Re: Cisco crapaganda

2005-09-05 Thread Rich Kulawiec

[late followup]

On Sat, Aug 13, 2005 at 07:32:20PM +0100, Dave Howe wrote:
> Rich Kulawiec wrote:
> >More bluntly: the closed-source, "faith-based" approach to security
> >doesn't cut it.  The attacks we're confronting are being launched
> >(in many cases) by people who *already have the source code*, and
> >who thus enjoy an enormous advantage over the defenders.
> TBH though, usually the open source "faith based" approach to security 
> doesn't cut it either. It's easy to say "it's open source, therefore anyone 
> can check the code" but much harder to actually find someone who has taken 
> the time to do it.

Ah, but I covered that, or at least I thought I did:

"D. Any piece of source code which hasn't been subjected to
widespread peer review should be presumed untrustworthy-- because
it not only hasn't been shown to be otherwise, the attempt hasn't
even been made.  (Note that the contrapositive isn't true --
peer review is only a necessary condition, not a sufficient one.)"

Which means: just because it's open source and therefore anyone can check
it, doesn't mean that anyone has...or that they're competent...or that
they were thorough...or that they found all the issues.

Like I said, it's a necessary condition, not a sufficient one.

But...even with all the tools that have been developed -- everything
from formal proofs of correctness to array bounds checkers to stack
overflow guards to you-name-it...it seems that in 2005 the very
best available/practical method we have for trying to produce secure
code is "lots and lots of independent and clueful eyeballs".  I'm not
saying that's a desirable situation, because it's not: it would be
nice if we had something better.  But we don't, at least not yet.

Another way of putting it: no matter who "you" are, from one lone
programmer to 10,000, the Internet is more thorough than you are.

Now, one could counter-argue that keeping source code secret provides
some measure of security.  I'm not buying it: I don't think there's
any such thing as "secret source code".   And even if there was: if
someone with enough cash to fill a briefcase wants it: they WILL get it.

I suppose what I'm saying is: let's drop the pretense that "closed-source"
really and truly exists, let's get the critical code out in the open,
and let's get started with the process of beating it into shape.
Because we're already paying (and paying and paying) a huge price
for continuing the charade.

---Rsk


Re: Cisco crapaganda

2005-08-13 Thread Steven J. Sobol

On Sat, 13 Aug 2005, Dave Howe wrote:

> 
> Rich Kulawiec wrote:
> > More bluntly: the closed-source, "faith-based" approach to security
> > doesn't cut it.  The attacks we're confronting are being launched
> > (in many cases) by people who *already have the source code*, and
> > who thus enjoy an enormous advantage over the defenders.

> TBH though, usually the open source "faith based" approach to security
> doesn't cut it either. It's easy to say "it's open source, therefore
> anyone can check the code" but much harder to actually find someone who
> has taken the time to do it.
 
Depends on the project.

Some OSS projects turn around enhancements and bug fixes, and fix 
vulnerabilities, quickly. Some don't. Some do some of the time, depending 
on the type of change. (For example, Mozilla is good about patching 
vulnerabilities quickly, but there's a Thunderbird enhancement almost 200 
people voted for on Bugzilla, that people have been complaining about for 
months, that they've not done anything about.)

-- 
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307




Re: Cisco crapaganda

2005-08-13 Thread Dave Howe


Rich Kulawiec wrote:

> More bluntly: the closed-source, "faith-based" approach to security
> doesn't cut it.  The attacks we're confronting are being launched
> (in many cases) by people who *already have the source code*, and
> who thus enjoy an enormous advantage over the defenders.

TBH though, usually the open source "faith based" approach to security doesn't 
cut it either. It's easy to say "it's open source, therefore anyone can check the 
code" but much harder to actually find someone who has taken the time to do it.


Re: Cisco crapaganda (Modified by Jason Chambers)

2005-08-13 Thread Jason Chambers



On Aug 10, 2005, at 05:53, [EMAIL PROTECTED] wrote:

>> Also, what about DoD Orange Book certification? Can this kind of
>> testing methodology be applied to routing systems as well, such as
>> IOS?
>
> I don't claim to fully understand Orange Book but it seems to
> me that one of the essences of Open Source is the process of
> certification.
>
> <--snip-->
>
> To learn more about the Orange book, look here
> http://www.dynamoo.com/orange/

In relation to the Orange Book,

There is an evaluation program available, named TPEP, links are below.
Very interesting and intense.

Yes, routing systems \ IOS applies.  See 1.3 TPEP Process Overview at
http://www.radium.ncsc.mil/tpep/process/procedures.html

I chatted briefly with a fed @ Defcon about this program, specifically
about work to make this achievement something [buzzword warning]
"Critical Infrastructure" and the well known software manufacturers
would look to engage in \ use.  Maybe by way of public forums such as
this is that accomplished.  In labels we trust.

http://www.radium.ncsc.mil/tpep/index.html
http://www.radium.ncsc.mil/tpep/tpep.html
http://www.radium.ncsc.mil/tpep/process/faq-sect6.html#Q8

-Jason



Re: Cisco crapaganda

2005-08-12 Thread Stephen J. Wilcox

Hi Rich,

> A. If open publication of the full source code of XYZ would render it
> insecure, then XYZ is _already_ insecure.

I like that way of looking at it..
 
> B. In analyzing any attack, it's prudent to presume that the attackers have
> the full source code of every piece of software involved. [1]

Sure, or even a snippet would be sufficient to find and exploit a hole.

> It's time to level the playing field.  It's time for all the vendors to
> publish ALL the source code so that we at least have the same information as
> our adversaries.

That's going to be a leap too far; it's not an issue of security, it's a
question of property and value.

> [1] Either because it leaked (discarded computer equipment, backup tapes,

Source code is much more widely distributed than people might think; it's
possible to be a contractor (individual or company) or, for example in MS's
case, a partner and get source code supplied under NDA.

> what's the dollar value on the open market of, oh, let's say, the full source
> code to one of Cisco's popular routers? Maybe $100K?  $250K?  Maybe more,
> considering what it might facilitate?

Naww. $0. Pre-IOS-12 versions are in circulation already, 12.something was
partially leaked a year or two ago, and I'm sure other bits can be picked up.

Who would be willing to pay? Not companies, that's illegal. Blackhats? Maybe,
but they can just grab the circulating bootlegs.

> Whatever that number is, that's the amount that prospective attackers may be
> presumed to be willing to spend to get it.  And whether they spend it on R&D,
> or paying someone who's already done the R&D, or just cutting to the chase and
> paying off someone with access to it, doesn't really matter: if they're
> willing to spend the money, they _will_ get it.

Wonder why they don't already have it; maybe they do...

Steve



Re: Cisco crapaganda

2005-08-12 Thread Rich Kulawiec

On Tue, Aug 09, 2005 at 04:11:45PM +0100, [EMAIL PROTECTED] wrote:
> There really is no such thing as closed source. 

I've been saying this for years, and I'm sure you and I aren't the only ones.

Corollaries:

A. If open publication of the full source code of XYZ would render
it insecure, then XYZ is _already_ insecure.

B. In analyzing any attack, it's prudent to presume that the attackers
have the full source code of every piece of software involved. [1]

C. It's not secure until everyone knows exactly how it works and it's
still secure.

D. Any piece of source code which hasn't been subjected to widespread
peer review should be presumed untrustworthy-- because it not only 
hasn't been shown to be otherwise, the attempt hasn't even been made.
(Note that the contrapositive isn't true -- peer review is only a
necessary condition, not a sufficient one.)


More bluntly: the closed-source, "faith-based" approach to security
doesn't cut it.  The attacks we're confronting are being launched
(in many cases) by people who *already have the source code*, and
who thus enjoy an enormous advantage over the defenders.

It's time to level the playing field.  It's time for all the vendors
to publish ALL the source code so that we at least have the same
information as our adversaries.

Because relying on the supposed "secrecy" of source code is relying
on a fantasy.

---Rsk

[1] Either because it leaked (discarded computer equipment, backup
tapes, etc.), was stolen from outside (network break-in, physical
break-in), was stolen from inside (payoffs) or other means.  Borrowing
heavily from Bruce Schneier's analysis of what it'd be worth to
buy an election: what's the dollar value on the open market of,
oh, let's say, the full source code to one of Cisco's popular routers?
Maybe $100K?  $250K?  Maybe more, considering what it might facilitate?

Whatever that number is, that's the amount that prospective attackers
may be presumed to be willing to spend to get it.  And whether they
spend it on R&D, or paying someone who's already done the R&D, or
just cutting to the chase and paying off someone with access to it,
doesn't really matter: if they're willing to spend the money,
they _will_ get it.


RE: Cisco crapaganda

2005-08-11 Thread Hannigan, Martin


[ SNIP ]

> But I found more. It seems that a guy using the name FX
> has been publishing stuff about Cisco heap exploits for
> years now. I found his slides from a presentation made
> at BlackHat Las Vegas in 2002. Lots of juicy detail. And I
> found a long document translated from Chinese about modern
> information/economic warfare.

If people want to be up to date, imagine the unimaginable.


-M<




Re: Cisco crapaganda

2005-08-11 Thread Michael . Dillon

> Get a grip, Michael.  Any black hat who reads this list already knows
> this information (if indeed it exists; acting mysterious isn't gaining
> you any credibility with the cynical among us, and of course you
> aren't even providing enough detail for people with clues to discern
> what the bloody heck you're referring to).  All you're doing is
> withholding data from the non-black-hats.

*sigh*

I have no special sources of info. One Monday morning
I saw the traffic on this list about Lynn's presentation.
None of the posted URLs worked. One of them led to a legal
document ordering that the slides not be posted. So what
did I do?

That's right, I turned to Google. I found articles written
by people who attended the presentation. One person had
posted a zip file with photos of all of Lynn's slides as
presented at BlackHat. I even managed to find the PDF file
with the edited version of the slides that was the target
of the lawyers.

But I found more. It seems that a guy using the name FX
has been publishing stuff about Cisco heap exploits for
years now. I found his slides from a presentation made
at BlackHat Las Vegas in 2002. Lots of juicy detail. And I
found a long document translated from Chinese about modern
information/economic warfare.

I really didn't think this stuff was all that hard to find
because it took me all of 30 minutes.

The big question in my mind is why did Cisco freak out when
somebody wanted to present an overview of exploits that have
been worked on by hackers for the past 3 years? Especially
when Lynn is giving them some valuable free advice, i.e.
don't make it easier for hackers to use heap exploits.

Thanks to Drew's posting I now know that FX presented
again at BHLV a year later pointing out a UDP exploit that
can be used to facilitate building the correct heap exploit
for a specific IOS release and architecture.

It seems to me that Cisco has a fundamental communications
problem in regards to security. Their actions against Lynn
did not stop people from reading his slides and his slides
were not nearly as informative as the older slides from FX.
Also, Cisco seems stuck in the traditional vendor-customer
communications cycle that causes them to ignore or deprioritize
security related communications unless it comes to them
through a major customer. In fact, the people who REALLY
know this stuff may not work for a major Cisco customer
or if they do, they may not have access to the privileged
communications channels within their company.

--Michael Dillon

Give a man a fish and you feed him for a day, teach him
how to fish and you feed him for a lifetime.



Re: Cisco crapaganda

2005-08-10 Thread Aaron Glenn

On 8/10/05, Chris Gilbert <[EMAIL PROTECTED]> wrote:
> 
> But in some ways, aren't those Open Source software techniques also
> assisting Juniper, as JunOS is based in no small part on FreeBSD?
> 

For clarification:

"We took the networking part in the FreeBSD software, threw it away,
and replaced it with our own specialized software. That way, we don't
have to worry about file systems and process management and all the
operating features that the OS community is better at doing. We focus
on adding our value to the networking part." -
http://www.hyperchip.com/Coverage/ICD/router_makers_speak_out.htm

aaron.glenn


Re: Cisco crapaganda

2005-08-10 Thread JORDI PALET MARTINEZ

I will say it is also about development time. We are continuously asking for
new features (sometimes somehow artificially generated by the market or the
vendors?), so they need to work faster, test faster ...

Regards,
Jordi




> From: Daniel Roesen <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Thu, 11 Aug 2005 00:31:04 +0200
> To: "nanog@merit.edu" 
> Subject: Re: Fwd: Cisco crapaganda
> 
> 
> On Wed, Aug 10, 2005 at 11:13:42AM +0100, [EMAIL PROTECTED] wrote:
>> The root of all these vulnerabilities is our inability to write
>> complex software that is free of bugs.
> 
> Inability? I'd rather say it's an economic question. Would you want to
> pay for proven bug-free software? Think twice (and look at some expense
> figures for such software first). :-)
> 
> 
> Regards,
> Daniel
> 
> -- 
> CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0





The IPv6 Portal: http://www.ipv6tf.org

Barcelona 2005 Global IPv6 Summit
Information available at:
http://www.ipv6-es.com






Re: Fwd: Cisco crapaganda

2005-08-10 Thread Daniel Roesen

On Wed, Aug 10, 2005 at 11:13:42AM +0100, [EMAIL PROTECTED] wrote:
> The root of all these vulnerabilities is our inability to write
> complex software that is free of bugs.

Inability? I'd rather say it's an economic question. Would you want to
pay for proven bug-free software? Think twice (and look at some expense
figures for such software first). :-)


Regards,
Daniel

-- 
CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0


RE: Cisco crapaganda

2005-08-10 Thread Maness, Drew

Sorry 2 years ago (2003)

http://www.blackhat.com/html/bh-multi-media-archives.html#USA-2003

FX - More (Vulnerable) Embedded Systems

Lynn also referred to a "Chinese Hacker" group that was reviewing pieces of stolen IOS code for the sole purpose of shoveling shell code into IOS.




-Original Message-
From:   [EMAIL PROTECTED] on behalf of Maness, Drew
Sent:   Wed 8/10/2005 10:11 AM
To: [EMAIL PROTECTED]; nanog@merit.edu
Cc:
Subject:    RE: Cisco crapaganda
Lynn referred to FX from phenoelit's presentation at blackhat 3 years ago.  http://www.phenoelit.de


-Original Message-
From:   [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent:   Wed 8/10/2005 6:14 AM
To: nanog@merit.edu
Cc:
Subject:    Re: Cisco crapaganda

> I, desperately, hope you are not referring to Raven Adler's
> presentation at Defcon following Black Hat.

No, I am referring to something that was published
3 years ago and describes substantially the same
exploits and techniques as Lynn described except the
3 year old document has much more technical detail and
offers a URL where source code for the exploits can
be acquired.

Maybe Lynn rediscovered this independently. Maybe he
heard rumours of an exploit in blackhat communications
and this guided him where to look. But if my memory
serves me correctly, Lynn himself claimed that his work
was based on the work of a blackhat.

--Michael Dillon

RE: Cisco crapaganda

2005-08-10 Thread Maness, Drew

Lynn referred to FX from phenoelit's presentation at blackhat 3 years ago.  http://www.phenoelit.de


-Original Message-
From:   [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent:   Wed 8/10/2005 6:14 AM
To: nanog@merit.edu
Cc:
Subject:    Re: Cisco crapaganda

> I, desperately, hope you are not referring to Raven Adler's
> presentation at Defcon following Black Hat.

No, I am referring to something that was published
3 years ago and describes substantially the same
exploits and techniques as Lynn described except the
3 year old document has much more technical detail and
offers a URL where source code for the exploits can
be acquired.

Maybe Lynn rediscovered this independently. Maybe he
heard rumours of an exploit in blackhat communications
and this guided him where to look. But if my memory
serves me correctly, Lynn himself claimed that his work
was based on the work of a blackhat.

--Michael Dillon

Re: Cisco crapaganda

2005-08-10 Thread Robert E . Seastrom


[EMAIL PROTECTED] writes:

>> If not, once again, I'd ask you to cite sources rather 
>> than make broad sweeping statements about what is already available. 
>> Appealing to some anonymous authority in order to claim the sky is 
>> falling is hardly endearing.
>
> I think that people who specialise in security know what
> I am referring to. I won't say any more publicly since
> there are black hats reading this list. If they don't already
> know about this stuff, I'm not going to help them.

Get a grip, Michael.  Any black hat who reads this list already knows
this information (if indeed it exists; acting mysterious isn't gaining
you any credibility with the cynical among us, and of course you
aren't even providing enough detail for people with clues to discern
what the bloody heck you're referring to).  All you're doing is
withholding data from the non-black-hats.

---rob



Re: Cisco crapaganda

2005-08-10 Thread Michael . Dillon

> I, desperately, hope you are not referring to Raven Adler's 
> presentation at Defcon following Black Hat.

No, I am referring to something that was published
3 years ago and describes substantially the same
exploits and techniques as Lynn described except the
3 year old document has much more technical detail and
offers a URL where source code for the exploits can
be acquired.

Maybe Lynn rediscovered this independently. Maybe he
heard rumours of an exploit in blackhat communications
and this guided him where to look. But if my memory
serves me correctly, Lynn himself claimed that his work
was based on the work of a blackhat.

--Michael Dillon



Re: Cisco crapaganda

2005-08-10 Thread Michael . Dillon

> If not, once again, I'd ask you to cite sources rather 
> than make broad sweeping statements about what is already available. 
> Appealing to some anonymous authority in order to claim the sky is 
> falling is hardly endearing.

I think that people who specialise in security know what
I am referring to. I won't say any more publicly since
there are black hats reading this list. If they don't already
know about this stuff, I'm not going to help them.

If anyone wants to know what I am talking about, then
go to the security people in your company and ask them.
The company pays them to keep abreast of this stuff.

> That's a fairly bold statement. I'd also hesitate to label Lynn as a 
> black hat

I never labelled Lynn as a blackhat. I said that Lynn and
ISS and all other similar firms and researchers do the
same thing as blackhats. They monitor communications of
blackhats and learn from them. This activity does not make
someone into a blackhat.

> researchers of 
> any hat, in my experience, keep their secrets amongst a small group.

It is human nature to brag about what you have discovered and
for many blackhats, this is the only return they get for their
work. I agree that whitehats like Lynn are generally much more 
careful about their secrets which is why Lynn's presentation was
quite vague about many things.

> On the other hand, Lynn is exactly the sort of guru 
> you describe. Riley Eller said it best "If you put him and a (Cisco) 
> box in a room, the box breaks."

I'm sceptical about such rhetoric.

> It boils down to the following question: Do you think the benefit of 
> releasing the source code for IOS, allowing independent researchers 
> access to the source code in order to locate flaws, outweighs the 
> costs of that release, allowing criminals access to the source code 
> in order to locate flaws and forfeiting trade secrets? In the case of 
> Cisco, I'm sure the latter weighs more heavily in their mind.

First, I don't think there will be any trade secrets of great value
revealed by the source code. Software and systems have a long history
and people continue to reinvent wheels that were first invented two 
or three generations ago. In any case, people looking for trade secrets
simply acquire the boxes and reverse engineer.

Second, I don't suggest that Cisco suddenly release their code. But
I can imagine a phased approach where they release the code to an
ever widening circle of people, and then finally make it completely
open. Or they could phase in a new codebase using Open Source as the
foundation.

--Michael Dillon



Re: Cisco crapaganda

2005-08-10 Thread James Baldwin


On Aug 10, 2005, at 6:13 AM, [EMAIL PROTECTED] wrote:


>>> What techniques are you referencing? The technique Lynn demonstrated
>>> has not been seen anywhere in the wild, as far as I know. Neither he nor
>>> ISS ever made the source code available to anyone outside of Cisco,
>>> or ISS. What publication are you referring to?
>>
>> Didn't Lynn come out and say flat out that he'd found a lot of information
>> on a Chinese website (with the implication that the website had even more
>> information than what he presented)?



> A black hat who is not Chinese has published some slides with
> far more explicit step-by-step details of how to crack IOS using
> the techniques that Lynn glossed over in his presentation. This
> person also claims to have source code available on his website
> for download but I didn't look to know for sure.


I, desperately, hope you are not referring to Raven Adler's  
presentation at Defcon following Black Hat. If so, I think "far more  
explicit step-by-step" is quite an over characterization of what she  
presented. If not, once again, I'd ask you to cite sources rather  
than make broad sweeping statements about what is already available.  
Appealing to some anonymous authority in order to claim the sky is  
falling is hardly endearing.



> Since all blackhats tend to
> communicate with each other to share ideas and to brag about
> their exploits, it is entirely possible that this Cisco
> exploit began in China.


That's a fairly bold statement. I'd also hesitate to label Lynn as a  
black hat as his actions, notification of vendor, confirmation of a  
patch, and release, are not characteristic of a black hat. I'd  
suggest that generalization is incorrect in any case, researchers of  
any hat, in my experience, keep their secrets amongst a small group.



> It is a nice myth to believe that a company like ISS does all
> their own work in-house and that their employees are all super
> gurus. But I would hope that most of you realize this is not
> true. Companies like ISS leverage the work of blackhats just
> like any hacker does. That's why I don't think gagging Lynn or
> ISS or the Blackhat conference will have any positive effect
> whatsoever. In fact, I would argue that this legal manoeuvring
> has had a net negative effect because it has now been widely
> published that Cisco exploits are possible. This means that
> many more hackers are now trying to craft their own exploits
> and own Cisco routers.


I agree that this was a very large public relations blunder on the  
part of ISS and Cisco. Their actions caused undue attention to be  
placed on this issue and put both groups on the wrong side of a very  
public argument. On the other hand, Lynn is exactly the sort of guru  
you describe. Riley Eller said it best "If you put him and a (Cisco)  
box in a room, the box breaks."


Having spoken with him throughout development of this technique, I  
can assure you that it was not developed, and further, not propagated  
to anyone outside of ISS with Lynn's knowledge. He has taken every  
care possible to ensure that this did not leak. That's not to say it  
will not, certain members within ISS were keen on originally  
releasing this to the public before informing Cisco which prompted  
Lynn to resign on the spot before he was talked into returning after  
they dropped the subject of uninformed public release.



> Now I believe that Open Source software techniques can solve
> this root problem because many eyes can find more bugs.
> This doesn't just mean *BSD and Linux. There are also
> systems like OSKit http://www.cs.utah.edu/flux/oskit/
> and RTAI http://www.rtai.org/ that are more appropriate
> for building things like routers.


"Many eyes can find more bugs" implies several things. It implies  
that a large group of people are investigating bugs, and that they are  
qualified to find bugs of this nature. I would argue that the number  
that meet both criteria is small in the open source world. That is  
not to imply that there are untalented people in the FOSS community,  
only that they are not interested in locating bugs or ensuring  
security of a specialized routing operating system as their primary  
function.


It boils down to the following question: Do you think the benefit of  
releasing the source code for IOS, allowing independent researchers  
access to the source code in order to locate flaws, outweighs the  
costs of that release, allowing criminals access to the source code  
in order to locate flaws and forfeiting trade secrets? In the case of  
Cisco, I'm sure the latter weighs more heavily in their mind.


Re: Cisco crapaganda

2005-08-10 Thread Michael . Dillon

> But in some ways, aren't those Open Source software techniques also
> assisting Juniper, as JunOS is based in no small part on FreeBSD?

Yes Juniper is getting an advantage from Open Source as are
hundreds of smaller vendors of routing/switching equipment.
I believe it is only a matter of time before Open Source 
software becomes the de facto standard for everything
everywhere. We have already seen that Open Source does not
lead to monoculture but does create a competitive environment
for operating systems and applications. And we already know
that competitive environments are a spur to evolution.

> Also, what about DoD Orange Book certification? Can this kind of
> testing methodology be applied to routing systems as well, such as IOS?

I don't claim to fully understand Orange Book but it seems to
me that one of the essences of Open Source is the process of
certification. Of course nowadays this certification is rather
haphazard and often amounts to people saying that they published
their source and there have been no security flaws discovered
for X period of time. But it could be done in a more formal
and organized way. If it is reasonable for governments to insist
on safety certification for airplanes, child carseats, and
medical equipment, then why not routers/switches?

To learn more about the Orange book, look here
http://www.dynamoo.com/orange/

> I wonder if infrastructure customers should, or could be getting
> similar treatment from Cisco in regards to IOS, for them to better
> protect their customers. (Government would apply here too.)

If you consider the Internet to be a public network which benefits
all of society then the question arises: Is it sufficient for a few
large private organizations to audit the code in Internet infrastructure
devices or should this audit be done by a public agency of some sort?

Now that the whole bipartisan environment of the Cold War has disappeared
we are more able to experiment with different types of governance structures
without being labelled as communist or capitalist. In the corporate
world, things like Sarbanes-Oxley have legitimized the concept of a public
agency having audit oversight over private businesses. It is not unusual
to find corporations accepting board members from strategic customers
or providing strategic customers some input into governance of the
seemingly private corporation. I think that these types of structures
are the essence of free market, non-centrally planned economies and
that we should feel free to adopt such structures and experiment with
them.

The DHS is such a structure and it is evolving as it learns. I think
it is only a matter of time before the DHS dips its toes into the auditing
of software systems, including Cisco IOS and Microsoft software, because
society becomes more and more dependent on these software systems every
day.

--Michael Dillon



Re: Cisco crapaganda

2005-08-10 Thread Chris Gilbert

Given the term "Crapaganda" I couldn't help but share this when I ran
across it today:

http://www.cisco.com/edu/peterpacket

Enjoy :)

Also,

> Of course, in the end, Juniper is also vulnerable. ... Now I
> believe that Open Source software techniques can solve this root
> problem because many eyes can find more bugs. This doesn't just
> mean *BSD and Linux. There are also systems like OSKit
> http://www.cs.utah.edu/flux/oskit/ and RTAI http://www.rtai.org/
> that are more appropriate for building things like routers.

But in some ways, aren't those Open Source software techniques also
assisting Juniper, as JunOS is based in no small part on FreeBSD?

Perhaps their hybrid of Open-Source adoption and proprietary
development will take the benefits from both worlds and prove an
effective method for maintaining a high level of software security.

Also, what about DoD Orange Book certification? Can this kind of
testing methodology be applied to routing systems as well, such as IOS?

In recent years Microsoft has been releasing code for internal
security audits to special customers such as large corporate partners
and government.

I wonder if infrastructure customers should, or could be getting
similar treatment from Cisco in regards to IOS, for them to better
protect their customers. (Government would apply here too.)

--
Regards,
Chris Gilbert
IO Interactive A/S


Re: Fwd: Cisco crapaganda

2005-08-10 Thread Michael . Dillon

> > What techniques are you referencing? The technique Lynn demonstrated 
> > has not been seen anywhere in the wild, as far as I know. Neither he nor 
> > ISS ever made the source code available to anyone outside of Cisco, 
> > or ISS. What publication are you referring to?
> 
> Didn't Lynn come out and say flat out that he'd found a lot of information
> on a Chinese website (with the implication that the website had even more
> information than what he presented)?

A black hat who is not Chinese has published some slides with
far more explicit step-by-step details of how to crack IOS using
the techniques that Lynn glossed over in his presentation. This
person also claims to have source code available on his website
for download but I didn't look to know for sure.

As for the Chinese connection, there is a fairly long document
circulating on the net from a couple of years back. It is translated
from Chinese and it is about modern techniques of information warfare.
I think a lot of people interested in network security are aware
that lots of Chinese hackers are at work out there and that
they are good at what they do. Since all blackhats tend to 
communicate with each other to share ideas and to brag about
their exploits, it is entirely possible that this Cisco
exploit began in China.

It is a nice myth to believe that a company like ISS does all
their own work in-house and that their employees are all super
gurus. But I would hope that most of you realize this is not
true. Companies like ISS leverage the work of blackhats just
like any hacker does. That's why I don't think gagging Lynn or
ISS or the Blackhat conference will have any positive effect
whatsoever. In fact, I would argue that this legal manoeuvring
has had a net negative effect because it has now been widely
published that Cisco exploits are possible. This means that 
many more hackers are now trying to craft their own exploits
and own Cisco routers.

Of course, in the end, Juniper is also vulnerable. Nortel is
vulnerable. Every manufacturer of routing/switching equipment
is vulnerable. Modern electronic devices are all built around 
embedded computers with complex software running on them. The
root of all these vulnerabilities is our inability to write
complex software that is free of bugs.

Now I believe that Open Source software techniques can solve
this root problem because many eyes can find more bugs.
This doesn't just mean *BSD and Linux. There are also
systems like OSKit http://www.cs.utah.edu/flux/oskit/
and RTAI http://www.rtai.org/ that are more appropriate
for building things like routers.

--Michael Dillon




Re: Cisco crapaganda

2005-08-09 Thread chuck goolsbee


At 11:49 AM -0700 8/9/05, Dan Hollis wrote:

> Someone made a video of cisco hard at work fixing router security holes:
> http://www.makezine.com/blog/archive/2005/08/video_of_ciscoi.html
>
> Cisco is also fixing web security holes:
> http://www.dslreports.com/shownews/66078
>
> With all this and the FBI investigation of Lynn, I feel so much safer now.
>
> Thanks cisco.
>
> -Dan

But why worry! Peter Packet will save the 'Net!

"You can't run forever hacker!"

--chuck


Re: Cisco crapaganda

2005-08-09 Thread James Baldwin


On Aug 9, 2005, at 3:20 PM, [EMAIL PROTECTED] wrote:

> On Tue, 09 Aug 2005 14:31:08 EDT, James Baldwin said:
>
> > What techniques are you referencing? The technique Lynn demonstrated
> > has not been seen anywhere in the wild, as far as I know. Neither he
> > nor ISS ever made the source code available to anyone outside of Cisco
> > or ISS. What publication are you referring to?
>
> Didn't Lynn come out and say flat out that he'd found a lot of
> information on a Chinese website (with the implication that the website
> had even more information than what he presented)?

No. Not at all. Lynn found information on Chinese websites indicating
people were actively working to exploit IOS, not that anyone had
actually done so.


Re: Fwd: Cisco crapaganda

2005-08-09 Thread Valdis . Kletnieks
On Tue, 09 Aug 2005 14:31:08 EDT, James Baldwin said:

> What techniques are you referencing? The technique Lynn demonstrated
> has not been seen anywhere in the wild, as far as I know. Neither he
> nor ISS ever made the source code available to anyone outside of Cisco
> or ISS. What publication are you referring to?

Didn't Lynn come out and say flat out that he'd found a lot of information
on a Chinese website (with the implication that the website had even more
information than what he presented)?




Re: Cisco crapaganda

2005-08-09 Thread Dan Hollis

On Tue, 9 Aug 2005, J. Oquendo wrote:
> Anyhow, sorry for the rants... The article is pseudo-worth the read
> if you can filter out marketing and crapaganda.

Someone made a video of cisco hard at work fixing router security holes:
http://www.makezine.com/blog/archive/2005/08/video_of_ciscoi.html

Cisco is also fixing web security holes:
http://www.dslreports.com/shownews/66078

With all this and the FBI investigation of Lynn, I feel so much safer now. 

Thanks cisco.

-Dan



Fwd: Cisco crapaganda

2005-08-09 Thread James Baldwin


On Aug 9, 2005, at 11:11 AM, [EMAIL PROTECTED] wrote:

> They are not "Lynn's exploit techniques". The techniques were
> published by someone else in considerably more detail than
> Lynn along with source code.

What techniques are you referencing? The technique Lynn demonstrated
has not been seen anywhere in the wild, as far as I know. Neither he
nor ISS ever made the source code available to anyone outside of Cisco
or ISS. What publication are you referring to?

> You aren't safe just because your network runs on brand X
> boxes. The only way to be safe is for your brand X vendors
> to take software security and systemic security much more
> seriously. I also believe that there are lessons to be
> learned from the open source community's approach to security.
> This doesn't mean that Cisco or any other Brand X vendor
> should just run out and replace their box's OS with
> OpenBSD or NetBSD or Linux. But they need to seriously
> ask themselves what advantage they gain from inventing
> their own wheel and rejecting the work of thousands of
> highly skilled and dedicated people.

Quality control.

The general operating systems are not designed with a specific goal
of high availability routing in mind, and while they display and can
compete on some levels with specialized operating systems, they will
lose out in the end. In this regard it is not open source
environments that present the benefit, but as you say "thousands of
highly skilled and dedicated people". There are very few of those
people who are experienced in the realm of high end routing systems.

The general operating system can garner a large support base due to
its broad market appeal, its use in both servers, low end routing
hardware, and desktops. However, to develop strong support for a
reduced feature set and circumscribed is difficult. The same number
of dedicated developers will be reduced and the amount of time highly
specialized developers will focus on that code base will be diminished.

You can see examples of similar behavior in the subsets of Linux
developed for embedded systems, like the WAP Linksys routers.

That being said, who would continue to buy Cisco equipment if IOS was
available elsewhere? The Chinese market is already flooded with Cisco
knock-offs, the rest would most certainly follow if it was legal.

Out of curiosity, what, in your opinion, is the open source
community's approach to security? I have seen differing approaches
from different groups, some which are downright despicable (methods,
not people).

> There really is no such thing as closed source. The people
> building these exploits are fully capable of taking
> code from ROM or flash memory and reading what it does.

I've had some experience with reverse engineering and disassembly,
and while it is true that you can analyze an image of a running
program and find what it does, that is a long, long step to having the
kind of understanding of a program you can gain through the actual
source code.

> It's all fine and well to have layers of security but
> hiding your source code really shouldn't be counted
> as a security layer.

Obscurity should never be counted on as a sole security layer, but it
does add a level of difficulty. One of the major themes in the
security industry is mitigation. Obscurity does not add a level of
security, but it does reduce the number of people who can easily
accomplish a task. It raises the bar and reduces the pool of attackers.

> Even if someone managed to eliminate Lynn and all past
> and current employees of ISS by exiling them to Cuba,
> this would not stop the hackers who are exploiting
> network device flaws.

Did anyone ever think that?




Re: Cisco crapaganda

2005-08-09 Thread Michael . Dillon

> /* ARTICLE
> Experts and users say the hole in IOS appears not to be an immediate
> concern based on what is public knowledge at the moment, since patches
> are available. But what concerns some is that Lynn's exploit
> techniques take router hacking to a new level, which eventually could
> have security implications for Cisco customers.
> */

They are not "Lynn's exploit techniques". The techniques were
published by someone else in considerably more detail than
Lynn along with source code. And this other person has also
described techniques for attacking other brands of network
equipment not just Cisco.

There is a sea change in hacker activity under way as
they realize that most embedded systems (including routers
and switches) are now based on general purpose computer
technology and that such systems are full of opportunities
for software exploits. Hackers no longer just attack OSes
like Windows and Linux, they now are beginning to go after
any kind of smart device, especially when the exploits can
be leveraged for blackmail or to earn cash from espionage.

You aren't safe just because your network runs on brand X
boxes. The only way to be safe is for your brand X vendors
to take software security and systemic security much more
seriously. I also believe that there are lessons to be
learned from the open source community's approach to security.
This doesn't mean that Cisco or any other Brand X vendor
should just run out and replace their box's OS with 
OpenBSD or NetBSD or Linux. But they need to seriously
ask themselves what advantage they gain from inventing 
their own wheel and rejecting the work of thousands of
highly skilled and dedicated people.

There really is no such thing as closed source. The people
building these exploits are fully capable of taking 
code from ROM or flash memory and reading what it does.
It's all fine and well to have layers of security but
hiding your source code really shouldn't be counted
as a security layer.

Even if someone managed to eliminate Lynn and all past 
and current employees of ISS by exiling them to Cuba,
this would not stop the hackers who are exploiting
network device flaws.

--Michael Dillon



Re: Cisco crapaganda

2005-08-09 Thread James Baldwin


On Aug 9, 2005, at 9:57 AM, J. Oquendo wrote:

> Ironic the marketing and disinformation coming out of Cisco Systems
> in relation to not disclosing what really occurred and labeling the
> vulnerability as "IPv6 based but" after they initially stated
> it as "IPv6 only!"

It's a half truth. The vulnerability was IPv6 only, the method for
executing arbitrary code was not. That's definitely spin, and I hope
they address it soon.

> Spin spin sugar... Looking at this current situation I'm wondering
> when did it become a federal offense to break a non disclosure
> agreement.

The FBI is not investigating violation of a non-disclosure agreement.
My understanding is that they are investigating possible trade secret
theft. Also, please note that there is a large upwelling of support
within the federal government for what Lynn did and it would be
improper to characterize them all as demons. The FBI is performing
due diligence investigations based on reports to them of criminal
activity.

The FBI, in this case, is not the person responsible for this ongoing
investigation. Rather, that lies with the assigned prosecutor and
whomever the reporting parties were.

A much better summary of these events can be found at Jennifer
Granick's blog:

http://www.granick.com/blog/


Cisco crapaganda

2005-08-09 Thread J. Oquendo


http://www.networkworld.com/news/2005/080805-cisco-routers.html

/* ARTICLE

Among the developments last week: Cisco continually revised its
security bulletin, adding details as to how versions of unpatched IOS
software could be undermined by a "specifically crafted IPv6 packet."
Sources at Cisco say testing will continue indefinitely and could
include findings related to more than simply IPv6-related exploits.

*/

Ironic the marketing and disinformation coming out of Cisco Systems
in relation to not disclosing what really occurred and labeling the
vulnerability as "IPv6 based but" after they initially stated
it as "IPv6 only!"


/* ARTICLE
The researcher who touched off the uproar, Michael Lynn, says he is
now the subject of inquiries by FBI agents, and he continues to defend
the propriety of his actions.
*/


Since when did the FBI decide to play "Corporation Superherosaviour"
so blatantly. Mr. Lynn's disclosure while a double edged sword can
possibly save the industry from a catastrophe, and while yes it can
also cause one, I believe he did the right thing.


/* ARTICLE
Experts and users say the hole in IOS appears not to be an immediate
concern based on what is public knowledge at the moment, since patches
are available. But what concerns some is that Lynn's exploit
techniques take router hacking to a new level, which eventually could
have security implications for Cisco customers.
*/


This same attitude from vendors is what causes those releasing POC
(proof of concept) code to release information on how things break.
I recall posting here a while back information on how it would be
possible to break neighbors in BGP by causing flaps. I did not post
the information with the intent on anyone using that information to
cause damage nor was it malicious. I did it under the impression
someone in the industry would take a look at it and see what I saw
and come up with a solution. To date however... It's been more or
less the same: "You're an ass for doing that..."


/* ARTICLE
While Lynn has settled one lawsuit with Cisco and ISS, agreeing not to
disclose anything he knows about the exploit, his problems don't seem
to be over. The FBI is investigating him and interviewing friends and
roommates, he says.
*/

Spin spin sugar... Looking at this current situation I'm wondering
when did it become a federal offense to break a non disclosure
agreement. I can look at this two possible ways now... Are the feds
looking at Mr. Lynn because they have something vested in the IOS
of Cisco (Carnivore, Magic Lantern), or are they going after him
under the guise of "National (in)Security". If it's national
(in)security, then why not go after Cisco for allowing this problem
to go unresolved when they knew of it months in advance.

Anyhow, sorry for the rants... The article is pseudo-worth the read
if you can filter out marketing and crapaganda.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"To conquer the enemy without resorting to war is the most
desirable.  The highest form of generalship is to conquer
the enemy by strategy." - Sun Tzu