Re: Cisco crapaganda

2005-09-05 Thread Rich Kulawiec

[late followup]

On Sat, Aug 13, 2005 at 07:32:20PM +0100, Dave Howe wrote:
 Rich Kulawiec wrote:
 More bluntly: the closed-source, faith-based approach to security
 doesn't cut it.  The attacks we're confronting are being launched
 (in many cases) by people who *already have the source code*, and
 who thus enjoy an enormous advantage over the defenders.
 TBH though, usually the open source faith based approach to security
 doesn't cut it either. It's easy to say it's open source, therefore anyone
 can check the code, but much harder to actually find someone who has taken
 the time to do it.

Ah, but I covered that, or at least I thought I did:

D. Any piece of source code which hasn't been subjected to
widespread peer review should be presumed untrustworthy-- because
it not only hasn't been shown to be otherwise, the attempt hasn't
even been made.  (Note that the contrapositive isn't true --
peer review is only a necessary condition, not a sufficient one.)

Which means: just because it's open source and therefore anyone can check
it, doesn't mean that anyone has...or that they're competent...or that
they were thorough...or that they found all the issues.

Like I said, it's a necessary condition, not a sufficient one.

But...even with all the tools that have been developed -- everything
from formal proofs of correctness to array bounds checkers to stack
overflow guards to you-name-it...it seems that in 2005 the very
best available/practical method we have for trying to produce secure
code is lots and lots of independent and clueful eyeballs.  I'm not
saying that's a desirable situation, because it's not: it would be
nice if we had something better.  But we don't, at least not yet.

Another way of putting it: no matter who you are, from one lone
programmer to 10,000, the Internet is more thorough than you are.

Now, one could counter-argue that keeping source code secret provides
some measure of security.  I'm not buying it: I don't think there's
any such thing as secret source code.   And even if there was: if
someone with enough cash to fill a briefcase wants it: they WILL get it.

I suppose what I'm saying is: let's drop the pretense that closed-source
really and truly exists, let's get the critical code out in the open,
and let's get started with the process of beating it into shape.
Because we're already paying (and paying and paying) a huge price
for continuing the charade.

---Rsk


Re: Cisco crapaganda (Modified by Jason Chambers)

2005-08-13 Thread Jason Chambers



On Aug 10, 2005, at 05:53, [EMAIL PROTECTED] wrote:


Also, what about DoD Orange Book certification? Can this kind of
testing methodology be applied to routing systems as well, such as 
IOS?


I don't claim to fully understand Orange Book but it seems to
me that one of the essences of Open Source is the process of
certification.


--snip--


To learn more about the Orange book, look here
http://www.dynamoo.com/orange/



In relation to the Orange Book,

There is an evaluation program available, named TPEP; links are below.
Very interesting and intense.


Yes, routing systems \ IOS applies.  See 1.3 TPEP Process Overview at 
http://www.radium.ncsc.mil/tpep/process/procedures.html


I chatted briefly with a fed @ Defcon about this program, specifically 
about work to make this achievement something [buzzword warning] 
Critical Infrastructure and the well known software manufacturers 
would look to engage in \ use.  Maybe by way of public forums such as 
this is that accomplished.  In labels we trust.


http://www.radium.ncsc.mil/tpep/index.html
http://www.radium.ncsc.mil/tpep/tpep.html
http://www.radium.ncsc.mil/tpep/process/faq-sect6.html#Q8

-Jason



Re: Cisco crapaganda

2005-08-13 Thread Dave Howe


Rich Kulawiec wrote:

More bluntly: the closed-source, faith-based approach to security
doesn't cut it.  The attacks we're confronting are being launched
(in many cases) by people who *already have the source code*, and
who thus enjoy an enormous advantage over the defenders.
TBH though, usually the open source faith based approach to security doesn't
cut it either. It's easy to say it's open source, therefore anyone can check the
code, but much harder to actually find someone who has taken the time to do it.


Re: Cisco crapaganda

2005-08-13 Thread Steven J. Sobol

On Sat, 13 Aug 2005, Dave Howe wrote:

 
 Rich Kulawiec wrote:
  More bluntly: the closed-source, faith-based approach to security
  doesn't cut it.  The attacks we're confronting are being launched
  (in many cases) by people who *already have the source code*, and
  who thus enjoy an enormous advantage over the defenders.

 TBH though, usually the open source faith based approach to security
 doesn't cut it either. It's easy to say it's open source, therefore
 anyone can check the code, but much harder to actually find someone who
 has taken the time to do it.
 
Depends on the project.

Some OSS projects turn around enhancements and bug fixes, and fix
vulnerabilities, quickly. Some don't. Some do some of the time, depending
on the type of change. (For example, Mozilla is good about patching
vulnerabilities quickly, but there's a Thunderbird enhancement almost 200
people voted for on Bugzilla, that people have been complaining about for
months, that they've not done anything about.)

-- 
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307




Re: Cisco crapaganda

2005-08-12 Thread Rich Kulawiec

On Tue, Aug 09, 2005 at 04:11:45PM +0100, [EMAIL PROTECTED] wrote:
 There really is no such thing as closed source. 

I've been saying this for years, and I'm sure you and I aren't the only ones.

Corollaries:

A. If open publication of the full source code of XYZ would render
it insecure, then XYZ is _already_ insecure.

B. In analyzing any attack, it's prudent to presume that the attackers
have the full source code of every piece of software involved. [1]

C. It's not secure until everyone knows exactly how it works and it's
still secure.

D. Any piece of source code which hasn't been subjected to widespread
peer review should be presumed untrustworthy-- because it not only 
hasn't been shown to be otherwise, the attempt hasn't even been made.
(Note that the contrapositive isn't true -- peer review is only a
necessary condition, not a sufficient one.)


More bluntly: the closed-source, faith-based approach to security
doesn't cut it.  The attacks we're confronting are being launched
(in many cases) by people who *already have the source code*, and
who thus enjoy an enormous advantage over the defenders.

It's time to level the playing field.  It's time for all the vendors
to publish ALL the source code so that we at least have the same
information as our adversaries.

Because relying on the supposed secrecy of source code is relying
on a fantasy.

---Rsk

[1] Either because it leaked (discarded computer equipment, backup
tapes, etc.), was stolen from outside (network break-in, physical
break-in), was stolen from inside (payoffs) or other means.  Borrowing
heavily from Bruce Schneier's analysis of what it'd be worth to
buy an election: what's the dollar value on the open market of,
oh, let's say, the full source code to one of Cisco's popular routers?
Maybe $100K?  $250K?  Maybe more, considering what it might facilitate?

Whatever that number is, that's the amount that prospective attackers
may be presumed to be willing to spend to get it.  And whether they
spend it on R&D, or paying someone who's already done the R&D, or
just cutting to the chase and paying off someone with access to it,
doesn't really matter: if they're willing to spend the money,
they _will_ get it.


Re: Cisco crapaganda

2005-08-12 Thread Stephen J. Wilcox

Hi Rich,

 A. If open publication of the full source code of XYZ would render it
 insecure, then XYZ is _already_ insecure.

I like that way of looking at it..
 
 B. In analyzing any attack, it's prudent to presume that the attackers have
 the full source code of every piece of software involved. [1]

sure, or even a snippet would be sufficient to find and exploit a hole

 It's time to level the playing field.  It's time for all the vendors to
 publish ALL the source code so that we at least have the same information as
 our adversaries.

that's going to be a leap too far, it's not an issue of security, it's a question
of property and value

 [1] Either because it leaked (discarded computer equipment, backup tapes,

source code is much more widely distributed than people might think, it's possible to
be a contractor (individual or company) or for example in MS's case a partner
and get source code supplied under NDA

 what's the dollar value on the open market of, oh, let's say, the full source
 code to one of Cisco's popular routers? Maybe $100K?  $250K?  Maybe more,
 considering what it might facilitate?

naww. $0. pre IOS-12 versions are in circulation already, 12.something was 
partially leaked a year or two ago, and i'm sure other bits can be picked up.

who would be willing to pay? not companies, that's illegal. blackhats? maybe, but
they can just grab the circulating bootlegs

 Whatever that number is, that's the amount that prospective attackers may be
 presumed to be willing to spend to get it.  And whether they spend it on R&D,
 or paying someone who's already done the R&D, or just cutting to the chase and
 paying off someone with access to it, doesn't really matter: if they're
 willing to spend the money, they _will_ get it.

wonder why they don't already have it, maybe they do...

Steve



Re: Cisco crapaganda

2005-08-11 Thread Michael . Dillon

 Get a grip, Michael.  Any black hat who reads this list already knows
 this information (if indeed it exists; acting mysterious isn't gaining
 you any credibility with the cynical among us, and of course you
 aren't even providing enough detail for people with clues to discern
 what the bloody heck you're referring to).  All you're doing is
 withholding data from the non-black-hats.

*sigh*

I have no special sources of info. One Monday morning
I saw the traffic on this list about Lynn's presentation.
None of the posted URLs worked. One of them led to a legal
document ordering that the slides not be posted. So what
did I do?

That's right, I turned to Google. I found articles written
by people who attended the presentation. One person had
posted a zip file with photos of all of Lynn's slides as
presented at BlackHat. I even managed to find the PDF file
with the edited version of the slides that was the target
of the lawyers.

But I found more. It seems that a guy using the name FX
has been publishing stuff about Cisco heap exploits for
years now. I found his slides from a presentation made
at BlackHat Las Vegas in 2002. Lots of juicy detail. And I
found a long document translated from Chinese about modern
information/economic warfare.

I really didn't think this stuff was all that hard to find
because it took me all of 30 minutes.

The big question in my mind is why did Cisco freak out when
somebody wanted to present an overview of exploits that have
been worked on by hackers for the past 3 years? Especially
when Lynn is giving them some valuable free advice, i.e.
don't make it easier for hackers to use heap exploits.

Thanks to Drew's posting I now know that FX presented
again at BHLV a year later pointing out a UDP exploit that
can be used to facilitate building the correct heap exploit
for a specific IOS release and architecture.

It seems to me that Cisco has a fundamental communications
problem in regards to security. Their actions against Lynn
did not stop people from reading his slides and his slides
were not nearly as informative as the older slides from FX.
Also, Cisco seems stuck in the traditional vendor-customer
communications cycle that causes them to ignore or deprioritize
security related communications unless it comes to them
through a major customer. In fact, the people who REALLY
know this stuff may not work for a major Cisco customer
or if they do, they may not have access to the privileged
communications channels within their company.

--Michael Dillon

Give a man a fish and you feed him for a day, teach him
how to fish and you feed him for a lifetime.



RE: Cisco crapaganda

2005-08-11 Thread Hannigan, Martin


[ SNIP ]

 But I found more. It seems that a guy using the name FX
 has been publishing stuff about Cisco heap exploits for
 years now. I found his slides from a presentation made
 at BlackHat Las Vegas in 2002. Lots of juicy detail. And I
 found a long document translated from Chinese about modern
 information/economic warfare.

If people want to be up to date, imagine the unimaginable.


-M




Re: Fwd: Cisco crapaganda

2005-08-10 Thread Michael . Dillon

  What techniques are you referencing? The technique Lynn demonstrated 
  has not been seen anywhere in the wild, as far as I know. He, nor 
  ISS, ever made the source code available to anyone outside of Cisco, 
  or ISS. What publication are you referring to?
 
 Didn't Lynn come out and say flat out that he'd found a lot of information
 on a Chinese website (with the implication that the website had even more
 information than what he presented)?

A black hat who is not Chinese has published some slides with
far more explicit step-by-step details of how to crack IOS using
the techniques that Lynn glossed over in his presentation. This
person also claims to have source code available on his website
for download but I didn't look to know for sure.

As for the Chinese connection, there is a fairly long document
circulating on the net from a couple of years back. It is translated
from Chinese and it is about modern techniques of information warfare.
I think a lot of people interested in network security are aware
that lots of Chinese hackers are at work out there and that
they are good at what they do. Since all blackhats tend to 
communicate with each other to share ideas and to brag about
their exploits, it is entirely possible that this Cisco
exploit began in China.

It is a nice myth to believe that a company like ISS does all
their own work in-house and that their employees are all super
gurus. But I would hope that most of you realize this is not
true. Companies like ISS leverage the work of blackhats just
like any hacker does. That's why I don't think gagging Lynn or
ISS or the Blackhat conference will have any positive effect
whatsoever. In fact, I would argue that this legal maneuvering
has had a net negative effect because it has now been widely
published that Cisco exploits are possible. This means that
many more hackers are now trying to craft their own exploits
and own Cisco routers.

Of course, in the end, Juniper is also vulnerable. Nortel is
vulnerable. Every manufacturer of routing/switching equipment
is vulnerable. Modern electronic devices are all built around 
embedded computers with complex software running on them. The
root of all these vulnerabilities is our inability to write
complex software that is free of bugs.

Now I believe that Open Source software techniques can solve
this root problem because many eyes can find more bugs.
This doesn't just mean *BSD and Linux. There are also
systems like OSKit http://www.cs.utah.edu/flux/oskit/
and RTAI http://www.rtai.org/ that are more appropriate
for building things like routers.

--Michael Dillon




Re: Cisco crapaganda

2005-08-10 Thread Chris Gilbert

Given the term Crapaganda I couldn't help but share this when I ran
across it today:

http://www.cisco.com/edu/peterpacket

Enjoy :)

Also,

 Of course, in the end, Juniper is also vulnerable. ... Now I
 believe that Open Source software techniques can solve this root
 problem because many eyes can find more bugs. This doesn't just
 mean *BSD and Linux. There are also systems like OSKit
 http://www.cs.utah.edu/flux/oskit/ and RTAI http://www.rtai.org/
 that are more appropriate for building things like routers.

But in some ways, aren't those Open Source software techniques also
assisting Juniper, as JunOS is based in no small part on FreeBSD?

Perhaps their hybrid of Open-Source adoption and proprietary
development will take the benefits from both worlds and prove an
effective method for maintaining a high level of software security.

Also, what about DoD Orange Book certification? Can this kind of
testing methodology be applied to routing systems as well, such as IOS?

In recent years Microsoft has been releasing code for internal
security audits to special customers such as large corporate partners
and government.

I wonder if infrastructure customers should, or could be getting
similar treatment from Cisco in regards to IOS, for them to better
protect their customers. (Government would apply here too.)

--
Regards,
Chris Gilbert
IO Interactive A/S


Re: Cisco crapaganda

2005-08-10 Thread James Baldwin


On Aug 10, 2005, at 6:13 AM, [EMAIL PROTECTED] wrote:


What techniques are you referencing? The technique Lynn demonstrated
has not been seen anywhere in the wild, as far as I know. He, nor
ISS, ever made the source code available to anyone outside of Cisco,
or ISS. What publication are you referring to?



Didn't Lynn come out and say flat out that he'd found a lot of information
on a Chinese website (with the implication that the website had even more
information than what he presented)?



A black hat who is not Chinese has published some slides with
far more explicit step-by-step details of how to crack IOS using
the techniques that Lynn glossed over in his presentation. This
person also claims to have source code available on his website
for download but I didn't look to know for sure.


I, desperately, hope you are not referring to Raven Adler's  
presentation at Defcon following Black Hat. If so, I think far more  
explicit step-by-step is quite an over characterization of what she  
presented. If not, once again, I'd ask you to cite sources rather  
than make broad sweeping statements about what is already available.  
Appealing to some anonymous authority in order to claim the sky is  
falling is hardly endearing.



Since all blackhats tend to
communicate with each other to share ideas and to brag about
their exploits, it is entirely possible that this Cisco
exploit began in China.


That's a fairly bold statement. I'd also hesitate to label Lynn as a  
black hat as his actions, notification of vendor, confirmation of a  
patch, and release, are not characteristic of a black hat. I'd  
suggest that generalization is incorrect in any case, researchers of  
any hat, in my experience, keep their secrets amongst a small group.



It is a nice myth to believe that a company like ISS does all
their own work in-house and that their employees are all super
gurus. But I would hope that most of you realize this is not
true. Companies like ISS leverage the work of blackhats just
like any hacker does. That's why I don't think gagging Lynn or
ISS or the Blackhat conference will have any positive effect
whatsoever. In fact, I would argue that this legal maneuvering
has had a net negative effect because it has now been widely
published that Cisco exploits are possible. This means that
many more hackers are now trying to craft their own exploits
and own Cisco routers.


I agree that this was a very large public relations blunder on the  
part of ISS and Cisco. Their actions caused undue attention to be  
placed on this issue and put both groups on the wrong side of a very  
public argument. On the other hand, Lynn is exactly the sort of guru
you describe. Riley Eller said it best: "If you put him and a (Cisco)
box in a room, the box breaks."


Having spoken with him throughout development of this technique, I  
can assure you that it was not developed, and further, not propagated  
to anyone outside of ISS with Lynn's knowledge. He has taken every  
care possible to ensure that this did not leak. That's not to say it
will not; certain members within ISS were keen on originally
releasing this to the public before informing Cisco, which prompted
Lynn to resign on the spot before he was talked into returning after
they dropped the subject of uninformed public release.



Now I believe that Open Source software techniques can solve
this root problem because many eyes can find more bugs.
This doesn't just mean *BSD and Linux. There are also
systems like OSKit http://www.cs.utah.edu/flux/oskit/
and RTAI http://www.rtai.org/ that are more appropriate
for building things like routers.


"Many eyes can find more bugs" implies several things. It implies
that a large group of people are investigating bugs, and that they are
qualified to find bugs of this nature. I would argue that the number
that meet both criteria is small in the open source world. That is  
not to imply that there are untalented people in the FOSS community,  
only that they are not interested in locating bugs or ensuring  
security of a specialized routing operating system as their primary  
function.


It boils down to the following question: Do you think the benefit of
releasing the source code for IOS, allowing independent researchers
access to the source code in order to locate flaws, outweighs the  
costs of that release, allowing criminals access to the source code  
in order to locate flaws and forfeiting trade secrets? In the case of  
Cisco, I'm sure the latter weighs more heavily in their mind.


Re: Cisco crapaganda

2005-08-10 Thread Michael . Dillon

 I, desperately, hope you are not referring to Raven Adler's 
 presentation at Defcon following Black Hat.

No, I am referring to something that was published
3 years ago and describes substantially the same
exploits and techniques as Lynn described except the
3 year old document has much more technical detail and
offers a URL where source code for the exploits can
be acquired.

Maybe Lynn rediscovered this independently. Maybe he
heard rumours of an exploit in blackhat communications
and this guided him where to look. But if my memory
serves me correctly, Lynn himself claimed that his work
was based on the work of a blackhat.

--Michael Dillon



Re: Cisco crapaganda

2005-08-10 Thread Robert E . Seastrom


[EMAIL PROTECTED] writes:

 If not, once again, I'd ask you to cite sources rather 
 than make broad sweeping statements about what is already available. 
 Appealing to some anonymous authority in order to claim the sky is 
 falling is hardly endearing.

 I think that people who specialise in security know what
 I am referring to. I won't say any more publicly since
 there are black hats reading this list. If they don't already
 know about this stuff, I'm not going to help them.

Get a grip, Michael.  Any black hat who reads this list already knows
this information (if indeed it exists; acting mysterious isn't gaining
you any credibility with the cynical among us, and of course you
aren't even providing enough detail for people with clues to discern
what the bloody heck you're referring to).  All you're doing is
withholding data from the non-black-hats.

---rob



RE: Cisco crapaganda

2005-08-10 Thread Maness, Drew

Lynn referred to FX from phenoelit's presentation at blackhat 3 years ago. http://www.phenoelit.de


-Original Message-
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 8/10/2005 6:14 AM
To: nanog@merit.edu
Cc:
Subject: Re: Cisco crapaganda

 I, desperately, hope you are not referring to Raven Adler's
 presentation at Defcon following Black Hat.

No, I am referring to something that was published
3 years ago and describes substantially the same
exploits and techniques as Lynn described except the
3 year old document has much more technical detail and
offers a URL where source code for the exploits can
be acquired.

Maybe Lynn rediscovered this independently. Maybe he
heard rumours of an exploit in blackhat communications
and this guided him where to look. But if my memory
serves me correctly, Lynn himself claimed that his work
was based on the work of a blackhat.

--Michael Dillon


RE: Cisco crapaganda

2005-08-10 Thread Maness, Drew

Sorry, 2 years ago (2003).

http://www.blackhat.com/html/bh-multi-media-archives.html#USA-2003

FX - More (Vulnerable) Embedded Systems

Lynn also referred to a Chinese hacker group that was reviewing pieces of stolen IOS code for the sole purpose of shoveling shell code into IOS.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Maness, Drew
Sent: Wed 8/10/2005 10:11 AM
To: [EMAIL PROTECTED]; nanog@merit.edu
Cc:
Subject: RE: Cisco crapaganda
Lynn referred to FX from phenoelit's presentation at blackhat 3 years ago. http://www.phenoelit.de


-Original Message-
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 8/10/2005 6:14 AM
To: nanog@merit.edu
Cc:
Subject: Re: Cisco crapaganda

 I, desperately, hope you are not referring to Raven Adler's
 presentation at Defcon following Black Hat.

No, I am referring to something that was published
3 years ago and describes substantially the same
exploits and techniques as Lynn described except the
3 year old document has much more technical detail and
offers a URL where source code for the exploits can
be acquired.

Maybe Lynn rediscovered this independently. Maybe he
heard rumours of an exploit in blackhat communications
and this guided him where to look. But if my memory
serves me correctly, Lynn himself claimed that his work
was based on the work of a blackhat.

--Michael Dillon


Re: Fwd: Cisco crapaganda

2005-08-10 Thread Daniel Roesen

On Wed, Aug 10, 2005 at 11:13:42AM +0100, [EMAIL PROTECTED] wrote:
 The root of all these vulnerabilities is our inability to write
 complex software that is free of bugs.

Inability? I'd rather say it's an economic question. Would you want to
pay for proven bug-free software? Think twice (and look at some expense
figures for such software first). :-)


Regards,
Daniel

-- 
CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0


Re: Cisco crapaganda

2005-08-10 Thread JORDI PALET MARTINEZ

I will say it is also about development time. We are continuously asking for
new features (sometimes somehow artificially generated by the market or the
vendors ?), so they need to work faster, test faster ...

Regards,
Jordi


 From: Daniel Roesen [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date: Thu, 11 Aug 2005 00:31:04 +0200
 To: nanog@merit.edu nanog@merit.edu
 Subject: Re: Fwd: Cisco crapaganda
 
 
 On Wed, Aug 10, 2005 at 11:13:42AM +0100, [EMAIL PROTECTED] wrote:
 The root of all these vulnerabilities is our inability to write
 complex software that is free of bugs.
 
 Inability? I'd rather say it's an economic question. Would you want to
 pay for proven bug-free software? Think twice (and look at some expense
 figures for such software first). :-)
 
 
 Regards,
 Daniel
 
 -- 
 CLUE-RIPE -- Jabber: [EMAIL PROTECTED] -- [EMAIL PROTECTED] -- PGP: 0xA85C8AA0




Re: Cisco crapaganda

2005-08-10 Thread Aaron Glenn

On 8/10/05, Chris Gilbert [EMAIL PROTECTED] wrote:
 
 But in some ways, aren't those Open Source software techniques also
 assisting Juniper, as JunOS is based in no small part on FreeBSD?
 

For clarification:

"We took the networking part in the FreeBSD software, threw it away,
and replaced it with our own specialized software. That way, we don't
have to worry about file systems and process management and all the
operating features that the OS community is better at doing. We focus
on adding our value to the networking part." -
http://www.hyperchip.com/Coverage/ICD/router_makers_speak_out.htm

aaron.glenn


Cisco crapaganda

2005-08-09 Thread J. Oquendo


http://www.networkworld.com/news/2005/080805-cisco-routers.html

/* ARTICLE

Among the developments last week: Cisco continually revised its
security bulletin, adding details as to how versions of unpatched IOS
software could be undermined by a specifically crafted IPv6 packet.
Sources at Cisco say testing will continue indefinitely and could
include findings related to more than simply IPv6-related exploits.

*/

Ironic the marketing and disinformation coming out of Cisco Systems
in relation to not disclosing what really occurred and labeling the
vulnerability as IPv6 based but after they initially stated
it as IPv6 only!


/* ARTICLE
The researcher who touched off the uproar, Michael Lynn, says he is
now the subject of inquiries by FBI agents, and he continues to defend
the propriety of his actions.
*/


Since when did the FBI decide to play Corporation Superherosaviour
so blatantly. Mr. Lynn's disclosure while a double edged sword can
possibly save the industry from a catastrophe, and while yes it can
also cause one, I believe he did the right thing.


/* ARTICLE
Experts and users say the hole in IOS appears not to be an immediate
concern based on what is public knowledge at the moment, since patches
are available. But what concerns some is that Lynn's exploit
techniques take router hacking to a new level, which eventually could
have security implications for Cisco customers.
*/


This same attitude from vendors is what causes those releasing POC
(proof of concept) code to release information on how things break.
I recall posting here a while back information on how it would be
possible to break neighbors in BGP by causing flaps. I did not post
the information with the intent on anyone using that information to
cause damage nor was it malicious. I did it under the impression
someone in the industry would take a look at it and see what I saw
and come up with a solution. To date however... It's been more or
less the same: You're an ass for doing that...


/* ARTICLE
While Lynn has settled one lawsuit with Cisco and ISS, agreeing not to
disclose anything he knows about the exploit, his problems don't seem
to be over. The FBI is investigating him and interviewing friends and
roommates, he says.
*/

Spin spin sugar... Looking at this current situation I'm wondering
when did it become a federal offense to break a non disclosure
agreement. I can look at this two possible ways now... Are the feds
looking at Mr. Lynn because they have something vested in the IOS
of Cisco (Carnivore, Magic Lantern), or are they going after him
under the guise of National (in)Security. If it's national
(in)security, then why not go after Cisco for allowing this problem
to go unresolved when they knew of it months in advance.

Anyhow, sorry for the rants... The article is pseudo-worth the read
if you can filter out marketing and crapaganda.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

To conquer the enemy without resorting to war is the most
desirable.  The highest form of generalship is to conquer
the enemy by strategy. - Sun Tzu


Re: Cisco crapaganda

2005-08-09 Thread James Baldwin


On Aug 9, 2005, at 9:57 AM, J. Oquendo wrote:


Ironic the marketing and disinformation coming out of Cisco Systems
in relation to not disclosing what really occurred and labeling the
vulnerability as IPv6 based but after they initially stated
it as IPv6 only!


It's a half truth. The vulnerability was IPv6 only, the method for
executing arbitrary code was not. That's definitely spin, and I hope
they address it soon.



Spin spin sugar... Looking at this current situation I'm wondering
when it became a federal offense to break a non-disclosure
agreement.


The FBI is not investigating violation of a non-disclosure agreement.
My understanding is that they are investigating possible trade secret
theft. Also, please note that there is a large upwelling of support
within the federal government for what Lynn did, and it would be
improper to characterize them all as demons. The FBI is performing
due diligence investigations based on reports to them of criminal
activity.


The FBI, in this case, is not the person responsible for this ongoing  
investigation. Rather, that lies with the assigned prosecutor and  
whomever the reporting parties were.


A much better summary of these events can be found at Jennifer  
Granick's blog:

http://www.granick.com/blog/


Re: Cisco crapaganda

2005-08-09 Thread Michael . Dillon

 /* ARTICLE
 Experts and users say the hole in IOS appears not to be an immediate
 concern based on what is public knowledge at the moment, since patches
 are available. But what concerns some is that Lynn's exploit
 techniques take router hacking to a new level, which eventually could
 have security implications for Cisco customers.
 */

They are not Lynn's exploit techniques. The techniques were
published by someone else in considerably more detail than
Lynn, along with source code. And this other person has also
described techniques for attacking other brands of network
equipment, not just Cisco.

There is a sea change in hacker activity under way as
they realize that most embedded systems (including routers
and switches) are now based on general purpose computer
technology and that such systems are full of opportunities
for software exploits. Hackers no longer just attack OSes
like Windows and Linux, they now are beginning to go after
any kind of smart device, especially when the exploits can
be leveraged for blackmail or to earn cash from espionage.

You aren't safe just because your network runs on brand X
boxes. The only way to be safe is for your brand X vendors
to take software security and systemic security much more
seriously. I also believe that there are lessons to be
learned from the open source community's approach to security.
This doesn't mean that Cisco or any other Brand X vendor
should just run out and replace their box's OS with 
OpenBSD or NetBSD or Linux. But they need to seriously
ask themselves what advantage they gain from inventing 
their own wheel and rejecting the work of thousands of
highly skilled and dedicated people.

There really is no such thing as closed source. The people
building these exploits are fully capable of taking 
code from ROM or flash memory and reading what it does.
It's all fine and well to have layers of security but
hiding your source code really shouldn't be counted
as a security layer.

Even if someone managed to eliminate Lynn and all past 
and current employees of ISS by exiling them to Cuba,
this would not stop the hackers who are exploiting
network device flaws.

--Michael Dillon



Fwd: Cisco crapaganda

2005-08-09 Thread James Baldwin


On Aug 9, 2005, at 11:11 AM, [EMAIL PROTECTED] wrote:


They are not Lynn's exploit techniques. The techniques were
published by someone else in considerably more detail than
Lynn, along with source code.



What techniques are you referencing? The technique Lynn demonstrated
has not been seen anywhere in the wild, as far as I know. Neither he
nor ISS ever made the source code available to anyone outside of Cisco
or ISS. What publication are you referring to?




You aren't safe just because your network runs on brand X
boxes. The only way to be safe is for your brand X vendors
to take software security and systemic security much more
seriously. I also believe that there are lessons to be
learned from the open source community's approach to security.
This doesn't mean that Cisco or any other Brand X vendor
should just run out and replace their box's OS with
OpenBSD or NetBSD or Linux. But they need to seriously
ask themselves what advantage they gain from inventing
their own wheel and rejecting the work of thousands of
highly skilled and dedicated people.



Quality control.

The general operating systems are not designed with a specific goal
of high availability routing in mind, and while they display and can
compete on some levels with specialized operating systems, they will
lose out in the end. In this regard it is not open source
environments that present the benefit, but, as you say, thousands of
highly skilled and dedicated people. There are very few of those
people who are experienced in the realm of high end routing systems.


The general operating system can garner a large support base due to
its broad market appeal and its use in servers, low end routing
hardware, and desktops. However, to develop strong support for a
reduced feature set and circumscribed is difficult. The number
of dedicated developers will be reduced, and the amount of time highly
specialized developers will focus on that code base will be diminished.


You can see examples of similar behavior in the subsets of Linux  
developed for embedded systems, like the WAP Linksys routers.


That being said, who would continue to buy Cisco equipment if IOS was  
available elsewhere? The Chinese market is already flooded with Cisco  
knock-offs, the rest would most certainly follow if it was legal.


Out of curiosity, what, in your opinion, is the open source  
community's approach to security? I have seen differing approaches  
from different groups, some which are downright despicable (methods,  
not people).




There really is no such thing as closed source. The people
building these exploits are fully capable of taking
code from ROM or flash memory and reading what it does.



I've had some experience with reverse engineering and disassembly,
and while it is true that you can analyze an image of a running
program and find what it does, that is a long, long step from having the
kind of understanding of a program you can gain through the actual
source code.




It's all fine and well to have layers of security but
hiding your source code really shouldn't be counted
as a security layer.



Obscurity should never be counted on as a sole security layer, but it  
does add a level of difficulty. One of the major themes in the  
security industry is mitigation. Obscurity does not add a level of  
security, but it does reduce the number of people who can easily  
accomplish a task. It raises the bar and reduces the pool of attackers.




Even if someone managed to eliminate Lynn and all past
and current employees of ISS by exiling them to Cuba,
this would not stop the hackers who are exploiting
network device flaws.



Did anyone ever think that?




Re: Cisco crapaganda

2005-08-09 Thread Dan Hollis

On Tue, 9 Aug 2005, J. Oquendo wrote:
 Anyhow, sorry for the rants... The article is pseudo-worth the read
 if you can filter out marketing and crapaganda.

Someone made a video of cisco hard at work fixing router security holes:
http://www.makezine.com/blog/archive/2005/08/video_of_ciscoi.html

Cisco is also fixing web security holes:
http://www.dslreports.com/shownews/66078

With all this and the FBI investigation of Lynn, I feel so much safer now. 

Thanks cisco.

-Dan



Re: Fwd: Cisco crapaganda

2005-08-09 Thread Valdis . Kletnieks
On Tue, 09 Aug 2005 14:31:08 EDT, James Baldwin said:

 What techniques are you referencing? The technique Lynn demonstrated
 has not been seen anywhere in the wild, as far as I know. Neither he
 nor ISS ever made the source code available to anyone outside of Cisco
 or ISS. What publication are you referring to?

Didn't Lynn come out and say flat out that he'd found a lot of information
on a Chinese website (with the implication that the website had even more
information than what he presented)?




Re: Cisco crapaganda

2005-08-09 Thread James Baldwin


On Aug 9, 2005, at 3:20 PM, [EMAIL PROTECTED] wrote:


On Tue, 09 Aug 2005 14:31:08 EDT, James Baldwin said:



What techniques are you referencing? The technique Lynn demonstrated
has not been seen anywhere in the wild, as far as I know. Neither he
nor ISS ever made the source code available to anyone outside of Cisco
or ISS. What publication are you referring to?



Didn't Lynn come out and say flat out that he'd found a lot of information
on a Chinese website (with the implication that the website had even more
information than what he presented)?



No. Not at all. Lynn found information on Chinese websites indicating  
people were actively working to exploit IOS, not that anyone had  
actually done so.