Slashdot Mirror


Cisco Source Code Up For Sale: Only $24,000

spackbace writes "The notorious, mysterious Source Code Club (SCC) has re-emerged, this time selling source code for a Cisco application in another blatant violation of copyright regulations. Believed to be an anonymous collection of hackers, the SCC this week announced in a posting on a group Web site that it is offering the complete Cisco Pix 6.3.1 source code for US$24,000. Cisco Pix is a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks."

45 of 292 comments (clear)

  1. Take a cue from SCO by Anonymous Coward · · Score: 5, Funny

    Take a cue from SCO and drop the price to $699. That way EVERYONE will buy it!

    1. Re:Take a cue from SCO by Plural+of+Mongoose · · Score: 5, Funny

      As long as they don't start selling software they steal from IBM, as then SCO would hafta sue 'em!

      --
      The last fucking thing you want is my undivided attention...
  2. Good thing I'm running 6.3(4) by Anonymous Coward · · Score: 3, Funny

    Although I bet I'm screwed anyhow...

  3. $24k? by miles31337 · · Score: 5, Funny

    From my experience with PIXen, it's certainly not worth that...

    1. Re:$24k? by goalive · · Score: 4, Insightful

      Well, I guess this will help decide once and for all if open-source software really is more secure than closed source. :-)

  4. Now that's irony! by plierhead · · Score: 4, Insightful

    One can only marvel at the irony - someone stealing the source code for "a firewall application providing security, intrusion protection, network monitoring and other services for business and carrier networks"!!!

    --

    [x] auto-moderate all posts by this user as insightful

    1. Re:Now that's irony! by PhrostyMcByte · · Score: 5, Insightful

      like mitnick proved, it only takes one idiot with social skills to bypass your firewall.

    2. Re:Now that's irony! by madprof · · Score: 5, Insightful

      Indeed, as in the Mitnick case, one idiot *did* do it...

    3. Re:Now that's irony! by drinkypoo · · Score: 3, Insightful

      It might be better to say that it only takes one socially talented individual talking to one idiot inside your organization. A real idiot will make some stupid mistake during the conversation that will make it abundantly clear, even to the slowest-witted, that they are not in fact your CEO.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. At least... by imsabbel · · Score: 5, Funny

    there is no ebay-link this time...
    But still i sense the good old "want to sell something? Advertise with a slashdot story" sprit :)

    --
    HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
    1. Re:At least... by superpulpsicle · · Score: 4, Funny

      I know slashdotters, make some shit up. Source code is worth nothing until it comes out of some good story.

      A female russian spy escaped cisco with the source code after sneaking by an army of cisco security armed with AK-47s. She walked all the way to Ebay headquarters bearfoot and delivered 40 floppies in a pizza box. Her only weapon was a 10BaseT ethernet cable.

  6. Will buy Linux by Anonymous Coward · · Score: 5, Funny

    Anyone here has the source code for Linux OS? I'll pay roughly $2-3 grands via Yahoo Paydirect.

    1. Re:Will buy Linux by Anonymous Coward · · Score: 4, Funny

      $2-3 grand!? I got mine for $699 from a little company called SCO, which is currently having a closing down sale.

    2. Re:Will buy Linux by name773 · · Score: 5, Funny

      Of course, the toll-free telephone support line seems disconnected: 1-800-DEV-NULL
      at first i thought that said "troll-free telephone support line".

    3. Re:Will buy Linux by wizzardme2000 · · Score: 3, Informative

      Who you ask? It be these people: http://www.webhostworks.net/helpdesk.html

      --

      Toast lands jelly down. If you jelly both sides of a piece of toast, it will hover in a state of quantum indecision.
  7. buying stolen property? by spacerodent · · Score: 3, Insightful

    with all the legal cases on "stealing" mp3s could they charge these people with posession of stolen property?

  8. Anonymous collection of hackers? by jeblucas · · Score: 4, Insightful

    Is there really such a thing in this day and age? That $24k has to go somewhere. Can't we just follow the money? It seems like this is the kind of thing that the feds would be all over. I see one of those huge multinational Interpol busts in about 5 weeks.

    --
    blarg.
    1. Re:Anonymous collection of hackers? by evilviper · · Score: 4, Insightful
      Can't we just follow the money?

      No. If we could, Nigerian scams, and old people loosing their life savings could be prevented.

      Just have the money wired to you, and pick it up outside the country. Even inside the country, it's nearly impossible to track, because you can show up at any branch, anywhere.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    2. Re:Anonymous collection of hackers? by cmowire · · Score: 3, Insightful

      Oh, sure.

      And we'd be able to follow the money of drug dealers, kidnappers, terrorists, etc.

      It's harder than CSI makes it sound.

    3. Re:Anonymous collection of hackers? by commodoresloat · · Score: 4, Interesting

      Actually, we ARE able to follow a lot of this money, the big transactions at least. More often than not, the money trail goes through very powerful banking interests who have an incentive to keep such trails hidden, and the enforcement falls to agents of governments who have an incentive not to break up these "hidden" economic networks. Read Modern Jihad for an excellent overview of the trail of money funding terrorism for example. The author makes the point that the economic network funding terrorism is also funding many above ground and legit enterprises, and that governments have resisted attacking economic networks that they too depend on for many things (including, ironically, many counterterrorism efforts). I would not be surprised to learn that the same point can be made about other forms of organized crime.

  9. I would buy it by lateralus_1024 · · Score: 5, Funny

    but i'm in California and I don't want to pay tax on it.

    --
    If you think /. comments are bad, check out Digg.
  10. Re:Pirated? by Agilis · · Score: 5, Insightful

    It's not worth all that much to them sitting on their drives anyways. Who knows, some wacko might actually pay!

    But really it's just to generate bad publicity for cisco

  11. A bit more by erick99 · · Score: 5, Informative
    I found this in another article about the same story:

    Also on offer, apparently, is the Enterasys Dragon IDS 6.1 intrusion detection system (IDS) software for $16,000 and an old Napster file sharing code, a snip at $10,000.

    The original name behind the group was one Larry Hobbles who now seems to have disappeared. The Source Code Club is now said to be hawking a list of other stolen code to anyone who buys one full copy of the source code for sale.

    --
    http://www.busyweather.com/
  12. Pretty Pointless... by evilviper · · Score: 4, Insightful

    So, for 24k, you can buy the PIX source code... For what?

    You obviously can't sell a product using this stolen code. A company can't exactly buy it and roll their own version.

    So it's really only good if you want to look for bugs in PIX that you can exploit, and since this is being sold by a group of hackers, you can bet that they've already looked for everything possibly exploitable.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  13. oh well by hpavc · · Score: 4, Interesting

    If you follow (or try) the people that can read tcpdump (or simular) logging like plain english and then in turn generate the packets to interact (exploit) what they see. I doubt having pix source code would matter much.

    Also the 'IDS' features of the pix are static and pretty mundane and not tied to the IDS product so i am sure most people know how to get around them.

    --
    members are seeing something, your seeing an ad
  14. Weekend project by lateralus_1024 · · Score: 4, Interesting

    1)Purchase SCC's code: $24k
    2)Purchase Linksys W54G from BestBuy
    2.5) Port SCC code onto W54G.
    3)Resell Modded Linksys W54G to Fry's Electronics
    4)Profit!!!!

    --
    If you think /. comments are bad, check out Digg.
  15. Someone paying 24k by Chuck+Chunder · · Score: 5, Insightful

    Isn't going to start handing it out for free.

    The only real reason to want the code is to find exploitable holes in the software. If you're paying 24k so you can do that you presumably want to use those exploits for a purpose. Releasing the sourcecode and risking exploits becoming public (and then patched) devalues your investment.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:Someone paying 24k by Xerp · · Score: 5, Funny

      Sure. Yes. Pay 24k. Uh-hu. OK. Let me get my PayPal account set up. Ah, I have a buyer... "Leave the money in a brown paper bag STOP Wear a false mustache and a pink carnation STOP Make sure the bills are unmarked STOP Either that, or five copies of that wonderful Microsoft Windows XP will do STOP thank you Mr Ballmer STOP"

  16. Re:Proof open source is better. by schwagner · · Score: 3, Insightful

    There's a big difference between the people who write closed source code and the people who steal other people's work. This really says nothing about the quality of open vs. closed source code, or the people who write either one. It simply restates the fact that there are people out there who will do anything they want for money.

    --
    Where's Gilda Radner when I need her?
  17. Re:Money exchange? by sgant · · Score: 4, Interesting

    I don't think they can. I mean, they might get away with it at the beginning...but time always catches up with them. It may take years, but in the end, they almost always get caught. There are plenty of slow, methodical crime investigators out there that will track them down. Plus, since Cisco is at the heart of this particular scam, don't you think they have a few people working for them that kinda-sorta know how to track things through the Net?

    Of course, there's also the chance they could totally get away with it too...but not likely. Criminals always think they're smarter then the people after them, but they only have to make one mistake to kiss it all goodbye. Or just wait until the statute of limitations is up.

    --

    "Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
  18. Pointless by retro128 · · Score: 3, Insightful

    Anyone who would pay for this would have to be an absolute idiot. First of all there is no guarantee the source code even the real thing. If it isn't as advertised, what are you going to do? Take an anonymous Russian hacking group that you knowingly bought stoken IP from to court? It's like the guy who calls the police and files a report about his pot stash being stolen.

    --
    -R
  19. Details by Rabin+Vincent · · Score: 5, Informative
    The group posted to FullDisclosure that they will post further announcements in alt.gap.international.sales.

    Sure enough, here's the CISCO Pix file listing and the "newsletter".

  20. Not even close by Plasmic · · Score: 5, Insightful

    The value of this intellectual property is not defined by the cut-and-pasteability of source code into a company's product. Certainly, this is not the likely application for any would-be buyers. Instead, knowing how the #1 router company in the world implements stateful packet-filtering on an embedded device is a very worthy piece of knowledge that can be used as a basis for the design of anything that touches a packet.

    In addition, Cisco spends hundreds of thousands of dollars in their support organization identifying hard-to-find interoperability issues and exception cases, testing things out in the lab, and then coding up fixes. All of these real-world experiences and corresponding code work-arounds that impact every other firewall/VPN/routing product on the market are captured in this source code.

    Cisco PIXes have proprietary integration with third-party products, such as IDS systems, content-filtering proxies (e.g. WebSense), etc. This source code surely exposes these APIs, which are covered by Cisco's own NDA with these companies and are coveted by anyone trying to integrate with such closed-source commercial offerings.

    Were it legal, it'd be a bargain!

  21. $24K ...hmm. by SinaSa · · Score: 4, Funny

    I wonder how they work out the values for the source they steal. Is it just based on how long it took them to get it, or do they have a formula like the Ed Norton one in Fight Club?

    --
    --
    The last digit of pi is four.
  22. It's like the mantra goes.... by Anonymous Coward · · Score: 3, Funny

    Information wants to cost 24 thousand dollars!

  23. wow! firewall! by RelliK · · Score: 4, Funny

    pssst, there is another firewall you can download from here for free!!! Can you believe that??? But shhh! keep it quiet or they'll shut down the mirror.

    --
    ___
    If you think big enough, you'll never have to do it.
  24. Here's their newsletter by enosys · · Score: 3, Informative

    Here's the newsletter that they just posted to alt.gap.international.sales.

  25. Use the source Luke.... by kalvyn · · Score: 4, Insightful

    I disagree with the above statement.

    Having the source to even a large program can be incredibly useful. Obtaining the source would lead to a higher level of understanding of the way Pix firewalls work. Knowing exactly how it is coded, being a closed-source product, you would now have the possiblity to have exclusive knowledge to flaws in the code.

    Now, one hacker trying to sort through all of the code by oneself could take a very long while, unless it is well documented. Consider the possiblity that a hacker group acquired it. Say 12 hackers. You could divide it up and find flaws much quicker.

    Given the wide use of Pix firewalls, it could end up being a skeleton key to thousands of corporate networks, assuming of course that it is the real deal.


    All code has at least one bug...
  26. Re:This is a problem for the /. crowd? by Lobo93 · · Score: 3, Funny

    Wanna buy a camo colored, flame resistant suit? Only $699! And you can close it as well; there's a zipper in the back!

    Buy! BUY!!

    --
    "The only clear view is from atop the mountain of our dead selves." - Peter Carroll
  27. Re:This is a problem for the /. crowd? by Orgazmus · · Score: 4, Insightful

    Because willingly opening up source code is not the same as selling stolen code?

    When the source is open(ed), its a great thing.

    This is not!

    --
    The system had the verbosity of HTML combined with all the readability of compiled assembly viewed as bitmap images
  28. firewall? by digifuzz · · Score: 3, Funny

    if someone stole the source then its not a very effective at keeping people out, is it?

    $24KUSD? dont think so.

    --
    http://www.digifuzz.net
  29. Why trust these guys? by Xoo · · Score: 4, Interesting

    From the newsgroup thread...

    The SCC team does not expect you to trust us. To address this problem, we will split up the information into many files and you may purchase each part for a fraction of the total price. As your confidence grows with SCC, you may feel compelled to purchase these parts in bulk. Here is an example:
    We are offering you a ~1 gigabyte compressed file for $10,000. We offer this file in 20 50 megabyte parts at $500 per part (10,000/20). You send us $500, we send you part 1. You send another $500, we send part 2. You choose to send $1000 and we send parts 3 and 4, etc etc. The rate that you purchase pieces is entirely up to you. As your confidence grows, we know that you will choose bigger pieces.
    We also include detailed instructions on how to decrypt and put together the peices, it is a simple process that can be done with any unix computer.


    The problem with this scheme is that critical elements of the source can be intentionally withheld and that those pieces could be sold in all likelihood at a ridiculous amount. I mean if a moronic company actually decided to buy source code from these guys, and they are spending $5,000 on each "piece" of the code, they will want the entire thing. This goes beyond just scamming the software companies... this is almost similar to a Nigerian 419 scam in a way.

    --
    Karma police, arrest this man, he talks in maths....
  30. Re:Better yet, take a cue from Autodesk by Jeremiah+Cornelius · · Score: 4, Insightful
    Maybe we'll finally get a PIX that can enforce bi-directional rules on arbitrary interfaces - and even route traffic!

    Funny! Microsoft had a firewall do this before Cisco! 'Course, they don't have a financial interest in maintaining the distinction that a "Firewall is not a Router".

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  31. What? by Cyberllama · · Score: 3, Funny

    Since when does anyone actually have to STEAL anything to get the SCO to sue them?

  32. Re:This is a problem for the /. crowd? by ViolentGreen · · Score: 3, Insightful

    First, why should source code be closed?

    It is closed because they wrote the code and they have the right to release it as they please. They have to respsct your decision to open your source code and you have to respect theirs to keep theirs closed. It is a product that they sell. If they open the source, they lose much of the capibility to sell it. It's really not that hard to understand.

    --
    Not everything is analogous to cars. Car analogies rarely work.