The Russian security site securitylab.ru reported that the source code of the CISCO IOS 12.3, 12.3t operating system has probably been stolen. The leak of Cisco’s source code for its latest network devices will not result in a large number of discovered vulnerabilities, security experts said.
Haha!
I gotta say, though, that this is one of the big benefits of using open source.
First, it is discovered that Cisco have a ‘backdoor’ in all of their routers, and now with this source code leak. Only in a closed source environment would a code leak mean security issues.
Somehow, I don’t think Cisco are what they used to be.
Ok, this appears to be wishful thinking. Name one piece of software that does not have a bug in it. Now with some of the source code in the open it is all a matter of time and manpower to find a hole/bug/crack somewhere. Sure it might not be major but what if it is?
The article states that compiling the source code requires specialist hardware which is difficult to get hold of. Fair enough, but I’m not sure why they would need to be able to compile the code in order to be able to spot vulnerabilities in it. This sounds utterly bogus to me.
Also, what’s with the “If you have the Windows source code, you can build it on your PC at home” statement? I wasn’t aware that the *complete* Windows source code had been leaked. Does anyone have a reference, or is Johannes Ullrich just spouting garbage?
So basically their entire argument is that because when a fraction of the Windows source code was released it didn’t lead to lots of major known exploits? Can you say Apples and Oranges? First of all the cracker supposedly has the entire source code base for IOS. You can not in any way compare that to the Windows code leak which isn’t nearly on the same scale.
Sorry but this smacks of “experts” being paid off to reassure investors and Cisco hardware buyers that “Everything is OK”. I have no idea what will eventually happen and personally I hope nothing bad does, but this Don’t worry be happy bulls**t just doesn’t cut it for anyone with half a brain.
Johannes Ullrich, chief technology officer of the Internet Storm Center:
“If you have the Windows source code, you can build it on your PC at home, where the Cisco code needs specialised hardware, so most people aren’t going to be able to compile the files.”
Why would you need to compile the source code to check for vulnerabilities? Obviously a stupid remark.
ciscoboy : huwaaah! help nanny bad men are gonna get me
corporatenanny : no they won’t they can’t compile your code
“First, it is discovered that Cisco have a ‘backdoor’ in all of their routers, and now with this source code leak. Only in a closed source environment would a code leak mean security issues”
It is common knowledge that Cisco gear has backdoors but yet there hasn’t been a plague of router hacks. I am assuming you are referring to something else?
Secondly, people have been finding bugs/vulnerabilities in routing software for some time now and the internet hasn’t come crashing down yet (IOS, JunOS, Zebra, you name it).
And of course we have our obligatory “Well if it was open sourced….”. Pure B.S. Linux, the darling of the OSS world, happens to be riddled with vulnerabilities. Then you have OSS such as OpenBSD which has not had a vulnerability worth mentioning in the last several years…so please just stop it. It is not a question of whether it is open, but how and the reasons behind the way the software was developed.
“””
And of course we have our obligatory “Well if it was open sourced….”. Pure B.S. Linux, the darling of the OSS world, happens to be riddled with vulnerabilities. Then you have OSS such as OpenBSD which has not had a vulnerability worth mentioning in the last several years…so please just stop it. It is not a question of whether it is open, but how and the reasons behind the way the software was developed.
“””
You missed the point. If it was open source, then, unlike in the closed source model, a source code leak wouldn’t have been the end of the world.
Obviously, not everything open source immediately becomes more secure, but it does solve the two problems that Cisco have had recently.
The backdoor I was referring to is:
http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.sht…
Also, how do you know there haven’t been any router hacks? Just because you didn’t hear about them doesn’t mean that some routers were switched to backup router, or how much sysadmins had to work to deal with these issues. If there was a serious hack, you probably won’t hear about it.
This is beyond bugs. I am not talking about a small bug. I am talking about how people get hyped up because the source code leaked. Any type of ‘simple’ bug you can find with the source code leaked would probably not be in an open sourced product. (Obviously it depends on the product, and it doesn’t mean that there can’t be any more ‘serious’ bugs.)
I am not saying that open source is the end all to software, but that the two big issues that Cisco has had recently would not have happened had it been an open source product. There are obviously many more negatives and positives that I chose to ignore (like, could Cisco be where they are today had they been open source, etc…), but I didn’t touch that.
P.S. How many remote root exploits are there in Linux? What ‘vulnerabilities’ is Linux riddled with?
… because unlike the Windows source leak the IOS source doesn’t seem to have hit the major p2p networks yet.
Opensourcing an embedded system sounds like a bad idea… embedded systems, unlike desktops, are not as easy to update to the newest version every few weeks.
“Opensourcing an embedded system sounds like a bad idea… embedded systems, unlike desktops, are not as easy to update to the newest version every few weeks.”
Not every system is updated that way. What about Apache, for example? Secure embedded systems using open code are possible.