Cisco and the tobacco industry
Subject: RE: Cisco IOS Exploit Cover Up

On Thu, 28 Jul 2005, Geo. wrote:
> I think there is also a LOT of concern about all the unpatched routers that remain unpatched simply because the admins don't feel like spending a week running the Cisco gauntlet to get patches when you don't have a support contract with Cisco. It's like Cisco doesn't want you to patch or they would make it easy.
>
> Geo.
This is oh so true - contracts in order to patch your equipment. Normally I would never mention the need for an authority to intervene on things related to the Internet, but how long will it be before the term "Digital Pearl Harbor" is a reality? Maybe it is time an authority figure steps in and makes some form of rules for vendors to distribute fixes under some form of law. If this flaw of Cisco's could lead to the kind of severe damage Mr. Lynn claims, shouldn't it fall on the shoulders of Cisco to get their act together and provide a fix as opposed to sending in the hounds (legal shmoes via lawsuit) to quash their problems? I'm sort of taking a look at it from the tobacco company lawsuit stance, where the tobacco bigwigs would bury the truth in legal trash as opposed to making things right. It's rather irresponsible behaviour on the part of Cisco to avoid coming clean on this issue.

On matters of a public exploit and/or the skill level necessary to create an attack via whatever flaw Mr. Lynn spoke of: it is only a matter of time before something is out there, so for some to criticize Mr. Lynn for being a whistleblower, shame on you. I think he did a courageous thing.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
sil @ infiltrated . net | http://www.infiltrated.net
GPG Key ID 0x97B43D89 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"To conquer the enemy without resorting to war is the most desirable. The highest form of generalship is to conquer the enemy by strategy." - Sun Tzu
* J. Oquendo:
> Maybe it is time an authority figure steps in and makes some form of rules for vendors to distribute fixes under some form of law. If this flaw of Cisco's could lead to the kind of severe damage Mr. Lynn claims, shouldn't it fall on the shoulders of Cisco to get their act together and provide a fix as opposed to sending in the hounds (legal shmoes via lawsuit) to quash their problems?
But it looks as if Cisco actually did this, and you (and Geo) just weren't part of the elite circle of operators whose networks are considered U.S. national critical infrastructure.
On Thu, Jul 28, 2005 at 02:17:46PM -0400, J. Oquendo wrote:
> Subject: RE: Cisco IOS Exploit Cover Up
>
> On Thu, 28 Jul 2005, Geo. wrote:
>
>> I think there is also a LOT of concern about all the unpatched routers that remain unpatched simply because the admins don't feel like spending a week running the Cisco gauntlet to get patches when you don't have a support contract with Cisco. It's like Cisco doesn't want you to patch or they would make it easy.
>>
>> Geo.
>
> This is oh so true - contracts in order to patch your equipment. Normally I would never mention the need for an authority to intervene on things related to the Internet, but how long will it be before the term "Digital Pearl Harbor" is a reality?
>
> Maybe it is time an authority figure steps in and makes some form of rules for vendors to distribute fixes under some form of law. If this flaw of Cisco's could lead to the kind of severe damage Mr. Lynn claims, shouldn't it fall on the shoulders of Cisco to get their act together and provide a fix as opposed to sending in the hounds (legal shmoes via lawsuit) to quash their problems? I'm sort of taking a look at it from the tobacco company lawsuit stance, where the tobacco bigwigs would bury the truth in legal trash as opposed to making things right. It's rather irresponsible behaviour on the part of Cisco to avoid coming clean on this issue.
Cisco always has provided free upgrades to non-contract holders for security bugs. eg:

http://www.cisco.com/en/US/products/products_security_advisory09186a008042d5...

-- snip --
Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
-- snip --

Now the fact that there has been no advisory (yet) means no free upgrade (yet?). This is much kinder than other companies have done, where you can't get squat.

Now, for the doomsdayers: yes, it's likely we'll have something nasty happen to the internet at some point. Yes, it'll disrupt 911 and other critical services (finance, health care, etc.), but without people taking active responsibility for the equipment they own and operate, the question is who will get hurt and how bad.

We do security testing on our IOS images and have found bugs that have been reported to PSIRT and fixed "quietly". They've been fairly good at solving the issues. I think any time I deal with a vendor, promptness is always an issue; I'd always like a fix in a few days, and they never seem to move as fast as one would want.

If you don't do testing of your images, I suggest you create a plan and add it to your qualification procedures. Even if you don't have a current contract, you can get free upgrades if you find a PSIRT bug; perhaps that should make everyone *want* to help Cisco.

Then again, there have been issues for years where this happens. I encourage everyone to beat on their routers (in the lab) and work with your vendors to solve the problems, and not run around creating massive amounts of chaos; we've all seen what that does.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Jared,

Have you ever actually tried to get the updates using this method? It really does take the better part of a week and no less than half a dozen emails or phone calls, and then there is the begging...

Geo.
George Roettger
Netlink Services
> Cisco always has provided free upgrades to non-contract holders for security bugs.
>
> eg:
>
> http://www.cisco.com/en/US/products/products_security_advisory09186a008042d51b.shtml
>
> -- snip --
> Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
> -- snip --
On Thu, Jul 28, 2005 at 03:46:41PM -0400, Geo. wrote:
> Jared,
>
> Have you ever actually tried to get the updates using this method? It really does take the better part of a week and no less than half a dozen emails or phone calls, and then there is the begging...
The point is you did get the update, right? It's better than no update. As far as what happens, I've found the TAC underperform my expectations in every possible situation; what you say above doesn't shock me.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
No, the point is if you want the internet to be patched then you can't torture people when they come to you for the patches.

Cisco routers are being sold to every company who connects to the internet; it's one step up from consumer products. You can't expect every company who owns a Cisco router to buy an expensive contract or be willing to go thru the gauntlet to get the patches. Cisco needs to come up with a better way.

If your point is simply that it's possible to get the patches, well, it's possible to code them yourself too if you know assembler.

Geo.
George Roettger
Netlink Services

-----Original Message-----

>> Have you ever actually tried to get the updates using this method? It really does take the better part of a week and no less than half a dozen emails or phone calls, and then there is the begging...
>
> The point is you did get the update, right? It's better than no update. As far as what happens, I've found the TAC underperform my expectations in every possible situation; what you say above doesn't shock me.
>
> - jared
On 7/28/05 4:51 PM, "Geo." <geoincidents@nls.net> wrote:
> No, the point is if you want the internet to be patched then you can't torture people when they come to you for the patches.
>
> Cisco routers are being sold to every company who connects to the internet; it's one step up from consumer products. You can't expect every company who owns a Cisco router to buy an expensive contract or be willing to go thru the gauntlet to get the patches.
Sorry, but it's a traditional part of the product model for telecommunications equipment. PBXs, routers, pretty much everything - support contract required. Sure, you could have it a different way, but you would have to be willing to pay significantly more up front to pay for that ongoing support. It's not like the vendors are deceiving anyone here - a support contract is listed on the quote for pretty much every new piece of gear you buy from a vendor.

Take it from Ice-T - "don't hate the player, hate the game". Words to live by.

[snip]

> Geo.
> George Roettger
> Netlink Services
Daniel Golding
> Sorry, but it's a traditional part of the product model for telecommunications equipment. PBXs, routers, pretty much everything - support contract required. Sure, you could have it a different way, but you would have to be willing to pay significantly more up front to pay for that ongoing support.
What ongoing support? Just put the fixes on an FTP site. Cisco's problem is they aren't patches, they are full versions. If they created an exe file that attached via TCP/IP to the router and just changed the bits that needed changing, instead of requiring a whole new build be loaded, it wouldn't be such an issue to just leave the patches out there on cisco.com so anyone with a router could get them without costing Cisco anything but a bit of bandwidth.

Look, it's up to Cisco how they do this, but if DHS wants this country's infrastructure to be secure then Cisco is going to need to realize that a whole lot of people are not going to be willing to pay to fix product defects, and they're not going to be willing to spend days trying to get those fixes for free. Perhaps after a few router worms it will make more sense.

Oh, and I don't know about you, but if I buy a PBX and a flaw in it allows any remote caller to make outbound calls at my expense, you can bet money that I'm going to expect a flaw like that to be fixed free of charge, contract or not.

Geo.
On Sat, 30 Jul 2005 00:48:13 EDT, "Geo." said:
> What ongoing support? Just put the fixes on an FTP site. Cisco's problem is they aren't patches, they are full versions. If they created an exe file that attached via TCP/IP to the router and just changed the bits that needed
The ability to connect to the router and push a software change? Let's think this through a bit, shall we? ;)
> Perhaps after a few router worms it will make more sense.

Your mail header says:

X-mailer: Microsoft Outlook Express 6.00.2800.1506

Now, what were you saying about a few worms causing *ANY* change in behavior? ;)
----- Original Message -----
From: <Valdis.Kletnieks@vt.edu>

> The ability to connect to the router and push a software change? Let's think this through a bit, shall we? ;)<<

Who said push? I said Cisco's whole patch method is to move people to a new version of IOS instead of patching the old version. Cisco charges for new versions, so it's not in their financial interest to make new versions available for free like the patches need to be. So I suggest they employ a different patch method: you download an exe from their ftp site, it takes your current build which is stored on your computer, patches it, and uploads it to your router, or you then upload it to your router. Since this would require you already have the image, they could continue to manage their image distributions as they do now. I mean, your issue is not impossible to work around.

> X-mailer: Microsoft Outlook Express 6.00.2800.1506
>
> Now, what were you saying about a few worms causing *ANY* change in behavior? ;)

It's amazing how safe software can be when used by a professional, isn't it? Everyone here knows you have a woodie for OE by the format of your posts, which appear as attachments instead of normal text in OE. I notice that behavior hasn't changed either <g>. Nuff said?

Geo.
George Roettger
Netlink Services
On Sat, 30 Jul 2005 10:28:38 EDT, "Geo." said:
> available for free like the patches need to be. So I suggest they employ a different patch method: you download an exe from their ftp site, it takes your current build which is stored on your computer, patches it, and uploads it to your router, or you then upload it to your router.
Your original suggestion was that it push it to the router. Security-wise, this is very different from the router pulling it. (Hint - consider the authentication issues, not only for a correctly set up machine, but for likely misconfigurations actually seen out in the field).
> Everyone here knows you have a woodie for OE by the format of your posts, which appear as attachments instead of normal text in OE. I notice that behavior hasn't changed either <g>. Nuff said?

My behavior hasn't changed because my MUA has been able to understand the formats originally defined in RFC1847 and RFC2015, as updated by RFC3156, for over a decade now. If you don't like it, complain to your vendor, or find a vendor who can follow the RFCs. Or you can fix it yourself by visiting http://www.openpgp.org/resources/downloads.shtml and finding a plugin for your MUA. A number of them are listed at http://www.gnupg.org/(en)/related_software/frontends.html#win

Curse the dark, or light a match. You decide, it's your dark.
--On Saturday, July 30, 2005 14:43 -0400 Valdis.Kletnieks@vt.edu wrote:
> On Sat, 30 Jul 2005 10:28:38 EDT, "Geo." said:
>
>> available for free like the patches need to be. So I suggest they employ a different patch method: you download an exe from their ftp site, it takes your current build which is stored on your computer, patches it, and uploads it to your router, or you then upload it to your router.
>
> Your original suggestion was that it push it to the router. Security-wise, this is very different from the router pulling it. (Hint - consider the authentication issues, not only for a correctly set up machine, but for likely misconfigurations actually seen out in the field).
In any case, making router software updates dependent on Windows is a _REALLY_ bad idea. Why should I be locked into Micr0$0ft just because I bought a piece of backbone hardware from Cisco (or any other vendor)? In general, I try to avoid any vendor that requires me to have stuff from any specific other vendor. If you can't comply with open standards for interoperability, your hardware doesn't belong in my network.

> My behavior hasn't changed because my MUA has been able to understand the formats originally defined in RFC1847 and RFC2015, as updated by RFC3156, for over a decade now. If you don't like it, complain to your vendor, or find a vendor who can follow the RFCs. Or you can fix it yourself by visiting http://www.openpgp.org/resources/downloads.shtml and finding a plugin for your MUA. A number of them are listed at http://www.gnupg.org/(en)/related_software/frontends.html#win
Well said... It's really tiresome that so many users think the world should comply with and accommodate their errors.
> Curse the dark, or light a match. You decide, it's your dark.

I like that... I will probably plagiarize it. :-)

Owen

--
If this message was not signed with gpg key 0FE2AA3D, it's probably a forgery.
----- Original Message -----
From: "Owen DeLong" <owen@delong.com>

> Whether 90% of the world uses it or not, the point is that the problem is your software doesn't comply with the established standards. Why should everyone who has software that complies be encumbered with the limitations of the bugs in software that doesn't? The reason we have an IETF and RFCs is to allow interoperability and the ability to depend on capabilities implemented according to standards.<<

Right, does your mail server do strict enforcement of RFC 821 standards, or do you accept mail from Microsoft Outlook users since it doesn't adhere to 821? So what does that say about your attitude towards what 90% of the people use?

Geo.
----- Original Message -----
From: <Valdis.Kletnieks@vt.edu>

> Your original suggestion was that it push it to the router.<<

Ok, I guess it could be read that way, but I was more suggesting they look for a way to patch, not upgrade to a new version. I've been around the industry long enough to have seen Autodesk use the exe patch routine to patch existing files right on disk, so I know this is nothing new. My original suggestion was to take that one step further and patch right in memory on the router, but if that's a security issue then fine, patch the image on disk and upload it like normal; makes no difference to my point.

> My behavior hasn't changed because my MUA has been able to understand the formats originally defined in RFC1847 and RFC2015, as updated by RFC3156, for over a decade now.<<

Yeah yeah, I've had this discussion several times: it's a bug in my software and you couldn't give a darn if you are doing something that is incompatible with what 90% of the world uses for email, because you are right and everyone else is wrong. Such is the spirit of the internet, huh? (You picked on my use of OE first; I was just responding.)

Geo.
George Roettger
Netlink Services
At 3:58 PM -0400 2005-07-30, Geo. wrote:
> Yeah yeah, I've had this discussion several times: it's a bug in my software and you couldn't give a darn if you are doing something that is incompatible with what 90% of the world uses for email, because you are right and everyone else is wrong.

Just because 90% of the people in the world are stupid, does that mean that we all have to be stupid as well? If nine out of ten people jumped off a bridge, should the other guy be forced to do the same?

--
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.
> Just because 90% of the people in the world are stupid, does that mean that we all have to be stupid as well? If nine out of ten people jumped off a bridge, should the other guy be forced to do the same?

Gee, it must be nice to be in the top 10% of the smart people. Why don't you suggest Valdis aim for the top 5% and figure out how Mr. Jeffrey I. Schiller manages to post using Debian PGP signed messages that don't appear as attachments?

I'm not forcing you to do anything; simple netizen that I am, I try to be as compatible with others as I can (notice how I post in text, not HTML?). However, Valdis chose to read something into my choice of email software, so I read something into his choice, and oh surprise, it seems to have struck a nerve <g>. How about we don't waste any more bandwidth on this stupid sideline?

Side note to Valdis: I don't mind, I was just pushing your buttons after the OE comment.

Geo.
George Roettger
Netlink Services
Geo> Gee, it must be nice to be in the top 10% of the smart
Geo> people. Why don't you suggest Valdis aim for the top 5% and
Geo> figure out how Mr. Jeffrey I. Schiller manages to post using
Geo> debian PGP signed messages that don't appear as attachments?

Having just taken a quick look, it appears the messages you like are just plain text with PGP markup, and the ones you don't are multipart/signed.

IIRC any unrecognized multipart subtype is supposed to be rendered as multipart/mixed, so you should see the message fine, though the signature will probably appear as an attachment.

If you're seriously suggesting that all signing of messages should be done entirely in-band within a plain-text message then, well, I disagree... And so do Microsoft (IIRC they support S/MIME).

-roy
Roy Badami wrote:
> Geo> Gee, it must be nice to be in the top 10% of the smart
> Geo> people. Why don't you suggest Valdis aim for the top 5% and
> Geo> figure out how Mr. Jeffrey I. Schiller manages to post using
> Geo> debian PGP signed messages that don't appear as attachments?
>
> Having just taken a quick look, it appears the messages you like are just plain text with PGP markup, and the ones you don't are multipart/signed.
>
> IIRC any unrecognized multipart subtype is supposed to be rendered as multipart/mixed, so you should see the message fine, though the signature will probably appear as an attachment.
In an "open discussion forum" where unknown (lurker) participants may be using any type of mail client, the only appropriate message format is plain text and that includes messages that are PGP signed. If you feel the need to PGP sign your post, the PGP .sig should be in plain text in the message body, not attached. PGP .sig multipart/mixed attachments should be restricted to use in private email (or private lists) where you know the other parties are using a mailer capable of handling the attachment type. (R. Thayer (see RFC 2240) agrees with this position, BTW.) Don't bother quoting other RFCs, just because a standard exists for attaching "something" to email doesn't mean that DOING that in email to a discussion list is appropriate - for instance on this list it has been agreed that HTML attachments are not appropriate - and PGP attachments aren't appropriate either. Plain text works. Use it.
> If you're seriously suggesting that all signing of messages should be done entirely in-band within a plain-text message then, well, I disagree... And so do Microsoft (IIRC they support S/MIME).

You think that because Microsoft does it this way, it's supposed to BE that way? What's the point of having standards if we are going to let a monopoly company force their capricious software design choices on the rest of us? Heck, we might as well all start sending HTML email then, since AOL decided that should be the default, what, 5 years ago? <sigh>

jc
At 5:33 PM -0400 2005-07-30, Geo. wrote:
> Gee, it must be nice to be in the top 10% of the smart people. Why don't you suggest Valdis aim for the top 5% and figure out how Mr. Jeffrey I. Schiller manages to post using Debian PGP signed messages that don't appear as attachments?
The fact that you receive PGP-signed messages as attachments says more about your choice in MUA than anything. The fact that you want to dumb everyone down to this level says more about you than anything.
> How about we don't waste any more bandwidth on this stupid sideline?

You're right. You're leading us off-topic, and this thread should have ended three or four exchanges ago.

--
Brad Knowles, <brad@stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania Assembly to the Governor, November 11, 1755

SAGE member since 1995. See <http://www.sage.org/> for more info.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks.

All that is needed is for Cisco to put an "upgrade" command into their router. The "upgrade" command determines the router's version (and current patch level) and requests the download of a version-specific patch file.

The command takes as arguments the on-disk (flash) version of the core image and the beginning of a URL where to find the file. The filename itself can be constructed based on the current version. The upgrade file itself contains the checksum of the image it should be applied against as well as the checksum of the final image. Of course it is digitally signed by Cisco (so Cisco will need a public key installed in its images).

The upgrade command then determines if sufficient flash exists to perform the change and performs the upgrade. It might even be able to patch the in-core image (presumably this can be done via code that is included in the patch itself; I leave this as an exercise for Cisco).

The actual patch file can be located on a server at the customer's site and Cisco can distribute them via BitTorrent :-)

Important points:

* Upgrade is initiated by the user. If the necessary arguments are stored in the system configuration, perhaps the upgrade can be triggered by SNMP even (yeah right).
* All patches are signed.
* Patches know what version they apply to and are careful to ensure they are being applied to the right version (even if the customer improperly names the files on their server).

This isn't trivial to do, but it isn't rocket science either!

-Jeff

- --
=============================================================================
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis@mit.edu
============================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC6+RK8CBzV/QUlSsRAmdAAKDCpvTl0sBIk5v0hX1Wbta1mRHe4ACg5/Or
ONwi+567ZEAdtW7B1J/yDhk=
=GJ2e
-----END PGP SIGNATURE-----
> This isn't trivial to do, but it isn't rocket science either!

True, but you ARE suggesting that Cisco produce a binary patch, to a possibly compressed image. I think you should really think long and hard before you conclude that you really want that. IMHO, the risk/reward ratio as compared to just downloading a full image is all wrong.

Tony
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tony Li wrote:

> True, but you ARE suggesting that Cisco produce a binary patch, to a possibly compressed image.

Like I said, it isn't trivial. For example, the patching software (this would require memory) could uncompress the image, patch it and recompress the result. As a double check it can verify that the newly patched compressed image has the correct checksum (because the compression is completely deterministic, you can do this). But this is getting into details that I, having no access to source nor the way the binary is put together, am not competent to go into in any authoritative way. However, I do believe this problem can be solved.

It may indeed be technically easier to distribute a whole new image. However, I suspect this is harder from a management, legal point of view. A patch tool, when made publicly available, doesn't give away as much information as does a whole image. And you should make security fixes readily available, to the point that anyone on the planet might download and examine them.

However, my main point is that upgrading, at least for the provision of security patches, needs to be much easier than it is today. Both for the professionally managed networks as well as the SOHO and residential market.

-Jeff

P.S. I am going out of my way to "plain text" sign these messages rather than sending PGP/MIME. PGP/MIME is the more modern technology.

- --
=============================================================================
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis@mit.edu
============================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC7C6x8CBzV/QUlSsRAhQdAKCsIXA6OWSM5HXU50Bbq2DkiyWIwwCeLdhF
BcCk2LBE6fzCgfT4qndUik8=
=wK9y
-----END PGP SIGNATURE-----
Applying patches to binaries, hmmmmm. Sounds a bit difficult. IMHO IOS should be completely modular, i.e. SNMP/QoS/BGP etc. should be loadable modules. In the event of you patching a service-specific bug, you'd only upload the new modules and insmod them. I'd be very happy if the Cisco router fairy would write and backport such an IOS. That should end this idiotic router rebooting nonsense that the internet is plagued with, for the most part. But there is some progress in this direction; AFAIK IOS XR is modular IOS but only runs on really-really-really big equipment like the Cisco CRS-1 ("Helo Dave" red light module optional).

> The actual patch file can be located on a server at the customer's site and Cisco can distribute them via BitTorrent :-)

That's equivalent to saying the internet is safe enough to do your corporate banking via plain text email.

my 2 pence,
ivan

Jeffrey I. Schiller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Folks.
>
> All that is needed is for Cisco to put an "upgrade" command into their router. The "upgrade" command determines the router's version (and current patch level) and requests the download of a version-specific patch file.
>
> The command takes as arguments the on-disk (flash) version of the core image and the beginning of a URL where to find the file. The filename itself can be constructed based on the current version. The upgrade file itself contains the checksum of the image it should be applied against as well as the checksum of the final image. Of course it is digitally signed by Cisco (so Cisco will need a public key installed in its images).
>
> The upgrade command then determines if sufficient flash exists to perform the change and performs the upgrade. It might even be able to patch the in-core image (presumably this can be done via code that is included in the patch itself; I leave this as an exercise for Cisco).
>
> The actual patch file can be located on a server at the customer's site and Cisco can distribute them via BitTorrent :-)
>
> Important points:
>
> * Upgrade is initiated by the user. If the necessary arguments are stored in the system configuration, perhaps the upgrade can be triggered by SNMP even (yeah right).
> * All patches are signed.
> * Patches know what version they apply to and are careful to ensure they are being applied to the right version (even if the customer improperly names the files on their server).
>
> This isn't trivial to do, but it isn't rocket science either!
>
> -Jeff
>
> - --
> =============================================================================
> Jeffrey I. Schiller
> MIT Network Manager
> Information Services and Technology
> Massachusetts Institute of Technology
> 77 Massachusetts Avenue Room W92-190
> Cambridge, MA 02139-4307
> 617.253.0161 - Voice
> jis@mit.edu
> ============================================================================
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFC6+RK8CBzV/QUlSsRAmdAAKDCpvTl0sBIk5v0hX1Wbta1mRHe4ACg5/Or
> ONwi+567ZEAdtW7B1J/yDhk=
> =GJ2e
> -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ivan Groenewald wrote:

>> .. and Cisco can distribute them via BitTorrent :-)
>
> That's equivalent to saying the internet is safe enough to do your corporate banking via plain text email.
>
> my 2 pence,

Actually, BitTorrent is a very good technology for this sort of thing. It scales well for a large file to be downloaded by a large number of people. Another important feature is that the .torrent file contains a cryptographic hash of the file to be obtained (as well as the individual pieces of the file). So as long as you can securely obtain the .torrent file (say from an SSL protected Cisco operated website) you can rely on the final delivered file to also be correct.

-Jeff

- --
=============================================================================
Jeffrey I. Schiller
MIT Network Manager
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis@mit.edu
============================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC7DOd8CBzV/QUlSsRAuApAJ9VPJAtUFx0zKWlOUgbcvWW/z1wJwCfT37x
E7skOVQeFrqjLB+N/xjYva0=
=/4vN
-----END PGP SIGNATURE-----
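As an added illustration of the piece-hash point Jeff makes above (example code written for this page, not anything from the thread, from Cisco or from the BitTorrent project), the Go program below models both halves of that check: the publisher computes one SHA-1 digest per piece plus a digest of the whole file, and the downloader verifies a file assembled from untrusted peers against those digests, learning exactly which pieces to re-fetch instead of discarding the whole download. The Metainfo type, the Describe and Verify functions and the 10,000-byte sample file are this example's own constructions; a real .torrent is bencoded and hashes pieces with SHA-1, which is why SHA-1 appears here. Two caveats a practitioner would add: the scheme only protects you if the metainfo itself arrives over an authenticated channel, and SHA-1 is no longer considered collision-resistant, so a vendor building this today would sign the metainfo and use a stronger digest.

```go
package main

import (
	"crypto/sha1"
	"fmt"
)

// Metainfo holds the integrity data a .torrent carries: the piece size, one
// SHA-1 digest per piece, and (as described in the thread) a digest of the
// whole file. Field names are this example's own, not the real bencoded layout.
type Metainfo struct {
	Length      int
	PieceLength int
	Pieces      [][sha1.Size]byte
	FileHash    [sha1.Size]byte
}

// Describe is the publisher's side: compute the metainfo for a file before
// handing the file to the swarm. The metainfo must then travel over a trusted
// channel (the thread suggests an SSL-protected vendor web site).
func Describe(data []byte, pieceLength int) Metainfo {
	m := Metainfo{Length: len(data), PieceLength: pieceLength, FileHash: sha1.Sum(data)}
	for off := 0; off < len(data); off += pieceLength {
		end := off + pieceLength
		if end > len(data) {
			end = len(data) // final piece may be short
		}
		m.Pieces = append(m.Pieces, sha1.Sum(data[off:end]))
	}
	return m
}

// Verify is the downloader's side: check a file assembled from untrusted peers
// against trusted metainfo. It returns whether the whole file is exactly what
// the publisher described, and the indices of pieces that failed (missing or
// corrupted), which is the set a client would re-request from other peers.
func Verify(m Metainfo, data []byte) (bool, []int) {
	var bad []int
	for i, want := range m.Pieces {
		off := i * m.PieceLength
		end := off + m.PieceLength
		if end > m.Length {
			end = m.Length
		}
		// A short download leaves the tail pieces absent; treat them as bad.
		if end > len(data) || sha1.Sum(data[off:end]) != want {
			bad = append(bad, i)
		}
	}
	// Length and whole-file digest catch bytes appended past the last piece.
	ok := len(bad) == 0 && len(data) == m.Length && sha1.Sum(data) == m.FileHash
	return ok, bad
}

func main() {
	// Constructed sample file: 10,000 bytes of a simple pattern, 4096-byte pieces.
	data := make([]byte, 10000)
	for i := range data {
		data[i] = byte(i * 7)
	}
	meta := Describe(data, 4096) // what the vendor publishes over a trusted channel

	tampered := append([]byte(nil), data...)
	tampered[5000] ^= 0x01 // one peer served a corrupted byte inside piece 1

	ok, bad := Verify(meta, data)
	fmt.Println(ok, bad) // true []
	ok, bad = Verify(meta, tampered)
	fmt.Println(ok, bad) // false [1]
	ok, bad = Verify(meta, data[:6000])
	fmt.Println(ok, bad) // false [1 2]
}
```

The design point worth noticing is that Verify never trusts anything from the peers: a bad piece is identified by index and can be fetched again from a different peer without re-downloading the pieces that already verified, and the final whole-file check refuses a file that is merely a superset of the correct one.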
----- Original Message ----- From: "Ivan Groenewald" <ivang@xtrahost.co.uk>
Applying patches to binaries, hmmmmm. Sounds a bit difficult.
It's actually quite simple: you do a compare between the old binary and the new, and the patch contains only the differences. It's a very effective way to do patches in a non-DLL type world because it's efficient size-wise, and it requires that you already have the product, so manual verification isn't necessary. I think it would work well for Cisco's IOS patch requirements. Geo.
On Thu, 28 Jul 2005, Geo. wrote:
Have you ever actually tried to get the updates using this method? It really does take the better part of a week and no less than half a dozen emails or phone calls and then there is the begging...
I have, on at least two occasions I remember, and I don't recall it being that big a deal: fill out the form (I don't recall if I even had to speak to anyone), and I received the link to the image. ========================================================== Chris Candreva -- chris@westnet.com -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
On Thu, 28 Jul 2005, Geo. wrote:
Jared,
Have you ever actually tried to get the updates using this method? It really does take the better part of a week and no less than half a dozen emails or phone calls and then there is the begging...
if it's critical to your business you'd think you'd have a support contract for it, eh? (or you decided that the 'better part of a week' and associated risk was an acceptable cost to your business) ('you' in the royal sense, not 'you geo')
Geo.
George Roettger Netlink Services
Cisco always has provided free upgrades to non-contract holders for security bugs.
eg:
http://www.cisco.com/en/US/products/products_security_advisory09186a008042d51b.shtml
-- snip -- Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. -- snip --
In a message written on Thu, Jul 28, 2005 at 04:51:18PM -0400, Geo. wrote:
Cisco routers are being sold to every company that connects to the internet; it's one step up from consumer products. You can't expect every company that owns a Cisco router to buy an expensive contract or be willing to go through the gauntlet to get the patches.
Cisco needs to come up with a better way.
In a message written on Thu, Jul 28, 2005 at 08:29:38PM +0000, Christopher L. Morrow wrote:
if it's critical to your business you'd think you'd have a support contract for it, eh? (or you decided that the 'better part of a week' and associated risk was an acceptable cost to your business)
Unfortunately Chris, that doesn't match how (small) business works. I had to hold up Microsoft as an example of being a good corporate citizen, but here it goes. If a 10-person company buys Windows XP and runs it in their office they get free Windows Update patches for the "life" of the product (typically around 5-7 years). There is no TAC or other system to go through; you just tell the box to update and it does it.

Now, I'm not suggesting a large ISP would go with this model, but Cisco has moved out of the core and into small edge and SOHO routers, VOIP phones, and all sorts of other gizmos being bought by home office users and small companies who don't buy support for their other technology items, but get updates. Heck, even digital camera makers and such put free firmware updates on their web site. Expecting all of these users to buy a support contract that costs, what, $350/year for a $2500 box is absurd. Even full-tilt talk-to-a-real-person with on-site service Dell support is only around $120/year.

There is a reason all of these boxes are running around unpatched. Look at the percentage of Windows boxes, which have auto-update software and free updates, that are patched. Now think about the routers out there, where there is no update software and no free updates. It should surprise no one that there are thousands of routers on the ends of T1's and DS-3's running code 2-6 years (or more) old, vulnerable to any number of things.

Why is Cisco so scared of this one? Well, before now hacking them was low value. You could DDOS a 5-person company off the air, maybe reboot their router with a vulnerability -- which frankly many of them wouldn't notice. However, now they can be added to the zombie army of your choice. From being able to simply trigger a flood ping remotely to being able to upload a remote-controllable module, it's all possible now.

Cisco knows a lot of these small offices don't have support. They don't have someone who knows how to upgrade code on a Cisco. For Cisco to actually upgrade a lot of these boxes (assuming people are informed, and know to demand an upgrade) under their current system means tens of thousands of TAC calls from people who've never logged into a router before needing to be walked through downloading code and upgrading a router. Millions, if not tens of millions, in support costs. Will all of these people demand it? Who knows. The popular press picking up the issue is a huge step to alerting Joe Random with a small office and a 2501 in the corner that he should pay attention, but it's probably not enough. If a hacker manages to take over twenty or thirty thousand routers though... I suspect a flood of calls in Cisco's direction. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On 7/28/05 4:29 PM, "Christopher L. Morrow" <christopher.morrow@mci.com> wrote:
On Thu, 28 Jul 2005, Geo. wrote:
Jared,
Have you ever actually tried to get the updates using this method? It really does take the better part of a week and no less than half a dozen emails or phone calls and then there is the begging...
if it's critical to your business you'd think you'd have a support contract for it, eh? (or you decided that the 'better part of a week' and associated risk was an acceptable cost to your business)
('you' in the royal sense, not 'you geo')
Software has bugs. Deal with it. Sometimes you have to pay for updates to fix those bugs. If you don't like it, find another vendor. Except - all vendors do that, don't they? Well, I guess if your business model isn't compatible with purchasing support contracts on vital gear, you may not have a viable business. YMMV. Cisco's conduct in this case may or may not be improper - we'll have to wait for a little more information. From a PR point of view, they probably should have let things ride and allowed the Blackhat talk to occur. They look like bullies now, which is never good. Hindsight is 20/20, though. That being said, their policy of offering free updates for certain bug fixes to those who don't pay them for support is generous. See that hand feeding you? Don't bite it. -- Daniel Golding
participants (16): Brad Knowles, Christopher L. Morrow, Christopher X. Candreva, Daniel Golding, Florian Weimer, Geo., Ivan Groenewald, J. Oquendo, Jared Mauch, JC Dill, Jeffrey I. Schiller, Leo Bicknell, Owen DeLong, Roy Badami, Tony Li, Valdis.Kletnieks@vt.edu