Cisco Source Code Up For Sale: Only $24,000

spackbace writes "The notorious, mysterious Source Code Club (SCC) has re-emerged, this time selling source code for a Cisco application in another blatant violation of copyright regulations. Believed to be an anonymous collection of hackers, the SCC this week announced in a posting on a group Web site that it is offering the complete Cisco Pix 6.3.1 source code for US$24,000. Cisco Pix is a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks."

Pirated?

[joelanders]

Wouldn't these guys just figure that the code would get copied and shared after it gets sold. Once they sell it to someone, what keeps this guy from going and selling it for $10k? Or free?

Proof open source is better.

[rebeka+thomas]

This is really casting a cloud over the closed source world. It seems the closed-source hackers just can't keep their hands out of the illegal pie, and won't ever respect other people's property. The more you dabble in closed-source products, the worse it gets.

Best to start open source from the beginning. F/OSS is clearly a culture of more balanced individuals.

oh well

[hpavc]

If you follow (or try) the people that can read tcpdump (or simular) logging like plain english and then in turn generate the packets to interact (exploit) what they see. I doubt having pix source code would matter much.

Also the 'IDS' features of the pix are static and pretty mundane and not tied to the IDS product so i am sure most people know how to get around them.

Weekend project

[lateralus_1024]

1)Purchase SCC's code: $24k
2)Purchase Linksys W54G from BestBuy
2.5) Port SCC code onto W54G.
3)Resell Modded Linksys W54G to Fry's Electronics
4)Profit!!!!

Re:Money exchange?

[sgant]

I don't think they can. I mean, they might get away with it at the beginning...but time always catches up with them. It may take years, but in the end, they almost always get caught. There are plenty of slow, methodical crime investigators out there that will track them down. Plus, since Cisco is at the heart of this particular scam, don't you think they have a few people working for them that kinda-sorta know how to track things through the Net?

Of course, there's also the chance they could totally get away with it too...but not likely. Criminals always think they're smarter then the people after them, but they only have to make one mistake to kiss it all goodbye. Or just wait until the statute of limitations is up.

Out of Date

[msaulters]

Geez, 6.3.1 is so old, I've already had to upgrade my Pix twice due to software errors that would cause the box to reset itself under moderate load. Current version is 6.3.4, and there have been a load of fixes. Maybe someone will want to buy it so they can write their own fixes & see if they work better than Cisco's updated version.

Why trust these guys?

[Xoo]

From the newsgroup thread...

The SCC team does not expect you to trust us. To address this problem, we will split up the information into many files and you may purchase each part for a fraction of the total price. As your confidence grows with SCC, you may feel compelled to purchase these parts in bulk. Here is an example:
We are offering you a ~1 gigabyte compressed file for $10,000. We offer this file in 20 50 megabyte parts at $500 per part (10,000/20). You send us $500, we send you part 1. You send another $500, we send part 2. You choose to send $1000 and we send parts 3 and 4, etc etc. The rate that you purchase pieces is entirely up to you. As your confidence grows, we know that you will choose bigger pieces.
We also include detailed instructions on how to decrypt and put together the peices, it is a simple process that can be done with any unix computer.

The problem with this scheme is that critical elements of the source can be intentionally withheld and that those pieces could be sold in all likelihood at a ridiculous amount. I mean if a moronic company actually decided to buy source code from these guys, and they are spending $5,000 on each "piece" of the code, they will want the entire thing. This goes beyond just scamming the software companies... this is almost similar to a Nigerian 419 scam in a way.

Re:Anonymous collection of hackers?

[commodoresloat]

Actually, we ARE able to follow a lot of this money, the big transactions at least. More often than not, the money trail goes through very powerful banking interests who have an incentive to keep such trails hidden, and the enforcement falls to agents of governments who have an incentive not to break up these "hidden" economic networks. Read Modern Jihad for an excellent overview of the trail of money funding terrorism for example. The author makes the point that the economic network funding terrorism is also funding many above ground and legit enterprises, and that governments have resisted attacking economic networks that they too depend on for many things (including, ironically, many counterterrorism efforts). I would not be surprised to learn that the same point can be made about other forms of organized crime.

put it on eBay, make money

[EtherAlchemist]

Put it on eBay and people will pay 4 times what it's worth, then re-sell it for half what they bought it for 2 months later. Reverse-economics.

Re:Not even close

[evilviper]

knowing how the #1 router company in the world implements stateful packet-filtering [...] can be used as a basis for the design of anything that touches a packet.

Stateful packet filtering is not an art. You could just as easily look at the code for a BSD-licensed packet filter, and get the same functionality.

This source code surely exposes these APIs, which are covered by Cisco's own NDA

You could bribe someone who has signed an NDA for less than $24,000, and you'd get actual specs, not just source code. It wouldn't be any MORE or less illegal. Cisco is going to suspect something when your product can interact with all the products it does.

Were it legal, it'd be a bargain!

Exactly... It's not legal, so any commercial use of it will end badly. So what's left to do with it? Finding exploits is the only one I can come up with.

Re:Pointless

[graffix_jones]

It's like the guy who calls the police and files a report about his pot stash being stolen.

I don't know if the parent was being sarcastic, but here in my town, the police actually encourage this behavior.

We've had several home invasion robberies where people's marijuana and cash were stolen, who called the police, and had no charges pressed against them.

Our local police chief said he'll never prosecute people under these circumstances... his opinion is that it's better to get the people off the streets performing these robberies than it is to lock up these unlucky potheads, and thus he doesn't want them to be afraid to call the police.

Of course I live in Northern California as well, so that could have something to do with it... ;)

Re:Why bother?

[fuzzybunny]

Nice post :-)

Just for yuks, you might want to consider M0n0wall. I'm evaluating it for a client right now, and it's very impressive (BSD-based with a good PHP interface.) I'm running it on a PCEngines WRAP 1C-2 board (cheaper & faster than Soekris) and it works a charm (I ditched my cantankerous PC firewall for this a while ago.)