In a message written on Thu, Jul 28, 2005 at 04:51:18PM -0400, Geo. wrote:
> Cisco routers are being sold to every company who connects to the internet,
> it's one step up from consumer products. You can't expect every company who
> owns a Cisco router to buy an expensive contract or be willing to go through
> the gauntlet to get the patches.
> Cisco needs to come up with a better way.

In a message written on Thu, Jul 28, 2005 at 08:29:38PM +0000, Christopher L. Morrow wrote:
> if it's critical to your business you'd think you'd have a support
> contract for it, eh? (or you decided that the 'better part of a week' and
> associated risk was an acceptable cost to your business)

Unfortunately Chris, that doesn't match how (small) business works.

I hate to hold up Microsoft as an example of being a good corporate
citizen, but here it goes. If a 10 person company buys Windows XP
and runs it in their office they get free Windows Update patches
for the "life" of the product (typically around 5-7 years). There
is no TAC or other system to go through, you just tell the box to
update and it does it.

Now, I'm not suggesting a large ISP would go with this model, but
Cisco has moved out of the core and into small edge and SOHO routers,
VoIP phones, and all sorts of other gizmos being bought by home
office users and small companies who don't buy support for their
other technology items, but get updates. Heck, even digital camera
makers and such put free firmware updates on their web site.

Expecting all of these users to buy a support contract that costs,
what, $350/year for a $2500 box is absurd. Even full tilt talk to
a real person with on-site service Dell support is only around

There is a reason all of these boxes are running around unpatched.
Look at the percentage of Windows boxes, which have auto-update
software and free updates, that are patched. Now think about the
routers out there, where there is no update software and no free
updates. It should surprise no one that there are thousands of
routers on the ends of T1s and DS-3s running code 2-6 years (or
more) old, vulnerable to any number of things.

Why is Cisco so scared of this one? Well, before now hacking them
was low value. You could DDoS a 5 person company off the air, maybe
reboot their router with a vulnerability -- which frankly many of
them wouldn't notice. However, now they can be added to the zombie
army of your choice. From being able to simply trigger a flood
ping remotely to being able to upload a remotely controllable module,
it's all possible now.

Cisco knows a lot of these small offices don't have support. They
don't have someone who knows how to upgrade code on a Cisco. For
Cisco to actually upgrade a lot of these boxes (assuming people are
informed, and know to demand an upgrade) under their current system
means tens of thousands of TAC calls from people who've never logged
into a router before needing to be walked through downloading code
and upgrading a router. Millions, if not tens of millions in support

Will all of these people demand it? Who knows. The popular press
picking up the issue is a huge step to alerting Joe Random with a
small office and a 2501 in the corner that he should pay attention, but
it's probably not enough. If a hacker manages to take over twenty
or thirty thousand routers though.... I suspect a flood of calls