Possible Cisco Source Code Theft
OmegaBlac writes "According to Ars Technica, a Russian security site is claiming that Cisco's corporate network was compromised and about 800MB of Cisco's source code for IOS Operating System version 12.3 was stolen. I guess Cisco forgot to implement their own Self Defending Network solutions."
Stolen from the #1 Security Company? (Score:5, Insightful)
If true, this could cause big problems not only for Cisco, but for the entire Internet. Cisco routers are responsible for routing much of the Internet's traffic, and the company has long practiced a policy of "security through obscurity."
We're all screwed.
Re:Stolen from the #1 Security Company? (Score:2)
Re:Stolen from the #1 Security Company? (Score:5, Insightful)
I think Cisco is working to change their security stance, but that takes time and lots of money. The money part they have covered: Cisco has an over 3 billion dollar R/D budget and if I remember correctly 2 billion of that is focused on security right now.
Re:Stolen from the #1 Security Company? (Score:3, Informative)
Not really... every version of Cisco IOS since 6 has been leaked. The first time I've seen IOS source was probably 6-7 years ago. I'm not even sure why this is news.
Closed source vs Open source (Score:5, Insightful)
Open source however, by virtue of it being free (as in Iraq hehe), is worthless. Support contracts are a lot harder to steal
Let's not forget that open source provides robust security (in principle) whereas for closed source we can never be sure.
Why do we still use so much closed source stuff
Simon.
Re:Closed source vs Open source (Score:1, Insightful)
Re:Closed source vs Open source (Score:1, Interesting)
Re:Closed source vs Open source (Score:2)
Oh, no you didn't. Now IT'S ON.
Re:Closed source vs Open source (Score:1)
Re:Open source safer ?? doubtful (Score:5, Insightful)
Software is only secure when specific security tests are performed against it. Almost no one does much of this, or even understands it well. I doubt that in 1000 readers, more than 5 could recite the top 5, never mind the top 20 tests you must perform.
Open source is also not inherently better at security because it must be peer reviewed. If the reviewer doesn't know what to check, then what is the point of the review?
Software must be security certified by professionals, whether open or otherwise.
Re:Open source safer ?? doubtful (Score:2, Interesting)
Care to share what those tests are?
Re:Open source safer ?? doubtful (Score:2)
Actually, Cisco Certification is probably one of the very few certifications that I will trust.
It ain't your typical MCSC / crackerjack box certification process.
Re:Open source safer ?? doubtful (Score:3, Interesting)
My company sent me to an NT class once that was part of an MCSE track. The instructor was an absolute moron, and the MCSE-track students even worse. One student was *bragging* that he had spent 'only' about $18k so far. He immediately followed up lamenting about having to finish within the next month, thoug
Re:"Granted, though, this is more true for CCNP/CC (Score:2)
During the two-day t
Re:Closed source vs Open source (Score:2)
Re:Closed source vs Open source (Score:1, Insightful)
Not just possible, truthful (Score:5, Funny)
I can't help much see a nearby future full of Cisco-powered site takeovers
Re:Not just possible, truthful (Score:1, Interesting)
Oh Really? No. (Score:5, Funny)
Or, to paraphrase... (Score:4, Funny)
Translation: Accept information only from Official Sources(tm).
Any reports, of any event, not vetted by Your Official Corporate Public Relations Officer(tm) isn't real and has no validity.
Do not accept word of mouth. Healthy skepticism is not sufficient (for the facts may speak for themselves and undermine Our Official Position(tm)); you are to ignore any anecdotes, any word of mouth reporting, completely and utterly.
Indeed, you shall respond to any unofficial information with disparagement and hostility, as is your duty as a drone Consumer(tm).
Accept the Party Line. It is the Truth(tm), all else is Heresy.
Thank you.
Your Cisco Security.
("Stooges R Us")
Full text translation (Score:5, Funny)
SecurityLab, 13 2004 CISCO IOS 12.3, 12.3t, CISCO. 800
, - Cisco System. Cisco System
franz #darknet@EFnet IRC ( 2.5 )
100 ipv6_tcp.c ipv6_discovery_test.c.
Hope that helps!
Re:Full text translation (Score:4, Informative)
Here is word-to-word translation (English is not my mother tongue):
Source code leak was made possible because of Cisco's corporate network compromise. Cisco gave no official comments yet.
Someone known as franz at IRC channel #darknet@EFnet showed a small part of stolen code as the proof.
First 100 lines of source files ipv6_tcp.c and ipv6_discovery_test.c are listed below.
wouldn't surprise me (Score:3, Interesting)
Thank God .. (Score:3, Funny)
IOS OS (Score:2)
Re:IOS OS (Score:1)
Re:IOS OS (Score:5, Insightful)
Leaked code is very dangerous to open source software.
Re:IOS OS (Score:5, Insightful)
Copyright-protected code is obviously not allowed, but as long as there's a way of implementing the same thing in a different manner (always assuming that European s/w patents don't get ratified) I fail to see any issue in understanding how some other piece of software works.
The whole SCO debacle has done more than just piss everyone off, there's been a remarkable amount of reticence to learn from code that isn't Free. By that very logic authors shouldn't be allowed to read books and composers should be banned from listening to music.
--
This has been a scatterbrained post on behalf of the Poorly Thought-out Argument Party
Re:IOS OS (Score:3, Interesting)
Re:IOS OS (Score:2)
Stolen...? (Score:3, Interesting)
Re:Stolen...? (Score:2)
Music? Design plans?
Information in a book?
etc
Re:Stolen...? (Score:4, Funny)
Re:Stolen...? (Score:1)
Re:Stolen...? (Score:2, Insightful)
This is different from calling illegal file sharing "stealing", where the information being appropriated has already been openly published. An illicit activity is taking place, and it may (indirectly) eco
Losing secret status as result of others' actions (Score:2)
It's different from other IP, because it's not published; it's a trade secret. Music files, binary executables, etc., aren't kept secret.
When someone reveals a secret, it's no longer a secret, so its secret-virginity has been lost; since being lost is a result of someone else's actions, there is good reason to call it "stealing."
Re:Stolen...? (Score:5, Insightful)
How can you have identity theft if you are still you?
Phillip.
Re:Stolen...? (Score:2)
Try signing your name X next time and you could steal my identity.
Re:Stolen...? (Score:2)
Yeah, and how can you steal a kiss? Oh, wait... this is Slashdot. Nobody can steal a kiss anyway.
Re:Stolen...? (Score:2)
Re:Stolen...? (Score:2)
Intellectual property theft (Score:3)
Why Slashbots continue to be hung up on the use of this simple word which describes a simple violation of the law amazes me. Anything to argue, I guess. Or remove the stigma of "thief" from an online pirate (which is the topic where this argument comes from).
Re:Intellectual property theft (Score:2)
Because it's a guaranteed "+5 Informative".
Re:Intellectual property theft (Score:2)
When the FBI raided those computer networks for the Half-Life 2 source code, they were raiding for intellectual property theft.
Yes, it is theft--both legally, logically, and ethically. Go ahead and justify your piracy though.
This has happened before (Score:5, Interesting)
IOS 11.3 source is definitely in the wild - I think there is a copy of it around here somewhere. I've contacted Cisco on it and they're so excited they can't even get someone from law enforcement to come and talk to me about the information on the guy who sent it to me.
11.3 is ancient history, but 12.3 is bad bad bad
Re:This has happened before (Score:1, Funny)
If you leave your mailing address I'll send you a postcard when it does.
Re:This has happened before (Score:2, Interesting)
Re:This has happened before (Score:5, Insightful)
Re:This has happened before (Score:3, Funny)
I'm not trying to break the encryption. I'm just looking at the ciphertext, and reading my own stuff into it. :)
Who do you work for? (Score:2)
Sounds like the words of a Cisco employee to me..
Re:This has happened before (Score:2)
Of course, you're assuming you've provided something special. Something unique. Knowledge of code "in the wild" that Cisco's representatives don't already know about.
Your sig (Score:2)
"Slashdot: the bitter truth" indeed.
Re:This has happened before (Score:3, Insightful)
Re:This has happened before (Score:2)
Having deployed Cisco boxes for about the last six years I have some idea of the pace of new releases
Re:This has happened before (Score:2)
Because developers hate to sneakernet before doing cvs update?
Time for a new motto (Score:2, Offtopic)
Re:Time for a new motto (Score:5, Funny)
WARNING copyrighted source samples ahead! (Score:5, Interesting)
The Russian site contains samples of the source claimed stolen!
If these are authentic (which I personally begin to doubt more and more) then looking at them may be problematic if you ever intend on working on IPv6 stacks from someone other than Cisco. (OpenBSD?)
Now I did have a peek at that code and I can tell it looks very fake (Obviously *don't* take my word for it and think it's safe to ignore my warning!)
Also at the forum of the .ru site there is a post from someone who claims the word on the IRC channel on which the story originates is that this is a fake.... But I am not touching that channel.
Re:WARNING copyrighted source samples ahead! (Score:3, Insightful)
IOS does interact with the user through a terminal session so printfs aren't all that unlikely.
Of course they ought not to be in the IPv6 stack. Unless they populate packets as formatted strings.
Re:WARNING copyrighted source samples ahead! (Score:2)
It would make more sense to use a sprintf, or even more sense to use a stack-safe function...
Re:WARNING copyrighted source samples ahead! (Score:1, Interesting)
No they don't: one is a *test* of IPv6 functions, so there is a printf. Second, if it was a fake, people taking the time to write those would have at least taken the time to compile them. I mean, why spend 12 hours writing fake code, and not compiling it?
Re:WARNING copyrighted source samples ahead! (Score:5, Informative)
Re:WARNING copyrighted source samples ahead! (Score:2)
Rumour has it ... (Score:4, Funny)
... that their remote access software had a default username/password built in that couldn't be disabled. A high-level Cisco executive has threatened to sue the software providers for including such a stupid 'feature' [slashdot.org] in their product
Actual combination (Score:2)
user: admin
password: password
May not lead to anything (Score:5, Interesting)
(I'm not talking about spam, trolls or worms)
They have the experience to know what can or can not happen.
Sure they use obscurity but I doubt they believe it to be a serious security layer. Instead they probably have experts poring over ios every day.
It is possible to have "Many Eyes" while remaining closed. Just have many expert eyes constantly on the code instead of many more untrained eyes occasionally dissecting the code.
It's expensive so don't expect it to happen too often.
Microsoft deludes itself into thinking that is what they have with a team of programmers working on the code. But in reality the only people who actually see the code are the original coder and a code verifier. Just two people for every segment of code.
But I would guess Cisco uses the expensive version of Many eyes that we get for free in open source.
Re:May not lead to anything (Score:4, Funny)
Unfortunately those experts are figuring out how to draw the release structure diagram and name the branches. I don't think cisco engineers have time to work on new code, there's too much old code to figure out.
Other vendors (Score:3, Insightful)
This could hurt more than just cisco.
Settle down... (Score:4, Interesting)
First there are the security implications. Having the source out there for all to see isn't the endgame for the internet people, with MS people thought it was a big issue because their code is, well... crappy. I don't think this is true with Cisco, and unless there are some very obvious and very damaging security holes the internet will live to see another day, so all you doomsayers out there screaming that the world is coming to an end... settle down.
It does highlight once again the shortcomings of a security through obscurity model, but let's not go down that road again.
The second thing, which is where the story really lies, is how this could have happened. It's Cisco after all, how could their network be compromised? Probably someone there really dropped the ball. Any specifics on how this happened?
Re:Settle down... (Score:2)
The major TCP flaw that was announced recently also affected most Cisco equipment. We just did the usual--grab the patched IOS and load it up during a maintenance window.
Updates like this happen all the time, and the most you probably notice is your overnight porn..erm...Linux ISO downloads stopped about 3am or so.
Heh... (Score:2, Insightful)
Why do we still use so much closed source stuff
SO, if you don't like it, you go out and make an OS for the Cisco routers and put it out for free - go ahead, no one is stopping you. Or go out and try and convince everyone to use your little Linux boxes as routers...oh, wait, there's just as many security issues in Linux as there are in Windows..
But wait, there's more! With IOS
Re:Heh... (Score:2, Insightful)
Apart from the fact that CISCO does not provide the necessary hardware specs, nor development kits for their products?
blabla
Billy? Is that you?
Re:Heh... (Score:2, Informative)
Who said that there isn't something like this?
http://www.uclinux.org/ports/
From uClinux page: "uClinux has successfully been ported to the Cisco 2500, 3000, 4000 routers. The patch allowing uClinux to run on the Cisco 2500/3000/4000 routers was completed by Koen De Vleeschauwer"
Impact on Undocumented commands? (project DOTU) (Score:4, Interesting)
http://boerland.com/dotu [boerland.com].
So opening the code might reveal more undocumented commands.
(btw: I will migrate this data towards a real CMS as hosted at home; http://willy.boerland.com/myblog [boerland.com].)
At least the name of the programmer matches... (Score:3, Interesting)
Theft? Wasnt there a backup? (Score:2, Insightful)
I can't believe it was 'stolen' from them.
Yes that was sarcasm. Just pisses me off how the word 'theft' is perversed when it comes to digital content.
They COPIED it people. It wasn't STOLEN. ( yes, still illegal, but much different of a concept )
Re:Theft? Wasnt there a backup? (Score:2, Insightful)
steal ( P ) Pronunciation Key (stl)
v.
1. To take (the property of another) without right or permission.
http://dictionary.reference.com/search?q=theft&r=67
theft ( P ) Pronunciation Key (thft)
n.
1. The act or an instance of stealing; larceny.
Just pisses me off how the word 'theft' is perversed when it comes to digital content.
They COPIED it people. It wasn't STOLEN. ( yes, still illegal, but much different of a concept )
Re:Theft? Wasnt there a backup? (Score:2)
Keep up the excellent work!
Re:Theft? Wasnt there a backup? (Score:2)
Re:Theft? Wasnt there a backup? (Score:2)
The Internet Doesn't Run On Cisco (Score:3, Interesting)
If a Juniper bug comes out, then it's time to be concerned about pieces of the Internet falling off. But then this is mitigated because there are relatively few aggregation points that can be upgraded hopefully quickly.
Sure, a large Cisco IOS bug will hit mom and pop and small to medium business, but the big boys just don't use Cisco.
one word: bullshit (Score:3)
the big boys do use cisco. unless you don't count qwest, worldcom/uunet, sprint, at&t, etc. as "big boys".
juniper marketshare is slowly growing, but the majority of IXP traffic is still carried through cisco (switches, routers).
Re:one word: bullshit (Score:2, Informative)
Re:The Internet Doesn't Run On Cisco (Score:3, Informative)
It's FreeBSD. I used to work there so I know.
Thats not all it does. (Score:5, Funny)
No they did implement it. But when it found out that it was outnumbered by the hackers, the self-surrender module (also known as the french module) went into effect.
Re:Thats not all it does. (Score:2, Insightful)
This really means nothing. (Score:4, Informative)
http://news.com.com/2100-1033_3-5210745.html
Re:This really means nothing. (Score:3)
Re:This really means nothing. (Score:2)
QNX is fast (Score:2)
Re:This really means nothing. (Score:2, Insightful)
Hardware architecture more important (Score:2)
IOS source code is no big deal. It's Cisco's hardware implementation and architecture that is the real interesting part. At least for the core router functionality. Some fringe aspects would be interesting to study, but it's not really that critical.
Re:Hardware architecture more important (Score:2)
Really? I've looked at the leaked IOS code, and it doesn't look like anything special at all. Pretty standard implementation of most protocols. The only really interesting part was EIGRP, because it was never published elsewhere. But really, IOS didn't contain any substantial surprises.
Anyone could build a decent router with standard TCP/IP stack, like, say, from BSD. But such home-made router would never achieve the performance level of Cisco equipment, if you have to pass every IP packet through the mai
Windows Kernel Leaked too (Score:2)
It's on SuprNova and TorrentReactor...
damn dude... (Score:2)
the source code should have been on a server on a separate subnet than the rest of the network, or on its own private network that has no access to the internet..
putting internet access to anything is a sure fire way of getting hacked at one point or the other. so if you have really sensitive data, NEVER put it on a network that's connected to the net.
it's like having a screen door on a vaul
Re:damn dude... (Score:2)
Juniper / KAME comments (Score:3, Funny)
write-only code (Score:2)
with this approach there is NEVER a chance that your IP can be taken. it just can't.
(this has nothing to do with c++. while its true that c++ is a KIND of write-only language, this isn't the one I was referring to).
Code should be posted (Score:2)
I know Linux has its own routing tools, but the IOS has more features and too many net admins are used to its syntax. zebra is a nice attempt at cloning IOS, which itself is far more advanced.
Re:rah rah rah you scumbags (Score:5, Funny)