Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Router Hack Inspires New Patching Religion

Posted by timothy on from the which-wire-to-cut-first? dept.

ancientribe writes "The dirty little secret about patching routers is that many enterprises don't bother — for fear of the fallout any changes to their Cisco router software could have on the rest of their infrastructure. But the recent discovery of a way to easily hack these devices has put pressure on organizations to change their ways and patch. This article in Dark Reading gives tips on how to patch without taking down the network, including input from Cisco's own director of IT on how Cisco itself handles router patching."

48 comments

  1. Re:Obama Policies Will Bankrupt USA Tsarkon Report by Anonymous Coward · · Score: 1, Funny

    I'll invoke Spock on this one:
    "Fascinating."

  2. Crap by Anonymous Coward · · Score: 2, Interesting

    Hope my boss doesn't hear of this and ask me how we're doing on patching the routing equipment. It's always a nervous wait as the stuff comes back up, we tend to block things at the perimeter and via ACLs.

    1. Re:Crap by Anonymous Coward · · Score: 0

      cisco is a real pita for upgrades - and they make you pay. I avoid them if at all possible.

  3. Guidelines = Religion? by Anonymous Coward · · Score: 1, Insightful

    I suppose that's all religions really are, a loose set of beliefs, policies, and procedures that should be followed to make the world a better place.

    1. Re:Guidelines = Religion? by rthille · · Score: 1, Troll

      ^better^worse

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    2. Re:Guidelines = Religion? by cromar · · Score: 0, Offtopic

      Perhaps that's an attempt at humor, but you know, it's getting pretty trite either way :\

      Religion has done humanity a lot of good, however true you take its various forms. Sure it's done us a lot of bad too, but such is life. Science has certainly done us a lot of harm, as well as the good we tech-minded people usually prefer to look at. Give people a break. We're all trying ot make it in the world, and "faith" does help a lot of people cope. Hell, I'll go so far as to say that religion serves most people better in making their way in the world than all the over-prescribed anti-depressants, etc. Still, liquors the best solution ;-)

    3. Re:Guidelines = Religion? by Anonymous Coward · · Score: 1, Insightful

      Cute,
      Shall we apply all of the horrors that Atheists have committed to all Atheists as well?

      No, I didn't think so. Try not to confuse the horrors of what people have done in the name of $foo with $foo itself.

      Normally I would ignore it, but your sig shows that you're not a troll but you actually believe it.

    4. Re:Guidelines = Religion? by Anonymous Coward · · Score: 1, Insightful

      In the bible it says: 'Do unto others as you would have done to you'.

      If you judge Christians by how they fare in following this rule, then no true Christian has ever committed an atrocity.

      Oh, there are a lot of people who *say* they are Christians, sure, there are also a lot of people who *claim* to be atheists.

    5. Re:Guidelines = Religion? by rthille · · Score: 1

      If you judge Christians by that rule, there _are_ no "true christians", they're like "true scotsmen"
      http://en.wikipedia.org/wiki/No_true_Scotsman

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    6. Re:Guidelines = Religion? by drsmithy · · Score: 2, Funny

      Shall we apply all of the horrors that Atheists have committed to all Atheists as well?

      How many of them were done in the name of Atheism ?

    7. Re:Guidelines = Religion? by gad_zuki! · · Score: 2, Informative

      >Hell, I'll go so far as to say that religion serves most people better in making their way in the world than all the over-prescribed anti-depressants, etc.

      Whenever I see a defense of religion I see an attack on psychiatry. I think people who are clinging to beliefs out of desperation and ignorance as opposed to choice and for betterment are truly threatened by the fact the therapy has become a secular "religion." You can learn to cope without belief in the invisible man in the sky. The fact that secular people are doing this and that it works is threatening their worldview, thus the jabs at SSRIs (which truly help people) and other childish attacks.

    8. Re:Guidelines = Religion? by Anonymous Coward · · Score: 0

      The bible is pretty clear on this:

      ââoeYou shall love the Lord your God with all your heart, and with all your soul, and with all your mind.â This is the greatest and first commandment. And a second is like it: âoeYou shall love your neighbor as yourself.â On these two commandments hang all the law and the prophets.â(TM)

      So it's pretty explicit that to be a Christian, you have to do the 'love your neighbor' bit.

      The two cases in the Wiki article are for cases where something could be disputed. There are hundreds of things to do with Christianity where that applies, but I think loving your neighbor does preclude atrocities.

    9. Re:Guidelines = Religion? by cromar · · Score: 0, Offtopic

      Well, you may be right in some cases, although here I have been "let down" by both religion and Prozac. Basically my point is that changing the way one thinks about one's life is a much better cure in most cases than are the common anti-depressants (which it is hard to argue aren't over-prescribed). I'm glad the medications are there for the people that need them, but I know in my case a good, swift kick in the ass would have helped me more than the Prozac my psychiatrist prescribed me. (I knew something was off when I decided that it was better for my life to skip class and sit on a park bench for hours a day - sure it made me happier, but it couldn't have lasted - I wouldn't even have been able to afford the medications if I took that path!)

      We all deal in different ways; most religious people are not extremists or fundamentalists - they are able to draw strength from the ritual and community that their church provides. I truly believe it something that needs to be discussed without resorting to the facile argument of "religion bad, science good." Any thoughts? Seriously, I enjoy these discussions :-)

    10. Re:Guidelines = Religion? by Anonymous Coward · · Score: 1

      I think you guys need to go watch religious. http://www.imdb.com/title/tt0815241/

    11. Re:Guidelines = Religion? by Anonymous Coward · · Score: 0

      Shall we apply all of the horrors that Atheists have committed to all Atheists as well?

      How many of them were done in the name of Atheism ?

      Some of the worst ones were committed in the name of an ideal which includes atheism as one of its tenets. Do you really need them listed for you?

    12. Re:Guidelines = Religion? by Anonymous Coward · · Score: 0

      liquors the best solution

      "liquor's".

    13. Re:Guidelines = Religion? by Jedi+Alec · · Score: 1

      I'm glad the medications are there for the people that need them, but I know in my case a good, swift kick in the ass would have helped me more than the Prozac my psychiatrist prescribed me.

      When I was a lot younger, I visited a psychologist together with my mom. The guy actually prescribed, on paper, the occasional swift kick in the ass.

      Now, 15 years and a lot of experience later, I simply can't get over how right the good man was.

      --

      People replying to my sig annoy me. That's why I change it all the time.
    14. Re:Guidelines = Religion? by neomunk · · Score: 2, Insightful

      Lessee... Yeah, I think this is appropriate...

      In Soviet Russia, religion denies YOU!

    15. Re:Guidelines = Religion? by Anonymous Coward · · Score: 0

      ...and so cue the biblical cherry-picking.

      So it's pretty explicit that to be a Christian, you have to do the 'love your neighbor' bit.

      No, not really. You've given one quote. There is no shortage of contradictory ones.
      "This is the greatest and first commandment" doesn't cut it when your Bible explicitly instructs you to kill homosexuals.

    16. Re:Guidelines = Religion? by blueskies · · Score: 1

      Anything that gives you happiness by providing you with fairy tales is harmful in large doses. The fact that religion doesn't match up with reality is the problem.

      Science can and must change in response to reality, where as religion is just arbitrary rules.

      If you think anti-depressants are over-prescribed just think how much religion is over-prescribed.

    17. Re:Guidelines = Religion? by cromar · · Score: 1

      Anything that gives you happiness by providing you with fairy tales is harmful in large doses

      You can say that, but it doesn't make it true ;-) Why exactly? How is it harmful? If you are happy, and, say volunteering and giving to charity, what is wrong with your life? Sounds to me like you would be a pretty good person. It's not the only way to be a good person or a happy person; being good and/or happy really doesn't correlate with one's understanding of abstract scientific principles...

      If you think anti-depressants are over-prescribed just think how much religion is over-prescribed.

      Luckily for most everyone in the developed world, we do not have to listen to our doctors or pastors, and many choose not to. The only real problem comes from being forced to believe something you don't or being forced to take psychoactive medicines.

    18. Re:Guidelines = Religion? by blueskies · · Score: 1

      You can say that, but it doesn't make it true ;-) Why exactly? How is it harmful? If you are happy, and, say volunteering and giving to charity, what is wrong with your life?

      Well, for one the cancer in your testicle isn't getting cured by praying. Your pastor tells you that God will cure you and this is a test of faith. On one hand there is fairy tale and the other reality. Reality always wins in the end.

      we do not have to listen to our doctors or pastors, and many choose not to.

      Try, but only one of those will use psychological guilt trips and family to pressure you into thinking you don't have a choice. Only one of those will care if you get a second opinion.

    19. Re:Guidelines = Religion? by cromar · · Score: 1

      Your pastor tells you that God will cure you and this is a test of faith.

      See, you are over generalizing. Most religious people do not belong to cults that don't believe in medicine. Most religious people are not fundamentalists, extremists, or zealots.

      only one of those will use psychological guilt trips and family to pressure you into thinking you don't have a choice

      While that, I imagine, would happen more often in a religious setting, at least now a days, it is just untrue to say that guilt trips or worse have never been applied to people for disagreeing with their doctors - in fact, psych wards until recently have been known as frightening places - that one can't leave of one's own free will - imprisoning people and subjecting them to electro-shock, experimental drugs, and other abuses simply because it was considered "abnormal/insane" to use drugs other than alcohol or to be homosexual or to be a radical, etc., etc., etc. Hell, they used to prescribe amphetamine as a diet pill. It almost seems like you consider medicine/psychiatry infallible, which it is certainly and very obviously not. Going to the hospital is the third leading cause of death in America!

      Furthermore, there's nothing wrong with your family being concerned for you; if they believe it will harm you to leave their church, why wouldn't they try to persuade you to stay? People do what they feel is Right, and that's only a problem when they start forcing that view on other people.

      Reality always wins in the end.

      So why not enjoy it and create Good in the world, instead of worrying about the ways other people try to enjoy life and create Good in the world :-) There is this very popular false dichotomy between science and religion, reason and faith, which just isn't there when you look at the way people live their lives and the actual roles of science and religion in society.

    20. Re:Guidelines = Religion? by blueskies · · Score: 1

      See, you are over generalizing. Most religious people do not belong to cults that don't believe in medicine. Most religious people are not fundamentalists, extremists, or zealots.

      Actually, i didn't generalize at all. I gave an example. Now I'll generalize: the more fairy tales people believe in the greater the chance of it leading to harm. So just because you can tell me most people don't drown swimming where there isn't a lifeguard doesn't mean it is not dangerous swimming in the ocean without a lifeguard present. You are just talking about a difference in scale.

      in fact, psych wards until recently have been known as frightening places

      I think you just stumbled upon my point. Science has a feature for assimilating better representations of reality--religion does not or at least it does not have a formalized deterministic way of assimilating change. If the religion says the earth is 6000 years old--it can't change.

      Look at traditional Judaism. Check out the rules of things you aren't allowed to do on their sabbath. Including driving to worship--you better be walking to Temple.

      instead of worrying about the ways other people try to enjoy life

      I don't care except where they are determined to stop me from doing the things i want to do. Like when Texas decides to stop teaching real science in classrooms.

    21. Re:Guidelines = Religion? by cromar · · Score: 1

      the more fairy tales people believe in the greater the chance of it leading to harm

      Yes, you said that before. It's not particularly true. Not everyone is even going to have the aptitude, let alone the need, to look at things logically beyond day-to-day concerns. Why should they? It has little bearing on the basic things that are important in day-to-day life. In other words, not everyone is a mathematician, engineer, or theorist, and we tech-minded people shouldn't try to force our methods and processes of life and perception on them, just as they should not force their methods and processes on us!

      Humanity will always have leaders. Leaders have always exploited those they lead. It is no different with science. It can just as easily be bent towards corrupt goals as religion can, or for that matter sports, wealth, comfort, etc. Most religious people could give a shit about how old the Earth is. It's when their leaders have stake in that claim for political reasons that it becomes an issue. Especially when the followers of reason tell them they are stupid for having faith. I am convinced that what needs to be made clear to religious people is that, like you say, science comes up with the best explanation given the facts at hand and by testing observations. We should be making it clear to religious people that to simply brush these observations away at a whim is intellectually dishonest. We need to make it clear to them that we believe in their freedom of religion - and we truly should believe that. We need to make it clear to them that censoring science is an insult to their faith. If there faith is so weak it cannot stand to reason, it is no faith at all (in the sense that if the Earth were 6000 years old, their higher power could make millions of years of geological processes happen in 6 days by speeding up time or something, higher powers are supposed to be all powerful right?).

      Check out the rules of things you aren't allowed to do on their sabbath. Including driving to worship--you better be walking to Temple.

      And yet, Judaism has enriched many peoples' lives and still does. I do take your point however, with Texas and the like. In fact, it is a good example of religious people demonizing science. What we need less of is demonization - that's my point. Humanity has a lot of problems. Worries about people believing in "fairy tales" or about the "moral baselessness" of science are both counterproductive and divisive.

    22. Re:Guidelines = Religion? by Anonymous Coward · · Score: 0

      There are a lot of religious morons modding down anti-religion comments today.

      Q: Why was baby Jesus born in a manger?
      A: Because the "virgin" Mary didn't want to be away from the horse she was fucking.

      more trivia: Baby jesus was born with a black eye for some odd reason.

      But to be serious, the masses of religious morons are cause for concern. They propogate like vermin and even scientologists are a joke compared to the vast conspiracies of crooked Catholics, Mormons^W morons, and Jews who are in the highest levels of our legal system and government agencies.

      Judges and FBI in particular are mostly Catholic. Crazy religious fuckers have no qualms about doing their god's work(clandestine elimination of "undesirables") in the name of their "values" which are based on poorly-written, plot loophole-ridden epic poems about omnipotent manic-depressives whose "love" is the envy of even the most twisted, sadistic inner-party nazi working in a room 101 of a fictional windowless ministry.

      Religion == madness. Wake the fuck up, people!

    23. Re:Guidelines = Religion? by rthille · · Score: 1

      liquors the best solution

      "liquor's".

      liquors are the best solution.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  4. Not fear, just a respect for reality by Glendale2x · · Score: 5, Insightful

    Fear? What the hell? It's well known that infrastructure collapsing bugs are frequently introduced. Some trains of IOS have a horrible reputation depending on your platform. And playing in T train land? Good luck with that game of Russian roulette.

    --
    this is my sig
    1. Re:Not fear, just a respect for reality by Em+Emalb · · Score: 1

      Parent poster nailed it.

      Even the Russian judge gave him a 9.75.

      If I had points, I'd mod you up. I can't count the number of times we upgraded to a newer rev to fix a bug or security flaw only to find that 3 other things broke during the process.

      Upgrading code on a Cisco device is a crap-shoot sometimes.

      --
      Sent from your iPad.
    2. Re:Not fear, just a respect for reality by dave562 · · Score: 2, Insightful

      This has been my experience as well. Cisco hardware seems to be rock solid once you get it configured. However it often times falls into the, "If it ain't broke, don't even think about fucking touching it." mentality.

    3. Re:Not fear, just a respect for reality by MarcQuadra · · Score: 1

      Yes, but I've worked many places where they let the software fall so far behind that the admins have -absolutely- no idea what would happen if they upgraded to a recent bugfix release. It might be scary re-flashing your switches and routers on an incremental basis, but I've been shot down on major important upgrades because we had configs that haven't been altered in five years!

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    4. Re:Not fear, just a respect for reality by AgentPhunk · · Score: 1

      Well that's your own fault, for not reading the release notes on the new revision, and checking to see if there are any Open Issues that affect your particular config. If you're really lazy you can open a TAC case and have one of their front line guys do it for you.

      I've been running 12.4T since 12.4.2T2, on over 100 routers, with complex BGP, DMVPN, and QoS configs, with no problem. No problem because I made sure I wasn't going to get hit with a known bug, but yes, I'll agree that there are usually quite a few known bugs in any given release.

    5. Re:Not fear, just a respect for reality by Em+Emalb · · Score: 1

      Wow, arrogant much?

      I'm talking about basically having no recourse but upgrade to a different rev to fix an exiting issue that is caused by a software bug that breaks a couple other things. It's a damned if you do, damned if you don't situation.

      A lot of the time you're forced to upgrade because the bug you're dealing with is affecting a mission critical app (VOIP, for example, PSTN calls randomly failing is a good one) and the resolution breaks something else.

      This is my job. I've been doing it for years. To say I'm not reading the release notes is not only missing the point but also wrong.

      --
      Sent from your iPad.
  5. Assorted routers or not assorted routers? by Applekid · · Score: 1

    TFA:

    Researcher Felix "FX" Lindner's research earlier this year demonstrated that multiple versions of routers can be attacked -- specifically, Cisco's PowerPC routers -- shooting down the assumption that hacking routers requires separate exploits for each type of router.

    Oh, wow, so, it doesn't matter that your infrastructure has a mish-mash of routers because they can easily attack them all in the same way? FFFFFFUUUUUUU---

    The idea that the variability of router platforms would defend you from an attacker is false. All versions have something in common [in this research], and this is not just in theory, but FX demonstrated it and used it to exploit all [PowerPC IOS] versions."

    Er, wait, so, you "demonstrated" by testing it all on one specific line of routers? How is that any kind of proof?

    I smell Cisco astroturfing to make having to patch routers sound like it's important for everyone's routers and not just theirs.

    --
    More Twoson than Cupertino
    1. Re:Assorted routers or not assorted routers? by Effugas · · Score: 1

      What FX has shown is that each hardware line tends to have enough in common that exploits can be built independent of the individual version of software deployed on that piece of hardware. That's a decrease in variability of at least a couple orders of magnitude.

  6. I really don't get this by Profane+MuthaFucka · · Score: 1

    What is a patching religion? And why are Cisco people susceptible to such idiocy? Can't they leave such thinking to the Republicans?

    Can anyone help me fan this little fire I've started?

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    1. Re:I really don't get this by doas777 · · Score: 1

      well, patching is generally accepted as rule 2 in running a secure system.
      rule 1 is "Test Test Test".
      I often find that people who have big troubles with rule 2, have the same troubles with rule 1.

  7. SLA? by doas777 · · Score: 5, Insightful

    if they want me to patch my router, then they should give me the patch for free, don't you think?

    1. Re:SLA? by mikkelm · · Score: 3, Informative

      They do. You'll able to use every minor release in your release train free of charge, and they'll be developed for your platform until the product reaches end of life. You don't pay for patches.

    2. Re:SLA? by Anonymous Coward · · Score: 0

      I spent 250K on Cisco equipment 10 years ago. I was surprised to find out that I didn't qualify for free patches, even the security ones. Then when I get access to the patches I find out what an incredible nightmare it is to patch their stuff. We recently constructed and moved into a new building. I made sure we didn't use a single Cisco product (and things work great).

    3. Re:SLA? by gth-au · · Score: 1

      You're right, downloading patches from Cisco is such a pain with their registration requirements. Better to Google the filename and grab the IOS (the version you think you need) from whatever 3rd party has stuck it on their ad-supported page, right? After all, nobody would put malware in a router update, surely...

  8. getting the patches is the problem by Anonymous Coward · · Score: 1, Insightful

    The dirty little secret about patching routers is that you can't just download the damned things. Why do I need to be certified and SLA'ed 3 ways round, or go to some third party, just to get it ?

    up yours Cisco !

    1. Re:getting the patches is the problem by amorsen · · Score: 2, Informative

      If you manage to get hold of the actual Cisco vulnerability statement, it contains information about how to request a patched version even if you don't have a service contract.

      --
      Finally! A year of moderation! Ready for 2019?
  9. Not unreasonable... by Anonymous Coward · · Score: 0

    Sounds a lot like Cisco does (and would like you to do) is have a lab with duplicate hardware to test with and roll out system by system.

    I'm not a proper sysadmin, but this seems completely reasonable to me, until you look at what their hardware costs. But then I work for a not-for-profit.

  10. Re:SLA? - They do. by Anonymous Coward · · Score: 2, Informative

    If there is a security vulnerability in your IOS, call Cisco, say you have no support contract and they will give you the latest patch at your release level for nothing (or an upgraded release if there is no patch at your level).

  11. after reading Cisco's take by freemti · · Score: 1

    test it in the lab eh? Yeah right.... Gone are the days when even largish companies have a lab that even looks vaguely like what they actually have running or the staff to run and maintain one. At best its some creaking old collection of cast off routers & switches