Slashdot Mirror
Possible Cisco Source Code Theft
OmegaBlac writes "According to Ars Technica, a Russian security site is claiming that Cisco's corporate network was comprimised and about 800MB of Cisco's source code for IOS Operating System version 12.3 was stolen. I guess Cisco forgot to implement their own Self Defending Network solutions."
I've worked there as a temp in 2000-2001 and the corporate network resources sure didn't seem to be that well protected... But I won't elaborate.
How can the source code be stolen, when Cisco still has it?
IOS 11.3 source is definitely in the wild - I think there is a copy of it around here somewhere. I've contacted Cisco on it and they're so excited they can't even get someone from law enforcement to come and talk to me about the information on the guy who sent it to me.
11.3 is ancient history, but 12.3 is bad bad bad
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
The rusian site contains samples of the source claimed stolen!
If these are authentic (which I personally begin to doubth more and more) then looking at them may be problematic if you ever intend on working on IPV6 stacks from someone else then cisco. (OpenBSD?)
Now I did have a peek at that code and I can tell it looks very fake (Obiously *don`t* take my word for it and think its safe to ignore my warning!)
Also at the forum of the .ru site there is a post from someone who claim the word on the IRC channel on which the story originates is that this is a fake.... But I am not touching that channel.
This is one of the companys that helpped make the Internet what it is today.
(I'm not talking about spam, trolls or worms)
They have the experence to know what can or can not happen.
Sure they use obscurity but I doupt they believe it to be a sereous security layor. Instead they probably have experts pooring over ios every day.
It is possable to have "Many Eyes" while remaining closed. Just have many expert eyes constantly on the code instead of many more untrainned eyes occasionally disecting the code.
It's expensive so don't expect it to happen too often.
Microsoft delutes itself into thinking that is what they have with a team of programmers working on the code. But in reality the only people who actually see the code is the original coder and a code verifier. Just two people for every segment of code.
But I would guess Cisco uses the expensive version of Many eyes that we get for free in open source.
I don't actually exist.
This reminds me of the buzz that surrounded MS's source code theft/leak. There are a couple of different things being discussed here.
First there are the security implications. Having the source out there for all to see isn't the endgame for the internet people, with MS people thought it was a big issue because their code is, well... crappy. I don't think this is true with Cisco, and unless there are some very obvious and very damaging security holes the internet will live to see another day, so all you doomsayers out there screaming that the world is coming to an end... settle down.
It does highlight once again the shortcomings of a security through obscurity model, but let's not go down that road again.
The second thing, which is where the story really lies, is how this could have happened. It's Cisco after all, how could their network be compromised? Probably someone there really dropped the ball. Any specifics on how this happened?
Cisco's IOS is full of uncdomented commands. An old list is available on my site
http://boerland.com/dotu.
So opening the code might reveal more undocumented commands.
(btw: I will migrated this data towards a real CMS as hosted at home; http://willy.boerland.com/myblog.)
-- for undocumented cisco commands, take a peek @ dotu
A quick google search on 'Ole Troan' leads to Cisco Systems, Inc. 250 Longwater Avenue Reading RG2 6GB United Kingdom If this is a fake, then at least these Russians did their homework. :-)
As anyone who works for an ISP of any size and importance will tell you, Cisco routers don't do much when it comes to the big, hard-core routing that takes place at the NAPs or even at aggregation points. Their products have historically not been up to par for the high-end demands in these environments.
If a Juniper bug comes out, then it's time to be concerned about pieces of the Internet falling off. But then this is mitigated because there are relatively few aggregation points that can be upgraded hopefully quickly.
Sure, a large Cisco IOS bug will hit mom and pop and small to medium business, but the big boys just don't use Cisco.
wouldn't the comparision be to not read stolen books, and not listen to stolen music?
I agree with nettdata, Cisco has one of the only certification programs out there that actually means something. Granted, though, this is more true for CCNP/CCDP and CCIE certs, and not so much CCNA.
My company sent me to an NT class once that was part of an MCSE track. The instructor was an absolute moron, and the MCSE-track students even worse. One student was *bragging* that he had spent 'only' about $18k so far. He immediately followed up lamenting about having to finish within the next month, though, because MS was about to expire his current MCSE track. If he didn't take the exam and pass, he'd have to re-take every class and exam he had done so far.
Morons...
Care to share what those tests are?