Slashdot Mirror


Cisco IOS Source Code Theft Story Continues

securitas writes "eWEEK's Steven J. Vaughan-Nichols reports that the source code for Cisco's 'main networking device operating system was stolen on Thursday' (May 13) according to the Russian company SecurityLab. SecurityLab says that criminals broke into Cisco's network and stole 800MB of source code for IOS 12.3 and IOS 12.3t, a pre-release variant. The purported culprit(s) then bragged about the feat in an IRC session and offered 2.5 MB of the code as proof. Industry analyst Dell'Oro Group says that 'Cisco owns 62 percent of the core router market.' More at the Sydney Morning Herald and Windows Network magazine." Our original coverage of this story was here.

16 of 318 comments

  1. Can you imagine... by Anonymous Coward · · Score: 5, Insightful

    ...if the entire internet was taken down? for an extended period of time? The world would fall into disarray. Although once upon a time the world functioned perfectly well without the internet. Amazing how technology makes us dependent just like junkies.

    1. Re:Can you imagine... by Segway+Ninja · · Score: 4, Insightful

      But it would be fair to say that most businesses do rely on the internet, in some way or form. At least, they do in New Zealand. E-Mail would have to be a main source of internal communications (eg, within the company - but not the same building, as within the building would probably function without the net) - definitely for technical resources on products and the like.

    2. Re:Can you imagine... by tymbow · · Score: 3, Insightful

      A friend of mine used to regularly say that only IT and the illicit drug trade call people "users".

    3. Re:Can you imagine... by B'Trey · · Score: 4, Insightful

      Sure there would be problems, but I think most people would opt for watching TV or going outside.

      It isn't the Internet as an entertainment tool that's the issue. It's the Internet as a business tool. In some situations, there are alternatives - a phone call instead of an email, a printed report instead of one transmitted electronically. But there are a great many systems which have been converted to the Internet for which the old infrastructure either no longer exists or would be extremely difficult to reactivate. Inventory systems, ordering systems, tracking systems, etc.

      I'm in the US Military. Message traffic used to be transmitted via radio to teletypes. Now, it all rides on the Internet. The teletypes are long gone. Lack of an Internet wouldn't bring us to our knees - we have contingency plans. But it would seriously impact our operations.

      Just because you rely on the internet, doesn't mean the entire world does too.

      The world DOES rely on the Internet, whether you're aware of it or not. We would survive, just as we survive hurricanes and black outs and other disasters. But any significant disruption of the Internet certainly would be classified as a disaster and have significant impact.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

  2. Secure ? by cyberfunk2 · · Score: 5, Insightful

    Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldn't this theoretically not matter (just as the code for stuff like ipfw is open)?

    I realize however that Cisco code is likely more complex than the relatively simple stuff ipfw does.

    1. Re:Secure ? by flying_mushroom · · Score: 5, Insightful

      The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere.

      Sure, it might be more solid than Windows (!), but no large software project nowadays can presume to be bug-free. It's just too much code and possible scenarios to say that it all has been tested.

    2. Re:Secure ? by gnu-generation-one · · Score: 4, Insightful

      "The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere."

      Well, let's say that cisco has allocated x people for code-auditing, and that they've had y years to do so (something like 15 and 15, probably?) And because their products need to be secure, they fixed anything those people found wrong.

      Surely that means that to find a vulnerability, any would-be cracker would have to spend at least as long on auditing as cisco did themselves unless they happen to be very lucky, or unless there are problems easily-visible in the source-code that cisco haven't fixed. So we wouldn't expect any exploit to be seen in the near future?

    3. Re:Secure ? by gosand · · Score: 4, Insightful

      Well, let's say that cisco has allocated x people for code-auditing, and that they've had y years to do so (something like 15 and 15, probably?) And because their products need to be secure, they fixed anything those people found wrong. Surely that means that to find a vulnerability, any would-be cracker would have to spend at least as long on auditing as cisco did themselves unless they happen to be very lucky, or unless there are problems easily-visible in the source-code that cisco haven't fixed. So we wouldn't expect any exploit to be seen in the near future?

      Except that Cisco has no real incentive to find bugs in their code, whereas a cracker does. Motivation makes a huge difference. And why would Cisco need to do strict audits on their code? Nobody outside the company will ever see it. Right?

      --

      My beliefs do not require that you agree with them.

  3. If IOS was Open Source... by pdaoust007 · · Score: 4, Insightful

    All of these apocalyptic arguments about the Internet going down etc. would be moot...

    Then again one has to wonder how Cisco would have created their empire if their code would have been open sourced. A lot of their business is not only selling H/W but IOS features.

  4. Go for it Cisco by Stokey · · Score: 4, Insightful

    Just do it!

    Open source all your code. It's too late now (cat/bag/out of). Set an example to the rest of the business community.

    --
    Natsu gusa-ya, Tsuwamono domo-ga, Yume no ato

  5. what the fuck? by CAIMLAS · · Score: 4, Insightful

    Two direct links on the front page of slashdot to (literally) stolen IP?

    I wonder if Slashdot will get in trouble with Cisco for this? The moderators could at least have checked the links, no?

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers

  6. Vulnerability by version by RicoX9 · · Score: 5, Insightful

    I think that susceptibility will depend on what source was stolen. Was it the ENTIRE source? Or was it just pieces? They (the cracking types) may discover a hole in something that exists only in the Enterprise feature set, leaving most of the exposed routers on the Internet un-compromiseable (As most companies aren't going to pony up for the most expensive feature set when all they're doing is shuffling IP packets).

    Also could find a problem in basic TCP/IP code, making every Cisco router on the planet a revolving door. I find this scenario highly unlikely, as their base code is probably a lot more stable and reviewed than the newer, more advanced features.

  7. Re:The one thing not mentioned by groot · · Score: 3, Insightful

    Thus far, I find it odd no one has inquired as to the exact nature of how the hell someone got so far into the system as to be able to copy source code. That's not something any company leaves sitting in /pub.

    It's like some warped Stratego (TM) game, and the hackers have captured the flag.

    Now:

    1. The act of stealing it, sort of renders it useless, who would want a firewall that can be broken into and its own sources stolen.

    2. This embarrassment would have been circumvented if they had most of the code in the open source domain, especially the firewall. A good algorithm should be able to resist the test of scrutiny of its sources.

    3. The routing algorithm would be valuable but I doubt that it is what the hackers were after. So maybe they would want not to open source it.

    Bottom line, those things which are not core to your business should be released to the open source community. Of course some, like MS believe the universe is their core, so some will never change.

    --laz
    --
    "Just remember, it takes a village idiot." -- The Motley Fool.

  8. Code theft? by Mr+Smidge · · Score: 4, Insightful

    Slashdot labels a story as theft when no portion of the source code was removed from Cisco's computers? Never!

    No, I'm afraid this is not 'theft'.

    Theft must incorporate a desire to deprive the rightful owner of said taken item(s). Surely we know this by now?

    Stealing, yes. Theft, no.

    </PEDANT>

  9. Security Through Obscurity? by ThisIsFred · · Score: 3, Insightful

    Does this code contain the infamous "backdoor" account ever present on certain Cisco devices? It sure would be worth a criminal's time to get a hold of that. Think of all the other information he could steal once he knew that.

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS

  10. Re:backdoor by Gsus411 · · Score: 4, Insightful

    Honestly, what is so difficult about configuring cisco routers? You just configure the passwords, interfaces, set up a routing protocol, set a gateway of last resort, and you're set. You can learn how to do all this in 30 minutes!