"Cisco gate" and "Meet the Fed" at Defcon....
No one ever said the Internet wasn't chock full of contradictions. On one hand, we have what some are now calling "Cisco gate": http://news.com.com/Hackers+rally+behind+Cisco+flaw+finder/2100-1002_3-58120... ...and on the other hand, we have the DOD Cyber Crime Center folks at Defcon looking to hire people: http://news.com.com/2061-10789_3-5812102.html Wow, what a world, huh? ;-)

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
On Sun, 31 Jul 2005, Fergie (Paul Ferguson) wrote:
> No one ever said the Internet wasn't chock full of contradictions. On one hand, we have what some are now calling "Cisco gate": http://news.com.com/Hackers+rally+behind+Cisco+flaw+finder/2100-1002_3-58120...
<quote>Alder then blasted Cisco for going after Lynn. "Cisco, you are really screwing up," she said, followed by a round of applause. "Suing researchers is not going to make you secure. Alienating the security community is not going to encourage people to come to you and report problems and work with you."</quote> Agreed 100%. Cisco, are you listening? By this misbehavior you are seriously discouraging researchers from releasing info to you. They will suspect you'll sit on the exploit for months and not tell anyone (as you did with this one). They'll be afraid you'll try to kill the messenger (as you did with this one). Instead, they're just going to release exploits into the wild anonymously. Is this what you want? Then keep it up. -Dan
> Cisco, are you listening?
Cisco is in fact listening. Cisco, like other companies, generally does not release security notices until enough information exists to allow customers to make a reasonable determination as to whether or not they are at risk and how to mitigate possible risk. The issue underlying the suit wasn't the disclosure of the security issue, although we would have rather worked that according to the usual processes. From what the corporate legal folks tell me, their issue was the disclosure of Cisco intellectual property. Note that it wasn't just Cisco that felt the presentation was out of order; Lynn's employer became "former" because it also felt that way. I'll refer you to the legal brief for anything further on that, but I would really like to see this discussion begin to resemble an informed one.
> By this misbehavior you are seriously discouraging researchers from releasing info to you. They will suspect you'll sit on the exploit for months and not tell anyone (as you did with this one). They'll be afraid you'll try to kill the messenger (as you did with this one).
For the record, the vulnerability was first detected by Cisco in internal testing, not by outside researchers, and Cisco's approach to this has been in accordance with the RDF. Part of that process, at Cisco, is developing work-arounds or updated code that corrects the exploit, testing it, and getting it into the field. Releasing the information on the exploit before that point exposes the ISPs to a vulnerability that they can't fix, or puts them into a scramble to download code that they haven't been able to gain confidence in. I should imagine that the various operators on this list would prefer to get the fix in place before the vulnerability is exposed rather than playing catch-up while their pants are around their ankles. We very much try to work with people that are willing to work with us. We aren't very impressed by people that expose the industry to danger.
At 11:47 AM +0200 2005-08-01, Fred Baker wrote:
> We very much try to work with people that are willing to work with us. We aren't very impressed by people that expose the industry to danger.
Here's the fundamental problem. You guys say that you're willing to work with people. But on the other hand, this weakness has been known for many months, and in fact was supposedly fixed back in April. Michael's paper at Black Hat was known in advance by you and ISS, for months. Yet, at the very last possible moment, you guys go all "scorched earth" on him, leaving him no honorable option but to go ahead and do the presentation anyway and suffer the professional consequences that you have caused him. That shows how very hypocritical you are, and just how badly you're willing to screw anyone who has tried to work with you, and has successfully done so for years. It's going to be a very long time before you are capable of repairing your reputation in this industry. Maybe you need a few hacking attempts that are successful in cracking into virtually every router on the planet, before you will recognize the folly in your action. IMO, John Chambers (CEO), Larry Carter (Sr. VP), Dennis Powell (CFO), Randy Pond (Sr. VP), and everyone else working for them that have been involved in this process, have been in direct violation of their fiduciary responsibilities to the shareholders and to the industry as a whole, and you should all be summarily fired. You guys seriously need an SEC investigation into this matter. And a hundred billion or so knocked off your market cap. Maybe once all your options are permanently under water you'll get a grasp of the severity of the situation. -- Brad Knowles, <brad@stop.mail-abuse.org> "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755 SAGE member since 1995. See <http://www.sage.org/> for more info.
Excuse me, I'm not really fluent in English, so this sentence is not clear to me:

On 1 Aug 2005 at 11:47, Fred Baker wrote:
> We aren't very impressed by people that expose the industry to danger.
Are you being sarcastic, talking about the roots of the wonder; people who write poor software? Or about thoughtless people acting like kids in a provocative manner, launching a challenge to all the hacker tribes of the world?

From here the case is not obvious. What's the matter? To launch the internet paralysis contest, or to offer our students a historical case study of the worst crisis management strategy?
See also: Basic documentation and mainly the item 'Designated spokesperson' http://www3.niu.edu/newsplace/crisis.html -- Guy Coslado.
Guy Coslado (GC0111) wrote:
> Excuse me, I'm not really fluent in English, so this sentence is not clear to me:
> On 1 Aug 2005 at 11:47, Fred Baker wrote:
> > We aren't very impressed by people that expose the industry to danger.
It means they give a s**t for us, their customers.
> Are you being sarcastic, talking about the roots of the wonder; people who write poor software? Or about thoughtless people acting like kids in a provocative manner, launching a challenge to all the hacker tribes of the world?

It is about money: People who make it a sport to find security holes and celebrate parties in the streets if they find one are bad. There is no money, only noise. Garbage to clean, ... People who make profit, selling their bad knowledge secretly to people making more profit exploring those security holes, are favoured by them.

> From here the case is not obvious. What's the matter? To launch the internet paralysis contest, or to offer our students a historical case study of the worst crisis management strategy?

Tabarnak! Your homepage says they must be camels because they just started spitting. I don't know who annoyed them but I don't want to be their customer when they start biting.
> See also: Basic documentation and mainly the item 'Designated spokesperson' http://www3.niu.edu/newsplace/crisis.html

Having seen some interesting threads here - or is it threats? Sorry, my English. What is more dangerous, a soho router in the NIC or some of them big iron? You know that soho router will come down when you really use it. You don't know when that big iron will come down, but you know for sure, when it comes down it will bring a lot more damage. About that spokesperson: I feel quite comfortable in front of a tv set, as long as it is switched off. A tv camera behaves somewhat like a tv set that is switched off. At least as long as that monkey behind it keeps his mouth shut. I am not afraid of a camera, should that disaster really strike. They will not find a network to plug their laptop into :)

> -- Guy Coslado.

Regards,
Peter and Karin Dambier

--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason
fred, seeing as there is not now, and likely never will be fixed versions for many of our routers (25xx, 17xx, ..., and i can't find a path up from my 7200 k4p-mz.120-25.4.S on the web site), your logic tells us that cisco will never announce. i am sure this is not what you intend. randy
Randy Bush <randy@psg.com> writes:
> fred, seeing as there is not now, and likely never will be fixed
> versions for many of our routers (25xx, 17xx, ..., and i can't

No?

Logged in to ftp.cisco.com.
Current remote directory is /cisco.
ncftp /cisco > dir ios/12.3/12.3.15a/2500/
-rw-rw-r--   1 518      1     11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
-rw-rw-r--   1 518      1     12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
-rw-rw-r--   1 518      1     16191744   Jul 25 14:34   c2500-is-l.123-15a.bin
ncftp /cisco > dir ios/12.3/12.3.15a/1700/
-rw-rw-r--   1 518      1      9779944   Jul 25 15:03   c1700-bnr2sy7-mz.123-15a.bin
-rw-rw-r--   1 518      1      9186836   Jul 25 14:56   c1700-entbase-mz.123-15a.bin
-rw-rw-r--   1 518      1      7758064   Jul 25 14:46   c1700-ipbase-mz.123-15a.bin
-rw-rw-r--   1 518      1     12504136   Jul 25 14:32   c1700-ipvoice-mz.123-15a.bin
-rw-rw-r--   1 518      1     10068088   Jul 25 15:05   c1700-sv3y-mz.123-15a.bin
-rw-rw-r--   1 518      1     12826128   Jul 25 15:05   c1700-sv8y7-mz.123-15a.bin
-rw-rw-r--   1 518      1      8568756   Jul 25 15:06   c1700-sy7-mz.123-15a.bin
-rw-rw-r--   1 518      1      6992208   Jul 25 15:13   c1700-y7-mz.123-15a.bin
-rw-rw-r--   1 518      1      5911432   Jul 25 14:49   c1700-y-mz.123-15a.bin

Bjørn
On Tue, 2 Aug 2005, [iso-8859-1] Bjørn Mork wrote:
> Randy Bush <randy@psg.com> writes:
> > fred, seeing as there is not now, and likely never will be fixed
> > versions for many of our routers (25xx, 17xx, ..., and i can't
>
> No?
>
> Logged in to ftp.cisco.com.
> Current remote directory is /cisco.
> ncftp /cisco > dir ios/12.3/12.3.15a/2500/
> -rw-rw-r--   1 518      1     11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
> -rw-rw-r--   1 518      1     12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
> -rw-rw-r--   1 518      1     16191744   Jul 25 14:34   c2500-is-l.123-15a.bin
note image size of 11/12/16 mb... note that many (most?) 2500's don't have 16M flash :( many, many referenced before (term servers for instance) are 2mb flash boxes. It's possible that Randy's referring to this sort of 2500. Kindly using himself for a whipping boy instead of the rest of us with 2500 term servers with 2mb flash :) I suspect the same thing goes for the 1700's as well in many cases.
> note image size of 11/12/16 mb... note that many (most?) 2500's don't have 16M flash :( many, many referenced before (term servers for instance) are 2mb flash boxes. It's possible that Randy's referring to this sort of 2500. Kindly using himself for a whipping boy instead of the rest of us with 2500 term servers with 2mb flash :) I suspect the same thing goes for the 1700's as well in many cases.
IIRC the 2500 has an end of support date of 2009 so I expect images to be available. Regards, Neil.
On Tue, 2 Aug 2005, Neil J. McRae wrote:
> > note image size of 11/12/16 mb... note that many (most?) 2500's don't have 16M flash :( many, many referenced before (term servers for instance) are 2mb flash boxes. It's possible that Randy's referring to this sort of 2500. Kindly using himself for a whipping boy instead of the rest of us with 2500 term servers with 2mb flash :) I suspect the same thing goes for the 1700's as well in many cases.
> IIRC the 2500 has an end of support date of 2009 so I expect images to be available.

cons uptime is 1 week, 10 hours, 42 minutes
System restarted by power-on
System image file is "flash:igs-i-l.111-9", booted via flash

cisco 2511 (68030) processor (revision D) with 2048K/2048K bytes of memory.

lather/rinse/repeat... where are the images that fit in my 2501's 2mb ram/2mb flash? (current, non-vulnerable, ipv6 capable even)

> cons uptime is 1 week, 10 hours, 42 minutes
> System restarted by power-on
> System image file is "flash:igs-i-l.111-9", booted via flash
>
> cisco 2511 (68030) processor (revision D) with 2048K/2048K bytes of memory.
>
> lather/rinse/repeat... where are the images that fit in my 2501's 2mb ram/2mb flash? (current, non-vulnerable, ipv6 capable even)
So are you running IPV6 code on this box now?
On Tue, 2 Aug 2005, Neil J. McRae wrote:
> > cons uptime is 1 week, 10 hours, 42 minutes
> > System restarted by power-on
> > System image file is "flash:igs-i-l.111-9", booted via flash
> >
> > cisco 2511 (68030) processor (revision D) with 2048K/2048K bytes of memory.
> >
> > lather/rinse/repeat... where are the images that fit in my 2501's 2mb ram/2mb flash? (current, non-vulnerable, ipv6 capable even)
> So are you running IPV6 code on this box now?
no, but I'd like to... since I'm upgrading and all (for security reasons and ipv6 is so much better for security, right? :) )
On Tue, 2 Aug 2005, Neil J. McRae wrote:
> no, but I'd like to... since I'm upgrading and all (for security reasons and ipv6 is so much better for security, right? :) )

ok so your issue is totally irrelevant to the recent "ciscogate" paranoia?

no... not really, not originally, it got morphed into something different :( So, the ciscogate paranoia, as near as I saw, got down to: "cisco won't tell people about vulns as soon as they know about them" (or some version of I don't get to know fast enough about vulns from a vendor, while we currently bash on cisco) With that in mind, the example 2500 above is a cisco box, running old code because it can't be upgraded to current code. Cisco is reluctant to tell folks in public about vulnerabilities without there being fixes for the problem in as much running code as possible. -Chris
So yes then.
> no... not really, not originally, it got morphed into something different :( So, the ciscogate paranoia, as near as I saw, got down to: "cisco won't tell people about vulns as soon as they know about them" (or some version of I don't get to know fast enough about vulns from a vendor, while we currently bash on cisco)
>
> With that in mind, the example 2500 above is a cisco box, running old code because it can't be upgraded to current code. Cisco is reluctant to tell folks in public about vulnerabilities without there being fixes for the problem in as much running code as possible.
>
> -Chris
>
> ok so your issue is totally irrelevant to the recent "ciscogate" paranoia?
That would depend on what other exploits cisco has slipstream patched wouldn't it? (honest question as I don't know but it would be nice if cisco would clarify the situation) Geo. George Roettger Netlink Services
> no, but I'd like to... since I'm upgrading and all (for security reasons and ipv6 is so much better for security, right? :) )
It has quality of service, too! Let's not forget that!
I'd be happy with ssh.
"Christopher L. Morrow" <christopher.morrow@mci.com> writes:
> On Tue, 2 Aug 2005, [iso-8859-1] Bjørn Mork wrote:
> > Randy Bush <randy@psg.com> writes:
> > > fred, seeing as there is not now, and likely never will be fixed
> > > versions for many of our routers (25xx, 17xx, ..., and i can't
> >
> > No?
> >
> > Logged in to ftp.cisco.com.
> > Current remote directory is /cisco.
> > ncftp /cisco > dir ios/12.3/12.3.15a/2500/
> > -rw-rw-r--   1 518      1     11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
> > -rw-rw-r--   1 518      1     12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
> > -rw-rw-r--   1 518      1     16191744   Jul 25 14:34   c2500-is-l.123-15a.bin
>
> note image size of 11/12/16 mb... note that many (most?) 2500's don't have 16M flash :( many, many referenced before (term servers for instance) are 2mb flash boxes. It's possible that Randy's referring to this sort of 2500.
I might be wrong, but I thought an image with IPv6 support required 16 MB flash on the 2500? Anyway, the upgrade path is there although it may include a flash (and possibly boot prom) upgrade. Bjørn
On Tue, 2 Aug 2005, [iso-8859-1] Bjørn Mork wrote:
> "Christopher L. Morrow" <christopher.morrow@mci.com> writes:
> > On Tue, 2 Aug 2005, [iso-8859-1] Bjørn Mork wrote:
> > > Randy Bush <randy@psg.com> writes:
> > > > fred, seeing as there is not now, and likely never will be fixed
> > > > versions for many of our routers (25xx, 17xx, ..., and i can't
> > >
> > > No?
> > >
> > > Logged in to ftp.cisco.com.
> > > Current remote directory is /cisco.
> > > ncftp /cisco > dir ios/12.3/12.3.15a/2500/
> > > -rw-rw-r--   1 518      1     11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
> > > -rw-rw-r--   1 518      1     12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
> > > -rw-rw-r--   1 518      1     16191744   Jul 25 14:34   c2500-is-l.123-15a.bin
> >
> > note image size of 11/12/16 mb... note that many (most?) 2500's don't have 16M flash :( many, many referenced before (term servers for instance) are 2mb flash boxes. It's possible that Randy's referring to this sort of 2500.
>
> I might be wrong, but I thought an image with IPv6 support required 16 MB flash on the 2500? Anyway, the upgrade path is there although
and in order to get 30k devices (more actually) upgraded I'll have to spend 30k+X dollars? I'm fairly certain that's not going to happen. This gets back to 2 things: 1) no (practical) upgrade path under security vulnerabilities (hence reluctance of vendors to release info without fix) 2) possibly unhappy customers and vulnerabilities silently fixed in other code trains. Oh well...
> note image size of 11/12/16 mb... note that many (most?) 2500's don't have 16M flash :( many, many referenced before (term servers for instance) are 2mb flash boxes. It's possible that Randy's referring to this sort of 2500. Kindly using himself for a whipping boy instead of the rest of us with 2500 term servers with 2mb flash :) I suspect the same thing goes for the 1700's as well in many cases.
bingo! though i have 8mb in the term server. randy
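As an added illustration of the flash-size problem Chris and Randy are describing (example code written for this archive page, not anything posted in the thread), here is a small Python check that parses the ncftp listing Bjørn posted and the two "show version" lines, and reports which 12.3(15a) 2500 images fit a given flash size. The 2048K flash line is constructed in the format "show version" prints on a 2500 and uses the 2 MB figure Chris gave for his box; the 8 MB and 16 MB cases are taken from Randy's term server and Bjørn's remark about 16 MB. With the thread's own byte counts, none of the three images fits in 8 MB of flash, and all three fit in 16 MB.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the ncftp "dir" output for the 2500 images quoted
# in the thread, re-flowed one entry per line (the size column is in bytes).
LISTING = """\
-rw-rw-r-- 1 518 1 11013444 Jul 25 14:50 c2500-c-l.123-15a.bin
-rw-rw-r-- 1 518 1 12303148 Jul 25 15:17 c2500-i-l.123-15a.bin
-rw-rw-r-- 1 518 1 16191744 Jul 25 14:34 c2500-is-l.123-15a.bin
"""

# The "show version" processor line quoted in the thread.  The two figures are
# main/shared DRAM, not flash, so they must not be used for the fit check.
SHOW_VERSION_MEMORY = (
    "cisco 2511 (68030) processor (revision D) with 2048K/2048K bytes of memory."
)

# Constructed flash line in the format "show version" prints on a 2500; the
# 2048K figure is the "2mb flash" the thread states for this box (assumption).
SHOW_VERSION_FLASH = "2048K bytes of processor board System flash (Read ONLY)"

LISTING_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"   # perms, links, owner, group, size
    r"[A-Za-z]{3}\s+\d+\s+[\d:]+\s+(?P<name>\S+)$"  # month, day, time-or-year, name
)
MEMORY_RE = re.compile(r"with (?P<main>\d+)K/(?P<io>\d+)K bytes of memory")
FLASH_RE = re.compile(r"(?P<flash>\d+)K bytes of processor board System flash")


@dataclass(frozen=True)
class Image:
    name: str
    size_bytes: int


def parse_listing(text: str) -> list[Image]:
    """Pull (name, size) pairs out of an ls-style directory listing."""
    images = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:  # skip blank lines and anything that is not a file entry
            images.append(Image(m.group("name"), int(m.group("size"))))
    return images


def parse_memory_kb(line: str) -> tuple[int, int]:
    """Return (main DRAM KB, shared/IO memory KB) from the processor line."""
    m = MEMORY_RE.search(line)
    if m is None:
        raise ValueError("no main/IO memory figures in: %r" % line)
    return int(m.group("main")), int(m.group("io"))


def parse_flash_kb(line: str) -> int:
    """Return the system flash size in KB from the flash line."""
    m = FLASH_RE.search(line)
    if m is None:
        raise ValueError("no system flash figure in: %r" % line)
    return int(m.group("flash"))


def shortfall_bytes(images, flash_kb: int) -> dict[str, int]:
    """Bytes by which each image exceeds the flash (0 means it fits).

    2500-series images run from flash rather than being decompressed into
    DRAM, so the whole image must fit there.  DRAM needs are not checked.
    """
    flash_bytes = flash_kb * 1024
    return {img.name: max(0, img.size_bytes - flash_bytes) for img in images}


def fitting_images(images, flash_kb: int) -> list[str]:
    """Names of the images that fit in a flash of the given size, in listing order."""
    return [name for name, short in shortfall_bytes(images, flash_kb).items() if short == 0]


if __name__ == "__main__":
    images = parse_listing(LISTING)
    main_kb, io_kb = parse_memory_kb(SHOW_VERSION_MEMORY)
    flash_kb = parse_flash_kb(SHOW_VERSION_FLASH)
    print(f"box: {main_kb}K/{io_kb}K DRAM, {flash_kb}K flash")
    # The box's own flash, Randy's 8 MB term server, and the 16 MB Bjørn mentions.
    for size_kb in (flash_kb, 8192, 16384):
        fits = fitting_images(images, size_kb)
        print(f"{size_kb:>6}K flash: {len(fits)} of {len(images)} images fit {fits}")
```

Run over a saved listing and a saved "show version" per device, this is the inventory question the thread keeps circling: not "is a fixed image published" but "is there a fixed image this box can hold". Boxes that fail the check are the ones that need the ACL/firewall placement discussed later rather than an upgrade.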
> note image size of 11/12/16 mb... note that many (most?) 2500's don't have
> 16M flash.

If you feel like keeping 2500s in service, rather than replacing them with something that holds NM-32As, the flash problem is easily resolved for less than US$50:

http://www.memorydealers.com/8mbcisthirpa.html

-Bill
On Wed, 3 Aug 2005, Bill Woodcock wrote:
> > note image size of 11/12/16 mb... note that many (most?) 2500's don't have
> > 16M flash.
> If you feel like keeping 2500s in service, rather than replacing them with something that holds NM-32As, the flash problem is easily resolved for less than US$50:

to be fair... 2500s are quite useful for things other than what their original purpose intended, but that usefulness diminishes with memory upgrades that are comparable in price to the value of the router. Having said that, as they are often not used as public routers, a suitably placed acl/fw can keep them out of harm's way and still run the old code.

Steve
On Wed, Aug 03, 2005 at 10:49:38AM +0100, Stephen J. Wilcox wrote:
> On Wed, 3 Aug 2005, Bill Woodcock wrote: ...
> > If you feel like keeping 2500s in service, rather than replacing them with something that holds NM-32As, the flash problem is easily resolved for less than US$50:
> to be fair... 2500s are quite useful for things other than what their original purpose intended, but that usefulness diminishes with memory upgrades that are comparable in price to the value of the router
$US 24??? Where can you get a router for that? [I'm surprised you can get 8 Mb Cisco RAM for that! ;-)] -- Joe Yao ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies.
On Wed, 3 Aug 2005, Joseph S D Yao wrote:
> > > If you feel like keeping 2500s in service, rather than replacing them with
> > > something that holds NM-32As, the flash problem is easily resolved for less
> > > than US$50:
> > > http://www.memorydealers.com/8mbcisthirpa.html
> > to be fair... 2500s are quite useful for things other than what their original
> > purpose intended, but that usefulness diminishes with memory upgrades that are
> > comparable in price to the value of the router
> $US 24??? Where can you get a router for that? [I'm surprised you can
> get 8 Mb Cisco RAM for that! ;-)]

http://search.ebay.com/cisco-2501

2501s seem to mostly cost between $10-$30.

-Bill
and you can get an MPLS image for it too :)

On 8/4/05, Bill Woodcock <woody@pch.net> wrote:
> On Wed, 3 Aug 2005, Joseph S D Yao wrote:
> > > > If you feel like keeping 2500s in service, rather than replacing them with
> > > > something that holds NM-32As, the flash problem is easily resolved for less
> > > > than US$50:
> > > > http://www.memorydealers.com/8mbcisthirpa.html
> > > to be fair... 2500s are quite useful for things other than what their original
> > > purpose intended, but that usefulness diminishes with memory upgrades that are
> > > comparable in price to the value of the router
> > $US 24??? Where can you get a router for that? [I'm surprised you can
> > get 8 Mb Cisco RAM for that! ;-)]
>
> http://search.ebay.com/cisco-2501
>
> 2501s seem to mostly cost between $10-$30.
>
> -Bill
> Current remote directory is /cisco.
> ncftp /cisco > dir ios/12.3/12.3.15a/2500/
> -rw-rw-r--   1 518      1     11013444   Jul 25 14:50   c2500-c-l.123-15a.bin
> -rw-rw-r--   1 518      1     12303148   Jul 25 15:17   c2500-i-l.123-15a.bin
> -rw-rw-r--   1 518      1     16191744   Jul 25 14:34   c2500-is-l.123-15a.bin
> ncftp /cisco > dir ios/12.3/12.3.15a/1700/
> -rw-rw-r--   1 518      1      9779944   Jul 25 15:03   c1700-bnr2sy7-mz.123-15a.bin
> -rw-rw-r--   1 518      1      9186836   Jul 25 14:56   c1700-entbase-mz.123-15a.bin
> -rw-rw-r--   1 518      1      7758064   Jul 25 14:46   c1700-ipbase-mz.123-15a.bin
> -rw-rw-r--   1 518      1     12504136   Jul 25 14:32   c1700-ipvoice-mz.123-15a.bin
> -rw-rw-r--   1 518      1     10068088   Jul 25 15:05   c1700-sv3y-mz.123-15a.bin
> -rw-rw-r--   1 518      1     12826128   Jul 25 15:05   c1700-sv8y7-mz.123-15a.bin
> -rw-rw-r--   1 518      1      8568756   Jul 25 15:06   c1700-sy7-mz.123-15a.bin
> -rw-rw-r--   1 518      1      6992208   Jul 25 15:13   c1700-y7-mz.123-15a.bin
> -rw-rw-r--   1 518      1      5911432   Jul 25 14:49   c1700-y-mz.123-15a.bin
those of us who are not suicidal need crypto/ssh, e.g. upgrades to c2500-k4p-l.120-21.S1 c1700-k9sv8y7-mz.122-15.T5.bin and they have to fit in 8mb flash for 2511s etc. but perhaps this part of the discussion should move to cisco-nsp? randy
participants (18): Bill Woodcock, Bjørn Mork, Brad Knowles, Christopher L. Morrow, Dan Hollis, Fergie (Paul Ferguson), Fred Baker, Geo., Guy Coslado (GC0111), Jeff Rosowski, Joe Abley, Joseph S D Yao, Kim Onnel, Neil J. McRae, Peter Dambier, Randy Bush, Stephen J. Wilcox, Susan Harris