Possible Cisco Source Code Theft

OmegaBlac writes "According to Ars Technica, a Russian security site is claiming that Cisco's corporate network was comprimised and about 800MB of Cisco's source code for IOS Operating System version 12.3 was stolen. I guess Cisco forgot to implement their own Self Defending Network solutions."

Stolen from the #1 Security Company?

[imidazole2]

Whats the deal with that!?

if true, this could cause big problems not only for Cisco, but for the entire Internet. Cisco routers are responsible for routing much of the Internet's traffic, and the company has long practiced a policy of "security through obscurity."

We're all screwed.

Re:Stolen from the #1 Security Company?

[Knightmare]

Cisco is far from the #1 security company. There has been very little emphasis on security at Cisco until the last few years. As would be evident if you have used any of their products. 90% of their products don't come standard with SSH, they all still use telnet. But for an extra fee you can install SSH, that is if you buy enough ram for the router to support that code load...

I think Cisco is working to change their security stance but, that takes time and lots of money. The money part they have covered, Cisco has an over 3 billion dollar R/D budget and if I remember correctly 2 billion of that is focused on security right now.

Closed source vs Open source

[Ckwop]

One (of the many) problem(s) with the closed source business model is the fact that the entire company can depend on this intellectual property. The security surrounding that source has to be so huge that the problem quickly becomes intractable.

Open source however, by virtue of it being free (as in Iraq hehe), is worthless. Support contracts are alot harder to steal :P

Let's not forget that open source provides robust security (in principle) where as for closed source we can never be sure.

Why do we still use so much closed source stuff :/
Simon.

Re:Closed source vs Open source

Because we (people) like making money. Life sort of works that way, you know?

Re:Closed source vs Open source

[m1chael]

It's all about being selectively open.

Re:IOS OS

[JohnFluxx]

Don't touch it, don't see it, don't breathe near it, if you ever plan on contributing to linux.

Leaked code is very dangerous to open source software.

Other vendors

[Quill_28]

What about other companies that supply cisco with software?

This could hurt more than just cisco.

Re:WARNING copyrighted source samples ahead!

[sydb]

I spotted a printf, which seams odd for an IPV6 stack or part of an OS

IOS does interact with the user through a terminal session so printfs aren't all that unlikely.

Of course they ought not to be in the IPv6 stack. Unless they populate packets as formatted strings.

Heh...

Let's not forget that open source provides robust security (in principle) where as for closed source we can never be sure.

Why do we still use so much closed source stuff :/

SO, if you don't like it, you go out and make an OS for the Cisco routers and put it out for free - go ahead, no one is stopping you. Or go out and try and convince everyone to use your little Linux boxes as routers...oh, wait, there's just as many security issues in Linux as there are in Windows..

But wait, there's more! With IOS, there's a small set of software that can cause trouble. Using something else, esp based on Linux, can cause even more problems - they can gain access by any other means, shutdown or change some OTHER critical system, and it shutdown the routing...Use your frickin head.

Re:Heh...

[sesaetaen]

SO, if you don't like it, you go out and make an OS for the Cisco routers and put it out for free - go ahead, no one is stopping you.

Apart from the fact that CISCO does not provide the necessary hardware specs, nor development kits for their products?

blabla ... Using something else, esp based on Linux, can cause even more problems - they can gain access by any other means, shutdown or change some OTHER critical system, and it shutdown the routing...Use your frickin head.

Billy? Is that you?

Re:IOS OS

[Ithika]

Surely that's only the case if being covered by software patents... which I think the general consensus in the Linux devlopment world is that's a Bad Thing(tm). Whether they will apply in Europe is still being discussed.

Copyright-protected code is obviously not allowed, but as long as there's a way of implementing the same thing in a different manner (always assuming that European s/w patents don't get ratified) I fail to see any issue in understanding how some other piece of software works.

The whole SCO debacle has done more than just piss everyone off, there's been a remarkable amount of reticence to learn from code that isn't Free. By that very logic authors shouldn't be allowed to read books and composers should be banned from listening to music.

--
This has been a scatterbrained post on behalf of the Poorly Thougt-out Argument Party

Re:This has happened before

[Dave2+Wickham]

Actually that wasn't the full Win2K source, and an exploit based on being able to see the code was released (see "Exploit Based On Leaked Windows Code Released").

Theft? Wasnt there a backup?

[nurb432]

You would think that a company as large as CISCO would have had a backup.

I cant belive it was 'stolen' from them.

Yes that was sarcasm. Just pisses me off how the world 'theft' is perversed when it comes to digital content.

They COPIED it people. It wasnt STOLEN. ( yes, still illegal, but much different of a concept )

Re:Theft? Wasnt there a backup?

[toddlg]

http://dictionary.reference.com/search?q=steal&r=6 7
steal ( P ) Pronunciation Key (stl)
v.

1. To take (the property of another) without right or permission.

http://dictionary.reference.com/search?q=theft&r =6 7
theft ( P ) Pronunciation Key (thft)
n.

1. The act or an instance of stealing; larceny.


Just pisses me off how the world 'theft' is perversed when it comes to digital content.

They COPIED it people. It wasnt STOLEN. ( yes, still illegal, but much different of a concept )

Care to explain to me how copying vs. stealing/theft is a much different concept? How does this perverse the definition of theft?

If I break into your computer and digitally copy important/valuable information off of it, what's the first term to come to mind about what I did? That I "copied" your stuff or that I "stole" your stuff?

COPYING is the method that they used to STEAL Cisco's stuff. Stealing is a violation of property rights (intellectual or otherwise). Copying is a way to steal IP. Whether IP/Copyright laws need to be revisited in a digital age is a topic talked about elsewhere...

Re:Stolen...?

[Waffle+Iron]

Actually, it is appropriate to say that something was "stolen" in this case. That's because Cisco's code was supposed to be secret. Once their network was compromised, the secrecy is eliminated, and Cisco no longer has a secret. That's why it's common usage in English to say that somebody "stole a secret".

This is different from calling illegal file sharing "stealing", where the information being appropriated has already been openly published. An illicit activity is taking place, and it may (indirectly) economically damage the artist or publisher. However, that is no more stealing than any number of other illegal acts that cause economic damage, such as vandalizing their offices or phoning in a false bomb threat.

Re:WARNING copyrighted source samples ahead!

No they don't: one is a *test* of IPv6 functions, so there is a printf.

Agreed, also the code is indented, but rather then using a pre (formated) tag the newlines have been replace by br`s in the .ru site. The spaces are still there to be restored. I guess I just didn`t wan`t to believe this.

Re:Open source safer ?? doubtful

[mikep.maine]

Let's not forget that open source provides robust security (in principle) where as for closed source we can never be sure.

Software is only secure when specific security tests are performed against it. Almost no one does much of this, or even understands it well. I doubt that in 1000 readers, more than 5 could recite the top 5, never mind the top 20 tests you must perform.

Open source is also not inherently better at security because of it must be peered reviewed. If the reviewer doesn't know what to check, then what is the point of the review?

Software must be security certified by professionals, whether open or otherwise.

Re:Stolen...?

[horza]

How can the source code be stolen, when Cisco still has it?

How can you have identity theft if you are still you?

Phillip.

Re:Thats not all it does.

[$0+31337]

My ice coffee just shot out of my nose all over the fucking monitor... great comment :)

Makes perfect sense to me.

One thing you learn in the IT industry real quick is the cobbler's sons are the last shod.

Re:This has happened before

[AaronW]

Good luck. Where I work we legally have access to Cisco IOS, although we're very strict and only a handful of engineers have the permissions to access it (me being one of them). The code is very clean and when I've browsed it looking to see if there's any exploits, I have thus far come up empty. The code does not look like the Microsoft code I've seen, which tends to be overly complex IMO. That's not to say we don't find bugs in Cisco's code, but generally it's very high quality.

Re:This really means nothing.

[Kenja]

Thank god there aren't a bunch of old routers out there being used by people who think they are still secure.