Slashdot Mirror


Cisco Source Code Up For Sale: Only $24,000

spackbace writes "The notorious, mysterious Source Code Club (SCC) has re-emerged, this time selling source code for a Cisco application in another blatant violation of copyright regulations. Believed to be an anonymous collection of hackers, the SCC this week announced in a posting on a group Web site that it is offering the complete Cisco Pix 6.3.1 source code for US$24,000. Cisco Pix is a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks."

24 of 292 comments

  1. Now that's irony! by plierhead · · Score: 4, Insightful

    One can only marvel at the irony - someone stealing the source code for "a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks"!!!

    --

    [x] auto-moderate all posts by this user as insightful

    1. Re:Now that's irony! by PhrostyMcByte · · Score: 5, Insightful

      Like Mitnick proved, it only takes one idiot with social skills to bypass your firewall.

    2. Re:Now that's irony! by madprof · · Score: 5, Insightful

      Indeed, as in the Mitnick case, one idiot *did* do it...

    3. Re:Now that's irony! by drinkypoo · · Score: 3, Insightful

      It might be better to say that it only takes one socially talented individual talking to one idiot inside your organization. A real idiot will make some stupid mistake during the conversation that will make it abundantly clear, even to the slowest-witted, that they are not in fact your CEO.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. buying stolen property? by spacerodent · · Score: 3, Insightful

    With all the legal cases on "stealing" mp3s could they charge these people with possession of stolen property?

  3. Anonymous collection of hackers? by jeblucas · · Score: 4, Insightful

    Is there really such a thing in this day and age? That $24k has to go somewhere. Can't we just follow the money? It seems like this is the kind of thing that the feds would be all over. I see one of those huge multinational Interpol busts in about 5 weeks.

    --
    blarg.
    1. Re:Anonymous collection of hackers? by evilviper · · Score: 4, Insightful
      Can't we just follow the money?

      No. If we could, Nigerian scams, and old people losing their life savings could be prevented.

      Just have the money wired to you, and pick it up outside the country. Even inside the country, it's nearly impossible to track, because you can show up at any branch, anywhere.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    2. Re:Anonymous collection of hackers? by cmowire · · Score: 3, Insightful

      Oh, sure.

      And we'd be able to follow the money of drug dealers, kidnappers, terrorists, etc.

      It's harder than CSI makes it sound.

  4. Re:Pirated? by Agilis · · Score: 5, Insightful

    It's not worth all that much to them sitting on their drives anyways. Who knows, some wacko might actually pay!

    But really it's just to generate bad publicity for Cisco.

  5. Pretty Pointless... by evilviper · · Score: 4, Insightful

    So, for 24k, you can buy the PIX source code... For what?

    You obviously can't sell a product using this stolen code. A company can't exactly buy it and roll their own version.

    So it's really only good if you want to look for bugs in PIX that you can exploit, and since this is being sold by a group of hackers, you can bet that they've already looked for everything possibly exploitable.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  6. Re:Here's the post on usenet by erick99 · · Score: 2, Insightful

    I suspect they are after attention and notoriety more than money.

    --
    http://www.busyweather.com/
  7. Someone paying 24k by Chuck Chunder · · Score: 5, Insightful

    Isn't going to start handing it out for free.

    The only real reason to want the code is to find exploitable holes in the software. If you're paying 24k so you can do that you presumably want to use those exploits for a purpose. Releasing the sourcecode and risking exploits becoming public (and then patched) devalues your investment.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  8. Re:No worries... by ikegami · · Score: 2, Insightful

    Traced to where? To a country with laws favorable to them? Or maybe they rented a room using only cash and use that room as a mailbox. Hire a bum or trick a kid into picking up the mail in case the house is surveilled.

  9. Better yet, take a cue from Autodesk by Marxist Hacker 42 · · Score: 2, Insightful

    And Cisco, beat them to it by releasing a totally new version of the compiled firmware, then GPL'ing the source that they're trying to sell.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:Better yet, take a cue from Autodesk by Jeremiah Cornelius · · Score: 4, Insightful
      Maybe we'll finally get a PIX that can enforce bi-directional rules on arbitrary interfaces - and even route traffic!

      Funny! Microsoft had a firewall do this before Cisco! 'Course, they don't have a financial interest in maintaining the distinction that a "Firewall is not a Router".

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  10. Re:$24k? by goalive · · Score: 4, Insightful

    Well, I guess this will help decide once and for all if open-source software really is more secure than closed source. :-)

  11. Re:Proof open source is better. by schwagner · · Score: 3, Insightful

    There's a big difference between the people who write closed source code and the people who steal other people's work. This really says nothing about the quality of open vs. closed source code, or the people who write either one. It simply restates the fact that there are people out there who will do anything they want for money.

    --
    Where's Gilda Radner when I need her?
  12. Pointless by retro128 · · Score: 3, Insightful

    Anyone who would pay for this would have to be an absolute idiot. First of all there is no guarantee the source code is even the real thing. If it isn't as advertised, what are you going to do? Take an anonymous Russian hacking group that you knowingly bought stolen IP from to court? It's like the guy who calls the police and files a report about his pot stash being stolen.

    --
    -R
  13. Not even close by Plasmic · · Score: 5, Insightful

    The value of this intellectual property is not defined by the cut-and-pasteability of source code into a company's product. Certainly, this is not the likely application for any would-be buyers. Instead, knowing how the #1 router company in the world implements stateful packet-filtering on an embedded device is a very worthy piece of knowledge that can be used as a basis for the design of anything that touches a packet.

    In addition, Cisco spends hundreds of thousands of dollars in their support organization identifying hard-to-find interoperability issues and exception cases, testing things out in the lab, and then coding up fixes. All of these real-world experiences and corresponding code work-arounds that impact every other firewall/VPN/routing product on the market are captured in this source code.

    Cisco PIXes have proprietary integration with third-party products, such as IDS systems, content-filtering proxies (e.g. WebSense), etc. This source code surely exposes these APIs, which are covered by Cisco's own NDA with these companies and are coveted by anyone trying to integrate with such closed-source commercial offerings.

    Were it legal, it'd be a bargain!

  14. Use the source Luke.... by kalvyn · · Score: 4, Insightful

    I disagree with the above statement.

    Having the source to even a large program can be incredibly useful. Obtaining the source would lead to a higher level of understanding of the way Pix firewalls work. Knowing exactly how it is coded, being a closed-source product, you would now have the possibility to have exclusive knowledge to flaws in the code.

    Now, one hacker trying to sort through all of the code by oneself could take a very long while, unless it is well documented. Consider the possibility that a hacker group acquired it. Say 12 hackers. You could divide it up and find flaws much quicker.

    Given the wide use of Pix firewalls, it could end up being a skeleton key to thousands of corporate networks, assuming of course that it is the real deal.


    All code has at least one bug...
  15. Re:This is a problem for the /. crowd? by Orgazmus · · Score: 4, Insightful

    Because willingly opening up source code is not the same as selling stolen code?

    When the source is open(ed), it's a great thing.

    This is not!

    --
    The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
  16. Re:This is a problem for the /. crowd? by jd · · Score: 1, Insightful
    First, why should source code be closed? What's so great about security through obscurity? Just about every critical security hole in recent times has been in "Closed Source" software, whereas "Open Source" products such as OpenBSD have no holes of much significance.


    Second, what's so great about security through obscurity? Anyone is capable of scanning software for buffer overflows, etc, even for binaries. Plenty of packages exist for doing just that. The obscurity buys you exactly nothing. Unless you also sell such scanners, in which case it gets you a few sales of those.


    Third, what's "Open Source" got to do with Stolen Source? Unless you're from SCO, there's no relationship. And even then, I'd question as to who was doing the stealing.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  17. Wish they would sell video drivers! by iplayfast · · Score: 2, Insightful

    Or make them Open source and claim for their own! (after all if it's closed source, who knows where it came from). (joke).

  18. Re:This is a problem for the /. crowd? by ViolentGreen · · Score: 3, Insightful

    First, why should source code be closed?

    It is closed because they wrote the code and they have the right to release it as they please. They have to respect your decision to open your source code and you have to respect theirs to keep theirs closed. It is a product that they sell. If they open the source, they lose much of the capability to sell it. It's really not that hard to understand.

    --
    Not everything is analogous to cars. Car analogies rarely work.