Cisco crapaganda


Among the developments last week: Cisco continually revised its
security bulletin, adding details as to how versions of unpatched IOS
software could be undermined by a "specifically crafted IPv6 packet."
Sources at Cisco say testing will continue indefinitely and could
include findings related to more than simply IPv6-related exploits.


Ironic the marketing and disinformation coming out of Cisco Systems
in relation to not disclosing what really occurred and labeling the
vulnerability as "IPv6 based.... but" after they initially stated
it as "IPv6 only!"

The researcher who touched off the uproar, Michael Lynn, says he is
now the subject of inquiries by FBI agents, and he continues to defend
the propriety of his actions.

Since when did the FBI decide to play "Corporation Superherosaviour"
so blatantly? Mr. Lynn's disclosure, while a double-edged sword, can
possibly save the industry from a catastrophe, and while yes it can
also cause one, I believe he did the right thing.

Experts and users say the hole in IOS appears not to be an immediate
concern based on what is public knowledge at the moment, since patches
are available. But what concerns some is that Lynn's exploit
techniques take router hacking to a new level, which eventually could
have security implications for Cisco customers.

This same attitude from vendors is what causes those releasing POC
(proof of concept) code to release information on how things break.
I recall posting here a while back information on how it would be
possible to break neighbors in BGP by causing flaps. I did not post
the information with the intent on anyone using that information to
cause damage nor was it malicious. I did it under the impression
someone in the industry would take a look at it and see what I saw
and come up with a solution. To date however... It's been more or
less the same: "You're an ass for doing that..."

While Lynn has settled one lawsuit with Cisco and ISS, agreeing not to
disclose anything he knows about the exploit, his problems don't seem
to be over. The FBI is investigating him and interviewing friends and
roommates, he says.

Spin spin sugar... Looking at this current situation I'm wondering
when did it become a federal offense to break a non-disclosure
agreement. I can look at this two possible ways now... Are the feds
looking at Mr. Lynn because they have something vested in the IOS
of Cisco (Carnivore, Magic Lantern), or are they going after him
under the guise of "National (in)Security"? If it's national
(in)security, then why not go after Cisco for allowing this problem
to go unresolved when they knew of it months in advance?

Anyhow, sorry for the rants... The article is pseudo-worth the read
if you can filter out marketing and crapaganda.

It's a half-truth. The vulnerability was IPv6 only, the method for executing arbitrary code was not. That's definitely spin, and I hope they address it soon.

Spin spin sugar... Looking at this current situation I'm wondering
when did it become a federal offense to break a non-disclosure

The FBI is not investigating violation of a non-disclosure agreement. My understanding is that they are investigating possible trade secret theft. Also, please note that there is a large upwelling of support within the federal government for what Lynn did and it would be improper to characterize them all as demons. The FBI is performing due diligence investigations based on reports to them of criminal activity.

The FBI, in this case, is not the person responsible for this ongoing investigation. Rather, that lies with the assigned prosecutor and whoever the reporting parties were.

A much better summary of these events can be found at Jennifer Granick's blog:

Experts and users say the hole in IOS appears not to be an immediate
concern based on what is public knowledge at the moment, since patches
are available. But what concerns some is that Lynn's exploit
techniques take router hacking to a new level, which eventually could
have security implications for Cisco customers.

They are not "Lynn's exploit techniques". The techniques were
published by someone else in considerably more detail than
Lynn, along with source code. And this other person has also
described techniques for attacking other brands of network
equipment, not just Cisco.

There is a sea change in hacker activity under way as
they realize that most embedded systems (including routers
and switches) are now based on general purpose computer
technology and that such systems are full of opportunities
for software exploits. Hackers no longer just attack OSes
like Windows and Linux, they now are beginning to go after
any kind of smart device, especially when the exploits can
be leveraged for blackmail or to earn cash from espionage.

You aren't safe just because your network runs on brand X
boxes. The only way to be safe is for your brand X vendors
to take software security and systemic security much more
seriously. I also believe that there are lessons to be
learned from the open source community's approach to security.
This doesn't mean that Cisco or any other Brand X vendor
should just run out and replace their box's OS with
OpenBSD or NetBSD or Linux. But they need to seriously
ask themselves what advantage they gain from inventing
their own wheel and rejecting the work of thousands of
highly skilled and dedicated people.

There really is no such thing as closed source. The people
building these exploits are fully capable of taking
code from ROM or flash memory and reading what it does.
It's all fine and well to have layers of security but
hiding your source code really shouldn't be counted
as a security layer.

Even if someone managed to eliminate Lynn and all past
and current employees of ISS by exiling them to Cuba,
this would not stop the hackers who are exploiting
network device flaws.

--Michael Dillon

I've been saying this for years, and I'm sure you and I aren't the only ones.


A. If open publication of the full source code of XYZ would render
it insecure, then XYZ is _already_ insecure.

B. In analyzing any attack, it's prudent to presume that the attackers
have the full source code of every piece of software involved. [1]

C. It's not secure until everyone knows exactly how it works and it's
still secure.

D. Any piece of source code which hasn't been subjected to widespread
peer review should be presumed untrustworthy -- because it not only
hasn't been shown to be otherwise, the attempt hasn't even been made.
(Note that the contrapositive isn't true -- peer review is only a
necessary condition, not a sufficient one.)

More bluntly: the closed-source, "faith-based" approach to security
doesn't cut it. The attacks we're confronting are being launched
(in many cases) by people who *already have the source code*, and
who thus enjoy an enormous advantage over the defenders.

It's time to level the playing field. It's time for all the vendors
to publish ALL the source code so that we at least have the same
information as our adversaries.

Because relying on the supposed "secrecy" of source code is relying
on a fantasy.


[1] Either because it leaked (discarded computer equipment, backup
tapes, etc.), was stolen from outside (network break-in, physical
break-in), was stolen from inside (payoffs) or other means. Borrowing
heavily from Bruce Schneier's analysis of what it'd be worth to
buy an election: what's the dollar value on the open market of,
oh, let's say, the full source code to one of Cisco's popular routers?
Maybe $100K? $250K? Maybe more, considering what it might facilitate?

Whatever that number is, that's the amount that prospective attackers
may be presumed to be willing to spend to get it. And whether they
spend it on R&D, or paying someone who's already done the R&D, or
just cutting to the chase and paying off someone with access to it,
doesn't really matter: if they're willing to spend the money,
they _will_ get it.

Hi Rich,

A. If open publication of the full source code of XYZ would render it
insecure, then XYZ is _already_ insecure.

I like that way of looking at it..

B. In analyzing any attack, it's prudent to presume that the attackers have
the full source code of every piece of software involved. [1]

sure, or even a snippet would be sufficient to find and exploit a hole

It's time to level the playing field. It's time for all the vendors to
publish ALL the source code so that we at least have the same information as
our adversaries.

That's going to be a leap too far; it's not an issue of security, it's a question of
property and value.

[1] Either because it leaked (discarded computer equipment, backup tapes,

Source code is much more widely distributed than people might think; it's possible to
be a contractor (individual or company) or, for example in MS's case, a partner
and get source code supplied under NDA.

what's the dollar value on the open market of, oh, let's say, the full source
code to one of Cisco's popular routers? Maybe $100K? $250K? Maybe more,
considering what it might facilitate?

Naww. $0. Pre-IOS-12 versions are in circulation already, 12.something was
partially leaked a year or two ago, and I'm sure other bits can be picked up.

Who would be willing to pay? Not companies, that's illegal. Blackhats? Maybe, but
they can just grab the circulating bootlegs.

Whatever that number is, that's the amount that prospective attackers may be
presumed to be willing to spend to get it. And whether they spend it on R&D,
or paying someone who's already done the R&D, or just cutting to the chase and
paying off someone with access to it, doesn't really matter: if they're
willing to spend the money, they _will_ get it.

Wonder why they don't already have it; maybe they do...


Rich Kulawiec wrote:

More bluntly: the closed-source, "faith-based" approach to security
doesn't cut it. The attacks we're confronting are being launched
(in many cases) by people who *already have the source code*, and
who thus enjoy an enormous advantage over the defenders.

TBH though, usually the open source "faith based" approach to security doesn't cut it either. It's easy to say "it's open source, therefore anyone can check the code" but much harder to actually find someone who has taken the time to do it....

Depends on the project.

Some OSS projects turn around enhancements and bug fixes, and fix
vulnerabilities, quickly. Some don't. Some do some of the time, depending
on the type of change. (For example, Mozilla is good about patching
vulnerabilities quickly, but there's a Thunderbird enhancement almost 200
people voted for on Bugzilla, that people have been complaining about for
months, that they've not done anything about.)

[late followup]

Rich Kulawiec wrote:
>More bluntly: the closed-source, "faith-based" approach to security
>doesn't cut it. The attacks we're confronting are being launched
>(in many cases) by people who *already have the source code*, and
>who thus enjoy an enormous advantage over the defenders.
TBH though, usually the open source "faith based" approach to security
doesn't cut it either. It's easy to say "it's open source, therefore anyone
can check the code" but much harder to actually find someone who has taken
the time to do it....

Ah, but I covered that, or at least I thought I did:

  "D. Any piece of source code which hasn't been subjected to
  widespread peer review should be presumed untrustworthy -- because
  it not only hasn't been shown to be otherwise, the attempt hasn't
  even been made. (Note that the contrapositive isn't true --
  peer review is only a necessary condition, not a sufficient one.)"

Which means: just because it's open source and therefore anyone can check
it, doesn't mean that anyone has...or that they're competent...or that
they were thorough...or that they found all the issues.

Like I said, it's a necessary condition, not a sufficient one.

But...even with all the tools that have been developed -- everything
from formal proofs of correctness to array bounds checkers to stack
overflow guards to seems that in 2005 that the very
best available/practical method we have for trying to produce secure
code is "lots and lots of independent and clueful eyeballs". I'm not
saying that's a desirable situation, because it's not: it would be
nice if we had something better. But we don't, at least not yet.

Another way of putting it: no matter who "you" are, from one lone
programmer to 10,000, the Internet is more thorough than you are.

Now, one could counter-argue that keeping source code secret provides
some measure of security. I'm not buying it: I don't think there's
any such thing as "secret source code". And even if there was: if
someone with enough cash to fill a briefcase wants it: they WILL get it.

I suppose what I'm saying is: let's drop the pretense that "closed-source"
really and truly exists, let's get the critical code out in the open,
and let's get started with the process of beating it into shape.
Because we're already paying (and paying and paying) a huge price
for continuing the charade.
