Cisco IOS Source Code Theft Story Continues
securitas writes "eWEEK's Steven J. Vaughan-Nichols reports that the source code for Cisco's 'main networking device operating system was stolen on Thursday' (May 13) according to the Russian company SecurityLab. SecurityLab says that criminals broke into Cisco's network and stole 800MB of source code for IOS 12.3 and IOS 12.3t, a pre-release variant. The purported culprit(s) then bragged about the feat in an IRC session and offered 2.5 MB of the code as proof. Industry analysts Dell'Oro Group says that 'Cisco owns 62 percent of the core router market.' More at the Sydney Morning Herald and Windows Network magazine." Our original coverage of this story is here.
Can you imagine... (Score:5, Insightful)
Re:Can you imagine... (Score:2, Redundant)
Re:Can you imagine... (Score:5, Funny)
Just because you rely on the internet, doesn't mean the entire world does too.
Re:Can you imagine... (Score:5, Funny)
Some of us use wireless mice, and would have to resort to hanging ourselves with VGA cables.
Re:Can you imagine... (Score:2)
(just kidding, although hugging a tesla coil while earthing yourself would do the job just nicely)
Re:Can you imagine... (Score:4, Insightful)
Re:Can you imagine... (Score:3, Insightful)
Most companies still have a few fax machines, not to mention many printer/scanners that can be made to act like one. So we'd just go back to fax, phone, snail mail. Actually, unless you're Amazon or a similar web-centric company, most would find they were more productive for not pissing away time reading Slashdot, porn, sending chain
Re:Can you imagine... (Score:2)
Re:Can you imagine... (Score:5, Insightful)
It isn't the Internet as an entertainment tool that's the issue. It's the Internet as a business tool. In some situations, there are alternatives - a phone call instead of an email, a printed report instead of one transmitted electronically. But there are a great many systems which have been converted to the Internet for which the old infrastructure either no longer exists or would be extremely difficult to reactivate. Inventory systems, ordering systems, tracking systems, etc.
I'm in the US Military. Message traffic used to be transmitted via radio to teletypes. Now, it all rides on the Internet. The teletypes are long gone. Lack of an Internet wouldn't bring us to our knees - we have contingency plans. But it would seriously impact our operations.
Just because you rely on the internet, doesn't mean the entire world does too.
The world DOES rely on the Internet, whether you're aware of it or not. We would survive, just as we survive hurricanes and black outs and other disasters. But any significant disruption of the Internet certainly would be classified as a disaster and have significant impact.
Re:Can you imagine... (Score:2)
I use a trackball, you insensitive clod!
Re:Can you imagine... (Score:2)
Re:Can you imagine... (Score:3, Funny)
Outside? What's the URL for that?
Re:Er.... (Score:2)
Woohoo (Score:2, Funny)
Re:Can you imagine... (Score:3, Insightful)
Re:Can you imagine... (Score:5, Funny)
Re:Can you imagine... (Score:2)
For the most part, the Internet is a luxury at this point, and I can't think of a single critical service that relies on it.
backdoor (Score:5, Funny)
Re:backdoor (Score:2, Funny)
Re:backdoor (Score:5, Funny)
Re:backdoor (Score:4, Insightful)
The internet seems faster today. (Score:4, Funny)
Re:The internet seems faster today. (Score:5, Funny)
Re:The internet seems faster today. (Score:2, Funny)
Nope, sorry, they are calling to tell you that your Mor@tgage hav baen d.e.nied
Please remove code (Score:4, Funny)
Re:Please remove code (Score:2)
It's OK, the code will probably be covered by the BSDi settlement. After all, Cisco's software is descended from code written at Berkeley and then commercialised by ex-university staff.
Chris
Secure ? (Score:5, Insightful)
I realize however that Cisco code is likely more complex than the relatively simple stuff ipfw does.
Re:Secure ? (Score:5, Insightful)
The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere.
Sure, it might be more solid than Windows (!), but no large software project nowadays can presume to be bug-free. It's just too much code and possible scenarios to say that it all has been tested.
Re:Secure ? (Score:5, Insightful)
Well, let's say that cisco has allocated x people for code-auditing, and that they've had y years to do so (something like 15 and 15, probably?) And because their products need to be secure, they fixed anything those people found wrong.
Surely that means that to find a vulnerability, any would-be cracker would have to spend at least as long on auditing as cisco did themselves unless they happen to be very lucky, or unless there are problems easily-visible in the source-code that cisco haven't fixed. So we wouldn't expect any exploit to be seen in the near future?
Re:Secure ? (Score:2)
Heck, even decent people are probably going to look at it to see how to improve or tweak.
Re:Secure ? (Score:3, Insightful)
Re:Secure ? (Score:5, Insightful)
Except that Cisco has no real incentive to find bugs in their code, whereas a cracker does. Motivation makes a huge difference. And why would Cisco need to do strict audits on their code? Nobody outside the company will ever see it. Right?
Re:Secure ? (Score:5, Interesting)
Having had a look at some of the source code, I'm generally impressed. Cisco's code is solid. It's perhaps a bit more simplified than what you'll see in BSD's ipfw source, but simpler is better when you're talking about mission-critical applications. IOS is responsible for switching packets on a fair amount of heavy links; ipfw is responsible for switching packets at your average LAN.
I don't think the IOS leak is going to lead to any new vulnerabilities. Cisco produces solid code. The only real interesting thing we may see is backdoor-style commands to IOS that the public is not aware of.
--
Free Naked Pics [fuckmeter.com]
Re:Secure ? (Score:4, Interesting)
Re:Secure ? (Score:2)
cisco has a reputation of excellence; however, their code has not yet stood up to the scrutiny of tens of thousands of people. the possibility of them finding *something* exploitable is very much there.
Re:Secure ? (Score:2)
Re:Secure ? (Score:2)
there's less assurance than that about salaried coders, simply because the company in question cannot logistically interview tens of thousands of applicants to fill just one position.
Re:Secure ? (Score:2, Interesting)
Uhh...wasn't there a serious problem in the code for parsing bitmap files discovered? wasn't there a virus that started spreading whenever a bitmap was viewed based on the exploit found?
Re:Secure ? (Score:2, Informative)
Re:Secure ? (Score:5, Interesting)
Yes, provided it's solid code. So the obvious question is: is it solid code? What makes for solid code? I'm of the opinion that it is far from 'solid' code for two main reasons.
The history of the code base.
Its monolithic nature.
IOS started out on the same CPU board as Sun (and SGI) computers: The Stanford 68000 board. Remember what Sun stands for: Stanford University Network. These three companies all started from the same hardware design. Cisco took this design and the original software for running the Stanford networks (some allege they stole it) and kept adding on to it. The 68000 had no MMU, and therefore provided no protection of one process from another- any process could write to any part of memory.
The problem is that the software still has this in its genes. While IOS will make use of modern MMUs to do some level of protection (such as marking the text segment read-only), at its core it's still an "every process is fully trusted" design. Now, this does have some advantages- in the old days when the forwarding was all done on the CPU in the interrupt context this was a huge win. Saving all the state and MMU context switches could really lower performance.
The drawbacks, however, are pretty bad IMHO. Since there's no separation of processes, any one process can bring down the system. If BGP was running under Unix and it ran into a problem where it would seg fault, under IOS the entire system would panic and reboot. If it happens to catch the error, which is much less likely to happen because there's no separation of processes and what memory resources belong to that process as opposed to other processes.
The monolithic nature of IOS also tends to breed lax programming practices. Who needs to ensure that everything is tip top when everything is self contained? There's a certain Darwinian pressure that gets placed on a system when anyone can write code for it and expects the system to stay up and running like Unix. Under IOS, none of that exists. As a matter of fact, the pressure is in the opposite direction- when you write something that crashes the system- don't do that. Furthermore, the code tends to largely interact with only a few other implementations, and the one it interacts with the most is itself (ciscos talking to ciscos). Not a lot of pressure to find those odd ball corner cases and fix them... Just the kind of corner cases that are the most likely to result in exploitable bugs.
So, are there security problems with IOS? You'd better believe it. All you have to do is peruse the BugTracker database and look for bugs that cause a crash. Things like "malformed SNMP request causes crash" are prime candidates to exploit.
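The trust-boundary point made in the comment above, as an added toy illustration that is not Cisco code and not part of the original post: two cooperative tasks share one flat memory array. With no region check, a length bug in task A silently overwrites task B's state and nothing reports it; with an MMU-style region check, the same bug is refused and only task A is marked as faulted. The memory layout, task names, config byte and oversize message are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model: one flat 64-byte "system memory" shared by two
 * cooperative tasks, standing in for a single-address-space design.
 * Layout, task names and the oversize message are all made up. */
#define MEM_SIZE    64
#define REGION_SIZE 32
#define TASK_A      0   /* owns bytes [0, 32)  */
#define TASK_B      1   /* owns bytes [32, 64) */

typedef struct {
    uint8_t mem[MEM_SIZE];
    int protection_on;  /* 0: every task fully trusted; 1: MMU-style region check */
    int faulted_task;   /* -1 if no task was torn down */
} system_t;

static unsigned region_base(int task) { return task == TASK_A ? 0 : REGION_SIZE; }

static void sys_init(system_t *s, int protection_on) {
    memset(s->mem, 0, sizeof s->mem);
    s->protection_on = protection_on;
    s->faulted_task = -1;
    s->mem[region_base(TASK_B)] = 7;  /* task B's config byte, e.g. a route count */
}

/* A store of 'len' bytes of 'value' at 'addr', issued by 'task'.
 * Returns 0 on success, -1 if the store was refused.
 * The first check only keeps this toy inside its own array; the second is
 * the per-task protection the comment says the original design lacked. */
static int task_store(system_t *s, int task, unsigned addr, unsigned len, uint8_t value) {
    if (addr > MEM_SIZE || len > MEM_SIZE - addr)
        return -1;
    unsigned base = region_base(task);
    if (s->protection_on && (addr < base || addr + len > base + REGION_SIZE)) {
        s->faulted_task = task;  /* only the offending task is torn down */
        return -1;
    }
    memset(s->mem + addr, value, len);
    return 0;
}

/* Task A's bug: it copies a 40-byte message into its 32-byte region. */
static int task_a_buggy_copy(system_t *s) {
    const unsigned msg_len = 40;  /* constructed oversize input */
    return task_store(s, TASK_A, region_base(TASK_A), msg_len, 0xAA);
}

/* Runs task A's buggy copy and reports task B's config byte afterwards and
 * which task (if any) faulted. Returns task A's store result. */
static int run_scenario(int protection_on, int *b_config, int *faulted_task) {
    system_t s;
    sys_init(&s, protection_on);
    int rc = task_a_buggy_copy(&s);
    *b_config = s.mem[region_base(TASK_B)];
    *faulted_task = s.faulted_task;
    return rc;
}

int main(void) {
    for (int prot = 0; prot <= 1; prot++) {
        int b, f;
        int rc = run_scenario(prot, &b, &f);
        printf("protection %s: store rc=%d, task B config=%d, faulted task=%d\n",
               prot ? "on" : "off", rc, b, f);
    }
    return 0;
}
```

With protection off the store reports success and task B's config byte has become 0xAA without any task noticing; with protection on the store fails, task B keeps its value of 7, and the fault is attributed to task A alone, which is the difference between a whole-box reload and a single process restart that the comment is describing.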
unlikely (Score:4, Funny)
Seminar sessions (Score:5, Funny)
In the seminars I can imagine how Cisco would explain their love of being shafted, hence all the backdoor access (pun intended!)...
...Microsoft will just blab about how they CAN be trusted, and show everyone pretty pictures and a Matrix spoof to distract everyone...
..while Valve gets the dates for the seminar mixed up and turn up 6 months later.
I may be ignorant, (Score:2)
Aren't their routers basically embedded *nix boxes? I can understand them developing their own frontend for such, but isn't the majority of the underlying code *nix based? If so, how detrimental can it be for that code to be leaked? Conversely, if it's the frontend code which has been stolen, how many security hole....oh yah, Windows 95...ne'er mind...
Cisco IOS built on BSD (Score:3, Interesting)
Re:Cisco IOS built on BSD (Score:5, Interesting)
I recently finished CCNA training and asked the instructor what OS Cisco IOS was based on, and I was told it's based on BSD OS. He didn't tell me which BSD though....
It's descended from the Unix related work done at Berkeley in the early 1980's. I can't find a suitable link at the moment, but from what I remember there was some controversy about the commercialisation of the code. Much of the work was while the future Cisco founders were still employed at the university. This meant it should have belonged to the Regents, and released under a BSD license. If so, then it's ironic that the code is in the public domain, albeit under dubious circumstances.
Chris
Re:Cisco IOS built on BSD (Score:3, Informative)
Re:I may be ignorant, (Score:2, Funny)
I may be ignorant
Or merely misinformed
I'm not a fan, but
I sure can understand...
Nahh, that couldn't be it.
Wow, that's weird as all Hell, and of course there's no way to verify, but I've never heard Avril Lavigne that I know of before. For some reason I'm assuming BritneyPop? My tas
And the secret backdoor password is... (Score:3, Funny)
2...
3...
4...
5!
I always thought the big company that would have this happen is Microsoft, but I guess people got ahold of win2k's source a while back... it's still really surprising to see this happen to Cisco. Does it impress anyone else that they have an 800 MB source on the O/S? That's a lot of code!!
Re:And the secret backdoor password is... (Score:2, Insightful)
Re:And the secret backdoor password is... (Score:2, Informative)
Re:And the secret backdoor password is... (Score:2, Insightful)
If IOS was Open Source... (Score:5, Insightful)
Then again, one has to wonder how Cisco would have created their empire if their code had been open sourced. A lot of their business is not only selling H/W but IOS features.
Suspect profile (Score:5, Funny)
1. French or German
2. Linux/open source zealot
3. Lives in parents basement
4. Showers monthly
Rough translation of 'bragged' link... (Score:5, Informative)
"According to our information, the release of fragments of the source code came about due to a break-in to the corporate network of Cisco System. Representatives of Cisco System have meanwhile made no comment on the incident.
The information came from a certain individual under the nick of franz on darknet@EFNet IRC, where he also presented a small part of the source code (about 2.5MB) as evidence.
Below are links to the first 100 lines of source code from the files ipv6_tcp.c and ipv6_discovery_test.c."
Apologies for any errors - my technical Russian's a little rusty.
Go for it Cisco (Score:4, Insightful)
Open source all your code. It's too late now (cat/bag/out of). Set an example to the rest of the business community.
Re:Go for it Cisco (Score:2)
the simple fact is, and as much as it pains me to say this, SECURITY BY OBSCURITY DOES WORK.
now, before you turn on your flamethrowers, consider this: if cisco opened their source last year, would you have looked at it since then in a meaningful way? cisco employs dozens to hundreds of people who look at their source code all day every day. are you going to have such an interest in doing the same work that those people do for real salaries, for free?
Re:Go for it Cisco (Score:5, Interesting)
SECURITY BY OBSCURITY DOES WORK
*sigh* And, of course there's going to be a troll like this.
No, it doesn't, but thanks for playing. See, someday maybe you'll learn the painful lesson that Cisco is learning now: Security Through Obscurity only works as far as your REAL security measures can protect it. Gee. Looky there. Cisco's cat just left the bag, and why? Because the network security wasn't strong enough to protect it. All these years of obscurity are now on the brink of becoming completely worthless because the REAL protection wasn't there just long enough to let it happen. The second that code hits a public FTP server, STO at Cisco became absolutely useless.
But, hey. If you want to rely on STO for anything more than your last line of defense, be my guest. Just promise me you won't be mad when I laugh at you for getting burned by it.
Re:Go for it Cisco (Score:2)
But so will the white hats, and the gray hats.
For both the white and gray hats, finding a weakness is their ticket to 15 minutes of fame. "Slightly shady" companies like eEye or @stake got their starts as hacker groups that found profit in promoting their l33t ski11z by discovering and announcing vulnerabilities. They found that while hacking for bragging rights is really fun, turning that newfound glory into IPOs was really, really a great
Lemme guess (Score:3, Funny)
The password they used to get access to the crown jewels was ciscokid
Pretty 133t if you ask me.
what the fuck? (Score:5, Insightful)
I wonder if Slashdot will get in trouble with Cisco for this? The moderators could have at least have checked the links, no?
Re:what the fuck? (Score:2)
But... but... (Score:2)
Re:what the fuck? (Score:2)
Pending confirmation from Cisco, it's at best a pointer to where you can find something which is purported to be part of something which someone says might be covered by somebody else's IP.
There's enough uncertainty in there to be perfectly safe. Even were it confirmed, I don't think Cisco's in the mood for a DeCSS-go-r
Re:what the fuck? (Score:3, Funny)
Holy shit! Bill Clinton posts on
Not the first time (Score:2)
Makes you think.. (Score:2, Funny)
Re:Makes you think.. (Score:2)
No seriously. It is something when everyone else is afraid of the source code being leaked into public domain/view when linux proudly places it there and begs for people to point out the flaws.
I don't think there are any serious trade secrets that can't be protected by other means (legally) such that cisco would be hurt if they opened up their source and offered a bounty of, let's say, $50 to anyone (or the first persons) finding a hole in it. Then maybe their self p
Re:Makes you think.. (Score:2)
The one thing not mentioned (Score:5, Interesting)
My one thought: it's all bullshit until Cisco comes out and says they were hacked. Anyone can put together a bunch of seemingly well-written code and say that they were l33t and got in to Cisco.
The proof is in the pudding. And all I see so far is some sugar.
Re:The one thing not mentioned (Score:2, Funny)
Anyone can put together a bunch of seemingly well-written code
Many "professional" programmers can't, not at my company at least.
Chris
Re:The one thing not mentioned (Score:3, Insightful)
It's like some warped Stratego (TM) game, and the hackers have captured the flag.
Now:
1. The act of stealing it sort of renders it useless; who would want a firewall that can be broken into and its own sources stolen?
2. This embarrassment would have been circumvented if they had most of the code
Re:The one thing not mentioned (Score:2)
Besides, the story yesterday on
It now being Monday (and 6:00 AM on Monday in California), it wouldn't surprise me
Re:The one thing not mentioned (Score:2)
So, using this logic all Cisco has to do is stay quiet, and this
says they were never hacked?
ya, That's bullshit alright.
might be a good thing ... (Score:3, Interesting)
That's why corps should stick to dial-up.. (Score:5, Funny)
Re:That's why corps should stick to dial-up.. (Score:3, Insightful)
Cizzz-coeee (Score:2, Funny)
Vulnerability by version (Score:5, Insightful)
Also could find a problem in basic TCP/IP code, making every Cisco router on the planet a revolving door. I find this scenario highly unlikely, as their base code is probably a lot more stable and reviewed than the newer, more advanced features.
Re:Vulnerability by version (Score:2)
That's a good point. The IP code has likely been subjected to many uses, bugs, fixes, reviews and so on.
IPX? DECnet? Appletalk? Those bits are less popular and probably have more potential problems, but have a much lower security exposure.
Funny lines in the source code (Score:5, Funny)
* Juniper engineers are weenies!
*/
QUICK ! React ! (Score:3, Funny)
When the internet gets shut down for a maintenance-period, their business will go through the roof.
And don't forget to reserve enough machines for yourself, or your business might go through the toilet
800Mb when compressed? (Score:2)
Seems bloated to hell to me - what exactly do these routers do that take so much code?
Re:800Mb when compressed? (Score:2)
For comparison, the Linux kernel (2.6.6) is 34MB bzipped, 47MB unzipped. It's likely that they are talking about 800MB of uncompressed code.
Add on the size of all the userland programs like freeswan, webmin, telnet, openssh, openssl, tftpd, dhcpd, dpcpcd, ntpd, an ftpd, shorewall, etc. that would be needed for linux to ha
If it had been a microsoft leak ... (Score:5, Interesting)
Now lets compare the REAL security issues.
1. The number of people who were dissecting the Windows Source Code are much more than those trying to find a Cisco hole.
2. Even without the Windows Source, we can reverse engineer large parts of the Windows Sources and identify problems. With the leak it just became easier. I don't expect too many crackers trying to find holes in Cisco's IOS.
This simply means that the chances of finding a security hole in Cisco are much higher than in Windows, because now that the source is out in the open, it's easier. Why would they choose to look?
1. Bringing down those routers could virtually bring down most of the internet.
2. The entire financial world uses them! If a hole is discovered it might just be the easiest way to get into those systems.
3. It could be easier than trying to find a Windows hole, since (as from my earlier logic) many many people have already tried without results.
4. The damage that could be done in those 2 cases is so immense that a comparison would be irrelevant.
[Troll: Btw
Again? (Score:2, Informative)
What? Nobody's said it yet? (Score:2)
Code theft? (Score:5, Insightful)
No, I'm afraid this is not 'theft'.
Theft must incorporate a desire to deprive the rightful owner of said taken item(s). Surely we know this by now?
Stealing, yes. Theft, no.
</PEDANT>
Re:Code theft? (Score:2)
Isn't it actually spying? When a spy takes snapshots of secret documents, he's not stealing them. He just changes their nature from "SECRET" to "LETS PRETEND IT NEVER HAPPENED" (aka. "TOP SECRET"). But stealing?
Re:Code theft? (Score:2)
steal
v. tr.
To take (the property of another) without right or permission.
The verb 'take' does not necessarily imply that what is taken is in fact removed, whereas complete removal is in the definition of 'theft'.
Re:Code theft? (Score:2)
The verb 'take' does not necessarily imply that what is taken is in fact removed
"Okay guys, let's take some pictures..." Reporters picking up pictures from the office walls. Airplane I.
Re:Code theft? (Score:2)
Copying is different from theft/stealing/larceny both legally and ethically. It's fine to have opinions as to whether it is or should be right/wrong legal/illegal. But lumping it in with stealing is just misleading, and that is not a fair way to present your case.
Of course, this is worse than copyright infringement, as it is misappropriation of trade secrets,
the code that is "shown" as Cisco IOS .... (Score:4, Interesting)
1. Since when do programmers working for a serious company write copyright notices for themselves in the header? Like, if you work for, let's say, SCO (ha-ha), you will put in the header a copyright by you, and then - who knows - might sue SCO for stealing code from you
2. printf("\nAdding %P to ND cache", &target);
The ND cache is really connected to neighbor solicit messages, but would the Cisco IOS be printing a message, saying that it is adding the address to the ND cache without checking debug flags, etc.? And I am sure it is not a matter of system design in this case. You cannot get the impression just from one tiny piece of code.
3. Some post here were stating... "root" access, which certainly made me smile. The IOS is running cooperative multitasking and the tasks usually run at the same level.
4. Ole Troan really works for Cisco Systems (in the UK) and is the proud author of the IPv6 DHCP RFC specification 3633. So this is an argument that supports the theory a little bit. Just didn't think that Cisco still has developers in the UK. I thought they outsourced everything to India a long time ago
There are some more, but I'll save you the tiny details, like big endian or other nifty stuff in the code.
Security Through Obscurity? (Score:4, Insightful)
Shouldn't we say 'copyright infringement'? (Score:2)
The GPL doesn't pay (Score:2, Funny)
I can only assume one of two things:
1. CICSO's use of code that's open to just anyone allowed a "hacker" to access vulnerabilities in its systems.
2. Due to its earlier minor and well-intentioned misstep, some GNUlatic decided to take revenge on CICSO.
In either case, this sends a loud and clear message to all businesses out there: messing with GPL code will get you burned, and burne
Poor coding standards (Score:4, Funny)
Not actually stolen (Score:3, Funny)
of their putative property. Thus, no code was stolen.
Re:800MB?? (Score:5, Informative)
Re:800MB?? (Score:2)
Re:Keys-in (Score:2)
Better analogy is:
Leave the keys in your BMW so that everybody can make a duplicate. And then they add your big shiny wheels and sound system, and I can get a free upgrade as well.