Slashdot Mirror


Possible Cisco Source Code Theft

OmegaBlac writes "According to Ars Technica, a Russian security site is claiming that Cisco's corporate network was compromised and about 800MB of Cisco's source code for IOS Operating System version 12.3 was stolen. I guess Cisco forgot to implement their own Self Defending Network solutions."

32 of 189 comments

  1. Stolen from the #1 Security Company? by imidazole2 · · Score: 5, Insightful

    What's the deal with that!?

    If true, this could cause big problems not only for Cisco, but for the entire Internet. Cisco routers are responsible for routing much of the Internet's traffic, and the company has long practiced a policy of "security through obscurity."

    We're all screwed.

    --

    -Imidazole2
    1. Re:Stolen from the #1 Security Company? by Knightmare · · Score: 4, Insightful

      Cisco is far from the #1 security company. There has been very little emphasis on security at Cisco until the last few years. As would be evident if you have used any of their products. 90% of their products don't come standard with SSH, they all still use telnet. But for an extra fee you can install SSH, that is if you buy enough ram for the router to support that code load...

      I think Cisco is working to change their security stance but, that takes time and lots of money. The money part they have covered, Cisco has an over 3 billion dollar R/D budget and if I remember correctly 2 billion of that is focused on security right now.

    2. Re:Stolen from the #1 Security Company? by Anonymous Coward · · Score: 3, Informative

      the company has long practiced a policy of "security through obscurity"

      Not really... every version of Cisco IOS since 6 has been leaked. The first time I've seen IOS source was probably 6-7 years ago. I'm not even sure why this is news.

  2. Closed source vs Open source by Ckwop · · Score: 5, Insightful

    One (of the many) problem(s) with the closed source business model is the fact that the entire company can depend on this intellectual property. The security surrounding that source has to be so huge that the problem quickly becomes intractable.

    Open source however, by virtue of it being free (as in Iraq hehe), is worthless. Support contracts are a lot harder to steal :P

    Let's not forget that open source provides robust security (in principle) whereas for closed source we can never be sure.

    Why do we still use so much closed source stuff :/
    Simon.

  3. Not just possible, truthful by CptChipJew · · Score: 5, Funny

    This did actually happen. A friend in an IRC channel I frequent was pasting large portions of it to show off.

    I can't help but see a nearby future full of Cisco-powered site takeovers :(

    --
    Vonal Declosion
  4. Full text translation by sydb · · Score: 4, Funny

    CiSCO IOS?
    SecurityLab, 13 2004 CISCO IOS 12.3, 12.3t, CISCO. 800 .

    , - Cisco System. Cisco System .

    franz #darknet@EFnet IRC ( 2.5 ) .

    100 ipv6_tcp.c ipv6_discovery_test.c.


    Hope that helps!

    --
    Yours Sincerely, Michael.
    1. Re:Full text translation by versus · · Score: 4, Informative
      I don't know who moderated parent as Informative (hint: use +1 Funny)

      Here is word-to-word translation (English is not my mother tongue):

      • As SecurityLabz was informed, on May 13, 2004 all source code of Cisco IOS 12.3, 12.3t was stolen. Cisco IOS is used in most Cisco network products. Full size of the stolen information is about 800 MBytes archived.
      • Source code leak was made possible because of Cisco's corporate network compromise. Cisco gave no official comments yet.

        Someone known as franz at IRC channel #darknet@EFnet showed a small part of stolen code as the proof.

        First 100 lines of source files ipv6_tcp.c and ipv6_discovery_test.c are listed below.

      --
      Brain is my second favorite organ.
  5. wouldn't surprise me by fugas · · Score: 3, Interesting

    I've worked there as a temp in 2000-2001 and the corporate network resources sure didn't seem to be that well protected... But I won't elaborate.

  6. Thank God .. by Anonymous Coward · · Score: 3, Funny

    I use windows RRAS as my router and not the damned (potentially) insecure Cisco kit ;-)

  7. Re:rah rah rah you scumbags by Chicane-UK · · Score: 4, Funny

    Darl??

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
  8. Stolen...? by Henrik+S.+Hansen · · Score: 3, Interesting

    How can the source code be stolen, when Cisco still has it?

    1. Re:Stolen...? by real_smiff · · Score: 4, Funny

      ah, wait a sec (while i fetch me textbook of /. answers).. yes... i see, "it was not stolen... it was copy-right in-fringe-ment".. how was that? :)

      --

      This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

    2. Re:Stolen...? by horza · · Score: 4, Insightful

      How can the source code be stolen, when Cisco still has it?

      How can you have identity theft if you are still you?

      Phillip.

  9. This has happened before by puzzled · · Score: 4, Interesting


    IOS 11.3 source is definitely in the wild - I think there is a copy of it around here somewhere. I've contacted Cisco on it and they're so excited they can't even get someone from law enforcement to come and talk to me about the information on the guy who sent it to me.

    11.3 is ancient history, but 12.3 is bad bad bad ... this means new Cisco exploits as people comb through the code :-( Time to go unplug your internet connection until 12.4 is released ...

    --
    I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
    1. Re:This has happened before by AaronW · · Score: 4, Insightful

      Good luck. Where I work we legally have access to Cisco IOS, although we're very strict and only a handful of engineers have the permissions to access it (me being one of them). The code is very clean and when I've browsed it looking to see if there's any exploits, I have thus far come up empty. The code does not look like the Microsoft code I've seen, which tends to be overly complex IMO. That's not to say we don't find bugs in Cisco's code, but generally it's very high quality.

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  10. Re:IOS OS by JohnFluxx · · Score: 5, Insightful

    Don't touch it, don't see it, don't breathe near it, if you ever plan on contributing to linux.

    Leaked code is very dangerous to open source software.

  11. WARNING copyrighted source samples ahead! by Anonymous Coward · · Score: 5, Interesting

    The Russian site contains samples of the source claimed stolen!

    If these are authentic (which I personally begin to doubt more and more) then looking at them may be problematic if you ever intend on working on IPV6 stacks from someone else than Cisco. (OpenBSD?)

    Now I did have a peek at that code and I can tell it looks very fake (Obviously *don't* take my word for it and think it's safe to ignore my warning!)

    • They are attributed to only one coder per file.
    • It isn't indented (intentional obscurity?)
    • There are way too specific includes that don't make much sense (dothis.h)
    • I have a feeling there are includes missing
    • I spotted a printf, which seems odd for an IPV6 stack or part of an OS
    • I can't see any working logic, and I can't see how the code is supposed to do what the (short and very simple) comments claim it does.
    • It looks like there are many syntax errors but without a compiler, the preprocessor directives and indentation it is hard to tell.

    Also at the forum of the .ru site there is a post from someone who claims the word on the IRC channel on which the story originates is that this is a fake.... But I am not touching that channel.

    1. Re:WARNING copyrighted source samples ahead! by cide1 · · Score: 5, Informative

      Yeah, I'd like to believe you, but I've seen people get away with murder in source code before. Open source coders worry a lot more about things like indentation, and filenames that make sense. In closed source shops, a lot of times what is quickly coded as a prototype becomes the shipping product, and things like indent can't be used because it breaks diffs. As much as I'd like to look with my own eyes, this sounds like one of the things it would be best if I just ignored it.

      --
      -- the computer doesn't want any beer, no matter how much you think it does. NEVER, EVER feed your computer beer.
  12. Rumour has it ... by BabyDave · · Score: 4, Funny

    ... that their remote access software had a default username/password built in that couldn't be disabled. A high-level Cisco executive has threatened to sue the software providers for including such a stupid 'feature' in their product.

  13. May not lead to anything by Felinoid · · Score: 5, Interesting

    This is one of the companies that helped make the Internet what it is today.
    (I'm not talking about spam, trolls or worms)

    They have the experience to know what can or can not happen.
    Sure they use obscurity but I doubt they believe it to be a serious security layer. Instead they probably have experts poring over ios every day.

    It is possible to have "Many Eyes" while remaining closed. Just have many expert eyes constantly on the code instead of many more untrained eyes occasionally dissecting the code.

    It's expensive so don't expect it to happen too often.
    Microsoft deludes itself into thinking that is what they have with a team of programmers working on the code. But in reality the only people who actually see the code are the original coder and a code verifier. Just two people for every segment of code.

    But I would guess Cisco uses the expensive version of Many eyes that we get for free in open source.

    --
    I don't actually exist.
    1. Re:May not lead to anything by curator_thew · · Score: 4, Funny

      "Instead they probably have experts poring over ios every day."

      Unfortunately those experts are figuring out how to draw the release structure diagram and name the branches. I don't think cisco engineers have time to work on new code, there's too much old code to figure out.

  14. Oh Really? No. by Frequanaut · · Score: 5, Funny

    Seriously, A friend of mine, in an icq conversation told me it wasn't true. Plus my mom said so as well.

  15. Settle down... by Graftweed · · Score: 4, Interesting

    This reminds me of the buzz that surrounded MS's source code theft/leak. There are a couple of different things being discussed here.

    First there are the security implications. Having the source out there for all to see isn't the endgame for the internet, people. With MS, people thought it was a big issue because their code is, well... crappy. I don't think this is true with Cisco, and unless there are some very obvious and very damaging security holes the internet will live to see another day, so all you doomsayers out there screaming that the world is coming to an end... settle down.

    It does highlight once again the shortcomings of a security through obscurity model, but let's not go down that road again.

    The second thing, which is where the story really lies, is how this could have happened. It's Cisco after all, how could their network be compromised? Probably someone there really dropped the ball. Any specifics on how this happened?

  16. Re:IOS OS by Ithika · · Score: 5, Insightful

    Surely that's only the case if being covered by software patents... which I think the general consensus in the Linux development world is that's a Bad Thing(tm). Whether they will apply in Europe is still being discussed.

    Copyright-protected code is obviously not allowed, but as long as there's a way of implementing the same thing in a different manner (always assuming that European s/w patents don't get ratified) I fail to see any issue in understanding how some other piece of software works.

    The whole SCO debacle has done more than just piss everyone off, there's been a remarkable amount of reticence to learn from code that isn't Free. By that very logic authors shouldn't be allowed to read books and composers should be banned from listening to music.

    --
    This has been a scatterbrained post on behalf of the Poorly Thougt-out Argument Party

  17. Impact on Undocumented commands? (project DOTU) by bertboerland · · Score: 4, Interesting

    Cisco's IOS is full of undocumented commands. An old list is available on my site
    http://boerland.com/dotu.

    So opening the code might reveal more undocumented commands.

    (btw: I will migrate this data towards a real CMS as hosted at home; http://willy.boerland.com/myblog.)

    --
    -- for undocumented cisco commands, take a peek @ dotu
  18. Re:Time for a new motto by ch-chuck · · Score: 5, Funny

    How about, " The next Slashdot story will be ready soon, but readers of ArsTechnica can beat the rush and see it early!"

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  19. At least the name of the programmer matches... by wallclimber21 · · Score: 3, Interesting

    A quick google search on 'Ole Troan' leads to Cisco Systems, Inc. 250 Longwater Avenue Reading RG2 6GB United Kingdom If this is a fake, then at least these Russians did their homework. :-)

  20. The Internet Doesn't Run On Cisco by Anonymous Coward · · Score: 3, Interesting

    As anyone who works for an ISP of any size and importance will tell you, Cisco routers don't do much when it comes to the big, hard-core routing that takes place at the NAPs or even at aggregation points. Their products have historically not been up to par for the high-end demands in these environments.

    If a Juniper bug comes out, then it's time to be concerned about pieces of the Internet falling off. But then this is mitigated because there are relatively few aggregation points that can be upgraded hopefully quickly.

    Sure, a large Cisco IOS bug will hit mom and pop and small to medium business, but the big boys just don't use Cisco.

  21. Re:Open source safer ?? doubtful by mikep.maine · · Score: 5, Insightful
    Let's not forget that open source provides robust security (in principle) where as for closed source we can never be sure.

    Software is only secure when specific security tests are performed against it. Almost no one does much of this, or even understands it well. I doubt that in 1000 readers, more than 5 could recite the top 5, never mind the top 20 tests you must perform.

    Open source is also not inherently better at security because it must be peer reviewed. If the reviewer doesn't know what to check, then what is the point of the review?

    Software must be security certified by professionals, whether open or otherwise.

    --
    Mike www.sharecube.com
  22. That's not all it does. by CodePyro · · Score: 5, Funny

    "I guess Cisco forgot to implement their own Self Defending Network solutions"

    No they did implement it. But when it found out that it was outnumbered by the hackers, the self-surrender module (also known as the French module) went into effect.

  23. This really means nothing. by corrosive_nf · · Score: 4, Informative

    Cisco had already announced a few weeks ago that version 13 of IOS was coming out and in June they were going to dump IOS fully for a totally new os for their routers that was going to be pluggable and more secure

    http://news.com.com/2100-1033_3-5210745.html

  24. Or, to paraphrase... by FreeUser · · Score: 3, Funny

    Seriously, A friend of mine, in an icq conversation told me it wasn't true. Plus my mom said so as well.

    Translation: Accept information only from Official Sources(tm).

    Any reports, of any event, not vetted by Your Official Corporate Public Relations Officer(tm) isn't real and has no validity.

    Do not accept word of mouth. Healthy skepticism is not sufficient (for the facts may speak for themselves and undermine Our Official Position(tm)); you are to ignore any anecdotes, any word of mouth reporting, completely and utterly.

    Indeed, you shall respond to any unofficial information with disparagement and hostility, as is your duty as a drone Consumer(tm).

    Accept the Party Line. It is the Truth(tm), all else is Heresy.

    Thank you.

    Your Cisco Security.
    ("Stooges R Us")

    --
    The Future of Human Evolution: Autonomy