but aircraft that don't have RADAR aren't completely without RADAR information. Another aircraft (AWACS) can gather very detailed information and feed that (along with other supporting data) into a ground-based processing center. At that point, data is aggregated and filtered to show pertinent info. That data can be uploaded via secure link to an aircraft trying to hide by not using active RADAR.
In fact, not using active RADAR is fairly common.
Question for an expert... (Score:5, Interesting)
Re:Question for an expert... (Score:5, Funny)
Re:Question for an expert... (Score:5, Insightful)
Re:Question for an expert... (Score:2)
Re:Question for an expert... (Score:2)
Re:Question for an expert... (Score:3, Insightful)
1) Cisco IOS does not run the *whole* Internet. Different IOS versions apply as well.
2) Revealed source code != massive untapped exploits.
3) IOS doesn't have an execution environment with "open" interfaces like a desktop OS. Routers don't execute transport data or routing data. This means no script kiddies. There are of course other ways to crash a router.
4) IOS is mature and (obviously) well tested. People have been throwing all sorts of strange things at Cisco routers for a long ti
Re:Question for an expert... (Score:3, Insightful)
I kinda wonder about this sometimes. As a for instance, here [cisco.com] is an excellent example of how to write an SMTP client in the TCL shell included in recent IOS versions. Of course, getting the shell to start out with is left as an exercise to the reader, but routers operate more and more he
Re:Question for an expert... (Score:2)
Re:Question for an expert... (Score:2)
It runs enough of the backbones to cause very serious problems if it is compromised.
2) Revealed source code != massive untapped exploits.
I wouldn't want to count on that. It's possible that their code is perfect, but....
3) IOS doesn't have an execution environment with "open" interfaces like a desktop OS. Routers don't execute transport data or routing data. This means no script kiddies. There are of course ot
Re:Question for an expert... (Score:2)
The strength (and flaws) of the internet come from the versatile equipment used in creating it. Most operators have their own device setup they're familiar with.
Not everything runs with cisco, though they would probably want it that way. (ca-ching)
The hardware in question isn't your average linux/bsd router, so you can't just whip up an exploit with an x86 compiler and push it in.
Since the system
Re:Question for an expert... (Score:3, Informative)
They used stolen passwords gathered from other hacked machines by using trojaned sshds.
Says so in TFA.
Re:Question for an expert... (Score:2)
Let me ask...
What do your providers use? How about your provider's providers?
Thought so.
Re:Question for an expert... (Score:2)
I should have put something about PAM in there.
Re:Question for an expert... (Score:3, Interesting)
If somebody did something like that, it could basically bring the majority of the internet to a grinding halt. By anybody's book, this is a bad thing. Indeed, that's why I've been saying for so many years
Re:Question for an expert... (Score:2)
Yes, it would be a different attack, but the results could be just as bad.
Re:Question for an expert... (Score:3, Insightful)
IMHO, there are two models that work: tight security on source code and open source, the former because black hats have fewer tools to find security holes, the latter because the white hats vastly outnumber the black hats. Closed sou
Re:Question for an expert... (Score:2)
Well, I took the first two of the CCNA series so far without it costing ME anything, since I go to City College of San Francisco on a Pell Grant AND get a Board of Governors Fee Waiver as well...
Well, it did cost me the textbook - which is not cheap, either...
Haven't decided yet whether to take the last two courses, since I doubt I'll be doing much WAN router configuration for big corporations. Not to mention the rest of the Cisco training - I have no intention of being a CCIE.
Missing (Score:2, Redundant)
Comment removed (Score:3, Funny)
Re:Heh (Score:2)
Not according to the Spam in my inbox.
Re:Heh (Score:2)
It's not how broad you make it, it's how you make it long-lasting...
Oh, never mind, this is
Doesn't make sense (Score:4, Interesting)
Re:Doesn't make sense (Score:3, Interesting)
Re:Doesn't make sense (Score:3, Interesting)
Re:Doesn't make sense (Score:3, Interesting)
Re:Doesn't make sense (Score:2)
Meanwhile, people are still coming up with amusing weaknesses! Here's one that merely requires stealing the user's token for a week without their knowledge, and having
Re:Doesn't make sense (Score:3, Insightful)
Re:Doesn't make sense (Score:5, Interesting)
I don't know how Cisco has their stuff set up, but it's easy to imagine such a breach playing out:
While an attacker would need a fairly deep understanding of the software infrastructure he is attacking and of the usage habits of the users there to pull this off, the same basic strategy is applicable to UNIX, Windows, anything. I remember reading several years ago that the break-ins at Exodus and VA Linux happened this way.
We're only used to the stuff we hear about not doing any real damage, because it's all dumb worms running without anyone at the controls. Just because we can fend off that stuff doesn't mean that someone with determination, knowledge, and patience won't get in and stay in.
Timing.. (Score:5, Interesting)
Just in time for major articles about how bad Cisco's security was that they had some source code stolen.
And people wonder why I don't watch television. Sad..just sad.
Re:Timing.. (Score:3, Insightful)
Re:Timing.. (Score:2)
Re:Timing.. (Score:5, Funny)
So this vision of 24 came to you in a fever dream then?
Re:Timing.. (Score:2, Insightful)
Obviously, you do watch television.
Re:Timing.. (Score:2)
My wife kept looking at me to watch my reaction to the on-screen stupidity and eventually said that she'd never actually heard anyone roll their eyes before.
hackiis6's 18yr old rule should be tossed out. (Score:2, Informative)
Alarming ? (Score:5, Insightful)
Why alarming ? The internet is still up and running since that last years theft.
(I guess it should be read last year's)
Sensational breaking news!
The programming instructions of Linux and Free/Net/OpenBSD, which run many big corporations' servers, are available to the sight of anybody! That's alarming!
Re:Alarming ? (Score:3, Interesting)
Re:Alarming ? (Score:2)
Programming instructions? In the popular press (at least in Sweden), stolen source code is referred to as source codes and in such a way that it sounds like stolen passwords.
Wren Montgomery (Score:3, Insightful)
Re:Wren Montgomery (Score:2, Funny)
Re:WHAT!!! she is NOT, i repeat NOT, *hot* (Score:2)
Hey, I usually try not to judge people by photos, but she seemed pretty cute in the NYTimes photo. And she's probably smart. Just accept that some people could find her hot, but apparently not you. :)
Re:WHAT!!! she is NOT, i repeat NOT, *hot* (Score:2)
Re:Wren Montgomery (Score:2, Insightful)
And anyway, since when does etiquette play into the considerations of teenage vandals of any kind?
Re:Wren Montgomery (Score:3, Insightful)
RTFA (Score:4, Informative)
Anm
Re:RTFA (Score:2)
If I was this guy and got called a "quaint hacker" (is that anything like the "quaint Geneva Convention"?) by some asshole sys admin, I'd fry his whole system...
Re:Wren Montgomery (Score:2)
Contradiction? (Score:5, Insightful)
Re:Contradiction? Sorta. (Score:3, Interesting)
As odd as it sounds, both are correct. A sophisticated intruder could compromise security with the stolen code. Or not.
But for the sake of argument, suppose they do find flaws in Cisco's code. An exploit shows up on rootkit.org or someplace. It should be apparent from the exploit which flaws they're using, and so Cisco cleans up the flaw. In the long run, customers are actually safer.
It's sort of a backasswards way to open source your code.
Thef (Score:4, Interesting)
Re:Thef (Score:5, Funny)
Re:Thef (Score:5, Interesting)
50% Interesting
20% Troll
20% Redundant
Where's another post running a time analysis of Slashdot editing? Even given Slashdot's absence of features to prevent comment redundancy, isn't a chorus of "not again!" appropriate? And how is my coherent, accurate comment, which I haven't seen before, a "Troll"?
Perhaps this comment is just the criticism uberpost, destined to point out all the serious flaws in Slashdot's publishing system model. If so, here's some constructive suggestions for fixing it:
Re:Thef (Score:2, Offtopic)
They use Windows. (C'mon, where do you think all the Windows trolls here come from and why are all Windows trolls modded up?)
And haven't figured out how to use the spellchecker since it's on a menu, not an icon (on the desktop.)
I get the very uneasy feeling... (Score:5, Insightful)
Scary...
It's like having mice (Score:2)
It's the SMART mice eating the food in your cupboard and breeding in the walls that you don't see you have to be concerned with.
The same comments apply to serial killers. The dumb ones get caught, the smart ones are scary.
Re:It's like having mice (Score:2)
In a former living quarters (too disgusting to describe), I'm laying on my bed and I look over and see this mouse come out a hole in the wall next to my bed, ignore me, walk down the wall, turn the corner into the bathroom.
"Okay, smart ass, I got your ignore right here!", says I.
I take out a glue trap, put it right at the corner to the bathroom.
Sure enough, five minutes later, El Stupido comes waltzing around the corner following his nose whiskers as
Re:I get the very uneasy feeling... (Score:2)
Careful now - let's not invite JonKatz back into the picture...
Seriously, what's the problem? (Score:5, Insightful)
If you actually read the article, the exploit was no big deal either; some guy just distributed a trojan'd SSH client to a bunch of people and collected their passwords and then ran a bunch of rootkits. Nothing to see here.
Re:Seriously, what's the problem? (Score:2)
Cisco doesn't have to worry in the same way as no one else can see their code. There's less incentive to fix known potential holes and less incentive for Cisco to search the code for potential exploits.
Except....
So, yes. I'd be very surprised if Cisco routers
Cisco VPN Client (Score:2, Interesting)
Re:Cisco VPN Client (Score:2)
I remember using version 4 on WinXP and hitting connect instantly rebooted my system.
Great joerb!
Catastrophic apostrophic (Score:4, Informative)
Re:Catastrophic apostrophic (Score:2)
A theft in the last years of Cisco.
Sounds right to me.
This is actually kinda funny (Score:5, Interesting)
So in this sense, the script kiddies of the Internet are kinda like an early warning system: it's almost certain that before someone with serious intentions finds a nasty flaw and uses it, it'll be discovered by some kid who will promptly boast about it on IRC.
How lucky we are that terrorists find themselves vastly outnumbered by people with too much free time on their hands!
More Source Code stolen for Routers (Score:2, Funny)
not just Cisco! (Score:5, Funny)
Just wait until these guys see apache.org
John Markoff (Score:5, Informative)
His articles were full of lies and exaggerations back then so I would take this article with a grain of salt as well.
Re:John Markoff (Score:2)
Re:John Markoff (Score:2)
Kevin, we have a deadline, and you don't have time to be playing on
-- your boss
Re:John Markoff (Score:2)
Or did you mean this in the ebonics sense:
"You mean Mitnick isn't a-lying, sleazeball?"
(If I see this "Slow down, Cowboy" POS one more time, I'm gonna fill the fucktard who wrote that code full of 9mm hollowpoints. For an outfit that
Best thing about source code leak (Score:2)
Hopefully that will motivate someone to build an IOS clone on an OpenBSD or NetBSD subsystem for multiple architectures...
mmmmmmmm IOS source code *drool*
Re:Best thing about source code leak (Score:2)
Since IOS seems to consist of a brain-damaged circa-1965 UNIX clone with a command-line only a router engineer could love, I'd say it shouldn't be too difficult to implement it after taking a one-semester course in BASIC...
Their machines are basically 33MHz 486's with 8 or 16 MB of RAM, some interface chips and some ASICs.
If it wasn't for the ASIC chips, Cisco would have been out of business years ago.
I wouldn't believe everything in this story. (Score:3, Interesting)
Don't confuse this story with independent journalism; Markoff is out to make a mint here, however he can.
Markoff reportedly was pissed off at Kevin Mitnick for spurning a movie deal, and later set himself up to write "the Kevin Mitnick story", earning over a million dollars in the process.
Here's a link: http://www.labmistress.com/kevins_story.php [labmistress.com]
So one really has to wonder what the Truth is here, and whether Markoff is just trying to screw over some teenage kid in Europe in order to make another million off of it.
So I'd take anything that John Markoff has to say with a LARGE grain of salt. The same goes for the New York Times, which has officially encouraged this practice.
The real truth is probably out there; but I wouldn't expect to hear it from either John Markoff or the NY Times.
We got hit. (Score:5, Interesting)
One day later, I'm on another lab machine using my lab
Because our machines are pretty isolated and don't have any hint of financial stuff, he seemed to just drop it. I called the sysadmin at Stanford; it turned out that on a machine with over 500 accounts (I won't say which department), the machine had been rooted about 2 months prior and every password was being captured during that time. The breakin was tracked back through a couple of departments, then back to University of Michigan, then to Uppsala.
Three valuable and perhaps obvious lessons here. Local privilege escalation exploits are important even if your system has very few users. Keep your system patched (duh...), and remember, if you log onto your machine from another, ask yourself "What do I know about the integrity of this machine?". I really assumed that my Stanford account was pretty secure and so I didn't even think about logging from that machine to my current one. No more.
The other interesting thing was that the local exploit used on my machines was announced well after the Stanford machine was hit. I don't think I ever heard of how that machine was compromised.
Re:We got hit. (Score:5, Informative)
It was probably dobrk; that was one of the vulnerabilities the attacker(s) used last year to root systems.
See http://xforce.iss.net/xforce/xfdb/13880 [iss.net] (this was the 1st google link I saw, there are probably others with better information but I'm lazy).
Re:We got hit. (Score:2)
Remember, if you log onto your machine from another, ask yourself "What do I know about the integrity of this machine?". I really assumed that my Stanford account was pretty secure and so I didn't even think about logging from that machine to my current one.
The key principle is that security is not inherently symmetrical between an
Re:We got hit. (Score:4, Insightful)
I have seen several incidents where the former pattern was used and it resulted in a compromise of the user's password. The lab where I work has gone to 2 factor authentication to make exploiting this pattern more difficult, but with session hijacking, it is nearly impossible to eliminate.
I also want to point something out to those that have been criticizing Cisco's network security. The failure wasn't on the Cisco side of things. The actual security breach happened on a network 1 or more hops away from the Cisco network. As far as Cisco was concerned, a legitimate network transaction was happening. Someone with valid credentials logged on to the system, and until they do something out of the ordinary (install a root kit, scan the network, etc...) they are virtually undetectable, as they don't differ from normal valid network usage.
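The post above notes that a login with valid stolen credentials looks like normal usage. One defender's check that still has traction is a per-account source baseline: flag the first login of an account from an untrusted host, and flag any untrusted host that reaches several accounts (the signature of one compromised hop replaying many captured passwords). This is an added example, not code from any poster here; the log lines, host names and trusted prefix are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real data). The format follows the
# common OpenSSH syslog message "Accepted <method> for <user> from <ip> port <n> ssh2".
SAMPLE_LOG = """\
Jan 10 08:01:12 buildhost sshd[2301]: Accepted password for alice from 10.0.5.20 port 50122 ssh2
Jan 10 08:05:40 buildhost sshd[2355]: Accepted password for bob from 10.0.5.21 port 50190 ssh2
Jan 11 09:12:03 buildhost sshd[3107]: Accepted password for alice from 10.0.5.20 port 51001 ssh2
Jan 12 22:47:55 buildhost sshd[4411]: Accepted password for alice from 192.0.2.77 port 40311 ssh2
Jan 12 22:49:02 buildhost sshd[4420]: Failed password for carol from 192.0.2.77 port 40320 ssh2
Jan 13 03:15:30 buildhost sshd[4602]: Accepted password for bob from 192.0.2.77 port 40400 ssh2
"""

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+sshd\[\d+\]:\s+Accepted\s+\w+\s+for\s+"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)

def parse_accepted(lines):
    """Yield (timestamp, user, source) for each successful login line."""
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("src")

def find_anomalies(lines, trusted_prefixes=("10.0.5.",), fanout_threshold=2):
    """Return (new_source_alerts, fanout_alerts).

    new_source_alerts: logins where the account had not been seen from that
    source before and the source lies outside the trusted prefixes.
    fanout_alerts: untrusted sources that logged into >= fanout_threshold
    distinct accounts, i.e. one hop using many captured passwords.
    """
    seen = defaultdict(set)          # user -> sources already observed
    users_by_src = defaultdict(set)  # untrusted source -> accounts reached
    new_source_alerts = []
    for ts, user, src in parse_accepted(lines):
        trusted = src.startswith(trusted_prefixes)
        if not trusted:
            if src not in seen[user]:
                new_source_alerts.append((ts, user, src))
            users_by_src[src].add(user)
        seen[user].add(src)
    fanout_alerts = {src: sorted(users) for src, users in users_by_src.items()
                     if len(users) >= fanout_threshold}
    return new_source_alerts, fanout_alerts

if __name__ == "__main__":
    alerts, fanout = find_anomalies(SAMPLE_LOG.splitlines())
    for ts, user, src in alerts:
        print(f"{ts}: first login of {user} from untrusted {src}")
    for src, users in fanout.items():
        print(f"{src} reached {len(users)} accounts: {', '.join(users)}")
```

On the constructed input the two logins from 192.0.2.77 are each flagged as a new source, and the host itself is flagged for reaching two accounts.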
More Info (Score:2)
Books on how to hack Cisco routers (Score:2)
Re:Books on how to hack Cisco routers (Score:3, Funny)
Yes, I'm shocked anybody thinks a CCNA can control a Cisco router...
Re:Did anyone parse that as... (Score:2)
Re:Did anyone parse that as... (Score:2)
And here's [photobucket.com] Dangerous Andy about to do a number on him!
Hmmm... (Score:2)
Their systems were broken into, and the code in question was taken without permission. Yes, it was stolen, and this was theft. There's a difference between this and downloading songoftheday.mp3 from a perfectly willing uploader. In this case, the person you are copying/taking the file from is willing; it's a third party that is being "infringed" upon. Now if you hacked the RIAA servers, found a cache of mp3's - perhaps for some unreleased CD's or whatever - and downloaded them to your hom
Re:It's not theft! (Score:5, Informative)
I know you're trying to be funny, but I think you're missing something basic. The reason this is "theft" and not "infringement" is because the intruder made a copy of something not generally released. (the source code).
In the music world, if someone buys an album, and gives copies to his or her friends, he is violating the artist's right to control copies (i.e. their "copyright"). If that same person hacks into the artist's recording studio, and downloads unreleased tracks, the artist has had those tracks stolen. It is a "theft".
Re:It's not theft! (Score:2)
Well, I'm not a lawyer, but here's how I see it:
If there is value to a secret, and that secret is compromised, then you have deprived the secret's owner of the secret's value.
If I'm an author, and while I'm writing the highly anticipated sequel to a book, someone breaks into my house, reads the surprise ending, and then broadcasts it to the world, they have stolen. If they make Xeroxes of the last chapter, and then hand those out, t
Re:open code is good, right? (Score:2)
That's why you're on
Re:open code is good, right? (Score:2)
A) It's better to assume your code is open than to assume your code is closed; see "Security Through Obscurity;"
B) Code that is engineered from day 1 to assume it's open is less likely to have
/*
* Here, we assume that nobody knows that you can
* use 'feeb' as the alternate enable password
*/
Therefore, the fact that anyone can see the source code for Linux, Apache, and PHP isn't a big issue, but the fact that someone could see the source code for Cisco