Possible Cisco Source Code Theft

OmegaBlac writes "According to Ars Technica, a Russian security site is claiming that Cisco's corporate network was comprimised and about 800MB of Cisco's source code for IOS Operating System version 12.3 was stolen. I guess Cisco forgot to implement their own Self Defending Network solutions."

Stolen from the #1 Security Company?

Whats the deal with that!?

if true, this could cause big problems not only for Cisco, but for the entire Internet. Cisco routers are responsible for routing much of the Internet's traffic, and the company has long practiced a policy of "security through obscurity."

We're all screwed.

Re:Stolen from the #1 Security Company?

Cisco is far from the #1 security company. There has been very little emphasis on security at Cisco until the last few years. As would be evident if you have used any of their products. 90% of their products don't come standard with SSH, they all still use telnet. But for an extra fee you can install SSH, that is if you buy enough ram for the router to support that code load...

I think Cisco is working to change their security stance but, that takes time and lots of money. The money part they have covered, Cisco has an over 3 billion dollar R/D budget and if I remember correctly 2 billion of that is focused on security right now.

Closed source vs Open source

One (of the many) problem(s) with the closed source business model is the fact that the entire company can depend on this intellectual property. The security surrounding that source has to be so huge that the problem quickly becomes intractable.

Open source however, by virtue of it being free (as in Iraq hehe), is worthless. Support contracts are alot harder to steal :P

Let's not forget that open source provides robust security (in principle) where as for closed source we can never be sure.

Why do we still use so much closed source stuff :/
Simon.

Re:Open source safer ?? doubtful

Let's not forget that open source provides robust security (in principle) where as for closed source we can never be sure.

Software is only secure when specific security tests are performed against it. Almost no one does much of this, or even understands it well. I doubt that in 1000 readers, more than 5 could recite the top 5, never mind the top 20 tests you must perform.

Open source is also not inherently better at security because of it must be peered reviewed. If the reviewer doesn't know what to check, then what is the point of the review?

Software must be security certified by professionals, whether open or otherwise.

Not just possible, truthful

This did actually happen. A friend in an IRC channel I frequent was pasting large portions of it to show off.

I can't help much see a nearby future full of Cisco-powered site takeovers :(

Oh Really? No.

Seriously, A friend of mine, in an icq conversation told me it wasn't true. Plus my mom said so as well.

Or, to paraphrase...

Seriously, A friend of mine, in an icq conversation told me it wasn't true. Plus my mom said so as well.

Translation: Accept information only from Official Sources(tm).

Any reports, of any event, not vetted by Your Official Corporate Public Relations Officer(tm) isn't real and has no validity.

Do not accept word of mouth. Healthy kepticism is not sufficient (for the facts may speak for themselves and undermine Our Official Position(tm)); you are to ignore any anectdotes, any word of mouth reporting, completely and utterly.

Indeed, you shall respond to any unofficial information with disparagement and hostility, as is your duty as a drone Consumer(tm).

Accept the Party Line. It is the Truth(tm), all else is Heresy.

Thank you.

Your Cisco Security.
("Stooges R Us")

Full text translation

CiSCO IOS?
SecurityLab, 13 2004 CISCO IOS 12.3, 12.3t, CISCO. 800 .

, - Cisco System. Cisco System .

franz #darknet@EFnet IRC ( 2.5 ) .

100 ipv6_tcp.c ipv6_discovery_test.c.

Hope that helps!

Re:Full text translation

I don't know who moderated parent as Informative (hint: use +1 Funny)

Here is word-to-word translation (english is not my mother tongue):

• As SecurityLabz was informed, in May 13, 2004 all source code of Cisco IOS 12.3, 12.3t was stolen. Cisco IOS is used in most Cisco network products. Full size of the stolen information is about 800 MBytes archived.

• Source code leak was made possible because of Cisco's corporate network compromise. Cisco gave no official comments yet.

  Someone known as franz at IRC channel #darknet@EFnet showed a small part of stolen code as the proof.

  First 100 lines of source file ipv6_tcp.c and ipv6_discovery_test.c is listed below.

wouldn't surprise me

I've worked there as a temp in 2000-2001 and the corporate network resources sure didn't seem to be that well protected... But I won't elaborate.

Thank God ..

I use windows RRAS as my router and not the damned (potentially) insecure Cisco kit ;-)

IOS OS

What kind of OS is this? Embedded I would assume. If not, what kinds of things can we do with it now that it's in the open, assuming one were to get a copy?

Re:IOS OS

Don't touch it, don't see it, don't breathe near it, if you ever plan on contributing to linux.

Leaked code is very dangerous to open source software.

Re:IOS OS

Surely that's only the case if being covered by software patents... which I think the general consensus in the Linux devlopment world is that's a Bad Thing(tm). Whether they will apply in Europe is still being discussed.

Copyright-protected code is obviously not allowed, but as long as there's a way of implementing the same thing in a different manner (always assuming that European s/w patents don't get ratified) I fail to see any issue in understanding how some other piece of software works.

The whole SCO debacle has done more than just piss everyone off, there's been a remarkable amount of reticence to learn from code that isn't Free. By that very logic authors shouldn't be allowed to read books and composers should be banned from listening to music.

--
This has been a scatterbrained post on behalf of the Poorly Thougt-out Argument Party

Stolen...?

How can the source code be stolen, when Cisco still has it?

Re:Stolen...?

ah, wait a sec (while i fetch me textbook of /. answers).. yes... i see, "it was not stolen... it was copy-right in-fringe-ment".. how was that? :)

Re:Stolen...?

How can the source code be stolen, when Cisco still has it?

How can you have identity theft if you are still you?

Phillip.

This has happened before

IOS 11.3 source is definitely in the wild - I think there is a copy of it around here somewhere. I've contacted Cisco on it and they're so excited they can't even get someone from law enforcement to come and talk to me about the information on the guy who sent it to me.

11.3 is ancient history, but 12.3 is bad bad bad ... this means new Cisco exploits as people comb through the code :-( Time to go unplug your internet connection until 12.4 is released ...

Re:This has happened before

Good luck. Where I work we legally have access to Cisco IOS, although we're very strict and only a handful of engineers have the permissions to access it (me being one of them). The code is very clean and when I've browsed it looking to see if there's any exploits, I have thus far come up empty. The code does not look like the Microsoft code I've seen, which tends to be overly complex IMO. That's not to say we don't find bugs in Cisco's code, but generally it's very high quality.

Time for a new motto

Slashdot: Read [slashdot.org] today's [slashdot.org] ArsTechnica [slashdot.org] tomorrow! [slashdot.org]

Re:Time for a new motto

How about, " The next Slashdot story will be ready soon, but readers of ArsTechnica can beat the rush and see it early!"

WARNING copyrighted source samples ahead!

The rusian site contains samples of the source claimed stolen!

If these are authentic (which I personally begin to doubth more and more) then looking at them may be problematic if you ever intend on working on IPV6 stacks from someone else then cisco. (OpenBSD?)

Now I did have a peek at that code and I can tell it looks very fake (Obiously *don`t* take my word for it and think its safe to ignore my warning!)

• They are attributed to only one coder per file.
• It isn`t indented (intentional obscurity?)
• there are way to specific includes that dont make much sence (dothis.h)
• I have a feeling there are includes missing
• I spotted a printf, which seams odd for an IPV6 stack or part of an OS
• I cant see any working logic, and I cant see how the code is supposed to do what the (short and very simple) comments claim it does.
• It looks like there are many syntax errors but without a compiler, the preprocessor directives and identation it is hard to tell.

Also at the forum of the .ru site there is a post from someone who claim the word on the IRC channel on which the story originates is that this is a fake.... But I am not touching that channel.

Re:WARNING copyrighted source samples ahead!

Yeah, I'd like to believe you, but I've seen people get away with murder in source code before. Open source coders worry a lot more about things like indentation, and filenames that make sense. In closed source shops, a lot of times what is quickly coded as a prototype becomes the shipping product, and things like indent cant be used because it breaks diffs. As much as I'd like to look with my own eyes, this sounds like one of the things it would be best if I just ignored it.

Rumour has it ...

... that their remote access software had a default username/password built in that couldn't be disabled. A high-level Ciso executive has threatened to sue the software providers for including such a stupid 'feature' [slashdot.org] in their product

May not lead to anything

This is one of the companys that helpped make the Internet what it is today.
(I'm not talking about spam, trolls or worms)

They have the experence to know what can or can not happen.
Sure they use obscurity but I doupt they believe it to be a sereous security layor. Instead they probably have experts pooring over ios every day.

It is possable to have "Many Eyes" while remaining closed. Just have many expert eyes constantly on the code instead of many more untrainned eyes occasionally disecting the code.

It's expensive so don't expect it to happen too often.
Microsoft delutes itself into thinking that is what they have with a team of programmers working on the code. But in reality the only people who actually see the code is the original coder and a code verifier. Just two people for every segment of code.

But I would guess Cisco uses the expensive version of Many eyes that we get for free in open source.

Re:May not lead to anything

"Instead they probably have experts pooring over ios every day."

Unfortunately those experts are figuring out how to draw the release structure diagram and name the branches. I don't think cisco engineers have time to work on new code, there's too much old code to figure out.

Other vendors

What about other companies that supply cisco with software?

This could hurt more than just cisco.

Settle down...

This reminds me of the buzz that surrounded MS's source code theft/leak. There are a couple of different things being discussed here.

First there are the security implications. Having the source out there for all to see isn't the endgame for the internet people, with MS people thought it was a big issue because their code is, well... crappy. I don't think this is true with Cisco, and unless there are some very obvious and very damaging security holes the internet will live to see another day, so all you doomsayers out there screaming that the world is coming to an end... settle down.

It does highlight once again the shortcomings of a security through obscurity model, but let's not go down that road again.

The second thing, which is where the story really lies, is how this could have happened. It's Cisco after all, how could their network be compromised? Probably someone there really dropped the ball. Any specifics on how this happened?

Heh...

Let's not forget that open source provides robust security (in principle) where as for closed source we can never be sure.

Why do we still use so much closed source stuff :/

SO, if you don't like it, you go out and make an OS for the Cisco routers and put it out for free - go ahead, no one is stopping you. Or go out and try and convince everyone to use your little Linux boxes as routers...oh, wait, there's just as many security issues in Linux as there are in Windows..

But wait, there's more! With IOS, there's a small set of software that can cause trouble. Using something else, esp based on Linux, can cause even more problems - they can gain access by any other means, shutdown or change some OTHER critical system, and it shutdown the routing...Use your frickin head.

Impact on Undocumented commands? (project DOTU)

Cisco's IOS is full of uncdomented commands. An old list is available on my site
http://boerland.com/dotu [boerland.com].

So opening the code might reveal more undocumented commands.

(btw: I will migrated this data towards a real CMS as hosted at home; http://willy.boerland.com/myblog [boerland.com].)

At least the name of the programmer matches...

A quick google search on 'Ole Troan' leads to Cisco Systems, Inc. 250 Longwater Avenue Reading RG2 6GB United Kingdom If this is a fake, then at least these Russians did their homework. :-)

Theft? Wasnt there a backup?

You would think that a company as large as CISCO would have had a backup.

I cant belive it was 'stolen' from them.

Yes that was sarcasm. Just pisses me off how the world 'theft' is perversed when it comes to digital content.

They COPIED it people. It wasnt STOLEN. ( yes, still illegal, but much different of a concept )

The Internet Doesn't Run On Cisco

As anyone who works for an ISP of any size and importance will tell you, Cisco routers don't do much when it comes to the big, hard-core routing that takes place at the NAPs or even at aggregation points. Their products have historically not been up to par for the high-end demands in these environments.

If a Juniper bug comes out, then it's time to be concerned about pieces of the Internet falling off. But then this is mitigated because there are relatively few aggregation points that can be upgraded hopefully quickly.

Sure, a large Cisco IOS bug will hit mom and pop and small to medium business, but the big boys just don't use Cisco.

Not as serious as it sounds..

Of course, I'm not going to downplay the effects this could have for Cisco and in the long run for possibly tainted opensource projects.. The comments in here speak for themselves that people can't keep their hands off the source-code.

I've seen the 12.3 sourcecode before, under NDA, and several institutions outside of Cisco has legal access to it. Several universities, most of the larger security-firms such as ISS and whatnot have had access to it for years. So it's been combed through pretty well before. Sure there might be an odd exploit released from this source, but I don't count it as very probable, and certainly not as a threat to internet stability.

Thats not all it does.

"I guess Cisco forgot to implement their own Self Defending Network solutions"

No they did implement it. But when it found out that it was outnumbered by the hackers, the self-surrender module(also know as the french module) went into effect.

This really means nothing.

Cisco had already announced a few weeks ago that version 13 of IOS was coming out and in June they were going to dump IOS fully for a totally new os for their routers that was going to be pluggable and more secure

http://news.com.com/2100-1033_3-5210745.html

China?

There is a good chance that this leak came from one of the 'partners' in china that Cisco uses.

China doesn't have the same regard for foreign IP that the USA does.

Hardware architecture more important

IOS source code is no big deal. It's Cisco's hardware implementation and architecture that is the real interesting part. At least for the core router functionality. Some fringe aspects would be interesting to study, but it's not really that critical.

Makes perfect sense to me.

One thing you learn in the IT industry real quick is the cobbler's sons are the last shod.

Windows Kernel Leaked too

On a side note, everyone on IRC/Bittorrent seems to be excited about a new leak of the NT Source Code, this time only the Kernel. Found a screenshot here: http://members.tripod.com/WinAlOS/Screenshot/sourc e.jpg
It's on SuprNova and TorrentReactor...

800 Megs

Wow, that OS must have a teeny footprint, at a mere 800 Megs for the source code!

damn dude...

I'm working for my CCNA, and this crap keeps happening? hell we learn how to make sure events like this dont happen.

the source code should have been on a server on a separate subnet than the rest of the network, or on its own private network that has no access to the internet..

putting internet access to anything is a sure fire way of getting hacked at one point or the other. so if you have really sensitive data, NEVER put it on a network that's connected to the net.
it's like having a screen door on a vault filled with raw meat with a hungry bear on the other side.

If this were true...

... and I haven't a clue, quite frankly, it does present an interesting conundrum.

Cisco's software has been one-plussed and customised so many times to meet (perceived) marketing necessities that it is very hard to maintain - because so many distinct variants (often specific to a customer) are live in the field.

On the one hand, this makes for a certain amount of reslience to attack, since there is not quite the monoculture that might at first appear. On the other hand, if there are exploits in code which is common across the many variants, there is no straightforward way of issuing a patch, since so many different special builds would be required.

Although cisco have had some recent success in controlling their proliferating IOS code base, they've had several attempts at a unifying "next gen" architecture and it always so far seems to have eluded them.

This is always the crunch for "entrenched" systems suppliers: how do you keep your existing customers happy and innovate at the same time.

Maybe having the code on sourceforge wouldn't be such a bad idea...

Not surprised at all when...

...IOS is as expensive as it is, not as so much as money, but more of it the idea of having to go as far as selling your soul to them to get it (read: contracts that have the threat of taking away the security of your network). Given the situation, I'm very glad this happened - since I'd not mind taking a good look at this myself.

800 MB of source code?!

To put that 800MB number in perspective...

$ uname -rs
FreeBSD 4.9-RELEASE
$ du -sk /usr/src
385392 /usr/src

So if they snagged 800MB of code it's hard to believe that they didn't get everything including years of revisions.

Juniper / KAME comments

Did somebody grep for "Juniper coders are weenies?"

write-only code

its the only solution to security of source. write-only code. aka, write-once, read never. or, more accurately, write-once, read-never, execute-only.

with this approach there is NEVER a chance that your IP can be taken. it just can't.

(this has nothing to do with c++. while its true that c++ is a KIND of write-only language, this isn't the one I was referring to).

Code should be posted

I hope in a sick way, that the cisco code or its analysis is posted somewhere online. People can then compile it for x86 machines under Linux/BSD/someother crap to turn it into a high-performance cisco router.

I know Linux has its own routing tools, but the IOS has more features and too many net admins are used to its syntax. zebra is a nice attempt at cloning IOS, which itself is far more advanced.

Re:rah rah rah you scumbags

Darl??