Cisco IOS Source Code Theft Story Continues
securitas writes "eWEEK's Steven J. Vaughan-Nichols reports that the source code for Cisco's 'main networking device operating system was stolen on Thursday' (May 13) according to the Russian company SecurityLab. SecurityLab says that criminals broke into Cisco's network and stole 800MB of source code for IOS 12.3 and IOS 12.3t, a pre-release variant. The purported culprit(s) then bragged about the feat in an IRC session and offered 2.5 MB of the code as proof. Industry analyst Dell'Oro Group says that 'Cisco owns 62 percent of the core router market.' More at the Sydney Morning Herald and Windows Network magazine." Our original coverage of this story is here.
omfg
...if the entire internet was taken down? for an extended period of time? The world would fall into disarray. Although once upon a time the world functioned perfectly well without the internet. Amazing how technology makes us dependent just like junkies.
They could have at least posted the code for the backdoor in all the routers.
I notice this morning that since the code leak the Internet has been faster, more stable, and I get packeted less often. Since the code leak I also lost 5 pounds and I swear my erection this morning was larger. *phone rings* That must be my bank calling to tell me they lowered my interest rates.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
Please, everybody! Please remove the source code from the internet ASAP before SCO sees it and claims ownership!!
.sig: No such file or directory
800MB of source code? for a router? WTF?
Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldn't this theoretically not matter (just as the code for stuff like ipfw is open)?
I realize however that Cisco code is likely more complex than the relatively simple stuff ipfw does.
In other news, Microsoft, Valve and Cisco to give free seminars on network security!
Or merely misinformed, as I'm not much of a Cisco fanboi, but...
Aren't their routers basically embedded *nix boxes? I can understand them developing their own frontend for such, but isn't the majority of the underlying code *nix based? If so, how detrimental can it be for that code to be leaked? Conversely, if it's the frontend code which has been stolen, how many security hole....oh yah, Windows 95...ne'er mind...
Don't park drunk, accidents cause people.
They plan to fork the 12.3 tree and release SOI 12.3 server as a free, open-source alternative to IOS.
How big is this IOS anyway?
1...
2...
3...
4...
5!
I always thought the big company that would have this happen is Microsoft, but I guess people got ahold of win2k's source a while back... it's still really surprising to see this happen to Cisco. Does it impress anyone else that they have an 800 MB source on the O/S? That's a lot of code!!
All of these apocalyptic arguments about the Internet going down etc. would be moot...
Then again, one has to wonder how Cisco would have created their empire if their code had been open sourced. A lot of their business is not only selling H/W but IOS features.
1. French or German
2. Linux/open source zealot
3. Lives in parents basement
4. Showers monthly
I recently finished CCNA training and asked the instructor what OS Cisco IOS was based on, and I was told it's based on BSD OS. He didn't tell me which BSD though....
"As SecurityLab discovered, on the 13th of May all the source code of the CISCO IOS operating system, which is used in the majority of CISCO's network installations, was stolen. The full extent of the stolen information runs to about 800MB compressed.
:)
According to our information, the release of fragments of the source code came about due to a break-in to the corporate network of Cisco Systems. Representatives of Cisco Systems have meanwhile made no comment on the incident.
The information came from a certain individual under the nick of franz on darknet@EFNet IRC, where he also presented a small part of the source code (about 2.5MB) as evidence.
Below are links to the first 100 lines of source code from the files ipv6_tcp.c and ipv6_discovery_test.c."
Apologies for any errors - my technical Russian's a little rusty.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
Open source all your code. It's too late now (cat/bag/out of). Set an example to the rest of the business community.
Natsu gusa-ya, Tsuwamono domo-ga, Yume no ato
The password they used to get access to the crown jewels was ciscokid
Pretty 133t if you ask me.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
Two direct links on the front page of Slashdot to (literally) stolen IP?
I wonder if Slashdot will get in trouble with Cisco for this? The moderators could at least have checked the links, no?
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
In the seminars I can imagine how Cisco would explain their love of being shafted, hence all the backdoor access (pun intended!)...
...Microsoft will just blab about how they CAN be trusted, and show everyone pretty pictures and a Matrix spoof to distract everyone...
..while Valve gets the dates for the seminar mixed up and turns up 6 months later.
Are you local? There's nothing for you here!
This is not the first time that IOS code is circulating. Previous versions were available at least for the last five years.
Hmmm, I wonder when the Linux kernel source code will be stolen? Oh yeah! Never!
This comment does not represent the views or opinions of the user.
My one thought: it's all bullshit until Cisco comes out and says they were hacked. Anyone can put together a bunch of seemingly well-written code and say that they were l33t and got in to Cisco.
The proof is in the pudding. And all I see so far is some sugar.
Chris Knight is my hero.
Am I the only one who thinks this 'might' be a good thing? Cisco now has incentives to give their code another look and hunt down any serious bugs they might not know about yet, resulting in a more secure OS. I doubt it would happen, but it's what I would do if my source code was stolen.
..they would have noticed then if 800 MB was being downloaded.
Well, if Cisco would just GPL the code, we can improve it... get the bugs out, more secure, etc.
Why are some companies SO slow at recognizing this?
Fine, want to keep your code secret and proprietary? You won't be getting any of my business, using bug-filled, secret, full-of-security-holes software...
Perhaps we will now see a Cizzz-coeee IOS source code detector van in the near future.
And no one shouting 'DUPE' ??? I don't get it.
There's at least a couple of days off work there!
Boffoonery - downloadable Comedy Benefit for Bletchley Park
I think that susceptibility will depend on what source was stolen. Was it the ENTIRE source? Or was it just pieces? They (the cracking types) may discover a hole in something that exists only in the Enterprise feature set, leaving most of the exposed routers on the Internet un-compromiseable (as most companies aren't going to pony up for the most expensive feature set when all they're doing is shuffling IP packets).
They could also find a problem in the basic TCP/IP code, making every Cisco router on the planet a revolving door. I find this scenario highly unlikely, as their base code is probably a lot more stable and reviewed than the newer, more advanced features.
/*
* Juniper engineers are weenies!
*/
bash$
When the internet gets shut down for a maintenance-period, their business will go through the roof.
And don't forget to reserve enough machines for yourself, or your business might go through the toilet
Windows 2000 - from the guys who brought us edlin
Am I the only one wondering what on earth they are filling that much space up with?
Seems bloated to hell to me - what exactly do these routers do that takes so much code?
A pizza of radius z and thickness a has a volume of pi z z a
You think the TV networks would continue to operate if 62% of the world's routers went offline?
If so I envy you, since you seem to be living in a fantasy land...
Well ... is it not kinda strange? A few months back when the Windows code was leaked, most of Slashdot was screaming about 65,000 (I didn't cook that number!) Windows bugs. Well, nothing happened really. Except an IE 5.x bug, which was patched silently before the source code leak.
... Slashdotters, can't it be just possible that this leak might be much more disastrous than the Windows leak?
... It's funny reading that Windows article again, and going through posts that talked about non-existent security in Windows. And how many holes did people find?
Now let's compare the REAL security issues.
1. The number of people who were dissecting the Windows source code is much larger than the number trying to find a Cisco hole.
2. Even without the Windows source, we can reverse engineer large parts of the Windows sources and identify problems. With the leak it just became easier. I don't expect too many crackers trying to find holes in Cisco's IOS.
This simply means that the chances of finding a security hole in Cisco are much higher than in Windows. Because now that the source is out in the open, it's easier. Why would they choose to look?
1. Bringing down those routers could virtually bring down most of the internet.
2. The entire financial world uses them! If a hole is discovered it might just be the easiest way to get into those systems.
3. It could be easier than trying to find a Windows hole, since (as from my earlier logic) many many people have already tried without results.
4. The damage that could be done in those 2 cases is so immense that a comparison would be irrelevant.
[Troll: Btw
The source code to IOS was floating round the net about 5 years ago. Obviously not the same as the latest version...
They just legally drive away... and return it the next day with wider wheels and a new sound system!
"OMG! What if this happened to Mandrake or SuSE?"
Got time? Spend some of it coding or testing
My routers run IOS 9, the desktops run Windows 95 and we use IE 4.
Nobody has released an exploit for these things in ages, my costs are very low and I can buy 200 MB computers for a song when something breaks.
Another upside is I don't have to worry about patching things, because none have been produced for years!
Slashdot labels a story as theft when no portion of the source code was removed from Cisco's computers? Never!
No, I'm afraid this is not 'theft'.
Theft must incorporate a desire to deprive the rightful owner of said taken item(s). Surely we know this by now?
Stealing, yes. Theft, no.
</PEDANT>
Changing the way the public perceives issues involving IP requires consistency.
Whether it's illegally copied songs or illegally copied code, IT IS NOT THEFT because nothing is stolen. No one who had the code before doesn't have it now due to this.
OF COURSE this is wrong, and it breaks many laws including copyright laws and computer crime laws (unauthorized access, etc), but please, do not frame this argument using the wrong terms. This just digs us deeper in our hole.
I've looked at the sources on display at the Russian site [IPv6 sources] that pretend to be from the IOS. Several things caught my attention: :) ;)))
1. Since when do programmers working for a serious company write copyright notices for themselves in the header? Like if you work for, let's say, SCO (ha-ha), you will put in the header copyright by you, and then - who knows - might sue SCO for stealing code from you.
2. printf("\nAdding %P to ND cache", &target);
The ND cache is really connected to neighbor solicit messages, but would the Cisco IOS be printing a message, saying that it is adding the address to the ND cache without checking debug flags, etc.? And I am sure it is not a matter of system design in this case. You cannot get the impression just from one tiny piece of code.
3. Some posts here were stating... "root" access, which certainly made me smile. The IOS is running cooperative multitasking and the tasks usually run at the same level.
4. Ole Troan really works for Cisco Systems (in the UK) and is the proud author of the IPv6 DHCP RFC specification 3633. So this is an argument that supports the theory a little bit. Just didn't think that Cisco still has developers in the UK. I thought they outsourced everything to India a long time ago.
There are some more, but I'll save you the tiny details, like big endian or other nifty stuff in the code.
Does this code contain the infamous "backdoor" account ever present on certain Cisco devices? It sure would be worth a criminal's time to get hold of that. Think of all the other information he could steal once he knew that.
Fred
"A fool and his freedom are soon parted"
-RMS
We have the right to create deep links... and this is some pretty deep stuff!
I attended an MS seminar in Buenos Aires where I heard one of the top managers talking about security. After a long speech about the "do"s and "don't"s in computer security, he said: "...and that's why we never had a security problem at Microsoft".
This seminar was one or two weeks after the Windows 2000/NT source code leak.
If it was the only copy of the source code, then yes, it was stolen. Otherwise it should be copyright infringement. After all, this is our claim regarding illegally downloaded music. It's not stolen. It's copyright infringement.
I seem to remember that Cisco bought a small company called Grand Junction, which produced switching products. They also had this product called IOS, which is just the reason why Cisco bought them. Cisco has just branded and improved someone else's product. It is that simple. I know a couple of people who have worked for Cisco since way back in the day, and this is a story most of them can confirm.
So is anyone looking for people? I am a CCNP in the Southfield, MI area looking for a job. I am great with Linux, BSD, and Windows. Anyone?
thedude_001@hotmail.com
The thing that annoys me most is how Cisco is going to handle this.
I bought one of their home/soho routers, the "cheap" $300 one. I wanted more meat to my home broadband than what Linksys had to offer.
The day after I buy it I find out that the software is out of date and there are upgrades. Am I able to get them? Nope. I have to pay an extra $100/year to just get the software updates.
Needless to say, this will be the last Cisco product I own.
Considering the small form factor PCs out there, a custom Linux firewall is in the works.
I attended a Cisco Intrusion Detection System class a short while back and laughed my arse off when I saw the Red Hat 7.3 installation screen. I asked the instructor for a copy of the modified source code and he just sat there looking stupid... nice. At least the world's routers are not running Microsoft, right?
No, they can't. But if you put a photocopier and a full set of schematics of both car and copier, it'd be legal for someone to plug the copier in, insert their own toner and paper, and copy the schematics, then build their own BMW. Except for those nasty patents, but you should be in the EU anyway.
Call me crazy or mod me down, but I'm positive that this has something to do with Cisco's previous tussle with the GPL.
I can only assume one of two things:
1. Cisco's use of code that's open to just anyone allowed a "hacker" to access vulnerabilities in its systems.
2. Due to its earlier minor and well-intentioned misstep, some GNUlatic decided to take revenge on Cisco.
In either case, this sends a loud and clear message to all businesses out there: messing with GPL code will get you burned, and burned badly. DANGER WILL ROBINSON!!!
Stay away while you still have your security intact. GNUlatics only want to hurt you.
Thank you for your support.
Way to go Slashidiots! Directly linking to stolen IP is one of your finer decisions. Thanks.
They didn't change the default administrator password on their Linksys BEFW11S4 router.
Who would use critical hardware from a company that can't even decide where to put their curly braces? Are they at the end of the line or on a line by themselves? Make up your frickin' mind!!
things would just be easier. GPL?, LGPL?, BSD-License?, Open License?
That kind of BS is exactly why we keep losing our jobs to trained monkeys.
I am and since my BMW is not software, the patents are still valid ;-)
But you're right, my analogy was incorrect. The difference between my analogy and Open Source is that, while you can drive my BMW away and deprive me of the use of my shiny Topasblue Compact, with Open Source I'd still be able to use my software.
And like above post says, they would be able to improve my BMW and I would reap the benefits as well.
Everybody knows that the Cisco IOS source was stolen about 5 years ago by a Bulgarian hacker called Simeonov at Varna Hacking Group. It was available within hacking communities in Bulgaria but as far as I know was not publicly distributed on IRC and such. The IOS source code was found to contain large portions of open source code, including gdb and GNU development tools (you could even fall back to gdb in the IOS if compiled in debug mode).
Maybe all is not as it seems?
I thought showering once a month was the norm in France?
In fact, the owner was never deprived of the use of their putative property. Thus, no code was stolen.
-I like my women like I like my tea: green-
The company I work for prefaces all source files with copyright statements. I never understood the rationale, but I bet it's pretty common practice.
What is more interesting is that the 12.3t was stolen. "t" in the IOS name means "technology", that is where new features are introduced into the code (like the odd kernel numbering), but a lot of companies run the t IOS because that is the only place you can get all the features that Cisco advertises.
Cisco has a book just on the naming convention of IOS - and the book is pretty thick.
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
SecurityLab posted the first 100 lines of ipv6_discovery_test.c and ipv6_tcp.c. Aside from somewhat clumsy type names, the code is clean.
3.243F6A8885A308D313
Just a hunch, but I worked for cisco for five years, and that source code was kept under TIGHT control, on a TIGHT network.
Does the size relative to the amount of data that can be burned to one CD make anyone else suspect that an insider walked it out on a CD?
Maybe it was just the most l33t ever...
There is at least one business activity that has totally flourished with the internet: stock trading. Even though most equities are still being traded by mutual funds and the like, the amount traded by individuals over the internet is pretty significant. If the internet went down for an extended period of time, don't be surprised to see a direct effect on the stock market and the economy.
From what I remember, when the guys formed a company and started selling what was developed in class, it created quite a ruckus.. and they had to pay something back to the school..
I don't have details handy, but I'm sure it's 'out there' somewhere as it wasn't a secret..
---- Booth was a patriot ----
See: http://news.com.com/2100-7349_3-5213724.html?tag=nefd.top
I don't know if something like this is possible, but if I had the source code I'd try these
a) Modify it so that it sends private/public keys, passwords and other such info to my site somewhere on the net
b) Add a backdoor or two
When timing is right, I'd upload it to a bunch of 2nd hand Cisco switches and resell them at slight loss on eBay.
Or perhaps work with a disgruntled employee of some networking h/w reseller to get my switch installed at some attractive site such as a bank.
It only affected an old version of IE (IE 5?) and had been patched a very long time ago at the time that exploit was found.
In any event, it's a pity that this code is pretty much only in the hands of those who do not mean well, rather than in the hands of people who would probably submit patches back to Cisco to help make the Internet more secure...
The great thing about open source is that you only work on a project if you know what you are doing
I think I clearly remember working on many open source projects when I didn't know what I was doing. I was working on open source in order to learn how to do it in fact.
I would bet there are quite a few people like me out there as well.
Just a thought; but you do have to enjoy it, that's true.
Saying that leaked IOS source code will hurt anything is silly. Do you think Cisco has horrible coding standards? Do you think anyone actually cares to touch and read and be contaminated by such obviously illegal intellectual property anyway? You who espouse open source as being more scrutinized and secure are complaining about source code being out?
It's an embarrassment for Cisco if it happened, but nothing at all more serious unless happy-lucky-router-co in China manages to use it to sell their own Criscos and kill the Asian sales for Cisco. Fat chance.
Obscurity is just one part in a multi-layered defense. Attackers footprint a network and enumerate as much information as possible. The less information they can obtain, the better the defense. What do you think is more likely: Someone finding a security hole with or without the source code? I'll pick the software that's more difficult to analyze and has corporate backing. If someone's trying to target my network, I want to make it as difficult as possible.
If there were armies trying to capture the data on my network and their success meant my death, I would pick a product designed from the ground up with security as the number one concern. Windows 2003 is a lot closer to that goal than 2000 and XP because it's shipped locked down by default, but it's still built on old code. New vulnerabilities are still being announced regularly. If my life were on the line, I would have to go with SecureBSD. It has a solid record and it's built from the ground up with security as the number one concern. Last I heard, it's only had one vulnerability announced in the last few years. However, if there were a closed source equivalent, I would choose that.
Luckily, my workplace doesn't require that level of security. I take the most functional, cost effective product (TCO) for our business and harden it manually to a level I feel fits the company. The Windows NT family works great for us.
-Lucas
I mean, c'mon d00dz! With the source code to their smartcards (complete with comments), just imagine how much more 13373r you could be when you're charging $30/month to program the latest "unhackable" technology :)
This just in: routercli-0.1.pre-alpha. From the project page:
:-)
"RouterCLI is a cisco-like shell for small or diskless linux distributions. Pre-alpha includes interface configuration, routing manipulation, ping, telnet and trace utilities, I still think about libtecla, access-lists and config."
I'm sure it's coincidence, but the timing is kinda funny. Actually looks like it might become a useful little tool. And we can tell it's not really based on the leaked Cisco source by the use of fork()
Security flaws aside, studying this code would make interoperability with IOS much easier for Juniper and other router companies.
As well, looking over the code could give Cisco's competitors lots of hints to improve their own products.
Not much chance that this will be seen now, but according to CNet, Cisco has confirmed that an "unspecified amount" of code has been leaked. The article is here.
Could they choose a smaller font?! /me ctl+scrolls
Life is offtopic.
If Cisco were to release the code into open source now it would send a message to the world that anything they're able to steal they can have. They would never open source this code now for that reason.
Cisco does not want to reward hackers and would-be "freedom fighters" for atrocities such as this one.
I think those of us that support the open source movement need to be very careful about the comments we post after incidents like this. Most of us are hard working respectable geeks that don't go busting into corporate networks to steal proprietary code.
Let them open source when they want to. Have the conviction and faith that our movement will gain their trust in time. Stealing their code is not going to get us anywhere.
BigFiber.net
The internet taken down because people found out weaknesses in the sources and exploited them on running routers?
Isn't this what OSS is so good at preventing? Security through obscurity doesn't work, period. Maybe if they DO find holes and exploit them, it will underscore the need to have more core technologies open sourced.
- It's not the Macs I hate. It's Digg users. -
So there is the IP issue... but honestly this just gives people an incentive to switch to Juniper. GSRs can't even touch a high-end Juniper for edge routing...
From news.com - Cisco apparently thinks this is not a problem at all
I completely agree that once you have some sit time on the console, Cisco equipment isn't that bad. It just gets weird when you start to work on equipment that varies between major IOS versions. Then you have Catalyst OS on High-End equipment that changes everything. Almost as if they program the way Microsoft does. Change everything and change it often. --tarballedtux
I always figured that it was just a precaution in case the file got out in the wild.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
Someone please use the IOS source to find an exploit that goes around and updates Cisco routers with proper egress filtering. k, thx! :-)
Dossy's Blog
You all act as if Cisco's IOS hasn't been in the open for years.
-r-------- 1 -- -- 55804111 15 Jan 2002 IOS-11.2-8.tar.gz
or perhaps
-rw-r--r-- 1 -- -- 152437 15 Jan 2002 CHANGES.112-7.4-8.1
drwxr-xr-x 14 -- -- 10240 15 Jan 2002 boot
drwxr-xr-x 2 -- -- 6144 15 Jan 2002 micro
drwxr-xr-x 8 -- -- 2048 15 Jan 2002 snmp-em
drwxr-xr-x 5 -- -- 2048 15 Jan 2002 subsys
drwxr-xr-x 167 -- -- 26624 15 Jan 2002 sys
drwxr-xr-x 3 -- -- 2048 15 Jan 2002 wbu
The src for 11.2 has been around forever.
Noted that it's some 7 years old, but if they lost it once...
I can find no evidence that any exploits created from back when this came out until now are based on this code, so I can only assume that exactly the same events will happen now.
A few hackers will keep the code as a memento and no one will be bothered looking for bugs. Well, no one who has the skills to find them anyhow.
In 11.2 there are some 258416 lines of code. I expect that in 7 years it has become probably 2 million lines. Sure there will be bugs. There have to be. But I still can't see any reason to stress out over it.
In an interview, the Chief Architecture Officer of the Ministry of Truth, Gill Bates, was quoted as saying, "There are no Americans in Iraq."