Cisco Source Code Up For Sale: Only $24,000
spackbace writes "The notorious, mysterious Source Code Club (SCC) has re-emerged, this time selling source code for a Cisco application in another blatant violation of copyright regulations.
Believed to be an anonymous collection of hackers, the SCC this week announced in a posting on a group Web site that it is offering the complete Cisco Pix 6.3.1 source code for US$24,000. Cisco Pix is a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks."
Take a cue from SCO and drop the price to $699. That way EVERYONE will buy it!
Although I bet I'm screwed anyhow...
From my experience with PIXen, it's certainly not worth that...
One can only marvel at the irony - someone stealing the source code for "a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks"!!!
[x] auto-moderate all posts by this user as insightful
there is no ebay-link this time... :)
But still I sense the good old "want to sell something? Advertise with a slashdot story" spirit
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Anyone here has the source code for Linux OS? I'll pay roughly $2-3 grands via Yahoo Paydirect.
with all the legal cases on "stealing" mp3s could they charge these people with possession of stolen property?
Relevant Google Search:d e+Club
http://www.google.com/search?hl=en&q=%22Source+Co
and goto jail tomorrow....
Is there really such a thing in this day and age? That $24k has to go somewhere. Can't we just follow the money? It seems like this is the kind of thing that the feds would be all over. I see one of those huge multinational Interpol busts in about 5 weeks.
blarg.
but i'm in California and I don't want to pay tax on it.
If you think
It's not worth all that much to them sitting on their drives anyways. Who knows, some wacko might actually pay!
But really it's just to generate bad publicity for cisco
"Wouldn't these guys just figure that the code would get copied and shared after it gets sold. Once they sell it to someone, what keeps this guy from going and selling it for $10k? Or free?"
Why would they give a fuck? They're 24k up.
Also on offer, apparently, is the Enterasys Dragon IDS 6.1 intrusion detection system (IDS) software for $16,000 and an old Napster file sharing code, a snip at $10,000.
The original name behind the group was one Larry Hobbles who now seems to have disappeared. The Source Code Club is now said to be hawking a list of other stolen code to anyone who buys one full copy of the source code for sale.
http://www.busyweather.com/
So, for 24k, you can buy the PIX source code... For what?
You obviously can't sell a product using this stolen code. A company can't exactly buy it and roll their own version.
So it's really only good if you want to look for bugs in PIX that you can exploit, and since this is being sold by a group of hackers, you can bet that they've already looked for everything possibly exploitable.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I suspect they are after attention and notoriety more than money.
http://www.busyweather.com/
If you follow (or try) the people that can read tcpdump (or similar) logging like plain English and then in turn generate the packets to interact (exploit) what they see. I doubt having pix source code would matter much.
Also the 'IDS' features of the pix are static and pretty mundane and not tied to the IDS product so I am sure most people know how to get around them.
members are seeing something, you're seeing an ad
1) Purchase SCC's code: $24k
2) Purchase Linksys W54G from BestBuy
2.5) Port SCC code onto W54G.
3) Resell Modded Linksys W54G to Fry's Electronics
4) Profit!!!!
If you think
Isn't going to start handing it out for free.
The only real reason to want the code is to find exploitable holes in the software. If you're paying 24k so you can do that you presumably want to use those exploits for a purpose. Releasing the sourcecode and risking exploits becoming public (and then patched) devalues your investment.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Traced to where? To a country with laws favorable to them? Or maybe they rented a room using only cash and use that room as a mailbox. Hire a bum or trick a kid into picking the mail in case the house is surveilled.
And Cisco, beat them to it by releasing a totally new version of the compiled firmware, then GPL'ing the source that they're trying to sell.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
So what if the source code is available? If the device is any good, availability of source code shouldn't make any difference to the security.
There's a big difference between the people who write closed source code and the people who steal other people's work. This really says nothing about the quality of open vs. closed source code, or the people who write either one. It simply restates the fact that there are people out there who will do anything they want for money.
Where's Gilda Radner when I need her?
I'm not sure the source code to a huge programme is useful.
About the only thing you can do with it, without *understanding it*, is compile it and use the binary (and stealing the binary in the first place is much easier than the source.)
The effort required to understand a large programme is vast. It's far easier just to buy a license.
--
Toby
I don't think they can. I mean, they might get away with it at the beginning...but time always catches up with them. It may take years, but in the end, they almost always get caught. There are plenty of slow, methodical crime investigators out there that will track them down. Plus, since Cisco is at the heart of this particular scam, don't you think they have a few people working for them that kinda-sorta know how to track things through the Net?
Of course, there's also the chance they could totally get away with it too...but not likely. Criminals always think they're smarter than the people after them, but they only have to make one mistake to kiss it all goodbye. Or just wait until the statute of limitations is up.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Anyone who would pay for this would have to be an absolute idiot. First of all there is no guarantee the source code is even the real thing. If it isn't as advertised, what are you going to do? Take an anonymous Russian hacking group that you knowingly bought stolen IP from to court? It's like the guy who calls the police and files a report about his pot stash being stolen.
-R
Sure enough, here's the CISCO Pix file listing and the "newsletter".
The value of this intellectual property is not defined by the cut-and-pasteability of source code into a company's product. Certainly, this is not the likely application for any would-be buyers. Instead, knowing how the #1 router company in the world implements stateful packet-filtering on an embedded device is a very worthy piece of knowledge that can be used as a basis for the design of anything that touches a packet.
In addition, Cisco spends hundreds of thousands of dollars in their support organization identifying hard-to-find interoperability issues and exception cases, testing things out in the lab, and then coding up fixes. All of these real-world experiences and corresponding code work-arounds that impact every other firewall/VPN/routing product on the market are captured in this source code.
Cisco PIXes have proprietary integration with third-party products, such as IDS systems, content-filtering proxies (e.g. WebSense), etc. This source code surely exposes these APIs, which are covered by Cisco's own NDA with these companies and are coveted by anyone trying to integrate with such closed-source commercial offerings.
Were it legal, it'd be a bargain!
I wonder how they work out the values for the source they steal. Is it just based on how long it took them to get it, or do they have a formula like the Ed Norton one in Fight Club?
--
The last digit of pi is four.
Information wants to cost 24 thousand dollars!
pssst, there is another firewall you can download from here for free!!! Can you believe that??? But shhh! keep it quiet or they'll shut down the mirror.
___
If you think big enough, you'll never have to do it.
Geez, 6.3.1 is so old, I've already had to upgrade my Pix twice due to software errors that would cause the box to reset itself under moderate load. Current version is 6.3.4, and there have been a load of fixes. Maybe someone will want to buy it so they can write their own fixes & see if they work better than Cisco's updated version.
These people looked deep into my soul and assigned me a number based on the order in which I joined.
Here's the newsletter that they just posted to alt.gap.international.sales.
I disagree with the above statement.
Having the source to even a large program can be incredibly useful. Obtaining the source would lead to a higher level of understanding of the way Pix firewalls work. Knowing exactly how it is coded, being a closed-source product, you would now have the possibility to have exclusive knowledge to flaws in the code.
Now, one hacker trying to sort through all of the code by oneself could take a very long while, unless it is well documented. Consider the possibility that a hacker group acquired it. Say 12 hackers. You could divide it up and find flaws much quicker.
Given the wide use of Pix firewalls, it could end up being a skeleton key to thousands of corporate networks, assuming of course that it is the real deal.
All code has at least one bug...
Wanna buy a camo colored, flame resistant suit? Only $699! And you can close it as well; there's a zipper in the back!
Buy! BUY!!
"The only clear view is from atop the mountain of our dead selves." - Peter Carroll
Because willingly opening up source code is not the same as selling stolen code?
When the source is open(ed), it's a great thing.
This is not!
The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
if someone stole the source then it's not very effective at keeping people out, is it?
$24KUSD? don't think so.
http://www.digifuzz.net
okay slashdot. why on earth do you bother modding someone up just because they typed "source code club" into google and posted a search link.
i mean, i didn't get points when i suggested:
http://www.google.ca/search?hl=en&q=you+guys+are+a+bunch+of+knobs&btnG=Google+Search&meta=/
http://www.google.ca/search?hl=en&q=slashdot+moderator+iq+zero&btnG=Search&meta=/
http://www.google.ca/search?hl=en&q=filter+out+the+noise%2C+dammit&btnG=Search&meta=/
yours faithfully,
another anonymous coward
who-doesn't-have-a-nick-because-the-masses-are-idiots
From the newsgroup thread...
The SCC team does not expect you to trust us. To address this problem, we will split up the information into many files and you may purchase each part for a fraction of the total price. As your confidence grows with SCC, you may feel compelled to purchase these parts in bulk. Here is an example:
We are offering you a ~1 gigabyte compressed file for $10,000. We offer this file in 20 50 megabyte parts at $500 per part (10,000/20). You send us $500, we send you part 1. You send another $500, we send part 2. You choose to send $1000 and we send parts 3 and 4, etc etc. The rate that you purchase pieces is entirely up to you. As your confidence grows, we know that you will choose bigger pieces.
We also include detailed instructions on how to decrypt and put together the pieces, it is a simple process that can be done with any unix computer.
The problem with this scheme is that critical elements of the source can be intentionally withheld and that those pieces could be sold in all likelihood at a ridiculous amount. I mean if a moronic company actually decided to buy source code from these guys, and they are spending $5,000 on each "piece" of the code, they will want the entire thing. This goes beyond just scamming the software companies... this is almost similar to a Nigerian 419 scam in a way.
Karma police, arrest this man, he talks in maths....
Really, I really don't understand why this is a big deal. Anyone worth their salt in trying to take the code and develop the 'sploits doesn't need the source to get 'em. Many groups out there have already reverse-engineered the OS without the source and have plenty of 0-day exploits for the PIX, as well as Checkpoint and many other vendors. These groups are commercial R&D groups as well as hackers.
Between all the 0-days for Checkpoint and PIX, I honestly don't understand why anyone in their right mind would want to use these firewalls. This source offer is for eager script kiddies and nothing more.
The reason anyone would do this is a bit Merkey.
Since when does anyone actually have to STEAL anything to get the SCO to sue them?
Or make them Open source and claim for their own! (after all if it's closed source, who knows where it came from). (joke).
Nah. Merkey (from Merkey Research?, or was that his brother Paul?) is interested in copyright. Since I just gained read access to their repository of source code and was able to download it, I can only let him read the code ;-) After all the SCC group is not selling the copyrights to Cisco's code either :-)
LedgerSMB: Open source Accounting/ERP
--
TABLE OF CONTENTS
1) Contact Information
2) News
3) Buy
4) FAQ
5) About
Contact Information
Two ways to contact us:
1) Post a PGP message encrypted with our public key via usenet to: alt.gap.international.sales This method of contact is preferred.
2) Send email to: dmitrysky@rediffmail.com
THE EMAIL COULD CHANGE OR GO DOWN. If you absolutely must get a message to SCC, we recommend using usenet. The SCC PGP public key is located on full disclosure mailing list archives, usenet, and the end of this newsletter. It is wise to make sure they all match, for your safety. This public key will NEVER change. Only PGP encrypted email will be responded to.
News
SCC is proud to announce the general availability of Cisco Pix 6.3.1 source code. This release is significant because pix is vital to the security of many ultra-secure networks.
With the ubiquity of pix devices these days, we see a huge market for such code. Many intelligence agencies/government organizations will want to know if those 1's and 0's in the pix image really are doing what was advertised. You must ask yourself how well you trust the pix images you download to your appliance from cisco.com.
After reading the code, you may build the source code with one of the many Makefiles provided in the distribution to create your own in-house pix images. Sleep well at night knowing exactly what is sitting in your pix device's memory. Scroll down to the Buy section below for more information.
The price of Enterasys IDS and Napster has been raised. SCC is a dynamic entity, always evolving and trying out new ways of doing things. We have made a few changes in the way we operate, all for the better.
We are now offering some buyer incentives. After you purchase one full source from SCC, you become a private member. Private members get access to lists of sources that are not available to the general public. This list may contain sources that have been deemed too sensitive to put up for public buying, or it may contain sources that we plan on releasing in the future to public buyers. Private members not only get many months advance buying power to the sources, but will also pay less for sources than non-members.
The source you purchase to become a private member can be any source, no matter how cheap or expensive. This means you will purchase every 'part' of the source before becoming a private member.
We keep track of who is a private member by your PGP public key. This way a customer may always approach us from any anonymous place, and we can always verify he/she is a member by the public key. Do not destroy those PGP keys!
Buy
SCC is currently offering:
o Cisco Pix 6.3.1-release source code (NEW!)
o Enterasys network and host IDS source code and design documentation
o Napster source code repository
Buying Options:
1) All at once
2) Piece by piece
Buying Instructions:
Email us with our PGP key to tell us how many pieces of which package you wish to purchase (read FAQ if you are confused). PUT YOUR PUBLIC PGP KEY INSIDE THE MESSAGE SO WE CAN RESPOND TO YOU. We will not take orders from anyone not using PGP.
Cisco Pix Information:
Cisco Pix is one of the leading firewall security applications on the market. This firewall provides security, ipsec, vpn, intrusion protection, network monitoring, and much more services that can be used on small personal & business networks and massive gigabit carrier networks. For more information on this product and many other great products, please visit www.cisco.com.
The source package includes all sources and 'make' files to compi
Nice post :-)
Just for yuks, you might want to consider M0n0wall. I'm evaluating it for a client right now, and it's very impressive (BSD-based with a good PHP interface.) I'm running it on a PCEngines WRAP 1C-2 board (cheaper & faster than Soekris) and it works a charm (I ditched my cantankerous PC firewall for this a while ago.)
Cole's Law: Thinly sliced cabbage
First, why should source code be closed?
It is closed because they wrote the code and they have the right to release it as they please. They have to respect your decision to open your source code and you have to respect theirs to keep theirs closed. It is a product that they sell. If they open the source, they lose much of the capability to sell it. It's really not that hard to understand.
Not everything is analogous to cars. Car analogies rarely work.