Slashdot Mirror


Cisco IOS Source Code Theft Story Continues

securitas writes "eWEEK's Steven J. Vaughan-Nichols reports that the source code for Cisco's 'main networking device operating system was stolen on Thursday' (May 13) according to the Russian company SecurityLab. SecurityLab says that criminals broke into Cisco's network and stole 800MB of source code for IOS 12.3 and IOS 12.3t, a pre-release variant. The purported culprit(s) then bragged about the feat in an IRC session and offered 2.5 MB of the code as proof. Industry analyst Dell'Oro Group says that 'Cisco owns 62 percent of the core router market.' More at the Sydney Morning Herald and Windows Network magazine." Our original coverage of this story was here.

27 of 318 comments

  1. Can you imagine... by Anonymous Coward · · Score: 5, Insightful

    ...if the entire internet was taken down? for an extended period of time? The world would fall into disarray. Although once upon a time the world functioned perfectly well without the internet. Amazing how technology makes us dependent just like junkies.

    1. Re:Can you imagine... by Segway+Ninja · · Score: 4, Insightful

      But it would be fair to say that most businesses do rely on the internet, in some way or form. At least, they do in New Zealand. E-Mail would have to be a main source of internal communications (eg, within the company - but not the same building, as within the building would probably function without the net) - definitely for technical resources on products and the like.

    2. Re:Can you imagine... by tymbow · · Score: 3, Insightful

      A friend of mine used to regularly say that only IT and the illicit drug trade call people "users".

    3. Re:Can you imagine... by B'Trey · · Score: 4, Insightful

      Sure there would be problems, but I think most people would opt for watching TV or going outside.

      It isn't the Internet as an entertainment tool that's the issue. It's the Internet as a business tool. In some situations, there are alternatives - a phone call instead of an email, a printed report instead of one transmitted electronically. But there are a great many systems which have been converted to the Internet for which the old infrastructure either no longer exists or would be extremely difficult to reactivate. Inventory systems, ordering systems, tracking systems, etc.

      I'm in the US Military. Message traffic used to be transmitted via radio to teletypes. Now, it all rides on the Internet. The teletypes are long gone. Lack of an Internet wouldn't bring us to our knees - we have contingency plans. But it would seriously impact our operations.

      Just because you rely on the internet, doesn't mean the entire world does too.

      The world DOES rely on the Internet, whether you're aware of it or not. We would survive, just as we survive hurricanes and black outs and other disasters. But any significant disruption of the Internet certainly would be classified as a disaster and have significant impact.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    4. Re:Can you imagine... by 1u3hr · · Score: 2, Insightful

      A lot of the time, many people forget that there are ways of communicating OTHER than the internet, but I think that if push came to shove, internet users could deal without.

      Most companies still have a few fax machines, not to mention many printer/scanners that can be made to act like one. So we'd just go back to fax, phone, snail mail. Actually, unless you're Amazon or a similar web-centric company, most would find they were more productive for not pissing away time reading Slashdot, porn, sending chain mail and jokes, deleting spam.

  2. Secure ? by cyberfunk2 · · Score: 5, Insightful

    Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldn't this theoretically not matter (just as the code for stuff like ipfw is open)?

    I realize however that Cisco code is likely more complex than the relatively simple stuff ipfw does.

    1. Re:Secure ? by flying_mushroom · · Score: 5, Insightful

      The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere.

      Sure, it might be more solid than Windows (!), but no large software project nowadays can presume to be bug-free. It's just too much code and possible scenarios to say that it all has been tested.

    2. Re:Secure ? by gnu-generation-one · · Score: 4, Insightful

      "The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere."

      Well, let's say that cisco has allocated x people for code-auditing, and that they've had y years to do so (something like 15 and 15, probably?) And because their products need to be secure, they fixed anything those people found wrong.

      Surely that means that to find a vulnerability, any would-be cracker would have to spend at least as long on auditing as cisco did themselves unless they happen to be very lucky, or unless there are problems easily-visible in the source-code that cisco haven't fixed. So we wouldn't expect any exploit to be seen in the near future?

    3. Re:Secure ? by lewp · · Score: 0, Insightful

      Unless, of course, the thieves have a P-P-P-Powerbook at their disposal. Then we're all fucked.

      --
      Game... blouses.

    4. Re:Secure ? by Phleg · · Score: 2, Insightful

      You're assuming that code is static. New bugs are introduced with every release, and with every commit. Just because a group of Quality Assurance folks have been scanning the code for decades doesn't mean they'll catch the new bugs within a few hours.

      --
      No comment.

    5. Re:Secure ? by gosand · · Score: 4, Insightful

      "Well, let's say that cisco has allocated x people for code-auditing, and that they've had y years to do so (something like 15 and 15, probably?) And because their products need to be secure, they fixed anything those people found wrong. Surely that means that to find a vulnerability, any would-be cracker would have to spend at least as long on auditing as cisco did themselves unless they happen to be very lucky, or unless there are problems easily-visible in the source-code that cisco haven't fixed. So we wouldn't expect any exploit to be seen in the near future?"

      Except that Cisco has no real incentive to find bugs in their code, whereas a cracker does. Motivation makes a huge difference. And why would Cisco need to do strict audits on their code? Nobody outside the company will ever see it. Right?

      --

      My beliefs do not require that you agree with them.

  3. If IOS was Open Source... by pdaoust007 · · Score: 4, Insightful

    All of these apocalyptic arguments about the Internet going down etc. would be moot...

    Then again one has to wonder how Cisco would have created their empire if their code would have been open sourced. A lot of their business is not only selling H/W but IOS features.

  4. Re:And the secret backdoor password is... by Janek+Kozicki · · Score: 1, Insightful

    linux kernel source unpacked takes 150MB, compare yourself. Maybe they have stolen several versions of the source?

    --
    #
    #\ @ ? Colonize Mars
    #

  5. Go for it Cisco by Stokey · · Score: 4, Insightful

    Just do it!

    Open source all your code. It's too late now (cat/bag/out of). Set an example to the rest of the business community.

    --
    Natsu gusa-ya, Tsuwamono domo-ga, Yume no ato

  6. what the fuck? by CAIMLAS · · Score: 4, Insightful

    Two direct links on the front page of slashdot to (literally) stolen IP?

    I wonder if Slashdot will get in trouble with Cisco for this? The moderators could at least have checked the links, no?

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers

  7. Vulnerability by version by RicoX9 · · Score: 5, Insightful

    I think that susceptibility will depend on what source was stolen. Was it the ENTIRE source? Or was it just pieces? They (the cracking types) may discover a hole in something that exists only in the Enterprise feature set, leaving most of the exposed routers on the Internet un-compromiseable (As most companies aren't going to pony up for the most expensive feature set when all they're doing is shuffling IP packets).

    Also could find a problem in basic TCP/IP code, making every Cisco router on the planet a revolving door. I find this scenario highly unlikely, as their base code is probably a lot more stable and reviewed than the newer, more advanced features.

  8. Re:The one thing not mentioned by groot · · Score: 3, Insightful

    Thus far, I find it odd no one has inquired as to the exact nature of how the hell someone got so far into the system as to be able to copy source code. That's not something any company leaves sitting in /pub.

    It's like some warped Stratego (TM) game, and the hackers have captured the flag.

    Now:

    1. The act of stealing it, sort of renders it useless, who would want a firewall that can be broken into and its own sources stolen.

    2. This embarrassment would have been circumvented if they had most of the code in the open source domain, especially the firewall. A good algorithm should be able to resist the test of scrutiny of its sources.

    3. The routing algorithm would be valuable but I doubt that it is what the hackers were after. So maybe they would want not to open source it.

    Bottom line, those things which are not core to your business should be released to the open source community. Of course some, like MS believe the universe is their core, so some will never change.

    --laz
    --
    "Just remember, it takes a village idiot." -- The Motley Fool.

  9. Code theft? by Mr+Smidge · · Score: 4, Insightful

    Slashdot labels a story as theft when no portion of the source code was removed from Cisco's computers? Never!

    No, I'm afraid this is not 'theft'.

    Theft must incorporate a desire to deprive the rightful owner of said taken item(s). Surely we know this by now?

    Stealing, yes. Theft, no.

    </PEDANT>

  10. shame on you! by Anonymous Coward · · Score: 1, Insightful

    Changing the way the public perceives issues involving IP requires consistency.

    Whether it's illegally copied songs or illegally copied code, IT IS NOT THEFT because nothing is stolen. No one that had the code before doesn't have it now due to this.

    OF COURSE this is wrong, and it breaks many laws including copyright laws and computer crime laws (unauthorized access, etc), but please, do not frame this argument using the wrong terms. This just digs us deeper in our hole.

  11. Re:That's why corps should stick to dial-up.. by bruthasj · · Score: 2, Insightful

    It's funny until you actually have to work with corporations with this mentality.

  12. Security Through Obscurity? by ThisIsFred · · Score: 3, Insightful

    Does this code contain the infamous "backdoor" account ever present on certain Cisco devices? It sure would be worth a criminal's time to get a hold of that. Think of all the other information he could steal once he knew that.

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS

  13. Re:And the secret backdoor password is... by LnxAddct · · Score: 2, Insightful

    The thing that I find the most interesting is that first this shows that whatever security products they are selling obviously aren't good enough because there is some way around them (assuming Cisco would be using their own best products). But more importantly, if this were an open source project like Gnome, then we'd have up to the second details on what happened, why it happened, how it happened, what was accessed, what's at risk, etc... In the closed/proprietary world this doesn't happen, we are all just basically left in the dark and have to accept whatever they tell us. All the more for linux based routers!
    Regards,
    Steve

  14. Re:the end is near.... by Anonymous Coward · · Score: 1, Insightful

    Relax. It has been trivial finding openings without the source code. There have been plenty of known openings against cisco over the years. The only reason why they do not have a bad record is that they
    1. have a good design
    2. hire decent coders
    3. have a good qc

    Otherwise, they would already have a track record similar to MS.

  15. Re:backdoor by Gsus411 · · Score: 4, Insightful

    Honestly, what is so difficult about configuring cisco routers? You just configure the passwords, interfaces, set up a routing protocol, set a gateway of last resort, and you're set. You can learn how to do all this in 30 minutes!

  16. Re:backdoor by rjfan · · Score: 1, Insightful

    uhh.... You must not deal with routers much. Otherwise, you'd see other products such as Bay Networks/Nortel and sprinkle your words on your shoe for seasoning. A novice can have a Cisco router up and going in less than a minute. A decent guy can break into one in 3.

  17. Size of data may be a clue! by Anonymous Coward · · Score: 1, Insightful

    Just a hunch, but I worked for cisco for five years, and that source code was kept under TIGHT control, on a TIGHT network.

    Does the size relative to the amount of data that can be burned to one CD make anyone else suspect that an insider walked it out on a CD?

    Maybe it was just the most l33t ever...

  18. This makes it impossible for Cisco to open source by imbezol · · Score: 2, Insightful

    If Cisco were to release the code into open source now it would send a message to the world that anything they're able to steal they can have. They would never open source this code now for that reason.

    Cisco does not want to reward hackers and would-be "freedom fighters" for atrocities such as this one.

    I think those of us that support the open source movement need to be very careful about the comments we post after incidents like this. Most of us are hard working respectable geeks that don't go busting into corporate networks to steal proprietary code.

    Let them open source when they want to. Have the conviction and faith that our movement will gain their trust in time. Stealing their code is not going to get us anywhere.

    BigFiber.net