Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco IOS Source Code Theft Story Continues

Posted by Hemos on from the bad-news-for-cisco dept.

securitas writes "eWEEK's Steven J. Vaughan-Nichols reports that the source code for Cisco's 'main networking device operating system was stolen on Thursday' (May 13) according to the Russian company SecurityLab. SecurityLab says that criminals broke into Cisco's network and stole 800MB of source code for IOS 12.3 and IOS 12.3t, a pre-release variant. The purported culprit(s) then bragged about the feat in an IRC session and offered 2.5 MB of the code as proof. Industry analysts Dell'Oro Group says that 'Cisco owns 62 percent of the core router market.' More at the Sydney Morning Herald and Windows Network magazine." Our original coverage was here of this story.

42 of 318 comments (clear)

  1. Can you imagine... by Anonymous Coward · · Score: 5, Insightful

    ...if the entire internet was taken down? for an extended period of time? The world would fall into disarray. Although once upon a time the world functioned perfectly well without the internet. Amazing how technology makes us dependent just like junkies.

    1. Re:Can you imagine... by skasingularity · · Score: 5, Funny
      Sure there would be problems, but I think most people would opt for watching TV or going outside. Some businesses would stall, and slashdot users would probably try and hang themselves with their mice, but I think a relatively large part of the world would continue to operate.

      Just because you rely on the internet, doesn't mean the entire world does too.

    2. Re:Can you imagine... by iapetus · · Score: 5, Funny

      Personally I take offence at your narrow typecasting of Slashdot users.

      Some of us use wireless mice, and would have to resort to hanging ourselves with VGA cables.

      --
      ++ Say to Elrond "Hello.".
      Elrond says "No.". Elrond gives you some lunch.
    3. Re:Can you imagine... by Segway+Ninja · · Score: 4, Insightful

      But it would be fair to say that most businesses do rely on the internet, in some way or form. At least, they do in New Zealand. E-Mail would have to be a main source of internal communications (eg, within the company - but not the same building, as within the building would probably function without the net) - definately for technical resources on products and the like.

    4. Re:Can you imagine... by tymbow · · Score: 3, Insightful

      A friend of mine used to regularly say that only IT and the illicit drug trade call people "users".

    5. Re:Can you imagine... by B'Trey · · Score: 4, Insightful

      Sure there would be problems, but I think most people would opt for watching TV or going outside.

      It isn't the Internet as an entertainment tool that's the issue. It's the Internet as a business tool. In some situations, there are alternatives - a phone call instead of an email, a printed report instead of one transmitted electronically. But there are a great many systems which have been converted to the Internet for which the old infrastructure either no longer exists or would be extremely difficult to reactivate. Inventory systems, ordering systems, tracking systems, etc.

      I'm in the US Military. Message traffic used to be transmitted via radio to teletypes. Now, it all rides on the Internet. The teletypes are long gone. Lack of an Internet wouldn't bring us to our knees - we have contingency plans. But it would seriously impact our operations.

      Just because you rely on the internet, doesn't mean the entire world does too.

      The world DOES rely on the Internet, whether you're aware of it or not. We would survive, just as we survive hurricanes and black outs and other disasters. But any significant disruption of the Internet certainly would be classified as a disaster and have significant impact.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    6. Re:Can you imagine... by banzai51 · · Score: 5, Funny

      I have stolen the entire source code for Lunix. I'm gong to distribute it and see how long before EVERY linux server is down.

    7. Re:Can you imagine... by infochuck · · Score: 3, Funny

      ...I think most people would opt for watching TV or going outside.

      Outside? What's the URL for that?

  2. backdoor by sleepnmojo · · Score: 5, Funny

    They could have at least posted the code for the backdoor in all the routers.

    1. Re:backdoor by thpdg · · Score: 5, Funny

      Have you ever tried to configure any Cisco equipment? Even if you had the password, you'd give up in frustration after a few minutes. The only ones who can do it, are the ones who have a lot of experience with it. That's the real security of the plan!

      --

      -Patrick

      "They never stop thinking about new ways to harm our country and our people, and neither do we."

    2. Re:backdoor by Gsus411 · · Score: 4, Insightful

      Honestly, what is so difficult about configuring cisco routers? You just configure the passwords, interfaces, set up a routing protocol, set a gateway of last resort, and you're set. You can learn how to do all this in 30 minutes!

  3. The internet seems faster today. by JPriest · · Score: 4, Funny

    I notice this morning that since the code leak the Internet has been faster, more stable, and I get packeted less often. Since the code leak I also lost 5 pounds and I swear my erectioin this morning was larger. *phone rings* That must be my bank calling to tell me they lowered my intrest rates.

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    1. Re:The internet seems faster today. by System.out.println() · · Score: 4, Funny

      And on top of all that, I just saved a bunch of money on my car insurance by switching to Geico!

      --
      I've got more mod points and GMail invi
  4. Please remove code by fearlezz · · Score: 4, Funny

    Please, everybody! Please remove the source code from the internet ASAP before SCO sees it and claims ownership!!

    --
    .sig: No such file or directory
  5. Secure ? by cyberfunk2 · · Score: 5, Insightful

    Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldnt this theoretically not matter (just as the code for stuff like ipfw is open)?

    I realize however that Cisco code is likely more complex than the relatively simple stuff ipfw does.

    1. Re:Secure ? by flying_mushroom · · Score: 5, Insightful

      The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere.

      Sure, it might be more solid than Windows (!), but no large software project nowadays can presume to be bug-free. It's just too much code and possible scenarios to say that it all has been tested.

    2. Re:Secure ? by Anonymous Coward · · Score: 5, Interesting
      Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldnt this theoretically not matter (just as the code for stuff like ipfw is open)?
      I presume that by ipfw, you're speaking of the BSD IP firewall. In which case, yes, you're right, Cisco's IOS does a bit more in terms of advanced processing.

      Having had a look at some of the source code, I'm generally impressed. Cisco's code is solid. It's perhaps a bit more simplified than what you'll see in BSD's ipfw source, but simpler is better when you're talking about mission-critical applications. IOS is responsible for switching packets on a fair amount of heavy links; ipfw is responsible for switching packets at your average LAN.

      I don't think the IOS leak is going to lead to any new vulnerabilities. Cisco produces solid code. The only real interesting thing we may see is backdoor-style commands to IOS that the public is not aware of.

      --
      Free Naked Pics
    3. Re:Secure ? by xchino · · Score: 3, Interesting

      Sorry, but if this is true and the full source code has been released to the public, I can pretty much gurantee you there will be vulnerabilities found. The likleyhood that in the entire codebase, there exists not a single flaw is scientifically insignificant. We may not see any vulnerabilities the likes of "print 500 A's on login: " but you can bet there's something that will let someone do something they aren't supposed to. The chances of vulns coming from this are alot greater than the chances more vendor implemented backdoors are found, and that wouldn't suprise me in the least.

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.
    4. Re:Secure ? by gnu-generation-one · · Score: 4, Insightful

      "The problem is that, with 800 MB of code it's virtually impossible to be sure that there are no serious bugs somewhere."

      Well, let's say that cisco has allocated x people for code-auditing, and that they've had y years to do so (something like 15 and 15, probably?) And because their products need to be secure, they fixed anything those people found wrong.

      Surely that means that to find a vulnerability, any would-be cracker would have to spend at least as long on auditing as cisco did themselves unless they happen to be very lucky, or unless there are problems easily-visible in the source-code that cisco haven't fixed. So we wouldn't expect any exploit to be seen in the near future?

    5. Re:Secure ? by gosand · · Score: 4, Insightful
      Well, let's say that cisco has allocated x people for code-auditing, and that they've had y years to do so (something like 15 and 15, probably?) And because their products need to be secure, they fixed anything those people found wrong. Surely that means that to find a vulnerability, any would-be cracker would have to spend at least as long on auditing as cisco did themselves unless they happen to be very lucky, or unless there are problems easily-visible in the source-code that cisco haven't fixed. So we wouldn't expect any exploit to be seen in the near future?

      Except that Cisco has no real incentive to find bugs in their code, whereas a cracker does. Motivation makes a huge difference. And why would Cisco need to do strict audits on their code? Nobody outside the company will ever see it. Right?

      --

      My beliefs do not require that you agree with them.

    6. Re:Secure ? by johne_ganz · · Score: 5, Interesting
      Forgive my ignorance, but if the code is truly solid code, without buffer overruns and the like, shouldnt this theoretically not matter

      Yes, provided it's solid code. So the obvious question is: is it solid code? What makes for solid code? I'm of the opinion that it is far from 'solid' code for two main reasons.

      The history of the code base.

      It's monolithic nature.

      IOS started out on the same CPU board as Sun (and SGI) computers: The Stanford 68000 board. Remember what Sun stands for: Stanford University Network. These three companies all started from the same hardware design. Cisco took this design and the original software for running the Stanford networks (some allege they stole it) and kept adding on to it. The 68000 had no MMU, and therefore provided no protection of one process from another- any process could write to any part of memory.

      The problem is that the software still has this in its genes. While IOS will make use of modern MMU's to do some level of protection (such as marking read-only the text segment), at its core its still a "every process is fully trusted" design. Now, this does have some advantages- in the old days when the forwarding was all done on the CPU in the interrupt context this was a huge win. Saving all the state and MMU context switches could really lower performance.

      The drawbacks, however, are pretty bad IMHO. Since there's no separation of processes, any one process can bring down the system. If BGP was running under Unix, and it ran in to a problem where it would seg fault, under IOS the entire system would panic and reboot. IF it happens to catch the error, which is much less likely to happen because there's no separation of processes and what memory resources belong to that process as opposed to other processes.

      The monolithic nature of IOS also tends to breed lax programming practices. Who needs to ensure that everything is tip top when everything is self contained? There's a certain darwinian pressure that gets placed on a system when anyone can write code for it and expects the system to stay up and running like Unix. Under IOS, none of that exists. As a matter of fact, the pressure is in the opposite direction- when you write something that crashes the system- don't do that. Furthermore, the code tends to largely interact with only a few other implementations, and the one it interacts with the most is itself (cisco's talking to cisco's). Not a lot of pressure to find those odd ball corner cases and fix them... Just the kind of corner cases that are the most likely to result in exploitable bugs.

      So, are there security problems with IOS? You'd better believe it. All you have to do is peruse the BugTracker database and look for bugs that cause a crash. Things like "malformed SNMP request causes crash" are prime candidates to exploit.

  6. unlikely by beware1000 · · Score: 4, Funny

    In other news, Microsoft, Valve and Cisco to give free seminars on network security!

  7. If IOS was Open Source... by pdaoust007 · · Score: 4, Insightful

    All of these apocalyptic arguments about the Internet going down etc. would be moot...

    Then again one has to wonder how Cisco would have created their empire if their code would have been open sourced. A lot of their business is not only selling H/W but ISO features.

  8. Suspect profile by Anonymous Coward · · Score: 5, Funny
    Here is my suspect profile:

    1. French or German
    2. Linux/open source zealot
    3. Lives in parents basement
    4. Showers monthly

  9. Cisco IOS built on BSD by p.rican · · Score: 3, Interesting

    I recently finished CCNA training and asked the instructor what OS CiscoIOS was based on and I was told it's based on BSD OS. He didn't tell me which BSD though....

    --

    /. --"Demented and sad....but social" -Judd Nelson

    1. Re:Cisco IOS built on BSD by LizardKing · · Score: 5, Interesting

      I recently finished CCNA training and asked the instructor what OS CiscoIOS was based on and I was told it's based on BSD OS. He didn't tell me which BSD though....

      It's descended from the Unix related work done at Berkeley in the early 1980's. I can't find a suitable link at the moment, but from what I remember there was some controversy about the commercialisation of the code. Much of the work was while the future Cisco founders were still employed at the university. This meant it should have belonged to the Regents, and released under a BSD license. If so, then it's ironic that the code is in the public domain, albeit under dubious circumstances.

      Chris

  10. Rough translation of 'bragged' link... by iapetus · · Score: 5, Informative

    "As SecurityLab discovered, on the 13th of May all the source code of the CISCO IOS operating system, which is used in the majority of CISCO's network installations was stolen. The full extent of the stolen information runs to about 800MB compressed.

    According to our information, the release of fragments of the source code came about due to a break-in to the corporate network of Cisco System. Representatives of Cisco System have meanwhile made no comment on the incident.

    The information came from a certain individual under the nick of franz on darknet@EFNet IRC, where he also presented a small part of the source code (about 2.5MB) as evidence.

    Below are links to the first 100 lines of source code from the files ipv6_tcp.c and ipv6_discovery_test.c."

    Apologies for any errors - my technical Russian's a little rusty. :)

    --
    ++ Say to Elrond "Hello.".
    Elrond says "No.". Elrond gives you some lunch.
  11. Go for it Cisco by Stokey · · Score: 4, Insightful
    Just do it!

    Open source all your code. It's too late now (cat/bag/out of). Set an example to the rest of the business community.

    --
    Natsu gusa-ya, Tsuwamono domo-ga, Yume no ato
    1. Re:Go for it Cisco by the_mad_poster · · Score: 4, Interesting

      SECURITY BY OBSCURITY DOES WORK

      *sigh* And, of course there's going to be a troll like this.

      No, it doesn't, but thanks for playing. See, someday maybe you'll learn the painful lesson that Cisco is learning now: Security Through Obscurity only works as far as your REAL security measures can protect it. Gee. Looky there. Cisco's cat just left the bag, and why? Becuase the network security wasn't strong enough to protect it. All these years of obscurity are now on the brink of becoming completely worthless because the REAL protection wasn't there just long enough to let it happen. The second that code hits a public FTP server, STO at Cisco became absolutely useless.

      But, hey. If you want to rely on STO for anything more than your last line of defense, be my guest. Just promise me you won't be mad when I laugh at you for getting burned by it.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  12. what the fuck? by CAIMLAS · · Score: 4, Insightful

    Two direct links on the front page of slashdot to (literally) stollen IP?

    I wonder if Slashdot will get in trouble with Cisco for this? The moderators could have at least have checked the links, no?

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  13. Re:800MB?? by SmackCrackandPot · · Score: 5, Informative

    You've got a real-time operating system, a basic file-system, the TCP/IP and all the other protocol stacks, the SNMP/MIB support and proprietary routing algorithms. Presumably, the source code would be documented to some extent, along with SCCS archiving. All of this could easily add up to over 800 Megabytes.

  14. Seminar sessions by T-Kir · · Score: 4, Funny

    In the seminars I can imagine how Cisco would explain they're love of being shafted, hence all the backdoor access (pun intended!)...

    ...Microsoft will just blab about how they CAN be trusted, and show everyone pretty pictures and a Matrix spoof to distract everyone...

    ..while Valve gets the dates for the seminar mixed up and turn up 6 months later.

    --
    Are you local? There's nothing for you here!
  15. The one thing not mentioned by RedShoeRider · · Score: 5, Interesting
    Thus far, I find it odd no one has inquired as to the exact nature of how the hell someone got so far into the system as to be able to copy source code. That's not something any company leaves sitting in /pub. Whomever pulled this off (assuming it's not bullshit) knew something (social engineering, perhaps), for I'm sure Sisco has been hammered by attacks for years, just like any large company.

    My one thought: it's all bullshit until Cisco comes out and says they were hacked. Anyone can put together a bunch of seemingly well-written code and say that they were l33t and got in to Cisco.

    The proof is in the pudding. And all I see so far is some sugar.

    --

    Chris Knight is my hero.

    1. Re:The one thing not mentioned by groot · · Score: 3, Insightful

      Thus far, I find it odd no one has inquired as to the exact nature of how the hell someone got so far into the system as to be able to copy source code. That's not something any company leaves sitting in /pub.

      It's like some warped Stratego (TM) game, and the hackers have captured the flag.

      Now
      :
      1. The act of stealing it, sort of renders it useless, who would want a firewall that can be broken into an its own sources stolen.

      2. This embarrasement would have been circumvented if they had most of the code in the open source domain, especially the firewall. A good algorithm should be be able to resist the test of scrutiny of its sources.

      3. The routing algorithm would be valuable but I doubt that it is what the hackers were after. So maybe they would want not to open source it.

      Bottom line, those things which are not core to your business should be release to the open source community. Of course some, like MS believe the universe is their core, so some will never change.

      --laz
      --
      "Just remember, it takes a village idiot." -- The Motley Fool.
  16. That's why corps should stick to dial-up.. by Anonymous Coward · · Score: 5, Funny

    ..they would have noticed then if 800 MB was being downloaded.

  17. Vulnerability by version by RicoX9 · · Score: 5, Insightful

    I think that susceptibility will depend on what source was stolen. Was it the ENTIRE source? Or was it just pieces? They (the cracking types) may discover a hole in something that exists only in the Enterprise feature set, leaving most of the exposed routers on the Internet un-compromiseable (As most companies aren't going to pony up for the most expensive feature set when all they're doing is shuffling IP packets).

    Also could find a problem in basic TCP/IP code, making every Cisco router on the planet a revolving door. I find this scenario highly unlikely, as thier base code is probably a lot more stable and reviewed than the newer, more advanced features.

  18. Funny lines in the source code by MavEtJu · · Score: 4, Funny

    /*
    * Juniper engineers are weenies!
    */

    --
    bash$ :(){ :|:&};:
  19. If it had been a microsoft leak ... by Anonymous Coward · · Score: 5, Interesting

    Well ... is it not kinda strange? A few months back when the Windows code was leaked, most of Slashdot was screaming about 65,000(i dint cook that number!) Windows bugs. Well, nothing happened really. Except an IE 5.x bug, which was patched silently before the source code leak.

    Now lets compare the REAL security issues.
    1. The number of people who were dissecting the Windows Source Code are much more than those trying to find a Cisco hole.
    2. Even without the Windows Source, we can reverse engineer large parts of the Windows Sources and identify problems. With the leak it just became easier. I dont expect too many crackers trying to find holes in Cisco's IOS.

    This simply means that the chances of finding a security hole in Cisco is much higher than in Windows. Because now that the source is out in the open, its easier. Why would they choose to look?

    1. Bringing down those routers could virtually bring down most of the internet.
    2. The entire financial world uses them! If a hole is discovered it might just be the easiest way to get into those systems.
    3. It could be easier than trying to find a Windows hole, since (as from my earlier logic) many many people have already tried without results.
    4. The damage that could be done in those 2 cases are so immense, that a comparison would be irrelevant. ... Slashdotters, cant it be just possible that this leak might be much more disastrous that the Windows leak.

    [Troll: Btw ... its funny reading that Windows article again, and going through posts that talked abt non-existant security in Windows. And how many holes did people find.]

  20. Code theft? by Mr+Smidge · · Score: 4, Insightful

    Slashdot labels a story as theft when no portion of the source code was removed from Cisco's computers? Never!

    No, I'm afraid this is not 'theft'.

    Theft must incorporate a desire to deprive the rightful owner of said taken item(s). Surely we know this by now?

    Stealing, yes. Theft, no.

    </PEDANT>

  21. the code that is "shown" as Cisco IOS .... by Anonymous Coward · · Score: 4, Interesting

    I've looked at the sources on display at the russian site [IPv6 sources], that pretend to be from the IOS. Several things took my attention:
    1. Since when programmers, working for a serious company, write copyright notices for themselves in the header... Like if you work for, let's say, SCO (ha-ha), you will put in the header copytight by you, and then - who knows - might sue SCO for stealing code from you :)
    2. printf("\nAdding %P to ND cache", &target);
    The ND cache is really connected to neighbor solicit messages, but would the Cisco IOS be printing a message, saying that it is adding the address to the ND cache without checking debug flags, etc.? And I am sure it is not a matter of system design in this case. You cannot get the impression just from one tiny piece of code.
    3. Some post here were stating... "root" access, which certainly made me smile. The IOS is running cooperative multitasking and the tasks usually run at the same level.
    4. Ole Troan really works for Cisco Systems (in UK) and is the proud author of the IPv6 DHCP RFC specification 3633. So this is an argument that supports a little bit of the theory. Just didnt think that Cisco still has developers in UK. I thought they outsourced everything to India long time ago ;)))
    There are some more, but I'll save you the tiny details, like big endian or other nifty stuff in the code.

  22. Security Through Obscurity? by ThisIsFred · · Score: 3, Insightful

    Does this code contain the infamous "backdoor" account ever present on certain Cisco devices? It should would be worth a criminal's time to get a hold of that. Think of all the other information he could steal once he knew that.

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
  23. Poor coding standards by jkabbe · · Score: 3, Funny

    Who would use critical hardware from a company that can't even decide where to put their curly-braces? Are they at the end of the line or on a line by themself? Make up your frickin' mind!!