Possible Cisco Source Code Theft
OmegaBlac writes "According to Ars Technica, a Russian security site is claiming that Cisco's corporate network was compromised and about 800MB of Cisco's source code for IOS Operating System version 12.3 was stolen. I guess Cisco forgot to implement their own Self Defending Network solutions."
What's the deal with that!?
If true, this could cause big problems not only for Cisco, but for the entire Internet. Cisco routers are responsible for routing much of the Internet's traffic, and the company has long practiced a policy of "security through obscurity."
We're all screwed.
-Imidazole2
One (of the many) problem(s) with the closed source business model is the fact that the entire company can depend on this intellectual property. The security surrounding that source has to be so huge that the problem quickly becomes intractable.
:P
:/
Open source however, by virtue of it being free (as in Iraq hehe), is worthless. Support contracts are a lot harder to steal.
Let's not forget that open source provides robust security (in principle) where as for closed source we can never be sure.
Why do we still use so much closed source stuff
Simon.
This did actually happen. A friend in an IRC channel I frequent was pasting large portions of it to show off.
:(
I can't help but see a nearby future full of Cisco-powered site takeovers
Vonal Declosion
[Russian-language post; the Cyrillic text did not survive extraction, leaving only these fragments:]
CISCO IOS?
SecurityLab, 13 2004: CISCO IOS 12.3, 12.3t, CISCO, 800
Cisco System
franz, #darknet@EFnet IRC (2.5)
100, ipv6_tcp.c, ipv6_discovery_test.c
Hope that helps!
Yours Sincerely, Michael.
I've worked there as a temp in 2000-2001 and the corporate network resources sure didn't seem to be that well protected... But I won't elaborate.
I use windows RRAS as my router and not the damned (potentially) insecure Cisco kit ;-)
.. "ha-HAAH" .. a la Nelson.
Darl??
"Hey! Unless this is a nude love-in, get the hell off my property!!"
What kind of OS is this? Embedded I would assume. If not, what kinds of things can we do with it now that it's in the open, assuming one were to get a copy?
This could actually be good... I have been fighting with bugs in IOS a long time, and the big difficulty is in trying to describe an infrequently occurring problem to them in sufficient detail.
(combined with their haughty attitude)
Usually the only result of an afternoon-long effort of describing a problem and documenting it with traces etc is "need more information".
When the source would be publicly available, it might be possible to find the actual bug and send them the patch.
How can the source code be stolen, when Cisco still has it?
IOS 11.3 source is definitely in the wild - I think there is a copy of it around here somewhere. I've contacted Cisco on it and they're so excited they can't even get someone from law enforcement to come and talk to me about the information on the guy who sent it to me.
11.3 is ancient history, but 12.3 is bad bad bad
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
Slashdot: Read today's ArsTechnica tomorrow!
The Russian site contains samples of the source claimed stolen!
If these are authentic (which I personally begin to doubt more and more) then looking at them may be problematic if you ever intend on working on IPv6 stacks from someone other than Cisco. (OpenBSD?)
Now I did have a peek at that code and I can tell it looks very fake (Obviously *don't* take my word for it and think it's safe to ignore my warning!)
Also at the forum of the .ru site there is a post from someone who claims the word on the IRC channel on which the story originates is that this is a fake.... But I am not touching that channel.
... that their remote access software had a default username/password built in that couldn't be disabled. A high-level Cisco executive has threatened to sue the software providers for including such a stupid 'feature' in their product
This is one of the companies that helped make the Internet what it is today.
(I'm not talking about spam, trolls or worms)
They have the experience to know what can or cannot happen.
Sure they use obscurity but I doubt they believe it to be a serious security layer. Instead they probably have experts poring over IOS every day.
It is possible to have "Many Eyes" while remaining closed. Just have many expert eyes constantly on the code instead of many more untrained eyes occasionally dissecting the code.
It's expensive so don't expect it to happen too often.
Microsoft deludes itself into thinking that is what they have with a team of programmers working on the code. But in reality the only people who actually see the code are the original coder and a code verifier. Just two people for every segment of code.
But I would guess Cisco uses the expensive version of Many eyes that we get for free in open source.
I don't actually exist.
What about other companies that supply cisco with software?
This could hurt more than just cisco.
Seriously, A friend of mine, in an icq conversation told me it wasn't true. Plus my mom said so as well.
This reminds me of the buzz that surrounded MS's source code theft/leak. There are a couple of different things being discussed here.
First there are the security implications. Having the source out there for all to see isn't the end of the Internet, people; with MS people thought it was a big issue because their code is, well... crappy. I don't think this is true with Cisco, and unless there are some very obvious and very damaging security holes the Internet will live to see another day, so all you doomsayers out there screaming that the world is coming to an end... settle down.
It does highlight once again the shortcomings of a security through obscurity model, but let's not go down that road again.
The second thing, which is where the story really lies, is how this could have happened. It's Cisco after all, how could their network be compromised? Probably someone there really dropped the ball. Any specifics on how this happened?
Let's not forget that open source provides robust security (in principle) where as for closed source we can never be sure.
:/
Why do we still use so much closed source stuff
SO, if you don't like it, you go out and make an OS for the Cisco routers and put it out for free - go ahead, no one is stopping you. Or go out and try and convince everyone to use your little Linux boxes as routers...oh, wait, there are just as many security issues in Linux as there are in Windows..
But wait, there's more! With IOS, there's a small set of software that can cause trouble. Using something else, especially based on Linux, can cause even more problems - they can gain access by any other means, shut down or change some OTHER critical system, and it shuts down the routing...Use your frickin head.
we get to see that 1/2 of their code was GPL'd open source that they were using illegally?
HAHAhahahaha..
Cisco's IOS is full of undocumented commands. An old list is available on my site
http://boerland.com/dotu.
So opening the code might reveal more undocumented commands.
(btw: I will migrate this data towards a real CMS as hosted at home; http://willy.boerland.com/myblog.)
-- for undocumented cisco commands, take a peek @ dotu
A quick google search on 'Ole Troan' leads to Cisco Systems, Inc. 250 Longwater Avenue Reading RG2 6GB United Kingdom If this is a fake, then at least these Russians did their homework. :-)
Don't you mean Liberated?
You would think that a company as large as CISCO would have had a backup.
I can't believe it was 'stolen' from them.
Yes that was sarcasm. Just pisses me off how the word 'theft' is perverted when it comes to digital content.
They COPIED it people. It wasn't STOLEN. ( yes, still illegal, but much different of a concept )
---- Booth was a patriot ----
As anyone who works for an ISP of any size and importance will tell you, Cisco routers don't do much when it comes to the big, hard-core routing that takes place at the NAPs or even at aggregation points. Their products have historically not been up to par for the high-end demands in these environments.
If a Juniper bug comes out, then it's time to be concerned about pieces of the Internet falling off. But then this is mitigated because there are relatively few aggregation points that can be upgraded hopefully quickly.
Sure, a large Cisco IOS bug will hit mom and pop and small to medium business, but the big boys just don't use Cisco.
Software is only secure when specific security tests are performed against it. Almost no one does much of this, or even understands it well. I doubt that in 1000 readers, more than 5 could recite the top 5, never mind the top 20 tests you must perform.
Open source is also not inherently better at security because it must be peer reviewed. If the reviewer doesn't know what to check, then what is the point of the review?
Software must be security certified by professionals, whether open or otherwise.
Mike www.sharecube.com
Embedded software companies use versions of GCC with buggy optimisers in them, and they won't give us the source code so we can find out what the bug is!
Of course, I'm not going to downplay the effects this could have for Cisco and in the long run for possibly tainted opensource projects.. The comments in here speak for themselves that people can't keep their hands off the source-code.
I've seen the 12.3 source code before, under NDA, and several institutions outside of Cisco have legal access to it. Several universities, most of the larger security firms such as ISS and whatnot have had access to it for years. So it's been combed through pretty well before. Sure there might be an odd exploit released from this source, but I don't count it as very probable, and certainly not as a threat to Internet stability.
"I guess Cisco forgot to implement their own Self Defending Network solutions"
No they did implement it. But when it found out that it was outnumbered by the hackers, the self-surrender module (also known as the French module) went into effect.
Cisco had already announced a few weeks ago that version 13 of IOS was coming out and in June they were going to dump IOS fully for a totally new OS for their routers that was going to be pluggable and more secure
http://news.com.com/2100-1033_3-5210745.html
There is a good chance that this leak came from one of the 'partners' in china that Cisco uses.
China doesn't have the same regard for foreign IP that the USA does.
Seriously, A friend of mine, in an icq conversation told me it wasn't true. Plus my mom said so as well.
Translation: Accept information only from Official Sources(tm).
Any reports, of any event, not vetted by Your Official Corporate Public Relations Officer(tm) isn't real and has no validity.
Do not accept word of mouth. Healthy skepticism is not sufficient (for the facts may speak for themselves and undermine Our Official Position(tm)); you are to ignore any anecdotes, any word of mouth reporting, completely and utterly.
Indeed, you shall respond to any unofficial information with disparagement and hostility, as is your duty as a drone Consumer(tm).
Accept the Party Line. It is the Truth(tm), all else is Heresy.
Thank you.
Your Cisco Security.
("Stooges R Us")
The Future of Human Evolution: Autonomy
If one was to go to Cisco's Network Academy and log in, one would find (if they were using a packet sniffer) that the passwords are in clear text.
When this was brought to cisco's attention the reaction was it was not worth fixing.
What a great way to start teaching the next generation.
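The poster's observation above is a classic one: a login form submitted over plain HTTP, or HTTP Basic authentication (which is base64 encoding, not encryption), hands the password to anyone on the path with a sniffer. The following is an added example, not code from the original thread or from Cisco, showing the detection side: given a captured TCP payload and its destination port, it parses the HTTP request and reports password-like form fields and Basic credentials that crossed the wire in the clear. The sample requests and the hostname `academy.example.invalid` are constructed for the example.

```python
"""Flag HTTP logins whose credentials cross the wire in cleartext.

Added example: feed it the reassembled TCP payload of a client request (for
instance, from a sniffer on the same segment) and the server port. Anything
returned is a credential an eavesdropper could read directly.
"""
import base64
import binascii
from urllib.parse import parse_qs

# Form field names commonly used for the secret half of a login.
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}

# Constructed sample captures (not real traffic). Hostname is made up.
SAMPLE_FORM_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: academy.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"username=student&password=s3cret"
)
SAMPLE_BASIC_AUTH = (
    b"GET /grades HTTP/1.1\r\n"
    b"Host: academy.example.invalid\r\n"
    b"Authorization: Basic c3R1ZGVudDpzM2NyZXQ=\r\n"
    b"\r\n"
)


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Raises ValueError if the payload does not look like an HTTP request line.
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)  # ValueError if not 3 parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Trust Content-Length only as an upper bound on what we inspect.
    try:
        length = int(headers.get("content-length", len(body)))
    except ValueError:
        length = len(body)
    return method, path, headers, body[:length]


def find_cleartext_credentials(payload: bytes, dst_port: int):
    """Return a list of (source, value) pairs for credentials sent in the clear.

    A TLS connection (port 443 here) carries an opaque payload, so there is
    nothing to read and the function returns [] for it.
    """
    if dst_port == 443:
        return []
    try:
        method, _path, headers, body = parse_http_request(payload)
    except ValueError:
        return []  # not HTTP/1.x, nothing to parse

    findings = []

    # HTTP Basic auth: base64 is reversible, so "user:pass" is effectively plaintext.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            creds = base64.b64decode(auth[6:].strip(), validate=True).decode("latin-1")
            findings.append(("authorization", creds))
        except (binascii.Error, ValueError):
            pass

    # Form login: password-like fields in a urlencoded POST body.
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        for name, values in fields.items():
            if name.lower() in PASSWORD_FIELDS:
                findings.append((name, values[0]))

    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_FORM_LOGIN, SAMPLE_BASIC_AUTH):
        for source, value in find_cleartext_credentials(sample, 80):
            print(f"cleartext credential via {source}: {value!r}")
```

Running it against a real capture means reassembling each client-to-server TCP stream first (scapy or tshark will do that) and passing the bytes in; the fix on the server side is the same whichever way the credential leaks, which is to serve the login over TLS only.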
"Certified Professionals" , right because we all know just how well "certification" works.
Now well trained professionals might make better sense.
Open source also ensures the access of real professionals rather than "certified professionals"...
Note to Mods: When I post mirrors, it's a best guess. I don't know for certain whether or not the site will go down!
Here's to poverty Ralph!
IOS source code is no big deal. It's Cisco's hardware implementation and architecture that is the real interesting part. At least for the core router functionality. Some fringe aspects would be interesting to study, but it's not really that critical.
cpghost at Cordula's Web.
One thing you learn in the IT industry real quick is the cobbler's sons are the last shod.
Does the word 'theft' really fit in here?
I mean, didn't they just copy the sourcecode?
Or did they remove the sourcecode from the server after the transfer?
On a side note, everyone on IRC/BitTorrent seems to be excited about a new leak of the NT Source Code, this time only the Kernel. Found a screenshot here: http://members.tripod.com/WinAlOS/Screenshot/source.jpg
It's on SuprNova and TorrentReactor...
Wow, that OS must have a teeny footprint, at a mere 800 Megs for the source code!
Just one more reason why OpenBSD is a better solution than other small-midrange under performing, less secure, overly priced, overly patent encumbered Cisco garbage.
Woooo!
I'm working for my CCNA, and this crap keeps happening? Hell, we learn how to make sure events like this don't happen.
the source code should have been on a server on a separate subnet than the rest of the network, or on its own private network that has no access to the internet..
putting internet access to anything is a sure fire way of getting hacked at one point or the other. so if you have really sensitive data, NEVER put it on a network that's connected to the net.
it's like having a screen door on a vault filled with raw meat with a hungry bear on the other side.
... and I haven't a clue, quite frankly, it does present an interesting conundrum.
Cisco's software has been one-plussed and customised so many times to meet (perceived) marketing necessities that it is very hard to maintain - because so many distinct variants (often specific to a customer) are live in the field.
On the one hand, this makes for a certain amount of resilience to attack, since there is not quite the monoculture that might at first appear. On the other hand, if there are exploits in code which is common across the many variants, there is no straightforward way of issuing a patch, since so many different special builds would be required.
Although cisco have had some recent success in controlling their proliferating IOS code base, they've had several attempts at a unifying "next gen" architecture and it always so far seems to have eluded them.
This is always the crunch for "entrenched" systems suppliers: how do you keep your existing customers happy and innovate at the same time.
Maybe having the code on sourceforge wouldn't be such a bad idea...
When you take intellectual property without paying for it, you have stolen intellectual property. Same reason Slashdot reports on "GPL theft" (violating the copyright of the GPL), not to mention identity theft.
Why Slashbots continue to be hung up on the use of this simple word which describes a simple violation of the law amazes me. Anything to argue, I guess. Or remove the stigma of "thief" from an online pirate (which is the topic where this argument comes from).
Funny, I clicked the Penny Arcade link in your signature and I was greeted by a pageful of "Warning: mysql_connect(): Can't create a new thread (errno 12)."
"Slashdot: the bitter truth" indeed.
Prescriptive grammar:linguistics
...IOS is as expensive as it is, not so much in money, but more in the idea of having to go as far as selling your soul to them to get it (read: contracts that carry the threat of taking away the security of your network). Given the situation, I'm very glad this happened - since I'd not mind taking a good look at this myself.
"Forget the engineers." -Carly Fiorina, briber of MIT Technology Review.
"Certified Professionals" , right because we all know just how well "certification" works.
Actually, Cisco Certification is probably one of the very few certifications that I will trust.
It ain't your typical MCSC / crackerjack box certification process.
$0.02 (CDN)
I agree with nettdata, Cisco has one of the only certification programs out there that actually means something. Granted, though, this is more true for CCNP/CCDP and CCIE certs, and not so much CCNA.
My company sent me to an NT class once that was part of an MCSE track. The instructor was an absolute moron, and the MCSE-track students even worse. One student was *bragging* that he had spent 'only' about $18k so far. He immediately followed up lamenting about having to finish within the next month, though, because MS was about to expire his current MCSE track. If he didn't take the exam and pass, he'd have to re-take every class and exam he had done so far.
Morons...
So if they snagged 800MB of code it's hard to believe that they didn't get everything including years of revisions.
Did somebody grep for "Juniper coders are weenies?"
bash$
Care to share what those tests are?
I agree with nettdata, Cisco has one of the only certification programs out there that actually means something.
I wouldn't necessarily agree with this. The last place I worked, I worked in a LAN/WAN group, and I - with no certs - was teaching IP subnetting to CCIEs! And, I'm talking about guys whose 4-digit CCIE numbers start with 3. Now, I haven't even gotten into discussing CCNPs who would ask for my help regarding basic frame relay troubleshooting nor the CCNAs who don't even know the OSI model. Let's just say that the certifications of any stripe don't really tell the tale.
In other words, don't be in awe of someone's cert - even if he has multiple CCIEs, because all that means is that he/she has studied for a test.
"Good, Fast, Cheap: Pick any two" -- RFC 1925
It's the only solution to security of source. Write-only code. Aka, write-once, read-never. Or, more accurately, write-once, read-never, execute-only.
With this approach there is NEVER a chance that your IP can be taken. It just can't.
(This has nothing to do with C++. While it's true that C++ is a KIND of write-only language, this isn't the one I was referring to.)
--
"It is now safe to switch off your computer."
Right. Hard one to believe.
Try verifying these 'CCIE's' with Cisco and see if they actually are certified with it. A CCIE who doesn't know subnetting is like Isaac Newton not knowing basic arithmetic.
I hope in a sick way, that the cisco code or its analysis is posted somewhere online. People can then compile it for x86 machines under Linux/BSD/someother crap to turn it into a high-performance cisco router.
I know Linux has its own routing tools, but the IOS has more features and too many net admins are used to its syntax. zebra is a nice attempt at cloning IOS, which itself is far more advanced.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
speaking as someone who works at an ISP, you have no fucking clue what you're spewing.
the big boys do use cisco. unless you don't count qwest, worldcom/uunet, sprint, at&t, etc. as "big boys".
juniper marketshare is slowly growing, but the majority of IXP traffic is still carried through cisco (switches, routers).
"Where I work we legally have access to Cisco IOS, although we're very strict and only a handful of engineers have the permissions to access it (me being one of them). The code is very clean and when I've browsed it looking to see if there's any exploits, I have thus far come up empty"
Sounds like the words of a Cisco employee to me..
thank God the internet isn't a human right.
I agree that some morons may have slipped through the cracks with a CCNP. But the CCIE cert costs $400-450 for the written test. Once you pass that, then you get the privilege of paying $1200+ for the hands-on exam. Until last year (i.e. when your 3000-ish CCIE took it), it was two days--now it's one day. They put you into a room full of various Cisco equipment--everything under the sun. They give you a set of scenarios, and you have to design and build the network properly.
During the two-day test, the second day the proctor would break your network in every way imaginable, and you had to fix it.
You simply can't fake out and pass a test like that. You have to know what you are doing to have any hope--unless you paid off the proctor, that is...
Well, I guess that Isaac Newton doesn't know basic arithmetic, because we've verified these guys. From their CCIE leather jackets w/ their CCIE numbers on it, to our company's Cisco account reps verifying their claims, to the CCIE database actually having them listed as a CCIE - these guys are, as those girls in O Brother, Where Art Thou would say, they're bonafide.
"Good, Fast, Cheap: Pick any two" -- RFC 1925
At the end of the day, you just have to face the fact that foo bar baz.
True. However, CCxx is far less difficult today than it was a few years ago.
QNX is amazingly efficient at doing I/O, especially when handling high interrupt rates. In 1983 I developed an application on QNX that could handle 12 dialup users at 2400 baud on a 4 Mhz 8086 CPU. And that was with one-char-per-interrupt 8250 UART chips.
..you know the stuff they printed out and scanned and put on a few hundred cd's, to comply to the letter of the court order. ;-)
Mod parent up, what he says is true.
It's different from other IP, because it's not published; it's a trade secret. Music files, binary executables, etc., aren't kept secret.
When someone reveals a secret, it's no longer a secret, so its secret-virginity has been lost; since being lost is a result of someone else's actions, there is good reason to call it "stealing."
I had but a simple dream, to destroy all humans.
IIRC, it was
user: admin
password: password
I had but a simple dream, to destroy all humans.