Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Businesses

Cisco IOS Source Code Theft Story Continues 318

securitas writes "eWEEK's Steven J. Vaughan-Nichols reports that the source code for Cisco's 'main networking device operating system was stolen on Thursday' (May 13) according to the Russian company SecurityLab. SecurityLab says that criminals broke into Cisco's network and stole 800MB of source code for IOS 12.3 and IOS 12.3t, a pre-release variant. The purported culprit(s) then bragged about the feat in an IRC session and offered 2.5 MB of the code as proof. Industry analysts Dell'Oro Group says that 'Cisco owns 62 percent of the core router market.' More at the Sydney Morning Herald and Windows Network magazine." Our original coverage was here of this story.
This discussion has been archived. No new comments can be posted.

Cisco IOS Source Code Theft Story Continues

Comments Filter:
  • Can you imagine... (Score:5, Insightful)

    by Anonymous Coward on Monday May 17, 2004 @06:12AM (#9171910)
    ...if the entire internet was taken down? for an extended period of time? The world would fall into disarray. Although once upon a time the world functioned perfectly well without the internet. Amazing how technology makes us dependent just like junkies.
    • Even better, If a start exploded far away enough not to kill us and all devices that depended on anything magnetic broke down. BTW - I could be wrong about the science side of this... (Perhaps thats what the world needs?)
    • by skasingularity ( 777400 ) on Monday May 17, 2004 @06:42AM (#9172007)
      Sure there would be problems, but I think most people would opt for watching TV or going outside. Some businesses would stall, and slashdot users would probably try and hang themselves with their mice, but I think a relatively large part of the world would continue to operate.

      Just because you rely on the internet, doesn't mean the entire world does too.

      • by iapetus ( 24050 ) on Monday May 17, 2004 @06:44AM (#9172018) Homepage
        Personally I take offence at your narrow typecasting of Slashdot users.

        Some of us use wireless mice, and would have to resort to hanging ourselves with VGA cables.
      • by Segway Ninja ( 777415 ) on Monday May 17, 2004 @06:50AM (#9172033)
        But it would be fair to say that most businesses do rely on the internet, in some way or form. At least, they do in New Zealand. E-Mail would have to be a main source of internal communications (eg, within the company - but not the same building, as within the building would probably function without the net) - definately for technical resources on products and the like.
      • by B'Trey ( 111263 ) on Monday May 17, 2004 @07:09AM (#9172120)
        Sure there would be problems, but I think most people would opt for watching TV or going outside.

        It isn't the Internet as an entertainment tool that's the issue. It's the Internet as a business tool. In some situations, there are alternatives - a phone call instead of an email, a printed report instead of one transmitted electronically. But there are a great many systems which have been converted to the Internet for which the old infrastructure either no longer exists or would be extremely difficult to reactivate. Inventory systems, ordering systems, tracking systems, etc.

        I'm in the US Military. Message traffic used to be transmitted via radio to teletypes. Now, it all rides on the Internet. The teletypes are long gone. Lack of an Internet wouldn't bring us to our knees - we have contingency plans. But it would seriously impact our operations.

        Just because you rely on the internet, doesn't mean the entire world does too.

        The world DOES rely on the Internet, whether you're aware of it or not. We would survive, just as we survive hurricanes and black outs and other disasters. But any significant disruption of the Internet certainly would be classified as a disaster and have significant impact.

      • slashdot users would probably try and hang themselves with their mice

        I use a trackball, you insensitive clod!

      • ...I think most people would opt for watching TV or going outside.

        Outside? What's the URL for that?
    • Woohoo (Score:2, Funny)

      There's at least a couple of days off work there!
    • by tymbow ( 725036 )
      A friend of mine used to regularly say that only IT and the illicit drug trade call people "users".
    • by banzai51 ( 140396 ) on Monday May 17, 2004 @07:47AM (#9172320) Journal
      I have stolen the entire source code for Lunix. I'm gong to distribute it and see how long before EVERY linux server is down.
    • Most important business functions rely on private lines which are not directly connected to the Internet.

      For the most part, the Internet is a luxury at this point, and I can't think of a single critical service that relies on it.
  • backdoor (Score:5, Funny)

    by sleepnmojo ( 658421 ) on Monday May 17, 2004 @06:13AM (#9171912)
    They could have at least posted the code for the backdoor in all the routers.
  • by JPriest ( 547211 ) on Monday May 17, 2004 @06:14AM (#9171916) Homepage
    I notice this morning that since the code leak the Internet has been faster, more stable, and I get packeted less often. Since the code leak I also lost 5 pounds and I swear my erectioin this morning was larger. *phone rings* That must be my bank calling to tell me they lowered my intrest rates.
  • by fearlezz ( 594718 ) on Monday May 17, 2004 @06:15AM (#9171921)
    Please, everybody! Please remove the source code from the internet ASAP before SCO sees it and claims ownership!!
    • It's OK, the code will probably be covered by the BSDi settlement. After all, Cisco's software is descended from code written at Berkeley and then commercialised by ex-university staff.

      Chris

  • Secure ? (Score:5, Insightful)

    by cyberfunk2 ( 656339 ) on Monday May 17, 2004 @06:16AM (#9171923)
    Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldnt this theoretically not matter (just as the code for stuff like ipfw is open)?

    I realize however that Cisco code is likely more complex than the relatively simple stuff ipfw does.
    • Re:Secure ? (Score:5, Insightful)

      by flying_mushroom ( 775544 ) <nelson_menezes&hotmail,com> on Monday May 17, 2004 @06:21AM (#9171938) Homepage

      The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere.

      Sure, it might be more solid than Windows (!), but no large software project nowadays can presume to be bug-free. It's just too much code and possible scenarios to say that it all has been tested.

      • Re:Secure ? (Score:5, Insightful)

        by gnu-generation-one ( 717590 ) on Monday May 17, 2004 @06:52AM (#9172044) Homepage
        "The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere."

        Well, let's say that cisco has allocated x people for code-auditing, and that they've had y years to do so (something like 15 and 15, probably?) And because their products need to be secure, they fixed anything those people found wrong.

        Surely that means that to find a vulnerability, any would-be cracker would have to spend at least as long on auditing as cisco did themselves unless they happen to be very lucky, or unless there are problems easily-visible in the source-code that cisco haven't fixed. So we wouldn't expect any exploit to be seen in the near future?
        • I'm sure more eyes are going to be looking at this than 15 for 15 years.

          Heck, even decent people are probably going to look at it to see how to improve or tweak.
        • Re:Secure ? (Score:3, Insightful)

          by Phleg ( 523632 )
          You're assuming that code is static. New bugs are introduced with every release, and with every commit. Just because a group of Quality Assurance folks have been scanning the code for decades doesn't mean they'll catch the new bugs within a few hours.
        • Re:Secure ? (Score:5, Insightful)

          by gosand ( 234100 ) on Monday May 17, 2004 @08:22AM (#9172521)
          Well, let's say that cisco has allocated x people for code-auditing, and that they've had y years to do so (something like 15 and 15, probably?) And because their products need to be secure, they fixed anything those people found wrong. Surely that means that to find a vulnerability, any would-be cracker would have to spend at least as long on auditing as cisco did themselves unless they happen to be very lucky, or unless there are problems easily-visible in the source-code that cisco haven't fixed. So we wouldn't expect any exploit to be seen in the near future?

          Except that Cisco has no real incentive to find bugs in their code, whereas a cracker does. Motivation makes a huge difference. And why would Cisco need to do strict audits on their code? Nobody outside the company will ever see it. Right?

    • Re:Secure ? (Score:5, Interesting)

      by Anonymous Coward on Monday May 17, 2004 @06:21AM (#9171940)
      Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldnt this theoretically not matter (just as the code for stuff like ipfw is open)?
      I presume that by ipfw, you're speaking of the BSD IP firewall. In which case, yes, you're right, Cisco's IOS does a bit more in terms of advanced processing.

      Having had a look at some of the source code, I'm generally impressed. Cisco's code is solid. It's perhaps a bit more simplified than what you'll see in BSD's ipfw source, but simpler is better when you're talking about mission-critical applications. IOS is responsible for switching packets on a fair amount of heavy links; ipfw is responsible for switching packets at your average LAN.

      I don't think the IOS leak is going to lead to any new vulnerabilities. Cisco produces solid code. The only real interesting thing we may see is backdoor-style commands to IOS that the public is not aware of.

      --
      Free Naked Pics [fuckmeter.com]
      • Re:Secure ? (Score:4, Interesting)

        by xchino ( 591175 ) on Monday May 17, 2004 @06:41AM (#9172005)
        Sorry, but if this is true and the full source code has been released to the public, I can pretty much gurantee you there will be vulnerabilities found. The likleyhood that in the entire codebase, there exists not a single flaw is scientifically insignificant. We may not see any vulnerabilities the likes of "print 500 A's on login: " but you can bet there's something that will let someone do something they aren't supposed to. The chances of vulns coming from this are alot greater than the chances more vendor implemented backdoors are found, and that wouldn't suprise me in the least.

    • Re:Secure ? (Score:2, Interesting)

      by Anonymous Coward
      "A previous major source code theft of parts of Microsoft's NT 4.0 and Windows 2000 has not led to any security violations."

      Uhh...wasnt there a serious problem in the code for parsing bitmap files discovered? wasnt there a virus that started spreading whenever a bitmap was viewed based on the exploit found?
    • Re:Secure ? (Score:5, Interesting)

      by johne_ganz ( 750500 ) on Monday May 17, 2004 @09:35AM (#9173228)
      Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldnt this theoretically not matter

      Yes, provided it's solid code. So the obvious question is: is it solid code? What makes for solid code? I'm of the opinion that it is far from 'solid' code for two main reasons.

      The history of the code base.

      It's monolithic nature.

      IOS started out on the same CPU board as Sun (and SGI) computers: The Stanford 68000 board. Remember what Sun stands for: Stanford University Network. These three companies all started from the same hardware design. Cisco took this design and the original software for running the Stanford networks (some allege they stole it) and kept adding on to it. The 68000 had no MMU, and therefore provided no protection of one process from another- any process could write to any part of memory.

      The problem is that the software still has this in its genes. While IOS will make use of modern MMU's to do some level of protection (such as marking read-only the text segment), at its core its still a "every process is fully trusted" design. Now, this does have some advantages- in the old days when the forwarding was all done on the CPU in the interrupt context this was a huge win. Saving all the state and MMU context switches could really lower performance.

      The drawbacks, however, are pretty bad IMHO. Since there's no separation of processes, any one process can bring down the system. If BGP was running under Unix, and it ran in to a problem where it would seg fault, under IOS the entire system would panic and reboot. IF it happens to catch the error, which is much less likely to happen because there's no separation of processes and what memory resources belong to that process as opposed to other processes.

      The monolithic nature of IOS also tends to breed lax programming practices. Who needs to ensure that everything is tip top when everything is self contained? There's a certain darwinian pressure that gets placed on a system when anyone can write code for it and expects the system to stay up and running like Unix. Under IOS, none of that exists. As a matter of fact, the pressure is in the opposite direction- when you write something that crashes the system- don't do that. Furthermore, the code tends to largely interact with only a few other implementations, and the one it interacts with the most is itself (cisco's talking to cisco's). Not a lot of pressure to find those odd ball corner cases and fix them... Just the kind of corner cases that are the most likely to result in exploitable bugs.

      So, are there security problems with IOS? You'd better believe it. All you have to do is peruse the BugTracker database and look for bugs that cause a crash. Things like "malformed SNMP request causes crash" are prime candidates to exploit.

  • unlikely (Score:4, Funny)

    by beware1000 ( 678753 ) on Monday May 17, 2004 @06:16AM (#9171924)
    In other news, Microsoft, Valve and Cisco to give free seminars on network security!
    • by T-Kir ( 597145 ) on Monday May 17, 2004 @06:37AM (#9171990) Homepage

      In the seminars I can imagine how Cisco would explain they're love of being shafted, hence all the backdoor access (pun intended!)...

      ...Microsoft will just blab about how they CAN be trusted, and show everyone pretty pictures and a Matrix spoof to distract everyone...

      ..while Valve gets the dates for the seminar mixed up and turn up 6 months later.

  • Or merely misinformed, as I'm not much of a Cisco fanboi, but...

    Aren't their routers basically embedded *nix boxes? I can understand them developing their own frontend for such, but isn't the majority of the underlying code *nix based? If so, how detrimental can it be for that code to be leaked? Conversely, if it's the frontend code which has been stolen, how many security hole....oh yah, Windows 95...ne'er mind...
    • by p.rican ( 643452 )
      I recently finished CCNA training and asked the instructor what OS CiscoIOS was based on and I was told it's based on BSD OS. He didn't tell me which BSD though....
      • by LizardKing ( 5245 ) on Monday May 17, 2004 @06:52AM (#9172043)

        I recently finished CCNA training and asked the instructor what OS CiscoIOS was based on and I was told it's based on BSD OS. He didn't tell me which BSD though....

        It's descended from the Unix related work done at Berkeley in the early 1980's. I can't find a suitable link at the moment, but from what I remember there was some controversy about the commercialisation of the code. Much of the work was while the future Cisco founders were still employed at the university. This meant it should have belonged to the Regents, and released under a BSD license. If so, then it's ironic that the code is in the public domain, albeit under dubious circumstances.

        Chris

  • 1...
    2...
    3...
    4...
    5!

    I always thought the big company that would have this happen is Microsoft, but I guess people got ahold of win2k's source a while back... it's still really surprising to see this happen to Cisco. Does it impress anyone else that they have an 800 MB source on the O/S? That's a lot of code!!
    • linux kernel source unpacked takes 150MB, compare yourself. Maybe they have stolen several versions of the source?
      • Have you been reduced to only reading the slashdot headlines? If you had even read the writeup you would have seen that the person got two versions(12.3 and 12.3t). And you said it yourself - linux is just a kernel. Imagine how big the source code is for a full GNU/linux operating system. 800 megs does not sound entirely unreasonable for two versions of an operating system.
    • The thing that I find the most interesting is that first this shows that whatever security products they are selling obviously aren't good enough because there is someway around them(assuming Ciso would be using their own best products). But more importantly, if this were an open source project like Gnome, then we'd have up to the second details on what happened, why it happened, how it happened, what was accessed, whats at risk, etc... In the closed/proprietary world this doesn't happen, we are all just ba
  • by pdaoust007 ( 258232 ) on Monday May 17, 2004 @06:23AM (#9171945)
    All of these apocalyptic arguments about the Internet going down etc. would be moot...

    Then again one has to wonder how Cisco would have created their empire if their code would have been open sourced. A lot of their business is not only selling H/W but ISO features.
  • by Anonymous Coward on Monday May 17, 2004 @06:25AM (#9171952)
    Here is my suspect profile:

    1. French or German
    2. Linux/open source zealot
    3. Lives in parents basement
    4. Showers monthly

  • by iapetus ( 24050 ) on Monday May 17, 2004 @06:26AM (#9171955) Homepage
    "As SecurityLab discovered, on the 13th of May all the source code of the CISCO IOS operating system, which is used in the majority of CISCO's network installations was stolen. The full extent of the stolen information runs to about 800MB compressed.

    According to our information, the release of fragments of the source code came about due to a break-in to the corporate network of Cisco System. Representatives of Cisco System have meanwhile made no comment on the incident.

    The information came from a certain individual under the nick of franz on darknet@EFNet IRC, where he also presented a small part of the source code (about 2.5MB) as evidence.

    Below are links to the first 100 lines of source code from the files ipv6_tcp.c and ipv6_discovery_test.c."

    Apologies for any errors - my technical Russian's a little rusty. :)
  • Go for it Cisco (Score:4, Insightful)

    by Stokey ( 751701 ) on Monday May 17, 2004 @06:28AM (#9171966)
    Just do it!

    Open source all your code. It's too late now (cat/bag/out of). Set an example to the rest of the business community.

    • ah, of course there was going to be a troll like this.

      the simple fact is, and as much as it pains me to say this, SECURITY BY OBSCURITY DOES WORK.

      now, before you turn on your flamethrowers, consider this: if cisco opened their source last year, would you have looked at it since then in a meaningful way? cisco employs dozens to hundreds of people who look at their source code all day every day. are you going to have such an interest in doing the same work that those people for real salaries for free?

      • Re:Go for it Cisco (Score:5, Interesting)

        by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Monday May 17, 2004 @08:23AM (#9172526) Homepage Journal

        SECURITY BY OBSCURITY DOES WORK

        *sigh* And, of course there's going to be a troll like this.

        No, it doesn't, but thanks for playing. See, someday maybe you'll learn the painful lesson that Cisco is learning now: Security Through Obscurity only works as far as your REAL security measures can protect it. Gee. Looky there. Cisco's cat just left the bag, and why? Becuase the network security wasn't strong enough to protect it. All these years of obscurity are now on the brink of becoming completely worthless because the REAL protection wasn't there just long enough to let it happen. The second that code hits a public FTP server, STO at Cisco became absolutely useless.

        But, hey. If you want to rely on STO for anything more than your last line of defense, be my guest. Just promise me you won't be mad when I laugh at you for getting burned by it.

      • Sure, the black hats will be all over this like flies on p00p.

        But so will the white hats, and the gray hats.

        For both the white and gray hats, finding a weakness is their ticket to 15 minutes of fame. "Slightly shady" companies like eEye or @stake got their starts as hacker groups that found profit in promoting their l33t ski11z by discovering and announcing vulnerabilities. They found that while hacking for bragging rights is really fun, turning that newfound glory into IPOs was really, really a great

  • Lemme guess (Score:3, Funny)

    by eclectro ( 227083 ) on Monday May 17, 2004 @06:29AM (#9171971)

    The password they used to get access to the crown jewels was ciscokid

    Pretty 133t if you ask me.
  • what the fuck? (Score:5, Insightful)

    by CAIMLAS ( 41445 ) on Monday May 17, 2004 @06:30AM (#9171973)
    Two direct links on the front page of slashdot to (literally) stollen IP?

    I wonder if Slashdot will get in trouble with Cisco for this? The moderators could have at least have checked the links, no?
    • More specifically, links to external articles that include the source. Those external sources could be taken down, but Cisco is going to be more concerned about the OTHER 797.5MB of source, not what Slashdot links to.
    • We have the right to create deep links... and this is some pretty deep stuff!
    • Technically, it's not stolen IP. Apart from the fact that it's not _stolen_ anything (since you can only violate copyright, not steal it), semantics aside it's only _allegedly_ copied code.

      Pending confirmation from Cisco, it's at best a pointer to where you can find something which is purported to be part of something which someone says might be covered by somebody else's IP.

      There's enough uncertainty in there to be perfectly safe. Even were it confirmed, I don't think Cisco's in the mood for a DeCSS-go-r
      • "Technically, it's not stolen IP. Apart from the fact that it's not _stolen_ anything (since you can only violate copyright, not steal it), semantics aside it's only _allegedly_ copied code."

        Holy shit! Bill Clinton posts on /.
  • by Anonymous Coward
    This is not the first time that IOS code is circulating. Previous versions were available at least for the last five years.
  • Hmmm i wonder when the linux kernal source code will be stolen? oh yeah! never!
    • it's been stolen several times, just ask SCO..

      No seriously. It is somethign when everyone else is afraid of the source code being leaked into public domain/view when linux proudly places it there and begs for people to point out the flaws.

      I don't think there is any serious trade secrets that can't be protected by other means (legaly) that cisco would be huhrt if they opened up thier source and offered a bounty od lets say $50 to anyone (or thew first persons) finding a hole in it. Then maybe thier slef p
  • by RedShoeRider ( 658314 ) on Monday May 17, 2004 @06:41AM (#9172003)
    Thus far, I find it odd no one has inquired as to the exact nature of how the hell someone got so far into the system as to be able to copy source code. That's not something any company leaves sitting in /pub. Whomever pulled this off (assuming it's not bullshit) knew something (social engineering, perhaps), for I'm sure Sisco has been hammered by attacks for years, just like any large company.

    My one thought: it's all bullshit until Cisco comes out and says they were hacked. Anyone can put together a bunch of seemingly well-written code and say that they were l33t and got in to Cisco.

    The proof is in the pudding. And all I see so far is some sugar.

    • Anyone can put together a bunch of seemingly well-written code

      Many "professional" programmers can't, not at my company at least.

      Chris


    • Thus far, I find it odd no one has inquired as to the exact nature of how the hell someone got so far into the system as to be able to copy source code. That's not something any company leaves sitting in /pub.

      It's like some warped Stratego (TM) game, and the hackers have captured the flag.

      Now
      :
      1. The act of stealing it, sort of renders it useless, who would want a firewall that can be broken into an its own sources stolen.

      2. This embarrasement would have been circumvented if they had most of the code

    • This hit over the weekend, so I imagine that Cisco is still in damage control mode. A stratagy for dealing with this is shutdown ALL lines of communication and get the house in order before you talk to anyone.

      Besides, the story yesterday on /. had a link to an IRC brag. The guy got access to their network, and to their sourcesafe repository, hacked together his own faux sourcesafe client, and sucked the code out that way.

      It now being Monday (and 6:00 AM on Monday in California), it wouldn't supprise me
    • it's all bullshit until Cisco comes out and says they were hacked.


      So, using this logic all Cisco has to do is stay quiet, and this
      says they were never hacked?

      ya, That's bullshit alright.
  • by xplosiv ( 129880 ) on Monday May 17, 2004 @06:44AM (#9172014)
    Am I the only one who thinks this 'might' be a good thing? Cisco now has incentives to give their code another look and hunt down any serious bugs they might not know about yet, resulting in a more secure OS. I doubt it would happen, but it's what I would do if my source code was stolen.
  • by Anonymous Coward on Monday May 17, 2004 @06:47AM (#9172028)
    ..they would have noticed then if 800 MB was being downloaded.
  • Cizzz-coeee (Score:2, Funny)

    by caereth ( 645984 )
    Perhaps we will now see a Cizzz-coeee IOS source code detector van in the near future.
  • by RicoX9 ( 558353 ) <ricoNO@SPAMrico.org> on Monday May 17, 2004 @07:08AM (#9172110) Homepage
    I think that susceptibility will depend on what source was stolen. Was it the ENTIRE source? Or was it just pieces? They (the cracking types) may discover a hole in something that exists only in the Enterprise feature set, leaving most of the exposed routers on the Internet un-compromiseable (As most companies aren't going to pony up for the most expensive feature set when all they're doing is shuffling IP packets).

    Also could find a problem in basic TCP/IP code, making every Cisco router on the planet a revolving door. I find this scenario highly unlikely, as thier base code is probably a lot more stable and reviewed than the newer, more advanced features.
    • They (the cracking types) may discover a hole in something that exists only in the Enterprise feature set, leaving most of the exposed routers on the Internet un-compromiseable

      That's a good point. The IP code has likely been subjected to many uses, bugs, fixes, reviews and so on.

      IPX? DECnet? Appletalk? Those bits are less popular and probably have more potential problems, but have a much lower security exposure.
  • /*
    * Juniper engineers are weenies!
    */
  • by rainer_d ( 115765 ) * on Monday May 17, 2004 @07:08AM (#9172115) Homepage
    Buy shares in companies that deal or lease fax-machines !
    When the internet gets shut down for a maintenance-period, their business will go through the roof.
    And don't forget to reserve enough machines for yourself, or your business might go through the toilet :-)

  • Am I the only one wondering what on earth they are filling that much space up with?

    Seems bloated to hell to me - what exactly do these routers do that take so much code?
    • You are forgeting that IOS has to support a fairly wide range of harware and feature sets. Every router, switch, acesspoint etc. that cisco makes or has ever made has to have drivers in IOS

      For comparison, the Linux Kernel (2.6.6) is 34MB Bziped, 47MB unziped. It's likely that they are talking about 800MB of un-compressed code.
      Add on the size of all the userland programs like freeswan, webmin, telnet, openssh, openssl, tftpd, dhcpd, dpcpcd, ntpd, an ftpd, shorewall, etc. that would be needed for linux to ha
  • by Anonymous Coward on Monday May 17, 2004 @07:27AM (#9172224)
    Well ... is it not kinda strange? A few months back when the Windows code was leaked, most of Slashdot was screaming about 65,000(i dint cook that number!) Windows bugs. Well, nothing happened really. Except an IE 5.x bug, which was patched silently before the source code leak.

    Now lets compare the REAL security issues.
    1. The number of people who were dissecting the Windows Source Code are much more than those trying to find a Cisco hole.
    2. Even without the Windows Source, we can reverse engineer large parts of the Windows Sources and identify problems. With the leak it just became easier. I dont expect too many crackers trying to find holes in Cisco's IOS.

    This simply means that the chances of finding a security hole in Cisco is much higher than in Windows. Because now that the source is out in the open, its easier. Why would they choose to look?

    1. Bringing down those routers could virtually bring down most of the internet.
    2. The entire financial world uses them! If a hole is discovered it might just be the easiest way to get into those systems.
    3. It could be easier than trying to find a Windows hole, since (as from my earlier logic) many many people have already tried without results.
    4. The damage that could be done in those 2 cases are so immense, that a comparison would be irrelevant. ... Slashdotters, cant it be just possible that this leak might be much more disastrous that the Windows leak.

    [Troll: Btw ... its funny reading that Windows article again, and going through posts that talked abt non-existant security in Windows. And how many holes did people find.]
  • Again? (Score:2, Informative)

    by gkelman ( 665809 )
    The source code to IOS was floating round the net about 5 years ago. Obviously not the same as the latest version...
  • "OMG! What if this happened to Mandrake or SuSE?"
  • Code theft? (Score:5, Insightful)

    by Mr Smidge ( 668120 ) on Monday May 17, 2004 @08:00AM (#9172403) Homepage
    Slashdot labels a story as theft when no portion of the source code was removed from Cisco's computers? Never!

    No, I'm afraid this is not 'theft'.

    Theft must incorporate a desire to deprive the rightful owner of said taken item(s). Surely we know this by now?

    Stealing, yes. Theft, no.

    </PEDANT>
    • Isn't it actually spying? When a spy takes snapshots of secret documents, he's not stealing them. He just changes their nature from "SECRET" to "LETS PRETEND IT NEVER HAPPENED" (aka. "TOP SECRET"). But stealing?

  • by Anonymous Coward on Monday May 17, 2004 @08:13AM (#9172456)
    I've looked at the sources on display at the russian site [IPv6 sources], that pretend to be from the IOS. Several things took my attention:
    1. Since when programmers, working for a serious company, write copyright notices for themselves in the header... Like if you work for, let's say, SCO (ha-ha), you will put in the header copytight by you, and then - who knows - might sue SCO for stealing code from you :)
    2. printf("\nAdding %P to ND cache", &target);
    The ND cache is really connected to neighbor solicit messages, but would the Cisco IOS be printing a message, saying that it is adding the address to the ND cache without checking debug flags, etc.? And I am sure it is not a matter of system design in this case. You cannot get the impression just from one tiny piece of code.
    3. Some post here were stating... "root" access, which certainly made me smile. The IOS is running cooperative multitasking and the tasks usually run at the same level.
    4. Ole Troan really works for Cisco Systems (in UK) and is the proud author of the IPv6 DHCP RFC specification 3633. So this is an argument that supports a little bit of the theory. Just didnt think that Cisco still has developers in UK. I thought they outsourced everything to India long time ago ;)))
    There are some more, but I'll save you the tiny details, like big endian or other nifty stuff in the code.

  • by ThisIsFred ( 705426 ) on Monday May 17, 2004 @08:16AM (#9172471) Journal
    Does this code contain the infamous "backdoor" account ever present on certain Cisco devices? It should would be worth a criminal's time to get a hold of that. Think of all the other information he could steal once he knew that.
  • If it was the only copy of source code, then yes it was stolen. Otherwise it should be copyright infringement. After all, this is our claim regarding illegally downloaded music. Its not stolen. It's copyright infringement.
  • Call me crazy or mod me down, but I'm positive that this has something to do with CICSO's previous tussle with the GPL [linuxworld.com] .

    I can only assume one of two things:

    1. CICSO's use of code that's open to just anyone allowed a "hacker" to access vulnerabilities in its systems.
    2. Due to its earlier minor and well-intentioned misstep, some GNUlatic decided to take revenge on CICSO.

    In either case, this sends a loud and clear message to all businesses out there: messing with GPL code will get you burned, and burne
  • by jkabbe ( 631234 ) on Monday May 17, 2004 @09:29AM (#9173147)
    Who would use critical hardware from a company that can't even decide where to put their curly-braces? Are they at the end of the line or on a line by themself? Make up your frickin' mind!!
  • by aminorex ( 141494 ) on Monday May 17, 2004 @10:08AM (#9173529) Homepage Journal
    In fact, the owner was never deprived of the use
    of their putative property. Thus, no code was stolen.

"Someone's been mean to you! Tell me who it is, so I can punch him tastefully." -- Ralph Bakshi's Mighty Mouse

Working...