Hackers have obtained source code for Cisco Systems Inc.'s (Nasdaq: CSCO) Internetwork Operating System (IOS) 12.3 Operating System, according to a report released over the weekend.
The significance is hard to determine, but it could help hackers identify security vulnerabilities that would enable them to disable routers and take down parts of the Internet.
The risk of this happening depends on how many security vulnerabilities exist in the code and what exactly has been stolen. Different versions of IOS Release 12.3 are used in a wide variety of Cisco equipment, including its 7000 series routers and Catalyst 6000 switches (see Cisco's Release Notes).
Cisco issued the following statement this morning: "Cisco is aware that a potential compromise of its proprietary information occurred and was reported on a public website just prior to the weekend. The Cisco Information Security team is looking into this matter and investigating what happened."
To the extent that Web translations can be trusted, the site appears to be saying Cisco's network was hacked, leading to 800 Mbytes of source code being taken.
There's a chance it's the real thing. Routing expert and former Cisco employee Tony Li posted to a mailing list for the North American Network Operators' Group (NANOG) saying the code appears "(approximately) genuine" and includes "normal calls to IOS infrastructure routines." Comments in the posted code indicate it was written in June 1996 by Kirk Lougheed.
On the plus side, router code is more complex than Microsoft Corp. (Nasdaq: MSFT) code. Routing expertise isn't as widespread as PC operating system knowledge. And to do any damage, a hacker probably would have to determine how the modules link to each other and find vulnerabilities in those links, says Frank Dzubeck, president of consulting firm Communications Network Architects.
Another factor is the age of the compromised code. Newer elements of IOS haven't been implemented yet or, in the case of IPv6, may apply primarily to Asia but not to Cisco's entire customer base, making any damage less apocalyptic. On the other hand, certain aspects of routing code trace back to IOS's beginnings; should that code fall in the wrong hands, it could force Cisco to issue patches applying to every prior release, a case worse than what Microsoft faces with its patches, Dzubeck says.
"There are people running [Cisco code] six or eight releases back," he says. "The average guy running a small router never changes code. And then, AT&T and some of these big guys are running several different instances of code."
Possibly worst of all, though, are the implications to Cisco's business should the code become public domain. "Now you have no problems with any vendor being compatible with Cisco. You suddenly reduce the hardware to a commodity," Dzubeck says. "It would disenfranchise Cisco, because if you ask what Cisco is as a company, it's IOS."
Of course, Cisco could try to litigate or use the criminal justice system to track down the thieves, if in fact their were any -- but even then it will be hard to undo any damage.
That -- along with the possibility that Cisco's own network was breached, bringing its security features under question -- makes Cisco's explanation of the weekend's events crucial. "This week, a whole lot of information has to come out of Cisco," Dzubeck says. "If they stonewall, there are going to be a lot of problems."
"My overall impression is that Huawei doesn't make a habit of copying. I can't prove this, and if someone *can* prove otherwise, I'd love to have the evidence."
Peter,
To do this, you are going to need a Cisco 3640 and a Huawei Quidway Refiner 3600. Open both boxes. Observe how the circuit boards are identical. Now, tell me that's a coincidence.
>>Might I suggest that this discussion is somewhat pointless? First, I can promise you that Cisco certainly provides "reasonable" care for its source code. Second, none of here (hopefully) is the judge or jury on this case. What they have to say is relevant, what we have to say is not.
Light, not heat please...
------------------
I somewhat disagree with you. Specifically, because we don’t know for sure if this was a hack or not. Therefore, if it wasn’t and this was just some disgruntled employee, then John Chambers is not the only very paranoid CEO in the industry right now.
Moreover, the action of this individual(s) is deplorable, and although the intent may have been to hurt Cisco, we all got hurt because it builds mistrust in the global community as to the viability of the Internet. IMHO, if you know who the S.O.B. is, do us all a favor and turn him or her in.
Look at the brighter side guys. The evil folks will look at Cisco coad, find the bugs, kill the internet for a few days (loss of billions??).
But at the end of all these, at least that part of Cisco code will be bug free (unless the great IOS guys introduce more bugs in the process of fixing them!!).
Might I suggest that this discussion is somewhat pointless? First, I can promise you that Cisco certainly provides "reasonable" care for its source code. Second, none of here (hopefully) is the judge or jury on this case. What they have to say is relevant, what we have to say is not.
"Second, Huawei can't show cause with code that may have pre-existed in public hands."
This is the fundamantal arguement Cisco is using against Huawei, just turned around.
"The code is still owned and copyrighted by Cisco. It may just be a bunch of bits and bytes but Cisco retains all rights to their code, regardless of condition precedents."
This is called begging the question.
"Huawei is not immune to claims of rights infrigement from Cisco, if they did have Cisco code; regardless of their origin. Period."
And I never said they were. But it does go to damages. Let me give you a very straight example: if Cisco knew, or should have reasonably known about the Russian site, and failed to even try to close it down, or remove their material, they might fail the reasonable care test.
Huawei has admitted to stealing software, ignoring patents, having access to the source code of their major competitor internally and directly copying large parts of their competitors documentation.
While Huawei can say by its actions that it is no longer selling a product with stolen software, unlicenced patented technology and stolen documentaiton, there is nothing Huawei can do to change the criminal nature of what they have done in the past.
They are totally guilty and they will lose if the case proceeds. The rogue developers defense will not work in court.
As far as their internal investigation, what they did was to remove the obvious evidence of copying at the level of the executables that cisco found. But if cisco gets access to the actual source code, its very possible that more copying would be discovered. Of course some people would believe that Huawei's internal investigation showing no examples of copying beyond what cisco already found is some sort of vindication.
If cisco finds a pattern of copying, meaning multiple examples in the source code, its still possible that Huawei's entire software could be declared tainted and therefore beyond fixing.
Interesting BioDiesel information. And not to be disrespectful. BUT..
>>Perhaps the "thief" thought he/she was being helpful?
I'm thinking you're spending too much time in the kitchen.
As for post #16
>>Reasonable care (in protecting your property) has tons of legal precedence: and the case law says if you fail to exercise reasonable care, you lose most of your rights to damages. Yes, you get the victory in court but it is meaningless: no money changes hands, or the amount is so small as to be trivial.
Sounds like you might be smokin some of that "green fuel" in post #15.
Ask companies like Microsoft, Rambus, or IBM if their victory in court is meaningless or trival.
You seem to under-estimate the power of the judicial system while at the same time making a stretchy case. First, no company in their right mind would fail to exercise reasonable care of their intellectual property. If standard practices of corporate network protection and access authorization are in use, I doubt how anyone can lawfully contend that Cisco was negligent in it's care of IOS code.
Second, Huawei can't show cause with code that may have pre-existed in public hands. The code is still owned and copyrighted by Cisco. It may just be a bunch of bits and bytes but Cisco retains all rights to their code, regardless of condition precedents. Huawei is not immune to claims of rights infrigement from Cisco, if they did have Cisco code; regardless of their origin. Period.
Everyone has a job to do, I think Peter is doing his. I respect your opinion, but stop blowing smoke up people's ass with unsound legal points. What you've said about Cisco's dimished rights and Huawei's damage limits isn't true, period. Your argument will never stand the legal muster for an hour in court.
Come on Dash, Peter has to make a living with the few optical communication companies left. This is a real ethical dilemma: be flexible and eat, or be perfectly honest and hungry. The days of the crusading reporter are gone, if they ever did exist. I am sure Peter will figure out creative ways to let us his readers know some of "the whole truth". Like this message board for example. Who knows who posts, right? A jab here, a poke there...
The blogs and comments are the opinions only of the writers and do not reflect the views of Light Reading. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
To save this item to your list of favorite Light Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.
If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Digg
Del.icio.us
Reddit
